When to Create a Federation Server Proxy

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Creating a federation server proxy in your organization adds additional security layers to your Active Directory Federation Services (AD FS) deployment. Consider deploying a federation server proxy in your organization's perimeter network when you want to:

  • Prevent external client computers from directly accessing your federation servers. By deploying a federation server proxy in your perimeter network, you effectively isolate your federation servers so that they can be accessed only by client computers that are logged in to the corporate network through federation server proxies, which act on behalf of the external client computers. Federation server proxies do not have access to the private keys that are used to produce tokens. For more information, see Where to Place a Federation Server Proxy.

  • Provide a convenient way to differentiate the sign-in experience for users who are coming from the Internet as opposed to users who are coming from your corporate network using Windows Integrated Authentication. A federation server proxy collects credentials or home realm details from Internet client computers by using the logon, logout, and identity provider discovery (homerealmdiscovery.aspx) pages that are stored on the federation server proxy.

    In contrast, client computers that come from the corporate network encounter a different experience, based on the configuration of the federation server. The corporate network federation server is often configured for Windows Integrated Authentication, which provides a seamless sign-in experience for users on the corporate network.

The role that a federation server proxy plays in your organization depends on whether you place the federation server proxy in the account partner organization or in the resource partner organization. For example, when a federation server proxy is placed in the perimeter network of the account partner, its role is to collect the user credential information from browser clients. When a federation server proxy is placed in the perimeter network of the resource partner, it relays security token requests to a resource federation server and produces organizational security tokens in response to the security tokens that are provided by its account partners.

For more information, see Review the Role of the Federation Server Proxy in the Account Partner and Review the Role of the Federation Server Proxy in the Resource Partner.

How to create a federation server proxy

You can create a federation server proxy using either the AD FS Federation Server Proxy Configuration Wizard or the Fsconfig.exe command-line tool. For instructions about how to do this, see Configure a Computer for the Federation Server Proxy Role.

For general information about how to set up all the prerequisites necessary to deploy a federation server proxy, see Checklist: Setting Up a Federation Server Proxy.

See Also

AD FS Design Guide in Windows Server 2012