Where to Place a Federation Server

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

As a security best practice, place Active Directory Federation Services (AD FS) federation servers behind a firewall and connect them to your corporate network to prevent exposure from the Internet. This is important because federation servers have full authorization to grant security tokens. Therefore, they should have the same protection as a domain controller. If a federation server is compromised, a malicious user has the ability to issue full access tokens to all Web applications and to federation servers that are protected by Active Directory Federation Services (AD FS) in all resource partner organizations.

Note

As a security best practice, avoid having your federation servers directly accessible on the Internet. Consider giving your federation servers direct Internet access only when you are setting up a test lab environment or when your organization does not have a perimeter network.

For typical corporate networks, an intranet-facing firewall is established between the corporate network and the perimeter network, and an Internet-facing firewall is often established between the perimeter network and the Internet. In this situation, the federation server sits inside the corporate network, and it is not directly accessible by Internet clients.

Note

Client computers that are connected to the corporate network can communicate directly with the federation server through Windows Integrated Authentication.

A federation server proxy should be placed in the perimeter network before you configure your firewall servers for use with AD FS. For more information, see Where to Place a Federation Server Proxy.

Configuring your firewall servers for a federation server

So that the federation servers can communicate directly with federation server proxies, the intranet firewall server must be configured to allow Secure Hypertext Transfer Protocol (HTTPS) traffic from the federation server proxy to the federation server. This is a requirement because the intranet firewall server must publish the federation server on port 443 so that the federation server proxy in the perimeter network can reach the federation server.
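The following PowerShell is an added example, not code from the Microsoft page: on the federation server itself it creates a Windows Firewall rule that admits inbound HTTPS (TCP 443) only from the perimeter-network proxies, then reports any enabled inbound rule that still opens 443 to every remote address. The proxy IP addresses are constructed placeholders; the rule name is an assumption.

```powershell
# Added example (not from the original page). Run elevated on a Windows Server
# federation server. Replace the placeholder addresses with the perimeter-network
# IPs of your federation server proxies.
$ProxyAddresses = @('192.0.2.10', '192.0.2.11')   # constructed placeholders (TEST-NET)

# Scoped allow rule. Windows Firewall blocks unsolicited inbound traffic by
# default, so this rule becomes the only path to TCP 443 unless a broader
# allow rule also exists (checked below).
$ruleName = 'AD FS - HTTPS from federation server proxies'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 443 `
        -RemoteAddress $ProxyAddresses -Profile Domain -Enabled True | Out-Null
}

# Audit: list enabled inbound Allow rules that open TCP 443 (or all TCP ports)
# to any remote address. Such a rule undoes the scoping above.
$broad = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -eq 'TCP' -and
        ($port.LocalPort -eq '443' -or $port.LocalPort -eq 'Any') -and
        $addr.RemoteAddress -eq 'Any') {
        $rule.DisplayName
    }
}

if ($broad) {
    Write-Warning 'Inbound rules that expose TCP 443 to any remote address:'
    $broad | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'TCP 443 is only reachable from the listed federation server proxies.'
}
```

The audit deliberately counts rules whose local port is "Any", because a rule that opens all TCP ports exposes 443 just as surely as one that names it.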

In addition, the intranet-facing firewall server, such as a server running Internet Security and Acceleration (ISA) Server, uses a process known as server publishing to distribute Internet client requests to the appropriate corporate federation servers. This means that you must manually create a server publishing rule on the intranet server running ISA Server that publishes the clustered federation server URL, for example, http://fs.fabrikam.com.

For more information about how to configure server publishing in a perimeter network, see Where to Place a Federation Server Proxy. For information about how to configure ISA Server to publish a server, see Create a secure Web publishing rule.

See Also

AD FS Design Guide in Windows Server 2012