Where to Place a Federation Server Proxy

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

You can place Active Directory Federation Services (AD FS) federation server proxies in a perimeter network to provide a layer of protection against malicious users coming from the Internet. Federation server proxies are well suited to the perimeter network because they do not have access to the private keys that are used to sign tokens; a compromised proxy therefore cannot mint tokens on its own. However, federation server proxies can efficiently route incoming requests to the federation servers that are authorized to produce those tokens.

It is not necessary to place a federation server proxy inside the corporate network for either the account partner or the resource partner, because client computers that are connected to the corporate network can communicate directly with the federation server. In this scenario, the federation server also provides federation server proxy functionality for client computers that are coming from the corporate network.

As is typical with perimeter networks, an intranet-facing firewall sits between the perimeter network and the corporate network, and an Internet-facing firewall is usually placed between the perimeter network and the Internet. In this scenario, the federation server proxy sits between these two firewalls, on the perimeter network.

Configuring your firewall servers for a federation server proxy

For the federation server proxy redirection process to succeed, all firewall servers must be configured to allow Hypertext Transfer Protocol Secure (HTTPS) traffic. HTTPS is required because the firewall servers must publish the federation server proxy on port 443, and the federation server proxy in the perimeter network must in turn be able to reach the federation server in the corporate network on port 443 through the intranet-facing firewall.

注意

All communications to and from client computers also occur over HTTPS.
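The following PowerShell script is an added example, not part of the original article, that checks the two things the preceding paragraphs require: that TCP 443 from the federation server proxy to the federation server is open through the intranet-facing firewall, and that an HTTPS request is actually answered on that port. The host name `fs.fabrikam.com` follows the article's example; the federation metadata path is the well-known AD FS endpoint and is an assumption for this example, not something the article states.

```powershell
# Added example (not from the original article): run on the federation server proxy
# in the perimeter network to confirm that TCP 443 to the federation server is open
# through the intranet-facing firewall and that HTTPS is actually answered.
# The host name and the metadata path are assumptions for this example.
$federationServer = 'fs.fabrikam.com'
$metadataUri      = "https://$federationServer/FederationMetadata/2007-06/FederationMetadata.xml"

# Step 1: plain TCP reachability on port 443. This fails when the intranet-facing
# firewall has no rule allowing 443 from the perimeter network to the federation server.
$tcp = Test-NetConnection -ComputerName $federationServer -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Error "TCP 443 to $federationServer (resolved to $($tcp.RemoteAddress)) is blocked; check the intranet-facing firewall."
    return
}
Write-Output "TCP 443 to $federationServer ($($tcp.RemoteAddress)) is reachable."

# Step 2: a real HTTPS request. A failure here with the port open means the TLS
# handshake or the service behind the port is the problem, not the firewall.
try {
    $response = Invoke-WebRequest -Uri $metadataUri -UseBasicParsing -TimeoutSec 15
    Write-Output "HTTPS OK: HTTP $($response.StatusCode), $($response.RawContentLength) bytes of federation metadata."
}
catch {
    Write-Error "HTTPS request to $metadataUri failed: $($_.Exception.Message)"
}
```

Run the same script from a client on the Internet against the externally published name to exercise the Internet-facing firewall's publishing rule instead; both checks have to pass before the proxy redirection described above can work end to end.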

In addition, the Internet-facing firewall server, such as a computer running Microsoft Internet Security and Acceleration (ISA) Server, uses a process known as server publishing to distribute Internet client requests to the appropriate perimeter and corporate network servers, such as federation server proxies or federation servers.

Server publishing rules determine how server publishing works: essentially, all incoming and outgoing requests are filtered through the ISA Server computer, and the rules map incoming client requests to the appropriate servers behind it. For information about how to configure ISA Server to publish a server, see Create a Secure Web Publishing Rule.

In the federated world of AD FS, these client requests are typically made to a specific URL, for example a federation server identifier URL such as http://fs.fabrikam.com. Because these requests arrive from the Internet, the Internet-facing firewall server must be configured to publish the federation server identifier URL for each federation server proxy that is deployed in the perimeter network. Note that the identifier is a logical name for the federation service; the traffic that the publishing rule forwards is still HTTPS on port 443, as described above.

Configuring ISA Server to allow SSL

To facilitate secure AD FS communications, you must configure ISA Server to allow Secure Sockets Layer (SSL) communications (in current deployments, TLS) between the following:

  • Federation servers and federation server proxies. An SSL channel is required for all communications between federation servers and federation server proxies. Therefore, you must configure ISA Server to allow an SSL connection between the corporate network and the perimeter network.

  • Client computers, federation servers, and federation server proxies. So that client computers can communicate with federation servers or with federation server proxies, you can place a computer running ISA Server in front of the federation server or the federation server proxy.

    If your organization performs SSL client authentication on the federation server or federation server proxy, the ISA Server computer that you place in front of it must be configured to pass the SSL connection through, because the SSL connection must terminate at the federation server or federation server proxy. Client certificate authentication happens inside the TLS handshake, so a device that terminated the connection in the middle would receive the client certificate instead of the federation server, and the federation server could not verify the client.

    If your organization does not perform SSL client authentication on the federation server or federation server proxy, an additional option is to terminate the SSL connection at the computer running ISA Server and then re-establish a separate SSL connection to the federation server or federation server proxy (SSL bridging). In that case the ISA Server computer sees the decrypted traffic, so it must be trusted to the same degree as the federation server proxy itself.

注意

The federation server or federation server proxy requires that the connection be secured by SSL to protect the contents of the security token.
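The pass-through versus termination choice above is easy to verify from a client: the certificate a client receives tells you where the TLS connection actually ends. The following PowerShell script is an added example, not part of the original article or of ISA Server's own tooling. It opens a TLS connection to the published federation name, prints the server certificate, and compares its thumbprint with the thumbprint of the federation server's certificate. The host name follows the article's example; the expected thumbprint is a placeholder assumption that you replace with the thumbprint of your own AD FS service communication certificate.

```powershell
# Added example (not from the original article): inspect the certificate a client
# receives when it connects to the published federation URL. With SSL pass-through
# this is the federation server (proxy) certificate; with termination on the ISA
# Server computer it is whatever certificate is installed there.
# The host name and the expected thumbprint are assumptions for this example.
$hostName           = 'fs.fabrikam.com'
$expectedThumbprint = '0000000000000000000000000000000000000000'   # assumed: thumbprint of the AD FS service communication certificate

$tcpClient = New-Object System.Net.Sockets.TcpClient($hostName, 443)
try {
    # Accept whatever certificate the server presents: the goal is to inspect it, not to trust it.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $acceptAny)
    $sslStream.AuthenticateAsClient($hostName)

    $remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)
    Write-Output ("Protocol   : {0}" -f $sslStream.SslProtocol)
    Write-Output ("Subject    : {0}" -f $remoteCert.Subject)
    Write-Output ("Issuer     : {0}" -f $remoteCert.Issuer)
    Write-Output ("Thumbprint : {0}" -f $remoteCert.Thumbprint)

    if ($remoteCert.Thumbprint -eq $expectedThumbprint) {
        Write-Output "The connection terminates at the federation server or federation server proxy (SSL pass-through)."
    }
    else {
        Write-Warning "A different certificate was presented; the connection is terminated on the device in front (SSL bridging). SSL client authentication on the federation server cannot work through this path."
    }

    $sslStream.Dispose()
}
finally {
    $tcpClient.Close()
}
```

The thumbprint comparison only detects bridging when the ISA Server computer uses a certificate of its own. If the federation server's certificate and private key were exported to the ISA Server computer, the client sees the same thumbprint either way, and the only reliable check is whether an endpoint that requires a client certificate actually authenticates the client.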

See Also

AD FS Design Guide in Windows Server 2012