Prepare your network infrastructure for federation server proxies

Applies to: Windows Intune

Note

This topic contains online help content that applies to more than one Microsoft cloud service, including Windows Intune and Office 365.

To complete all of the tasks using the following procedures you must first be logged into the computers as a member of the Administrators group, or have been delegated equivalent permissions.

Checklist: Prepare your network infrastructure for federation server proxies

Deployment task | Links to topics in this section | Completed

1. Prepare two computers running either the Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating system to be set up as federation server proxies. Depending on the number of users you have, you can use existing web or proxy servers or use a dedicated computer.

   Links: N/A
   Completed: [ ]

2. Add the name of the Federation Service in the corporate network (the cluster DNS name you created earlier on the NLB host in the corporate network) and its associated cluster IP address to the hosts file on each federation server proxy computer in the perimeter network.

   Links: Add the cluster DNS name and IP address to the hosts file on the proxy computer
   Completed: [ ]

3. Create a new cluster DNS name and cluster IP address on the NLB host in the perimeter network and then add the federation server proxy computers to the NLB cluster. If you are using Windows Server technology for your current NLB hosts, choose the appropriate link below based on your operating system version.

   Important: The cluster DNS name used for this new NLB cluster must match the name of the Federation Service in the corporate network.

   Note: This step is optional in a test deployment of this SSO solution with a single AD FS federation server.

   Links:
   - To create and configure NLB clusters on Windows Server 2003 and Windows Server 2003 R2, see Checklist: Enabling and configuring Network Load Balancing.
   - To create and configure NLB clusters on Windows Server 2008, see Creating Network Load Balancing Clusters.
   - To create and configure NLB clusters on Windows Server 2008 R2, see Creating Network Load Balancing Clusters.
   Completed: [ ]

4. Create a new resource record for the NLB cluster in the perimeter network DNS that points the cluster DNS name of the NLB cluster to its cluster IP address.

   Links: Add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host
   Completed: [ ]

5. Use the same server authentication certificate as the one used by the federation servers in the corporate network and install it in IIS on the Default Web Site of the federation server proxy.

   Links: Import a server authentication certificate to the Default Web Site on the proxy computer
   Completed: [ ]

Add the cluster DNS name and IP address to the hosts file on the proxy computer

In order for the federation server proxy to work as expected in the perimeter network, you must add an entry to the hosts file on each federation server proxy computer that points to the cluster DNS name hosted by the NLB in the corporate network (for example, fs.fabrikam.com) and its IP address (for example, 172.16.1.3). Adding this entry to the hosts file enables the federation server proxy to properly route a client-initiated call to a federation server either within the perimeter network or outside the perimeter network.

To add the cluster DNS name and IP address to the hosts file on the proxy

  1. Navigate to the %systemroot%\Winnt\System32\Drivers folder and locate the hosts file.

  2. Start Notepad, and then open the hosts file.

  3. Add the IP address and the host name of a federation server in the hosts file, as shown in the following example:

    172.16.1.3             fs.fabrikam.com

  4. Save and close the file.

Important

If the cluster IP address on the NLB host in the corporate network ever changes, you must update the local hosts file on each federation server proxy.
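The following PowerShell script is an added example, not part of the original page, that performs the hosts-file procedure above in a repeatable way: it replaces any previous entry for the Federation Service name rather than appending a second one, which is what the Important note requires when the corporate cluster IP address changes. It uses the page's placeholder name and address (fs.fabrikam.com, 172.16.1.3); the hosts file path is the standard Windows location and is assumed to be correct on the proxy.

```powershell
# Added example (not from the original page): add or update the hosts-file entry
# for the corporate Federation Service on a federation server proxy.
# Run in an elevated PowerShell session on the proxy.
param(
    [string]$FederationServiceName = 'fs.fabrikam.com',   # page placeholder
    [string]$ClusterIPAddress      = '172.16.1.3'         # page placeholder
)

# Standard location of the hosts file on Windows (assumed unchanged on the proxy).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Keep every line except an existing entry for this name, so a changed cluster
# IP address replaces the stale mapping instead of sitting beside it.
$lines   = Get-Content -Path $hostsPath
$pattern = '^\s*[0-9A-Fa-f:.]+\s+' + [regex]::Escape($FederationServiceName) + '(\s|$)'
$kept    = $lines | Where-Object { $_ -notmatch $pattern }

# Same layout as the example entry in the procedure: address, padding, name.
$entry   = '{0,-22} {1}' -f $ClusterIPAddress, $FederationServiceName
$updated = @($kept) + $entry

# Write back as plain ASCII, which is what the resolver expects for this file.
Set-Content -Path $hostsPath -Value $updated -Encoding Ascii

# Verify: local name resolution on the proxy must now return the corporate cluster IP.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) |
    ForEach-Object { $_.ToString() }
if ($resolved -contains $ClusterIPAddress) {
    Write-Host "OK: $FederationServiceName -> $ClusterIPAddress"
} else {
    Write-Warning "Unexpected resolution for ${FederationServiceName}: $($resolved -join ', ')"
}
```

Run it once per proxy; the final resolution check is the quickest way to confirm that the proxy will send Federation Service traffic to the corporate NLB cluster rather than to whatever the perimeter DNS returns for the same name.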

Add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host

To service authentication requests from clients either in the perimeter network or outside the perimeter network, AD FS requires name resolution to be configured on external-facing DNS servers that host the organization’s zone (for example, fabrikam.com).

To do this, add a Host (A) resource record for the cluster DNS name (for example, fs.fabrikam.com) to the external-facing DNS server that serves only the perimeter network, pointing it to the external cluster IP address that you just configured.

To add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host

  1. On a DNS server for the perimeter network, open the DNS snap-in. Click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, right-click the applicable forward lookup zone (for example, fabrikam.com), and then click New Host (A or AAAA).

  3. In Name, type only the host portion of the cluster DNS name you specified on the NLB host in the perimeter network (this should be the same DNS name as the name of the Federation Service). For example, for the FQDN fs.fabrikam.com, type fs.

  4. In IP address, type the new cluster IP address you specified on the NLB host in the perimeter network. For example, 192.0.2.3.

  5. Click Add Host.
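As an added example that is not part of the original page, the script below creates the same Host (A) record with the DnsServer PowerShell module instead of the DNS snap-in, and then checks the point this procedure depends on: the FQDN must resolve to the perimeter cluster address from the perimeter DNS, while the corporate cluster address from the hosts-file procedure must not appear in that answer. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later); the perimeter DNS server name is an assumed value, and the zone, host name and addresses are the page's placeholders. On Windows Server 2008 and 2008 R2 the record can be created with `dnscmd <server> /RecordAdd fabrikam.com fs A 192.0.2.3` instead.

```powershell
# Added example (not from the original page): create the perimeter Host (A) record
# for the NLB cluster and verify split-brain resolution from the perimeter DNS.
param(
    [string]$ZoneName           = 'fabrikam.com',                  # page placeholder
    [string]$HostName           = 'fs',                            # page placeholder
    [string]$PerimeterClusterIP = '192.0.2.3',                     # page placeholder
    [string]$CorporateClusterIP = '172.16.1.3',                    # page placeholder
    [string]$PerimeterDnsServer = 'dns1.perimeter.fabrikam.com'    # assumed name
)

$fqdn = "$HostName.$ZoneName"

# Add the record only if it is not already present with this address.
$existing = Get-DnsServerResourceRecord -ComputerName $PerimeterDnsServer `
    -ZoneName $ZoneName -Name $HostName -RRType A -ErrorAction SilentlyContinue
$existingIPs = @($existing | ForEach-Object { $_.RecordData.IPv4Address.ToString() })

if ($existingIPs -contains $PerimeterClusterIP) {
    Write-Host "A record $fqdn -> $PerimeterClusterIP already present"
} else {
    Add-DnsServerResourceRecordA -ComputerName $PerimeterDnsServer `
        -ZoneName $ZoneName -Name $HostName -IPv4Address $PerimeterClusterIP
    Write-Host "Added A record $fqdn -> $PerimeterClusterIP on $PerimeterDnsServer"
}

# Split-brain check: ask the perimeter DNS directly rather than the local resolver,
# so the proxy's own hosts-file entry cannot mask a wrong zone record.
$answers = @((Resolve-DnsName -Name $fqdn -Type A -Server $PerimeterDnsServer).IPAddress)

if ($answers -contains $CorporateClusterIP) {
    Write-Warning "$fqdn resolves to the corporate cluster IP $CorporateClusterIP from the perimeter DNS; external clients would be sent to the internal NLB"
} elseif ($answers -contains $PerimeterClusterIP) {
    Write-Host "OK: $fqdn -> $PerimeterClusterIP from $PerimeterDnsServer"
} else {
    Write-Warning "$fqdn resolved to: $($answers -join ', ')"
}
```

Querying the perimeter server explicitly with `-Server` matters on the proxy itself: after the hosts-file step, a plain lookup there always returns the corporate address, so it tells you nothing about what external clients will receive.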

Import a server authentication certificate to the Default Web Site on the proxy computer

After you obtain a server authentication certificate used by one of the federation servers in the corporate network, you must manually install that certificate on the Default Web Site for each federation server proxy in your organization.

Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte. For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.

Note

The subject name of this server authentication certificate must match the FQDN of the cluster DNS name (for example, fs.fabrikam.com) you created earlier on the NLB host. If Internet Information Services (IIS) has not been installed, you must install IIS first in order to complete this task. When installing IIS for the first time, we recommend that you use the default feature options when prompted during the installation of the server role.

To import a server authentication certificate to the Default Web Site on the proxy computer

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click the computer name (ComputerName).

  3. In the center pane, double-click Server Certificates.

  4. In the Actions pane, click Import.

  5. In the Import Certificate dialog box, click the button.

  6. Browse to the location of the .pfx certificate file, select it, and then click Open.

  7. Type the password for the certificate, and then click OK.
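The script below is an added example, not part of the original page, that does the import from PowerShell and adds the checks a practitioner wants before putting the proxy into service: the certificate must carry the Federation Service FQDN from the Note above, must chain to a root the proxy trusts (the public-CA requirement), and must have come across with its private key; it then binds the certificate to the Default Web Site on port 443. It assumes the PKI and WebAdministration modules (Windows Server 2012 or later) and uses the page's placeholder FQDN; the .pfx path is an assumed value.

```powershell
# Added example (not from the original page): import the federation servers'
# server authentication certificate on a proxy, validate it, and bind it to IIS.
# Run in an elevated PowerShell session on the federation server proxy.
param(
    [string]$PfxPath               = 'C:\certs\fs-fabrikam-com.pfx',  # assumed path
    [string]$FederationServiceName = 'fs.fabrikam.com',               # page placeholder
    [string]$SiteName              = 'Default Web Site'
)

Import-Module WebAdministration

# Prompt for the PFX password rather than embedding it in the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# Check 1: the subject or a SAN entry must match the Federation Service FQDN,
# otherwise clients reject the TLS handshake on name mismatch.
$dnsNames = @($cert.DnsNameList.Unicode)
if ($dnsNames -notcontains $FederationServiceName) {
    throw "Certificate names ($($dnsNames -join ', ')) do not include $FederationServiceName"
}

# Check 2: the chain must build to a trusted root for SSL use on this machine.
# A certificate from a private CA passes here only if that CA's root is installed,
# which is why the page calls for a publicly trusted issuer.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $FederationServiceName)) {
    throw "Certificate $($cert.Thumbprint) does not validate for SSL as $FederationServiceName"
}

# Check 3: a .pfx without the private key imports cleanly but cannot serve TLS.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without its private key"
}

# Bind to the Default Web Site on 443, creating the HTTPS binding if it is missing.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
}
$binding.AddSslCertificate($cert.Thumbprint, 'my')

Write-Host "Bound $($cert.Subject) ($($cert.Thumbprint)) to '$SiteName' on port 443"
```

Importing into the LocalMachine\My store is what makes the certificate appear under Server Certificates in IIS Manager; the binding step corresponds to what you would otherwise do by editing the site's bindings after the import in the procedure above.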

Next step

Now that you have prepared your network infrastructure for federation server proxies, the next step is to complete the tasks in Checklist: Deploy your federation server proxies in the order in which they are presented.

See also

Concepts

Implementing and managing single sign-on with AD FS 2.0