Checklist: Installing a Federation Server Proxy

Applies To: Windows Server 2008

This checklist includes the deployment tasks for preparing a server running Windows Server 2008 Enterprise for the federation server proxy role.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Checklist: Installing a federation server proxy

  Task Reference

Review important changes to AD FS since the Windows Server 2003 R2 release, including an improved installation process.

What's New in AD FS in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=85684)

Review information in the Active Directory Federation Services Design Guide about where to place federation server proxies in your organization.

Planning Federation Server Proxy Placement

Where to Place a Federation Server Proxy

Use the information in the Active Directory Federation Services Design Guide to determine whether a single federation server proxy or a federation server proxy farm is necessary.

Note
A federation server can also perform the Federation Service Proxy role itself. A separate federation server proxy is deployed when you want the Federation Service to stay off the perimeter network and expose only the proxy to Internet clients.

When to Create a Federation Server Proxy

When to Create a Federation Server Proxy Farm

Use the information in the Active Directory Federation Services Design Guide to determine whether this new federation server proxy will be created in the perimeter network of the account partner organization or the resource partner organization.

Review the Role of the Federation Server Proxy in the Account Partner Organization

Review the Role of the Federation Server Proxy in the Resource Partner Organization

Before you install the Federation Service Proxy role service on a computer that will become a federation server proxy, read about why the proxy needs two certificates: a server authentication certificate, which it presents to clients over SSL, and a client authentication certificate, which it presents to the federation server to prove that it is an authorized proxy. For federation server proxy farms, also read about adding or sharing certificates across all the servers in the farm.

Certificate Requirements for Federation Server Proxies

Review information in the Active Directory Federation Services Design Guide about how to update the perimeter Domain Name System (DNS) so that successful name resolution for federation servers and federation server proxies can occur.

Name Resolution Requirements for Federation Server Proxies

Determine whether the federation server proxy must be joined to a domain. Federation server proxies do not have to be joined to a domain, but they are easier to manage with remote administration and Group Policy when they are. Weigh this against the trade-off for a perimeter-network host: domain membership requires firewall openings from the perimeter network to domain controllers, which widens the internal domain's exposure if the proxy is compromised.

Join a Computer to a Domain

Depending on how the DNS infrastructure in your perimeter network is configured, complete one of the procedures on the right before you deploy a federation server proxy in your organization.

Note

Do not perform both procedures. Read Name Resolution Requirements for Federation Server Proxies to determine which procedure best suits the requirements of your organization.

Configure Name Resolution for a Federation Server Proxy in a DNS Zone Serving Only the Perimeter Network

Configure Name Resolution for a Federation Server Proxy in a DNS Zone Serving Both the Perimeter Network and Internet Clients
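The two procedures above are not reproduced here. As an added example that is not part of the original checklist, the following PowerShell script shows the building blocks both rely on, a host (A) record added with dnscmd.exe and, where the same zone also answers Internet clients, a hosts-file entry on the proxy so that the proxy itself still reaches the internal federation server, followed by a resolution check. The zone, server names and addresses are assumptions (203.0.113.0/24 is documentation address space), and the hosts-file approach for the shared-zone case is an assumption about how the perimeter proxy is kept pointed at the internal federation server.

```powershell
# Added example, not one of the checklist's own procedures. Values below are assumptions.
$FsName             = "fs"                           # Federation Service host name
$Zone               = "contoso.com"                  # zone that holds the federation records
$PerimeterDnsServer = "dns1.perimeter.contoso.com"   # authoritative for $Zone in the perimeter
$FederationServerIp = "10.0.1.20"                    # internal federation server
$ProxyIp            = "203.0.113.10"                 # proxy address reachable by Internet clients
$ZoneServesInternet = $true                          # $false: zone visible only inside the perimeter
$Fqdn               = "$FsName.$Zone"

# dnscmd.exe ships with the DNS Server role and its admin tools; /RecordAdd needs
# administrative rights on the DNS server named in the first argument.
if ($ZoneServesInternet) {
    # Internet clients must land on the proxy, so the record they see points at it ...
    dnscmd $PerimeterDnsServer /RecordAdd $Zone $FsName A $ProxyIp

    # ... and the proxy overrides that record locally (assumed mechanism) so its own
    # traffic for the Federation Service name goes to the internal federation server.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $entry = "$FederationServerIp`t$Fqdn"
    if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($entry)) -Quiet)) {
        Add-Content -Path $hosts -Value $entry      # requires an elevated prompt on the proxy
    }
} else {
    # The zone is not visible from the Internet, so the perimeter record can point the
    # proxy straight at the federation server; the Internet-facing zone (not shown)
    # carries a separate record for $Fqdn that points at $ProxyIp.
    dnscmd $PerimeterDnsServer /RecordAdd $Zone $FsName A $FederationServerIp
}

# Check what each side resolves: nslookup asks the server directly and ignores the hosts
# file, ping goes through the normal resolver and therefore honours the hosts entry.
# Run the pair on the proxy and on an Internet client and compare the addresses.
nslookup $Fqdn $PerimeterDnsServer
ping -n 1 $Fqdn
```

Whichever procedure you follow, the end state to confirm is the same: the proxy resolves the Federation Service name to the internal federation server, and Internet clients resolve that same name to the proxy.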

(Optional) If you will be adding a federation server proxy to a federation server proxy farm, you may first have to export the existing server authentication certificate together with its private key (from the first federation server proxy in the farm) so that a certificate file is ready when the other federation server proxies have to import the same certificate.

This task is not required when your issued server authentication certificate can be installed on multiple computers without an export, or when you obtain a unique server authentication certificate for each federation server proxy in the farm.

Export the Private Key Portion of a Server Authentication Certificate

You must install the public key portion of the Federation Service Proxy client authentication certificate on the federation server so that the federation server can authenticate the federation server proxy. Use the following procedure to export the public key portion of the Federation Service Proxy client authentication certificate.

Export the Public Key Portion of a Client Authentication Certificate
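As an added example covering the two export tasks above (it is not the procedure text from the original checklist), the following PowerShell script exports the server authentication certificate with its private key as a PFX for the other farm members, and the public key portion of the client authentication certificate as a .cer file for the federation server. The thumbprints, file names and output folder are assumed values; `Get-ChildItem Cert:\LocalMachine\My` lists what the computer store actually holds. It assumes Windows PowerShell 2.0 on the first federation server proxy.

```powershell
# Added example, not Microsoft's procedure. Thumbprints and paths are assumptions.
$ServerAuthThumbprint = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"   # assumed
$ClientAuthThumbprint = "0F1E2D3C4B5A69788796A5B4C3D2E1F00A1B2C3D"   # assumed
$OutDir = "C:\ADFS-Certs"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-MachineCert([string]$Thumbprint) {
    # IIS and the Federation Service Proxy use the computer's Personal store, not the user's.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    return $cert
}

function Export-PublicPortion($Cert, [string]$Path) {
    # X509ContentType.Cert is DER with no private key: enough for the federation server to
    # recognise the proxy's client certificate, and safe to copy across the firewall.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    Write-Host "Public key portion written to $Path"
}

function Export-WithPrivateKey($Cert, [string]$Path, [System.Security.SecureString]$Password) {
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key in this store" }
    # A key enrolled as non-exportable cannot leave the machine: either re-enroll with an
    # exportable key or give each proxy its own certificate (the checklist's alternative).
    $key = $Cert.PrivateKey
    if ($key -eq $null -or -not $key.CspKeyContainerInfo.Exportable) {
        throw "Private key of $($Cert.Thumbprint) is not exportable; use per-server certificates instead"
    }
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    # The PFX is equivalent to the private key itself: restrict it to Administrators and
    # delete it once every farm member has imported it.
    icacls $Path /inheritance:r /grant:r "BUILTIN\Administrators:(F)" | Out-Null
    Write-Host "Server authentication certificate with private key written to $Path"
}

$pfxPassword = Read-Host -AsSecureString "Password to protect the exported PFX"
Export-WithPrivateKey (Get-MachineCert $ServerAuthThumbprint) (Join-Path $OutDir "fs-server-auth.pfx") $pfxPassword
Export-PublicPortion  (Get-MachineCert $ClientAuthThumbprint) (Join-Path $OutDir "proxy-client-auth.cer")
```

Only the .cer file should travel to the federation server; the PFX goes to the other proxies in the farm and nowhere else.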

After you obtain a server authentication certificate, you must install it in Internet Information Services (IIS) and bind it to the HTTPS (SSL) binding of the default Web site on the federation server proxy.

Import a Server Authentication Certificate to the Default Web Site
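As an added example (not the checklist's own procedure), the following PowerShell script imports a PFX exported from the first farm member into the computer store and binds it to the Default Web Site on TCP port 443 using the IIS 7.0 command-line tool appcmd.exe and netsh. The PFX path is an assumption, and the IIS application ID used for the SSL binding is stated as the well-known IIS value but should be checked against `netsh http show sslcert` on an existing IIS host. Assumes Windows PowerShell 2.0 run from an elevated prompt on the federation server proxy.

```powershell
# Added example, not Microsoft's procedure. Path and application ID are assumptions.
$PfxPath  = "C:\ADFS-Certs\fs-server-auth.pfx"            # assumed
$Password = Read-Host -AsSecureString "PFX password"
$AppCmd   = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$IisAppId = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"       # assumed IIS application ID for SSL bindings

# 1. Import into LocalMachine\My. MachineKeySet keeps the private key in the machine key
#    container so the IIS worker process, not just the importing user, can use it.
$X509Flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $X509Flags::MachineKeySet -bor $X509Flags::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"

# 2. Give the Default Web Site an https binding on *:443 if it does not have one yet.
$bindings = & $AppCmd list site "Default Web Site" /text:bindings
if ($bindings -notmatch "https/\*:443:") {
    & $AppCmd set site /site.name:"Default Web Site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
}

# 3. Attach the certificate to the listener. The mapping lives in http.sys, not in IIS
#    configuration, so the binding alone is not enough. Replace a stale mapping if present.
$existing = netsh http show sslcert ipport=0.0.0.0:443
if ($existing -match "Certificate Hash") { netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null }
netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$IisAppId"

# 4. Confirm the listener now presents the intended certificate.
netsh http show sslcert ipport=0.0.0.0:443
```

If the subject name (or a subject alternative name) of the imported certificate does not match the Federation Service DNS name that clients use, fix the certificate before going further; every client will otherwise see a name-mismatch warning.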

After you export the public key portion of the federation server proxy's client authentication certificate, use the following procedure to import it into the trust policy of the Federation Service that the proxy will be servicing. This is what allows the federation server to authenticate the proxy.

Add a Federation Service Proxy Certificate to the Trust Policy

(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use IIS 7.0 to create a self-signed certificate for your federation server proxy.

Because a self-signed certificate is not issued by a trusted source, each client has to be configured to trust it individually. Use one only in the following scenarios:

  • When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users

  • When you have to troubleshoot third-party certificate problems

Warning

It is not a security best practice to deploy a federation server proxy in a production environment with a self-signed server authentication certificate. Clients that do not explicitly trust it either fail to connect or are trained to click through certificate warnings, which defeats the server authentication the SSL channel is meant to provide.

IIS 7.0: Create a Self-Signed Server Certificate in IIS 7.0 (https://go.microsoft.com/fwlink/?LinkID=108271)

Install prerequisite applications such as ASP.NET, IIS, and Microsoft .NET Framework 2.0 on the computer that will become the federation server proxy.

Install Prerequisite Applications

Install the Federation Service Proxy role service on the computer that will become the federation server proxy.

Install the Federation Service Proxy Role Service
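As an added example that covers the two installation tasks above (it is not the checklist's procedure text), the following PowerShell script installs the Federation Service Proxy role service and its prerequisites with ServerManagerCmd.exe, the Windows Server 2008 command-line role installer, and checks the result. The feature IDs (ADFS-Proxy, Web-Server, Web-Asp-Net, NET-Framework-Core) and the exit codes are assumptions taken from the tool's own `-query` output and documentation conventions; confirm them on your server before relying on the script.

```powershell
# Added example, not Microsoft's procedure. Feature IDs and exit codes are assumptions.
$Smc = "$env:SystemRoot\System32\ServerManagerCmd.exe"
$Log = "C:\ADFS-Install.log"

function Test-FeatureInstalled([string]$Id) {
    # -query prints one line per role or feature, e.g. "[X] Web Server (IIS)  [Web-Server]";
    # [X] marks an installed item and [ ] an available one.
    $pattern = '\[' + [regex]::Escape($Id) + '\]\s*$'
    $line = & $Smc -query | Where-Object { $_ -match $pattern } | Select-Object -First 1
    return [bool]($line -and ($line -match '^\s*\[X\]'))
}

# Report the prerequisites the checklist names (IIS, ASP.NET, .NET Framework) and the role.
$features = "Web-Server", "Web-Asp-Net", "NET-Framework-Core", "ADFS-Proxy"
foreach ($id in $features) {
    Write-Host ("{0,-20} installed: {1}" -f $id, (Test-FeatureInstalled $id))
}

if (-not (Test-FeatureInstalled "ADFS-Proxy")) {
    # ServerManagerCmd resolves required dependencies itself, so installing the role
    # service pulls in the prerequisites; -logPath keeps a record for later troubleshooting.
    & $Smc -install ADFS-Proxy -logPath $Log
    switch ($LASTEXITCODE) {
        0       { Write-Host "ADFS-Proxy installed" }
        3010    { Write-Warning "ADFS-Proxy installed; restart before configuring the proxy" }   # assumed: restart required
        default { throw "ServerManagerCmd failed with exit code $LASTEXITCODE; see $Log" }
    }
}

# Re-check so a silent partial install does not go unnoticed.
foreach ($id in $features) {
    if (-not (Test-FeatureInstalled $id)) { Write-Warning "$id is still not installed" }
}
```

Installing the role service does not configure the proxy; the Federation Service Proxy still has to be pointed at the Federation Service and given its certificates in the AD FS snap-in afterwards.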

To ensure successful tracking of issues that may occur with this federation server proxy, configure event logging.

Configure Event Logging on a Federation Server Proxy

From a client computer, verify that the federation server proxy is operational.

Verify That a Federation Server Proxy Is Operational
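As an added example (not the checklist's verification procedure), the following PowerShell script, run from a client on the Internet side, opens an HTTPS connection to the federation server proxy, records the HTTP status, and checks the server authentication certificate the proxy presents for name match, chain validity and expiry. The proxy name and the /adfs/ls/ path are assumptions; the point is that a listener which answers but presents an untrusted or mismatched certificate is not operational from a client's perspective. Assumes Windows PowerShell 2.0.

```powershell
# Added example, not Microsoft's procedure. Name and URL path are assumptions.
$ProxyFqdn = "fs.contoso.com"             # assumed; must equal the certificate's DNS name
$Url       = "https://$ProxyFqdn/adfs/ls/" # assumed client logon endpoint on the proxy

function Test-ProxyEndpoint([string]$Url, [string]$ExpectedName) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false          # a redirect to the logon page is itself a valid answer
    $req.Timeout = 10000
    $status = $null
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # This is what a self-signed or wrongly issued certificate looks like to clients.
            throw "Client does not trust the certificate presented by ${Url}: $($ex.Message)"
        }
        if ($ex.Response -eq $null) {
            # No HTTP response at all: DNS, firewall, listener or TLS handshake problem.
            throw "No response from ${Url}: $($ex.Status) - $($ex.Message)"
        }
        $status = [int]$ex.Response.StatusCode   # an HTTP error still proves the listener is up
        $ex.Response.Close()
    }

    # The certificate from the handshake is cached on the ServicePoint for this host.
    $raw = $req.ServicePoint.Certificate
    if ($raw -eq $null) { throw "No server certificate captured for $Url" }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    New-Object PSObject -Property @{
        Url         = $Url
        HttpStatus  = $status
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NameMatches = ($dnsName -eq $ExpectedName)
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        DaysToExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$result = Test-ProxyEndpoint $Url $ProxyFqdn
$result | Format-List
if (-not $result.NameMatches -or -not $result.ChainValid -or $result.DaysToExpiry -lt 30) {
    Write-Warning "Proxy answers, but its server authentication certificate needs attention"
}
```

Treat a TrustFailure or a false NameMatches as a failed verification even though the port answers: users will be presented with a certificate warning, which is exactly the condition the warning about self-signed certificates earlier in this checklist describes.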