Provide Federated Access for Your Remote Employees on the Internet
Updated: January 31, 2008
Applies To: Windows Server 2008
This deployment goal builds on the deployment goal that is described in Provide Federated Access for Your Employees on the Corporate Network. It also makes it possible for remote employees to obtain Active Directory Federation Services (AD FS) tokens from the account federation server. After the client computer obtains the tokens, the remote employee's client computer can use the AD FS tokens to gain federated access to AD FS-secured applications that are hosted in another organization, as well as to access resources in the employee's own organization.
For more information, see Federated Web SSO Design.
For example, A. Datum Corporation may want remote employees to have federated access to AD FS-secured applications that are hosted in Trey Research, without requiring A. Datum employees to be on the A. Datum corporate network.
In addition to the foundational components that are described in Provide Federated Access for Your Employees on the Corporate Network and that are shaded in the following figure, the following components are required for this deployment goal:
Account federation server proxy: Employees who access the federated application from the Internet use this AD FS component to perform authentication. By default, this component performs forms authentication, but it can also perform basic authentication. You can also configure this component to perform Secure Sockets Layer (SSL) client authentication if users at your organization have certificates to present. For more information, see Where to Place a Federation Server Proxy.
Perimeter DNS: This implementation of Domain Name System (DNS) provides the host names for the perimeter network. For more information about how to configure perimeter DNS for a federation server proxy, see Name Resolution Requirements for Federation Server Proxies.
Remote employee: The remote employee accesses an AD FS-secured Web application through a supported Web browser, using valid credentials from the corporate network, while the employee is offsite using the Internet. The employee's client computer in the remote location communicates directly with the federation server proxy to generate a token and authenticate to the application.
The following illustration shows each of the required components for this AD FS deployment goal.
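The proxy design above depends on split name resolution: the federation service name must resolve to the federation server proxy for remote employees on the Internet and to the account federation server for clients on the corporate network. The following checker is an added example, not part of this page or of the AD FS product; the zone contents, host names and addresses are constructed, and the "perimeter address must not be RFC 1918" rule is an assumption about a proxy that remote employees reach directly from the Internet.

```python
import ipaddress

# Constructed sample data (hypothetical names and addresses, not from the page).
FEDERATION_SERVICE_NAME = "fs.adatum.example"

# Perimeter DNS: what a remote employee's resolver sees.
PERIMETER_ZONE = {
    "fs.adatum.example": "203.0.113.10",   # federation server proxy
}
# Internal DNS: what a client on the corporate network sees.
INTERNAL_ZONE = {
    "fs.adatum.example": "10.0.0.5",       # account federation server
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr falls in a private (RFC 1918) range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_split_dns(name: str, perimeter: dict, internal: dict) -> list:
    """Return findings for the federation service name; an empty list means the
    split-brain layout is consistent with the federation server proxy design."""
    findings = []
    ext = perimeter.get(name)
    inn = internal.get(name)
    if ext is None:
        findings.append(f"{name} is missing from perimeter DNS; remote employees cannot reach the proxy")
    elif is_rfc1918(ext):
        # Assumption: the proxy is addressed directly from the Internet.
        findings.append(f"{name} resolves to private address {ext} in perimeter DNS; unreachable from the Internet")
    if inn is None:
        findings.append(f"{name} is missing from internal DNS; corporate clients cannot reach the federation server")
    elif ext is not None and inn == ext:
        # Internal clients should talk to the federation server, not detour through the proxy.
        findings.append(f"{name} resolves to {inn} on both sides; internal clients would authenticate through the proxy")
    return findings


if __name__ == "__main__":
    for finding in check_split_dns(FEDERATION_SERVICE_NAME, PERIMETER_ZONE, INTERNAL_ZONE) or ["split DNS OK"]:
        print(finding)
```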