Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Prepare your network infrastructure for configuring extranet access

Updated: January 27, 2014

Applies To: Office 365, Windows Azure, Windows Intune

To complete all of the tasks using the following procedures you must first be logged into the computers as a member of the Administrators group, or have been delegated equivalent permissions.

Checklist Checklist: Prepare your network infrastructure for configuring extranet access

 

Deployment task Links to topics in this section Completed

1. Prepare two computers running either the Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 operating system to be set up as federation server proxy. If you are using AD FS in Windows Server 2012 R2, your proxy computers must also run Windows Server 2012 R2 and you must deploy Web Application Proxy – a new Remote Access role service that can be used for configuring your AD FS for extranet access. Depending on the number of users you have, you can use existing web or proxy servers or use a dedicated computer.

N/A

Checkbox

2. Add the name of the Federation Service in the corporate network (the cluster DNS name you created earlier on the NLB host in the corporate network) and its associated cluster IP address to the hosts files on each federation server proxy or web application proxy computer in the perimeter network.

Add the cluster DNS name and IP address to the hosts file on the proxy computer

Checkbox

3. Create a new cluster DNS name and cluster IP address on the NLB host in the perimeter network and then add the federation server computers to the NLB cluster. If you are using Windows Server technology for your current NLB hosts, choose the appropriate link to the right based on your operating system version.

ImportantImportant
The cluster DNS name used for this new NLB cluster must match the name of the Federation Service in the corporate network.

noteNote
This step is optional in a test deployment of this SSO solution with a single AD FS federation server.

To create and configure NLB clusters on Windows Server 2003 and Windows Server 2003 R2, see Checklist: Enabling and configuring Network Load Balancing.

To create and configure NLB clusters on Windows Server 2008, see Creating Network Load Balancing Clusters.

To create and configure NLB clusters on Windows Server 2008 R2, see Creating Network Load Balancing Clusters.

For more information about NLB in Windows Server 2012 or Windows Server 2012 R2, see Network Load Balancing Overview.

Checkbox

4. Create a new resource record for the NLB cluster in the perimeter network DNS that points the cluster DNS name of the NLB cluster to its cluster IP address.

Add a resource record to the perimeter DNS for the cluster DNS name configured on the perimeter NLB host

Checkbox

5. Use the same server authentication certificate as the one used by the federation servers in the corporate network. If you are using AD FS in Windows Server 2008 or Windows Server 2012, you must install this certificate on the Default Web Site of the federation server proxy computer. If you are using AD FS in Windows Server 2012 R2, you must import this certificate to the Personal Certificates store on the computer that will function as your Web Application Proxy.

Import a server authentication certificate to the proxy computer

Checkbox

In order for the federation server proxy or Web Application Proxy to work as expected in the perimeter network, you must add an entry to the hosts file on each federation server proxy or Web Application Proxy computer that points to the cluster DNS name hosted by the NLB in the corporate network (for example, fs.fabrikam.com) and its IP address (for example, 172.16.1.3). Adding this entry to the hosts file enables the federation server proxy or Web Application Proxy to properly route a client-initiated call to a federation server either within the perimeter network or outside the perimeter network.

  1. Navigate to the %systemroot%\Winnt\System32\Drivers directory folder and locate the hosts file.

  2. Start Notepad, and then open the hosts file.

  3. Add the IP address and the host name of a federation server in the hosts file, as shown in the following example:

    172.16.1.3             fs.fabrikam.com

  4. Save and close the file.

ImportantImportant
If the cluster IP address on the NLB host in the corporate network ever changes, you must update the local hosts file on each federation server proxy or Web Application Proxy.

To service authentication requests from clients either in the perimeter network or outside the perimeter network, AD FS requires name resolution to be configured on external-facing DNS servers that host the organization’s zone (for example, fabrikam.com).

To do this, add a Host (A) Resource Record to the external-facing DNS server that serves only the perimeter network for the cluster DNS name (for example, “fs.fabrikam.com”) to point to the external cluster IP address that has just been configured.

  1. On a DNS server for the perimeter network, open the DNS snap-in. Click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, right-click the applicable forward lookup zone (for example, fabrikam.com), and then click New Host (A or AAAA).

  3. In Name, type only the name of the cluster DNS name you specified on the NLB host in the perimeter network (this should be the same DNS name as the name of the Federation Service). For example, for the FQDN fs.fabrikam.com, type fs.

  4. In IP address, type the IP address for the new cluster IP address you specified on the NLB host in the perimeter network. For example, 192.0.2.3.

  5. Click Add Host.

After you obtain a server authentication certificate used by one of the federation servers in the corporate network, you must manually install that certificate onto either:.

  1. The Default Web Site for each federation server proxy in your organization, if you are using AD FS in Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012

  2. The Personal Store of each Web Application Proxy in your organization, if you are using AD FS in Windows Server 2012 R2.

Because this certificate must be trusted by clients of AD FS and Microsoft cloud services, use an SSL certificate that is issued by a public (third-party) CA or by a CA that is subordinate to a publicly trusted root; for example, VeriSign or Thawte. For information about installing a certificate from a public CA, see IIS 7.0: Request an Internet Server Certificate.

noteNote
The subject name of this server authentication certificate must match the FQDN of the cluster DNS name (for example, fs.fabrikam.com) you created earlier on the NLB host. If Internet Information Services (IIS) has not been installed, you must install IIS first in order to complete this task. When installing IIS for the first time, we recommend that you use the default feature options when prompted during the installation of the server role.

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ComputerName.

  3. In the center pane, double-click Server Certificates.

  4. In the Actions pane, click Import.

  5. In the Import Certificate dialog box, click the button.

  6. Browse to the location of the pfx certificate file, highlight it, and then click Open.

  7. Type a password for the certificate, and then click OK.

Now that you have prepared your network infrastructure for either Web Application Proxies or federation server proxies, the next step is to complete the tasks in either the following topic or the following checklist, depending on what version of AD FS you want to use:

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.