Federation Server Proxies

Applies To: Active Directory Federation Services (AD FS) 2.0

You can use a federation server proxy to enhance the security and performance of your Active Directory Federation Services (AD FS) 2.0 deployment. When you install the AD FS 2.0 software on a computer and configure it for the federation server proxy role, that computer functions as a proxy server in a perimeter network (also known as a screened subnet) for a protected Federation Service on an internal network.

For more information about how to plan and deploy federation server proxies in your organization, see Planning Federation Server Proxy Placement (https://go.microsoft.com/fwlink/?LinkId=182439) in the AD FS 2.0 Design Guide.

Deploying a federation server proxy

To deploy a federation server proxy, you should have an existing Federation Service already installed on your corporate network. It should already be configured to have its endpoints enabled for use with a federation server proxy. After these steps are complete, you can configure a new federation server proxy using the AD FS 2.0 Federation Server Proxy Configuration Wizard or the Fsconfig.exe command-line tool.

For more information about how to deploy a new federation server proxy, see Checklist: Setting Up a Federation Server Proxy (https://go.microsoft.com/fwlink/?LinkId=182443) in the AD FS 2.0 Deployment Guide.

Requests that the federation server proxy accepts

The federation server proxy accepts the following types of client requests. It communicates with a back-end Federation Service to service the requests:

  • WS-Trust RST

  • WS-MetadataExchange (MEX)

  • WS-Federation Passive

  • SAML Web SSO

  • WS-Federation Metadata

These services are exposed over HTTP or HTTPS (Hypertext Transfer Protocol or Secure Hypertext Transfer Protocol), and client connections terminate at the proxy. The proxy then submits each back-end request to the protected AD FS 2.0 Federation Service over a new connection of its own.
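To make the two-connection model concrete, here is an added Python illustration; it is not AD FS code and is not taken from this guide. A minimal reverse proxy terminates the client connection, forwards only an allow-list of endpoint path prefixes to a stub back-end over a fresh connection (adding X-Forwarded-* headers and stripping hop-by-hop headers), and refuses everything else with 403. The stub back-end, the use of ephemeral local ports, and the path prefixes are constructed for the example: the prefixes follow the standard AD FS endpoint layout (/adfs/ls/ for WS-Federation Passive and SAML Web SSO, /adfs/services/trust/ for WS-Trust RST and MEX, /FederationMetadata/2007-06/ for WS-Federation Metadata) but are assumptions here, since the page itself does not list them. Plain HTTP is used so the example runs locally; a real proxy would terminate HTTPS.

```python
"""Illustrative reverse proxy in the style of a federation server proxy.

The client's connection ends at the proxy; the proxy opens a new connection
to the protected back-end and forwards only allow-listed endpoint prefixes.
Everything here is constructed for the example and is not AD FS code.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Endpoint prefixes the proxy publishes (assumed; standard AD FS layout).
ALLOWED_PREFIXES = (
    "/adfs/ls/",                     # WS-Federation Passive and SAML Web SSO
    "/adfs/services/trust/",         # WS-Trust RST and WS-MetadataExchange
    "/FederationMetadata/2007-06/",  # WS-Federation Metadata
)

# Hop-by-hop headers belong to one connection and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "transfer-encoding",
              "upgrade"}


def is_allowed(path):
    """True only for paths under a published prefix (query string included)."""
    return path.startswith(ALLOWED_PREFIXES)


def make_proxy_handler(backend_base):
    """Build a handler that relays allow-listed requests to backend_base."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_GET(self):
            self._forward(body=None)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            self._forward(body=self.rfile.read(length))

        def _forward(self, body):
            if not is_allowed(self.path):
                self.send_error(403, "Endpoint not published through proxy")
                return
            # Rebuild headers for the NEW back-end connection: drop the
            # client's Host and hop-by-hop headers, record the original peer.
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
            headers["X-Forwarded-For"] = self.client_address[0]
            headers["X-Forwarded-Host"] = self.headers.get("Host", "")
            req = Request(backend_base + self.path, data=body,
                          headers=headers, method=self.command)
            try:
                with urlopen(req, timeout=5) as resp:
                    status, rheaders, data = resp.status, resp.getheaders(), resp.read()
            except HTTPError as err:  # relay back-end error statuses unchanged
                status, rheaders, data = err.code, list(err.headers.items()), err.read()
            self.send_response(status)
            for k, v in rheaders:
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return ProxyHandler


class StubFederationService(BaseHTTPRequestHandler):
    """Stand-in for the protected Federation Service (constructed)."""

    def log_message(self, *args):
        pass

    def _reply(self):
        peer = self.headers.get("X-Forwarded-For", "none")
        body = f"backend saw {self.path} via proxy, client {peer}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply()


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(url):
    """Return (status, body); HTTP error statuses are ordinary results here."""
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run stub back-end and proxy locally; return results per endpoint."""
    backend = start_server(StubFederationService)
    backend_base = f"http://127.0.0.1:{backend.server_address[1]}"
    proxy = start_server(make_proxy_handler(backend_base))
    proxy_base = f"http://127.0.0.1:{proxy.server_address[1]}"
    results = {
        "metadata": fetch(proxy_base + "/FederationMetadata/2007-06/FederationMetadata.xml"),
        "mex": fetch(proxy_base + "/adfs/services/trust/mex"),
        "blocked": fetch(proxy_base + "/adfs/not-published"),
    }
    proxy.shutdown()
    backend.shutdown()
    return results


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body[:60]!r}")
```

The allow-list is the security point: a proxy in the perimeter network should publish only the endpoint types the internal Federation Service has enabled for proxy use, so anything outside those prefixes never reaches the internal network. The X-Forwarded-For header shows that the back-end sees the proxy as its TCP peer and learns the original client address only from what the proxy chooses to relay.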