Where to place an ADFS-enabled Web server
Updated: December 15, 2006
Applies To: Windows Server 2003 R2
As is typical with perimeter networks, an intranet-facing firewall is established between the perimeter network and the corporate network, and an Internet-facing firewall is often established between the perimeter network and the Internet. In this situation, an Active Directory Federation Services (ADFS)–enabled Web server is placed between both of these firewalls on the perimeter network so that users coming from the Internet can access it.
In contrast, federation servers are typically placed inside the corporate network for security purposes. In scenarios in which you want to reduce the number of servers or public certificates in your ADFS deployment, you can make your ADFS-enabled Web server a federation server or federation server proxy by installing either the Federation Service or Federation Service Proxy component. However, placing a federation server on the perimeter network exposes that server to Internet clients, and this is not a security best practice. For more information, see Where to place a federation server.
Configuring your firewall servers for an ADFS-enabled Web server
So that ADFS-enabled Web servers can communicate directly with federation servers, both the intranet-facing firewall server and the Internet-facing firewall server must be configured to allow HTTPS traffic (HTTP over SSL/TLS), normally on TCP port 443: the Internet-facing firewall for traffic from Internet clients to the ADFS-enabled Web server, and the intranet-facing firewall for traffic from the ADFS-enabled Web server to the federation servers. HTTPS is required because ADFS-enabled Web servers communicate with federation servers, and with clients, over HTTPS only. ADFS relies on the SSL/TLS channel for channel security, so do not publish the Web server over plain HTTP (port 80).
In addition, intranet-facing and Internet-facing firewall servers, such as servers running Internet Security and Acceleration (ISA) Server, use a process known as server publishing to forward Internet client requests to the appropriate corporate federation servers and ADFS-enabled Web servers. Consequently, you must manually create a publishing rule on each intranet and Internet ISA Server computer that publishes the ADFS-enabled Web server URL (https://ws.treyresearch.net).
For general information about how to configure ISA Server to publish a server, see Create a secure Web publishing rule (http://go.microsoft.com/fwlink/?LinkId=74605).
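The firewall requirements above lend themselves to a quick self-check before the rules go live. The following Python script is an added example, not code from the original page or from Microsoft: it models each firewall as an ordered, first-match rule table with an implicit default deny and audits the tables against the flows this topology needs (Internet clients to the ADFS-enabled Web server on TCP 443, the Web server to the federation server on TCP 443) and against the exposures the page warns about (a federation server reachable from the Internet, anything published over plaintext HTTP). The host name fs.treyresearch.net for the federation server, the zone names, and both rule tables are constructed assumptions; ws.treyresearch.net is the page's own sample host.

```python
"""Added example: offline audit of perimeter firewall rules for an ADFS-enabled
Web server placed between an Internet-facing and an intranet-facing firewall.
Host names other than ws.treyresearch.net are assumptions for this example."""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

WEB_SERVER = "ws.treyresearch.net"         # ADFS-enabled Web server on the perimeter network
FEDERATION_SERVER = "fs.treyresearch.net"  # assumed name for the corporate federation server


@dataclass(frozen=True)
class Rule:
    firewall: str  # "internet" (Internet-facing) or "intranet" (intranet-facing)
    src: str       # source zone: "internet", "perimeter" or "corpnet"
    dst: str       # destination host name, or "*" for any host
    port: int      # TCP port, or 0 for any port
    action: str    # "allow" or "deny"


# Flows the topology needs: Internet clients reach the Web server over HTTPS,
# and the Web server reaches the federation server over HTTPS.
REQUIRED: List[Tuple[str, str, str, int]] = [
    ("internet", "internet", WEB_SERVER, 443),
    ("intranet", "perimeter", FEDERATION_SERVER, 443),
]

# Flows the page warns against: the federation server must not be reachable
# from the Internet, and nothing should be reachable over plaintext HTTP.
FORBIDDEN: List[Tuple[str, str, str, int]] = [
    ("internet", "internet", FEDERATION_SERVER, 443),
    ("internet", "internet", WEB_SERVER, 80),
    ("intranet", "perimeter", FEDERATION_SERVER, 80),
]


def permits(rules: List[Rule], firewall: str, src: str, dst: str, port: int) -> bool:
    """First-match evaluation with an implicit default deny, the way an
    ordered firewall policy is applied; rule order therefore matters."""
    for r in rules:
        if (r.firewall == firewall and r.src == src
                and r.dst in (dst, "*") and r.port in (port, 0)):
            return r.action == "allow"
    return False


def check_published_url(url: str) -> List[str]:
    """Flag a publishing rule whose URL would expose the Web server over plaintext
    or on a port the firewall rules do not carry."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"PLAINTEXT: published URL {url} must use https")
    if parts.port not in (None, 443):
        findings.append(f"PORT: published URL {url} uses port {parts.port}, expected 443")
    return findings


def audit(rules: List[Rule], published_url: str) -> List[str]:
    """Return a list of findings; an empty list means the tables match the topology."""
    findings = check_published_url(published_url)
    for fw, src, dst, port in REQUIRED:
        if not permits(rules, fw, src, dst, port):
            findings.append(f"MISSING: {fw} firewall must allow {src} -> {dst}:{port}")
    for fw, src, dst, port in FORBIDDEN:
        if permits(rules, fw, src, dst, port):
            findings.append(f"EXPOSED: {fw} firewall allows {src} -> {dst}:{port}")
    return findings


# Constructed sample tables. GOOD_RULES publishes only HTTPS to the Web server
# and lets only the perimeter network talk to the federation server.
GOOD_RULES = [
    Rule("internet", "internet", WEB_SERVER, 443, "allow"),
    Rule("internet", "internet", "*", 0, "deny"),
    Rule("intranet", "perimeter", FEDERATION_SERVER, 443, "allow"),
    Rule("intranet", "perimeter", "*", 0, "deny"),
]

# BAD_RULES publishes port 80, omits the intranet allow, and has an "any host"
# allow on 443 ahead of the deny, so the federation server leaks through.
BAD_RULES = [
    Rule("internet", "internet", "*", 443, "allow"),
    Rule("internet", "internet", WEB_SERVER, 80, "allow"),
    Rule("internet", "internet", "*", 0, "deny"),
    Rule("intranet", "perimeter", "*", 0, "deny"),
]

if __name__ == "__main__":
    for name, rules, url in (("good", GOOD_RULES, f"https://{WEB_SERVER}"),
                             ("bad", BAD_RULES, f"http://{WEB_SERVER}")):
        print(name, audit(rules, url) or ["OK"])
```

Running the script reports OK for the first table and four findings for the second (the plaintext URL, the missing perimeter-to-federation-server allow, and the two exposures). In practice you would fill the tables from your actual firewall configuration rather than typing them in; the point of the check is that an over-broad allow placed ahead of a deny exposes the federation server even though a deny rule exists.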
Joining an ADFS-enabled Web server to a domain
ADFS-enabled Web servers that host a Windows NT token-based application must be joined to the same domain as the resource federation server, because the ADFS Web Agent must obtain a Windows NT token for the user from that domain. Because claims-aware applications do not require a Windows NT token for authorization, servers that host only claims-aware applications do not have to be joined to any domain.