Checklist: Setting Up a Federation Server Proxy
Updated: February 24, 2012
Applies To: Windows Server 2012
This checklist includes the deployment tasks for preparing a server running Windows Server® 2012 for the federation server proxy role in Active Directory Federation Services (AD FS).
Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
Checklist: Setting Up a federation server proxy
Before you begin deploying your AD FS federation server proxies, review the AD FS deployment topology types and their associated server placement and network layout recommendations.
Review AD FS capacity planning guidance to determine the proper number of federation server proxies you should use in your production environment.
Determine whether a single federation server proxy or a federation server proxy farm is better for your deployment.
Determine whether this new federation server proxy will be created in the perimeter network of the account partner organization or the resource partner organization.
Before you install AD FS on a computer that will become a federation server proxy, read about the importance of obtaining a server authentication certificate and, for federation server proxy farms, adding or sharing certificates across all the servers in a farm.
Review information in the AD FS Design Guide about how to update Domain Name System (DNS) in the perimeter network so that successful name resolution for federation servers and federation server proxies can occur.
Determine whether the federation server proxy must be joined to a domain. Although federation server proxies do not have to be joined to a domain, they are easier to manage with remote administration and Group Policy features when they are joined to a domain.
Depending on how the DNS infrastructure in your perimeter network is configured, complete one of the procedures in the topics on the right before you deploy a federation server proxy in your organization.
After you obtain a server authentication certificate, you must install it in Internet Information Services (IIS) on the default Web site of the federation server proxy.
(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use IIS to acquire a sample certificate for your federation server proxy.
Because IIS generates a self-signed certificate that does not originate from a trusted source, use it to create a self-signed certificate only in the following scenarios:
IIS: Create a Self-Signed Server Certificate (http://go.microsoft.com/fwlink/?LinkID=108271)
Install the Federation Service Proxy role service on the computer that will become the federation server proxy.
Configure the AD FS software on the computer to act in the federation server proxy role by using the AD FS Federation Server Proxy Configuration Wizard.
Using Event Viewer, verify that the federation server proxy service has started.
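The server authentication certificate tasks in this checklist can be checked from PowerShell before a certificate is bound to the default Web site in IIS. The script below is an added example, not part of the original checklist or of Microsoft's tooling; the host name `fs.contoso.example` and the 30-day renewal threshold are assumed placeholders.

```powershell
# Added example: audit certificates in the local machine store before binding
# one to the Default Web Site on a federation server proxy.
# Assumptions: $HostName is a placeholder for the name clients use to reach
# the proxy; $WarnDays is an arbitrary renewal threshold.
param(
    [string]$HostName = 'fs.contoso.example',
    [int]$WarnDays = 30
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $findings = @()

    # Self-signed certificates have identical subject and issuer.
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed' }
    if (-not $cert.HasPrivateKey)       { $findings += 'no private key' }

    if ($cert.NotBefore -gt $now)                       { $findings += 'not yet valid' }
    if ($cert.NotAfter -lt $now)                        { $findings += 'expired' }
    elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $findings += "expires within $WarnDays days" }

    # An empty EKU list means the certificate is valid for all purposes.
    $eku = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
    if ($eku.Count -gt 0 -and $eku -notcontains $serverAuthOid) {
        $findings += 'no Server Authentication EKU'
    }

    # DnsNameList holds the subject CN and SAN DNS names; -like allows a
    # wildcard entry such as *.contoso.example (looser than strict TLS matching).
    $names = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
    if (-not ($names | Where-Object { $HostName -like $_ })) {
        $findings += "name does not cover $HostName"
    }

    # Build the chain against the local trust stores without revocation lookups.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) { $findings += 'chain not trusted locally' }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

A certificate reported as `self-signed` or `chain not trusted locally` is the kind the checklist restricts to limited scenarios; for a farm, run the script on every proxy and compare thumbprints.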