Checklist: Configure extranet access for AD FS on legacy versions of Windows Server

Applies To: Azure, Office 365, Power BI, Windows Intune

The following checklist includes the deployment tasks that are necessary to deploy two federation server proxies that will redirect authentication requests to a federation server in your new federation server farm.

Checklist: Deploy your federation server proxies

Deployment task | Links to topics in this section | Completed

1. Install the AD FS software on the computer that will become the federation server proxy.
   Topic: Install the AD FS software on the proxy computer
   Completed: [ ]

2. Configure the AD FS software on the computer to act in the federation server proxy role by using the AD FS Federation Server Proxy Configuration Wizard.
   Topic: Configure a computer for the federation server proxy role
   Completed: [ ]

3. Using Event Viewer, verify that the federation server proxy service has started.
   Topic: Verify that the federation server proxy is operational
   Completed: [ ]

4. Optional step - Optimize congestion control settings between Web Application Proxy and the AD FS servers.

The extranet-facing federation server proxy can throttle requests from the extranet when the latency between the federation server proxy and the federation server rises above a certain threshold. Using this mechanism, the federation server proxy rejects external client authentication requests when the federation server appears overloaded, as inferred from the latency between the federation server proxy and the federation server while servicing authentication requests. The mechanism is closely related to the Additive Increase Multiplicative Decrease (AIMD) algorithm used for congestion control in TCP: it maintains a congestion window, represented as a pool of tokens, and leases a token to each incoming request at the federation server proxy.

In a high-latency DMZ network, or on a heavily loaded federation server proxy, the default settings that control this algorithm can cause authentication requests to be rejected even though the federation server could have satisfied them. In such an environment, we strongly recommend making the settings less aggressive by performing the following steps.

  1. On your federation server proxy computer, start an elevated command window.

  2. Navigate to the ADFS directory. For Windows Server 2012, it is at %windir%\ADFS. For Windows Server 2008 and Windows Server 2008 R2, it is at %programfiles%\Active Directory Federation Services 2.0.

  3. Change the congestion control settings from their default values to <congestionControl latencyThresholdInMSec="8000" minCongestionWindowSize="64" enabled="true" />.

  4. Save and close the file.

  5. Restart the AD FS service by running "net stop adfssrv" and then "net start adfssrv".
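As an added example (not from the original page and not Microsoft's own tooling), the following PowerShell script carries out steps 2 through 5 from an elevated prompt, keeping a backup and showing the element before and after the change. The page does not name the configuration file that holds the congestionControl element, so the file name is a placeholder you must replace; the script also assumes the element can be found with the XPath //congestionControl.

```powershell
# Added example, not from the original page. The config file name below is a
# placeholder: the page does not name the file, only the directory it lives in.
param(
    # Windows Server 2012 location; on Windows Server 2008 / 2008 R2 use
    # "$env:ProgramFiles\Active Directory Federation Services 2.0" instead.
    [string]$AdfsDir = (Join-Path $env:windir 'ADFS'),
    [string]$ConfigFile = '<PROXY-SERVICE-CONFIG-FILE>.exe.config',  # placeholder
    [int]$LatencyThresholdInMSec = 8000,   # value recommended on the page
    [int]$MinCongestionWindowSize = 64     # value recommended on the page
)

$path = Join-Path $AdfsDir $ConfigFile
if (-not (Test-Path $path)) { throw "Config file not found: $path" }

# Keep a timestamped backup so the change can be rolled back.
$backup = "$path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $path -Destination $backup
Write-Host "Backup written to $backup"

# Load the file as XML and locate the congestion control element (assumed XPath).
[xml]$xml = Get-Content -Path $path
$node = $xml.SelectSingleNode('//congestionControl')
if ($null -eq $node) { throw "No <congestionControl> element found in $path" }

Write-Host ("Before: " + $node.OuterXml)
$node.SetAttribute('latencyThresholdInMSec', "$LatencyThresholdInMSec")
$node.SetAttribute('minCongestionWindowSize', "$MinCongestionWindowSize")
$node.SetAttribute('enabled', 'true')
Write-Host ("After:  " + $node.OuterXml)

# Save (step 4), then restart the service (step 5, same effect as net stop/net start adfssrv).
$xml.Save($path)
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Name, Status
```

Run it once per federation server proxy; the final line confirms the service came back to the Running state before you move on to Event Viewer.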

See Also

Concepts

Checklist: Use AD FS to implement and manage single sign-on