Active Directory-Related Services and Resulting Internet Communication in Windows Server 2008 R2
Updated: December 16, 2009
Applies To: Windows 7, Windows Server 2008 R2
This section provides overview information about how Active Directory® Federation Services (AD FS) communicates across the Internet. It also provides brief overview information about Active Directory Rights Management Services (AD RMS), which your organization might use to send information across the Internet.
For information about Active Directory Certificate Services (AD CS), which focuses on the handling of certificates in your organization, see Certificate Support and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 later in this document.
Note: It is beyond the scope of this document to describe all aspects of maintaining appropriate levels of security in an organization that is running servers that support users who are communicating across the Internet. This section, however, provides overview information and suggestions for other sources of information about using AD FS. You can use AD FS as part of a strategy for balancing your organization’s requirements for Internet communication with requirements for protecting networked assets.
Active Directory Federation Services (AD FS) is a server role in Windows Server® 2008 R2 that you can use to create a highly extensible, security-enhancing, and scalable identity Internet access solution that can operate across multiple platforms, including Windows® and non-Windows environments. AD FS provides browser-based clients (internal or external to your network) with a seamless "one prompt" logon process. This logon allows access to one or more protected Internet-facing applications, even when the user accounts and applications are located in different networks or organizations.
Active Directory Rights Management Services (AD RMS) is a server role in Windows Server 2008 R2 that you can use to augment your organization's security strategy. You can protect information through persistent usage policies, which remain with the information regardless of where it is moved. You can use AD RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from intentionally or accidentally being compromised by a malicious user.
If you want to support Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications over the life of a single online session, you can use AD FS in connection with appropriately designed Web applications, also known as federated applications. AD FS provides support to federated applications by helping secure digital identity and entitlement rights, or "claims," which are shared across security and enterprise boundaries. Because of the relationship between AD FS and federated Web applications, you can control the resulting Internet communication by controlling the design of the applications and the design of your AD FS configuration.
It is beyond the scope of this document to provide guidelines about how to design an AD FS configuration or a federated Web application. For more information, see Additional references for AD FS and federated Web application design later in this section.
Because AD FS serves Web browser clients over a Hypertext Transfer Protocol Secure (HTTPS) connection, HTTPS connectivity must be available to the federation servers and federation server proxies. The default port for HTTPS is port 443, but another port number may be used depending on your IIS configuration. Firewalls between clients and federation servers or federation server proxies must be configured to allow HTTPS traffic.
Just as clients need HTTPS connectivity to the federation server, the federation server proxy requires HTTPS connectivity to the federation server.
If any certificate that you use has certificate revocation lists (CRLs), the server with the configured certificate must be able to contact the server that distributes the CRLs. The type of CRL distribution point (for example, HTTP or LDAP) determines the ports that are used.
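The HTTPS and CRL reachability requirements described above can be verified from the federation server or federation server proxy itself. The following Windows PowerShell script is an added example, not part of the original document; it assumes a placeholder federation server name (fs.example.com), the default HTTPS port 443, and an English-locale rendering of the CRL Distribution Points extension.

```powershell
# Added example, not from the original document. Checks the two connectivity
# requirements from this host: HTTPS to the federation server, and TCP
# reachability of the CRL distribution points of installed certificates.
# Written for Windows PowerShell 2.0 on Windows Server 2008 R2, so it uses
# System.Net sockets rather than the later Test-NetConnection cmdlet.
param(
    [string]$FederationServer = 'fs.example.com',   # placeholder, assumed
    [int]$HttpsPort = 443                           # change if IIS binds HTTPS elsewhere
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. HTTPS from this host to the federation server (proxy -> server, or client -> either).
$https = Test-TcpPort -HostName $FederationServer -Port $HttpsPort
Write-Output ("HTTPS {0}:{1} reachable={2}" -f $FederationServer, $HttpsPort, $https)

# 2. CRL distribution points of every certificate in the machine's personal store.
#    The port follows the URL scheme: System.Uri supplies 80 for http and 389 for ldap.
$crlDpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $crlDpOid }
    if (-not $ext) { return }   # no CDP extension: nothing to check for this cert
    # Format() renders each distribution point as "URL=<value>" (English locale assumed).
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $uri = [Uri]$url
        if (-not $uri.Host) {
            # ldap:/// URLs name no host; the client picks a domain controller itself.
            Write-Output ("{0}  {1}  (no host in URL, resolved via domain; skipped)" -f $cert.Thumbprint, $url)
            continue
        }
        $ok = Test-TcpPort -HostName $uri.Host -Port $uri.Port
        Write-Output ("{0}  {1}://{2}:{3} reachable={4}" -f $cert.Thumbprint, $uri.Scheme, $uri.Host, $uri.Port, $ok)
    }
}
```

A TCP connection succeeding only shows the firewall path is open; a false result for an LDAP distribution point on a domain-joined host usually points at a blocked port 389 between the server and its domain controllers.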
The AD FS design called "Federated Web SSO with Forest Trust" has specific port requirements. For more information, see Federated Web SSO with Forest Trust design.
For information about the port requirements that are associated with forest trusts, see the last section of How Domain and Forest Trusts Work.
Extensive information is available on TechNet and MSDN about AD FS and about federated application design.
For a list of links to information about AD FS, see:
Active Directory Federation Services
For information about designing an AD FS configuration and about key concepts for AD FS designs, see:
For information about how AD FS can affect privacy, see:
Review how ADFS may affect privacy
For information about how a developer can build AD FS-aware Web applications, see:
Active Directory Federation Services
Extensive information is available on TechNet and MSDN about AD RMS.
For a list of links to information about AD RMS, see:
Active Directory Rights Management Services
For an overview of AD RMS, see:
Active Directory Rights Management Services Overview
For information about using AD RMS with AD FS, see:
AD RMS with AD FS Identity Federation Step-by-Step Guide