Creating a portal trunk for AD FS 2.0
Published: October 21, 2010
Updated: July 31, 2012
Applies To: Unified Access Gateway
To enable a Forefront Unified Access Gateway (UAG) portal trunk for Active Directory Federation Services (AD FS) 2.0, you must configure the Forefront UAG portal trunk that publishes the applications for which you want to allow AD FS 2.0 access to use the AD FS 2.0 authentication server.
This topic describes how to create a Forefront UAG portal trunk for AD FS 2.0. The following procedure assumes that you have already defined an AD FS 2.0 authentication server.
Create a portal trunk as described in Setting up a trunk. Note the following:
On the Setting the Trunk page of the wizard, in Public host name, the host name must match the Secure Sockets Layer (SSL) certificate that you will use on this trunk. In HTTPS port, you must use the default port of 443.
On the Authentication page, select the AD FS 2.0 authentication server.
On the Completing the Create Trunk Wizard page, the URL of the federation metadata file is shown on this page of the wizard. The federation metadata file is not available until after you activate the configuration.
- On the Setting the Trunk page of the wizard, in Public host name, the host name must match the Secure Sockets Layer (SSL) certificate that you will use on this trunk. In HTTPS port, you must use the default port of 443.
After successfully activating the configuration, the federation metadata file that is required for creating the relying party trust with the AD FS 2.0 server is created in the following folder: ...\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\<trunk_name>\FederationMetadata\2007-06. If the AD FS 2.0 server has access to the Internet, you can access the federation metadata file using the following URL: https://<Portal_FQDN>/InternalSite/ADFSv2Sites/<trunk_name>/FederationMetadata/2007-06/FederationMetadata.xml. You cannot access this URL on the internal network.
You can check the following items in your configuration:
Make sure that the federation metadata file was successfully created on the Forefront UAG server and that the AD FS 2.0 application was successfully added to the Forefront UAG trunk.
Make sure that the server address and the public host name are identical on the Web Servers tab of the Application Properties dialog box.
You can also check that the passive endpoints in the Paths box on the Web Servers tab correspond with the settings on the AD FS 2.0 server.
For troubleshooting information, see Troubleshooting Forefront UAG with AD FS 2.0 activation errors (http://go.microsoft.com/fwlink/?LinkId=206518).
Your AD FS 2.0 server must be available to external users. It is recommended to use an AD FS 2.0 proxy server; however, you can also publish the AD FS 2.0 server manually, see Creating and managing the AD FS 2.0 application.