Install proxy server Windows
Now we need to make the AD FS infrastructure available to the Internet in a secure fashion, so that Office 365 will be able to contact the AD FS proxy to authenticate user requests.
Planning And Prerequisites
Install And Configure AD FS Proxy OS
In this installation, the AD FS proxy server will be placed into the DMZ, and installed as a workgroup machine since the TailspinToys organisation does not possess a separate management forest in the DMZ. Ensure the machine is built as per your standard build process, is secured and all Microsoft updates are installed.
You will want to install the to light up additional pieces of AD FS functionality, but we will save that for a later blog post. If you do want to take a peek at this now, the PFE Platform folks are rocking it over here – please subscribe to their RSS feed too!
Install And Verify Certificate
As discussed in part one, you will need a certificate from a trusted third party. Check with the CA that you are permitted to install the certificate onto multiple servers, as this is blocked in some license agreements. This is something that you must confirm directly with the CA.
If you are allowed to reuse the certificate from the AD FS server, this simplifies matters; otherwise you will require an additional certificate. The name must match the AD FS namespace that you selected through the AD FS design process.
Since the AD FS proxy server will be in a network that may not have access to the internal DNS zone information, ensure that it is able to resolve the AD FS namespace to the internal AD FS infrastructure. A swift update to the local hosts file may suffice; just remember to add this to your build documentation.
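The hosts-file pin and certificate checks described above, as an added PowerShell pre-flight script for the WAP server (not code from the original post). The AD FS namespace, the internal farm VIP and the hosts-file path are assumptions and placeholders; run it in an elevated session because it edits the hosts file.

```powershell
# Added example, not from the original post: pre-flight checks on the DMZ WAP
# server before the AD FS proxy role is installed. Values below are placeholders.
$AdfsFqdn    = 'sts.tailspintoys.example'   # placeholder AD FS namespace
$InternalVip = '10.0.1.50'                  # placeholder internal AD FS farm VIP
$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Pin the AD FS namespace to the internal farm in the local hosts file,
#    because the DMZ host cannot see the internal DNS zone (needs elevation).
$entry = "$InternalVip`t$AdfsFqdn"
$hosts = Get-Content -Path $HostsPath -ErrorAction Stop
$pattern = "^\s*\S+\s+$([regex]::Escape($AdfsFqdn))(\s|$)"
if (-not ($hosts | Where-Object { $_ -match $pattern })) {
    Add-Content -Path $HostsPath -Value $entry
    Write-Host "Added hosts entry: $entry"
}

# 2. Confirm the name now resolves to the internal VIP. The .NET resolver goes
#    through the OS stack, so the hosts-file entry is honoured.
$resolved = [System.Net.Dns]::GetHostAddresses($AdfsFqdn) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $InternalVip) {
    throw "$AdfsFqdn resolves to [$($resolved -join ', ')], expected $InternalVip"
}

# 3. Confirm TCP 443 to the internal farm is open through the DMZ firewall.
if (-not (Test-NetConnection -ComputerName $AdfsFqdn -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 to $AdfsFqdn is blocked; check the DMZ firewall rule"
}

# 4. Verify the third-party certificate is in the machine store with its private
#    key, covers the AD FS namespace, is not about to expire, and chains to a
#    trusted root on this host.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $AdfsFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for $AdfsFqdn in LocalMachine\My"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan a renewal"
}
if (-not $cert.Verify()) {
    throw "Certificate chain for thumbprint $($cert.Thumbprint) does not validate"
}
Write-Host "Certificate OK: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
```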
External DNS Record
Create an external DNS record for the AD FS proxy server. This A record will exist in the external DNS zone if you are using split DNS. In the TailspinToys enterprise (cough, cough this lab) the internal DNS zone is held on AD integrated DNS zones. The external zone is at a commercial ISP, so the external DNS record was created at the commercial ISP so it resolves to the external IP of the AD FS proxy infrastructure when I am at Starbucks.
As with the internal AD FS farm, there should be multiple WAP servers in the DMZ. They should be load balanced, and the DNS record should resolve to the VIP.