Solved

Hosting ADFS Offsite

Posted on 2011-09-15
3
1,407 Views
Last Modified: 2013-12-09
Hi All,

Does anybody have any thoughts on deploying ADFS at an OFFSITE datacentre for Office 365 authentication?

We have recently deployed Office 365 for our 30 user organisation which is making use of federated domains and SSO.

This means we have our ADFS Main server on the primary domain controller, dirsync on another 2003 server and our ADFS proxy on another 2008 server.

These are all hosted at head office.

Currently this works wonderfully and means that users can take full advantage of SSO and they only need to remember 1 set of credentials for everything.

This works great! UNTILL our internet connection goes down at the main office and the outside world is no longer able to authenticate with ADFS servers.

This defeats the purpose entirely of hosting email services in the cloud.

The question then is: in which configuration can we still have our federated domain and SSO but NOT be reliant on a connection to head office?

One scenario I have come up with is to have a virtual server running at a local ISP datacentre, this will be a Read Only Domain Controller and be the main ADFS server.
At head office there will be the ADFS proxy.
These two locations would be connected via an already installed fiber based routed VLAN connection (>= 20Mb/s)

I am after THOUGHTS on why this will and won't work, or if possible alternate scenarios.
I will award the best answer with the largest amount of points I can....
0
Comment
Question by:lemonville
  • 2
3 Comments
 
LVL 1

Author Comment

by:lemonville
ID: 36714233
Anyone?
0
 
LVL 1

Accepted Solution

by:
lemonville earned 0 total points
ID: 36817873
For anyone interested, we have begun planning for the removal of ADFS citing that during a disaster or any other event where the head office internet access is lost, emails will be unavailable.

Thanks for all your help.
0
 
LVL 1

Expert Comment

by:docgoku
ID: 38545745
You would think there is a better way.

We are planning a wider Office 365 deployment and there really isn't a way to get the ADFS servers off site.  Makes no sense really if you are paying MS to hold all of our sensitive email there really is no hold back on the customer side to have a read only domain controller on the MS O365 solution.  It would be a much simpler solution.  

I've been told this is coming but as of now the guys on the ground from MS are saying ADFS onsite is still the way.

So, in our case it will be a new ADFS farm with members in two datacenters, F5 load balanced VIP for internal, F5 APM to that VIP extnerally, and then F5 GTMs in case the main datacenter side goes down and we still need that federation.domain.com to respond.

It's a lot of infrastructure, powershell, and certificates for something that has "been moved to the cloud."  

The problem with not doing ADFS.  Is you loose all the integration bits, the status icons in outlook, sharepoint, phones, ect... b/c you are using a domain.microsoftonline.com account vs. your internal AD account.  We started that way and were missing many of the visibility and integration features.  You'll just have video and IM.  And... it's one more user/password combo to remember and compromise.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Office 365 is currently available in five editions. Three of them are for business use: Office 365 Business Essentials, Office 365 Business, and Office 365 Business Premium. Two of them are for home/personal use: Office 365 Home and Office 365 Perso…
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now