ADFS & ADFS Proxy over multiple sites for SSO on Office 365

Posted on 2014-08-07
Last Modified: 2014-08-21

We are trying to set up a hybrid setup for Exchange 2013 and Office 365, as well as using SSO.

We would like the ADFS machines to be fault tolerant and spread out over 2 physical sites for extra redundancy.

I have attached a diagram of the server setup over the 2 sites.

My questions are: How do we set up the NLB over 2 sites (with different IP ranges)?
What would the public DNS be pointing to for the STS address?
What would the internal DNS be pointing to for the STS address?

Please also note that the external domain and internal domain are the same (eg, is the public domain, and is the domain used for AD) - not sure if that makes a difference.


Question by: stevie_dee

    LVL 34

    Accepted Solution

    If your internal and external domain is the same, it's well and good, and your internal ADFS server record and external ADFS server records should be the same in that case.

    You should create a host (A) record for the ADFS servers' NLB such as
    On the external DNS server, this FQDN should point to the ADFS proxy server, and in the corporate network this FQDN should point to the internal ADFS servers.

    Now, to get redundancy there are multiple ways:
    1st, you can extend the same subnet to the other site as well so that you can set up NLB with the ADFS servers and ADFS proxy servers.
    2nd, you could place a hardware load balancer at some other 3rd-party location such as an ISP and add both ADFS proxy servers to the hardware load balancer.
    3rd, you can have both servers (ADFS and ADFS proxy servers) at the same location and create a standard NLB.
    4th, you can have both servers (ADFS and ADFS proxy servers) at the same location and take TWO public IP addresses.
    Instead of creating an NLB, you can point TWO public IP addresses to TWO ADFS proxy servers.
    Ex: -

    This will also provide redundancy in case one of your IPs goes down, with DNS round robin.
    You need to keep the record TTL at a minimum in DNS.
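The split-brain DNS layout and the two-public-IP round-robin option in the accepted solution can be checked from a domain-joined Windows client. The script below is an added example, not code from the thread; the STS name, internal DNS server address and public resolver are placeholders.

```powershell
# Added example (not from the thread): verify the DNS layout the accepted solution describes.
# The values below are placeholders; replace them with your own.
$StsFqdn        = 'sts.example.com'   # federation service name (placeholder)
$InternalDns    = '10.0.0.10'         # a DNS server inside the corporate network (placeholder)
$PublicResolver = '8.8.8.8'           # any resolver outside the corporate network (placeholder)
$MaxTtlSeconds  = 300                 # "keep record TTL minimum": flag anything above this

function Get-StsARecords([string]$Name, [string]$Server) {
    # A records (address + TTL) that the chosen resolver hands out for the STS name.
    Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object IPAddress, TTL
}

$internal = Get-StsARecords -Name $StsFqdn -Server $InternalDns
$external = Get-StsARecords -Name $StsFqdn -Server $PublicResolver
"Internal view: $($internal.IPAddress -join ', ')"
"External view: $($external.IPAddress -join ', ')"

# 1. Split-brain check. Inside, the name must resolve to the ADFS farm (NLB VIP), never to a
#    proxy; an address present in both answers means internal clients go out through the proxy.
$shared = @($internal.IPAddress | Where-Object { $external.IPAddress -contains $_ })
if ($shared.Count -gt 0) {
    Write-Warning "Internal and external answers share: $($shared -join ', ')"
}

# 2. TTL check. Round-robin only fails over quickly if cached answers for a dead IP expire fast.
foreach ($rec in $external) {
    if ($rec.TTL -gt $MaxTtlSeconds) {
        Write-Warning "$($rec.IPAddress) has TTL $($rec.TTL)s, above $MaxTtlSeconds"
    }
}

# 3. Liveness check. DNS round-robin does no health checking, so a dead proxy keeps receiving
#    its share of clients; confirm every published address actually answers on TCP 443.
foreach ($ip in @($external.IPAddress)) {
    if (Test-NetConnection -ComputerName $ip -Port 443 -InformationLevel Quiet) {
        "Proxy $ip answers on 443"
    } else {
        Write-Warning "Proxy $ip does not answer on 443; remove it from DNS until repaired"
    }
}
```

Run it once from inside the corporate network and once from outside; the two views must differ, and the external answer should carry a short TTL and only addresses that are actually up.
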
    LVL 38

    Expert Comment

    by: Vasil Michev (MVP)
    A true active/active setup between different sites is hard to achieve, costly and, in general, not necessary. If you are interested in such, you can review for example this thread:
