ADFS & ADFS Proxy over multiple sites for SSO on Office 365


We are trying to set up a hybrid setup for Exchange 2013 and Office 365, as well as using SSO.

We would like the ADFS machines to be fault tolerant and spread out over 2 physical sites for extra redundancy.

I have attached a diagram of the server setup over the 2 sites.

My questions are: How do we set up the NLB over 2 sites (with different IP ranges)?
What would the public DNS be pointing to for the STS address?
What would the internal DNS be pointing to for the STS address?

Please also note that the external domain and internal domain are the same (e.g. is the public domain, and is the domain used for AD); not sure if that makes a difference.



stevie_dee (Author) commented:
If your internal and external domain is the same, it's well and good, and your internal ADFS server record and external ADFS server records should be the same in that case.

You should create a host (A) record for the ADFS servers' NLB.
On the external DNS server, this FQDN should point to the ADFS proxy server, and in the corporate network this FQDN should point to the internal ADFS servers.

Now, to get redundancy there are multiple ways:
1st, you can extend the same subnet to the other site as well, so that you can set up NLB with the ADFS servers and ADFS proxy servers.
2nd, you could place a hardware load balancer at some other 3rd-party location such as the ISP and add both ADFS proxy servers to the hardware load balancer.
3rd, you can have both servers (ADFS and ADFS proxy servers) at the same location and create a standard NLB.
4th, you can have both servers (ADFS and ADFS proxy servers) at the same location and take TWO public IP addresses.
Instead of creating NLB, you can point TWO public IP addresses to TWO ADFS proxy servers.
Ex: - -

This will also provide redundancy, in case one of your IPs goes down, with DNS round robin.
You need to keep the record TTL at a minimum in DNS.
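The split-brain DNS arrangement and the round-robin option from the answer above can be scripted and, more importantly, checked. The following is an added example, not code from the answer or from Microsoft; the zone name, host name, IP addresses and resolver addresses are constructed placeholders. It assumes the DnsServer module (DNS Server role or RSAT) on the internal DNS server, and Resolve-DnsName / Test-NetConnection (Windows 8.1 / Server 2012 R2 or later) on the machine running the checks.

```powershell
# Added example (not from the original answer): publish the ADFS federation
# service name in the INTERNAL zone with a short TTL, then verify that the
# internal and external views of the same FQDN differ as intended and that
# every public address in the round robin actually answers on 443.
# All names and addresses below are constructed placeholders.

$stsHost     = 'sts'              # host part of the federation service name
$zone        = 'example.com'      # same zone name internally and externally
$internalVip = '10.10.1.50'       # internal NLB VIP of the ADFS farm
$ttl         = New-TimeSpan -Minutes 5   # short TTL so a failover is picked up quickly
$internalDns = '10.10.1.10'       # an internal DNS server
$externalDns = '8.8.8.8'          # any public resolver, to see the external view

# 1. Internal zone: one A record for the STS name pointing at the internal NLB VIP.
#    (The external zone, hosted at the registrar/ISP, gets the two proxy IPs instead.)
Add-DnsServerResourceRecordA -ZoneName $zone -Name $stsHost `
    -IPv4Address $internalVip -TimeToLive $ttl

# 2. Compare both views of the name. Internally it must resolve to the ADFS
#    farm; externally only to the proxies, never to an internal address.
$fqdn     = "$stsHost.$zone"
$internal = (Resolve-DnsName -Name $fqdn -Type A -Server $internalDns | Where-Object Type -eq 'A').IPAddress
$external = (Resolve-DnsName -Name $fqdn -Type A -Server $externalDns | Where-Object Type -eq 'A').IPAddress

"Internal view of ${fqdn}: $($internal -join ', ')"
"External view of ${fqdn}: $($external -join ', ')"
if ($external | Where-Object { $_ -like '10.*' }) {
    Write-Warning "External DNS is leaking an internal address for $fqdn"
}

# 3. Round robin does not remove dead hosts by itself: confirm every public
#    address still accepts TLS connections, so a failed proxy is noticed.
foreach ($ip in $external) {
    $ok = (Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0} port 443: {1}" -f $ip, $(if ($ok) { 'reachable' } else { 'DOWN' })
}
```

The last loop is the practical caveat to option 4: with plain DNS round robin, clients keep receiving a failed proxy's address until someone removes the record, so the low TTL only helps if the record is actually pulled (or a monitor pulls it) when a proxy goes down.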

Vasil Michev (MVP) commented:
True active/active setup between different sites is hard to achieve, costly and in general, not necessary. If you are interested in such, you can review for example this thread: