• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 202
  • Last Modified:

adfs/wap on single server? Server 2008r2 / 2012r2 with ADFS for Exchange 365

Im' adding a 2012r2 domain controller to the existing 2008r2 DC.

dc1 - 2008r2 - FMSO role holder
dc2 - 2012r2

DC2 will be the ADFS server for SSO with Exchange online.

Question:
Do I *need* to have 2 servers for the ADFS (inside) and WAP (dmz) roles or can I run the WAP on the internal ADFS server and port-forward on the firewall?

Most doc suggests the WAP role is best on a dedicated server in the DMZ, but they don't go so far as to say it's a hard-and-fast requirement.

It seems an expensive item to dedicate a Server OS license to just hold the WAP role.
0
snowdog_2112
Asked:
snowdog_2112
  • 4
1 Solution
 
Adam FarageEnterprise ArchCommented:
I do not see an issue with placing them on the same server *as long* as they are hosted within the internal network, but the reason they say "web application proxy = DMZ" is because Microsoft recommends sandwiching it between two firewalls (an intranet firewall and internet firewall).

As per Technet:

When you decide to use Web Application Proxy in your organization, we recommend that you deploy your Web Application Proxy servers behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network. In this topology, Web Application Proxy provides a protection layer against malicious users that may be coming from the Internet. No other servers are required to be located in this perimeter network; that is, your AD FS servers are located in the corporate network and can only be reached via Web Application Proxy using its built-in AD FS proxy functionality.

I personally would split it, otherwise I would see no point in deploying it with both roles on one (as the purpose of the WAP is to reduce the surface attack space of ADFS) but I suppose its your decision.

Reference: http://technet.microsoft.com/en-us/library/dn584113.aspx under "Web Application Proxy Technical Overview"
0
 
snowdog_2112Author Commented:
Great info!  THanks!

Assuming I'm limiting the ADFS interaction to *only* the MS Exchange Online IP spaces, is that as big a concern (the attack space)?

Again, I'm trying to weigh the cost of a Server OS license against the risk.  If I can protect the WAP itself, I am comfortable "exposing" ADFS, since it is only to the MS service.
0
 
snowdog_2112Author Commented:
Or, am I not understanding how the ADFS process works with Exchange Online and ADFS?

Do the authentication requests come directly from the client or from the Exchange Online servers?  If it's the former, I'd have to allow "anyone" to access the WAP, where in the latter, I can narrow the scope to a "trusted partner".
0
 
snowdog_2112Author Commented:
It turns out you *cannot* even if you really REALLY want to put WAP on the ADFS box.

The Role wizard gives the big middle finger if you add Remote Access/WAP to the ADFS server.
0
 
snowdog_2112Author Commented:
Tried to add WAP to ADFS, it flat does not allow it.   This is on Server 2012r2 with ADFS 3.0 - YMMV on other flavors.

Thanks all.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now