Solved

adfs/wap on single server? Server 2008r2 / 2012r2 with ADFS for Exchange 365

Posted on 2015-01-07
Last Modified: 2015-01-16
I'm adding a 2012r2 domain controller to the existing 2008r2 DC.

dc1 - 2008r2 - FSMO role holder
dc2 - 2012r2

DC2 will be the ADFS server for SSO with Exchange online.

Question:
Do I *need* to have 2 servers for the ADFS (inside) and WAP (dmz) roles or can I run the WAP on the internal ADFS server and port-forward on the firewall?

Most doc suggests the WAP role is best on a dedicated server in the DMZ, but they don't go so far as to say it's a hard-and-fast requirement.

It seems an expensive item to dedicate a Server OS license to just hold the WAP role.
Question by:snowdog_2112
5 Comments

Expert Comment

by:Adam Farage
ID: 40537082
I do not see an issue with placing them on the same server *as long* as they are hosted within the internal network, but the reason they say "web application proxy = DMZ" is because Microsoft recommends sandwiching it between two firewalls (an intranet firewall and internet firewall).

As per Technet:

When you decide to use Web Application Proxy in your organization, we recommend that you deploy your Web Application Proxy servers behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network. In this topology, Web Application Proxy provides a protection layer against malicious users that may be coming from the Internet. No other servers are required to be located in this perimeter network; that is, your AD FS servers are located in the corporate network and can only be reached via Web Application Proxy using its built-in AD FS proxy functionality.

I personally would split it, otherwise I would see no point in deploying it with both roles on one (as the purpose of the WAP is to reduce the surface attack space of ADFS) but I suppose it's your decision.

Reference: http://technet.microsoft.com/en-us/library/dn584113.aspx under "Web Application Proxy Technical Overview"

Author Comment

by:snowdog_2112
ID: 40537935
Great info!  Thanks!

Assuming I'm limiting the ADFS interaction to *only* the MS Exchange Online IP spaces, is that as big a concern (the attack space)?

Again, I'm trying to weigh the cost of a Server OS license against the risk.  If I can protect the WAP itself, I am comfortable "exposing" ADFS, since it is only to the MS service.

Author Comment

by:snowdog_2112
ID: 40537943
Or, am I not understanding how the ADFS process works with Exchange Online and ADFS?

Do the authentication requests come directly from the client or from the Exchange Online servers?  If it's the former, I'd have to allow "anyone" to access the WAP, where in the latter, I can narrow the scope to a "trusted partner".

Accepted Solution

by: snowdog_2112 (earned 0 total points)
ID: 40543082
It turns out you *cannot* even if you really REALLY want to put WAP on the ADFS box.

The Role wizard gives the big middle finger if you add Remote Access/WAP to the ADFS server.

Author Closing Comment

by:snowdog_2112
ID: 40553100
Tried to add WAP to ADFS, it flat does not allow it.   This is on Server 2012r2 with ADFS 3.0 - YMMV on other flavors.

Thanks all.
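A pre-flight check that captures the outcome of this thread in script form (added here as an example; it is not from the thread or from Microsoft): before trying to add Web Application Proxy to a host, it looks for an existing ADFS role, which is the co-location the role wizard refuses on 2012 R2 / ADFS 3.0, and then confirms the one path a DMZ WAP actually needs, TCP 443 to the internal federation service. The federation service name is a placeholder.

```powershell
# Pre-flight check before installing the Web Application Proxy (WAP) role.
# Assumption (not from the thread): $FederationServiceName is the internal
# ADFS farm name that WAP will proxy for; replace the placeholder value.
param(
    [string]$FederationServiceName = 'sts.example.com'   # placeholder
)

$adfs = Get-WindowsFeature -Name ADFS-Federation
$wap  = Get-WindowsFeature -Name Web-Application-Proxy

if ($adfs.Installed) {
    # Same situation the thread reports: WAP cannot be added to a server
    # that already hosts ADFS, so stop here instead of running the wizard.
    Write-Warning ("ADFS-Federation is installed on {0}; WAP cannot be " +
                   "co-located here. Use a separate host in the DMZ.") -f $env:COMPUTERNAME
    return
}

if ($wap.Installed) {
    Write-Output "Web Application Proxy role is already present on $env:COMPUTERNAME."
} else {
    Write-Output ("WAP role not installed. To add it: " +
                  "Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools")
}

# The only inbound path WAP needs to the corporate network is TCP 443 to the
# ADFS farm; confirm the backend firewall rule before configuring proxy trust.
$probe = Test-NetConnection -ComputerName $FederationServiceName -Port 443 `
                            -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    Write-Output "TCP 443 to $FederationServiceName is reachable from this host."
} else {
    Write-Warning ("Cannot reach {0} on TCP 443; fix the backend firewall rule " +
                   "before running Install-WebApplicationProxy.") -f $FederationServiceName
}
```

Run it on the intended WAP host; a warning on the first check means you are on the ADFS box and need the second server after all.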