adfs/wap on single server? Server 2008r2 / 2012r2 with ADFS for Exchange 365

I'm adding a 2012r2 domain controller to the existing 2008r2 DC.

dc1 - 2008r2 - FSMO role holder
dc2 - 2012r2

DC2 will be the ADFS server for SSO with Exchange online.

Do I *need* to have 2 servers for the ADFS (inside) and WAP (dmz) roles or can I run the WAP on the internal ADFS server and port-forward on the firewall?

Most doc suggests the WAP role is best on a dedicated server in the DMZ, but they don't go so far as to say it's a hard-and-fast requirement.

It seems an expensive item to dedicate a Server OS license to just hold the WAP role.
snowdog_2112 (Author) commented:
It turns out you *cannot* even if you really REALLY want to put WAP on the ADFS box.

The Role wizard gives the big middle finger if you add Remote Access/WAP to the ADFS server.
Adam Farage (Enterprise Arch) commented:
I do not see an issue with placing them on the same server *as long* as they are hosted within the internal network, but the reason they say "web application proxy = DMZ" is because Microsoft recommends sandwiching it between two firewalls (an intranet firewall and internet firewall).

As per Technet:

When you decide to use Web Application Proxy in your organization, we recommend that you deploy your Web Application Proxy servers behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network. In this topology, Web Application Proxy provides a protection layer against malicious users that may be coming from the Internet. No other servers are required to be located in this perimeter network; that is, your AD FS servers are located in the corporate network and can only be reached via Web Application Proxy using its built-in AD FS proxy functionality.

I personally would split it, otherwise I would see no point in deploying it with both roles on one (as the purpose of the WAP is to reduce the surface attack space of ADFS), but I suppose it's your decision.

Reference: under "Web Application Proxy Technical Overview"
snowdog_2112 (Author) commented:
Great info!  Thanks!

Assuming I'm limiting the ADFS interaction to *only* the MS Exchange Online IP spaces, is that as big a concern (the attack space)?

Again, I'm trying to weigh the cost of a Server OS license against the risk.  If I can protect the WAP itself, I am comfortable "exposing" ADFS, since it is only to the MS service.
snowdog_2112 (Author) commented:
Or, am I not understanding how the ADFS process works with Exchange Online and ADFS?

Do the authentication requests come directly from the client or from the Exchange Online servers?  If it's the former, I'd have to allow "anyone" to access the WAP, where in the latter, I can narrow the scope to a "trusted partner".
snowdog_2112 (Author) commented:
Tried to add WAP to ADFS, it flat does not allow it. This is on Server 2012r2 with ADFS 3.0 - YMMV on other flavors.

Thanks all.
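A pre-flight check you can run on the candidate server before launching the Remote Access role wizard, added here as an example and not posted by anyone in the thread. It uses the standard ServerManager cmdlets to report whether the AD FS role and the Web Application Proxy role service are already present, so the unsupported co-location the thread describes is caught before the wizard rejects it; the function name is my own.

```powershell
# Added example: report AD FS / WAP role state on this host before attempting to add WAP.
# The thread reports that Server 2012 R2 refuses to add Web Application Proxy to a server
# that already holds the AD FS role, so surface that combination up front.
Import-Module ServerManager

function Test-AdfsWapColocation {
    # Feature names as used by Install-WindowsFeature on Server 2012 R2.
    $adfs = Get-WindowsFeature -Name ADFS-Federation
    $wap  = Get-WindowsFeature -Name Web-Application-Proxy

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AdfsInstalled = [bool]$adfs.Installed
        WapInstalled  = [bool]$wap.Installed
        # Both roles on one host is the combination the role wizard rejects.
        Colocated     = [bool]($adfs.Installed -and $wap.Installed)
    }
}

$state = Test-AdfsWapColocation
$state | Format-List

if ($state.AdfsInstalled) {
    Write-Warning "AD FS is installed on $($state.ComputerName); put Web Application Proxy on a separate server (normally in the DMZ) instead of adding it here."
}
```

Run it from an elevated PowerShell session on the server you intend to use; a host that already shows AdfsInstalled = True is the case where the wizard will refuse the WAP role.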