Solved

adfs/wap on single server? Server 2008r2 / 2012r2 with ADFS for Exchange 365

Posted on 2015-01-07
5
170 Views
Last Modified: 2015-01-16
Im' adding a 2012r2 domain controller to the existing 2008r2 DC.

dc1 - 2008r2 - FMSO role holder
dc2 - 2012r2

DC2 will be the ADFS server for SSO with Exchange online.

Question:
Do I *need* to have 2 servers for the ADFS (inside) and WAP (dmz) roles or can I run the WAP on the internal ADFS server and port-forward on the firewall?

Most doc suggests the WAP role is best on a dedicated server in the DMZ, but they don't go so far as to say it's a hard-and-fast requirement.

It seems an expensive item to dedicate a Server OS license to just hold the WAP role.
0
Comment
Question by:snowdog_2112
  • 4
5 Comments
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40537082
I do not see an issue with placing them on the same server *as long* as they are hosted within the internal network, but the reason they say "web application proxy = DMZ" is because Microsoft recommends sandwiching it between two firewalls (an intranet firewall and internet firewall).

As per Technet:

When you decide to use Web Application Proxy in your organization, we recommend that you deploy your Web Application Proxy servers behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network. In this topology, Web Application Proxy provides a protection layer against malicious users that may be coming from the Internet. No other servers are required to be located in this perimeter network; that is, your AD FS servers are located in the corporate network and can only be reached via Web Application Proxy using its built-in AD FS proxy functionality.

I personally would split it, otherwise I would see no point in deploying it with both roles on one (as the purpose of the WAP is to reduce the surface attack space of ADFS) but I suppose its your decision.

Reference: http://technet.microsoft.com/en-us/library/dn584113.aspx under "Web Application Proxy Technical Overview"
0
 

Author Comment

by:snowdog_2112
ID: 40537935
Great info!  THanks!

Assuming I'm limiting the ADFS interaction to *only* the MS Exchange Online IP spaces, is that as big a concern (the attack space)?

Again, I'm trying to weigh the cost of a Server OS license against the risk.  If I can protect the WAP itself, I am comfortable "exposing" ADFS, since it is only to the MS service.
0
 

Author Comment

by:snowdog_2112
ID: 40537943
Or, am I not understanding how the ADFS process works with Exchange Online and ADFS?

Do the authentication requests come directly from the client or from the Exchange Online servers?  If it's the former, I'd have to allow "anyone" to access the WAP, where in the latter, I can narrow the scope to a "trusted partner".
0
 

Accepted Solution

by:
snowdog_2112 earned 0 total points
ID: 40543082
It turns out you *cannot* even if you really REALLY want to put WAP on the ADFS box.

The Role wizard gives the big middle finger if you add Remote Access/WAP to the ADFS server.
0
 

Author Closing Comment

by:snowdog_2112
ID: 40553100
Tried to add WAP to ADFS, it flat does not allow it.   This is on Server 2012r2 with ADFS 3.0 - YMMV on other flavors.

Thanks all.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
how to add IIS SMTP to handle application/Scanner relays into office 365.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now