adfs/wap on single server? Server 2008r2 / 2012r2 with ADFS for Exchange 365

Posted on 2015-01-07
Last Modified: 2015-01-16
I'm adding a 2012r2 domain controller to the existing 2008r2 DC.

dc1 - 2008r2 - FSMO role holder
dc2 - 2012r2

DC2 will be the ADFS server for SSO with Exchange online.

Question:
Do I *need* to have 2 servers for the ADFS (inside) and WAP (dmz) roles or can I run the WAP on the internal ADFS server and port-forward on the firewall?

Most doc suggests the WAP role is best on a dedicated server in the DMZ, but they don't go so far as to say it's a hard-and-fast requirement.

It seems an expensive item to dedicate a Server OS license to just hold the WAP role.
Question by:snowdog_2112

Expert Comment

by:Adam Farage
ID: 40537082
I do not see an issue with placing them on the same server *as long* as they are hosted within the internal network, but the reason they say "web application proxy = DMZ" is because Microsoft recommends sandwiching it between two firewalls (an intranet firewall and internet firewall).

As per Technet:

When you decide to use Web Application Proxy in your organization, we recommend that you deploy your Web Application Proxy servers behind a frontend firewall to separate it from the Internet, or between two firewalls; a frontend firewall to separate it from the Internet, and a backend firewall to separate it from the corporate network. In this topology, Web Application Proxy provides a protection layer against malicious users that may be coming from the Internet. No other servers are required to be located in this perimeter network; that is, your AD FS servers are located in the corporate network and can only be reached via Web Application Proxy using its built-in AD FS proxy functionality.

I personally would split it, otherwise I would see no point in deploying it with both roles on one (as the purpose of the WAP is to reduce the surface attack space of ADFS), but I suppose it's your decision.

Reference: http://technet.microsoft.com/en-us/library/dn584113.aspx under "Web Application Proxy Technical Overview"

Author Comment

by:snowdog_2112
ID: 40537935
Great info! Thanks!

Assuming I'm limiting the ADFS interaction to *only* the MS Exchange Online IP spaces, is that as big a concern (the attack space)?

Again, I'm trying to weigh the cost of a Server OS license against the risk.  If I can protect the WAP itself, I am comfortable "exposing" ADFS, since it is only to the MS service.

Author Comment

by:snowdog_2112
ID: 40537943
Or, am I not understanding how the ADFS process works with Exchange Online and ADFS?

Do the authentication requests come directly from the client or from the Exchange Online servers? If it's the former, I'd have to allow "anyone" to access the WAP, whereas in the latter, I can narrow the scope to a "trusted partner".

Accepted Solution

by:snowdog_2112 earned 0 total points
ID: 40543082
It turns out you *cannot*, even if you really REALLY want to, put WAP on the ADFS box.

The Role wizard gives the big middle finger if you add Remote Access/WAP to the ADFS server.

Author Closing Comment

by:snowdog_2112
ID: 40553100
Tried to add WAP to ADFS; it flat does not allow it. This is on Server 2012r2 with ADFS 3.0 - YMMV on other flavors.

Thanks all.
0
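A quick way to confirm the role conflict the thread describes on a given host, before anyone opens the role wizard, is to query Server Manager for the two features. This is an added example and not code from the original thread or from Microsoft; it assumes the Windows Server 2012 R2 feature names ADFS-Federation (the AD FS role) and Web-Application-Proxy (the WAP role service under Remote Access) and is meant to run in an elevated PowerShell session on the candidate server. It only reports; it installs nothing.

```powershell
# Added example (not from the original thread). Reports which of the two
# roles are present so a second role is not attempted on the wrong box.
# Assumed 2012 R2 feature names: ADFS-Federation, Web-Application-Proxy.
Import-Module ServerManager

function Test-AdfsWapCoexistence {
    $adfs = Get-WindowsFeature -Name ADFS-Federation
    $wap  = Get-WindowsFeature -Name Web-Application-Proxy

    # Server Manager refuses to add WAP to an AD FS server on 2012 R2
    # (per the accepted solution), so the first branch should never occur
    # on that OS; it is kept so the script is explicit about that state.
    if ($adfs.Installed -and $wap.Installed) {
        $assessment = 'Both roles present (unexpected on 2012 R2)'
    } elseif ($adfs.Installed) {
        $assessment = 'AD FS present: place WAP on a separate host in the DMZ'
    } elseif ($wap.Installed) {
        $assessment = 'WAP present: keep AD FS on a separate internal host'
    } else {
        $assessment = 'Neither role present'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        AdfsInstalled = [bool]$adfs.Installed
        WapInstalled  = [bool]$wap.Installed
        Assessment    = $assessment
    }
}

Test-AdfsWapCoexistence | Format-List
```

Run it on each server you are considering for either role; the Assessment field summarises the placement the thread and the quoted TechNet guidance arrive at (WAP in the perimeter network, AD FS on the corporate network).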
