
ADFS (Active Directory Federation Services)

andavispsav asked:
I've been tasked with an ADFS project.

I have to find out if there are any risks in having ADFS facing the web without a proxy in front of it.

Can someone let me know where I can find information about this type of concern and configuration?

Thanks

Tech Guy :-)

Exec Consultant (Distinguished Expert 2018) commented:
This guidance is a good starting point before deploying and configuring it. You can still publish the ADFS server directly to the Internet (by opening port 443, as in the Office 365 case, or port 80) to allow users outside your company network to reach the federation server. But security folks see such "direct" access by external parties differently, and they consider a proxy in order to:
- Isolate the federation servers, so that external client computers are prevented from accessing them directly before being authenticated
- Identify the user's identity and manage expectations, with the appropriate sign-in experience for external and internal users
- Leverage the existing DMZ demarcation for consistent enforcement on exposed services, such as web services, via the proxy
See more use cases in:
@ Planning Federation Server Proxy Placement
https://technet.microsoft.com/en-us/library/dd807130.aspx
@ Best Practices for Secure Planning and Deployment of AD FS
https://technet.microsoft.com/en-us/library/ff630160.aspx
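
As an added illustration of the point above (this is example code, not part of the original thread or of Microsoft's documentation): once a Web Application Proxy sits in front of the farm, only the endpoints flagged for proxy publishing are reachable from the Internet, whereas with the farm published directly on 443 every enabled endpoint is. The script below, assumed to run on a federation server (Windows Server 2012 R2 or later) with the ADFS PowerShell module as a farm administrator, reports what the proxy would publish and whether extranet lockout is on, and offers to stop publishing the WS-Trust Windows-transport endpoints, which Microsoft's hardening guidance treats as intranet-only. The endpoint list, threshold and window values are assumptions for the example, not values from this page.

```powershell
# Added example, not from the original thread: audit and harden what an AD FS
# farm exposes to the Internet through a Web Application Proxy.
# Assumes: run on a federation server with the ADFS module, as a farm admin.

function Get-AdfsExtranetExposure {
    [CmdletBinding()]
    param(
        # Endpoints considered intranet-only (assumption based on Microsoft's
        # AD FS hardening guidance, not on the thread above).
        [string[]]$IntranetOnlyPaths = @(
            '/adfs/services/trust/2005/windowstransport',
            '/adfs/services/trust/13/windowstransport'
        )
    )

    # Every endpoint that is both enabled and flagged Proxy=True is what the
    # WAP publishes; without a proxy the Proxy flag is irrelevant, because
    # anything enabled on 443 reaches the farm directly.
    $published = Get-AdfsEndpoint |
        Where-Object { $_.Enabled -and $_.Proxy } |
        Select-Object AddressPath, Protocol, SecurityMode, ClientCredentialType

    $risky = $published | Where-Object { $IntranetOnlyPaths -contains $_.AddressPath }

    # Extranet lockout only applies to authentication arriving via the proxy.
    $props = Get-AdfsProperties

    [pscustomobject]@{
        PublishedEndpoints        = $published
        IntranetOnlyPublished     = $risky
        ExtranetLockoutEnabled    = $props.ExtranetLockoutEnabled
        ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
        ExtranetObservationWindow = $props.ExtranetObservationWindow
    }
}

function Set-AdfsExtranetHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$IntranetOnlyPaths = @(
            '/adfs/services/trust/2005/windowstransport',
            '/adfs/services/trust/13/windowstransport'
        ),
        # Example values (assumptions); tune to the organisation's policy.
        [int]$LockoutThreshold = 10,
        [timespan]$ObservationWindow = (New-TimeSpan -Minutes 30)
    )

    foreach ($path in $IntranetOnlyPaths) {
        if ($PSCmdlet.ShouldProcess($path, 'Stop publishing through the proxy')) {
            # Keeps the endpoint for intranet clients, removes it from the WAP.
            Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false
        }
    }

    if ($PSCmdlet.ShouldProcess('AD FS farm', 'Enable extranet soft lockout')) {
        Set-AdfsProperties -EnableExtranetLockout $true `
            -ExtranetLockoutThreshold $LockoutThreshold `
            -ExtranetObservationWindow $ObservationWindow
    }
}

# Report first; preview the changes with -WhatIf before applying them.
Get-AdfsExtranetExposure | Format-List
Set-AdfsExtranetHardening -WhatIf
```

Endpoint changes made with Set-AdfsEndpoint take effect only after the AD FS service (adfssrv) is restarted on each federation server, so schedule that restart when running the hardening function for real.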

Author commented:
I really appreciate this !!!

You've helped me greatly here and I do thank you.

Tech Guy :-)