Solved

AD FS DNS

Posted on 2016-10-10
4
114 Views
Last Modified: 2016-10-10
Hi,

I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.

Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com

Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record

My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?

Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address

Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.

So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?


Thanks,
Andy
0
Comment
Question by:Andy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 40

Expert Comment

by:footech
ID: 41836471
Internal DNS: 'A' record for adfs.company.net pointing to VIP
This is not needed.

Internal DNS: new zone of adfs.company.com with blank 'A' record
Point this at the IP of your VIP.

If you want access from the internet, use a proxy.

...adfs.company.com or adfs.company.com? Which is correct?
Those are the same thing (and both are correct).

You only need a single public IP.  Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies.  In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41836475
Thanks footech.

So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?

Thanks,
Andy
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 41836490
Looks like I answered a similar question from you before.  There's not much I can add.
I know there are some authentication scenarios where there is no communication to the ADFS initiated from the internet, but I don't know exactly when things would fail if you don't have a proxy.

If you want things to always work, set up a proxy.
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41836596
OK thanks footech, probably just confusing myself the more I think about it.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question