I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.
Design 1 (AD FS only, no proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com
Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record
My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?
Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address
Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.
So, do I need 2 public IPs and 2 external 'A' records? One for internal only and one for WAP?
Point this at the IP of your VIP.
If you want access from the internet, use a proxy.
Those are the same thing (and both are correct).
You only need a single public IP. Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies. In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
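The layout described in that answer (internal zone with a blank A record, hosts entries on the proxies, one public IP for the external record) as an added PowerShell example, not code from either poster; the addresses 10.0.0.10 (internal AD FS VIP) and 203.0.113.10 (public IP NATed to the WAP VIP) are assumptions, and the DNS part runs on an internal DNS server, the hosts-file part on each WAP.

```powershell
# Added example (not from the thread). Assumed addresses:
#   10.0.0.10    = internal AD FS NLB VIP
#   203.0.113.10 = public IP that NATs to the WAP NLB VIP
$FederationName = 'adfs.company.com'
$InternalVip    = '10.0.0.10'
$PublicIp       = '203.0.113.10'

# --- Internal DNS (run on an internal DNS server) ---
# A zone named after the federation service with a blank (same-as-parent) A record,
# so adfs.company.com resolves to the internal VIP while the rest of company.com
# still resolves externally.
function Set-InternalFederationZone {
    if (-not (Get-DnsServerZone -Name $FederationName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $FederationName -ReplicationScope 'Domain'
    }
    Add-DnsServerResourceRecordA -ZoneName $FederationName -Name '@' -IPv4Address $InternalVip
}

# --- WAP hosts file (run on each proxy) ---
# The proxy must reach the internal farm, never the public IP: if adfs.company.com
# resolved to the public IP on the WAP, the proxy would forward requests back to itself.
function Set-WapHostsEntry {
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    $pattern   = "\s$([regex]::Escape($FederationName))\s*$"
    if (-not (Select-String -Path $hostsPath -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsPath -Value "$InternalVip`t$FederationName"
    }
}

# --- Verification (run from the vantage point you want to check) ---
# Resolve-DnsName honours the hosts file, so on a WAP this reflects the hosts entry.
# Expected answer: internal clients and WAPs -> internal VIP; external clients -> public IP.
function Test-FederationResolution {
    param([ValidateSet('Internal', 'Wap', 'External')][string]$Vantage)
    $expected = if ($Vantage -eq 'External') { $PublicIp } else { $InternalVip }
    $actual = (Resolve-DnsName -Name $FederationName -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }).IPAddress
    [pscustomobject]@{
        Vantage  = $Vantage
        Resolved = ($actual -join ', ')
        Expected = $expected
        Ok       = ($actual -contains $expected)
    }
}

# Example: on a WAP, after Set-WapHostsEntry, this should report Ok = True.
Test-FederationResolution -Vantage 'Wap'
```

A result of Ok = False on a WAP with the public IP in the Resolved column is the loop the answer warns about (proxy resolving the federation name to itself), while Ok = False on an internal client usually means the adfs.company.com zone or its blank A record is missing.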