asked on
AD FS DNS
Hi,
I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.
Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com
Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record
My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?
Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address
Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.
So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?
Thanks,
Andy
I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.
Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com
Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record
My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?
Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address
Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.
So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?
Thanks,
Andy
Active DirectoryDNS
Last Comment
Andy
ASKER
Thanks footech.
So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?
Thanks,
Andy
So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?
Thanks,
Andy
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
OK thanks footech, probably just confusing myself the more I think about it.
Point this at the IP of your VIP.
If you want access from the internet, use a proxy.
Those are the same thing (and both are correct).
You only need a single public IP. Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies. In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.