Solved

AD FS DNS

Posted on 2016-10-10
4
94 Views
Last Modified: 2016-10-10
Hi,

I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.

Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com

Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record

My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?

Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address

Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.

So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?


Thanks,
Andy
0
Comment
Question by:Andy
  • 2
  • 2
4 Comments
 
LVL 40

Expert Comment

by:footech
ID: 41836471
Internal DNS: 'A' record for adfs.company.net pointing to VIP
This is not needed.

Internal DNS: new zone of adfs.company.com with blank 'A' record
Point this at the IP of your VIP.

If you want access from the internet, use a proxy.

...adfs.company.com or adfs.company.com? Which is correct?
Those are the same thing (and both are correct).

You only need a single public IP.  Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies.  In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41836475
Thanks footech.

So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?

Thanks,
Andy
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 41836490
Looks like I answered a similar question from you before.  There's not much I can add.
I know there are some authentication scenarios where there is no communication to the ADFS initiated from the internet, but I don't know exactly when things would fail if you don't have a proxy.

If you want things to always work, set up a proxy.
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41836596
OK thanks footech, probably just confusing myself the more I think about it.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question