Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

AD FS DNS

Posted on 2016-10-10
4
Medium Priority
?
284 Views
Last Modified: 2016-10-10
Hi,

I'd like to confirm the DNS settings for my AD FS design please. Any help appreciated.

Design 1 (AD FS only (No proxy):
Internal name - company.net
External name - company.com
AD FS name: adfs.company.com

Internal DNS: 'A' record for adfs.company.net pointing to VIP
Internal DNS: new zone of adfs.company.com with blank 'A' record

My external name will also be adfs.company.com (as registered on the SSL certificate)
What external DNS/A record do I need? Where would this point the IP to? Do I need a public IP with NAT to the internal VIP? Do I need to allow port forwarding anywhere for 443?

Design 2 (with proxy):
As above but with WAP servers (2012 R2)
2 x WAP servers using NLB with VIP address

Add entries to the hosts files on each WAP server pointing to adfs.company.com or adfs.company.com? Which is correct?
Add external IP with NAT to VIP and an external 'A' record pointing adfs.company.com to the public IP in the DMZ.

So, do I need 2 public IP's and 2 external 'A' records? One for internal only and one for WAP?


Thanks,
Andy
0
Comment
Question by:Andy
  • 2
  • 2
4 Comments
 
LVL 41

Expert Comment

by:footech
ID: 41836471
Internal DNS: 'A' record for adfs.company.net pointing to VIP
This is not needed.

Internal DNS: new zone of adfs.company.com with blank 'A' record
Point this at the IP of your VIP.

If you want access from the internet, use a proxy.

...adfs.company.com or adfs.company.com? Which is correct?
Those are the same thing (and both are correct).

You only need a single public IP.  Your external A record for adfs.company.com points to the public IP, and that NATs to the VIP for your proxies.  In the hosts files on the proxies (if they don't use your internal DNS already), have an entry for adfs.company.com that points to the VIP for your internal ADFSes.
0
 
LVL 7

Author Comment

by:Andy
ID: 41836475
Thanks footech.

So, with an internal only setup, how does adfs.compnay.com resolve itself from the SaaS provider?
I don't need an external DNS entry for this scenario?

Thanks,
Andy
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 41836490
Looks like I answered a similar question from you before.  There's not much I can add.
I know there are some authentication scenarios where there is no communication to the ADFS initiated from the internet, but I don't know exactly when things would fail if you don't have a proxy.

If you want things to always work, set up a proxy.
0
 
LVL 7

Author Closing Comment

by:Andy
ID: 41836596
OK thanks footech, probably just confusing myself the more I think about it.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question