Albert Widjaja asked:
Building highly redundant OnPremise ADFS service ?

I had this question after viewing "Office 365 and Azure with ADFS setup or AD Pass-through authentication?".

People,

I'd like to plan and build ADFS servers in my current OnPremise infrastructure so that the current AD user accounts can access or consume the Azure AD cloud services.

At the moment I do not have any Office 365 yet, so AD pass-through authentication cannot be implemented.

On Premise – Production Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [PRDADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – WebApplication Proxy Server. [PRDADFSPXY01-VM]

On Premise – DR Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [DRADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – WebApplication Proxy Server. [DRADFSPXY01-VM]

Certificate requirements:
ADFS.company.com --> this is the load-balanced name or VIP, using DNS round robin both internally and externally.
PRDADFSPXY01-VM.company.com
DRADFSPXY01-VM.company.com

Is that the correct simplest deployment?
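As an added worked example (not part of the question or of any answer in this thread), here is the PowerShell that stands up the layout listed above: a two-node ADFS farm with one node per site, and a Web Application Proxy in each DMZ. The question lists a SQL Server Express instance on each ADFS server; a farm shares a single configuration database, so this script points both nodes at one assumed instance, PRDADFSSQL01\ADFS, that must be reachable from both sites. The service account name, the certificate subject lookup and the internal IP pinned in the WAP hosts file are assumptions for illustration.

```powershell
# Added example, not from the original post. Run each section on the server named
# in its heading. Assumed values: the SQL instance, the service account, the
# certificate subject match and the internal ADFS address used by the proxies.

$FederationServiceName = 'ADFS.company.com'   # farm name / round-robin VIP from the question
$SqlConnectionString   = 'Data Source=PRDADFSSQL01\ADFS;Integrated Security=True'   # assumed shared instance
$ServiceAccount        = Get-Credential -Message 'ADFS service account (assumed: company\svc_adfs)'
$Thumbprint            = (Get-ChildItem Cert:\LocalMachine\My |
                          Where-Object { $_.Subject -like "CN=$FederationServiceName*" } |
                          Select-Object -First 1).Thumbprint   # cert must already be in LocalMachine\My with its private key

# --- PRDADFS01-VM (production site): create the farm --------------------------
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Install-AdfsFarm -CertificateThumbprint $Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName 'Company Sign-In' `
                 -ServiceAccountCredential $ServiceAccount `
                 -SQLConnectionString $SqlConnectionString

# --- DRADFS01-VM (DR site): join the same farm --------------------------------
# With a SQL configuration database every node is a peer: there is no WID primary
# to promote during a DR event, so the DR node only needs the same connection string.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
Add-AdfsFarmNode -CertificateThumbprint $Thumbprint `
                 -ServiceAccountCredential $ServiceAccount `
                 -SQLConnectionString $SqlConnectionString

# --- PRDADFSPXY01-VM and DRADFSPXY01-VM (DMZ, not domain joined): WAP ----------
# The proxy must resolve the farm name to an INTERNAL ADFS node, never to itself
# or to the public address, so pin it in the hosts file before installing.
# 10.1.10.21 is an assumed internal address of the local site's ADFS node.
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
            -Value "10.1.10.21`t$FederationServiceName"
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
Install-WebApplicationProxy -CertificateThumbprint $Thumbprint `
                            -FederationServiceName $FederationServiceName `
                            -FederationServiceTrustCredential (Get-Credential -Message 'Domain account that is a local admin on the ADFS servers')
```

The same certificate (with its private key) is imported on all four servers before any of this runs, since both the farm nodes and the proxies bind it to the farm name. The hosts entry on each proxy comes before Install-WebApplicationProxy because the trust is established against whichever node the farm name resolves to at that moment.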
SOLUTION
Cliff Galiher

ASKER CERTIFIED SOLUTION
Albert Widjaja (ASKER):
Thanks for the reply Cliff,

Regarding the SSL certificate section, I assume that any SSL certificate will be just fine? E.g. the cheapest one from GoDaddy.

So in the event that disaster strikes, users can still operate / log in normally, since all traffic will be handled by the DR site's servers?
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.
@KB: That's a very clear explanation on the diagram :-) thanks for sharing.
So in both PRDADFSPXY01-VM.company.com and DRADFSPXY01-VM.company.com I just need to add the HOSTS file entry:

ADFS.company.com  ...which IP address ?...

I do not have any load balancer in my DMZ or in the company that I use.

Normally I use DNS round robin for all purposes like Exchange, web server, etc...
@KB: What is IdP? Identity Provider
I do not have Office 365 yet; maybe later on, at the end of this year, I will be migrating the Exchange server to Office 365. I guess I can still use the ADFS servers while waiting for AD pass-through to mature.
What do you need ADFS for without Office 365? Are you federating with another Service Provider?
Yes, that's true.
Also, I have some server deployed in Azure so I need to provide SSO for the user.
Round robin works like this.. if one goes down.. then ~50% of the time users won't have access to auth.... so that's not a DR solution.
OK, according to the software developer / DevOps manager this is for the website that they are building this month.
Later on, it will be published into Azure, so I can just publish one simple server for both roles (ADFS and WebApp Proxy + SQL).
Combining ADFS and WAP? Not sure that is a thing.. kind of defeats the purpose? Where is the HA/DR?
Ah, I see, so it needs to have two as a minimum?
The current purpose is just for the internal website; then if I move on to Azure, I can deploy the WAP. Is that possible, or does it make sense?
The WAP (lives in the DMZ) proxies the requests that originate from the internet, so you don't have exposure of the domain-joined ADFS server (corporate network) on the internet.

Are you talking about Azure VMs with ADFS role and WAP role installed connected across VPN to your corporate network?
I'm talking about the OnPremise VMware environment VMs.

So far I'm only using Azure for the Webserver and some IoT services, at the end of this year I will be migrating from Exchange to Office 365.
Thanks all !
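Added check, not part of the thread above: the thread's point about DNS round robin is that clients keep receiving a dead node's address until someone removes it from DNS, and that a certificate question ("any SSL certificate will be just fine?") really comes down to which names are in its SAN. This script resolves the farm name, opens a TLS session to every address it hands out with SNI set to that name, and reports per node whether it answered and whether the certificate it presented covers the three names listed in the question. The farm and proxy names come from the question; the port, timeout and helper names are assumptions.

```powershell
# Added example, not from the original thread. Assumed: port 443, a 5 s timeout,
# and that the three names listed in the question are the SANs the certificate needs.

$FarmName     = 'ADFS.company.com'
$ExpectedSans = 'ADFS.company.com', 'PRDADFSPXY01-VM.company.com', 'DRADFSPXY01-VM.company.com'

function Get-TlsCertificate {
    # Connect to one specific address, send $ServerName as SNI, and return the
    # certificate that node presents. ADFS on 2012 R2 binds by host name, so a
    # probe without SNI would not reach the federation service at all.
    param([string]$Address, [string]$ServerName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $tcp.ConnectAsync($Address, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${Address}:$Port timed out"
        }
        # Accept any certificate at the TLS layer; the SAN check is done below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ServerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

function Get-SanDnsNames {
    # DNS names from the subjectAltName extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

# 1. Every A record behind the round-robin name. Clients receive all of them and
#    will keep trying a dead one; nothing here removes it for them.
$addresses = (Resolve-DnsName -Name $FarmName -Type A -DnsOnly -ErrorAction Stop).IPAddress
"$FarmName -> $($addresses -join ', ')"

# 2. Probe each address on its own, so a single failed node is visible instead
#    of being averaged into intermittent sign-in failures.
$report = foreach ($ip in $addresses) {
    try {
        $cert    = Get-TlsCertificate -Address $ip -ServerName $FarmName
        $sans    = Get-SanDnsNames -Cert $cert
        $missing = $ExpectedSans | Where-Object { $sans -notcontains $_ }
        [pscustomobject]@{
            Address    = $ip
            Reachable  = $true
            Subject    = $cert.Subject
            Expires    = $cert.NotAfter
            MissingSan = ($missing -join ', ')
        }
    } catch {
        [pscustomobject]@{
            Address    = $ip
            Reachable  = $false
            Subject    = $_.Exception.Message
            Expires    = $null
            MissingSan = ''
        }
    }
}
$report | Format-Table -AutoSize
```

Run it from inside the network to see the internal round-robin set, and from a host outside to see the public one; on a WAP it also confirms whether the hosts-file entry is steering the farm name to an internal node, because Resolve-DnsName with -DnsOnly ignores the hosts file and the comparison between the two tells you if they differ. A row with Reachable = $false is a node that round robin is still sending users to.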