Albert Widjaja (Australia) asked:

Building highly redundant OnPremise ADFS service?

I had this question after viewing "Office 365 and Azure with ADFS setup or AD Pass-through authentication?".

People,

I'd like to plan and build ADFS servers in my current OnPremise infrastructure so that the current AD user accounts can access or consume the Azure AD cloud services.

At the moment I do not have any Office 365 yet, so AD Pass-through authentication cannot be implemented.

On Premise – Production Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [PRDADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – WebApplication Proxy Server. [PRDADFSPXY01-VM]

On Premise – DR Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [DRADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – WebApplication Proxy Server. [DRADFSPXY01-VM]

Certificate requirements:
ADFS.company.com --> this is the load-balanced name or VIP, using DNS Round Robin both internally and externally.
PRDADFSPXY01-VM.company.com
DRADFSPXY01-VM.company.com

Is that the correct simplest deployment?
Tags: Microsoft 365, Active Directory Federation Services (ADFS), Active Directory, DNS, Azure

Last Comment: Albert Widjaja, 8/22/2022 - Mon
SOLUTION
Cliff Galiher

ASKER CERTIFIED SOLUTION
K B

Albert Widjaja

ASKER
Thanks for the reply Cliff,

Regarding the SSL certificate section, I assume that any SSL certificate will be just fine? e.g. the cheapest one from GoDaddy.

So in the event that disaster strikes, can users still operate / log in normally, since all traffic will be handled by the DR site's servers?
K B

If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.
Albert Widjaja

ASKER
@KB: That's a very clear explanation on the diagram :-) thanks for sharing.
So on both PRDADFSPXY01-VM.company.com and DRADFSPXY01-VM.company.com I just need to add the HOSTS file entry:

ADFS.company.com  ...which IP address?...

I do not have any load balancer in my DMZ or anywhere in the company.

Normally I use DNS round robin for all purposes, like Exchange, web server, etc.
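The reason a Web Application Proxy needs a hosts entry at all is that public DNS for the federation service name points at the proxies themselves, so the proxy must be told to reach the internal AD FS server for that same name. The script below is an added example for this thread, not code from the original post or from Microsoft; it assumes a placeholder internal address (10.0.0.10) for the AD FS server the proxy should talk to (each site's proxy would point at that site's AD FS server), runs elevated on the proxy host, and uses a placeholder certificate thumbprint for the final trust step.

```powershell
# Added example (not from the thread). Run elevated on PRDADFSPXY01-VM / DRADFSPXY01-VM.
# Assumptions: 10.0.0.10 is a PLACEHOLDER for the internal AD FS server (or internal VIP)
# this proxy should reach; the thumbprint below is a PLACEHOLDER for the installed SSL cert.

$FederationServiceName = 'ADFS.company.com'
$InternalAdfsIp        = '10.0.0.10'                          # PLACEHOLDER
$CertThumbprint        = '0000000000000000000000000000000000000000'  # PLACEHOLDER
$HostsPath             = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Replace any existing (non-comment) hosts line for the federation service name.
$pattern = "^\s*\S+\s+$([regex]::Escape($FederationServiceName))(\s|$)"
$lines   = Get-Content -Path $HostsPath -ErrorAction Stop
$kept    = $lines | Where-Object { ($_ -match '^\s*#') -or ($_ -notmatch $pattern) }
# @() guards against $kept being a single string, where '+' would concatenate text instead of lines.
@($kept) + "$InternalAdfsIp`t$FederationServiceName" | Set-Content -Path $HostsPath -Encoding ASCII

# 2. Verify with the OS resolver, which honours the hosts file.
#    (Resolve-DnsName bypasses the hosts file and queries DNS directly, so it is the wrong check here.)
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $InternalAdfsIp) {
    throw "hosts entry not effective: $FederationServiceName resolves to $($resolved -join ', ')"
}

# 3. Verify the proxy can reach the internal federation service over HTTPS *by name*.
#    This also fails if the non-domain-joined proxy does not trust the AD FS certificate chain,
#    which is a real prerequisite, so a failure here is a useful signal rather than noise.
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$response    = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
Write-Host "$FederationServiceName -> $InternalAdfsIp ; metadata endpoint returned HTTP $($response.StatusCode)"

# 4. Only once name resolution and reachability work, establish the proxy trust.
$trustCred = Get-Credential -Message 'AD FS administrator account (local admin on the federation server)'
Install-WebApplicationProxy -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $CertThumbprint `
                            -FederationServiceName $FederationServiceName
```

Step 2 deliberately uses the .NET resolver rather than Resolve-DnsName: the latter ignores the hosts file, so it would still show the public round-robin addresses and give a false negative.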
Albert Widjaja

ASKER
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.

@KB: What is IdP? Identity Provider?
I do not have Office 365 yet; maybe later on, at the end of this year, I will be migrating the Exchange server to Office 365. I guess I can still use the ADFS servers while waiting for AD pass-through to mature.
K B

What do you need ADFS for without Office 365? Are you federating with another Service Provider?
Albert Widjaja

ASKER
Yes, that's true.
Also, I have some servers deployed in Azure, so I need to provide SSO for the users.
K B

Round Robin works like this: if one goes down, then ~50% of the time users won't have access to auth, so that's not a DR solution.
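The point above is that DNS round robin has no health awareness: a dead A record keeps being handed out. The script below is an added example, not from the thread or from any product documentation; it enumerates every A record behind the round-robin name and probes each address with the AD FS/WAP HTTP health endpoint (`/adfs/probe`, plain HTTP on port 80, which load balancers normally use), so an operator can see which targets are dead and what share of first attempts will fail. The federation service name and the DNS server address are placeholders.

```powershell
# Added example (not from the thread). Shows which round-robin targets are actually healthy.
# Assumptions: ADFS.company.com is the round-robin name from the question; the DNS server
# address is a PLACEHOLDER; /adfs/probe is enabled (default on AD FS 2012 R2 and WAP).

$FederationServiceName = 'ADFS.company.com'
$DnsServer             = '192.0.2.53'     # PLACEHOLDER: internal or external DNS server to query

# Resolve-DnsName queries DNS directly (ignores the hosts file), which is what we want here:
# it returns the full round-robin set rather than one rotated answer from the OS resolver cache.
$records = Resolve-DnsName -Name $FederationServiceName -Type A -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }

function Test-AdfsProbe {
    param([string]$Ip, [string]$HostName)
    # Probe by IP but present the federation service name in the Host header,
    # so the request looks like what a real client (or load balancer) would send.
    $req         = [System.Net.HttpWebRequest]::Create("http://$Ip/adfs/probe")
    $req.Host    = $HostName
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        [pscustomobject]@{ IP = $Ip; Healthy = ($code -eq 200); Detail = "HTTP $code" }
    } catch {
        [pscustomobject]@{ IP = $Ip; Healthy = $false; Detail = $_.Exception.Message }
    }
}

$results = foreach ($r in $records) { Test-AdfsProbe -Ip $r.IPAddress -HostName $FederationServiceName }
$results | Format-Table -AutoSize

$total = @($results).Count
$dead  = @($results | Where-Object { -not $_.Healthy }).Count
if ($total -gt 0 -and $dead -gt 0) {
    $pct = [math]::Round(100 * $dead / $total)
    Write-Warning ("{0} of {1} round-robin targets are down. DNS keeps handing them out, " +
                   "so roughly {2}% of first connection attempts will fail until the record is pulled.") -f $dead, $total, $pct
}
```

With two records and one server down this reports 1 of 2 targets dead (50%), which is exactly the failure mode described above; the only remediation DNS round robin offers is manually removing the record and waiting out the TTL, which is why it is not a DR mechanism on its own.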
Albert Widjaja

ASKER
OK, according to the software developer / DevOps manager, this is for the website that they are building this month.
Later on, it will be published into Azure, so I can just publish one simple server for both roles (ADFS and WebApp Proxy + SQL).
K B

Combining ADFS and WAP? Not sure that is a thing.. kind of defeats the purpose? Where is the HA/DR?
Albert Widjaja

ASKER
Ah, I see, so it needs to have two as a minimum?
The current purpose is just for the internal website; then if I move on to Azure, I can deploy the WAP. Is that possible, or does it make sense?
K B

The WAP (which lives in the DMZ) proxies the requests that originate from the internet, so you don't expose the domain-joined ADFS server (corporate network) to the internet.

Are you talking about Azure VMs with the ADFS role and WAP role installed, connected across VPN to your corporate network?
Albert Widjaja

ASKER
Are you talking about Azure VMs with the ADFS role and WAP role installed, connected across VPN to your corporate network?
I'm talking about the OnPremise VMware environment VMs.

So far I'm only using Azure for the web server and some IoT services; at the end of this year I will be migrating from Exchange to Office 365.
Albert Widjaja

ASKER
Thanks all!