Building a highly redundant on-premise ADFS service?

I had this question after viewing "Office 365 and Azure with ADFS setup or AD Pass-through authentication?".

People,

I'd like to plan and build ADFS servers in my current on-premise infrastructure so that the current AD user accounts can access or consume the Azure AD cloud services.

At the moment I do not have Office 365 yet, so AD Pass-through authentication cannot be implemented.

On Premise – Production Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [PRDADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [PRDADFSPXY01-VM]

On Premise – DR Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [DRADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [DRADFSPXY01-VM]

Certificate requirements:
ADFS.company.com --> this is the load-balanced name or VIP, using DNS round robin both internally and externally.
PRDADFSPXY01-VM.company.com
DRADFSPXY01-VM.company.com

Is that the correct simplest deployment?
Senior IT System Engineer Asked:

Cliff GaliherCommented:
AD pass-through has no dependency on O365, so that whole part of your question seems extraneous.

Yes, what you list seems valid. "Simplest" is subjective and open to interpretation, as well as your DR setup and load balancing choices.
K BCommented:
Use a load balancer, as DNS round robin is not truly highly available.
The proxy servers will need a HOSTS record pointing adfs.contoso.com to the VIP of the load balancer.

[attached diagram: asdfasdfasdf3.png]

Senior IT System Engineer (Author) Commented:
Thanks for the reply Cliff,

Regarding the SSL certificate section, I assume that any SSL certificate will be just fine? e.g. the cheapest one from GoDaddy.

So in the event that disaster strikes, users can still operate / log in normally since all traffic will be handled by the DR site's servers?

K BCommented:
If you don't need an IDp like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login. Read about it further. It will make life easier for you and your users.
Senior IT System Engineer (Author) Commented:
@KB: That's a very clear explanation on the diagram :-) thanks for sharing.
So in both PRDADFSPXY01-VM.company.com and DRADFSPXY01-VM.company.com I just need to add the HOSTS file entry:

ADFS.company.com  ...which IP address ?...

I do not have any load balancer in my DMZ or in the company that I use.

Normally I use DNS round robin for all purposes like Exchange, webserver, etc...
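A worked version of the HOSTS pinning K B describes, and of the "which IP address?" question above, as an added PowerShell script that is not part of the thread: it maps ADFS.company.com on a Web Application Proxy to the load-balancer VIP and then verifies that the proxy resolves the name to that VIP and that the federation metadata endpoint answers behind it. The VIP 10.0.0.50 is a constructed placeholder; the hosts-file handling and the entityID check are my own assumptions about what is worth verifying.

```powershell
# Added example (not from the thread). Pins the federation service name on a
# Web Application Proxy to the load-balancer VIP via the HOSTS file and then
# verifies name resolution and the ADFS metadata endpoint. Run elevated on the WAP.
$FederationServiceName = 'ADFS.company.com'   # name used in the thread
$Vip                   = '10.0.0.50'          # ASSUMPTION: placeholder VIP of your load balancer
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Drop any stale line for the name (e.g. an old round-robin member), then
#    append a single VIP mapping so the proxy never picks a dead node.
$pattern = "\s$([regex]::Escape($FederationServiceName))(\s|$)"
$kept = @(Get-Content -Path $HostsPath | Where-Object { $_ -notmatch $pattern })
$kept + "$Vip`t$FederationServiceName" | Set-Content -Path $HostsPath -Encoding ASCII
Clear-DnsClientCache

# 2. The WAP must now resolve the name to the VIP, not to whatever DNS
#    round robin would have handed out.
$resolved = (Resolve-DnsName -Name $FederationServiceName -Type A).IPAddress
if ($resolved -ne $Vip) { throw "Resolved $FederationServiceName to $resolved, expected $Vip" }

# 3. Confirm the federation service answers on 443 behind the VIP and that the
#    published metadata names the expected federation service.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "Nothing listening on ${FederationServiceName}:443" }
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
if ($resp.StatusCode -ne 200) { throw "Metadata endpoint returned HTTP $($resp.StatusCode)" }
[xml]$fed = $resp.Content
if ($fed.EntityDescriptor.entityID -notlike "*$FederationServiceName*") {
    throw "Metadata entityID '$($fed.EntityDescriptor.entityID)' does not match the service name"
}
"OK: $FederationServiceName -> $Vip, metadata entityID $($fed.EntityDescriptor.entityID)"
```

Repeat on each proxy (PRDADFSPXY01-VM and DRADFSPXY01-VM); because the name resolves to the VIP rather than to one farm member, losing a single ADFS server no longer strands roughly half of the proxies' authentication requests.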
Senior IT System Engineer (Author) Commented:
If you don't need an IDp like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login. Read about it further. It will make life easier for you and your users.

@KB: What is IDp? Identity Provider?
I do not have Office 365 yet; maybe later on, at the end of this year, I will be migrating the Exchange server to Office 365. I guess I can still use the ADFS servers while waiting for AD pass-through to mature.
K BCommented:
What do you need ADFS for without Office 365? Are you federating with another Service Provider?
Senior IT System Engineer (Author) Commented:
Yes, that's true.
Also, I have some servers deployed in Azure, so I need to provide SSO for the users.
K BCommented:
Round Robin works like this: if one goes down, then ~50% of the time users won't have access to auth, so that's not a DR solution.
Senior IT System Engineer (Author) Commented:
OK, according to the software developer / DevOps manager, this is for the website that they are building this month.
Later on, it will be published into Azure, so I can just publish one simple server for both roles (ADFS and Web App Proxy + SQL).
K BCommented:
Combining ADFS and WAP? Not sure that is a thing.. kind of defeats the purpose? Where is the HA/DR?
Senior IT System Engineer (Author) Commented:
Ah I see, so it needs to have two as a minimum?
The current purpose is just for the internal website; then, if I move on to Azure, I can deploy the WAP. Is that possible, or does it make sense?
K BCommented:
The WAP (which lives in the DMZ) proxies the requests that originate from the internet, so you don't have exposure of the domain-joined ADFS server (corporate network) on the internet.

Are you talking about Azure VMs with ADFS role and WAP role installed connected across VPN to your corporate network?
Senior IT System Engineer (Author) Commented:
Are you talking about Azure VMs with ADFS role and WAP role installed connected across VPN to your corporate network?
I'm talking about the on-premise VMware environment VMs.

So far I'm only using Azure for the webserver and some IoT services; at the end of this year I will be migrating from Exchange to Office 365.
Senior IT System Engineer (Author) Commented:
Thanks all !