Building highly redundant OnPremise ADFS service?

Senior IT System Engineer
I had this question after viewing "Office 365 and Azure with ADFS setup or AD Pass-through authentication?".

People,

I'd like to plan and build ADFS servers in my current OnPremise infrastructure so that the current AD user accounts can access or consume the Azure AD cloud services.

At the moment I do not have Office 365 yet, so AD pass-through authentication cannot be implemented.

On Premise – Production Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [PRDADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [PRDADFSPXY01-VM]

On Premise – DR Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [DRADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [DRADFSPXY01-VM]

Certificate requirements:
ADFS.company.com --> this is the load balanced name or VIP using DNS Round Robin both internally and externally.
PRDADFSPXY01-VM.company.com
DRADFSPXY01-VM.company.com

Is that the correct simplest deployment?

Commented:
AD pass-through has no dependency on O365, so that whole part of your question seems extraneous.

Yes, what you list seems valid. "Simplest" is subjective and open to interpretation, as well as your DR setup and load balancing choices.
Commented:
Use a load balancer, as DNS round robin is not truly highly available.
The proxy servers will need a HOSTS record pointing adfs.contoso.com to the VIP of the load balancer.

[attached diagram: asdfasdfasdf3.png]
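As an added example (not code from the thread or from any of the participants), this is what the HOSTS entry and the proxy setup described above look like in PowerShell on one of the non-domain-joined WAP servers. The load-balancer VIP (203.0.113.10), the account used for the trust, and the assumption that a certificate covering adfs.company.com has already been imported into the proxy's machine store are all placeholders for illustration. Note that the proxy presents the federation service name to clients, so it is the adfs.company.com certificate that gets bound on it, not one for the proxy's own hostname.

```powershell
# Added example: prepare a non-domain-joined Web Application Proxy server
# (e.g. PRDADFSPXY01-VM) so that it reaches the ADFS farm through the load balancer.
# Run in an elevated PowerShell session on the WAP server (Windows Server 2012 R2).
# Every IP address below is a placeholder (assumption), not a value from the thread.

$FederationServiceName = 'adfs.company.com'
$AdfsVip               = '203.0.113.10'      # ASSUMED: internal load-balancer VIP in front of the ADFS farm
$HostsFile             = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. The proxy lives in the DMZ and is not domain joined, so it cannot rely on internal DNS.
#    Pin the federation service name to the load-balancer VIP in the HOSTS file (idempotent).
$pattern = "^\s*\S+\s+$([regex]::Escape($FederationServiceName))\s*$"
if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $HostsFile -Value "$AdfsVip`t$FederationServiceName"
}

# 2. Confirm the name now resolves to the VIP (the .NET resolver honours the HOSTS file).
$resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $AdfsVip) {
    throw "$FederationServiceName resolves to $($resolved -join ', ') instead of $AdfsVip"
}

# 3. Locate the federation service certificate in the machine store. The proxy must present
#    the same name as the farm, so the certificate's subject or SAN must cover adfs.company.com.
#    DnsNameList is the PowerShell 4.0+ property listing subject and SAN DNS names.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FederationServiceName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $FederationServiceName in LocalMachine\My" }

# 4. Check the farm answers through the VIP before installing the proxy role.
#    The federation metadata document is served anonymously over HTTPS, so this also
#    exercises the TLS certificate chain from the DMZ host's point of view.
$metaUri = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$meta = Invoke-WebRequest -Uri $metaUri -UseBasicParsing
if ($meta.StatusCode -ne 200) { throw "Federation metadata not reachable via $AdfsVip (HTTP $($meta.StatusCode))" }

# 5. Install and configure the Web Application Proxy role against the farm.
#    The trust credential is a domain account that is a local administrator on the ADFS servers.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Domain account that is local admin on the ADFS servers'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $trustCred
```

The same script runs unchanged on DRADFSPXY01-VM; only the VIP differs if the DR site fronts its own ADFS node with a separate load balancer.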

Author

Commented:
Thanks for the reply Cliff,

Regarding the SSL certificate section, I assume that any SSL certificate will be just fine? e.g. the cheapest one from GoDaddy.

So in the event disaster strikes, users can still operate / log in normally, since all traffic will be handled by the DR site's servers?

K B

Commented:
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.

Author

Commented:
@KB: That's a very clear explanation on the diagram :-) thanks for sharing.
So in both PRDADFSPXY01-VM.company.com and DRADFSPXY01-VM.company.com I just need to add the HOSTS file entry:

ADFS.company.com  ...which IP address?...

I do not have any load balancer in my DMZ or in the company.

Normally I use DNS round robin for all purposes like Exchange, web server, etc.

Author

Commented:
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.

@KB: What is IdP? Identity Provider?
I do not have Office 365 yet; maybe later on, at the end of this year, I will be migrating the Exchange server to Office 365. I guess I can still use the ADFS servers while waiting for AD pass-through to mature.
K B

Commented:
What do you need ADFS for without Office 365? Are you federating with another service provider?

Author

Commented:
Yes, that's true.
Also, I have some servers deployed in Azure, so I need to provide SSO for the users.
K B

Commented:
Round robin works like this: if one goes down, then ~50% of the time users won't have access to auth, so that's not a DR solution.
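To make the failure mode above concrete, here is an added health-check script (not from the thread) that resolves every A record the round-robin name hands out, probes each node's /adfs/probe endpoint (the anonymous HTTP port 80 probe AD FS and WAP on Server 2012 R2 expose for load balancers) and reports the share of new sign-ins that would land on a dead node. The zone name, DNS server name and the optional -FixDns switch are assumptions for illustration; pulling the dead record is the most a script can do, and clients keep the cached answer until its TTL expires, which is exactly the gap a real load balancer closes.

```powershell
# Added example: show why DNS round robin is not failover for adfs.company.com.
# Run from any domain-joined host that can reach the ADFS nodes on TCP 80.
# Zone, DNS server and -FixDns behaviour are ASSUMED for illustration, not from the thread.

param(
    [string]$FederationServiceName = 'adfs.company.com',
    [string]$ZoneName  = 'company.com',   # ASSUMED: internal zone holding the round-robin A records
    [string]$DnsServer = 'dc01',          # ASSUMED: DNS server to edit when -FixDns is given
    [switch]$FixDns
)

# Resolve-DnsName with -DnsOnly returns all A records straight from DNS, bypassing cache and HOSTS.
# This is the address set a round-robin name rotates through for clients.
$addresses = Resolve-DnsName -Name $FederationServiceName -Type A -DnsOnly |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

$results = foreach ($ip in $addresses) {
    # Probe each node directly by IP, the same way a hardware load balancer would.
    # /adfs/probe answers 200 over plain HTTP on a healthy AD FS or WAP node; no TLS needed.
    $healthy = $false
    try {
        $r = Invoke-WebRequest -Uri "http://$ip/adfs/probe" -UseBasicParsing -TimeoutSec 5
        $healthy = ($r.StatusCode -eq 200)
    } catch {
        $healthy = $false
    }
    [pscustomobject]@{ IPAddress = $ip; Healthy = $healthy }
}

$results | Format-Table -AutoSize

# A resolver has no health information, so the fraction of clients handed a dead address
# is simply dead/total: with the two ADFS nodes in this thread, one failure means ~50%.
$dead = @($results | Where-Object { -not $_.Healthy })
if ($dead.Count -gt 0) {
    $pct = [math]::Round(100 * $dead.Count / @($results).Count)
    Write-Warning "$($dead.Count) of $(@($results).Count) nodes down: ~$pct% of new sign-ins will fail"
}

# Best effort without a load balancer: remove the dead node's A record from the zone.
# Clients that already cached the record keep failing until the TTL runs out.
if ($FixDns) {
    # Record name relative to the zone, e.g. 'adfs' for adfs.company.com in company.com
    $recordName = $FederationServiceName -replace "\.$([regex]::Escape($ZoneName))$", ''
    foreach ($d in $dead) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $recordName -RRType A -RecordData $d.IPAddress -Force
    }
}
```

Run it as a scheduled task with -FixDns only if the round-robin approach must be kept; otherwise the probe loop is the same check a load balancer performs continuously, which is the point of the comment above.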

Author

Commented:
OK, according to the software developer / DevOps manager, this is for the website that they are building this month.
Later on, it will be published into Azure, so I can just publish one simple server for both roles (ADFS and Web Application Proxy + SQL).
K B

Commented:
Combining ADFS and WAP? Not sure that is a thing; it kind of defeats the purpose. Where is the HA/DR?

Author

Commented:
Ah I see, so it needs to have two as a minimum?
The current purpose is just for the internal website; then, if I move on to Azure, I can deploy the WAP. Is that possible, or does it make sense?
K B

Commented:
The WAP (which lives in the DMZ) proxies the requests that originate from the internet, so you don't have exposure of the domain-joined ADFS server (corporate network) on the internet.

Are you talking about Azure VMs with ADFS role and WAP role installed connected across VPN to your corporate network?

Author

Commented:
Are you talking about Azure VMs with ADFS role and WAP role installed connected across VPN to your corporate network?
I'm talking about the OnPremise VMware environment VMs.

So far I'm only using Azure for the web server and some IoT services; at the end of this year I will be migrating from Exchange to Office 365.

Author

Commented:
Thanks all !
