
Building a highly redundant on-premise ADFS service?

Last Modified: 2017-05-03
I had this question after viewing "Office 365 and Azure with ADFS setup or AD pass-through authentication?".

People,

I'd like to plan and build ADFS servers in my current on-premise infrastructure so that the current AD user accounts can access or consume the Azure AD cloud services.

At the moment I do not have any Office 365 yet, so AD pass-through authentication cannot be implemented.

On Premise – Production Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [PRDADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [PRDADFSPXY01-VM]

On Premise – DR Site:
1x Windows Server 2012 R2 – Domain Joined – AD Federation Server & SQL Server Express Edition on the server. [DRADFS01-VM]
1x Windows Server 2012 R2 – Non-Domain Joined (DMZ) – Web Application Proxy Server. [DRADFSPXY01-VM]

Certificate requirements:
ADFS.company.com --> this is the load balanced name or VIP using DNS Round Robin both internally and externally.
PRDADFSPXY01-VM.company.com
DRADFSPXY01-VM.company.com

Is that the correct simplest deployment?
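As an added example (not from the original post or from any of the replies), the setup steps on each of the two non-domain-joined proxies in the design above, in PowerShell: the hosts-file entry that makes the proxy resolve adfs.company.com to the internal federation server rather than to itself or to the public round-robin record, selection of a certificate whose SAN list carries the federation service name, and the Web Application Proxy installation and trust. The internal IP addresses are placeholders, and the "each proxy points at the ADFS node in its own site" mapping is an assumption about this design, not something the post states.

```powershell
# Added example, not from the original thread. Run elevated on each DMZ proxy
# (PRDADFSPXY01-VM / DRADFSPXY01-VM). Federation name and host names come from
# the post; every IP address below is an assumed placeholder.

$FederationServiceName = 'adfs.company.com'

# The WAP must resolve the federation service name to the *internal* ADFS
# server. If it resolved to the public round-robin record it could land on
# itself or on the other proxy. Assumed mapping: each proxy -> the ADFS node
# in its own site.
$InternalAdfs = @{
    'PRDADFSPXY01-VM' = '10.0.1.10'   # assumed internal IP of PRDADFS01-VM
    'DRADFSPXY01-VM'  = '10.0.2.10'   # assumed internal IP of DRADFS01-VM
}
$localName = $env:COMPUTERNAME.ToUpper()
if (-not $InternalAdfs.ContainsKey($localName)) {
    throw "No internal ADFS mapping defined for $localName"
}

# Static hosts entry; the DMZ box is not domain joined and should not rely on
# internal DNS. Added only once.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry = "{0}`t{1}" -f $InternalAdfs[$localName], $FederationServiceName
if (-not (Select-String -Path $hostsPath -Pattern ([regex]::Escape($FederationServiceName)) -Quiet)) {
    Add-Content -Path $hostsPath -Value $entry
}

# Service certificate: any publicly trusted certificate works as long as
# adfs.company.com is in its SAN list and the private key is present.
# The proxy's own host name does not need to be on it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $FederationServiceName) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with SAN $FederationServiceName and a private key in LocalMachine\My"
}

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The trust credential is a domain account that is a local administrator on the
# ADFS server; it is used once to establish the proxy trust and is not stored.
$trustCred = Get-Credential -Message 'Domain account with admin rights on the ADFS server'
Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint

# Sanity check: the federation metadata must come back through the hosts
# mapping, i.e. from the internal farm, not from this proxy.
$meta = Invoke-WebRequest -UseBasicParsing `
    -Uri "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
if ($meta.StatusCode -ne 200) {
    throw 'Federation metadata is not reachable from the proxy'
}
```

The hosts entry is the part that is easy to get wrong with a round-robin name: the proxy must never resolve the federation service name to an address that leads back to a proxy, so the mapping is pinned locally on each DMZ box rather than left to whatever DNS answers.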

CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Commented:
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
Thanks for the reply, Cliff.

Regarding the SSL certificate section, I assume that any SSL certificate will be just fine? E.g. the cheapest GoDaddy one.

So in the event that disaster strikes, users can still operate / log in normally, since all traffic will be handled by the DR site's servers?
K B

Commented:
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
@KB: That's a very clear explanation on the diagram :-) Thanks for sharing.
So in both PRDADFSPXY01-VM.company.com and DRADFSPXY01-VM.company.com I just need to add the HOSTS file entry:

ADFS.company.com  ...which IP address?...

I do not have any load balancer in my DMZ or anywhere in the company that I use.

Normally I use DNS round robin for all purposes, like Exchange, web server, etc.
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
If you don't need an IdP like ADFS and this is only for 365, I would consider pass-through auth, unless you have to use alternate login; read about it further. It will make life easier for you and your users.

@KB: What is IdP? Identity Provider?
I do not have Office 365 yet; maybe later on, at the end of this year, I will be migrating the Exchange server to Office 365. I guess I can still use the ADFS servers while waiting for AD pass-through authentication to mature.
K B

Commented:
What do you need ADFS for without Office 365? Are you federating with another Service Provider?
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
Yes, that's true.
Also, I have some servers deployed in Azure, so I need to provide SSO for the users.
K B

Commented:
Round robin works like this: if one goes down, then ~50% of the time users won't have access to auth, so that's not a DR solution.
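As an added example (not from the original thread), a PowerShell check that shows the point made in the reply above: it resolves every A record behind adfs.company.com and probes each address individually on the HTTP probe endpoint (/adfs/probe on port 80, which ADFS on Windows Server 2012 R2 and the Web Application Proxy answer with 200 for load-balancer health checks). Plain DNS round robin performs no such check, so a record for a dead node keeps being handed out until someone removes it. The federation name comes from the post; that the machine running this can reach port 80 on the nodes is an assumption.

```powershell
# Added example, not from the original thread. Probes every advertised address
# for the federation service name so the result is per node rather than
# whatever round robin happened to hand out. Assumes port 80 is reachable.

$FederationServiceName = 'adfs.company.com'

function Test-AdfsProbe {
    param(
        [string]$Ip,
        [string]$HostName,
        [int]$TimeoutMs = 5000
    )
    # Connect by IP and carry the federation name in the Host header, so a
    # request never silently goes to a different node than the one under test.
    $req = [System.Net.HttpWebRequest]::Create("http://$Ip/adfs/probe")
    $req.Host = $HostName
    $req.Timeout = $TimeoutMs
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $ok = ([int]$resp.StatusCode) -eq 200
        $resp.Close()
        return $ok
    } catch {
        # Timeout, connection refused or a non-2xx answer all count as down.
        return $false
    }
}

# Everything round robin will hand to clients, regardless of node health.
$records = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }
if (-not $records) {
    throw "$FederationServiceName has no A records"
}

$results = foreach ($rr in $records) {
    [pscustomobject]@{
        Address = $rr.IPAddress
        Healthy = Test-AdfsProbe -Ip $rr.IPAddress -HostName $FederationServiceName
    }
}
$results | Format-Table -AutoSize

$dead = @($results | Where-Object { -not $_.Healthy })
if ($dead.Count -gt 0) {
    # Round robin hands out each record in turn, so roughly dead/total of
    # lookups land on an address that cannot authenticate anyone.
    $pct = [math]::Round(100 * $dead.Count / $results.Count)
    Write-Warning ("{0} of {1} advertised addresses are down; about {2}% of lookups will return a dead address until that record is removed from DNS." -f $dead.Count, $results.Count, $pct)
}
```

Run it against the internal name from inside the network and against the external name from outside; with two records and one node down it reports the 50% figure from the reply, and the warning stays until the dead A record is pulled from DNS by hand, which is exactly the manual step a load balancer with health checks would do for you.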
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
OK, according to the software developer / DevOps manager, this is for the website that they are building this month.
Later on, it will be published into Azure, so I can publish just one simple server for both roles (ADFS and Web Application Proxy + SQL).
K B

Commented:
Combining ADFS and WAP? Not sure that is a thing. Kind of defeats the purpose? Where is the HA/DR?
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
Ah, I see, so it needs to have two as a minimum?
The current purpose is just for the internal website; then, if I move on to Azure, I can deploy the WAP. Is that possible, or does it make sense?
K B

Commented:
The WAP (which lives in the DMZ) proxies the requests that originate from the internet, so you don't expose the domain-joined ADFS server (corporate network) to the internet.

Are you talking about Azure VMs with the ADFS role and WAP role installed, connected across a VPN to your corporate network?
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
Are you talking about Azure VMs with the ADFS role and WAP role installed, connected across a VPN to your corporate network?
I'm talking about the on-premise VMware environment VMs.

So far I'm only using Azure for the Webserver and some IoT services, at the end of this year I will be migrating from Exchange to Office 365.
Senior IT System Engineer
CERTIFIED EXPERT

Author

Commented:
Thanks all !