Azure AD connect ADFS DNS/firewall setup


Having some issues wrapping my head around the DNS setup for Azure AD connect.

I plan for 1 ADFS and 1 WAP.

Is this correct?
DNS on inside (new zone with the portion - Local IP (

DNS on outside
ADFS - External IP (
WAP - External IP (

Add WAP in server list for server where ADFS is running.

Which ports need to be open for this to work?
Mr Woober asked:

Since you're creating an internal zone, I assume you have the certificate that corresponds to the FQDN. You only need to publish a single A record for and point it to the external IP that's NATed to the interface of the WAP server, port 443 (HTTPS). No need to publish the ADFS server, as it should only be accessible and accept connections from the WAP.
On the WAP server, create a hosts record and point it to the IP of the ADFS server; port 443 will also need to be open from the WAP to the ADFS server.

AADConnect only creates OUTBOUND traffic. As long as you allow connectivity from it on ports 443 and 53, you should be ok. See here for more details.

Mr Woober (Author) commented:

Thanks for a very good explanation. Have got the connection correct :)


The wizard crashed, and required me to uninstall. After reinstall I have issues when adding the WAP.

See attached picture. I am not able to find much information related to this error. No records in the event log.

WAP is added to servers and PS and everything works fine. Server can ping and control the WAP.


For further reference: Machine.config on the WAP was corrupted. Restoring this to default solved the issue.

Since you're using AADConnect to deploy the services, it seems that both the WAP and ADFS servers are in the same network.
(Correct me if I'm wrong.)
If that's the case, you SHOULD strongly consider deploying WAP as STANDALONE (not part of the domain) in a DMZ and make sure and validate that it can ONLY accept incoming traffic on port 443 and is allowed to get out to the internet (53 for DNS obviously is required) to "Windows Update" and "Office365" infrastructure ONLY. That's the ideal config.

Internally, it should be able to reach out from DMZ to the internal LAN over port 443 to the ADFS server.

NONE of the machines should be able to talk to the WAP server internally.

I understand that you would require some sort of management, so make it as secure as you can.

Consider also running SCW to further secure the WAP machine and minimize attack surface.

Let me know if you have any further questions.
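As an added illustration (not part of the thread or of anyone's answer), the PowerShell below applies the WAP-side pieces of the advice above: the hosts entry that points the federation name at the internal ADFS server, a Windows Firewall posture that accepts only inbound TCP 443, and a check that the WAP actually resolves and reaches ADFS on 443. The name fs.example.com and the address 10.0.0.10 are placeholders; the outbound restriction to Windows Update and Office 365 is a perimeter-firewall setting and is not shown.

```powershell
# Added example, not from the thread. Run elevated on the WAP server.
# Placeholders: replace with your federation service name and the ADFS internal IP.
$FederationFqdn = 'fs.example.com'
$AdfsInternalIp = '10.0.0.10'
$HostsPath      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. hosts entry: the WAP must reach ADFS directly, not via the public A record
#    that resolves the same name to the WAP's own external address.
$pattern = '^\s*\S+\s+' + [regex]::Escape($FederationFqdn) + '\s*$'
$hosts   = @(Get-Content -Path $HostsPath -ErrorAction SilentlyContinue)
if (-not ($hosts | Where-Object { $_ -match $pattern })) {
    Add-Content -Path $HostsPath -Value "$AdfsInternalIp`t$FederationFqdn"
}

# 2. Windows Firewall on the WAP: block everything inbound except TCP 443.
#    (Limiting outbound to Windows Update / Office 365 belongs on the DMZ firewall.)
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
if (-not (Get-NetFirewallRule -DisplayName 'WAP inbound HTTPS' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WAP inbound HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 443 -Action Allow -Profile Any | Out-Null
}

# 3. Verify: resolution goes through the hosts file and TCP 443 to ADFS is open.
#    [System.Net.Dns] honours the hosts file; Resolve-DnsName queries DNS only.
$resolved = [System.Net.Dns]::GetHostAddresses($FederationFqdn) |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $AdfsInternalIp) {
    Write-Warning "$FederationFqdn resolves to $($resolved -join ', '), expected $AdfsInternalIp"
}
Test-NetConnection -ComputerName $FederationFqdn -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If TcpTestSucceeded is false while the name resolves correctly, the block is between the DMZ and the ADFS server rather than on the WAP itself.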