• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 74
  • Last Modified:

Azure AD connect ADFS DNS/firewall setup


Having some issues wrapping my head around the DNS setup for Azure AD connect.

I plan for 1 ADFS and 1 WAP.

Is this correct ?
DNS on inside (new zone with the portion adfs.contoso.com)
ADFS.contoso.com - Local ip (

DNS on outside
ADFS - External ip (
WAP - External ip (

Add wap in server list for server where adfs is running.

Which ports needs to be open for this to work ?
Mr Woober
Mr Woober
  • 2
1 Solution
Since you're creating an internal adfs.contoso.com zone I assume you have the certificate that corresponds to the FQDN. You only need to publish single A record for adfs.contoso.com and point it to the external IP that's NATed to the interface of the WAP server, port 443 (HTTPS). No need to publish the ADFS server, as it's only should be accessible and accept connections from WAP.
On the WAP server create a hosts records and indicate adfs.contoso.com and point to the IP of ADFS server, port 443 will also be required to open from WAP to ADFS server.

AADConnect only creates OUTBOUND traffic. As long as you allow connectivity from it on ports 443 and 53, you should be ok. See here for more details.
Mr WooberAuthor Commented:

Thanks for a very good explanation. Have got the connection correct :)


The wizard crashed, and required me to uninstall. After reinstall I have issues when adding the WAP.

See attached picture. Am not able to find much information related to this error. No records in the event log.

WAP is added to servers and PS and everything works fine. Server can ping and control the WAP.


For further reference.
Machine.config on WAP was corrupted. Restoring this to default solved the issue
Since you're using AADConnect to deploy the services, it seems that both of WAP and ADFS servers are in the same network.
(Correct me if I wrong)
If that's the case, you SHOULD strongly consider deploying WAP as STANDALONE (not part of the domain) in DMZ and make sure and validate that it can ONLY accept incoming traffic on port 443 and allowed to get out to the internet (53 for DNS obviously is required) to "Windows Update" and "Office365" infrastructure ONLY. That's the ideal config.

Internally, it should be able to reach out from DMZ to the internal LAN over port 443 to the ADFS server.

NONE of the machines should be able to talk to the WAP server internally.

I understand that you would require some sort of the management, so make it as secure as you can.

Consider also running SCW to further secure the WAP machine and minimize attack surface.

Let me know if you have any further questions.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now