Active Directory Federation Server Proxy
The Federation Service Proxy is a component of Active Directory Federation Services. You use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall. You place federation server proxies in a perimeter network to protect the federation server from malicious users coming from the Internet, adding an additional security layer to your Active Directory Federation Services deployment.
Configuring firewall servers for the federation server proxy
For the federation server proxy redirection process to be successful, all firewall servers must be configured to allow Secure Hypertext Transfer Protocol (HTTPS) traffic. The use of HTTPS is required because the firewall servers must publish the federation server proxy, using port 443, so that the federation server proxy in the perimeter network can access the federation server in the corporate network.
Servers that are running the Federation Service Proxy are required to use the following types of certificates:
Secure Sockets Layer (SSL) server authentication certificates: Federation server proxies use SSL server authentication certificates to secure Web traffic with Web clients. If you set up a federation server proxy farm, all federation server proxy computers must use the same server authentication certificate. It is important to verify that the subject name in the server authentication certificate matches the Domain Name System (DNS) name of the Federation Service endpoint Uniform Resource Locator (URL) in the trust policy.
SSL client authentication certificates: Each federation server proxy uses a client authentication certificate to authenticate to the Federation Service. You can use any certificate with the client authentication extended key usage (EKU) that chains to a trusted root CA on the federation server as a client authentication certificate for the federation server proxy. In addition, you must explicitly add the client authentication certificate to the trust policy. However, only the federation server proxy stores the private key that is associated with the federation server proxy client authentication certificate. You can install a client authentication certificate by connecting to an enterprise CA or by creating a self-signed certificate.
After you configure a computer with the prerequisite applications and certificates, you are ready to install the Federation Service Proxy component of Active Directory Federation Services (ADFS). You can use the following procedures to install the Federation Service Proxy component. When you install the Federation Service Proxy component on a computer, that computer becomes a federation server proxy.
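The certificate requirements above can be checked on the proxy before installation. The following PowerShell script is an added example, not part of the original article or of ADFS itself. It assumes PowerShell 3.0 or later, that both certificates are in the local machine Personal store, and that the thumbprints and the Federation Service FQDN (fs.example.com is a placeholder) are supplied by the administrator. It checks the EKUs, the subject and Subject Alternative Name DNS entries of the SSL certificate against the Federation Service FQDN, that both certificates chain to a trusted root on this machine, and that the private key of the client authentication certificate is present here.

```powershell
# Added example (not from the original article): pre-installation certificate checks
# for a federation server proxy. Assumes PowerShell 3+ and certificates in Cert:\LocalMachine\My.
param(
    # Placeholder: the DNS name from the Federation Service endpoint URL in the trust policy
    [string]$FederationServiceFqdn = 'fs.example.com',
    [Parameter(Mandatory = $true)][string]$SslThumbprint,
    [Parameter(Mandatory = $true)][string]$ClientAuthThumbprint
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every "DNS Name=" entry of the Subject Alternative Name extension (OID 2.5.29.17)
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $names += ($_ -replace '^DNS Name=', '') }
    }
    return $names
}

function Test-HasEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }   # no EKU extension: the usage is not explicitly asserted
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Test-ChainsToTrustedRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Builds the chain against this machine's trusted roots; revocation is skipped because the
    # perimeter host may have no CRL/OCSP reachability, so this is a trust-chain check only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("Chain problem: {0} {1}" -f $s.Status, $s.StatusInformation)
        }
    }
    return $ok
}

$ssl    = Get-Item "Cert:\LocalMachine\My\$SslThumbprint"
$client = Get-Item "Cert:\LocalMachine\My\$ClientAuthThumbprint"

$results = [ordered]@{
    'SSL cert has Server Authentication EKU'          = Test-HasEku $ssl $ServerAuthOid
    'SSL cert name matches Federation Service FQDN'   = (Get-CertDnsNames $ssl) -contains $FederationServiceFqdn
    'SSL cert chains to a trusted root'               = Test-ChainsToTrustedRoot $ssl
    'Client cert has Client Authentication EKU'       = Test-HasEku $client $ClientAuthOid
    'Client cert private key is present on this host' = $client.HasPrivateKey
    'Client cert chains to a trusted root'            = Test-ChainsToTrustedRoot $client
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

In a proxy farm, run the script on every proxy with the same $SslThumbprint; a differing thumbprint on one member is exactly the mismatch the farm requirement above rules out. The chain check runs against the proxy's root store; the federation server must also trust the client certificate's root, so repeat the client-certificate chain check there after exporting the public part.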
Installing Federation Service Proxy Role in Windows 2003R2
1. Click Start, point to Control Panel, and then click Add or Remove Programs.
2. In Add or Remove Programs, click Add/Remove Windows Components.
3. In the Windows Components Wizard, click Active Directory Services, and then click Details.
4. In the Active Directory Services dialog box, click Active Directory Federation Services (ADFS), and then click Details.
5. In the Active Directory Federation Services (ADFS) dialog box, select the Federation Service Proxy check box. If ASP.NET 2.0 was not previously enabled, click Yes to enable it, and then click OK.
6. In the Active Directory Services dialog box, click OK.
7. In the Windows Components Wizard, click Next.
8. On the Federation Service Proxy page, click Select to browse for the certificate.
9. In the Select Certificate dialog box, click Client Authentication Certificate for CompanyName FSP, and then click OK.
10. Under Federation Service Domain Name System (DNS) host name, type the host name of your federation server.
11. If you are prompted for the location of the installation files, navigate to R2 Installation Folder\cmpnents\r2, and then click OK.
12. On the Completing the Windows Components Wizard page, click Finish.
Installing Federation Service Proxy Role in Windows 2008
Ensure that all of the prerequisite components are installed and configured on the server and then complete the following steps:
1. From Server Manager, right-click Roles and then click Add Roles to start the Add Roles Wizard.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, click Active Directory Federation Services. Click Next two times.
4. On the Select Role Services page, select the Federation Service Proxy check box. If you are prompted to install additional Web Server (IIS) or Windows Process Activation Service role services, click Add Required Role Services to install them, and then click Next.
5. On the Specify Federation Server page, type the fully qualified name of the federation server used by this proxy and then click Validate to ensure that the proxy server can communicate with the federation server. Click Next.
6. On the Choose A Client Authentication Certificate page, choose the certificate that you want to use for client authentication, and then click Next. If you do not have a certificate configured, you can choose to use a self-signed certificate. Note: The client certificate used by the federation server proxy must be added to the federation server configuration, so export the client certificate to a file.
7. Complete the installation of the Web Server (IIS) server role. After you complete the installation, the Federation Service Proxy component is configured with default settings that include the URL for the federation server and default settings for the client logon, logoff, and account partner discovery pages.
Name resolution requirements for federation server proxies
When Internet clients attempt to access an application that is secured by Active Directory Federation Services, the clients must first authenticate to the federation server. The federation server is usually not directly accessible from the Internet, so Internet clients must be redirected to the federation server proxy instead. For a successful redirection you must add the appropriate DNS records to the DNS zone or zones that face the Internet. The method that you use to redirect Internet clients depends on how you configure the DNS zone in your perimeter network or a DNS zone that you control on the Internet. Federation server proxies are intended for use in a perimeter network. They redirect Internet client requests to federation servers successfully only when DNS has been configured properly in all of the Internet-facing zones that you control. Therefore, the configuration of your Internet-facing zones is important, whether you have a DNS zone serving only the perimeter network or a DNS zone serving both the perimeter network and Internet clients.
DNS zone serving only the perimeter network
Successful name resolution for a federation server proxy in the DNS zone serving only the perimeter network scenario depends on the following conditions. The federation server proxy must have an entry in its hosts file that resolves the fully qualified domain name (FQDN) of the Federation Service endpoint Uniform Resource Locator (URL) to an IP address of a federation server or federation server cluster. DNS in the perimeter network of the account partner must be configured so that the FQDN of the Federation Service endpoint URL resolves to the IP address of the federation server proxy.
DNS zone serving both the perimeter network and Internet clients
Successful name resolution for a federation server proxy in this scenario depends on the following conditions. DNS in the Internet zone of the account partner must be configured so that the FQDN of the Federation Service endpoint URL resolves to the IP address of the federation server proxy in the perimeter network. DNS in the perimeter network of the account partner must be configured so that the FQDN of the Federation Service endpoint URL resolves to the IP address of the federation server in the corporate network.
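Both scenarios above reduce to one invariant: the same Federation Service FQDN must resolve to the federation server when looked up from the proxy (via the hosts file or perimeter DNS) and to the proxy when looked up by an Internet client. The following PowerShell script is an added example, not part of the original article; it checks that invariant from whichever vantage point it is run and, on the proxy, also confirms that TCP port 443 to the federation server is open through the firewall as the earlier firewall section requires. It assumes PowerShell 3.0 or later; the FQDN and IP addresses are placeholders to be replaced with your own values.

```powershell
# Added example (not from the original article): verify Federation Service name
# resolution from the proxy or from an Internet client. Assumes PowerShell 3+.
param(
    [string]$FederationServiceFqdn = 'fs.example.com',   # placeholder FQDN from the endpoint URL
    [string]$FederationServerIp    = '10.0.0.10',        # placeholder: federation server in the corporate network
    [string]$ProxyIp               = '192.0.2.10',       # placeholder: proxy in the perimeter network
    [ValidateSet('Proxy', 'InternetClient')][string]$Role = 'Proxy'   # where this script is being run
)

function Get-HostsFileEntry {
    # Returns the address the local hosts file maps to $Name, or $null if there is no entry.
    param([string]$Name)
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content $hostsPath) {
        if ($line -match '^\s*#' -or $line -notmatch '\S') { continue }
        $fields = $line -split '\s+' | Where-Object { $_ }
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $Name)) { return $fields[0] }
    }
}

function Resolve-Addresses {
    # Uses the OS resolver (hosts file first, then DNS), so the result is what this host will connect to.
    param([string]$Name)
    [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() }
}

function Test-Tcp443 {
    # Plain TCP connect with a 3 second timeout; no TLS handshake, just reachability through the firewall.
    param([string]$Address)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Address, 443, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(3000)) { return $false }
        $tcp.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $tcp.Close() }
}

# The proxy must reach the federation server; an Internet client must land on the proxy.
$expected = if ($Role -eq 'Proxy') { $FederationServerIp } else { $ProxyIp }
$resolved = @(Resolve-Addresses $FederationServiceFqdn)
Write-Host ("{0}: {1} resolves to {2}" -f $Role, $FederationServiceFqdn, ($resolved -join ', '))

if ($Role -eq 'Proxy') {
    $entry = Get-HostsFileEntry $FederationServiceFqdn
    Write-Host ("hosts file entry for {0}: {1}" -f $FederationServiceFqdn, $(if ($entry) { $entry } else { '(none; relying on perimeter DNS)' }))
}

if ($resolved -contains $expected) {
    Write-Host "PASS: name resolves to the expected address $expected"
} else {
    Write-Host "FAIL: expected $expected. From the proxy this usually means the hosts entry or perimeter zone is missing; from the Internet it means the public zone points somewhere other than the proxy."
}

if ($Role -eq 'Proxy') {
    if (Test-Tcp443 $expected) { Write-Host "PASS: TCP 443 to $expected is reachable through the firewall" }
    else { Write-Host "FAIL: TCP 443 to $expected is blocked; check the firewall rules between the perimeter and corporate networks" }
}
```

Run it once on the proxy with -Role Proxy and once from a client outside the perimeter with -Role InternetClient; a proxy that resolves the FQDN to its own address (a common mistake when the perimeter zone is reused on the proxy without a hosts entry) will loop to itself instead of reaching the federation server, and this check reports that as a FAIL.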
To verify that a federation server proxy is operational in Windows 2003 R2
1. Log on to a client computer with Internet access.
2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the Clientlogon.aspx page that is stored on the federation server proxy.
At this point your browser should display the error message "Server Error in '/adfs' Application." This step is necessary to generate the appropriate event message to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).
3. Press ENTER.
4. Log on to the federation server proxy.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
6. In the details pane, double-click Application.
7. In the Event column, look for event ID 674.
Verify That a Federation Server Proxy Is Operational in Windows 2008
You can use the following procedure to verify that the federation server proxy can communicate with the Federation Service in ADFS 2.0. You run this procedure after you run the ADFS 2.0 Federation Server Proxy Configuration Wizard to configure the computer to run in the federation server proxy role. Membership in Administrators, or equivalent, on the local computer is the minimum required.
1. Log on to the federation server proxy as an administrator.
2. Click Start, point to Administrative Tools, and then click Event Viewer.
3. In the details pane, double-click Applications and Services Logs, double-click ADFS 2.0 Eventing, and then click Admin.
4. In the Event ID column, look for event ID 198.
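The two verification procedures above come down to finding one event ID in one log. The following PowerShell script is an added example, not part of the original article or of ADFS; it queries both logs for those events within a time window so the check can be scripted after each proxy build. It assumes PowerShell 3.0 or later with Get-WinEvent on the proxy, and it assumes that the "ADFS 2.0 Eventing > Admin" log shown in Event Viewer is registered under the log name 'AD FS 2.0/Admin' (adjust the name if Get-WinEvent -ListLog reports it differently on your system).

```powershell
# Added example (not from the original article): look for the verification events
# named in the two procedures above. Assumes PowerShell 3+ and Get-WinEvent on the proxy.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-ProxyVerificationEvents {
    # Returns matching events (newest first) or an empty array; Get-WinEvent throws when
    # nothing matches or the log does not exist, so both cases are reported and treated as "not found".
    param([string]$LogName, [int]$EventId)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId; StartTime = $since } -ErrorAction Stop
    } catch {
        Write-Warning ("{0} (log '{1}', event {2})" -f $_.Exception.Message, $LogName, $EventId)
        @()
    }
}

$checks = @(
    @{ Platform = 'Windows Server 2003 R2'; LogName = 'Application';    Id = 674 },
    # Assumed log name for the "ADFS 2.0 Eventing > Admin" channel shown in Event Viewer
    @{ Platform = 'Windows Server 2008';    LogName = 'AD FS 2.0/Admin'; Id = 198 }
)

foreach ($c in $checks) {
    $events = @(Get-ProxyVerificationEvents -LogName $c.LogName -EventId $c.Id)
    if ($events.Count -gt 0) {
        "PASS    {0}: event {1} seen {2} time(s) in the last {3} h, latest at {4}" -f $c.Platform, $c.Id, $events.Count, $Hours, $events[0].TimeCreated
        $events[0].Message
    } else {
        "MISSING {0}: no event {1} in log '{2}' in the last {3} h" -f $c.Platform, $c.Id, $c.LogName, $Hours
    }
}
```

Only one of the two checks is expected to pass on a given proxy, matching its platform; a MISSING result for the other is normal. On the 2003 R2 platform the Application log event is only generated after a browser request for Clientlogon.aspx has been made as described in the first procedure, so run that step before this script.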