I would like to go through the steps for installing and configuring an ADFS proxy server. ADFS proxies are placed on your perimeter network so that remote internal users can reach your ADFS farm from the Internet without exposing your ADFS server(s) to the outside. When an internal user accesses your network remotely, the ADFS proxy uses forms-based authentication to let the user enter their credentials. You will need at least one ADFS server installed before you can install a proxy. The proxy will also need an SSL certificate, and its subject name must match the Federation Service Name. Your federation proxy and your federation servers will resolve to the same Federation Service Name. Since one is internal and the other is external, you will need a split-brain DNS configuration (or some equivalent arrangement) so that users resolve to the ADFS proxies when they are outside your network and directly to the ADFS server farm when they are on your internal network. For example, when a client on the internal network accesses a claims-aware application that redirects the browser to adfs.pipe2text.com, they will go directly to the ADFS server farm using Windows Authentication. If a remote internal user (a user from your domain who is currently connecting from the Internet) accesses the same claims-aware application and is redirected to adfs.pipe2text.com, they will be sent to the ADFS proxy, which uses forms-based authentication. In other words, both your ADFS proxy (or proxy farm) and your ADFS server (or ADFS server farm) would resolve as adfs.pipe2text.com.
Installing the ADFS 2.0 as a Proxy Server
You will need to download the latest version of ADFS 2.0 from Microsoft’s website. As of the writing of this article I had to download the ADFS install along with ADFS 2.0 Rollup 1. Rollup 1 includes some important fixes and enhancements, so it is important that you install it as well, especially if you already have Rollup 1 installed on your ADFS servers. Be sure to download the correct version of the ADFS 2.0 install and rollup for your operating system: Windows Server 2008 (32- or 64-bit) or Windows Server 2008 R2. Do NOT install the ADFS role that is included in Windows, as it is not the current version of ADFS. After you have downloaded the necessary files you can begin the install, which is pretty much the same as installing the software for an ADFS server except that you choose the proxy role instead. After the software is installed, it will then need to be configured.
1. Run the executable that you downloaded from Microsoft’s website “ADFSSetup.exe”.
2. When the “Welcome to ADFS 2.0 Setup” screen appears, click “Next”.
3. Accept the EULA agreement and Click “Next”.
4. Choose the “Federation Proxy” role on the “Server Role” screen and Click “Next”.
5. On the “Install Prerequisite Software” screen Click “Next” to install the required prerequisites for ADFS 2.0.
6. Once the install is completed you will receive a completion screen for the ADFS 2.0 Setup Wizard. You can choose to start the “ADFS 2.0 Management Snap-in” when the wizard closes but I have deselected it as I want to move on to installing ADFS 2.0 Rollup 1. Deselect the “Start the ADFS 2.0 Federation Proxy Wizard when this wizard closes” and click “Finish”.
7. Run the installer for ADFS 2.0 Rollup 1 that you downloaded from Microsoft’s website and click “Yes” to install the update as shown below.
8. Click “Close” when the install is complete.
At this point you have installed the ADFS Software for the Proxy Role. The next steps will be to configure the server using the ADFS Proxy Server Configuration Wizard.
Configuring the ADFS 2.0 Proxy Server
For the configuration wizard to start, you will need an SSL certificate and you will need to bind it to the default website. If you do not do this, the configuration wizard will not run. Since I am setting this up in a lab I will be using a self-signed cert. In a production scenario you would not use a self-signed cert; you would need a certificate issued by a third-party CA such as Verisign that is trusted by all machines that access the service. As mentioned earlier, the subject name of the certificate must match the federation service name. It seems that when creating a self-signed cert in IIS 7.5, it will only let you create a cert that uses the server name itself as the subject. For this reason, I used SelfSSL, which is part of the IIS 6 Resource Kit, because it gives you the freedom to choose the subject name. To create a self-signed cert, download SelfSSL to the ADFS server and open a command prompt as administrator. Change to the directory that contains the SelfSSL executable and type the following command, replacing “adfs.pipe2text.com” with your own federation service name:
selfssl.exe /T /N:cn=adfs.pipe2text.com /V:365
Note: You may receive an error about being unable to open the metabase when running this command. You can safely ignore this error.
Using the /T switch makes sure the cert is placed in “Trusted Root Certificate Authorities” in addition to the “Personal” certificates on the local machine. Since I’m doing this in a lab and the self-signed cert is not issued by a trusted third-party CA like Verisign, it will need to be placed in “Trusted Root Certificate Authorities” on any machine that will be accessing the service using this certificate, or there will be certificate errors. The “/V:365” switch makes the cert valid for 365 days. You can increase this if you desire.
Now that you have your self-signed cert created, you will need to bind it to the default website in IIS following these steps:
1. Open the IIS Manager and right click the “Default Website” and select “Edit Bindings”.
2. Under “Type” choose “https” and under “SSL Certificate” choose the cert that was created using SelfSSL and click “OK”.
3. You will now see “https” and “443” in the list of site bindings. Click “Close”.
Configuring the Hosts file on the ADFS Proxy Server
Since your ADFS proxy server will be sitting in the DMZ and needs to resolve the same federation service name that is used for your ADFS server farm, you can use the local hosts file to have the ADFS proxy resolve the federation service name to the ADFS server farm. For example, you would open the hosts file located in “C:\Windows\System32\drivers\etc” and add an entry (in my case) for adfs.pipe2text.com with the IP address of the internal ADFS farm that has the federation service name adfs.pipe2text.com. As explained earlier, you would have adfs.pipe2text.com in external DNS resolving to a public IP address that points to the proxy server(s) on the Internet. On the internal network you would have DNS configured so that adfs.pipe2text.com resolves to your internal ADFS farm. In addition, the proxy server(s) will use their local hosts file to resolve the same name to the internal ADFS farm.
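The cert, binding and hosts-file steps above are the usual places a proxy build goes wrong, so here is a pre-flight check script added to this article (it is not part of the original post or of any Microsoft tooling). It assumes it runs as administrator on the proxy, that the IIS WebAdministration module is available (IIS 7.5 on Windows Server 2008 R2), and that the federation service name and internal farm IP placeholders are replaced with your own values.

```powershell
# Added pre-flight check for an ADFS 2.0 federation proxy (not from the original article).
# Assumptions: run as administrator on the proxy; WebAdministration module present;
# replace the two placeholder values below with your own.
param(
    [string]$FederationServiceName = 'adfs.pipe2text.com',  # placeholder: your federation service name
    [string]$InternalFarmIp        = '10.0.0.10'            # placeholder: IP/VIP of the internal ADFS farm
)
$problems = @()

# 1. A cert with a private key whose subject is exactly the federation service name must be in Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$FederationServiceName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    $problems += "No cert with subject CN=$FederationServiceName and a private key in LocalMachine\My"
} else {
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Cert $($cert.Thumbprint) expires $($cert.NotAfter); renew it before it lapses"
    }
    # A self-signed cert (issuer == subject) is only trusted if it also sits in Trusted Root.
    if ($cert.Issuer -eq $cert.Subject) {
        $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $inRoot) { $problems += "Self-signed cert is not in Trusted Root Certification Authorities" }
    }
}

# 2. The Default Web Site needs an https binding on 443 that uses that cert.
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' }
if (-not $binding) {
    $problems += "No https binding on port 443 for Default Web Site"
} elseif ($cert -and ($binding.certificateHash -ne $cert.Thumbprint)) {
    $problems += "The 443 binding uses cert $($binding.certificateHash), not $($cert.Thumbprint)"
}

# 3. The hosts file must map the federation service name to the internal farm, not to the proxy itself.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$ipInHosts = $null
foreach ($line in Get-Content $hostsPath) {
    if ($line -notmatch '^\s*#' -and
        $line -match "^\s*(\S+)\s+$([regex]::Escape($FederationServiceName))(\s|$)") { $ipInHosts = $matches[1] }
}
if (-not $ipInHosts)                   { $problems += "hosts file has no entry for $FederationServiceName" }
elseif ($ipInHosts -ne $InternalFarmIp) { $problems += "hosts maps $FederationServiceName to $ipInHosts, expected $InternalFarmIp" }

if ($problems.Count -eq 0) { Write-Host "All proxy pre-flight checks passed"; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it before starting the Federation Proxy Configuration Wizard; a non-zero exit code with the listed warnings tells you which of the three prerequisites to fix.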
Running the AD FS 2.0 Federation Proxy Server Proxy Configuration Wizard
1. Open the “AD FS 2.0 Federation Proxy Server Proxy Configuration Wizard” from the Start Menu.
2. Click “Next” on the “Welcome” screen.
3. On the “Specify Federation Service Name” screen, enter in the federation service name and click the “Test Connection” button. If all goes well you will see a successful connection as shown below. Click “OK” and then click “Next”.
Note: If you are using a self-signed cert in a lab scenario such as I am, you will receive a certificate error and the test will fail. In this case, you need to import the cert from the ADFS server into the “Trusted Root Certificate Authorities” store of the proxy server so that it is trusted. If you are using a cert from a third-party CA like Verisign, as you would in a production scenario, the cert will already be trusted and this won’t be necessary.
4. When you click “Next” on the “Specify Federation Service Name” screen you will be prompted for the ADFS service account name that you used when configuring your internal ADFS server farm, as shown below. Enter it and click “OK”.
5. On the “Ready To Apply Settings” screen click “Next”.
6. When everything is complete on the “Configuration Settings” screen, click “Close”.
Now your proxy server has been configured. You can repeat these steps for each additional proxy server you want to add. For multiple proxies, you would also need a load balancer to balance the traffic. When adding additional proxies, you would also need to export the cert (with private key) from the first proxy and import it for use on the other proxies. For more information on exporting and importing certs, see Adding an additional ADFS Server to your ADFS Farm when using SQL for the Configuration Database. It is possible to use the same SSL cert for your ADFS servers and your ADFS proxies, but depending on your security requirements and best practices you may want to use one cert across your proxies and another cert across your internal ADFS servers. You can go to the TechNet library and do some more reading about cert requirements for more information. As always, I recommend fully testing everything in a lab scenario before rolling it out to production. I hope this helps. If you have any questions or feedback please leave a comment.