Federation Server Proxies
Applies To: Active Directory Federation Services (AD FS) 2.0
You can use a federation server proxy to enhance the security and performance of your Active Directory Federation Services (AD FS) 2.0 deployment. When you install the AD FS 2.0 software on a computer and configure it for the federation server proxy role, that computer functions as a proxy server in a perimeter network (also known as a screened subnet) for a protected Federation Service on an internal network.
For more information about how to plan and deploy federation server proxies in your organization, see Planning Federation Server Proxy Placement (https://go.microsoft.com/fwlink/?LinkId=182439) in the AD FS 2.0 Design Guide.
Deploying a federation server proxy
To deploy a federation server proxy, you should have an existing Federation Service already installed on your corporate network. It should already be configured to have its endpoints enabled for use with a federation server proxy. After these steps are complete, you can configure a new federation server proxy using the AD FS 2.0 Federation Server Proxy Configuration Wizard or the Fsconfig.exe command-line tool.
For more information about how to deploy a new federation server proxy, see Checklist: Setting Up a Federation Server Proxy (https://go.microsoft.com/fwlink/?LinkId=182443) in the AD FS 2.0 Deployment Guide.
Requests that the federation server proxy accepts
The federation server proxy communicates with a back-end Federation Service to service the requests that it accepts. It accepts the following types of client requests:
WS-Trust RST
WS-MetadataExchange (MEX)
WS-Federation Passive
SAML Web SSO
WS-Federation Metadata
These services are exposed over Hypertext Transfer Protocol or Secure Hypertext Transfer Protocol (HTTP/HTTPS), and client connections terminate at the proxy. Back-end requests are submitted from the proxy to the protected AD FS 2.0 Federation Service over a new connection.
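To review which Federation Service endpoints are enabled for use with a federation server proxy, the following added PowerShell example (not part of the original page or of the AD FS 2.0 documentation) classifies endpoint objects by their Enabled and Proxy properties. The function names Get-ProxyExposure and New-SampleEndpoint and the sample rows are constructed for illustration; on a federation server the same function accepts the output of the Get-ADFSEndpoint cmdlet.

```powershell
# Added example: classify AD FS endpoints by whether they are published
# through the federation server proxy. Accepts any objects that expose the
# Enabled, Proxy, Protocol and AddressPath properties.
function Get-ProxyExposure {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object]$Endpoint
    )
    process {
        if ($Endpoint.Enabled -and $Endpoint.Proxy) {
            $state = 'Published through proxy'
        } elseif ($Endpoint.Enabled) {
            $state = 'Internal only'
        } elseif ($Endpoint.Proxy) {
            $state = 'Proxy flag set, endpoint disabled'
        } else {
            $state = 'Disabled'
        }
        New-Object PSObject -Property @{
            State       = $state
            Protocol    = $Endpoint.Protocol
            AddressPath = $Endpoint.AddressPath
        }
    }
}

# Hypothetical helper that builds one constructed sample row.
function New-SampleEndpoint($Protocol, $AddressPath, $Enabled, $Proxy) {
    New-Object PSObject -Property @{
        Protocol = $Protocol; AddressPath = $AddressPath
        Enabled  = $Enabled;  Proxy       = $Proxy
    }
}

# Constructed sample input, not taken from a real deployment.
$sample = @(
    New-SampleEndpoint 'SAML 2.0/WS-Federation' '/adfs/ls/' $true $true
    New-SampleEndpoint 'WS-MEX' '/adfs/services/trust/mex' $true $true
    New-SampleEndpoint 'WS-Trust 2005' '/adfs/services/trust/2005/windowstransport' $true $false
    New-SampleEndpoint 'WS-Trust 1.3' '/adfs/services/trust/13/usernamemixed' $false $true
)

$sample | Get-ProxyExposure | Sort-Object State, Protocol |
    Format-Table State, Protocol, AddressPath -AutoSize

# On a federation server, feed live data instead of $sample:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   Get-ADFSEndpoint | Get-ProxyExposure | Where-Object { $_.State -ne 'Disabled' }
```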