Muokkaa

Jaa


Checklist: Setting Up a Federation Server Proxy

This checklist includes the deployment tasks for preparing a server running Windows Server® 2012 for the federation server proxy role in Active Directory Federation Services (AD FS).

Note

Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.

Icon for the Setting Up a federation server proxy check list.Checklist: Setting Up a federation server proxy

Task Reference
Before you begin deploying your AD FS federation server proxies, review the AD FS deployment topology types and their associated server placement and network layout recommendations. Icon for the Determine Your AD FS Deployment Topology link you can use in reference to setting up a federation proxy server.Determine Your AD FS Deployment Topology

Icon for the Planning Federation Server Proxy Placement link you can use in reference to setting up a federation proxy server.Planning Federation Server Proxy Placement

Icon for the Where to Place a Federation Server Proxy link you can use in reference to setting up a federation proxy server.Where to Place a Federation Server Proxy

Review AD FS capacity planning guidance to determine the proper number of federation server proxies you should use in your production environment. Icon for the Planning for Federation Server Proxy Capacity link you can use in reference to setting up a federation proxy server.Planning for Federation Server Proxy Capacity
Determine whether a single federation server proxy or a federation server proxy farm is better for your deployment. Note: Federation servers also perform federation server proxy responsibilities. Icon for the When to Create a Federation Server Proxy link you can use in reference to setting up a federation proxy server.When to Create a Federation Server Proxy

Icon for the When to Create a Federation Server Proxy Farm link you can use in reference to setting up a federation proxy server.When to Create a Federation Server Proxy Farm

Determine whether this new federation server proxy will be created in the perimeter network of the account partner organization or the resource partner organization. Icon for the Review the Role of the Federation Server Proxy in the Account Partner link you can use in reference to setting up a federation proxy server.Review the Role of the Federation Server Proxy in the Account Partner

Icon for the Review the Role of the Federation Server Proxy in the Resource Partner link you can use in reference to setting up a federation proxy server.Review the Role of the Federation Server Proxy in the Resource Partner

Before you install AD FS on a computer that will become a federation server proxy, read about the importance of obtaining a server authentication certificate—for federation server proxy farms—adding or sharing certificates across all the servers in a farm. Icon for the Certificate Requirements for Federation Server Proxies link you can use in reference to setting up a federation proxy server.Certificate Requirements for Federation Server Proxies
Review information in the AD FS Design Guide about how to update Domain Name System (DNS) in the perimeter network so that successful name resolution for federation servers and federation server proxies can occur. Icon for the Name Resolution Requirements for Federation Server Proxies link you can use in reference to setting up a federation proxy server.Name Resolution Requirements for Federation Server Proxies
Determine whether the federation server proxy must be joined to a domain. Although federation server proxies do not have to be joined to a domain, they are easier to manage with remote administration and Group Policy features when they are joined to a domain. Icon for the Join a Computer to a Domain link you can use in reference to setting up a federation proxy server.Join a Computer to a Domain
Depending on how the DNS infrastructure in your perimeter network is configured, complete one of the procedures in the topics on the right before you deploy a federation server proxy in your organization. Note: Do not perform both procedures. Read Name Resolution Requirements for Federation Server Proxies to determine which procedure best suits the requirements of your organization. Icon for the Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Only the Perimeter Network link you can use in reference to setting up a federation proxy server.Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Only the Perimeter Network

Icon for the Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Both the Perimeter Network and Internet Clients link you can use in reference to setting up a federation proxy server.Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Both the Perimeter Network and Internet Clients

After you obtain a server authentication certificate, you must install it in Internet Information Services (IIS) on the default Web site of the federation server proxy. Icon for the Import a Server Authentication Certificate to the Default Web Site link you can use in reference to setting up a federation proxy server.Import a Server Authentication Certificate to the Default Web Site
(Optional) As an alternative to obtaining a server authentication certificate from a certification authority (CA), you can use IIS to acquire a sample certificate for your federation server proxy.

Because IIS generates a self-signed certificate that does not originate from a trusted source, use it to create a self-signed certificate only in the following scenarios:

- When you have to create a Secure Sockets Layer (SSL) channel between your server and a limited, known group of users
- When you have to troubleshoot third-party certificate problems Caution: It is not a security best practice to deploy a federation server proxy in a production environment using a self-signed, server authentication certificate.

Icon for the IIS: Create a Self-Signed Server Certificate link you can use in reference to setting up a federation proxy server.IIS: Create a Self-Signed Server Certificate
Install the Federation Service Proxy role service on the computer that will become the federation server proxy. Icon for the Install the Federation Service Proxy Role Service link you can use in reference to setting up a federation proxy server.Install the Federation Service Proxy Role Service
Configure the AD FS software on the computer to act in the federation server proxy role by using the AD FS Federation Server Proxy Configuration Wizard. Icon for the Configure a Computer for the Federation Server Proxy Role link you can use in reference to setting up a federation proxy server.Configure a Computer for the Federation Server Proxy Role
Using Event Viewer, verify that the federation server proxy service has started. setting up a federated proxy serverVerify That a Federation Server Proxy Is Operational