So, in short, I'm looking for a way to use the web application proxy servers while the DNS record the client sees for
the ADFS servers points at the internal farm servers. Currently this just throws an error on the ADFS side of things. Any thoughts?
Situation:
So let's say that I have ADFS 2.2 Web Application Proxy deployed in front of an Exchange 2010 host for OWA/ECP/etc. Deployment diagram is below, but basically you have two ADFS Farm servers, two ADFS Web Application Proxies, and two Exchange 2010 CAS hosts, all of them load balanced on ports 80/443. OWA is set to use WIA.
Let's say that we have the internal AD domain of contoso.corp and an external domain of contoso.com. So you create pinpoint DNS zones on the internal DNS hosts:
adfs.contoso.com -> 10.1.3.10 (ADFS Farm LB)
mail.contoso.com -> 10.1.4.10 (Exchange 2010 CAS LB)
With External DNS records of:
adfs.contoso.com -> 128.104.1.10 (ADFS WAP Farm External LB)
mail.contoso.com -> 128.104.1.10 (ADFS WAP Farm External LB)
Assuming everything is set up properly, internal users using IE will automatically log in to OWA and external users will get logged into OWA automatically. External users will get an ADFS FBA prompt, which will then use proxy WIA for them to log them into OWA. Not a bad solution, but if you have, for example, an internal user that uses Firefox or a Linux user, rather than the friendly ADFS FBA prompt they'll see an ugly HTTP 401 authentication prompt.
So, an elegant solution would be to send all internal webmail traffic through the web application proxies, e.g.:
the internal DNS hosts:
adfs.contoso.com -> 10.1.3.10 (ADFS Farm LB)
mail.contoso.com -> 10.1.2.10 (ADFS WAP Farm Internal LB)
With External DNS records of:
adfs.contoso.com -> 128.104.1.10 (ADFS WAP Farm External LB)
mail.contoso.com -> 128.104.1.10 (ADFS WAP Farm External LB)
That way internal users on IE will get automatically logged in via the ADFS farm servers using WIA, Firefox users will get logged in via ADFS FBA, everyone is happy. Only one problem: this doesn't seem to work.
Any thoughts on getting this method to work properly?
Diagram:
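The second DNS layout described in the question (internal mail.contoso.com pointed at the WAP internal LB, adfs.contoso.com at the ADFS farm LB), written out as an added PowerShell example; this is not the poster's diagram or configuration, and it is not a fix for the ADFS error. The names and addresses are the ones from the post; the AD-integrated replication scope, the 5-minute TTL and the `Test-SplitDns` check are assumptions chosen for illustration. The check is the part worth running first: a client that resolves either name to the wrong load balancer (stale cache, external resolver, zone not yet replicated) produces failures that look like ADFS problems.

```powershell
# Added example (not from the original post): the split-brain DNS layout the
# question describes, as Windows DNS Server cmdlets plus a client-side check.
# Addresses come from the post; replication scope, TTL and the check are assumptions.

# One pinpoint zone per FQDN, with the A record at the zone apex, so only these
# two names are overridden internally and the rest of contoso.com keeps
# resolving through the public authoritative servers.
$InternalRecords = @{
    'adfs.contoso.com' = '10.1.3.10'   # ADFS Farm LB
    'mail.contoso.com' = '10.1.2.10'   # ADFS WAP Farm Internal LB
}

function New-PinpointZone {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [Parameter(Mandatory)] [string] $IPv4Address
    )
    # Create the single-name zone only if it is not already present.
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Forest
    }
    # '@' places the A record on the zone apex, i.e. on the FQDN itself.
    Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' `
        -IPv4Address $IPv4Address -TimeToLive (New-TimeSpan -Minutes 5)
}

# Run on a DNS server (DnsServer module) to create both pinpoint zones.
foreach ($entry in $InternalRecords.GetEnumerator()) {
    New-PinpointZone -Fqdn $entry.Key -IPv4Address $entry.Value
}

# Client-side check: run on an internal workstation, then on the WAP hosts and
# an external client, to see which load balancer each name really resolves to.
function Test-SplitDns {
    param([Parameter(Mandatory)] [hashtable] $Expected)
    foreach ($name in $Expected.Keys) {
        $answer = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } |
                   Select-Object -First 1).IPAddress
        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $answer
            Match    = ($answer -eq $Expected[$name])
        }
    }
}

Test-SplitDns -Expected $InternalRecords | Format-Table -AutoSize
```

One caveat when running the check on the WAP servers themselves: if the published application's backend URL is also https://mail.contoso.com, those hosts must still resolve it to the Exchange CAS LB (10.1.4.10 in the post) rather than to the WAP internal LB, otherwise the proxy forwards requests back to itself. The WAP hosts therefore need their own resolver or hosts-file entry for the backend rather than the internal pinpoint zone.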