Planning the AD FS architecture
AD FS server farm
The number of AD FS servers in the farm, which in turn determines the availability of the
farm, is by far the most important design consideration because AD FS is the enabler for
authentication through AD. There are other factors that might affect AD FS availability, such
as network availability, that you will also need to take into consideration when designing
your AD FS deployment. After you deploy AD FS for Office 365, if your AD FS servers are
inaccessible, then access to Office 365 will not be possible. Therefore, it is important to
build redundancy at both the network and server layers.
At the very minimum, two AD FS servers in a single farm that is front ended with a load
balancer will provide the needed redundancy. If one server is down for maintenance or for
any other reason, authentication through the AD FS farm will still be possible and access to
Office 365 will not be interrupted.
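The following PowerShell script is an added example for this section; it is not code from the book or from Microsoft. It checks the two redundancy layers just described from an administrator's workstation: that each farm member accepts connections on TCP 443 (server layer), and that the farm name behind the load balancer serves federation metadata whose token-signing certificate is not about to expire (network layer, plus the most common cause of an outage with every server still up). The farm name sts.contoso.com and the node names adfs01/adfs02.contoso.local are hypothetical placeholders; the metadata path is the one AD FS 2.0 publishes by default.

```powershell
# Added example, not from the book: availability check for an AD FS 2.0 farm.
# Farm name and node names are assumed placeholders; replace with your own.
param(
    [string]$FarmFqdn    = 'sts.contoso.com',                                  # load-balanced farm name (assumed)
    [string[]]$FarmNodes = @('adfs01.contoso.local', 'adfs02.contoso.local'),  # farm members (assumed)
    [int]$CertWarnDays   = 30
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# --- Server layer: how many farm members currently accept HTTPS connections ---
$nodeStatus = foreach ($node in $FarmNodes) {
    New-Object PSObject -Property @{
        Node     = $node
        Https443 = (Test-TcpPort -ComputerName $node)
    }
}
$nodeStatus | Format-Table Node, Https443 -AutoSize
$reachable = @($nodeStatus | Where-Object { $_.Https443 }).Count
if ($reachable -lt 2) {
    Write-Warning "Only $reachable of $($FarmNodes.Count) farm nodes reachable: one more failure stops Office 365 sign-in."
}

# --- Network layer: the farm name behind the load balancer must answer --------
# AD FS 2.0 publishes its federation metadata at this well-known path.
$metadataUrl = "https://$FarmFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 10
} catch {
    Write-Error "Federation metadata not reachable through the load balancer: $($_.Exception.Message)"
    return
}

[xml]$metadata = $response.Content
$entityId = $metadata.EntityDescriptor.entityID
Write-Host "entityID: $entityId"
if ($entityId -notlike "*$FarmFqdn*") {
    Write-Warning "entityID does not reference $FarmFqdn; check the federation service name."
}

# Token-signing certificates are embedded in the metadata. An expired one breaks
# every sign-in even when all servers are up, so report their expiry dates too.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
foreach ($certNode in $metadata.SelectNodes($xpath, $ns)) {
    $bytes = [Convert]::FromBase64String($certNode.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ("signing cert: {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($daysLeft -lt $CertWarnDays) {
        Write-Warning "Token-signing certificate expires in $daysLeft days; plan the rollover before it interrupts SSO."
    }
}
```

Run it from a machine inside the corporate network so that the individual node names resolve; the metadata request goes through the load balancer exactly as a client would. The script never disables certificate validation, so a name mismatch on the farm certificate is reported as a failure rather than hidden, which is the behaviour you want from a health check.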
AD FS proxy
An AD FS proxy role is recommended if you plan to allow users to connect to Office
365 with SSO from outside the corporate network. Implementing an AD FS proxy is not
required in this scenario, but it is a security best practice. Figure 3-26 shows a typical AD FS
Figure 3-26 Typical AD FS and AD FS proxy implementation in an enterprise.
Implementing an AD FS proxy is beyond the scope of this topic because it is more of an
on-premises network and server infrastructure discussion than an Office 365 discussion.
Therefore, we do not cover the process of implementing an AD FS proxy or how to
implement redundancy through the deployment of server farms and failover clusters. However,
in the following sections we show you how to install AD FS 2.0 on a server and how to
establish the relationship with Office 365 to reap the benefits of SSO and extend enterprise
controls into Office 365.
