Category: azure security
CS ADNT on Mon, 08 Oct 2012 22:27:18
Having already configured an Azure Gateway and created a VM for a DC replicating with my on-premises DCs, I would like to have a fallback for the sole ADFS server (published by TMG 2010) that is used to synchronize my domain and Office 365.
The idea being: if the link connecting our small local domain to the internet is broken, we still want to be able to log in to Office 365 using a fallback ADFS in Azure.
We tried to use ACS but were unable to enter the parameters needed to accept requests from Office 365 (realm, URLs, etc.).
Could we create a secondary ADFS VM and tell it to replicate its DB from our local ADFS's DB? Could we simply open port 443 on this server to expose our STS folder (which one to use?)?
Any idea welcome.
Steve Syfuhs on Tue, 09 Oct 2012 01:04:47
ADFS has to talk directly to the DC for things like LDAP queries and Windows Auth.
You would need to configure ADFS to point to your DC hosted in Azure, and ADFS would have to be configured in a cluster. The main node would be on-premises and the other(s) would be in Azure VMs.
You could certainly limit the access to just the ADFS paths, /adfs/*, but you also would want to allow access to /FederationMetadata/*. You could lock it down to just port 443 too.
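The path restriction in the answer above (publish only /adfs/* and /FederationMetadata/* over 443) is usually expressed as a prefix allowlist in whatever reverse proxy sits in front of the ADFS node. The following is an added example, not code from the thread, from TMG or from ADFS: it models that allowlist as a small request filter and shows the canonicalisation a practitioner has to do before a prefix match is trustworthy (percent-decoding, dot segments, duplicate slashes, backslashes, case). The host `sts.example.com`, the `MAX_DECODE_ROUNDS` bound and the sample requests are constructed for the example; the only paths taken from the answer are `/adfs/` and `/FederationMetadata/`.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Published prefixes from the answer above, compared case-insensitively
# because IIS (which hosts ADFS) treats /ADFS/ and /adfs/ as the same path.
ALLOWED_PREFIXES = ("/adfs", "/federationmetadata")
ALLOWED_PORT = 443          # the only port the answer says to expose
MAX_DECODE_ROUNDS = 3       # assumption: bound on nested percent-encoding


def canonical_path(raw_path):
    """Return a lower-cased, dot-segment-free path, or None if the path
    cannot be canonicalised safely (hostile encodings, backslashes, NUL)."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        # still changing after the bound: treat as an evasion attempt
        return None
    if "\x00" in path or "\\" in path:
        return None
    # collapse leading slashes first: posixpath.normpath keeps "//x" as-is
    path = "/" + path.lstrip("/")
    # resolve "." and ".." segments and duplicate slashes
    return posixpath.normpath(path).lower()


def is_allowed(url):
    """Decide whether a request URL may be forwarded to the ADFS node.
    Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme must be https"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443
    if port != ALLOWED_PORT:
        return False, "port %d not published" % port
    path = canonical_path(parts.path)
    if path is None:
        return False, "path failed canonicalisation"
    for prefix in ALLOWED_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return True, "matches %s/*" % prefix
    return False, "path not published"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "https://sts.example.com/adfs/ls/?wa=wsignin1.0",
    "https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
    "https://sts.example.com/ADFS/services/trust/2005/usernamemixed",
    "http://sts.example.com/adfs/ls/",
    "https://sts.example.com:8443/adfs/ls/",
    "https://sts.example.com/adfs/../owa/",
    "https://sts.example.com/adfs/%2e%2e/owa",
    "https://sts.example.com/adfs/%252e%252e/owa",
    "https://sts.example.com/adfsx/",
    "https://sts.example.com//adfs/ls",
]


def evaluate(urls):
    """Run the filter over a list of URLs; returns [(url, allowed, reason)]."""
    return [(u,) + is_allowed(u) for u in urls]


if __name__ == "__main__":
    for url, allowed, reason in evaluate(SAMPLE_REQUESTS):
        print("%-5s %-70s %s" % ("ALLOW" if allowed else "DENY", url, reason))
```

The same logic is what a TMG publishing rule's path list does for you; the point of writing it out is to see which decisions (decode before match, collapse `..`, reject backslashes, compare lower-cased, pin the port) have to hold for "/adfs/*" to mean what the answer intends. A naive `url.startswith("/adfs/")` on the raw request passes the `../owa` and `%2e%2e` cases and exposes whatever else the IIS host serves.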