So far, we have looked at models that suit easy implementation and improved security. This model, however, is focused on high availability. Each role is configured as an NLB cluster, and the AD FS database is hosted in a SQL Server Always On cluster environment. This model is ideal for service providers (SPs) and other businesses that deal with a high volume of AD FS requests.
Similar to the previous model, this model's operations are clearly divided into two networks: perimeter and corporate. The firewall will have the following NAT and access rules to support the setup:
- Map an external IP address to myapp.rebeladmin.com so that users can make the initial request from external networks. It is recommended to use TCP 443.
- Map an external IP address to secure.rebeladmin.com, NAT it to the Web Application Proxy server group's NLB cluster IP, and open TCP 443 from the external network to allow access.
- Allow access from the Web Application Proxy servers to the AD FS farm NLB cluster IP on TCP port 443.
For both NLB clusters, the initial connection point will be the NLB cluster IP, and the external and internal DNS records should have an entry for it. Apart from the application's external URL, the only externally published URL will be the Web Application Proxy's URL. In the preceding example, secure.rebeladmin.com is mapped to the Web Application Proxy NLB cluster IP.
The AD FS servers use a Microsoft SQL Server Always On availability group to host the AD FS database. This is a read/write database for both hosts.
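The value of the rule set above is that the AD FS farm is never addressable from the Internet: external users terminate on the Web Application Proxy NLB VIP, and only the perimeter hosts may cross into the corporate network, on TCP 443 alone. The following script is an added example, not code from the book, that models that design and audits a candidate firewall policy against it. Addresses, network ranges, the internal farm name adfs.rebeladmin.com and the sample rule sets are constructed assumptions; the separate myapp.rebeladmin.com application rule is left out to keep the focus on the AD FS paths.

```python
"""Audit a perimeter firewall policy against the two-network AD FS design:
external clients reach only the Web Application Proxy NLB VIP on TCP 443, and
only the WAP servers reach the AD FS farm NLB VIP on TCP 443.
All addresses, names and rule sets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing (assumptions, not values from the book).
EXTERNAL_VIP = "203.0.113.10"   # public address the firewall NATs to the WAP cluster
WAP_NLB_VIP = "192.0.2.20"      # perimeter network: Web Application Proxy NLB cluster IP
ADFS_NLB_VIP = "10.10.0.30"     # corporate network: AD FS farm NLB cluster IP
PERIMETER_NET = "192.0.2.0/24"
CORPORATE_NET = "10.10.0.0/16"
ANY = "0.0.0.0/0"

# DNS as seen from each side: the public name resolves to the NATed address,
# the internal name to the farm VIP. secure.rebeladmin.com is the book's WAP
# name; adfs.rebeladmin.com for the farm is an assumption.
EXTERNAL_DNS = {"secure.rebeladmin.com": EXTERNAL_VIP}
INTERNAL_DNS = {"adfs.rebeladmin.com": ADFS_NLB_VIP}
# Destination NAT table on the firewall: public address -> perimeter VIP.
DNAT = {EXTERNAL_VIP: WAP_NLB_VIP}


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR, matched after NAT
    port: Optional[int]   # TCP port; None means any port
    action: str = "allow"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Return design violations; an empty list means the policy matches the design."""
    internet_client = "198.51.100.7"   # constructed external user
    wap_member = "192.0.2.21"          # constructed WAP cluster member
    checks = [
        # (requirement, source, destination name or IP, DNS view, port, expected action)
        ("external users reach the WAP cluster on 443",
         internet_client, "secure.rebeladmin.com", EXTERNAL_DNS, 443, "allow"),
        ("WAP servers reach the AD FS farm on 443",
         wap_member, "adfs.rebeladmin.com", INTERNAL_DNS, 443, "allow"),
        ("external users never reach the AD FS farm directly",
         internet_client, ADFS_NLB_VIP, {}, 443, "deny"),
        ("nothing but TCP 443 is published externally",
         internet_client, "secure.rebeladmin.com", EXTERNAL_DNS, 80, "deny"),
        ("WAP servers reach the farm on 443 only",
         wap_member, "adfs.rebeladmin.com", INTERNAL_DNS, 3389, "deny"),
    ]
    findings = []
    for desc, src, dst, dns, port, expected in checks:
        dst_ip = dns.get(dst, dst)          # resolve the name, or use the literal IP
        dst_ip = DNAT.get(dst_ip, dst_ip)   # apply destination NAT at the firewall
        got = evaluate(rules, src, dst_ip, port)
        if got != expected:
            findings.append(f"{desc}: expected {expected}, policy gives {got}")
    return findings


# Rule set that implements the design: two narrow allows plus the implicit deny.
DESIGN_RULES = [
    Rule(ANY, f"{WAP_NLB_VIP}/32", 443),             # external -> WAP NLB VIP, TCP 443
    Rule(PERIMETER_NET, f"{ADFS_NLB_VIP}/32", 443),  # WAP servers -> AD FS farm VIP, TCP 443
]

# A common shortcut: broad perimeter-to-corporate and Internet-to-corporate allows.
LOOSE_RULES = [
    Rule(ANY, f"{WAP_NLB_VIP}/32", 443),
    Rule(PERIMETER_NET, CORPORATE_NET, None),
    Rule(ANY, CORPORATE_NET, 443),
]

if __name__ == "__main__":
    for name, rules in (("design", DESIGN_RULES), ("loose", LOOSE_RULES)):
        problems = audit(rules)
        print(f"{name}: {'OK' if not problems else 'violations'}")
        for p in problems:
            print("  -", p)
```

Running the script reports the design rule set as clean and flags the loose one twice: external clients can reach the AD FS farm VIP directly, and the perimeter hosts can reach the farm on ports other than 443. Both are exactly the exposures the perimeter/corporate split is meant to rule out, which is why the check runs against the post-NAT destination rather than the public address.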
| Advantages | Disadvantages |
| --- | --- |
| High availability: Each component is hosted on multiple servers behind a load balancer, and the AD FS database also uses a SQL Server high availability environment. | High cost: It needs multiple servers and licenses (OS, SQL Server). It also increases the management cost. |
| High performance: Workloads are distributed between multiple hosts using load balancers. | Complex setup: The implementation is time consuming and needs advanced skills for planning and configuration. |
| Support for features such as SAML artifact resolution and SAML/WS-Federation token replay detection. | Troubleshooting an issue is time consuming and complex, as there are many system and application dependencies. |