How to install ADFS proxy server
In this blog we dive deep into the ADFS proxy server and learn how to install it on Windows Server 2016. We will learn what an ADFS proxy server is, why we need an AD FS proxy server, what the AD FS proxy server requirements are, and how to configure an ADFS proxy server.
Watch video
Watch this video to learn how to install AD FS proxy server on Windows Server 2016 step by step.
What is ADFS proxy server
When we install an ADFS server we do not expose it to the internet; the ADFS server always sits behind the firewall. The reason is that if we exposed the ADFS server to the Internet, anyone on an external network could reach it and use it as a path into the internal network, which is a big threat to the organization. This is why we always install the ADFS server within the internal network.
But what if an external user wants to access an application that is integrated with ADFS? Or let’s say a user from the same organization is trying to access an application from an external network. How will these requests be handled by the ADFS server? The answer is the AD FS Proxy Server.
Note: ADFS Proxy Server is also called Federation Proxy Server, Remote Access Role or Web Application Proxy Server.
The ADFS Proxy Server is always deployed on a perimeter network (DMZ). This network is not part of the network segment that the ADFS server is using.
How does ADFS proxy server work
The purpose of ADFS proxy server is to receive external requests, and forward those requests to the ADFS server.
The ADFS Proxy server doesn’t issue a token. Its function is just to listen for external requests and forward them to the ADFS Server. The ADFS Server then contacts Active Directory for the authentication and issues the token to the client.
If you go to the ADFS Management console and navigate to Endpoints, you will see a Proxy Enabled property for every endpoint.
If this value is set to Yes, the endpoint is published on the ADFS proxy server: an external request for that endpoint coming from a web browser is received by the ADFS Proxy Server and forwarded to the ADFS server. This is how the ADFS Proxy server works.
Important points about ADFS proxy server
- The AD FS proxy server reduces the security risk to the ADFS server: you do not have to expose your AD FS server to the Internet.
- AD FS proxy server doesn’t issue tokens.
- ADFS Proxy Server doesn’t authenticate the users.
- ADFS Proxy Server is always deployed on the perimeter network.
- The role of ADFS proxy server is to receive external requests and forward them to the ADFS server.
- It helps the AD FS server identify which requests come from the internal network and which come from the external network.
- By deploying ADFS Proxy server we can enable MFA for the external users.
ADFS proxy server installation requirements
- You can install AD FS proxy service on Windows Server 2012, 2012 R2, 2016, and 2019.
- Port 443 should be open between ADFS server and the machine on which you are going to install AD FS proxy service.
- You need an SSL Certificate to install AD FS proxy server. You can use the same SSL certificate that you are using on the ADFS server.
- ADFS Server should be reachable from the machine on which you are planning to deploy ADFS proxy service.
- You would require local administrator credentials.
How to install ADFS proxy server on Windows Server 2016
Step 1. Export ADFS server SSL certificate
First we will export the SSL certificate being used on the ADFS server, and we will use this certificate on the ADFS proxy server.
To export SSL certificate from ADFS server, go to ADFS Management console, expand Services and click Certificates.
Double click on Service Communication certificate.
On the certificate go to Details tab and click Copy to File.
On the Welcome page of Certificate Export Wizard, click Next.
On the Export Private Key page of the wizard, select Yes, export the private key and click Next.
On the Export File Format page, leave default settings selected and click Next.
On the Security page of Certificate Export Wizard, check Password and type a password in Password and Confirm password fields and click Next.
On the File to Export page of the wizard, click Browse and save the certificate to a location. This certificate will be saved with the .pfx extension.
Click Next and click Finish on the next page. Now you should see a prompt that says The export was successful. Click OK to close the wizard.
Step 2. Import SSL certificate on ADFS proxy server
In the 2nd step we will import the SSL certificate (exported from the ADFS server) on the server where we want to install the ADFS proxy server.
Copy the certificate exported from the ADFS server in step 1 and paste it to a location on the machine where we want to install the ADFS proxy server.
Important: The machine where we want to install the ADFS proxy server should not be a domain-joined machine.
Double click the certificate on ADFS proxy server. On the Welcome page of Certificate Import Wizard, select Local Machine and click Next.
On the File to Import page of the wizard, the SSL certificate should be selected automatically. If it is not selected already, click Browse, select the certificate and click Next.
On the Private key protection page of the wizard, type the password that we set while exporting the certificate in step 1 and click Next.
On the Certificate Store page of the wizard, select Automatically select the certificate store based on the type of certificate and click Next. Click Finish on the Completing the Certificate Import Wizard to close the wizard.
Step 3. Modify host file on ADFS proxy server
We need to make sure that the machine on which we want to install ADFS proxy services can reach the ADFS server.
If you try to ping the ADFS server FQDN (Fully Qualified Domain Name) from the machine where you want to install ADFS proxy services, you will get an error similar to the one below:
Since this machine is not joined to the Active Directory domain, it cannot resolve the names of domain-joined machines, so you will not be able to ping them by name.
To make the ADFS server reachable from the ADFS proxy server, we need to modify the hosts file. On the ADFS proxy server, go to C: drive > Windows > System32 > drivers > etc. Open the hosts file with Notepad and add a line with the IP address of the ADFS server followed by the Fully Qualified Domain Name of the ADFS server.
Save the hosts file.
Now if you try to ping the ADFS server FQDN, you will be able to reach the ADFS server from the ADFS proxy server.
Important: Make sure you ping the Fully Qualified Domain Name of the ADFS server from the proxy server. If you ping the IP address of the ADFS server, you will not be able to reach it.
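The same three preparation steps (export the certificate on the ADFS server, import it on the proxy, add the hosts entry and confirm the proxy can reach ADFS on port 443) in PowerShell, as an added example that is not part of the original post. The service name fs.contoso.com, the address 10.0.0.10 and the PFX path are placeholders; section A runs on the ADFS server, sections B and C on the future proxy server from an elevated prompt.

```powershell
# Added example (not from the original post). Placeholders: fs.contoso.com, 10.0.0.10, C:\Temp\adfs-ssl.pfx
$fqdn   = 'fs.contoso.com'
$adfsIp = '10.0.0.10'
$pfx    = 'C:\Temp\adfs-ssl.pfx'
$pfxPw  = Read-Host -Prompt 'PFX password' -AsSecureString

# --- A. On the ADFS server (step 1): export the Service Communications certificate with its private key
$thumb = (Get-AdfsCertificate -CertificateType Service-Communications | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw 'No Service Communications certificate found on this AD FS server' }
Get-Item "Cert:\LocalMachine\My\$thumb" | Export-PfxCertificate -FilePath $pfx -Password $pfxPw | Out-Null
# Copy $pfx to the proxy over an authenticated channel and delete this copy afterwards:
# the file holds the private key the proxy will use to terminate TLS for the federation service.

# --- B. On the proxy server (step 2): import into the Local Machine personal store
$cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPw
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; re-export it with the private key' }

# --- C. On the proxy server (step 3): hosts entry, then verify name resolution and TCP 443
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hostsFile -Pattern ('\s' + [regex]::Escape($fqdn) + '\s*$') -Quiet)) {
    Add-Content -Path $hostsFile -Value "`r`n$adfsIp`t$fqdn"   # same "IP<TAB>FQDN" line the post adds in Notepad
}
# Dns.GetHostAddresses honours the hosts file (Resolve-DnsName queries DNS directly and would ignore it)
$resolved = [System.Net.Dns]::GetHostAddresses($fqdn).IPAddressToString
if ($resolved -notcontains $adfsIp) { throw "$fqdn resolves to $($resolved -join ', '), expected $adfsIp" }
$tcp = Test-NetConnection -ComputerName $fqdn -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $fqdn ($($tcp.RemoteAddress)) is blocked; the proxy cannot reach AD FS" }
"OK: $fqdn -> $adfsIp, TCP 443 reachable"
```

Checking port 443 rather than only ping matters because ICMP can succeed while the firewall still blocks the HTTPS path the proxy actually uses.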
Step 4. Install Web Application Proxy role
In step 4 we will install the Web Application Proxy role on the server on which we want to run ADFS proxy services.
Open Server Manager and click Add roles and features. On Before you begin page of the wizard click Next. On Select installation type page, leave default settings and click Next. On the Select destination server page, click Next.
On the Select server roles page of the wizard, check Remote Access and click Next.
On the Select features page of the wizard, click Next. And on Remote Access page, click Next.
On the Select role services page, select Web Application Proxy, click Add Features and click Next.
On the Confirm installation selections page of the wizard, click Install.
Now the wizard will start installing Web Application Proxy role and you can see the installation progress as shown below.
Step 5. Configure ADFS proxy server
Once Web Application Proxy role is installed, click Open the Web Application Proxy Wizard as shown below:
On the Welcome page of Web Application Proxy Configuration Wizard, click Next.
On the Federation Server page of the wizard, type the Federation Service Name, type the User name and Password of a local administrator of the server, and click Next.
On the AD FS Proxy Certificate page of the wizard, click the drop down arrow and select the SSL certificate. Click Next.
On the Confirmation page of the wizard, click Configure.
Now the wizard will start configuring Web Application Proxy services on the server. Once this installation is completed, you will see a message Web Application Proxy was configured successfully. Click Close on the Results page to close the wizard.
So this is how we configure ADFS proxy server.
As soon as you close the Web Application Proxy Configuration Wizard, the Remote Access Management Console opens automatically; from there you can manage the ADFS proxy server.
In the above screenshot you can see an application configured within proxy server. This application is Office 365 Portal which is added as a Relying Party Trust within the ADFS server.
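Steps 4 and 5 in PowerShell, followed by a health check and a look at which endpoints are published through the proxy, as an added example that is not part of the original post. It assumes the certificate was imported as in step 2, that fs.contoso.com is a placeholder for the Federation Service name, and that the credential entered is an administrator on the AD FS server; the last section runs on the AD FS server itself.

```powershell
# Added example (not from the original post). Run on the proxy server from an elevated prompt.
# Placeholder: fs.contoso.com is the Federation Service name.
$fqdn = 'fs.contoso.com'

# Step 4: install the Web Application Proxy role service (part of the Remote Access role)
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools | Out-Null

# Pick the certificate imported in step 2: it must carry the private key and match the service name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.Subject -like "*CN=$fqdn*" -or $_.DnsNameList.Unicode -contains $fqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fqdn in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $($cert.Thumbprint) expires $($cert.NotAfter)" }

# Step 5: configure the proxy (same inputs the Web Application Proxy Configuration Wizard asks for).
# The credential is used once to establish the proxy trust with the federation server; it is not stored.
$trustCred = Get-Credential -Message 'Administrator account on the AD FS server'
Install-WebApplicationProxy -FederationServiceName $fqdn `
                            -CertificateThumbprint $cert.Thumbprint `
                            -FederationServiceTrustCredential $trustCred

# Verify: the proxy must know the AD FS URL and every component must report healthy
Get-WebApplicationProxyConfiguration | Format-List ADFSUrl, ConnectedServersName
$bad = Get-WebApplicationProxyHealth | Where-Object HealthState -ne 'OK'
if ($bad) { $bad | Format-Table ComponentName, HealthState; throw 'Web Application Proxy is not healthy' }

# On the AD FS server: list the endpoints actually published through the proxy (the "Proxy Enabled"
# property shown in the AD FS Management console) and keep that list to what external clients need.
Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy } |
    Select-Object AddressPath, Protocol, SecurityMode | Format-Table -AutoSize
# Unpublishing an endpoint from the proxy (takes effect after the adfssrv service restarts), e.g.:
# Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/windowstransport' -Proxy $false
```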
Conclusion
In this blog we learnt what an ADFS proxy server is, how it works, how to install it on Windows Server 2016, how to install the Web Application Proxy role, and how to configure the ADFS proxy server.
If you found this article helpful and informative, please share it within your community and do not forget to share your feedback in the comments section.
Join us on YouTube for videos on Cloud technology and join our Newsletter for early access to the blogs and updates.
ADFS related articles
We welcome you to browse our other articles on ADFS (Active Directory Federation Services):
What is ADFS
What is federation trust in ADFS
ADFS deployment types
How to install ADFS on Windows Server 2016
ADFS claims based architecture
Set up ADFS for Microsoft 365 for Single Sign-On
ADFS endpoints explained
What is ADFS relying party trust, ADFS Claim Rules
ADFS Authentication Flow
What is ADFS Federation Metadata
What is ADFS Claims Provider Trust
ADFS Certificates explained
Happy Learning!!