AD FS Proxy

The User Authentication > AD FS Proxy sub-menu is where you configure Microsoft AD FS (Active Directory Federation Services) settings for user authentication.

Microsoft AD FS (Active Directory Federation Services) makes it possible for local users and federated users to use claims-based single sign-on (SSO) to Websites and services. You can use AD FS to enable your organization to collaborate securely across Active Directory domains with other external organizations by using identity federation. This reduces the need for duplicate accounts, management of multiple log-ons, and other credential management issues that can occur when you establish cross-organizational trusts.

The AD FS Proxy is a service that brokers connections between external users and your internal AD FS server. It acts as a reverse proxy and typically resides in your organization’s perimeter network (DMZ). Users are not aware that they are talking to an AD FS proxy server, because the federation services are accessed through the same URLs.

FortiADC can act as an AD FS Proxy to simplify the deployment of AD FS. If all users and applications are internal, there is no need to use FortiADC as an AD FS Proxy. If the federation service must be exposed to the Internet, using FortiADC in place of the AD FS Proxy is helpful.

Attach AD FS to a Virtual Server

There are two methods to use the AD FS function for a virtual server.

Attach an AD FS Publish
  1. Edit a virtual server.
  2. Click General.
  3. Select a published service for AD FS Published Service.
  4. Save the configuration.

Use an AD FS script
  1. After attaching an AD FS Publish, go to Server Load Balance > Scripting.
  2. Find the script whose name has the format “ADFS_<virtual server name>_<AD FS Publish name>”, then clone it.
  3. Detach the AD FS Published Service from the virtual server.
  4. If the real server pool used by the virtual server is different from the AD FS Proxy on which the AD FS Published Service was published, add a content routing configuration for both pools.
  5. Attach the content routing created in the previous step to the virtual server.
  6. Add the script cloned in step 2 to the virtual server.
  7. Save the configuration.