Azure “DMZ” with Network Security Groups part 2 (AD FS installation)

In the earlier blog post, which can be found from HERE, we created the DMZ virtual network and the subnets we need. We also already allowed HTTPS (TCP 443) from the DMZ network (DMZ subnet) to the production network (Azure VMNet 01), so we are able to configure AD FS and WAP (Web Application Proxy). Next we will set up the AD FS part.

As described in the earlier blog post, our final setup should look like this:

First we need to create two VMs: one for AD FS and one for WAP.


The AD FS VM is connected to our production network in Azure,

and then the WAP installation:

The WAP VM is connected to the DMZ vnet / DMZ subnet. An HTTPS endpoint is also enabled on it.



Next we need to set up DNS. We created a primary DNS zone for AD FS called  and then pointed it to the internal IP address of our AD FS server (internal clients resolve the name straight to the internal AD FS server; external clients come in via WAP).


The Name field should be left empty, so that the A record sits at the apex of the zone, i.e. the zone name itself resolves to the AD FS server.



Then we needed to request a certificate for our AD FS.
We requested it from

Import the certificate to your AD FS server and then do the basic AD FS installation (I'm not going to go through all the installation steps, because they are pretty basic and a lot of guides can already be found on the internet).
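The AD FS side of the procedure above (internal DNS zone with the apex A record, certificate import, farm installation and a quick check), as an added PowerShell example that is not part of the original post. The federation service name sts.contoso.com, the AD FS internal IP 10.0.1.4, the PFX path and the service account are all hypothetical placeholders; the DNS part runs on an internal DNS server, the rest on the AD FS VM in an elevated PowerShell:

```powershell
# Added example, not from the original post. Hypothetical values:
#   sts.contoso.com  - federation service name
#   10.0.1.4         - internal IP of the AD FS VM in the production vnet
#   C:\certs\sts.pfx - the AD FS certificate exported with its private key
$fsName = 'sts.contoso.com'
$adfsIp = '10.0.1.4'

# 1. Internal DNS (run on a DNS server): a dedicated primary zone named exactly
#    like the federation service, with the A record at the zone apex ("@", which
#    is the empty Name field in the DNS console). Internal clients then resolve
#    the name straight to AD FS; the public zone points the same name at WAP.
Add-DnsServerPrimaryZone -Name $fsName -ReplicationScope 'Forest'
Add-DnsServerResourceRecordA -ZoneName $fsName -Name '@' -IPv4Address $adfsIp
Resolve-DnsName -Name $fsName -Type A        # from inside: must answer 10.0.1.4

# 2. Certificate (run on the AD FS VM): import into the machine store and make
#    sure it actually covers the federation service name before using it.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\certs\sts.pfx' `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
if ($cert.DnsNameList.Unicode -notcontains $fsName) {
    throw "Certificate $($cert.Thumbprint) does not cover $fsName"
}

# 3. AD FS role and the first farm node (WID-based farm, default for one node).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools
$svcCred = Get-Credential -Message 'AD FS service account (DOMAIN\svc_adfs, hypothetical)'
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'Contoso Login' `
                 -ServiceAccountCredential $svcCred

# 4. Sanity check: the federation metadata must be served over 443 on the new name.
Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing |
    Select-Object -ExpandProperty StatusCode     # 200 means DNS, certificate and AD FS all line up
```

The certificate check in step 2 is there because a mismatch between the certificate name and the federation service name is only reported later, when clients or WAP start failing TLS, so it is cheaper to fail early on the AD FS box.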



Our public domain name is bought from GoDaddy, so first we needed to point  to our WAP (its public IP). The configuration is a quick thing in the GoDaddy portal:

WAP configuration:
First we needed to add the AD FS details to the hosts file. The WAP server sits in the DMZ and does not use the internal DNS zone, so the hosts entry is what makes the federation service name resolve to the AD FS server's internal IP from WAP, rather than to WAP's own public address (which would make WAP proxy to itself).
After the hosts file modification we were able to test the connection:


Then we needed to import the AD FS certificate to the WAP server, like we did on the AD FS server.

Basic WAP installation:
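The WAP side (hosts entry, connectivity check over the NSG rule from part 1, certificate import and the proxy installation), as an added PowerShell example that is not part of the original post. sts.contoso.com, 10.0.1.4 and the PFX path are the same hypothetical placeholders as above; run this on the WAP VM in the DMZ subnet in an elevated PowerShell:

```powershell
# Added example, not from the original post. Hypothetical values:
#   sts.contoso.com  - federation service name
#   10.0.1.4         - internal IP of the AD FS VM (production vnet)
#   C:\certs\sts.pfx - the same certificate that was imported on AD FS
$fsName = 'sts.contoso.com'
$adfsIp = '10.0.1.4'
$hosts  = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. hosts entry: WAP must resolve the federation service name to the AD FS
#    server, never to its own public IP. Only append if no entry exists yet.
$entryPattern = "^\s*\S+\s+$([regex]::Escape($fsName))\s*$"
if (-not (Select-String -Path $hosts -Pattern $entryPattern -Quiet)) {
    Add-Content -Path $hosts -Value "$adfsIp`t$fsName" -Encoding ASCII
}
Clear-DnsClientCache

# 2. Verify the NSG rule from part 1 (DMZ subnet -> production, TCP 443) and
#    that the hosts entry is really the one being used.
$tcp = Test-NetConnection -ComputerName $fsName -Port 443
if ($tcp.RemoteAddress.IPAddressToString -ne $adfsIp) {
    throw "$fsName resolved to $($tcp.RemoteAddress) instead of $adfsIp; check the hosts file"
}
if (-not $tcp.TcpTestSucceeded) {
    throw "No TCP 443 path from the DMZ subnet to AD FS; check the NSG rule"
}

# 3. Same certificate as on the AD FS server, into the machine store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath 'C:\certs\sts.pfx' `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# 4. WAP role and the proxy trust with the AD FS farm. The credential must be
#    an account that is a local administrator on the AD FS server.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$trustCred = Get-Credential -Message 'Local admin on the AD FS server (DOMAIN\user, hypothetical)'
Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint

# 5. End-to-end check: run this last line from an external client, where the
#    public DNS record points $fsName at WAP's public IP, not from WAP itself
#    (WAP resolves the name to AD FS via the hosts file and would bypass itself).
# Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
```

Step 2 deliberately checks the resolved address before the port, because a successful TCP test against the wrong address (WAP's own public IP, or a stale public DNS answer) would otherwise look like a working DMZ-to-production path.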

That's it.

