Azure “DMZ” with Network Security Groups part 2 (AD FS installation)

In the earlier blog post, which can be found HERE, we created the DMZ virtual network and the subnets it needs. We also allowed HTTPS (443) from the DMZ network (DMZ Subnet) to the production network (Azure VMNet 01), so we are able to configure AD FS and WAP (Web Application Proxy). Next we will set up the AD FS part.

As described in the earlier blog post, our final setup should look like this:
nsg01

First we need to install two VMs: one for AD FS and one for WAP.
AD FS:

AzureADFS001

AD FS is connected to our production network on Azure
AzureADFS002

and then WAP installation:
AzureADFS003

WAP is connected to the DMZ vnet / DMZ subnet. An HTTPS (443) endpoint is also enabled on it.

AzureADFS004


Next we need to set up DNS. We created a primary DNS zone for AD FS called sts.virtual-station.com on the internal DNS and pointed it to the AD FS server's internal IP address: internal clients go straight to the internal AD FS server, while external clients come in via the WAP.

AzureADFS005

The Name field should be left empty, so that the A record is created for sts.virtual-station.com itself (the zone apex).

AzureADFS006

AzureADFS007

Then we needed to request a certificate for our AD FS.
We got it from https://www.gogetssl.com/
AzureADFS008

Import the certificate to your AD FS server and then do the basic AD FS installation (I'm not going to go through all the installation steps, because they are pretty basic and a lot of guides can already be found on the internet).
AzureADFS009

AzureADFS010
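The same steps (internal DNS zone and apex A record, certificate import, AD FS farm creation) done from PowerShell instead of the wizards. This is an added example, not code from the original post. The DNS part runs on the internal DNS server and the rest on the AD FS server; the internal IP 10.0.0.10, the PFX path, the display name and the gMSA account name VIRTUAL-STATION\gMSA-ADFS$ are assumptions, replace them with your own values.

```powershell
# Added example, not from the original post.
# Assumptions: AD FS private IP 10.0.0.10 on Azure VMNet 01, PFX at C:\certs\,
# gMSA 'gMSA-ADFS' already created (requires a KDS root key in the domain).

$fsName    = 'sts.virtual-station.com'
$adfsIntIP = '10.0.0.10'   # assumption: AD FS server's private IP

# --- 1. Internal DNS (run on the DNS server): zone + A record at the zone apex ---
Add-DnsServerPrimaryZone -Name $fsName -ReplicationScope 'Forest'
# '@' = zone apex, i.e. the record is for sts.virtual-station.com itself
# (this is the "leave the Name field empty" step from the post)
Add-DnsServerResourceRecordA -ZoneName $fsName -Name '@' -IPv4Address $adfsIntIP

# Check: an internal client must get the private IP, not the WAP's public address
$answer = (Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop).IPAddress
if ($answer -ne $adfsIntIP) { throw "$fsName resolves to $answer, expected $adfsIntIP" }

# --- 2. Import the public certificate (PFX with private key) on the AD FS server ---
$pfxPath = 'C:\certs\sts.virtual-station.com.pfx'   # assumption
$pfxPwd  = Read-Host -AsSecureString 'PFX password'
$cert    = Import-PfxCertificate -FilePath $pfxPath `
                                 -CertStoreLocation 'Cert:\LocalMachine\My' `
                                 -Password $pfxPwd

# The CN/SAN must cover the federation service name, otherwise clients reject the TLS handshake
if ($cert.DnsNameList.Unicode -notcontains $fsName) {
    throw "Certificate $($cert.Thumbprint) does not cover $fsName"
}

# --- 3. Install the AD FS role and create the farm ---
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Install-AdfsFarm -CertificateThumbprint          $cert.Thumbprint `
                 -FederationServiceName          $fsName `
                 -FederationServiceDisplayName   'Virtual Station STS' `
                 -GroupServiceAccountIdentifier  'VIRTUAL-STATION\gMSA-ADFS$'

# Post-install check: federation metadata must be served locally over HTTPS
$meta = Invoke-WebRequest -UseBasicParsing `
        -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
if ($meta.StatusCode -ne 200) { throw "Federation metadata returned $($meta.StatusCode)" }
```

Using a group managed service account (gMSA) instead of a regular service account is the better choice because nobody has to know or rotate its password. The DNS check at the end of step 1 is the one worth keeping: if internal clients ever resolve sts.virtual-station.com to the WAP's public IP, they would leave the production network and come back in through the DMZ.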


Our public domain name is bought from GoDaddy, so first we needed to point sts.virtual-station.com to our WAP's public IP. This is a quick change in the GoDaddy portal:
AzureADFS011

WAP configuration:
First we needed to add the AD FS server's details (its internal IP and the name sts.virtual-station.com) to the hosts file on the WAP server, so that the WAP resolves the federation service name to the internal AD FS server instead of to its own public address.
After the hosts file modification we were able to test the connection:
https://sts.virtual-station.com/adfs/ls/IdpInitiatedSignon.aspx

AzureADFS012

Then we needed to import the AD FS certificate to the WAP server, like we did for the AD FS server.

Basic WAP installation:
AzureADFS013 AzureADFS014 AzureADFS015 AzureADFS016
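The WAP side of the procedure (hosts file entry, connectivity test through the NSG rule, certificate import, WAP installation and trust with AD FS) as a PowerShell script run on the WAP server in the DMZ subnet. This is an added example and not code from the original post; the internal AD FS IP 10.0.0.10, the PFX path and the credential used for the trust are assumptions.

```powershell
# Added example, not from the original post. Run on the WAP server (DMZ subnet).
# Assumptions: AD FS private IP 10.0.0.10, PFX at C:\certs\,
# an account with local admin rights on the AD FS server for the trust.

$fsName    = 'sts.virtual-station.com'
$adfsIntIP = '10.0.0.10'   # assumption: AD FS server's private IP on Azure VMNet 01

# --- 1. hosts file: WAP must resolve the STS name to the internal AD FS server ---
# Public DNS (GoDaddy) points sts.virtual-station.com at the WAP itself; without
# this entry the WAP would try to proxy requests back to its own public IP.
$hosts   = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern = "^\s*$([regex]::Escape($adfsIntIP))\s+$([regex]::Escape($fsName))\s*$"
if (-not (Select-String -Path $hosts -Pattern $pattern -Quiet)) {
    Add-Content -Path $hosts -Value "$adfsIntIP`t$fsName"
}
Clear-DnsClientCache
$resolved = (Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop).IPAddress
if ($resolved -ne $adfsIntIP) { throw "hosts entry not effective: $fsName -> $resolved" }

# --- 2. Connectivity check: 443 from DMZ subnet to production must pass the NSG ---
if (-not (Test-NetConnection -ComputerName $adfsIntIP -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 to $adfsIntIP is blocked; check the NSG rule on the DMZ subnet"
}
$r = Invoke-WebRequest -UseBasicParsing -Uri "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
if ($r.StatusCode -ne 200) { throw "IdP-initiated sign-on page returned $($r.StatusCode)" }
# Caveat: on AD FS 2016 and later this page is disabled by default
# (Set-AdfsProperties -EnableIdpInitiatedSignonPage $true on the AD FS server enables it);
# if you prefer to leave it off, test FederationMetadata/2007-06/FederationMetadata.xml instead.

# --- 3. Import the same certificate and install the WAP role ---
$pfxPwd = Read-Host -AsSecureString 'PFX password'
$cert   = Import-PfxCertificate -FilePath 'C:\certs\sts.virtual-station.com.pfx' `
                                -CertStoreLocation 'Cert:\LocalMachine\My' `
                                -Password $pfxPwd

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The trust credential is only used once to register the proxy with AD FS; it is not stored on the WAP
$cred = Get-Credential -Message 'Account with local admin rights on the AD FS server'
Install-WebApplicationProxy -CertificateThumbprint            $cert.Thumbprint `
                            -FederationServiceName            $fsName `
                            -FederationServiceTrustCredential $cred

# Post-install check: the proxy should now report its federation service configuration
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ConnectedServersName
```

The hosts entry is the step most often forgotten and the one that makes the DMZ placement meaningful: the WAP is the only machine that needs 443 into the production network, and with the NSG from the first post that is the only path it has. Nothing else on the WAP (RDP, WinRM) should be reachable from the Internet; manage it over the internal side or through the Azure portal.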

That's it.
