Friday, 27 January 2012

Office 365 Publishing ADFS 2.0 using TMG / ISA

At first, we used a separate ADFS proxy for external requests to our ADFS server.
Since we already have a TMG in place, we wanted to get rid of the ADFS proxy and use TMG for external requests to ADFS instead.

We currently have an ADFS farm with two members, load balanced using Windows NLB.

The screens below describe the process of making a Web Publishing Rule in TMG for ADFS services and a Web Listener.

Give your web publishing rule a name according to your rule naming convention.
Click next.

Select "Allow" and click next.

Input your internal site name. We use split DNS, and our internal NLB cluster name is the same as our internal ADFS name, so the internal site name is the same as the external one.
Input your NLB cluster IP address in the IP address section, in case TMG cannot resolve the name.
Click next.

Input the path for ADFS, which is /adfs/*.
Select "Forward the original host header" and click next.

Input your public name details: the public name corresponds to your external ADFS name, and the path is the same as in your internal publishing details. Click next.

You probably don't have a web listener for ADFS yet, so click New to set up a new web listener.

In the new web listener wizard, give the web listener a name that corresponds to your web listener naming convention and click next.

Select do not require SSL and click next.

Select your external IP address for your ADFS site and click next.

Select the certificate used for ADFS (sts.domain.com) and click next.
If you haven't requested a certificate yet, refer to the certificate planning article on TechNet.

Because we want to use form-based authentication for external users, select HTML Form Authentication along with Windows (Active Directory) and click next.

Click next.

The web listener is now set up; next, finish the publishing rule wizard.

Select the ADFS listener you just created and click next.

For authentication, select NTLM authentication and click next.

Select all users in the user sets, because we want all users to be able to connect to the site.
Click next.

Now that the publishing rule wizard is also complete, click Finish to create the publishing rule.

Also verify that "Verify normalization" and "Block high bit characters" are disabled for this rule.
Right-click your rule and choose Configure HTTP to check these settings.
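To make clear what the two HTTP filter options above actually check, here is an added Python model (not the post's or TMG's own code) of "Verify normalization" and "Block high bit characters", run over a constructed Office 365 to ADFS sign-in URL whose wctx parameter is double-encoded. The hostname and parameter values are illustrative, and the path check uses the /adfs/* scope of the rule from this post.

```python
from urllib.parse import unquote, urlsplit

# Constructed example of the URL a browser is redirected to when Office 365
# hands sign-in off to the federated ADFS 2.0 endpoint. The wctx parameter
# carries a URL-encoded wreply inside an already URL-encoded query string,
# so the URL contains double-encoded characters such as %252F.
# Hostname and parameter values are illustrative, not taken from the post.
SIGNIN_URL = (
    "https://sts.domain.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=urn%3Afederation%3AMicrosoftOnline"
    "&wctx=wa%3Dwsignin1.0%26rpsnv%3D2%26wreply%3Dhttps%253A%252F%252F"
    "portal.microsoftonline.com%252Fdefault.aspx%26lc%3D1033"
)

def fails_normalization(url: str) -> bool:
    """Model of TMG's 'Verify normalization' option: the URL is percent-decoded
    twice and rejected if the second pass still changes it, which is how a
    double-encoded request is detected."""
    once = unquote(url)
    return unquote(once) != once

def has_high_bit_chars(url: str) -> bool:
    """Model of 'Block high bit characters': reject a URL that, as received or
    after one decoding pass, contains characters above 0x7F."""
    return any(ord(c) > 0x7F for c in url + unquote(url))

def matches_adfs_rule_path(url: str) -> bool:
    """Path scope of the publishing rule in the post: /adfs/*."""
    return urlsplit(url).path.startswith("/adfs/")

def http_filter_verdict(url: str, verify_normalization: bool, block_high_bit: bool) -> str:
    """Return 'allowed' or the name of the check that would block the request."""
    if not matches_adfs_rule_path(url):
        return "not matched by /adfs/* rule"
    if verify_normalization and fails_normalization(url):
        return "blocked: verify normalization"
    if block_high_bit and has_high_bit_chars(url):
        return "blocked: high bit characters"
    return "allowed"

if __name__ == "__main__":
    # With the HTTP filter defaults the sign-in redirect is rejected; with the
    # two options disabled for this rule it reaches ADFS.
    print(http_filter_verdict(SIGNIN_URL, True, True))    # blocked: verify normalization
    print(http_filter_verdict(SIGNIN_URL, False, False))  # allowed
```

Turning the checks off is a per-rule setting, so only requests that already fall under the /adfs/* rule lose this filtering.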

Also, open the properties of the publishing rule and go to the Link Translation tab.
Make sure "Apply link translation to this rule" is unchecked.
Otherwise you may receive the error "Your organization could not sign you in to this service" when signing in to webmail or the portal.
Don't forget to save your changes by applying the configuration.

Click finish and you're done!
Now, when you connect externally to your webmail (https://outlook.com/domain.com), you are redirected to the ADFS hostname configured in Office 365.
Below is the form shown by TMG.

In this form-based logon you can also enable password changes and password expiry notifications.
These features are not built into the ADFS proxy, but you can use them when publishing through TMG.
They are configured in the web listener properties, on the Forms tab.

Hope this helps!
