For organisations considering the move to Office 365, you will probably have
explored the requirement for Active Directory Federation Services (AD FS) to
provide Single Sign-On (SSO) to your domain users when they connect to Office 365
services. Without AD FS in place to federate your domain identities with Office
365, users would have to maintain a separate set of login details for the domain
and for Office 365.
If you have looked at AD FS and are planning to deploy it on Windows Server 2012
R2 behind hardware load balancers, I suggest you read and understand this post in
full. Active Directory Federation Services in Windows Server 2012 R2 is
currently at version 3.0. This differs even from Windows Server 2012, which
shipped with AD FS 2.1. You can of course use Windows Network Load Balancing to
load balance AD FS, but I am sure you will agree that for a component as
important as AD FS a dedicated appliance would be better. If you decide to deploy
AD FS, it is vital that the service is highly available: if for whatever reason
your AD FS infrastructure goes down, your federated users will not be able to
sign in to O365 services.
One of the improvements in AD FS 3.0 is built-in support for Server Name
Indication (SNI), an extension to the TLS handshake (defined in RFC 6066).
Although AD FS 3.0 supports SNI, not all networking equipment and end devices
do. SNI allows multiple SSL certificates to be bound to the same IP address and
port number, so that several distinct HTTPS services can be served from the
same address.
SNI works by having the client include the host name it wants to reach in the
ClientHello message at the very start of the TLS handshake. The server (or load
balancer) reads that name before it selects a certificate, so it can present the
right certificate for each host name and multiple HTTPS applications can reside
behind a single IP address. Note that the host name travels in clear text, so
anyone observing the connection can see which service is being contacted.
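As an added example (not part of the original post), the following PowerShell probe shows the mechanism described above from the client side and doubles as a check that a load balancer VIP honours SNI, which is the purchasing question discussed below: it connects once with the federation service name in the handshake and once without, and reports the certificate presented each time. The host name sts.contoso.com and the address 192.0.2.10 are assumptions; substitute your own federation service name and VIP.

```powershell
# Added example, not code from the original post or from Microsoft.
# Probes a TLS endpoint with and without SNI and reports which certificate
# it presents. Host name and VIP below are assumed values.

function Get-TlsCertificateForSni {
    param(
        [Parameter(Mandatory)][string]$IPAddress,  # VIP or server IP to connect to
        [string]$SniHostName,                      # name to send in the ClientHello; omit to send no SNI
        [int]$Port = 443
    )

    # Accept any certificate: we want to see what is presented, not validate it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors) $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($IPAddress, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)

        # Schannel only adds the server_name extension for a DNS name. Passing the
        # raw IP address as the target host produces a ClientHello with no SNI,
        # which is what a non-SNI client or load balancer health probe sends.
        $targetHost = if ($SniHostName) { $SniHostName } else { $IPAddress }
        $ssl.AuthenticateAsClient($targetHost)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            SniSent    = [bool]$SniHostName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Protocol   = $ssl.SslProtocol
            Error      = $null
        }
    }
    catch {
        # A server that has only host-name-keyed bindings (as AD FS 3.0 does by
        # default) has no certificate to offer when no SNI arrives, so the
        # handshake is refused rather than answered with a wrong certificate.
        [pscustomobject]@{
            SniSent    = [bool]$SniHostName
            Subject    = $null
            Thumbprint = $null
            NotAfter   = $null
            Protocol   = $null
            Error      = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
}

# Assumed values: replace with your federation service name and load balancer VIP.
$federationServiceName = 'sts.contoso.com'
$vip                   = '192.0.2.10'

# 1. What an SNI-capable browser sees through the load balancer.
Get-TlsCertificateForSni -IPAddress $vip -SniHostName $federationServiceName

# 2. What a non-SNI client or a health probe that sends no SNI sees.
Get-TlsCertificateForSni -IPAddress $vip
```

Run it from a client that can reach the VIP. If the first call returns the federation service certificate and the second returns a different certificate or an error, the path is SNI-dependent: any health probe or client that does not send SNI will never reach the AD FS certificate, so either the probe must send SNI or a non-SNI fallback binding must be configured on the AD FS servers. On an AD FS server itself, netsh http show sslcert lists the current HTTP.sys certificate bindings.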
Although AD FS 3.0 supports the SNI feature, not all hardware load balancers do.
It is important to consider this when making a purchasing decision for your
hardware load balancers. Bear in mind that AD FS 3.0 no longer runs on IIS: it
listens through HTTP.sys with certificate bindings keyed on the federation
service host name, so a load balancer health probe, or an SSL re-encryption
connection from the load balancer to the AD FS servers, that does not send SNI
will fail its handshake unless an additional non-SNI certificate binding on
0.0.0.0:443 is configured on each AD FS server.
At the time of writing, the following load balancers and web servers offer
support for SNI:
- Citrix NetScaler 9.2 or higher
- F5 Networks Local Traffic Manager (LTM), version 11.1 or higher
- KEMP load balancers (as of October 2014)
- Apache HTTP Server 2.2.12 or higher
- Apache Traffic Server 3.2.0 or higher
- Apache Tomcat on Java 7 or higher
- Microsoft Internet Information Services (IIS) 8.0 or higher
Web browsers also require support for SNI. Internet Explorer 7 and later support
it, but only on Windows Vista and later (Internet Explorer on Windows XP does not
send SNI, whatever the browser version), as do current versions of Google Chrome
and Mozilla Firefox.