Secure your AD Connect with IIS deployment
About this task
Before installing AD Connect with IIS, ensure the deployment platform, the Windows Server® Internet Information Server (IIS) host for AD Connect, is secure.
You will want to consider:
- Deploying the Windows Server IIS host to a secured network location, such as behind a firewall with NAT and a reverse proxy, or in a DMZ. This is critical if the IIS host is to be directly connected to the Internet.
- Assigning client browser trusted sites. You will need to add the IIS host as a trusted site in your users' browsers. This guide explains how to do this using Internet Explorer and Mozilla Firefox settings, or using Group Policy for Internet Explorer.
- Using load balancing and clustering. If you expect a large number of single sign-on (SSO) users, consider Microsoft Network Load Balancing (NLB) or another load-balancing and clustering solution for high availability.
Steps
- Follow these deployment requirements:
  - The Windows Server IIS host must reside in an Active Directory domain but, for security reasons, must not be a domain controller (DC).
  - Port 443 (HTTPS) must be the only open port. Verify that this is the case.
  - Time synchronization must be configured on the Windows Server IIS host.
  - The Windows Server IIS host should use a certificate issued by a trusted Certificate Authority (CA) rather than a self-signed certificate.
  - The Windows Server IIS host must not have a direct Internet connection unless it is deployed in a properly configured DMZ.
- Follow Microsoft's Security Best Practices for IIS 8, or the corresponding best practices for your version of IIS, to configure the Windows Server IIS host.
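The following script is an added example and is not part of the AD Connect documentation or product. It is a read-only pre-installation check of the deployment requirements above: domain member but not a DC, only port 443 allowed inbound, time synchronization configured, and a CA-issued (not self-signed) certificate on the HTTPS binding. It uses only built-in cmdlets (CIM, NetSecurity, w32tm, WebAdministration) and reports a Pass/Fail row per requirement; the firewall check intentionally flags only rules that accept traffic from any remote address, so management rules scoped to an admin subnet are not counted against the host.

```powershell
# Added example (not from the AD Connect documentation): read-only check of the
# deployment requirements for the prospective IIS host. Run in an elevated
# PowerShell session on that host. Nothing here changes configuration.

function Test-AdConnectHostPrereqs {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Requirement: Active Directory member, not a domain controller.
    # Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = backup/primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Result 'Domain-joined member server, not a DC' `
        ($cs.PartOfDomain -and $cs.DomainRole -eq 3) `
        "Domain=$($cs.Domain) DomainRole=$($cs.DomainRole)"

    # Requirement: 443 is the only open port. Enumerate enabled inbound allow
    # rules that accept traffic from any remote address and report every local
    # port other than 443 so it can be reviewed (or the rule removed).
    $extra = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any' -and $port.LocalPort -ne 'Any' -and $port.LocalPort -ne '443') {
            "$($rule.DisplayName) [$($port.Protocol) $($port.LocalPort -join ',')]"
        }
    }
    Add-Result 'Only TCP 443 allowed inbound from any address' `
        (@($extra).Count -eq 0) `
        ('Other inbound allow rules: ' + (@($extra) -join '; '))

    # Requirement: time synchronization. w32tm reports the current source;
    # "Local CMOS Clock" or "Free-running System Clock" means the host is not synced.
    $source = (w32tm /query /source 2>&1 | Out-String).Trim()
    Add-Result 'Time synchronization configured' `
        ($LASTEXITCODE -eq 0 -and $source -notmatch 'Local CMOS Clock|Free-running') `
        "Source: $source"

    # Requirement: HTTPS binding uses a CA-issued certificate, not a self-signed one.
    # Reported as a failure with a note if IIS (WebAdministration) is not installed yet.
    $checkName = 'HTTPS binding uses CA-issued certificate'
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $bindings = @(Get-WebBinding -Protocol https)
        if ($bindings.Count -eq 0) { Add-Result $checkName $false 'No HTTPS binding found' }
        foreach ($b in $bindings) {
            $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
            $cert = Get-Item $path -ErrorAction SilentlyContinue
            if (-not $cert) { Add-Result $checkName $false "Certificate $path not found"; continue }
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            # X509Certificate2.Verify() builds and validates the chain against the machine's trusted roots.
            Add-Result $checkName (-not $selfSigned -and $cert.Verify()) `
                "$($b.bindingInformation) Subject=$($cert.Subject) Issuer=$($cert.Issuer) Expires=$($cert.NotAfter)"
        }
    } else {
        Add-Result $checkName $false 'IIS WebAdministration module not installed yet'
    }

    return $results
}

Test-AdConnectHostPrereqs | Format-Table -AutoSize -Wrap
```

The direct-Internet requirement is a network-design property rather than a host setting, so it is not checked here; confirm it from the firewall and routing configuration instead.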
- Optional: If the IIS host is to be directly connected to the Internet, deploy the host in a DMZ. AD Connect needs the following ports open between the DMZ and your internal network (firewall). TCP and UDP are shown together below; depending on the firewall device, you may need to add the TCP and UDP rules separately.
  - TCP/UDP 389/636 or 3268 or 3269: the Lightweight Directory Access Protocol (LDAP) ports. Ensure that one of these ports is open for AD Connect with IIS. AD Connect with IIS uses LDAP to access the Active Directory DC (when in-network or Windows Authentication is used). These ports are also used for mobile authentication.
  - TCP/UDP 88: Kerberos. AD Connect with IIS uses this port for off-network access when executing a single sign-on (SSO) event outside the corporate network.
  - TCP/UDP 464: also used by Kerberos (to set or change the password), and needed to join the IIS (and AD Connect) host to the domain.
  The following ports are assumed to be open as well; they are generally needed by any server operating in a DMZ:
  - UDP 138: NetBIOS name resolution.
  - TCP/UDP 445: SAM/LSA.
  - UDP 123: NTP (W32Time).
  - TCP/UDP 135, 49152-65535: RPC Endpoint Mapper (and the dynamic RPC port range).
  - UDP 137: NetBIOS datagram.
  - TCP/UDP 53: DNS. Used to resolve host names to IP addresses, and needed to join the IIS (and AD Connect) host to the domain.
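The script below is an added example and is not part of the AD Connect documentation or product. It encodes the DMZ port list above as a table, creates one Windows Firewall outbound rule per port/protocol pair on the IIS host (so TCP and UDP are separate rules, as the step notes a firewall device may require) scoped to the internal subnet as a host-level allow-list behind the network firewall, and then probes the TCP ports against a domain controller to confirm the network firewall actually passes them. The internal subnet and DC name are placeholders, and 389 is assumed as the chosen LDAP port.

```powershell
# Added example (not from the AD Connect documentation). Placeholders below must
# be replaced with your environment's values.
$InternalSubnet   = '10.10.0.0/16'          # placeholder: internal network behind the DMZ firewall
$DomainController = 'dc01.corp.example'     # placeholder: an internal domain controller
$RulePrefix       = 'AD Connect DMZ'

# Port table from the deployment step. Protocols are listed per entry so that
# TCP and UDP become separate rules. 389 is assumed as the LDAP port; use
# 636 (LDAPS) or 3268/3269 (global catalog) instead if that is your choice.
$PortTable = @(
    @{ Port = '389';         Protocols = 'TCP','UDP'; Purpose = 'LDAP (or 636/3268/3269)' }
    @{ Port = '88';          Protocols = 'TCP','UDP'; Purpose = 'Kerberos' }
    @{ Port = '464';         Protocols = 'TCP','UDP'; Purpose = 'Kerberos password change / domain join' }
    @{ Port = '138';         Protocols = 'UDP';       Purpose = 'NetBIOS' }
    @{ Port = '445';         Protocols = 'TCP','UDP'; Purpose = 'SAM/LSA' }
    @{ Port = '123';         Protocols = 'UDP';       Purpose = 'NTP (W32Time)' }
    @{ Port = '135';         Protocols = 'TCP','UDP'; Purpose = 'RPC Endpoint Mapper' }
    @{ Port = '49152-65535'; Protocols = 'TCP','UDP'; Purpose = 'RPC dynamic port range' }
    @{ Port = '137';         Protocols = 'UDP';       Purpose = 'NetBIOS' }
    @{ Port = '53';          Protocols = 'TCP','UDP'; Purpose = 'DNS' }
)

function Set-AdConnectDmzRules {
    # Remove any earlier rules with our prefix so re-running the script is idempotent.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($entry in $PortTable) {
        foreach ($proto in $entry.Protocols) {
            # One rule per protocol, limited to the internal subnet only.
            New-NetFirewallRule -DisplayName "$RulePrefix $proto $($entry.Port) - $($entry.Purpose)" `
                -Direction Outbound -Action Allow -Profile Any `
                -Protocol $proto -RemotePort $entry.Port -RemoteAddress $InternalSubnet | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName "$RulePrefix*" | Select-Object DisplayName, Enabled, Direction, Action
}

function Test-AdConnectDmzPorts {
    # Test-NetConnection probes TCP only; UDP reachability (NTP, NetBIOS) has to be
    # confirmed from the firewall logs or a packet capture. The RPC range is skipped.
    foreach ($entry in $PortTable | Where-Object { 'TCP' -in $_.Protocols -and $_.Port -notmatch '-' }) {
        $r = Test-NetConnection -ComputerName $DomainController -Port ([int]$entry.Port) -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $entry.Port; Purpose = $entry.Purpose; TcpOpen = $r.TcpTestSucceeded }
    }
}

Set-AdConnectDmzRules | Format-Table -AutoSize
Test-AdConnectDmzPorts | Format-Table -AutoSize
```

Windows Firewall allows all outbound traffic by default, so these outbound rules only become an allow-list once the profile's default outbound action is set to Block (`Set-NetFirewallProfile -All -DefaultOutboundAction Block`); do that only after confirming the probe results, and keep the equivalent rules on the network firewall between the DMZ and the internal network, which this script does not configure.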
- Optional: Configure NLB clustering for AD Connect. See High Availability for AD Connect for instructions.
- Add the URLs for the Windows Server IIS hosts to the trusted sites list for your users. You can use either of these methods to add the URLs as trusted sites:
  - Group Policy settings (Internet Explorer only). See Add trusted sites using Group Policy for instructions.
  - Browser site security settings (Internet Explorer and Firefox). See Add trusted sites using Internet Explorer settings or Add trusted sites using Firefox settings for instructions.
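As an added example that is not part of the AD Connect documentation, the script below adds an IIS host URL to the Internet Explorer "Trusted sites" zone for the current user by writing the same ZoneMap registry entries that the browser's Security settings dialog writes (zone number 2 is Trusted sites), and reads the entry back so the result can be verified. The host name is a placeholder.

```powershell
# Added example (not from the AD Connect documentation). Per-user Internet
# Explorer zone assignments live under this key; the Trusted sites zone is 2.
$ZoneMapRoot      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedSitesZone = 2

function Get-ZoneMapKey([string]$HostName) {
    # IE stores "adconnect.example.com" as Domains\example.com\adconnect:
    # the registrable domain is the key, any remaining labels form a subkey.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $key = Join-Path $ZoneMapRoot (($labels[-2..-1]) -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key (($labels[0..($labels.Count - 3)]) -join '.') }
    return $key
}

function Get-TrustedSiteZone {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $key   = Get-ZoneMapKey $HostName
    $value = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host    = $HostName
        Scheme  = $Scheme
        Zone    = $value.$Scheme                      # $null when no assignment exists
        Trusted = ($value.$Scheme -eq $TrustedSitesZone)
    }
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $key = Get-ZoneMapKey $HostName
    New-Item -Path $key -Force | Out-Null
    # A DWORD named after the scheme holds the zone number; only https is
    # registered here because AD Connect is published on 443 only.
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $TrustedSitesZone -Force | Out-Null
    Get-TrustedSiteZone -HostName $HostName -Scheme $Scheme
}

# Placeholder host name for the AD Connect IIS host.
Add-TrustedSite -HostName 'adconnect.example.com' | Format-Table -AutoSize
```

This writes the current user's own zone map, which is what the Internet Explorer settings method above changes; the Group Policy method instead delivers the "Site to Zone Assignment List" policy, which lands under `HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey` as a string value named after the URL with data `2` and overrides per-user entries. Firefox has no zone model, so its settings are handled separately as the step indicates.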
- You can now install and configure your AD Connect identity bridge. See Installing AD Connect with IIS for instructions.