Firewall – ADFS 2.0 Proxy Server Vs. Opening ADFS Server to public


We are working on deploying ADFS for SSO with o365.

We have a consulting firm that handles our firewall configuration.

Today, while attempting to get them to set up a DMZ for me to install my ADFS proxy server, the consultant attempted to convince me to just have them open up port 443 directly to the ADFS server, and to not use a proxy at all. He told me that such a configuration was standard practice now.

Because of the nature of our business, we have very stringent security requirements, including that no internal servers be opened up to the outside.

The question I have is, was he just blowing smoke because he was lazy and didn't want to configure the DMZ, or does he have a legitimate point?

Best Answer

Oh hell no!

DO NOT PUT THE PRIMARY ADFS SERVER ON THE INTERNET!

There is a specific reason that the Proxy role was invented, and placing your primary ADFS box on the internet is not a smart idea. Primarily because the primary server by default is configured to only allow for Windows-based authentication, which means anyone can submit requests and attempt to brute force their way in. Worse, if they get a password they now have a valid username and password on your domain, the worst kind of pain.

The proxy, however, uses a web-forms based approach to reduce the threat by forcing users outside of your corporate firewall to log in via a web form. If they pass, it returns either a cookie or a redirect token that the trusted service (see O365) uses.

Either way, this directly violates the recommended setup by Microsoft and certainly would not pass security audit validation. Plus, since you are only exposing port 80 and 443 traffic to the proxy, it would not be real hard to simply port forward only those two ports over a specific IP to your proxy (or load-balanced proxies). Regardless, a DMZ is the smart move, especially if you have other public-facing services.