To use Active Directory Federation Services (AD FS) for authentication, you must configure a Forefront Unified Access Gateway (UAG) trunk to act as a proxy for the AD FS server, and to inspect traffic flowing from the end user client, via Forefront UAG, to the AD FS server. The trunk provides access to the Federation server. The trunk should be configured manually to work without authentication. Note that internal users should not make requests through the Forefront UAG server, but directly to the Federation server.

Forefront UAG also handles internal to external name translation, protecting the identity of the AD FS server. Forefront UAG has the same public host name as the Federation Service Proxy (FSP). You must make sure that on the Internet, the Forefront UAG public host name resolves to the IP address of this trunk that publishes the FSP. You must also make sure that on the internal network, the host name resolves to the FSP.

This topic describes how to configure an Active Directory Federation Services (AD FS) replacement trunk on Forefront UAG.


Before you can complete this procedure, you must import the server certificate from the AD FS server into the Personal certificates on the Forefront UAG server.

To configure an AD FS proxy replacement trunk

  1. In the Forefront UAG Management console, in the tree view, right-click HTTPS Connections, and then click New Trunk.

  2. On the Select Trunk Type page of the Create Trunk Wizard, click ADFS trunk, and then click Next.

  3. On the Select Application page, click Next.

  4. On the Setting the Trunk page, enter the trunk name and public host name for the trunk, and then click Next.

    Use the second static IP address configured on the external network adapter of the Forefront UAG server.The public host name must exactly match the name of the server certificate that you imported before performing this procedure.
  5. On the Authentication page, select the Active Directory server (adfs) that you created in the portal trunk configuration, and then click Next.

  6. On the Certificate page, in the Server certificate drop-down list, select the certificate that you imported before performing this procedure, and then click Next.

  7. On the Application Server page, in the Internal IP address box, type the IP address of the federation server.

  8. In the HTTP port drop-down list, click the listener port used by the federation server (the default is 443), and then select the Use SSL check box.

  9. In the Public host name box, enter the AD FS server public host name.

    This public host name must be identical to the trunk’s public host name.
  10. Complete the wizard, and then click Finish. The new trunk that you created appears in the tree view, and the Configuration section displays the trunk’s parameters.

  11. In the Configuration section, in the Trunk Configuration area, click Configure to open the Advanced Trunk Configuration dialog box.

  12. On the Authentication tab, clear the Require users to authenticate at session logon check box.

  13. On the Server Name Translation tab, make sure that a rule has been created that has the external name of the federation server defined in the Virtual Web Server field, the internal server name specified in the Application Server field, and port 443 specified in the Port field.

  14. Click OK to close the Advanced Trunk Configuration dialog box.

  15. In the toolbar of the console, click the Activate configuration icon. In the Activate Configuration dialog box, click Activate.