1
00:00:06,510 --> 00:00:15,060
Many organizations need to provide authentication for users and devices that are located on a network

2
00:00:15,060 --> 00:00:17,970
that is external to the organization.

3
00:00:18,630 --> 00:00:28,050
In most cases, allowing clients to access an AD FS server located on an internal network directly

4
00:00:28,050 --> 00:00:34,530
from the Internet is an acceptable security risk.

5
00:00:35,040 --> 00:00:43,200
It is recommended to use an AD FS proxy to allow clients on the Internet to access AD FS.

6
00:00:44,710 --> 00:00:52,940
An AD FS proxy is a reverse proxy that is in an AD FS-specific perimeter network.

7
00:00:53,420 --> 00:01:01,490
Clients from the Internet communicate with the AD FS proxy in the perimeter network instead of directly

8
00:01:01,790 --> 00:01:03,530
with the AD FS server.

9
00:01:04,540 --> 00:01:12,970
The AD FS proxy mitigates the risks associated with Internet connectivity for AD FS.

10
00:01:14,010 --> 00:01:24,180
Please note that the term AD FS proxy referenced here is a generic term for a server that provides

11
00:01:24,180 --> 00:01:33,690
indirect network connections to the federated servers, and it is not a direct reference to the AD FS

12
00:01:33,690 --> 00:01:37,860
proxy server in Windows Server 2012.

13
00:01:39,670 --> 00:01:42,700
Now, the authentication process.

14
00:01:43,570 --> 00:01:51,070
An internal AD FS server uses Windows authentication to prompt for authentication.

15
00:01:51,490 --> 00:02:00,130
This works well for internal computers that are joined to the domain and can automatically pass workstation

16
00:02:00,130 --> 00:02:05,050
credentials to AD FS to automate authentication.

17
00:02:05,920 --> 00:02:14,290
This prevents users from seeing a request for authentication credentials. When computers that are not

18
00:02:14,290 --> 00:02:17,140
joined to the domain communicate with

19
00:02:17,320 --> 00:02:23,350
AD FS, the web browser presents the user with the sign-in prompt.

20
00:02:24,160 --> 00:02:25,510
This sign-in prompt

21
00:02:26,570 --> 00:02:31,700
asks for a username and password, but provides no context.

22
00:02:32,860 --> 00:02:40,450
When you use an AD FS proxy, an authentication web page is provided for computers that are

23
00:02:40,450 --> 00:02:41,980
not joined to the domain.

24
00:02:42,970 --> 00:02:49,990
This provides better compatibility than browser-based Windows authentication for AD FS clients

25
00:02:50,290 --> 00:02:54,580
that use non-Microsoft operating systems.

26
00:02:55,360 --> 00:03:06,250
Also, you can customize the web page to provide more context for users by adding a company logo,

27
00:03:06,250 --> 00:03:07,120
for example.

28
00:03:08,710 --> 00:03:16,170
DNS resolution. To provide seamless movement between internal and external networks, the Web

29
00:03:16,180 --> 00:03:18,940
Application Proxy uses the same host

30
00:03:20,380 --> 00:03:27,670
name when accessing AD FS internally and externally. On the internal network,

31
00:03:28,150 --> 00:03:37,720
the AD FS host name resolves to the IP address of the internal AD FS server. On the external network,

32
00:03:37,990 --> 00:03:43,630
the AD FS host name resolves to the IP address of the AD FS proxy.

33
00:03:44,290 --> 00:03:53,290
In both cases, the AD FS host name is different from those of the computers that host the AD FS

34
00:03:53,290 --> 00:03:53,740
roles.

35
00:03:55,430 --> 00:03:57,470
And finally, certificates.

36
00:03:57,920 --> 00:04:05,630
The certificate used on an internal AD FS server has a subject name that is the same as the host

37
00:04:05,630 --> 00:04:07,130
name for AD FS.

38
00:04:07,580 --> 00:04:17,000
For example, if the first .88. com. Because the same host name is used to access AD FS internally

39
00:04:17,000 --> 00:04:25,640
and externally through the AD FS proxy, you need to configure the AD FS proxy with the same certificate

40
00:04:26,030 --> 00:04:27,740
as the AD FS server.

41
00:04:28,580 --> 00:04:36,230
If the certificate subject does not match the host name, AD FS authentication will fail.

42
00:04:37,220 --> 00:04:43,970
To help ensure that you have a certificate with the same subject name, export the certificate from

43
00:04:43,970 --> 00:04:51,170
the AD FS server and import it on the Web Application Proxy server.

44
00:04:52,230 --> 00:04:57,150
Remember to include the private key when you export the certificate.

45
00:04:57,900 --> 00:05:03,150
Next up, we'll be talking about Web Application Proxy authentication methods.