Publishing ADFS 3.0 and Exchange with IIS ARR using a single IP address.

I’m running Exchange 2013 CU16 hybrid with Office 365 and ADFS 3.0 published with ARR 3.0

I have one public IP address. Everything worked. Then it stopped. And I couldn’t remember how I got it all working in the first place. So more for me than anybody else, this is what I did to set it up again.

Exchange Hybrid is working correctly and ADFS 3.0 is up and running.

The challenge I had was sitting them behind one available public IP address.

I stood up a Server running Server 2012 in Hyper-V, as I wanted a server that wasn’t the ADFS, WAP or Exchange CAS server.

I downloaded and installed ARR v3.0 from here.

The ARR install also pulls in its prerequisites, such as IIS and URL Rewrite, so it's just Install, I Accept, Finish, Exit.

At this point everything I need is installed.

I read something a good while ago when upgrading SBS 2011 to Windows Server Essentials after Microsoft unbundled Exchange Server. The article was called:

Integrate an On-Premises Exchange Server with Windows Server Essentials

Scroll down or search for the section called “To install and configure Application Request Routing”, and look at bullet point 8, which says:

“If you are migrating from Windows Small Business Server, run the following command”

ARRConfig config -cert "path to the certificate file" -hostnames "host names for Exchange Server"

I have a public cert with all the SAN names I need for both services, including autodiscover and sts1, saved to c:\cert.pfx.

So, here’s where it gets clever. I run the following from a command prompt.

"C:\Program Files\Windows Server\Bin\arrconfig.exe" config -cert c:\cert.pfx -hostnames "" -targetserver CLADFS3

The “hostname” must be in the SAN list on the cert, which is stored together with its private key in c:\cert.pfx. The “targetserver” is a host name, not an FQDN.

This prompts for the PFX password; once I enter it, I get a web site set up in IIS with one URL Rewrite rule.

Notice that I’ve published ADFS here: the hostname is STS1 and the target server is the ADFS 3.0 server.

In IIS the new site is named Exchange Reverse Proxy Web Site, even though it points at the ADFS server. That’s because ARRConfig is designed to publish Exchange.

It also creates one URL Rewrite rule, called Reverse Proxy to Exchange.

Rename the Exchange Reverse Proxy Web Site to ADFS Reverse Proxy Website. This keeps the bindings and the certificate that were specified at the command line.

Don’t worry about the URL Rewrite rule, because any changes you make here will be overwritten in the next step.

Next, re-run ARRConfig, but this time publish Exchange.

"C:\Program Files\Windows Server\Bin\arrconfig.exe" config -cert c:\cert.pfx -hostnames "," -targetserver CONCEPT

This time I include the hostnames for the Exchange server and for the autodiscover URL. This sets up a new site in ARR with the bindings for Exchange.

At this stage, Exchange is published, and the bindings and site are in place for ADFS.

Exchange should be working, but ADFS needs a little work. I need to add one more URL Rewrite rule for ADFS.

Create a new inbound rule with the following settings.

Note that the Rewrite URL includes the public FQDN of the ADFS server, so this assumes your internal DNS resolves that name correctly.

Name: ADFS Reverse Proxy Website

Match URL
  Requested URL: Matches the Pattern
  Using: Regular Expressions
  Pattern: (.*)
  Ignore case: checked

Conditions
  Logical grouping: Match All
  Condition input: {CACHE_URL}
  Check if input string: Matches the Pattern
  Pattern: ^(https?)://
  Ignore case: checked

Server Variables: none

Action
  Action type: Rewrite
  Rewrite URL: {C:1}://{R:1}
  Append query string: checked
  Stop processing of subsequent rules: checked

You should now have two websites and two URL Rewrite rules, all sitting behind one IIS ARR server, which you can publish behind a single public IP address.

There is one final tweak to make this work: move the ADFS rule to the top of the rule list.
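For reference, this is what the ADFS rule from the settings above looks like once URL Rewrite writes it to the configuration, placed ahead of the ARRConfig-generated Exchange rule as the final tweak requires. This is an added illustration, not taken from the post or from ARRConfig's own output; ADFS-FQDN-PLACEHOLDER stands in for the public FQDN of the ADFS server, which the post does not spell out.

```xml
<!-- system.webServer/rewrite section of the ARR server's configuration (added example) -->
<rewrite>
  <rules>
    <!-- ADFS rule first, so it is evaluated before the Exchange rule below it -->
    <rule name="ADFS Reverse Proxy Website" stopProcessing="true">
      <!-- Match URL: regular expression (.*), ignore case; {R:1} is the captured path -->
      <match url="(.*)" ignoreCase="true" />
      <conditions logicalGrouping="MatchAll">
        <!-- {C:1} captures the scheme (http or https) of the original request -->
        <add input="{CACHE_URL}" pattern="^(https?)://" ignoreCase="true" />
      </conditions>
      <!-- Rewrite to the ADFS server's public FQDN; appendQueryString keeps the
           original query string (ADFS sign-in requests depend on it) -->
      <action type="Rewrite"
              url="{C:1}://ADFS-FQDN-PLACEHOLDER/{R:1}"
              appendQueryString="true" />
    </rule>
    <!-- the "Reverse Proxy to Exchange" rule written by ARRConfig follows here -->
  </rules>
</rewrite>
```

Rewriting to the public FQDN matters because ARR sends that host name on to the back end by default, and ADFS only answers for its federation service name, so the name must both resolve internally and match what ADFS expects.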
