
Druva Documentation

How to configure GeoFencing for Phoenix with ADFS?

This article applies to Phoenix.

Overview

You can prevent Phoenix administrators from accessing the Phoenix Management Console from outside your corporate network by using the following steps.

Configure GeoFencing with Phoenix

  1. Integrate Active Directory Federation Services with Phoenix as described in this link.
  2. On the existing ADFS Setup, go to ADFS Management Console > Trust Relationship > Relying Party Trusts > right-click Druva_Phoenix and select Edit Claim Rule.

    GeoFencing01.png
  3. Go to Issuance Authorization Rules and add a new rule. Select Permit or Deny Users Based on an Incoming Claim from the Claim Rule Template.

    GeoFencing02.png

    GeoFencing03.png
  4. Go to Authentication Policies, click Edit Global Primary Authentication, and select the authentication method as shown below.

    GeoFencing04.png
  5. Select a new server that has Windows Server 2012 R2 installed on it. The server should preferably be in the DMZ or perimeter network.
  6. Install the Web Application Proxy on this server:
    1. In the Add Roles and Features Wizard, select the Remote Access role and click Next.

      GeoFencing05.png
    2. Select Web Application Proxy on the Role Services window and click Next.

      GeoFencing06.png

      GeoFencing07.png
    3. Run Web Application Proxy Configuration Wizard.

      GeoFencing08.png
    4. In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server. For example, phoenixtest.druva.org.
    5. Enter the credentials of a local administrator account on the AD FS server in the User name and Password boxes.

      GeoFencing09.png
    6. Perform the following steps on the Federation Server dialog:
      1. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by the Web Application Proxy for AD FS proxy functionality and then click Next.
      2. Review the settings and click Finish.

Firewall configuration: Any traffic that comes from an external network and is intended for the AD FS server must be routed to the WAP server.
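
The steps above can also be scripted. The following PowerShell is an added example, not part of the original Druva article: it sets the issuance authorization rule on the Druva_Phoenix trust and installs the Web Application Proxy without the wizards. It assumes the incoming claim chosen in step 3 is "Inside Corporate Network" (the screenshots that showed the choice are not reproduced here); the function names and the backup file name are hypothetical.

```powershell
# Added example, not Druva's own script. Assumptions are marked ASSUMPTION.
# Part 1 runs on the AD FS server, Part 2 on the new WAP server.

# --- Part 1 (AD FS server): issuance authorization rule for Druva_Phoenix ---
function Set-PhoenixGeoFenceRule {
    param([string]$TrustName = 'Druva_Phoenix')   # trust name from step 2

    # ASSUMPTION: the incoming claim selected in step 3 is "Inside Corporate
    # Network". AD FS sets it to "true" for requests that reach the federation
    # server directly and "false" for requests relayed by a WAP.
    $rule = @'
@RuleName = "Permit only inside corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
    # Keep a copy of the current rules so the change can be rolled back.
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found." }
    $trust.IssuanceAuthorizationRules | Set-Content ".\$TrustName-authz-backup.txt"

    # This replaces the whole rule set, so no broader permit rule stays behind.
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $rule
    (Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules
}

# --- Part 2 (WAP server): steps 6.1 to 6.6 without the wizards ---
function Install-PhoenixWap {
    param(
        [string]$FederationServiceName = 'phoenixtest.druva.org',  # page's example FQDN
        [Parameter(Mandatory)][string]$CertificateThumbprint       # cert chosen in step 6.6.1
    )
    Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
    # Local administrator account on the AD FS server (step 6.5).
    $cred = Get-Credential -Message 'AD FS server local administrator'
    # Fail early if the chosen certificate is not in the machine store.
    if (-not (Test-Path "Cert:\LocalMachine\My\$CertificateThumbprint")) {
        throw "Certificate $CertificateThumbprint not found in LocalMachine\My."
    }
    Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
        -FederationServiceTrustCredential $cred -CertificateThumbprint $CertificateThumbprint
}
```

The rule only restricts access if the firewall sends all external traffic through the WAP server; an external request that reaches the AD FS server directly is treated as coming from inside the corporate network.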