Hi all,
During an ADFS farm extension that I'm doing for my customer, I followed all the TechNet documentation regarding the network prerequisites (flows and ports). Unfortunately, it was not enough!
Existing and target architecture
The existing architecture is a 2-member ADFS 3.0 farm, load balanced via a hardware load balancer. We also have 2 load-balanced WAP (Web Application Proxy) servers for proxying external connections.
The goal is to add 2 additional ADFS Federation servers and 2 WAP servers on the secondary datacenter. In our case, we are using Azure as the datacenter extension.
The two sites (on-premises and Azure) are connected via a VPN connection that will soon be upgraded to an ExpressRoute circuit for better performance and availability. Traffic between the two sites is filtered by an on-premises firewall and by Azure NSGs, so understanding the firewall requirements for ADFS server-to-server communication is mandatory in our case. This post does not discuss the ADFS extension itself, but an issue you may encounter during the server join step.
The Microsoft documentation shows that the only ports used for communication between two ADFS servers are the following:

| Source | Target | Protocol | Port |
|---|---|---|---|
| ADFS server | ADFS server | tcp | 443 |
| Internet | WAP server (or VIP) | tcp | 443, 49443 |
| WAP server | ADFS server (or VIP) | tcp | 443, 49443 |

Honestly, you will not find the answer anywhere.
Adding the server to the FARM
After getting this port authorized, I added the ADFS role and began adding the server to the existing farm.
Obviously I received the following error:
Unable to retrieve conflict information from the primary server
The specified dns name of the primary federation server could not be resolved. Verify that the DNS name is correct, and that the ADFS service is running on the primary federation server and try again.
I checked everything: ping tests, telnet tests, DNS tests... Still unable to add the server. Finally I decided to install Wireshark to see what the server is trying to do during the configuration phase.
Look at the result:
Yes, the server is trying to communicate with the ADFS primary server on port 80
I asked the network team to authorize traffic on this port, and it worked like a charm.
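Before asking the network team for a change, it helps to have a repeatable check that covers both the documented port and the undocumented one the join wizard uses. The script below is an added example, not part of the original post; it runs on the server you want to join, resolves the primary federation server by name (the error message above is about name resolution) and then tests TCP reachability on 443 and 80. The hostname is a placeholder to replace with your own primary server.

```powershell
# Added example (not from the original post): pre-join connectivity check.
# Run this on the ADFS server being joined. The hostname is a placeholder.
$PrimaryFederationServer = 'adfs-primary.corp.example'   # placeholder, replace with your primary ADFS server

# Ports the documentation lists (443) plus the one the join wizard actually uses (80).
$PortsToCheck = @(
    @{ Port = 443; Why = 'ADFS service / farm communication (documented)' },
    @{ Port = 80;  Why = 'Used by the join wizard to reach the primary server (not documented)' }
)

# Step 1: the join error complains about DNS, so resolve the name first.
Write-Host "Resolving $PrimaryFederationServer ..."
try {
    $records = Resolve-DnsName -Name $PrimaryFederationServer -Type A -ErrorAction Stop
    $records | ForEach-Object { Write-Host ("  {0} -> {1}" -f $_.Name, $_.IPAddress) }
} catch {
    Write-Warning "DNS resolution failed: $($_.Exception.Message)"
}

# Step 2: TCP reachability per port, from this server towards the primary (one direction).
foreach ($entry in $PortsToCheck) {
    $result = Test-NetConnection -ComputerName $PrimaryFederationServer -Port $entry.Port -WarningAction SilentlyContinue
    $status = if ($result.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    Write-Host ("  tcp/{0,-5} {1,-8} {2}" -f $entry.Port, $status, $entry.Why)
}
```

If tcp/80 shows as BLOCKED while tcp/443 is OPEN, you are in exactly the situation described in this post, and the capture in Wireshark will show the same thing.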
So add port 80 to the port requirements:

| Source | Target | Protocol | Port |
|---|---|---|---|
| ADFS server | ADFS server | tcp | 443, 80* |
| Internet | WAP server (or VIP) | tcp | 443, 49443 |
| WAP server | ADFS server (or VIP) | tcp | 443, 49443 |

* Try first to open the port from the 'server you want to join' to the 'ADFS primary server' (not in both directions). I think this port is used just for a connectivity test or to initiate the connection, and then the traffic is switched to 443.
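On the Azure side of this setup the filtering is done by an NSG, so the rule has to be added there as well as on the on-premises firewall. The following is an added example, not from the original post, showing how the single-direction rule from the footnote above (new node towards the primary server, tcp/443 and tcp/80 only) can be expressed with the Az.Network PowerShell module. Resource group, NSG name and both IP addresses are constructed placeholders.

```powershell
# Added example (not from the original post): Azure NSG outbound rule letting the new
# ADFS server in Azure reach the on-premises primary federation server on tcp/443 and tcp/80.
# All names and addresses below are placeholders. Requires the Az.Network module and Connect-AzAccount.
$ResourceGroup   = 'rg-adfs-placeholder'
$NsgName         = 'nsg-adfs-subnet-placeholder'
$NewAdfsServerIp = '10.1.0.10'      # constructed: private IP of the ADFS server being joined
$PrimaryAdfsIp   = '192.168.10.20'  # constructed: on-premises primary federation server

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# Scope the rule to one source, one destination and one direction, as the footnote suggests.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-ADFS-Join-To-Primary' `
    -Description 'ADFS farm join: new node -> primary on 443 and 80 (80 needed by the join wizard)' `
    -Direction Outbound `
    -Access Allow `
    -Protocol Tcp `
    -Priority 200 `
    -SourceAddressPrefix $NewAdfsServerIp `
    -SourcePortRange '*' `
    -DestinationAddressPrefix $PrimaryAdfsIp `
    -DestinationPortRange @('443', '80') | Out-Null

# Commit the change to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Print the resulting rule so it can be reviewed against the port table above.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-ADFS-Join-To-Primary' |
    Select-Object Name, Direction, Access, Protocol, SourceAddressPrefix, DestinationAddressPrefix, DestinationPortRange
```

The priority value only needs to sort ahead of any deny rule on the same NSG; the matching inbound rule on the on-premises firewall is still required, since the NSG only governs the Azure side.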