Hello,

I need help in deciding where the "Geneva" server will reside on the network. We have an intranet of about 1000 computers. AD server is in the intranet.
Our publicly accessibleweb servers reside in a DMZ. We planned"Geneva" to run by itself on a virtual server.

The question is, whether to placeit in the DMZ, and open port 389 for it to be able to access our AD, or,
place "Geneva" inside the intranet, in which case, not sure how a service provider will access it.

Is there a best practices document that outlines this layout?

Thanks in advance,
Sandy

Given the security requirements of a Geneva server, best practice would be to deploy the Geneva server internally along with the Geneva Proxy in your DMZ to receive client requests and forward them along securely. (Over SSL using a client auth certificate between the proxy and the internal server.

More on deploying the Geneva Proxy in the Geneva Design & Deployment guides, here: http://technet.microsoft.com/en-us/library/dd807036(WS.10).aspx

---

Laura E. Hunter - Directory Services MVP Identity Architect - Oxford Computer Group ILM2 & Identity Training, Upcoming Dates - http://www.oxfordcomputergroup.com/course-dates.aspx

Thanks Laura. We have the same setup in our environment. The Geneva server sitting in the intranet is reachable through the proxy in DMZ, which forwards requests inside, securely by a VeriSign SSL (not sure about client authentication-I have set "Accept" Client Authentication in IIS7).
The problem is, I can't establish trust! I'm using the Federation Utility CTP on the intranet Geneva server, and nothing happens when I click on Establish Trust. Any ideas?