Configuring FIM Client with Multiple Servers

In my previous post, I covered Server Partitions, which showed how to set up multiple servers in your topology.  Once you have your servers set up, you will need to ensure your clients are pointed to the appropriate servers.

Below is the topology that I discussed for reference.

[Image: topology diagram]

In this topology we want to configure end-user actions from the Client PC to use the following Service Partitions:

  1. FIMPassword.contoso.com – for all password reset & registration Requests
  2. FIMPortal.contoso.com – for all portal activities & Outlook integration Requests

Configuration

When installing the client you will want to do the following:

  1. Configure the Outlook plug-in to use the User Portal “FIMPortal” and to send mail to the mail account that is monitored by the FIMPortal service.

  2. Configure the Password Client to use the “FIMPassword” web service, which is the location where your password reset requests will be processed.

  3. Configure SiteLock for the ActiveX controls
    As part of the security for our ActiveX control, you need to specify the sites you want to SiteLock the control for.  This means the control can only be used by these sites.

    Note: In my topology above, the portal is not installed on FIMPassword, only on FIMPortal for end users, so I will use that for SiteLock.  An added implication is that password reset\registration from my client machines (i.e. Windows Login) will go through FIMPassword, but the user could also initiate a password registration\reset attempt via the portal using FIMPortal.
    If you are installing on a machine with IE7 installed, you will get a slightly different dialog. This will allow you to have the portal automatically added to Trusted Sites.

Note: This configuration only tells the client which web servers to use; it does not prevent an end user from accessing the portal or web services on different servers.  If you want to prevent Requests from end users to your administration instance, you will need to do additional configuration to only allow specific users or IP addresses to make Requests.