IP Connectivity

Ensure that the Access Manager (nam.example.com) and AD FS 2.0 (fsweb.contoso.com) systems have IP connectivity between them. If the Contoso.com domain controller runs on a separate computer, it does not require IP connectivity to the Access Manager system. If a firewall is set up on the Access Manager system, open the ports required for Identity Server to communicate with Administration Console.

For more information about these ports, see Setting Up Firewalls in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.

For HTTPS communication, Access Manager Identity Server uses TCP 8443 by default. Browsers must be able to reach this port when the HTTP POST binding is used. Alternatively, you can change this port to 443 by using iptables. See Translating Identity Server Configuration Port in the NetIQ Access Manager 5.0 Installation and Upgrade Guide.

For back-channel communication with cluster members, you need to open port 7801. This port is configurable. See Configuring a Cluster with Multiple Identity Servers.
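A preflight check for the ports named above, as an added example that is not part of the NetIQ documentation: it attempts a TCP connection to each listener and reports whether it connected, was refused, or timed out. The hostnames and ports 8443 and 7801 come from this page; the AD FS port 443 and the cluster peer name nam2.example.com are assumptions.

```python
"""Preflight for the connectivity prerequisites listed above (added example)."""
import socket

# Hostnames and ports 8443/7801 are the page's; the AD FS port 443 and the
# cluster peer hostname nam2.example.com are assumptions for illustration.
CHECKS = [
    ("Identity Server HTTPS (HTTP POST binding)", "nam.example.com", 8443),
    ("Identity Server cluster back channel", "nam2.example.com", 7801),
    ("AD FS 2.0 HTTPS", "fsweb.contoso.com", 443),
]


def tcp_reachable(host, port, timeout=3.0):
    """Return (ok, detail) for a TCP connect; never raises on network errors."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except socket.timeout:
        return False, "timed out (packets likely dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, nothing listening or port rejected)"
    except OSError as exc:
        return False, f"error: {exc}"


def run_checks(checks=CHECKS, timeout=3.0):
    """Run every check and return one result dict per listener."""
    results = []
    for label, host, port in checks:
        ok, detail = tcp_reachable(host, port, timeout)
        results.append({"label": label, "host": host, "port": port,
                        "ok": ok, "detail": detail})
    return results


def failures(results):
    """Return only the checks that did not connect."""
    return [r for r in results if not r["ok"]]


if __name__ == "__main__":
    res = run_checks()
    for r in res:
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {r['host']}:{r['port']}  {r['label']}: {r['detail']}")
    raise SystemExit(1 if failures(res) else 0)
```

Run it from the host that needs the access (an AD FS server or a browser workstation for 8443, another cluster member for 7801), because the result only describes the network path from where the check runs.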

All federation servers (AD FS and Access Manager) need access to a reliable Network Time Protocol (NTP) time source.