Microsoft Exchange Server and Office 365: Hybrid Deployment
SINGAPORE
Sanjeev Thakur, Sr. Premier Field Engineer, Microsoft Singapore
Ram Muthukaruppan, Sr. Consultant, Microsoft Singapore
Agenda
• Overview of Hybrid Deployment
• Planning Hybrid Deployment
• Mail Flow Architecture
• Calendar Sharing
• Secure Transport
• Deployment
• Migration
• What’s new in SP2
• Q&A
[Diagram: hybrid overview. Migration sources: Exchange, IMAP, Lotus Notes. Organization sizes: Large, Medium, Small. Identity options between On-Premises and On-Cloud: Single Sign-On, DirSync, Bulk Provisioning. Exchange sharing features span both sides.]
Overview of Hybrid Deployment
• Seamless interactions between on-premises and cloud mailboxes
• Calendars and free/busy information sharing between on-premises and cloud mailboxes
• Mailbox management can be done using the on-premises Exchange Management Console
• Users can log on to their email accounts with their existing credentials regardless of their mailbox’s location
• Migrations into and out of Exchange Online are transparent to the user
Limitations - Hybrid Deployment
• Coexistence of mailbox permissions: permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud
• Migration of Send As for non-mailbox recipients
• Multi-forest: only single-forest source environments are supported
• Public Folders
Hybrid Server Roles
2 Required Server Roles:
• Office 365 Active Directory Synchronization
• Exchange Server 2010 SP1 CAS/Hub*
1 Optional Server Role:
To use hybrid deployment, you must maintain at least one Federation technology
Identity Federation
• Provides SSO
• Requires AD FS 2.0
• Applies to all Office 365 services
Exchange Federation
• Exchange Federation Trust
• Organization relationships
• Applies only to Exchange Online services
Planning Hybrid Deployment
Domain Name Requirement
Primary SMTP Domain: contoso.com
• MX record points to on-premises
Service Domain: service.contoso.com
• MX record points to Office 365
• Used for mail routing between on-premises and Office 365
Delegation Domain: exchangedelegation.contoso.com
• Only used for setting up the Federation Trust
• DNS TXT records configured for proof-of-ownership purposes
Certificate Requirement
A public certificate is required to successfully set up both Identity Federation and Exchange Federation
A public certificate is required for the following services:
• AD FS endpoints (AD FS Proxy)
• Exchange Web Services
• Autodiscover
The Exchange Federation Trust can use a self-signed, public, or internal CA generated certificate
• The Exchange Management Console wizard creates a self-signed certificate if one does not exist
• This certificate is only used to sign and encrypt delegation tokens
• Exchange automatically distributes this certificate to other CAS servers
Single Namespace – Core Concepts
[Diagram: on-premises AD forest with a DC and an Exchange 2003 FE/BE server; MX for contoso.com = On Premises; an external recipient on the Internet sends email to an on-premises user.]
Shared Namespace – Core Concepts
[Diagram: on-premises AD forest with a DC and an Exchange 2003 FE/BE server, plus Exchange Online; MX for contoso.com = On Premises, MX for service.contoso.com = Exchange Online; an external recipient on the Internet sends email, which is routed to on-premises or to Exchange Online according to the namespace.]
Standard On-Premises Free/busy
[Diagram: on-premises user “Ben” queries free/busy for on-premises user “Brad”; the request is served by the on-premises Client Access Server and Mailbox Server.]
Federated Free/busy
[Diagram: free/busy request from on-premises user “Ben” to Exchange Online user “Joe”; the path runs from the on-premises Client Access Server via the Microsoft Federation Gateway to the Exchange Online Mailbox Server.]
Exchange Online Archive
[Diagram: archive request from on-premises user “Ben” to his Exchange Online archive; the path runs from the on-premises Client Access Server via the Microsoft Federation Gateway to the Exchange Online Mailbox Server.]
Secure Mail – TLS
[Diagram: mail between on-premises mailbox “Ben” (Mailbox Server, Hub Transport Server) and cloud mailbox “Joe” (Exchange Online) passes through Forefront Online Protection for Exchange over TLS.]
Domain Secure
[Diagram: same topology as the TLS slide; the on-premises Hub Transport Server and Forefront Online Protection for Exchange use Domain Secure (mutually authenticated TLS) for mail between “Ben” and cloud mailbox “Joe”.]
Secure Mail – Sending Internal Headers to the Cloud
[Diagram: XOORG data travels with the message from on-premises through Forefront Online Protection for Exchange to Exchange Online; labels: XOORG Data, Certificate Subject.]
Cross-premises emails are authenticated as “Internal”
Secure Mail – Sending Internal Headers to On-premises
[Diagram: XOORG data travels with the message from cloud mailbox “Joe” (Exchange Online) through Forefront Online Protection for Exchange to the on-premises Hub Transport Server and Mailbox Server (on-premises mailbox “Ben”).]
Emails from the cloud are seen as Internal by Transport
Centralized Mail flow Control
[Diagram: mail between Exchange Online and the Internet is routed through Forefront Online Protection for Exchange and the on-premises Hub Transport Server and Mailbox Server.]
Creating the Exchange Federation Trust
[Diagram: on-premises AD forest with an Exchange 2010 CAS/HUB server, the Microsoft Federation Gateway (MFG) with MSO ID, and Exchange Online.]
• Automatic implied trust between the Exchange Online tenant and MFG
• Create Exchange Federation Trust with the MFG using a “unique namespace”, e.g. “exchangedelegation.contoso.com”
• On-premises Org Relationship with “service.contoso.com”
• Exchange Online Org Relationship with “contoso.com”
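The manual, pre-SP2 commands behind the federation trust, the DNS proof records from the Domain Name Requirement slide and the on-premises organization relationship, as an added example that is not from the slides. It assumes the certificate thumbprint placeholder, the trust and relationship names, and a test user ben@contoso.com; the matching Exchange Online relationship with contoso.com is created from the tenant side and is not shown.

```powershell
# Added example, not from the slides. Run in the on-premises Exchange
# Management Shell on the Exchange 2010 SP1 CAS/HUB server.

# 1. Certificate that signs and encrypts delegation tokens (the EMC wizard
#    creates a self-signed one; the thumbprint below is a placeholder).
$FedThumbprint = "<thumbprint of the federation certificate>"

# 2. Federation trust with the Microsoft Federation Gateway.
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint $FedThumbprint

# 3. Proof of ownership: publish each returned value as a DNS TXT record for
#    that domain before the MFG will accept the domain.
Get-FederatedDomainProof -DomainName "exchangedelegation.contoso.com"
Get-FederatedDomainProof -DomainName "contoso.com"

# 4. The "unique namespace" becomes the organization identifier; the primary
#    SMTP domain is then added as a federated domain.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" `
    -AccountNamespace "exchangedelegation.contoso.com" -Enabled $true
Add-FederatedDomain -DomainName "contoso.com"

# 5. On-premises organization relationship with the coexistence domain.
#    AvailabilityOnly is the minimum free/busy level; LimitedDetails adds
#    subject and location. Mailbox move and archive access are enabled
#    because the migration and Exchange Online Archive slides depend on them.
Get-FederationInformation -DomainName "service.contoso.com" |
    New-OrganizationRelationship -Name "Exchange Online" `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailboxMoveEnabled $true -ArchiveAccessEnabled $true

# 6. Verify the trust and the relationship end to end before users rely on it.
Test-FederationTrust -UserIdentity "ben@contoso.com"
Test-OrganizationRelationship -Identity "Exchange Online" -UserIdentity "ben@contoso.com"
```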
Creating the Secure Mail Connectors
[Diagram: on-premises AD forest with an Exchange 2010 CAS/HUB server, FOPE, and Exchange Online.]
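The on-premises half of the secure mail path from the TLS, internal-headers and connector slides, as an added example that is not from the slides. It assumes hub transport server HUB01, on-premises FQDN mail.contoso.com, a placeholder for the FOPE smart host, and that mail.messaging.microsoft.com (the FOPE TLS certificate name documented for Exchange 2010 hybrid) is what your tenant’s Forefront connector presents.

```powershell
# Added example, not from the slides. Run in the on-premises Exchange
# Management Shell on the Exchange 2010 SP1/SP2 CAS/HUB server.

$FopeTlsName   = "mail.messaging.microsoft.com"   # assumed FOPE certificate name
$FopeSmartHost = "<FOPE outbound smart host>"     # placeholder from the tenant

# Outbound: only the coexistence namespace uses this connector, TLS is
# mandatory, and DomainValidation requires the smart host's certificate name
# to match TlsDomain, not merely to chain to a trusted CA.
New-SendConnector -Name "Outbound to Office 365" `
    -AddressSpaces "service.contoso.com" `
    -SmartHosts $FopeSmartHost `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain $FopeTlsName `
    -Fqdn "mail.contoso.com" `
    -SourceTransportServers HUB01
# Domain Secure (the Domain Secure slide) is the alternative: DomainSecureEnabled
# on the connector plus Set-TransportConfig -TLSSendDomainSecureList.

# Inbound: XOORG data (the "Internal" classification) is accepted only from a
# sender that authenticated with the FOPE certificate, so an arbitrary Internet
# sender cannot have its mail treated as internal by Transport.
Set-ReceiveConnector -Identity "HUB01\Default HUB01" `
    -Fqdn "mail.contoso.com" `
    -TlsDomainCapabilities "${FopeTlsName}:AcceptOorgProtocol"

# Checks: the settings took, and a probe message reaches a cloud mailbox.
Get-SendConnector "Outbound to Office 365" |
    Format-List RequireTLS, TlsAuthLevel, TlsDomain, AddressSpaces
Get-ReceiveConnector "HUB01\Default HUB01" | Format-List Fqdn, TlsDomainCapabilities
Test-Mailflow -TargetEmailAddress "joe@contoso.com"
```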
Hybrid Coexistence Migration
• It’s a true “online” move: the user stays connected to their mailbox through the move
– Client switchover happens automatically at the end
– Traditional “offline” move when moving from an Exchange 2003 source
• Outlook uses Autodiscover to detect the change and fixes up the user’s Outlook profile automatically on the client machine
• Since it’s a move (not a new mailbox + data copy), Outlook doesn’t see it as a new/different mailbox. End result: no OST resync
• Moves are queued and paced by the datacenter
• Object conversion for mail routing happens automatically after the data move
– The on-premises mailbox gets converted to a mail-enabled user automatically
– Admin can override this automation and stage the move-then-convert steps
Autodiscover
(1) Outlook client: Where is my mailbox?
(2) Local Exchange passes a redirect to “service.contoso.com”
(3) Outlook attempts to discover the endpoint through DNS record “autodiscover.service.contoso.com”
(4) Request authentication
(5) Authentication success
(6) Profile builds
Remote Mailbox: Primary SMTP Address = [email protected]; Remote Routing Address = [email protected]
Mailbox: Primary SMTP Address = [email protected]; Secondary SMTP Address = [email protected]
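A remote (onboarding) move for user Ben, issued from a remote PowerShell session to Exchange Online, followed by the on-premises check that the object was converted for mail routing as the migration and Autodiscover slides describe, as an added example that is not from the slides. It assumes the MRS Proxy endpoint mail.contoso.com, the ps.outlook.com endpoint of the 2011-era service, the account names, and that SuspendWhenReadyToComplete is how the admin stages the move-then-convert steps.

```powershell
# Added example, not from the slides.

# Remote PowerShell session to the tenant (run from a management workstation).
$TenantCred = Get-Credential "admin@contoso.onmicrosoft.com"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.outlook.com/powershell/" `
    -Credential $TenantCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Credential that the on-premises MRS Proxy accepts.
$OnPremCred = Get-Credential "CONTOSO\mrsadmin"

# -Remote = onboarding to the cloud. TargetDeliveryDomain is the coexistence
# namespace: the cloud mailbox gets ben@service.contoso.com as a secondary
# address and the on-premises object's RemoteRoutingAddress points at it.
# SuspendWhenReadyToComplete copies the data but waits for the admin before
# completion, conversion and client switchover (the override on the slide).
New-MoveRequest -Identity "ben@contoso.com" -Remote `
    -RemoteHostName "mail.contoso.com" -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain "service.contoso.com" `
    -SuspendWhenReadyToComplete -BadItemLimit 10

# Moves are queued and paced by the datacenter; watch, then complete.
Get-MoveRequestStatistics -Identity "ben@contoso.com" |
    Format-List Status, PercentComplete, TotalMailboxSize, BadItemsEncountered
Resume-MoveRequest -Identity "ben@contoso.com"

# Back in the on-premises Exchange Management Shell: the object must now be a
# RemoteUserMailbox whose RemoteRoutingAddress is in the coexistence domain.
# If it is still a UserMailbox, the on-premises MX keeps delivering Ben's mail
# to the old mailbox instead of routing it to Exchange Online.
Get-Recipient "ben@contoso.com" | Format-List RecipientTypeDetails
Get-RemoteMailbox "ben@contoso.com" |
    Format-List PrimarySmtpAddress, RemoteRoutingAddress, EmailAddresses
```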
What’s New in Exchange 2010 SP2?
• New Hybrid Configuration Wizard
– Exchange federation trust
– Organization relationships
– Remote domains/accepted domains
– Email address policies
– Send/Receive connector
– Forefront inbound/outbound connectors
– MRSProxy
– Pre-req checks (e.g. Office 365 Active Directory Sync, Exchange certificates, registered custom domains, etc.)
• New PowerShell cmdlets: New/Get/Set/Update-HybridConfiguration
• Namespace improvements: removing the requirement for a unique namespace
– Providing every customer a coexistence domain for every hybrid deployment: service.contoso.com is now contoso.mail.onmicrosoft.com
• Pre-SP2: approximately 50 manual steps. With SP2: now only 6 manual steps
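The SP2 cmdlets named on the slide, driven from the shell instead of the wizard, as an added example that is not from the slides. It assumes server names CAS01 and HUB01, the documentation IP 203.0.113.10 as the external address, a thumbprint placeholder, and the SP2 parameter set of Set-HybridConfiguration.

```powershell
# Added example, not from the slides. Run in the Exchange Management Shell on
# the Exchange 2010 SP2 CAS/HUB server.

# 1. Create the HybridConfiguration object (stored in Active Directory).
New-HybridConfiguration

# 2. Describe the desired state: accepted domain(s), the features to enable,
#    the CAS that publish EWS/Autodiscover and the HUB that exchange cross-
#    premises mail, the on-premises smart host and public IP, and the
#    certificate used for the secure mail connectors.
$SecureMailThumbprint = "<thumbprint of the public mail certificate>"   # placeholder
Set-HybridConfiguration -Domains "contoso.com" `
    -Features FreeBusy, MoveMailbox, Mailtips, MessageTracking, OnlineArchive, SecureMail `
    -ClientAccessServers CAS01 `
    -TransportServers HUB01 `
    -OnPremisesSmartHost "mail.contoso.com" `
    -ExternalIPAddresses 203.0.113.10 `
    -SecureMailCertificateThumbprint $SecureMailThumbprint
# Add Centralized to -Features for the Centralized Mail flow Control topology.

# 3. Apply: the engine compares the desired state with the on-premises and
#    tenant configuration and performs the steps the wizard lists (federation
#    trust, organization relationships, remote/accepted domains, address
#    policies, connectors, Forefront connectors, MRSProxy).
$OnPremCred = Get-Credential "CONTOSO\hybridadmin"
$TenantCred = Get-Credential "admin@contoso.onmicrosoft.com"
Update-HybridConfiguration -OnPremisesCredentials $OnPremCred -TenantCredentials $TenantCred

# 4. Review the resulting state and spot-check what the engine created.
Get-HybridConfiguration | Format-List Domains, Features, ClientAccessServers, TransportServers
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessLevel, MailboxMoveEnabled
Get-SendConnector | Where-Object { $_.RequireTLS } | Format-List Name, AddressSpaces, TlsDomain
```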