© SafeNet Confidential and Proprietary
Office 365 integration with UAG SP1 for OTP Authentication – INTERNAL ONLY
OTP Solution overview for O365 (architecture diagram)
Components: AD FS 2.0; UAG, which publishes the AD FS server and performs OTP authentication in front of it; Active Directory (Windows authentication); NPS; SAM (SafeNet Authentication Manager, the OTP back end reached through NPS); Office 365.
Test URL: https://www.outlook.com/owa/safenetdemos.com
Session Agenda
> What is Office 365
> Key Solution components
> Directory synchronization
> Federation
> UAG
> Exchange migration
> How to build up the Solution
> How to build a pilot
> Troubleshooting and Tools
> Demo
Office 365 Includes…
Office 365
• Flexible service offering with pay-as-you-go, per-user licensing
• The complete Office experience with services integration in Office 365
• Simplified user set-up to preconfigure services
• Always the latest version of the Office apps, including Office Web Apps
• Familiar Office user experience to access services
Exchange Online
• 25 GB mailbox
• Outlook and Outlook Web App
• Anti-virus/anti-spam
• Shared calendars, contacts & tasks
• Mobile email for most mobile devices including BlackBerry, iPhone, Nokia, Windows Phone
• Personal email archiving and compliance capabilities
SharePoint Online
• My Sites to manage and share documents
• Improved Team & Project Sites
• Document-level permissions to protect sensitive content
• Share documents securely with Extranet Sites
• Cross site collection search
Lync Online
• Instant messaging and presence
• PC-to-PC audio and video calling
• Click-to-communicate from Outlook, SharePoint, and other Office applications
• Online meetings with PC audio, video conferencing and screen sharing
• Single click meeting creation and join from Outlook
• Calendar integration with Outlook and Exchange
CONTROL AND EFFICIENCY
Single user interface to purchase, administer and use with role-based access control | Single sign-on with on-premises Active Directory | 99.9% financially backed SLA | 24x7 IT Pro support | Built-in geo-redundancy in regional datacenters
Microsoft Office 365 Value
Five pillars: BEST PRODUCTIVITY EXPERIENCE (Work together, smarter) | ACCESS ANYWHERE* (Solve problems from more places) | WORKS WITH WHAT YOU KNOW (Familiar tools) | ROBUST SECURITY AND RELIABILITY (99.9% uptime. Guaranteed.) | IT CONTROL AND EFFICIENCY (Keeps you in control)

BEST PRODUCTIVITY EXPERIENCE
Screenshot captions: Online meeting presentation with PC-to-PC audio and video; Desktop and application sharing and virtual whiteboard; Recording capability; Instant messaging; Co-authoring in Word; Presence; Status update; Activities; My Sites in SharePoint; Easily connect with others across organizations with calendar sharing and publishing in Outlook; Familiar Office experience; Create sites to share documents with colleagues and partners with SharePoint; Cross-browser support
• Simultaneously edit documents with your colleagues
• Conduct online meetings with colleagues, partners, and customers, including audio, video and screen sharing
• Manage and share important documents and personal insights with colleagues using My Sites
• Share your calendar with colleagues, partners, and customers
• Share documents, task lists, and schedules to keep workgroups in sync with Team Sites
* Access from mobile devices depends on carrier network quality and availability
** "Connect Securely" is not a guarantee of 100% connection security.
ACCESS ANYWHERE
• Rich client access online or offline via Office desktop applications on PCs and Macs
• View and edit documents with Office Web Apps across a broad range of browsers (Internet Explorer, Firefox, Safari)
• Access your inbox from a broad range of browsers with Outlook Web App
• Access mail, contacts, calendar, and SharePoint sites from hundreds of devices including Windows Phones, Nokia, Android, iPhone and BlackBerry
• Single inbox to manage email and voicemail with unified messaging
• Connect securely** over the Internet with HTTPS without the need for VPN
Screenshot captions: Web applications with cross-browser support; Outlook Web App; Seamless mobile access across many devices; Access to PowerPoint; Access to SharePoint; Office Hub in Windows Phone 7
WORKS WITH WHAT YOU KNOW
• Just works. Minimal user training required to get productive right away
• Hybrid deployment scenarios allow on-premises and online users to work together seamlessly
• Multiple plans provide a cost-effective way to provide familiar business productivity capabilities to everyone in your business
• Stay up to date with the latest productivity experience through a subscription service
Screenshot captions: Outlook Web App; Outlook
ENTERPRISE SECURITY AND RELIABILITY
• Premium anti-spam and antivirus protection provided by multiple virus scanning engines
• Data is replicated in geo-redundant datacenters to protect against datacenter-wide failures
• Multi-dimensional risk-mitigation approach to help safeguard services and the privacy of data
• Helps customers comply with ISO 27001, SAS 70 Type I, FERPA, HIPAA, FISMA, EU Safe Harbor Seal
• Backed by a 99.9% financially backed Service Level Agreement
Screenshot captions: 99.9% financially backed SLA; Geo-redundant datacenters
IT CONTROL AND EFFICIENCY
Microsoft® Office 365 delivers the power of cloud productivity to businesses of all sizes, helping to save time and money and free up valued resources.
• 24/7 IT professional support by phone or via electronic ticketing
• Service health portal and RSS feeds to provide up-to-date service availability information
• Simplified management with a single administration center with role-based access
• Remote PowerShell to allow scripting of routine tasks and access to raw data for reports
• IT-friendly service update policies that put you in control
Screenshot captions: Service health portal; Simplified management
World Class Data Centers
• $2.3B+ investment in cloud infrastructure
• Geo-redundant data centers
• Locations in North America, Europe, and Asia to provide optimal performance
• 99.9% guaranteed uptime (99.95% actual)
• Secure infrastructure: ISO 27001 and SAS 70 certified
• Built from the ground up to be environmentally sustainable
Security Program: a risk-based, multi-dimensional approach to help safeguard services and data
Security management layers (top to bottom on the slide):
• Security monitoring & response, threat & vulnerability management
• Access control & monitoring, file/data integrity
• Account management, training & awareness, screening
• Secure Development Lifecycle, access control & monitoring, anti-malware
• Access control & monitoring, anti-malware, patch & configuration management
• Dual-factor authentication, intrusion detection, vulnerability scanning
• Edge routers, firewalls, intrusion detection, vulnerability scanning
• Video surveillance, biometrics, physical access control
Microsoft Office 365 plans designed for organizations of all types: There's an Office 365 for Everyone
Office 365 for small business
• Small business
• Organizational use
• IT consultant or no IT
• Low monthly subscription price
• Focus on simplicity vs. features
• Community help
Office 365 for enterprise
• Any size organization
• Internal IT or IT partner required
• Fully featured, scripting, customization
• Range of offerings by use type
• 24x7 phone support
Office 365 for Education
• Any size educational organization (Higher Education or K-12)
• Internal IT or IT partner required
• Fully featured, scripting, customization
• 24x7 phone support
• Same 99.9% SLA guarantee as Office 365 for enterprises
• Education capabilities that are tailored specifically to meet the needs of educators and students
Office 365 Plans: Plans for All of Your Employees
K Family Plans (kiosk workers): Plan K1 $4/month, Plan K2 $10/month
Components: Exchange Online Kiosk; SharePoint Online Kiosk; Office Web Apps
E Family Plans (information workers): Plan E1 $10/month, Plan E2 $16/month, Plan E3 $24/month, Plan E4 $27/month
Components (the slide shows which plan includes which as a matrix): Email, calendar, AV/AS, Personal Archive; Collaboration Portal; Conferencing; IM and presence; Office Web Apps; Office Pro Plus; Forms, Access, Excel and Visio Services; Voicemail and Advanced Archive Capabilities; Voice
User Segments: Right Features for the Right Users (Key Differentiators)
Kiosk Worker, Plan K family: low-cost offering for users who do not have messaging and collaboration capabilities today
• 500 MB mailbox
• Outlook Web App only
• POP support
• Messaging, calendar, contacts
• Forefront antivirus and antispam
• SharePoint access (0 MB storage)
• Site search capabilities
• Office Web Apps
Information Worker, Plan E family: rich feature offering that meets users' full messaging and collaboration needs
• 25 GB mailbox
• 500 MB SharePoint storage
• Client connectivity
• Mobility
• OCS capabilities
• Exchange and SharePoint capabilities
• Office Professional Plus
• On-premises access rights
Office Professional Plus (O365) vs. Volume License
                                              | Office Professional Plus (Office 365)                                           | Office Volume License
Download location                             | Office 365 Portal                                                               | VL Software Center
Software                                      | Office Professional Plus                                                        | Office Standard 2010; Office Professional Plus 2010
Product key / activation                      | Subscription-based activation; term 30 days (monthly); no keys to manage, only users | Volume License technologies; MAK perpetual activation, KMS 180 days; manage KMS and/or MAK keys
When Reduced Functionality Mode (RFM) starts  | 60 days after the last activation; "hard" RFM                                   | MAK: N/A; KMS: within 180 days; "notification mode"
Deployment options                            | Office 365 Portal; unmanaged and managed options                                | Unmanaged and managed options; App-V; Terminal Services
Number of copies allowed                      | 5 active installs on different devices per user; no downgrade rights             | Single device per license/activation; downgrade rights
Key Solution components: Directory synchronization
Directory sync requirements
> Office 365 Enterprise subscribers
> AD permissions: member of Enterprise Admins
> Schema update for Exchange hybrid mode
> AD cleanup:
> Remove duplicate proxyAddresses and userPrincipalName values.
> Update blank and invalid userPrincipalName attributes with a valid userPrincipalName.
> Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, and userPrincipalName attributes.
What does Directory Sync do for you
> Enables you to manage your company's information in one central location for both the on-premises intranet and Office 365
> Seamless user experience across on-premises and Office 365 services (Exchange, Lync, SharePoint)
> Flavors of co-existence: identity co-existence (aka single sign-on, federated identity, federated authentication) and application co-existence
> Runs as an appliance: install and forget
> Proactively reports errors via email: "No news is good news"
Preparing for Directory sync
> Every User must have a UPN
> UPN suffix must match a validated domain in Office 365
> UPN Character restrictions
> Letters, numbers, dot or dash
> No dot before @ symbol
> Users may need to understand that they must use UPN to logon to Office 365 Apps
> Can be hidden from users with smart links from domain machines
AD Naming vs UPN Suffix
> There are a number of different structures for Active Directory naming:
Publicly routable
Sub-domain of a publicly routable domain
Private domain (e.g. contoso.local)
Single-level domain (e.g. contoso)
> You must use a publicly routable domain, or a sub-domain of one, for your UPN suffix:
Required for realm discovery
You must be able to prove ownership (via a public DNS record)
It does not need to be the same as your AD domain name
> The domain name must be shorter than 48 characters
UPN Validations
> All users should have a defined UPN. Where it is not set:
Enterprise single sign-on enabled: sAMAccountName@DomainName
Cloud-based identity: MailNickName@[company].onmicrosoft.com
> Restrictions on allowed characters in a cloud-based UPN:
Letters, numbers, dot, underscore or dash
No dot immediately before the @ symbol
Username must not be longer than 64 characters
> Non-validated domain
> Customer-ready tool to verify data in AD
How Directory Synchronization works: Attribute Validations (attribute and its most common issues)
userPrincipalName
• cannot have a dot '.' immediately preceding '@'
• cannot exceed 113 characters (64 for the username, 48 for the domain)
• cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
• cannot have duplicate UPNs
sAMAccountName
• cannot contain " \ / [ ] : | < > + = ; ? ,
• cannot end with a dot '.'
• cannot be more than 20 characters
• cannot be empty
proxyAddresses
• cannot contain SMTP addresses with domains that are not registered for the tenant
• cannot have duplicate proxy addresses
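A scripted version of the AD cleanup checks from the Directory sync requirements slide, the UPN Validations slide and this table, added here as an example; it is not part of the SafeNet deck or of Microsoft's DirSync tooling. It runs offline against a constructed set of user objects (every defect in the sample is deliberate), and the tenant domain list is an assumption. For the allowed characters in the UPN user part it follows the UPN Validations slide (letters, numbers, dot, underscore, dash). To run it against a real forest, replace $sampleUsers with Get-ADUser output carrying the same three properties.

```powershell
# Added example (not SafeNet or Microsoft code): pre-DirSync attribute validation.
# Live data: $sampleUsers = Get-ADUser -Filter * -Properties userPrincipalName,sAMAccountName,proxyAddresses
$tenantDomains = @('safenetdemos.com')   # assumption: domains validated in the Office 365 tenant

# Constructed sample data; every defect is deliberate.
$sampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe';    userPrincipalName = 'jdoe@safenetdemos.com';     proxyAddresses = @('SMTP:jdoe@safenetdemos.com') },
    [pscustomobject]@{ sAMAccountName = 'asmith.'; userPrincipalName = 'a.smith.@safenetdemos.com'; proxyAddresses = @('SMTP:asmith@safenetdemos.com', 'smtp:a.smith@contoso.local') },
    [pscustomobject]@{ sAMAccountName = 'bob';     userPrincipalName = '';                          proxyAddresses = @('SMTP:jdoe@safenetdemos.com') },
    [pscustomobject]@{ sAMAccountName = 'jdoe2';   userPrincipalName = 'JDoe@safenetdemos.com';     proxyAddresses = @() }
)

function Test-DirSyncAttributes {
    param([Parameter(Mandatory)] [object[]] $Users,
          [Parameter(Mandatory)] [string[]] $TenantDomains)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($u, $attr, $issue) {
        $findings.Add([pscustomobject]@{ sAMAccountName = $u.sAMAccountName; Attribute = $attr; Issue = $issue })
    }
    $samBad  = '["\\/\[\]:|<>+=;?,]'     # forbidden in sAMAccountName (Attribute Validations table)
    $upnUser = '^[A-Za-z0-9._-]+$'       # allowed UPN user part (UPN Validations slide)

    foreach ($u in $Users) {
        $sam = [string]$u.sAMAccountName
        if ($sam -eq '')             { Add-Finding $u 'sAMAccountName' 'empty' }
        if ($sam.Length -gt 20)      { Add-Finding $u 'sAMAccountName' 'longer than 20 characters' }
        if ($sam -match $samBad)     { Add-Finding $u 'sAMAccountName' 'contains a forbidden character' }
        if ($sam.EndsWith('.'))      { Add-Finding $u 'sAMAccountName' 'ends with a dot' }

        $upn = [string]$u.userPrincipalName
        $m = [regex]::Match($upn, '^([^@]+)@([^@]+)$')
        if (-not $m.Success) {
            Add-Finding $u 'userPrincipalName' 'blank or not in user@domain form'
        } else {
            $user = $m.Groups[1].Value; $domain = $m.Groups[2].Value
            if ($user.EndsWith('.'))                 { Add-Finding $u 'userPrincipalName' 'dot immediately before @' }
            if ($user -notmatch $upnUser)            { Add-Finding $u 'userPrincipalName' 'character outside letters, numbers, dot, underscore, dash' }
            if ($user.Length -gt 64)                 { Add-Finding $u 'userPrincipalName' 'user part longer than 64 characters' }
            if ($domain.Length -gt 48)               { Add-Finding $u 'userPrincipalName' 'domain part longer than 48 characters' }
            if ($TenantDomains -notcontains $domain) { Add-Finding $u 'userPrincipalName' "suffix $domain is not a validated tenant domain" }
        }

        # SMTP proxy addresses must use a domain registered for the tenant (prefix is case-insensitive)
        foreach ($addr in @($u.proxyAddresses)) {
            $pm = [regex]::Match($addr, '^smtp:[^@]+@(.+)$', 'IgnoreCase')
            if ($pm.Success -and $TenantDomains -notcontains $pm.Groups[1].Value) {
                Add-Finding $u 'proxyAddresses' "$addr uses a domain not registered for the tenant"
            }
        }
    }

    # Duplicates are checked across the whole set, case-insensitively
    $Users | Where-Object { $_.userPrincipalName } |
        Group-Object { $_.userPrincipalName.ToLower() } | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            foreach ($dup in $_.Group) { Add-Finding $dup 'userPrincipalName' "duplicate UPN $($_.Name)" } }
    $Users | ForEach-Object { $owner = $_; foreach ($a in @($owner.proxyAddresses)) { [pscustomobject]@{ User = $owner; Addr = $a.ToLower() } } } |
        Group-Object Addr | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            foreach ($e in $_.Group) { Add-Finding $e.User 'proxyAddresses' "duplicate proxy address $($_.Name)" } }

    return $findings.ToArray()
}

Test-DirSyncAttributes -Users $sampleUsers -TenantDomains $tenantDomains | Format-Table -AutoSize
```

On the sample, asmith. is flagged for the trailing dot in sAMAccountName, the dot before @ in the UPN and the contoso.local proxy address; bob for the blank UPN and for sharing jdoe's SMTP address; jdoe and jdoe2 for the duplicate UPN (the case difference does not make them distinct in the tenant). Fix every finding before the first DirSync run, because DirSync reports these as per-object sync errors after the fact rather than blocking them.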
How Directory Synchronization works: Writing to on-premises AD
> If Rich Co-Existence is disabled, Directory Sync will not modify the customer's on-premises AD
> If Rich Co-Existence is enabled, Directory Sync will modify up to 6 attributes on users:
Attribute(s): SafeSendersHash, BlockedSendersHash, SafeRecipientHash. Feature: Filtering co-existence, enables on-premises filtering using cloud safe/blocked sender info
Attribute: msExchArchiveStatus. Feature: Cloud Archive, allows users to archive mail to the Office 365 service
Attribute: proxyAddresses (cloud LegacyExchangeDN). Feature: Mailbox off-boarding, enables off-boarding of mailboxes back to on-premises
Attribute: cloudmsExchUCVoiceMailSettings. Feature: Voicemail co-existence, enables on-premises mailbox users to have Lync in the cloud
Single Forest AD structure and Considerations
Single Sign on setup
How Directory Synchronization works: Architecture (diagram)
Customer network: AD; Directory Sync server
Office 365 datacenter: Office 365 FEs; Microsoft Online ID; Exchange; Office Sub; SharePoint; Lync; O365 Directory
Key Solution components: Federation
Office 365 Identity features
> Password policy controls for Microsoft Online IDs
> Single sign-on with corporate credentials
> Role-based administration, five administration roles: Company Admin, Billing Admin, User Account Admin, HelpDesk Admin, Service Support Admin
> Support for hybrid environments for services such as Exchange Online
> Support for strong authentication (e.g. smart cards)
Office 365 Roles: Role Based Access
Admin and end user roles
Global Admin: Includes full permissions to your company. The initial user created when signing up is assigned this role. Can assign admin permissions to other users.
Billing Admin: Has full permissions for billing tasks, and read-only permissions for company objects (domains, users). Any user with this role also receives notifications for billing events.
User Account Admin: Has read-only permissions to all company objects, and has user administration permissions. Cannot make changes to billing or tenant admins.
Help Desk Admin: Has read-only permission to all company objects, and has reset-password privileges. Cannot reset passwords for tenant, billing or user account admins.
Service Support Admin: Has read-only permissions to all company objects. Also has the ability to manage individual services.
User: This is the default role for all users, and does not include any admin permissions.
Partner roles
Agent Admin: Agent has full access (Tenant Admin role) on all tenants that the partner has access to.
Agent Help Desk Admin: Agent has access to reset passwords only (Help Desk Admin role) on all tenants that the partner has access to.
Identity Architecture (SafenetDemos customer premises vs. Microsoft Online Services; diagram)
Microsoft Online Services side: Identity Services (provisioning platform, MS Online Directory, admin portal, authentication platform) and the workloads Exchange Online, SharePoint Online and Lync Online; Office 365 Desktop Setup on the clients.
1. Microsoft Online IDs: accounts live only in the MS Online Directory.
2. Microsoft Online IDs + DirSync: on-premises AD is synchronized into the MS Online Directory.
3. Federated IDs + DirSync: Active Directory Federation Server 2.0 on premises is the IdP, with AD as the IdP directory store and a trust to the Office 365 authentication platform.
Single Sign on Setup for New domains (safenetdemos customer premises and Microsoft Online Services; diagram)
1. Install the Microsoft Online Services Module for Windows PowerShell (MSOL PowerShell module)
2. Connect to AD FS 2.0 and Microsoft Office 365
3. Add Domain (returns details for proof of ownership: the required CNAME record)
4. Add Trust on the AD FS server: claim rules; user source ID = AD objectGUID
5. Verify Domain: active/MEX/passive endpoints, token certificates (current/next), brand URI etc. are registered with the tenant
6. Update when the federation settings change
Components: Identity Services (provisioning platform, directory store, admin portal/PowerShell, authentication platform); Active Directory Federation Server 2.0 with a trust to the authentication platform.
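The flow above as a script, added here as an example and not taken from the deck or from Microsoft's documentation. It uses the Microsoft Online Services Module cmdlets and the AD FS 2.0 PowerShell snap-in; the domain name, the AD FS server name, the relying-party display name and the sample GUID are placeholders, it has to run on the AD FS 2.0 server with tenant Global Admin credentials, and the DNS proof record must be published between the add and the verify step. The helpers at the end check the "user source ID = AD objectGUID" mapping for a synced user, which is the usual cause of a federated sign-in failing for one account while DirSync reports success.

```powershell
# Added example (not SafeNet or Microsoft code): scripted SSO setup for a new domain.
$domain     = 'safenetdemos.com'                 # UPN suffix to federate; must be publicly routable
$adfsServer = 'adfs01.corp.safenetdemos.local'   # assumption: internal FQDN of the AD FS 2.0 server

Import-Module MSOnline                                                # step 1: MSOL PowerShell module
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets
Connect-MsolService                                                   # step 2: prompts for tenant admin credentials
Set-MsolADFSContext -Computer $adfsServer                             # step 2: AD FS server the MSOL cmdlets will configure

# step 3: add the domain; the tenant returns the DNS record that proves ownership
# (the slide shows a CNAME; the current cmdlet hands back a TXT or MX record).
if (-not (Get-MsolDomain -DomainName $domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domain | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord | Format-List Label, Text, Ttl

# steps 4 and 5: once the record is published, verify the domain and convert it to federated.
# Convert-MsolDomainToFederated creates the relying-party trust on the AD FS server with
# issuance rules that send UPN and ImmutableID (sourced from objectGUID), and registers the
# active (WS-Trust), MEX and passive (WS-Federation) endpoints plus the current and next
# token-signing certificates in the tenant.
if ((Get-MsolDomain -DomainName $domain).Status -ne 'Verified') { Confirm-MsolDomain -DomainName $domain }
if ((Get-MsolDomain -DomainName $domain).Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $domain
}
Get-MsolFederationProperty -DomainName $domain    # AD FS settings side by side with what the tenant holds
# step 6: after a token-signing certificate rollover or URL change, push the new values:
#   Update-MsolFederatedDomain -DomainName $domain

# Inspect the claim rules the cmdlet created (relying-party name as the cmdlet creates it)
Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform' |
    Select-Object -ExpandProperty IssuanceTransformRules

# "User source ID = AD objectGUID": the tenant's ImmutableId is the base64 form of the
# on-premises objectGUID bytes. These helpers confirm the mapping for a synced user.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    New-Object System.Guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}
$g = [guid]'4b5e9c32-7d16-4a33-9a1f-0e2c6f4e1a5d'      # constructed sample GUID
ConvertTo-ImmutableId $g
(ConvertFrom-ImmutableId (ConvertTo-ImmutableId $g)) -eq $g   # round-trip check
# Against live data (needs the ActiveDirectory module):
#   $ad = Get-ADUser jdoe -Properties objectGUID
#   (Get-MsolUser -UserPrincipalName $ad.UserPrincipalName).ImmutableId -eq (ConvertTo-ImmutableId $ad.ObjectGUID)
```

Run the verification part again after every AD FS change that touches certificates or URLs: the tenant only learns about them through Update-MsolFederatedDomain, and a stale token-signing certificate on the tenant side shows up as every federated sign-in failing at once.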
Identity
Different identity options for your organization, including full support for single sign-on with the cloud
Federated IDs: users are authenticated by the local AD FS 2.0 server (Windows Server 2008); 2-factor authentication options available
User Directory Synchronization from on-premises AD to the cloud
Authentication Options: IT administrator considerations
Microsoft Online IDs
> Manages password policy in the cloud & on-premises
> Password reset for on-premises & MS Online IDs
> No 2-factor auth integration
Federated IDs
> Manages password policy on-premises only
> Password reset for on-premises IDs only
> 2-factor auth integration options
> Requires additional on-premises servers to enable identity federation
Identity options comparison
1. MS Online IDs
Appropriate for: smaller orgs without AD on-premises
Pros: no servers required on-premises
Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud
2. MS Online IDs + Dir Sync
Appropriate for: medium/large orgs with AD on-premises
Pros: users and groups mastered on-premises; enables co-existence scenarios
Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; single server deployment
3. Federated IDs + Dir Sync
Appropriate for: larger enterprise orgs with AD on-premises
Pros: SSO with corporate credentials; IDs mastered on-premises; password policy controlled on-premises; 2FA solutions possible; enables co-existence scenarios
Cons: high-availability server deployments required
Sign On Experience: Federated vs. Non-Federated Summary
> Office 365 Desktop Setup required for rich clients
> Installs client and operating system updates to enable the best sign-on experience
> Enables authentication support for rich clients
> Not required for web kiosk scenarios (e.g. OWA)
> Passwords can be saved for Outlook on XP/Vista clients and mobile devices etc.
Table (credential prompt frequency per client): rows Outlook 2010; Outlook 2007*; Outlook Web App; ActiveSync, POP, IMAP, Entourage; SharePoint Online/Lync Online (Office 2010 or Office 2007 SP2). Columns: Federated IDs on domain-joined Win 7 and on Vista/XP (AD credentials) vs. MS Online IDs on Win 7/Vista/XP (Online ID). Cell values used: No prompt, Once at setup, Once per session***, Each session.
Identity Federation Requirements
> Single Active Directory forest, forest functional level 2003 or higher
> Windows Server 2008/R2 for Active Directory Federation Services 2.0
> Hybrid deployments: Exchange 2010 SP1 CAS and the associated schema update
> An Enterprise Admins account is required to set up Directory Sync
> Unique third-party SSL certificate
> Windows PowerShell 2.0 feature
> Microsoft Online Services Module for Windows PowerShell
> Establish a relying party trust between the AD FS 2.0 federation server farm and Office 365
> Windows Server 2003 or above for Directory Synchronization
> Single forest; multiple domains in a single forest are supported
ADFS Terminology
> AD FS: the standard base service that projects internal users to the cloud through a trust
> STS (Security Token Service): Microsoft defines an STS as a service that issues and validates security tokens containing claims about a subject
> Federation server: issues tokens and serves as part of a Federation Service
> http://technet.microsoft.com/en-us/library/adfs2-help-terminology(v=ws.10).aspx
Identity Federation: Authentication flow (passive profile; diagram)
Components: client (joined to CorpNet), AD FS 2.0 server and Active Directory on the customer side; Federation Gateway and Exchange Online on the Microsoft Office 365 side. In the passive profile the browser is redirected by the Federation Gateway to the on-premises AD FS 2.0 server (or to whatever proxy publishes it), signs in there and returns with a token.
Identity Federation: Authentication flow (active profile; diagram)
Same components. In the active profile a rich client such as Outlook or ActiveSync hands its username and password to the Office 365 service, which calls the AD FS 2.0 active (WS-Trust) endpoint on the user's behalf. Only a username and password travel this path, so nothing can insert a second factor into it; that is why the Strong Authentication slide below limits OTP to web clients and to domain-joined rich clients that already hold Kerberos tickets.
Strong Authentication
> Currently supported scenarios
Rich applications, provided they do not need the second factor at authentication time: the user logs on to the workstation with strong authentication and all further connections ride on the existing Kerberos tickets
Web applications
> Unsupported scenarios
Non-domain-joined machines (rich apps)
Mobile applications
Operating system/client mix (strong authentication supported):
Client | Windows 7 | Legacy clients (Vista/XP)
Outlook 2010 | Yes | No
Outlook 2007* | Yes | No
Lync 2010 | Yes | Yes
SharePoint Online | Yes | Yes
Web Applications | Yes | Yes
Mobile | No | No
Alternative Proxies and Strong Authentication
Proxy | Authentication scheme | Authentication limitations
AD FS proxy | Requires integration of the strong authentication provider with the AD FS proxy login page. | None
Forefront TMG | Publish the AD FS server. Integration with some strong authentication providers is provided out of the box. | Supported, but requires each path to be published separately
Forefront UAG SP1 | Publish the AD FS server. Integration with some authentication providers is provided out of the box; very flexible integration options. | Web clients only
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load balancer
3. AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, down-level clients with Outlook)
Diagram: internal users and Active Directory on the Enterprise side with the AD FS 2.0 server(s); AD FS 2.0 server proxies in the DMZ facing external users.
Key Solution components: UAG
Why do I need UAG in a world that is going cloud?
> The chance that the future is a hybrid setup (cloud + on-premises) is very high.
> You will still need to give your clients access to internal apps.
> You will need a bridge between your corpnet and the cloud networks (think of ADFS publishing).
UAG Solution Architecture (diagram)
Clients: business partners / sub-contractors; home / friend / kiosk; employees on managed machines; mobile
Access paths over the Internet: HTTPS (443) portal publishing; DirectAccess; Layer 3 VPN
Authentication and policy stores: AD, ADFS, RADIUS, LDAP…; NPS, ILM
Published back ends: Exchange; CRM; SharePoint; IIS-based; IBM, SAP, Oracle; Terminal / Remote Desktop Services; non-web (HTTPS / HTTP)
Capabilities:
• Strong authentication
• Endpoint health detection: NAP and down-level
• Authorization: based on health status; who + where
• Information leakage prevention: attachment/cache wiper
What is UAG & Compare the Edge
Integrated and comprehensive protection from Internet-based threats
Unified platform for all enterprise remote access needs
TMG vs UAG (at the publishing level)
> TMG
> De-emphasised on publishing
> Limited to HTTP(S) publishing
> Limited to authentication as security
> Client unaware
> UAG
> The future of publishing
> Portal approach
> HTTP(S) + client/server apps + VPN (including DirectAccess)
> Health check and cleanup
> Very flexible authentication
> Loads of pre-built templates
> Very detailed reporting
Two Keywords in UAG lingo: Trunk and Application
Trunk
> Two types of trunks (UAG cannot publish on any other ports):
> HTTP (TCP 80)
> HTTPS (TCP 443)
> Is like an IIS website or a TMG listener => IP + port
> A redirect trunk can redirect HTTP to HTTPS, not the other way round.
> Can be linked to the portal or directly to an application
> Two options:
> Portal trunk => homepage of UAG
> ADFS trunk => SSO across forest boundaries
Application
• +/- 40 templates / 5 top-level application types
• Built-in services (automatically added to the trunk): File access => NTFS shares; Web Monitor => remote UAG management
• Web applications: SharePoint, Exchange, …; Other => create your own setup
• Client/server and legacy: apps that run outside the browser; SSL VPN for specific apps; when launching an app the UAG client components load; Remote Network Access => full network SSL VPN
• Browser-embedded: starts in the browser and shifts to a binary, e.g. Citrix XenApp
• Terminal services and remote desktop: 5 templates
UAG Trunks (diagram)
A trunk is defined by an external IP and URL on HTTP or HTTPS. The trunk portal authenticates the user against the configured authentication servers, downloads the endpoint detection and clean-up components to the client, evaluates the endpoint access settings, and then exposes the applications added to the trunk.
Require domain membership for:
> ADFS
> KCD
> File access
> DirectAccess
> UAG array
Adding OTP Authentication (architecture diagram)
UAG publishes the AD FS 2.0 server in an ADFS trunk. The user authenticates to UAG with an OTP, which UAG checks against NPS (RADIUS) and NPS in turn against SAM; UAG then performs Windows authentication to AD FS, which issues the token against Active Directory that Office 365 accepts.
Test URL: https://www.outlook.com/owa/safenetdemos.com
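To check the OTP leg (UAG to NPS to SAM) before adding the RADIUS server to the UAG trunk, here is a small RADIUS Access-Request test client (RFC 2865, PAP), added here as an example; it is not SafeNet, Microsoft or UAG code. The NPS host name, shared secret, NAS-Identifier and account name are placeholders, and NPS needs a RADIUS client entry for the machine running it with the same shared secret (in production that entry is UAG's address). It hides the password as RFC 2865 section 5.2 specifies and validates the Response Authenticator, so a wrong shared secret is reported distinctly rather than looking like a rejected OTP.

```powershell
# Added example (not SafeNet, Microsoft or UAG code): RADIUS Access-Request test for NPS/SAM.
$NpsServer = 'nps01.corp.safenetdemos.local'   # assumption: NPS host that forwards OTPs to SAM
$Secret    = 'ChangeMe-SharedSecret'            # assumption: secret configured on NPS for this client
$md5       = [System.Security.Cryptography.MD5]::Create()

function ConvertTo-HiddenPassword {
    # RFC 2865 5.2: zero-pad to a multiple of 16; c1 = p1 XOR MD5(S+RA), cn = pn XOR MD5(S+c(n-1))
    param([byte[]] $Password, [byte[]] $SecretBytes, [byte[]] $Authenticator)
    $padLen = [int]([Math]::Ceiling([Math]::Max($Password.Length, 1) / 16) * 16)
    $p = New-Object byte[] $padLen
    [Array]::Copy($Password, $p, $Password.Length)
    $out = New-Object byte[] $padLen
    $blockIn = New-Object byte[] ($SecretBytes.Length + 16)      # S + previous 16-byte block
    [Array]::Copy($SecretBytes, $blockIn, $SecretBytes.Length)
    for ($i = 0; $i -lt $padLen; $i += 16) {
        if ($i -eq 0) { [Array]::Copy($Authenticator, 0, $blockIn, $SecretBytes.Length, 16) }
        else          { [Array]::Copy($out, $i - 16, $blockIn, $SecretBytes.Length, 16) }
        $b = $md5.ComputeHash($blockIn)
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $p[$i + $j] -bxor $b[$j] }
    }
    return $out
}

function New-RadiusAttribute {
    param([byte] $Type, [byte[]] $Value)                          # Type, Length (incl. header), Value
    return [byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function New-AccessRequest {
    param([string] $User, [string] $Otp, [byte[]] $SecretBytes, [byte] $Identifier)
    $enc  = [System.Text.Encoding]::ASCII
    $auth = New-Object byte[] 16                                  # Request Authenticator: 16 random bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
    $attrs = (New-RadiusAttribute 1  ($enc.GetBytes($User))) +                                                  # User-Name
             (New-RadiusAttribute 2  (ConvertTo-HiddenPassword ($enc.GetBytes($Otp)) $SecretBytes $auth)) +    # User-Password
             (New-RadiusAttribute 32 ($enc.GetBytes('uag-otp-test')))                                           # NAS-Identifier (assumption)
    $len = 20 + $attrs.Length
    $pkt = [byte[]](@(1, $Identifier, ($len -shr 8), ($len -band 0xFF)) + $auth + $attrs)   # Code 1 = Access-Request
    return @{ Packet = $pkt; Authenticator = $auth }
}

function Test-ResponseAuthenticator {
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    param([byte[]] $Response, [byte[]] $RequestAuth, [byte[]] $SecretBytes)
    if ($Response.Length -lt 20) { return $false }
    $buf = New-Object byte[] ($Response.Length + $SecretBytes.Length)
    [Array]::Copy($Response, $buf, $Response.Length)
    [Array]::Copy($RequestAuth, 0, $buf, 4, 16)                   # swap in the request authenticator
    [Array]::Copy($SecretBytes, 0, $buf, $Response.Length, $SecretBytes.Length)
    $expected = $md5.ComputeHash($buf)
    for ($i = 0; $i -lt 16; $i++) { if ($Response[4 + $i] -ne $expected[$i]) { return $false } }
    return $true
}

function Invoke-RadiusOtpTest {
    param([string] $User, [string] $Otp, [byte] $Identifier = 1)
    $secretBytes = [System.Text.Encoding]::ASCII.GetBytes($Secret)
    $req = New-AccessRequest -User $User -Otp $Otp -SecretBytes $secretBytes -Identifier $Identifier
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 5000
    try {
        $udp.Connect($NpsServer, 1812)
        [void]$udp.Send($req.Packet, $req.Packet.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$remote)
    } finally { $udp.Close() }
    if ($resp[1] -ne $Identifier) { throw 'Identifier mismatch: reply belongs to another request' }
    if (-not (Test-ResponseAuthenticator $resp $req.Authenticator $secretBytes)) {
        throw 'Response Authenticator check failed: wrong shared secret or a spoofed reply'
    }
    switch ($resp[0]) {
        2       { 'Access-Accept' }
        3       { 'Access-Reject' }
        11      { 'Access-Challenge (e.g. next token code requested)' }
        default { "Unexpected RADIUS code $($resp[0])" }
    }
}
# Invoke-RadiusOtpTest -User 'jdoe' -Otp '123456'   # assumption: jdoe has a SAM token; pass its current OTP
```

Run it once with a valid OTP, once with a reused one and once with a wrong shared secret: the first should return Access-Accept, the second Access-Reject (replay of a one-time password must fail), and the third the authenticator error. Only after all three behave as expected is the NPS entry worth adding as the trunk's authentication server in UAG.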
Key Solution components: Exchange migration
How to pick an Exchange migration solution? (chart: organizational size in users vs. time for migration including planning)
Organizational size: 1 | 150 | 5,000 | 25,000 users
Solution: C-EM (cutover) | S-EM with DirSync (staged) | Hybrid
Time for migration including planning: <1 week | 2 weeks | 3 weeks | several months (Hybrid)
Coexistence: None | Mail flow/GAL sync | Free/Busy, archive in cloud
Deployment Plan: Choices to fit your organization
Source platform | IMAP migration | Cutover Exchange migration | Staged migration | Hybrid
Exchange 5.5 | X | | |
Exchange 2000 | X | | |
Exchange 2003 | X | X | X | X
Exchange 2007 | X | X | X | X
Exchange 2010 | X | X | | X
Notes/Domino | X | | |
GroupWise | X | | |
Other | X | | |
* Additional options available with tools from migration partners
IMAP migration: supports a wide range of e-mail platforms; e-mail only (no calendar, contacts, or tasks)
Cutover Exchange migration (C-EM): good for fast, cutover migrations; no server required on-premises
Staged Exchange migration (S-EM): no server required on-premises; identity federation with the on-premises directory
Hybrid deployment (MRS): manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding
Migration Options
> Cutover: all mailboxes are moved into the cloud in one big hit; best suited to smaller companies (no DirSync, MX flip)
> Staged: mailboxes are moved in batches (requires DirSync)
> Hybrid: on-board / off-board
Existing organization | Number of mailboxes to migrate | Maintain mailboxes on-premises? | Deployment option
Exchange 2010, Exchange 2007, or Exchange 2003 | Less than 1,000 mailboxes | No | Cutover
Exchange 2007 or Exchange 2003 | No maximum | Yes | Staged or hybrid
Exchange 2010 | More than 1,000 mailboxes | No | Hybrid
Exchange 2010 | More than 1,000 mailboxes | Yes | Hybrid
Office 365 for professionals and small businesses | Fewer than 50 * | Not applicable ** | Cutover
Cutover Exchange migration steps
> Requires Exchange Server 2003 or later
> Enable Outlook Anywhere (RPC over HTTP)
> Use a certificate from a trusted certification authority on the Outlook Anywhere endpoint; the migration service will not connect to an untrusted certificate
> Run the migration
> No OST preservation
> All-or-nothing migration
> No DDLs (dynamic distribution lists) are migrated
> End user performs the first logon to Office 365 and resets the password
> End user creates a new Outlook profile and OST file and resyncs all content
Staged Exchange migration steps
> Mail flows from on-premises to Office 365 through the CAS
> Requires DirSync
> Migrates a subset of your on-premises mailboxes to Office 365 in each batch
> Incremental syncs are not needed
> Users start using their mailbox as soon as it is created: new mail is available immediately, old content fills in afterwards
> Stamps targetAddress on the source mailbox so that mail arriving on-premises is forwarded to the cloud mailbox
> Important: You cannot perform a staged Exchange migration to migrate on-premises Exchange 2010 mailboxes to Office 365.
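The targetAddress stamping above is the step that decides whether mail keeps landing in the stale on-premises mailbox or reaches the cloud, so it is worth verifying per batch. The following script is an added example, not part of the original deck: it reads the batch CSV that was fed to the staged migration (assumed header EmailAddress,Password,ForceChangePassword), looks up each user in Active Directory with the RSAT ActiveDirectory module, and reports whether the mailbox has been converted into a mail-enabled user forwarding to the cloud. The routing domain safenetdemos.mail.onmicrosoft.com and the file name batch1.csv are placeholders.

```powershell
# Added example, not from the original deck. Checks the on-premises state of every user in a
# completed staged-migration batch: after conversion the user must have no homeMDB (no longer a
# mailbox) and a targetAddress of SMTP:<alias>@<routing domain>, so inbound mail is forwarded.
# Assumptions (placeholders): batch1.csv is the migration CSV (EmailAddress,Password,
# ForceChangePassword); $routingDomain is the tenant's routing domain; RSAT AD module present.
Import-Module ActiveDirectory -ErrorAction Stop

$batchCsv      = ".\batch1.csv"
$routingDomain = "safenetdemos.mail.onmicrosoft.com"

Import-Csv $batchCsv | ForEach-Object {
    $smtp = $_.EmailAddress
    $u = Get-ADUser -Filter "mail -eq '$smtp'" -Properties mail, targetAddress, homeMDB
    if (-not $u) {
        New-Object PSObject -Property @{ User = $smtp; State = "NOT FOUND in AD"; TargetAddress = $null }
        return
    }

    # Expected after conversion to a mail-enabled user (string compare is case-insensitive)
    $alias    = $smtp.Split("@")[0]
    $expected = "SMTP:$alias@$routingDomain"

    $state = switch ($true) {
        (-not $u.homeMDB -and $u.targetAddress -eq $expected) { "OK: mail-enabled user, forwarding to cloud" }
        ($u.homeMDB -and $u.targetAddress)                    { "WARN: targetAddress set but still a mailbox; new mail stays on-premises" }
        ($u.homeMDB)                                          { "PENDING: mailbox not converted yet" }
        default                                               { "CHECK: no mailbox and targetAddress is '$($u.targetAddress)'" }
    }
    New-Object PSObject -Property @{ User = $smtp; State = $state; TargetAddress = $u.targetAddress }
} | Format-Table User, State, TargetAddress -AutoSize
```

Any WARN row is a user who will appear migrated in the portal while colleagues' mail still arrives in the old mailbox; fix those before the batch is declared complete. The script only reads AD, so it is safe to rerun after each batch.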
Hybrid: Staged Exchange Migration vs Hybrid Feature-set
Feature (compared for Staged / Hybrid):
> Mail routing between on-premises and cloud (recipients on either side)
> Mail routing with shared namespace (if desired): @company.com on both sides
> Unified GAL
Exchange Sharing:
> Free/Busy and calendar sharing cross-premises
> Mailtips, message tracking, and mailbox search work cross-premises
> OWA redirection cross-premises (single OWA URL for both on-premises and cloud)
> Exchange Online Archive
Mailbox Move:
> Exchange Management Console used to manage the cross-premises relationship and mailbox migrations
> Native mailbox move supports both onboarding and offboarding
> No Outlook reconfiguration or OST resync required after mailbox migration
> Online Mailbox Move lets users stay logged into their mailbox while it is being moved to the cloud
Secure Transport:
> Secure Mail ensures that cross-premises e-mail is encrypted and the internal authentication headers are preserved
> Centralized mail flow control ensures that all inbound/outbound e-mail routes via on-premises
Hybrid: Feature summary
> Makes your on-premises organization and cloud organization work together like a single, seamless organization
> Offers near-parity of features and experience on-premises and in the cloud
> Seamless interactions between on-premises and cloud mailboxes
> Migrations in and out of the cloud are transparent to the end user
> Features not supported:
> Migration of Send As/Full Access permissions
> Multi-forest: only single-forest source environments
Hybrid Server Roles
2 required server roles:
> Office 365 Active Directory Synchronization (DirSync): provides the Unified Global Address List
> Exchange Server 2010 SP1 CAS/Hub*: provides Exchange Sharing, Mailbox Move and Secure Transport
1 optional server role:
> Active Directory Federation Services (AD FS): provides Single Sign On
* FREE! with a paid Exchange Online subscription
Federation Scenarios: "Federation" is a very overloaded word
Sign-On Scenarios, ADFS v2, "Identity Federation": the user uses corporate credentials to access Online resources in the cloud. Applies to all Office 365 services, not just Exchange Online.
> Single Sign-on cloud mailbox login
> Cross-premises Mailbox Move authentication
Delegation Scenarios, "Exchange Federation": services act on behalf of a user to access Exchange resources. Specific to the hybrid features provided by Exchange Online.
> Cross-premises Free/Busy, Shared Calendaring
> Cross-premises Mailtips
> Cross-premises Message Tracking
> Cross-premises Mailbox Search
> Cross-premises OWA redirection (single URL)
> Cross-premises Archiving
Hybrid Setup: Step 1, Office 365 configuration steps
Step / Details / Required or Recommended
> Register your custom domains in the Office 365 portal: register any primary SMTP domains. Required
> Configure Federated Identity: an on-premises ADFS (Geneva) server allows the on-premises (single) identity to be used for cloud authentication. Recommended
> Configure DirSync: the on-premises appliance synchronizes the on-premises directory/GAL with the cloud. Required
> Enable DirSync Writeback: allows rich off-boarding with message reply-ability, archiving in the cloud, and UM in the cloud. Recommended
Hybrid Setup: Step 2, Exchange Configuration Steps
Step / Details / Required or Recommended
> Install Exchange Server 2010 SP1 server on-premises: an on-premises Exchange Server 2010 SP1 CAS/Hub server is required for the hybrid features. Required
> Configure cloud Autodiscover DNS record: allows an Outlook client that targets on-premises Autodiscover to be redirected to the cloud. Required
> Publish MRS Proxy: allows the Exchange Online Mailbox Replication Service to connect on-premises and perform the move to the cloud. Required
> Implement cloud configuration policies: create configuration policies in the cloud to match (or complement) the on-premises configuration policies (e.g. ActiveSync policies, OWA policies). Recommended
> Configure RBAC in the cloud: create/manage Role Based Access Control (RBAC) settings in the cloud to match (or complement) the on-premises RBAC configuration. Recommended
> Configure Federation Trust / Organization Relationship ("Federated Sharing"): enables the infrastructure for delegated Windows Live namespace federation. Allows cross-premises Free/Busy and Shared Calendaring, OWA redirection (single URL), Mailtips, Mailbox Search, Message Tracking, and Archiving. Recommended
> Configure cross-premises mail routing: ensures proper anti-spam and header handling for mail sent between on-premises and the cloud. Recommended
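The last step, cross-premises mail routing, is where the "Secure Mail" guarantee of the hybrid feature-set (encrypted cross-premises transport, internal authentication headers preserved) is actually configured. As an added example that is not part of the original deck, the Exchange Management Shell commands below create the outbound and inbound side of that on an Exchange 2010 SP1 Hub/CAS. The tenant routing domain, the FOPE smart host and TLS certificate name, and the on-premises public host name are placeholders; take the real values from the tenant's hybrid setup instructions.

```powershell
# Added example, not from the original deck. Exchange 2010 SP1 Management Shell.
# Placeholders (replace with the values from the tenant's hybrid setup instructions):
$cloudRoutingDomain = "safenetdemos.mail.onmicrosoft.com"   # routing domain cloud mailboxes receive on
$fopeSmartHost      = "mail.messaging.microsoft.com"        # FOPE inbound smart host for the tenant
$fopeTlsName        = "mail.messaging.microsoft.com"        # subject name on the certificate FOPE presents
$onPremTlsName      = "mail.safenetdemos.com"               # public name on the on-premises CAS/Hub certificate

# Outbound: only the cloud routing domain goes this way, TLS is mandatory, and the peer's
# certificate must both chain to a trusted CA and match $fopeTlsName (DomainValidation).
# EncryptionOnly would accept any certificate, so a rogue smart host could terminate the TLS.
New-SendConnector -Name "Outbound to Office 365" -Usage Custom `
    -AddressSpaces "SMTP:$cloudRoutingDomain;1" `
    -SmartHosts $fopeSmartHost -DNSRoutingEnabled $false `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain $fopeTlsName `
    -Fqdn $onPremTlsName

# Inbound: accept the cross-organization protocol (the X-MS-Exchange-Organization-* headers
# that mark a message as internal/authenticated) ONLY from a TLS peer whose certificate
# matches $fopeTlsName. Without binding it to the TLS name, any internet sender could set
# those headers and have its mail treated as internal (bypassing external-mail handling).
Get-ReceiveConnector | Where-Object { $_.Name -like "Default *" } |
    Set-ReceiveConnector -TlsDomainCapabilities "${fopeTlsName}:AcceptOorgProtocol" `
                         -Fqdn $onPremTlsName

# Verify both sides
Get-SendConnector "Outbound to Office 365" |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, Fqdn
Get-ReceiveConnector | Where-Object { $_.Name -like "Default *" } |
    Format-List Name, TlsDomainCapabilities, Fqdn
```

The -Fqdn values only work if a certificate with that subject name is enabled for SMTP on the server (Get-ExchangeCertificate shows the SMTP service flag), otherwise STARTTLS negotiation fails in both directions. The practical check after configuration is to send a message from a cloud mailbox to an on-premises one and confirm the received headers show the TLS connection and an X-MS-Exchange-Organization-AuthAs value of Internal.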
Hybrid Migration: Mailbox offboarding
> Why might you care about offboarding?
> Long-term hybrid scenarios
> Compliance requirements (retaining ex-employee data)
> Piloting online but not committed to the move
> What you need to know about offboarding
> Offboarding is available using the EMC toolset while in the hybrid scenario
> Offboarding to an on-premises Exchange Server 2010 database is an online mailbox move
Deployment Flexibility: Rich hybrid capabilities
Connect your Exchange Server to the cloud for smooth migration or long-term coexistence
• Share free/busy data between cloud and on-premises users
• Migrate users to the cloud with native Exchange tools
• Give users a seamless transition, with no OST re-sync
• Easily move mailboxes back on-premises
[Diagram: an Exchange Server 2003 or 2007 organization connected to Office 365 through an Exchange 2010 SP1 "Hybrid Edition" server]
FOPE Admin Center
• Run real-time reports
• Customize spam settings
• Configure policy filtering
• Perform message tracking
• Office 365 customers can access the FOPE Admin Center
• Provides Office 365 customers with a new level of control
When to use the FOPE Admin Center vs. the Exchange Control Panel
Use the FOPE Admin Center for these tasks:
• Trace messages outside your organization
• Perform transport-related tasks not available in transport rules: specific header attributes; custom dictionaries and character sets; actions such as quarantine or encrypt
• Configure org-wide safe/blocked senders
• Configure granular anti-spam settings (e.g. backscatter, SPF)
• View reports on spam filtering
• Configure forced TLS
Use the Exchange Control Panel for these tasks:
• Trace messages within your organization
• Set up transport rules to: add disclaimers to e-mails; look for keywords and regular expressions; block e-mail sent to the outside world (by sender, domain, etc.); moderate e-mail delivery
• Configure journaling of e-mails to an external archive
Steps to build the solution:
> Add and verify your domain name with Office 365
> Prepare your on-premises Active Directory for directory synchronization
> Enable single sign-on (identity federation)
> Install the Directory Synchronization Tool and perform the initial synchronization
> Configure e-mail migration (Staged or Hybrid)
> Install UAG SP1 and publish ADFS through it (UAG takes the role of the ADFS proxy)
> Install SAM 8.0 SP3 (SafeNet Authentication Manager)
> Deploy client applications and the Office 365 desktop setup
> Enroll and provision tokens to users
> Test and validate
Key Activities
How to pilot single sign-on in a production user forest
> Set up an issuance authorization claim rule on the ADFS 2.0 server that only issues a security token for the authenticated user if they are a member of an on-premises security group. Put your pilot users in that group, and add the remaining users to it as you stage the rollout to the organization.
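The rule described above, as an added example that is not part of the original deck. It uses the ADFS 2.0 PowerShell snap-in and the RSAT ActiveDirectory module on the internal ADFS server. The relying party trust name "Microsoft Office 365 Identity Platform" is the name the Office 365 federation cmdlets create; the pilot group name O365-Pilot is a placeholder. The group's SID is looked up rather than hard-coded because the groupsid claim carries SIDs, which survive group renames.

```powershell
# Added example, not from the original deck. Run on the internal ADFS 2.0 server as an ADFS admin.
# Assumptions: RP trust named "Microsoft Office 365 Identity Platform"; pilot group "O365-Pilot".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$rpName    = "Microsoft Office 365 Identity Platform"
$groupName = "O365-Pilot"

# Match on the group's SID: the default AD claims provider passes all Group SID claims through,
# and a SID (unlike a name) does not change if the group is renamed.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

$rp = Get-ADFSRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Keep the current rule set for rollback (by default it is a single "Permit Access to All Users" rule).
$backup = Join-Path $env:TEMP ("o365-issuance-authz-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
$rp.IssuanceAuthorizationRules | Out-File $backup
Write-Host "Previous issuance authorization rules saved to $backup"

# One authorization rule: issue the permit claim only if the token carries the pilot group's SID.
# A user with no permit claim is denied by ADFS before any token is issued to Office 365.
$rules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Office 365 pilot group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# This REPLACES the rule set. Appending to the default "permit all" rule would leave everyone
# permitted and make the group check meaningless.
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Verify what is now in effect
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things to check before widening the group: the rule applies to both the passive (browser, via UAG) and the active (Outlook, ActiveSync) federation endpoints of the same relying party, so non-pilot users lose rich-client sign-in as well, which is the intended effect; and a test sign-in with an account outside the group must end on the ADFS access-denied page rather than at Office 365, which proves the old permit-all rule really is gone. Nested group membership works because the groupsid claims come from the user's token groups, not from direct membership only.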
Troubleshooting and Tools
> Microsoft Office 365 Deployment Readiness Tool
> Microsoft Exchange Remote Connectivity Analyzer
> https://www.testexchangeconnectivity.com/
> UAG Web Monitor
> PowerShell cmdlets
> Outlook Test E-mail AutoConfiguration (connection test from the client)
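As an added example of the "PowerShell cmdlets" item, not part of the original deck, the script below runs the checks that cover most federation and directory-sync support calls from an admin workstation with the Microsoft Online Services Module (MSOnline). The federated domain safenetdemos.com (taken from the deck's demo URL) and the ADFS server name adfs01.safenetdemos.com are placeholders, and the cmdlets talk to the live tenant and ADFS farm.

```powershell
# Added example, not from the original deck. Requires the Microsoft Online Services Module
# (MSOnline) and a tenant admin credential. Placeholders: $domain, $adfs.
Import-Module MSOnline -ErrorAction Stop

$domain = "safenetdemos.com"
$adfs   = "adfs01.safenetdemos.com"

Connect-MsolService                  # prompts for the tenant admin credential
Set-MsolADFSContext -Computer $adfs  # lets the federation cmdlets query the internal ADFS farm

# 1. The domain must be Verified and its Authentication must be Federated;
#    otherwise Office 365 never redirects to ADFS (and therefore never to UAG's OTP logon).
Get-MsolDomain -DomainName $domain | Format-List Name, Status, Authentication

# 2. Compare what ADFS publishes with what the tenant stored when the domain was federated.
#    Issuer URI, passive/active endpoints and the token-signing certificate must agree.
#    A rolled-over token-signing certificate is the classic cause of SSO failing after months
#    of working; Update-MsolFederatedDomain -DomainName $domain pushes the new values.
Get-MsolFederationProperty -DomainName $domain

# 3. DirSync state: a stale LastDirSyncTime means new users and attribute changes are not in the cloud.
Get-MsolCompanyInformation | Format-List DirectorySynchronizationEnabled, LastDirSyncTime

# 4. Users whose UPN suffix is not the federated domain are sent to the cloud password page
#    instead of ADFS, so they can never reach the OTP prompt.
Get-MsolUser -All | Where-Object { $_.UserPrincipalName -notlike "*@$domain" } |
    Select-Object UserPrincipalName, IsLicensed, LastDirSyncTime
```

Run checks 1 and 2 first: if they pass, a user-specific sign-in failure is almost always check 4 (wrong UPN suffix) or the UAG publishing layer, which is where the UAG Web Monitor and the Remote Connectivity Analyzer take over.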