Page 1:

© SafeNet Confidential and Proprietary

Office 365 integration with UAG SP1 for OTP Authentication

Page 2:

OTP Solution overview for o365

Diagram components: ADFS v2.0 server; UAG (publishes the ADFS server; Windows authentication; OTP authentication); Active Directory; NPS; SAM; Office 365 (https://www.outlook.com/owa/safenetdemos.com).

Page 3:

Session Agenda

> What is Office 365

> Key Solution components

> Directory synchronization

> Federation

> UAG

> Exchange migration

> How to build up the Solution

> How to build a pilot

> Troubleshooting and Tools

> Demo

Page 4:

Office 365 Includes…

• Flexible service offering with pay-as-you-go, per-user licensing
• The complete Office experience with services integration in Office 365
• Simplified user set-up to preconfigure services
• Always the latest version of the Office apps, including Office Web Apps
• Familiar Office user experience to access services

• 25GB Mailbox
• Outlook and Outlook Web App
• Anti-Virus/Anti-Spam
• Shared Calendars, Contacts & Tasks
• Mobile email for most mobile devices including BlackBerry, iPhone, Nokia, Windows Phone
• Personal email archiving and compliance capabilities

• My Sites to manage and share documents
• Improved Team & Project Sites
• Document-level permissions to protect sensitive content
• Share documents securely with Extranet Sites
• Cross site collection search

• Instant messaging and presence
• PC-to-PC audio and video calling
• Click-to-communicate from Outlook, SharePoint, and other Office Applications
• Online meetings with PC-audio, video conferencing and screen sharing
• Single click meeting creation and join from Outlook
• Calendar integration with Outlook and Exchange

CONTROL AND EFFICIENCY

Single user interface to purchase, administer and use with role-based access control | Single sign on with on-premises Active Directory | 99.9% financially backed SLA | 24x7 IT Pro Support | Built in geo-redundancy in regional datacenters

Page 5:

Microsoft Office 365 Value

BEST PRODUCTIVITY EXPERIENCE

Work together, smarter

ACCESS ANYWHERE*

Solve problems from more places

WORKS WITH WHAT YOU

KNOW

Familiar tools

ROBUST SECURITY AND

RELIABILITY

99.9% uptime. Guaranteed.

IT CONTROL AND

EFFICIENCY

Keeps you in control

BEST PRODUCTIVITY EXPERIENCE

Online meeting presentation with pc-to-pc audio and video

Desktop and Application sharing and virtual whiteboard

Recording Capability

Instant messaging

Co-Authoring in Word

Presence

Status update

Activities

My Sites in SharePoint

Easily connect with others across organizations with

calendar sharing and publishing in Outlook

Familiar Office Experience

Create sites to share documents with colleagues and partners with SharePoint

Cross-browser support

• Simultaneously edit documents with your colleagues

• Conduct online meetings with colleagues, partners, and customers, including audio, video and screen sharing

• Manage and share important documents and personal insights with colleagues using My sites

• Share your calendar with colleagues, partners, and customers

• Share documents, task lists, and schedules to keep workgroups in synch with Teamsites


* Access from mobile devices depends on carrier network quality and availability** “Connect Securely” is not a guarantee of 100% connection security.”

Page 6:

• Rich client access online or offline via Office desktop applications on PCs and Macs

• View and edit documents with Office Web Apps across a broad range of browsers (Internet Explorer, Firefox, Safari)

• Access your inbox from a broad range of browsers with Outlook Web App

• Access mail, contacts, calendar, and SharePoint sites from hundreds of devices including Windows Phones, Nokia, Android, iPhone and BlackBerry

• Single inbox to manage email and voicemail with unified messaging

• Connect securely** over Internet with HTTPS without the need for VPN

ACCESS ANYWHERE

Web applications with cross-browser support

Outlook Web App

Seamless mobile access across many devices

Access to PowerPoint

Access to SharePoint

Office Hub in Windows Phone 7


Page 7:

• Just works. Minimal user training required to get productive right away

• Hybrid deployment scenarios allow on-premises and online users to work together seamlessly

• Multiple plans provide a cost effective way to provide familiar business productivity capabilities to everyone in your business

• Stay up to date with the latest productivity experience through a subscription service

WORKS WITH WHAT YOU KNOW

Outlook Web App

Outlook

Page 8:

• Premium anti-spam and antivirus protection provided by multiple virus scanning engines

• Data is replicated in geo-redundant datacenters to protect against datacenter wide failures

• Risk mitigation multi-dimensional approach to help safeguard services and privacy of data

• Helps customers comply with ISO 27001, SAS 70 Type I, FERPA, HIPAA, FISMA, EU Safe Harbor Seal

• Backed by a 99.9% financially backed Service Level Agreement

ENTERPRISE SECURITY AND RELIABILITY

99.9% financially backed SLA

Geo redundant datacenters

Page 9:

MICROSOFT® OFFICE 365 DELIVERS THE POWER OF CLOUD PRODUCTIVITY TO BUSINESSES OF ALL SIZES, HELPING TO SAVE TIME, MONEY AND FREE UP VALUED RESOURCES

• 24/7 IT professional phone support or via electronic ticketing

• Service health portal and RSS feeds to provide up to date service availability information

• Simplified management with a single administration center with role based access

• Remote PowerShell to allow scripting of routine tasks and access to raw data for reports

• IT friendly service update policies that put you in control

IT CONTROL AND EFFICIENCY

Service health portal Simplified Management

Page 10:

World Class Data Centers

• $2.3B+ Investment in cloud infrastructure
• Geo-Redundant Data Centers
• Locations in North America, Europe, and Asia to provide optimal performance
• 99.9% guaranteed uptime (99.95% actual)
• Secure Infrastructure – ISO27001 and SAS70 certified
• Built from the ground up to be environmentally sustainable

Page 11:

Security Program

A risk-based, multi-dimensional approach to help safeguard services and data

Security Monitoring & Response, Threat & Vulnerability Management

Access Control & Monitoring, File/Data Integrity

Account Management, Training & Awareness, Screening

Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware

Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt

Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning

Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning

Video Surveillance, biometrics, Access Control

Security Management

Page 12:

Microsoft Office 365 plans designed for organizations of all types

There’s an Office 365 for Everyone

Office 365 for small business

• Small business

• Organizational use

• IT consultant or no IT

• Low monthly subscription price

• Focus on simplicity vs. features

• Community help

Office 365 for enterprise

• Any size organization

• Internal IT or IT partner required

• Fully featured, scripting, customization

• Range of offerings by use type

• 24x7 phone support

Office 365 for Education

• Any size educational organization (Higher Education or K-12)

• Internal IT or IT partner required

• Fully featured, scripting, customization

• 24x7 phone support

• Same 99.9% SLA guarantee as Office 365 for enterprises

• Education capabilities that are tailored specifically to meet the needs of educators and students

Page 13:

Office 365 Plans: Plans for All of Your Employees

K Family Plans

> Plan K1: $4/m

> Plan K2: $10/m

> Components listed on the slide: Exchange Online Kiosk, SharePoint Online Kiosk, Office Web Apps

E Family Plans

> Plan E1: $10/m

> Plan E2: $16/m

> Plan E3: $24/m

> Plan E4: $27/m

> Components listed on the slide: Email, calendar, AV/AS, Personal Archive; Collaboration Portal; Conferencing; IM and presence; Office Pro Plus; Forms, Access, Excel, and Visio Services; V.mail and Advanced Archive Capabilities; Voice

Page 14:

User Segments: Right Features for the Right Users

Kiosk Worker: Low-cost offering to users who do not have messaging and collaboration capabilities today

User Segment Offers: Plan K Family
• 500 MB mailbox
• Outlook Web App only
• POP support
• Messaging, calendar, contacts
• Forefront antivirus and antispam
• SharePoint Access (0 MB storage)
• Site search capabilities
• Office Web Apps

Information Worker: Rich feature offering that meets users’ full messaging and collaboration needs

User Segment Offers: Plan E Family
• 25 GB mailbox
• 500 MB SharePoint storage
• Client connectivity
• Mobility
• OCS capabilities
• Exchange and SharePoint capabilities
• Office Professional Plus
• On-premises access rights

Key Differentiators

Page 15:

Office Professional Plus (O365) vs. Volume License

Download location
> Office Professional Plus (O365): Office 365 Portal
> Office Volume License: VL Software Center

Software
> O365: Office Professional Plus
> VL: Office Standard 2010; Office Professional Plus 2010

Product Key / Activation
> O365: Subscription based activation; term 30 days (monthly); no keys to manage, only users
> VL: Volume License technologies; MAK perpetual activation, KMS 180 days; manage KMS and/or MAK keys

When Reduced Functionality Mode (RFM) starts
> O365: 60 days since last activation; “hard” RFM
> VL: MAK: N/A; KMS: within 180 days; “Notification mode”

Deployment options
> O365: Office 365 Portal; unmanaged & managed options
> VL: Unmanaged & managed options; App-V; Terminal Services

# of copies allowed
> O365: 5 active installs on different devices per user; no downgrade rights
> VL: Single device per license/activation; downgrade rights

Page 16:

Session Agenda


Page 17:

Directory sync requirements

> Office 365 Enterprise subscribers

> AD Permissions: member of the Enterprise Admins

> Schema Update for Exchange hybrid mode

> AD Cleanup:

> Remove duplicate proxyAddress and userPrincipalName attributes.

> Update blank and invalid userPrincipalName attributes with a valid userPrincipalName.

> Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, and userPrincipalName attributes

Page 18:

What does Directory Sync do for you

> Enables you to manage your company’s information in one central location for both on-premise intranet and Office 365

> Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)

> Flavors of Co-Existence

Identity Co-Existence (aka Single Sign-On, Federated Identity, Federated Authentication)

Application Co-Existence

> Runs as an appliance

Install and forget

> Proactively reports errors via email

“No news is good news”

Page 19:

Preparing for Directory sync

> Every User must have a UPN

> UPN suffix must match a validated domain in Office 365

> UPN Character restrictions

> Letters, numbers, dot or dash

> No dot before @ symbol

> Users may need to understand that they must use UPN to logon to Office 365 Apps

> Can be hidden from users with smart links from domain machines

Page 20:

AD Naming vs. UPN Suffix

> Number of different structures for Active Directory Naming

Publicly routable

Sub domain of a publicly routable domain

Private Domain (e.g. contoso.local)

Single level Domain (e.g. contoso)

> Must use a publicly routable or sub domain of a public routable Domain for your UPN Suffix

Required for Realm discovery

Must be able to prove ownership (via public DNS record)

It does not need to be the same as your AD Domain Name

> Domain name must be shorter than 48 characters

Page 21:

UPN Validations

> All users should have a defined UPN

Where not set:

Enterprise Single Sign on Enabled – SAMAccountName@DomainName

Cloud Based Identity – MailNickName@[company].onmicrosoft.com

> Restrictions on allowed characters in cloud based UPN

Letters, numbers, dot, underscore or dash

No dot before @ symbol (e.g. [email protected] is ok, but [email protected] is not)

Username must not be longer than 64 characters

> Non Validated Domain

> Customer ready tool to verify data in AD

Page 22:

How Directory Synchronization works: Attribute Validations

Attribute / most common issues

userPrincipalName
• cannot have dot ‘.’ immediately preceding ‘@’
• cannot exceed 113 chars (64 for username, 48 for domain)
• cannot contain ! # $ % & \ * + - / = ? ^ _ ` { | } ~ < > ( )
• cannot have duplicate UPNs

sAMAccountName
• cannot contain “ \ / [ ] : | < > + = ; ? ,
• cannot end with dot ‘.’
• cannot be more than 20 chars
• cannot be empty

proxyAddresses
• cannot contain smtp addresses with domains that are not registered for the tenant
• cannot have duplicate proxy addresses
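A pre-sync checker for these rules, added here as an example and not code from the slides or from SafeNet or Microsoft: it applies the userPrincipalName, sAMAccountName and proxyAddresses rules from this slide and the two preceding UPN slides to a constructed sample directory. Where the “UPN Validations” slide (dash and underscore allowed) and the table above (dash and underscore listed among the forbidden characters) disagree, it follows the “UPN Validations” slide; safenetdemos.com is the tenant domain used on the slides, and the sample users are constructed.

```python
"""Pre-sync AD attribute checks built from the Directory Sync rules on the slides (example code).
userPrincipalName: letters, digits, dot, underscore, dash; no dot right before '@'; username <= 64
and domain <= 48 chars; suffix must be a verified Office 365 domain; unique.  sAMAccountName: none of
" \\ / [ ] : | < > + = ; ? ,  no trailing dot, 1..20 chars.  proxyAddresses: smtp: entries only in
registered domains; unique across the directory.
"""
import re
from collections import Counter

UPN_USER_RE = re.compile(r"^[A-Za-z0-9._-]+$")
UPN_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")
SAM_FORBIDDEN = set('"\\/[]:|<>+=;?,')
MAX_UPN_USER, MAX_UPN_DOMAIN, MAX_SAM = 64, 48, 20


def check_upn(upn, verified_domains):
    """Problems with one userPrincipalName (empty list means it passes)."""
    if not upn:
        return ["userPrincipalName is blank"]
    user, _, domain = upn.partition("@")
    problems = []
    if not UPN_USER_RE.match(user):
        problems.append("username part is empty or has invalid characters")
    if user.endswith("."):
        problems.append("dot immediately before '@'")
    if len(user) > MAX_UPN_USER:
        problems.append(f"username longer than {MAX_UPN_USER} chars")
    if not UPN_DOMAIN_RE.match(domain):
        problems.append("domain part is empty or has invalid characters")
    if len(domain) > MAX_UPN_DOMAIN:
        problems.append(f"domain longer than {MAX_UPN_DOMAIN} chars")
    if domain.lower() not in {d.lower() for d in verified_domains}:
        problems.append(f"UPN suffix '{domain}' is not a verified Office 365 domain")
    return problems


def check_sam(sam):
    """Problems with one sAMAccountName."""
    if not sam:
        return ["sAMAccountName is empty"]
    problems = []
    bad = sorted(set(sam) & SAM_FORBIDDEN)
    if bad:
        problems.append("sAMAccountName contains " + " ".join(bad))
    if sam.endswith("."):
        problems.append("sAMAccountName ends with a dot")
    if len(sam) > MAX_SAM:
        problems.append(f"sAMAccountName longer than {MAX_SAM} chars")
    return problems


def check_proxy_addresses(addresses, verified_domains):
    """Problems with a user's proxyAddresses; only smtp:/SMTP: entries are checked."""
    verified = {d.lower() for d in verified_domains}
    problems = []
    for addr in addresses:
        kind, _, value = addr.partition(":")
        if kind.lower() != "smtp":  # X500:, SIP:, x400: entries are left alone
            continue
        domain = value.rpartition("@")[2].lower()
        if domain not in verified:
            problems.append(f"smtp address '{value}' uses unregistered domain '{domain}'")
    return problems


def audit(users, verified_domains):
    """Per-user checks plus directory-wide uniqueness; returns {sAMAccountName: [problems]}."""
    upn_counts = Counter(u["userPrincipalName"].lower() for u in users if u["userPrincipalName"])
    proxy_counts = Counter(a.lower() for u in users for a in u["proxyAddresses"])
    report = {}
    for u in users:
        upn, sam = u["userPrincipalName"], u["sAMAccountName"]
        probs = (check_upn(upn, verified_domains) + check_sam(sam)
                 + check_proxy_addresses(u["proxyAddresses"], verified_domains))
        if upn and upn_counts[upn.lower()] > 1:
            probs.append("duplicate userPrincipalName")
        dupes = sorted({a for a in u["proxyAddresses"] if proxy_counts[a.lower()] > 1})
        if dupes:
            probs.append("duplicate proxyAddresses: " + ", ".join(dupes))
        if probs:  # users that pass every check are left out of the report
            report[sam] = probs
    return report


# Constructed sample directory; safenetdemos.com is the tenant domain named on the slides.
VERIFIED_DOMAINS = ["safenetdemos.com"]
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@safenetdemos.com",
     "proxyAddresses": ["SMTP:alice@safenetdemos.com"]},
    {"sAMAccountName": "bob.", "userPrincipalName": "bob.@safenetdemos.com",  # dot before '@'
     "proxyAddresses": ["SMTP:bob@safenetdemos.com", "smtp:bob@contoso.local"]},
    {"sAMAccountName": "carol", "userPrincipalName": "",  # blank UPN; reuses alice's address
     "proxyAddresses": ["SMTP:alice@safenetdemos.com"]},
    {"sAMAccountName": "dave", "userPrincipalName": "alice@safenetdemos.com",  # duplicate UPN
     "proxyAddresses": ["SMTP:dave@safenetdemos.com"]},
]
if __name__ == "__main__":
    for sam, probs in audit(SAMPLE_USERS, VERIFIED_DOMAINS).items():
        print(f"{sam}: " + "; ".join(probs))
```

Run against a real directory by feeding it the three attributes per user exported from AD; it reports the cleanup list the slides ask for (duplicates, blank or invalid UPNs, unregistered smtp domains) before DirSync is switched on.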

Page 23:

How Directory Synchronization works: Writing to On-Premise AD

> If Rich Co-Existence disabled, Directory Sync will not modify customer’s on-prem AD

> If Rich Co-Existence enabled, Directory Sync will modify up to 6 attributes on users:

Attribute / Feature

SafeSendersHash, BlockedSendersHash, SafeRecipientHash: Filtering Coexistence. Enables on-premise filtering using cloud safe/blocked sender info.

msExchArchiveStatus: Cloud Archive. Allows users to archive mail to the Office 365 service.

ProxyAddresses (cloudLegDN): Mailbox off-boarding. Enables off-boarding of mailboxes back to on-premise.

cloudmsExchUCVoiceMailSettings: Voicemail Co-Existence. Enables on-premise mailbox users to have Lync in the cloud.

Page 24:

Single Forest AD structure and Considerations

Page 25:

Single Sign on setup

Page 26:

How Directory Synchronization works: Architecture

Diagram: Customer Network (AD, Directory Sync) synchronizing to the Office 365 Datacenter (Office 365 FEs, Microsoft Online ID, O365 Directory, Exchange, Office Sub, SharePoint, Lync).

Page 27:

Session Agenda


Page 28:

Office 365 Identity features

> Password policy controls for Microsoft Online IDs

> Single sign-on with corporate credentials

> Role-based administration: Five administration roles

> Company Admin

> Billing Admin

> User Account Admin

> HelpDesk Admin

> Service Support Admin

> Support for Hybrid environments for services such as Exchange Online

> Support for Strong Authentication (e.g. Smart cards)

Page 29:

Role Based Access: Office 365 Roles

Admin and End User Roles

Global Admin: Includes full permissions to your company. The initial user created when signing up will be assigned this role. Can assign admin permissions to other users.

Billing Admin: Has full permissions for billing tasks, and read only permissions for company objects (domains, users). Any user with this role will also receive notifications for billing events.

User Account Admin: Has read only permissions to all company objects, and has user administration permissions. Cannot make changes to billing or tenant admins.

Help Desk Admin: Has read only permission to all company objects, and has reset password privileges. Cannot reset password for tenant, billing or user account admins.

Service Support Admin: Has read only permissions to all company objects. Also has the ability to manage individual services.

User: This is the default role for all users, and does not include any admin permissions.

Partner Roles

Agent Admin: Agent will have full access (Tenant Admin role) on all tenants that the partner has access to.

Agent Help Desk Admin: Agent will have access to reset passwords only (Help Desk Admin role) on all tenants that the partner has access to.

Page 30:

Identity Architecture

Three identity options:

1. Microsoft Online IDs

2. Microsoft Online IDs + DirSync

3. Federated IDs + DirSync

Diagram components: SafenetDemos customer premises (AD, MS Online Directory Sync, Active Directory Federation Server 2.0 as the IdP, Office 365 Desktop Setup); Microsoft Online Services (Identity Services: Provisioning platform, IdP Directory Store, Admin Portal, Authentication platform; trust with the IdP; Lync Online, SharePoint Online, Exchange Online).

Page 31:

Single Sign on Setup for New domains

1. Microsoft Online PowerShell Module for Windows

2. Connect to AD FS 2.0 and Microsoft Office 365

3. Add Domain (returns details for proof of ownership)

4. Add Domain

Diagram components: safenetdemos customer premises (Active Directory Federation Server 2.0, MSOL PowerShell Module); Microsoft Online Services (Identity Services: Provisioning platform, Directory Store, Admin Portal/PowerShell, Authentication platform; trust with AD FS). Steps shown: Add Domain (required CNAME); Add Trust (claim rules, User Source ID = AD ObjectGUID); Verify-Domain (Active/Mex/Passive, token certs Current/Next, Brand URI etc); Update.

Page 32:

Identity

Diagram: Windows Server 2008 running ADFS 2.0 (users are authenticated by the local ADFS server); Federated IDs; User Directory Synchronization from On-Premises AD to the Cloud.

Different identity options for your organization, including full support for single sign on with the cloud

• 2 factor authentication options available

Page 33:

Authentication Options: IT Administrator considerations

Microsoft Online IDs

> Manages password policy in cloud & on-prem

> Password reset for on-prem & MS Online IDs

> No 2 Factor Auth integration

Federated IDs

> Manages password policy on-premise only

> Password reset for on-premise IDs only

> 2 Factor Auth integration options

> Requires additional on-premise servers to enable identity federation

Page 34:

Identity options comparison

1. MS Online IDs

Appropriate for: Smaller orgs without AD on-premise

Pros: No servers required on-premise

Cons: No SSO; No 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud

2. MS Online IDs + Dir Sync

Appropriate for: Medium/Large orgs with AD on-premise

Pros: Users and groups mastered on-premise; Enables co-existence scenarios

Cons: No SSO; No 2FA; 2 sets of credentials to manage with differing password policies; Single server deployment

3. Federated IDs + Dir Sync

Appropriate for: Larger enterprise orgs with AD on-premise

Pros: SSO with corporate credentials; IDs mastered on-premise; Password policy controlled on-premise; 2FA solutions possible; Enables co-existence scenarios

Cons: High availability server deployments required

Page 35:

Sign On Experience: Federated vs. Non-Federated Summary

> Office 365 Desktop setup required for rich clients

> Installs client and operating system updates to enable best sign-on experience

> Enables authentication support for rich clients

> Not required for Web kiosk scenarios (e.g. OWA)

> Passwords can be saved for Outlook on XP/Vista clients and Mobile devices etc.

Table (sign-on prompt frequency by client): rows Federated IDs (domain joined) and MS Online IDs; columns Outlook 2010 (Win 7; Vista/XP), Outlook 2007*, Outlook Web Application, ActiveSync/POP/IMAP/Entourage, SharePoint Online/Lync Online (Office 2010, or Office 2007 SP2). Cell values used on the slide: No prompt*, No prompt**, Each session, Once per session***, Once at setup, Online ID, AD credentials; the cell-by-cell layout is not recoverable from the extracted text.

Page 36:

Identity Federation Requirements

> Single Active Directory forest, Functionality level 2003

> Windows 2008/R2 for Active Directory Federation Services 2.0.

> Hybrid Deployments

> Exchange 2010 SP1 CAS and associated Schema

> Must be an Enterprise AD Account to setup Directory Sync

> Unique third-party SSL certificate

> Windows PowerShell 2.0 feature

> Microsoft Online Services Module for Windows PowerShell tool.

> Establish a relying party trust relationship between the AD FS 2.0 federation server farm and Office 365

> Windows 2003 or above for Directory Synchronization

> Single Forest

> Multiple domains in a single forest supported

Page 37:

ADFS Terminology

> ADFS: Standard base service projecting internal users to the cloud by a trust

> STS (Security Token Service): Microsoft asserts that an STS is a Security Token Service that issues/validates Security Tokens that contain Claims about a Subject.

> Federation server: A federation server issues tokens and serves as part of a Federation Service.

> http://technet.microsoft.com/en-us/library/adfs2-help-terminology(v=ws.10).aspx

Page 38:

Identity Federation: Authentication flow (passive profile)

Diagram: Client (joined to CorpNet), AD FS 2.0 Server and Active Directory on the Customer side; Federation Gateway and Exchange Online on the Microsoft Office 365 side.

Page 39:

Identity Federation: Authentication flow (active profile)

Diagram: Client (joined to CorpNet), AD FS 2.0 Server and Active Directory on the Customer side; Federation Gateway and Exchange Online on the Microsoft Office 365 side.

Page 40:

Strong Authentication

> Currently supported scenarios

Rich Applications must not require second factor to authenticate, i.e. logon to workstation with strong auth and then all connections are based on existing Kerberos tickets

Web Applications

> Unsupported scenarios

Non-Domain Joined (rich apps)

Mobile applications

Operating system/client mix (Windows 7 / Legacy Clients (Vista/XP))

Outlook 2010: Yes / No

Outlook 2007*: Yes / No

Lync 2010: Yes / Yes

SharePoint Online: Yes / Yes

Web Applications: Yes / Yes

Mobile: No

Page 41:

Alternative Proxies and Strong Authentication

Authentication Scheme / Authentication / Limitations

AD FS proxy: Requires integration of the strong authentication provider with the AD FS proxy login page. Limitations: None.

Forefront TMG: Publish the AD FS server. Integration with some strong authentication providers is provided out of the box. Limitations: Supported but requires each path to be published separately.

Forefront UAG SP1: Publish the AD FS server. Integration with some authentication providers is provided out of the box, very flexible integration options. Limitations: Web Clients only.

Page 42:

AD FS 2.0 deployment options

1. Single server configuration

2. AD FS 2.0 server farm and load-balancer

3. AD FS 2.0 proxy server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook)

Diagram: Enterprise network with Active Directory, the internal user and the AD FS 2.0 Server(s); DMZ with the AD FS 2.0 Server Proxy in front of the external user.

Page 43:

Session Agenda


Page 44:

Why do I need UAG in a world that is going cloud?

> The chance of the future being a hybrid setup cloud + on prem is very big.

> You will still need to give your clients access to internal apps

> You will need a bridge between your corpnet and the cloud-nets (think of ADFS publishing)

Page 45:

UAG Solution Architecture

Diagram: clients (Employees Managed Machines, Business Partners / Sub-Contractors, Home / Friend / Kiosk, Mobile) reach UAG over the Internet via DirectAccess, HTTPS (443) or Layer3 VPN; behind UAG sit Exchange, CRM, SharePoint, IIS based apps, IBM, SAP, Oracle, Terminal / Remote Desktop Services and non web apps (HTTPS / HTTP), with AD, ADFS, RADIUS, LDAP… and NPS, ILM as authentication and policy back ends.

• Strong authentication
• Endpoint health detection:
  • NAP and down-level
• Authorization:
  • Based on health status
  • Who + where
• Information leakage prevention
  • Attachment/Cache wiper

Page 46:

What is UAG & Compare the Edge

Integrated and comprehensive protection from Internet-based threats

Unified platform for all enterprise remote access needs

Page 47:

TMG vs UAG (at the publishing level)

> TMG

> De-emphasised on publishing

> Limited to HTTP(s) publishing

> Limited to auth as security

> Client unaware

> UAG

> The future of publishing

> Portal approach

> HTTP(s) + Client / server app + VPN (including DA)

> Health check and cleanup

> Very flexible authentication

> Loads of pre-built templates

> Very detailed reporting

Page 48:

Two Keywords in UAG lingo

Trunk

> Two types of trunks (*UAG can not publish on any other ports)

> HTTP (TCP 80)

> HTTPS (TCP 443)

> Is like an IIS website or a TMG listener => ip + port

> A redirect Trunk can redirect http to https, not the other way.

> Can be linked to the portal or direct to application

> Two options

> Portal trunk => homepage of UAG

> ADFS trunk => SSO over the border of forests

Application

• +/- 40 templates / 5 top-level apps

• Built-in services (automatically added to trunk): File access => ntfs shares; Web-Monitor => remote UAG mgt

• Web (applications): SharePoint, Exchange, ... Other => create your own setup

• Client/server and legacy: apps that run outside of the browser; SSL VPN for specific apps; when launching an app the UAG client components load; Remote Network Access => full network SSL VPN

• Browser-embedded: starts in browser and shifts to binary; Citrix XenApp

• Terminal services and remote desktop: 5 templates

Page 49:

UAG Trunks

Diagram (trunk flow): External IP and URL, HTTP or HTTPS -> UAG Trunk -> Endpoint detection & clean up downloaded to client; Evaluate Endpoint Access Settings -> Authenticate user against authentication servers (Authentication Servers) -> Trunk Portal -> Add Applications to Trunk.

Page 50:

Require domain membership for

> ADFS

> KCD

> File-Access

> DirectAccess

> UAG Array

Page 51:

Adding OTP Authentication

Diagram components: ADFS v2.0 server; UAG (publishes the ADFS server; Windows authentication; OTP authentication); Active Directory; NPS; SAM; Office 365 (https://www.outlook.com/owa/safenetdemos.com).

Page 52:

Session Agenda


Page 53: Mojemoje

How to pick an Exchange migration solution?

[Chart: organizational size in users on the horizontal axis (1, 150, 5,000, 25,000) against time for migration including planning (under 1 week, 2 weeks, 3 weeks, several months). As the organization grows, the recommended option moves from Cutover Exchange migration (C-EM) to Staged Exchange migration (S-EM) with DirSync to Hybrid, and the coexistence features grow from none, to mail flow and GAL sync, to free/busy and archive in the cloud.]

Page 54: Mojemoje


Deployment plan: choices to fit your organization

Source platform     IMAP migration   Cutover Exchange migration   Staged Exchange migration   Hybrid
Exchange 5.5        X
Exchange 2000       X
Exchange 2003       X                X                            X                           X
Exchange 2007       X                X                            X                           X
Exchange 2010       X                X                                                        X
Notes/Domino        X
GroupWise           X
Other               X

* Additional options available with tools from migration partners

> IMAP migration: supports a wide range of e-mail platforms; e-mail only (no calendar, contacts or tasks)

> Cutover Exchange migration (C-EM): good for fast, cutover migrations; no server required on-premises

> Staged Exchange migration (S-EM): no server required on-premises; identity federation with the on-premises directory

> Hybrid deployment (MRS): manage users on-premises and online; enables cross-premises calendaring, smooth migration and easy off-boarding

Page 55: Mojemoje


Migration options

> Cutover: all mailboxes are moved to the cloud in one go; best suited to smaller companies (no DirSync; the MX record is flipped at cutover).

> Staged: mailboxes are moved in batches (requires DirSync).

> Hybrid: onboarding and offboarding of mailboxes with coexistence.

Existing organization                               Mailboxes to migrate   Keep mailboxes on-premises?   Deployment option
Exchange 2010, 2007 or 2003                         Fewer than 1,000       No                            Cutover
Exchange 2007 or 2003                               No maximum             Yes                           Staged or hybrid
Exchange 2010                                       More than 1,000        No                            Hybrid
Exchange 2010                                       More than 1,000        Yes                           Hybrid
Office 365 for professionals and small businesses   Fewer than 50 *        Not applicable **             Cutover

Page 56: Mojemoje


Cutover Exchange migration steps

> Requires Exchange Server 2003 or later

> Enable Outlook Anywhere (RPC over HTTP)

> Enable certificates (a publicly trusted certificate on the Outlook Anywhere endpoint)

> Run the migration

> OST files are not preserved

> All-or-nothing migration

> Dynamic distribution lists (DDLs) are not migrated

> End users perform a first logon to Office 365 and reset their password

> End users create a new Outlook profile; a new OST file is built and all content re-syncs
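As an added example (not from the SafeNet deck), the Exchange Management Shell commands an administrator runs on an Exchange 2010 SP1 Client Access server to prepare for a cutover or staged migration: enable Outlook Anywhere, check the IIS certificate, and grant the Receive-As right the migration service's account needs. The server name, external host name and the dedicated migration account are assumed placeholders; Exchange 2003 configures RPC over HTTP through a different path and is not covered here.

```powershell
# Added example (not from the SafeNet deck): prepare an on-premises Exchange 2010 SP1
# organization for a cutover or staged migration, run from the Exchange Management Shell.
# Server name, external host name and migration account are assumed placeholders.

param(
    [string]$CasServer        = "CAS01",                   # assumed CAS/Hub server
    [string]$ExternalHostname = "mail.contoso.com",        # assumed Outlook Anywhere FQDN
    [string]$MigrationAdmin   = "CONTOSO\svc-o365migrate"  # assumed dedicated migration account
)

# 1. Outlook Anywhere (RPC over HTTP) is the endpoint the Office 365 migration service
#    connects to. Basic authentication over SSL is what the cutover/staged service uses;
#    leave SSLOffloading at $false unless a device in front of the CAS really terminates TLS.
if (-not (Get-OutlookAnywhere -Server $CasServer -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $CasServer `
        -ExternalHostname $ExternalHostname `
        -ClientAuthenticationMethod Basic `
        -SSLOffloading $false
}
Get-OutlookAnywhere -Server $CasServer |
    Format-List Identity, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# 2. The certificate bound to IIS must come from a publicly trusted CA and carry the external
#    name; otherwise the migration service (and Outlook) refuses the connection.
Get-ExchangeCertificate -Server $CasServer |
    Where-Object { $_.Services.ToString() -match "IIS" } |
    ForEach-Object {
        $covers = $_.CertificateDomains -contains $ExternalHostname
        "{0}  Issuer={1}  Expires={2:d}  CoversExternalName={3}" -f $_.Thumbprint, $_.Issuer, $_.NotAfter, $covers
    }

# 3. The migration account needs Receive-As on every mailbox database. Scope it to one
#    dedicated account instead of re-using a domain admin, and remove it after the migration.
Get-MailboxDatabase | Add-ADPermission -User $MigrationAdmin -ExtendedRights Receive-As

# Verification: every database should now list the right for that account
Get-MailboxDatabase | Get-ADPermission -User $MigrationAdmin |
    Where-Object { $_.ExtendedRights -match "Receive-As" } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# Clean-up once the migration is finished (run deliberately, not as part of the preparation):
# Get-MailboxDatabase | Remove-ADPermission -User $MigrationAdmin -ExtendedRights Receive-As -Confirm:$false
```

The Remote Connectivity Analyzer listed under Troubleshooting and Tools is the external check to run after this: it exercises the same Outlook Anywhere endpoint and certificate chain the migration service will see.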

Page 57: Mojemoje


Staged Exchange migration steps

> Mail flow from on-premises to Office 365 goes through the CAS

> Requires DirSync

> Migrates a subset of your on-premises mailboxes to Office 365 per batch

> Incremental syncs are not needed

> Users start using their mailbox as soon as it is created: new mail is available immediately, old content fills in afterwards

> Stamps targetAddress on the source mailbox to support mail flow from on-premises to the cloud

> Important: you cannot perform a staged Exchange migration to migrate on-premises Exchange 2010 mailboxes to Office 365

Page 58: Mojemoje


Staged Exchange migration vs Hybrid: feature set (Staged column as on the sizing chart above: mail flow and GAL sync only)

Feature                                                                                 Staged   Hybrid
Exchange sharing
  Mail routing between on-premises and cloud (recipients on either side)                 yes      yes
  Mail routing with a shared namespace (@company.com on both sides, if desired)          yes      yes
  Unified GAL                                                                            yes      yes
  Free/busy and calendar sharing cross-premises                                          -        yes
  MailTips, message tracking and mailbox search cross-premises                           -        yes
  OWA redirection cross-premises (single OWA URL for on-premises and cloud)              -        yes
  Exchange Online Archive                                                                -        yes
Mailbox move
  Exchange Management Console manages the cross-premises relationship and migrations    -        yes
  Native mailbox move supports both onboarding and offboarding                           -        yes
  No Outlook reconfiguration or OST resync required after mailbox migration              -        yes
  Online mailbox move: users stay logged into the mailbox while it moves to the cloud    -        yes
Secure transport
  Secure Mail: cross-premises email is encrypted and internal auth headers are preserved -        yes
  Centralized mail flow control: all inbound/outbound email routes via on-premises       -        yes

Page 59: Mojemoje


Hybrid: feature summary

> Makes your on-premises organization and cloud organization work together like a single, seamless organization

> Offers near-parity of features and experience on-premises and in the cloud

> Seamless interactions between on-premises and cloud mailboxes

> Migrations in and out of the cloud are transparent to the end user

> Features not supported:

> Migration of Send As / Full Access permissions

> Multi-forest: only single-forest source environments

Page 60: Mojemoje


Hybrid server roles

Two required server roles:

> Office 365 Active Directory Synchronization (DirSync) => unified Global Address List

> Exchange Server 2010 SP1 CAS/Hub* => Exchange sharing, mailbox move, secure transport

One optional server role:

> Active Directory Federation Services => single sign-on

* The Exchange Server 2010 SP1 CAS/Hub ("Hybrid Edition") server licence is free with a paid Exchange Online subscription.

Page 61: Mojemoje


Federation scenarios: "federation" is a very overloaded word

Sign-on scenarios, ADFS v2 ("identity federation"): the user uses corporate credentials to access online resources in the cloud

> Single sign-on for cloud mailbox login (authentication)

> Applies to all Office 365 services, not just Exchange Online

Delegation scenarios ("Exchange federation"): services act on behalf of a user to access Exchange resources

> Cross-premises free/busy and shared calendaring

> Cross-premises MailTips

> Cross-premises message tracking

> Cross-premises mailbox search

> Cross-premises mailbox move

> Cross-premises OWA redirection (single URL)

> Cross-premises archiving

> Specific to the hybrid features provided by Exchange Online

Page 62: Mojemoje


Hybrid setup, step 1: Office 365 configuration steps

> Register your custom domains in the Office 365 portal (Required): register any primary SMTP domains.

> Configure federated identity (Recommended): the on-premises ADFS ("Geneva") server allows the on-premises (single) identity to be used for cloud authentication.

> Configure DirSync (Required): the on-premises appliance synchronizes the on-premises directory/GAL with the cloud.

> Enable DirSync writeback (Recommended): allows rich off-boarding with message reply-ability, archiving in the cloud, and UM in the cloud.

Page 63: Mojemoje


Hybrid setup, step 2: Exchange configuration steps

> Install an Exchange Server 2010 SP1 server on-premises (Required): an on-premises Exchange Server 2010 SP1 CAS/Hub server is required for the hybrid features.

> Configure the cloud Autodiscover DNS record (Required): allows an Outlook client targeted at on-premises Autodiscover to be redirected to the cloud.

> Publish the MRS proxy (Required): allows the Exchange Online Mailbox Replication Service to connect on-premises and perform a move to the cloud.

> Implement cloud configuration policies (Recommended): create configuration policies in the cloud to match (or complement) the on-premises configuration policies (e.g. ActiveSync policies, OWA policies).

> Configure RBAC in the cloud (Recommended): create/manage Role Based Access Control (RBAC) settings in the cloud to match (or complement) the on-premises RBAC configuration.

> Configure the federation trust / organization relationship, "federated sharing" (Recommended): enables the infrastructure for delegated federation through the Live namespace (Microsoft Federation Gateway). Allows cross-premises free/busy and shared calendaring, OWA redirection (single URL), MailTips, mailbox search, message tracking and archiving.

> Configure cross-premises mail routing (Recommended): ensures proper anti-spam and header handling for mail sent between on-premises and the cloud.
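As an added example (not from the SafeNet deck), the "Publish MRS Proxy" step carried through: enable the proxy on the on-premises Exchange 2010 SP1 EWS virtual directory, then prove from Exchange Online remote PowerShell that the cloud Mailbox Replication Service can reach it with the on-premises migration credentials before any move request is created. Server and host names are assumed placeholders.

```powershell
# Added example (not from the SafeNet deck): publish and verify the MRS proxy for hybrid
# mailbox moves. Server name, external EWS URL and domains are assumed placeholders.

# --- Part 1: on-premises Exchange Management Shell (Exchange 2010 SP1) ------------------
$CasServer   = "CAS01"                                        # assumed hybrid CAS/Hub server
$ExternalEws = "https://mail.contoso.com/EWS/Exchange.asmx"   # assumed external EWS URL

# The MRS proxy answers on the EWS virtual directory and is disabled by default. Exchange
# Online's Mailbox Replication Service connects to it over HTTPS to pull (onboard) and push
# (offboard) mailboxes.
Get-WebServicesVirtualDirectory -Server $CasServer |
    Set-WebServicesVirtualDirectory -MRSProxyEnabled $true -ExternalUrl $ExternalEws

Get-WebServicesVirtualDirectory -Server $CasServer |
    Format-List Identity, InternalUrl, ExternalUrl, MRSProxyEnabled, ExternalAuthenticationMethods

# Only the external EWS URL needs to be published (here through UAG) and its host name must be
# on the publicly trusted certificate; the rest of the CAS stays internal-only.

# --- Part 2: Exchange Online remote PowerShell (separate session, tenant admin) -----------
$cloudCred = Get-Credential                                   # Office 365 admin credentials
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cloudCred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Proves from the cloud side that the MRS proxy endpoint is reachable and accepts the
# on-premises migration account (DOMAIN\user) before any mailbox is touched.
$onpremCred = Get-Credential                                  # on-premises migration admin
Test-MigrationServerAvailability -ExchangeRemoteMove `
    -RemoteServer "mail.contoso.com" `
    -Credentials $onpremCred

# A move is then created against the same endpoint; -Remote moves on-premises -> cloud.
# New-MoveRequest -Identity user@contoso.com -Remote -RemoteHostName mail.contoso.com `
#     -RemoteCredential $onpremCred -TargetDeliveryDomain contoso.mail.onmicrosoft.com

Remove-PSSession $session
```

If Test-MigrationServerAvailability fails while the on-premises cmdlets show MRSProxyEnabled as True, the problem is in front of the CAS (publishing rule, certificate name, or the external URL not resolving), which is where the UAG Web Monitor and the Remote Connectivity Analyzer from the Troubleshooting and Tools slide apply.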

Page 64: Mojemoje


Hybrid migration: mailbox offboarding

> Why might you care about offboarding?

> Long-term hybrid scenarios

> Compliance requirements (retaining ex-employee data)

> Piloting online but not yet committed to the move

> What you need to know about offboarding:

> Offboarding is available using the EMC toolset while in a hybrid scenario

> Offboarding to an on-premises Exchange Server 2010 database is an online mailbox move

Page 65: Mojemoje


Deployment flexibility: rich hybrid capabilities

Connect your Exchange Server to the cloud for smooth migration or long-term coexistence:
• Share free/busy data between cloud and on-premises users
• Migrate users to the cloud with native Exchange tools
• Give users a seamless transition, with no OST re-sync
• Easily move mailboxes back on-premises

[Diagram: an Exchange Server 2003 or 2007 organization connected to Exchange Online through an Exchange 2010 SP1 "Hybrid Edition" server.]

Page 66: Mojemoje


FOPE Admin Center

• Run real-time reports
• Customize spam settings
• Configure policy filtering
• Perform message tracking
• Office 365 customers can access the FOPE Admin Center
• Provides Office 365 customers with a new level of control

Page 67: Mojemoje


When to use the FOPE Admin Center vs. the Exchange Control Panel

Use the FOPE Admin Center for these tasks:
• Trace messages outside your organization
• Perform transport-related tasks not available in transport rules: specific header attributes; custom dictionaries and character sets; actions such as quarantine or encrypt
• Configure organization-wide safe/blocked senders
• Configure granular anti-spam settings (e.g. backscatter, SPF)
• View reports on spam filtering
• Configure forced TLS

Use the Exchange Control Panel for these tasks:
• Trace messages within your organization
• Set up transport rules to: add disclaimers to emails; look for keywords and regular expressions; block email sent to the outside world (by sender, domain, etc.); moderate email delivery
• Configure journaling of emails to an external archive

Page 68: Mojemoje


Session Agenda (next section: How to build up the solution)

Page 69: Mojemoje


Steps to build the solution:

> Add and verify your domain name with Office 365

> Prepare your on-premises Active Directory for directory synchronization

> Enable single sign-on (identity federation)

> Install the Directory Synchronization tool and perform a synchronization

> Configure email migration (staged or hybrid)

> Install UAG SP1 and publish ADFS (UAG acts as the ADFS proxy)

> Install SAM 8.0 SP3

> Deploy client applications and the Office 365 desktop setup

> Enroll and provision tokens to users

> Test and validate
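The Office 365 side of the steps above (add and verify the domain, enable identity federation, enable directory synchronization), as an added example in the Microsoft Online Services Module for Windows PowerShell; this is not code from the deck. The tenant domain is taken from the OWA URL used in the deck's diagrams, and the internal ADFS server name is an assumed placeholder.

```powershell
# Added example (not from the SafeNet deck): tenant-side setup with the MSOnline module.
# The domain comes from the deck's OWA URL; the ADFS server name is an assumed placeholder.

Import-Module MSOnline
$Domain     = "safenetdemos.com"     # domain in the deck's OWA URL, assumed to be the tenant domain
$AdfsServer = "adfs01.corp.local"    # assumed internal ADFS 2.0 server (the one UAG publishes)

Connect-MsolService -Credential (Get-Credential)   # tenant global administrator

# 1. Add and verify the domain. Ownership is proven with a TXT record the tenant generates;
#    the domain stays Unverified (and cannot be federated) until Confirm-MsolDomain succeeds.
if (-not (Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $Domain -Authentication Managed | Out-Null
}
$txt = Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord
"Create this TXT record at your DNS host, then re-run:`n  {0}  TXT  {1}" -f $txt.Label, $txt.Text

if ((Get-MsolDomain -DomainName $Domain).Status -ne "Verified") {
    try   { Confirm-MsolDomain -DomainName $Domain }
    catch { Write-Warning "Domain not verifiable yet: $_"; return }
}

# 2. Convert the verified domain to federated. Run where the module can reach the ADFS
#    server over WinRM: it creates the "Microsoft Office 365 Identity Platform" relying-party
#    trust in ADFS and uploads the ADFS token-signing certificate to the tenant. Every user
#    in this domain now authenticates through ADFS, which is why the pilot rule later matters.
Set-MsolADFSContext -Computer $AdfsServer
Convert-MsolDomainToFederated -DomainName $Domain

# 3. Check what the tenant trusts. The passive/active logon URLs are what Office 365 sends
#    users to, so they must resolve externally to the UAG-published ADFS name, and the
#    signing certificate must be the one on the ADFS server.
Get-MsolFederationProperty -DomainName $Domain |
    Format-List Source, FederationServiceDisplayName, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri, TokenSigningCertificate

# 4. Enable directory synchronization before installing the DirSync tool on-premises.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
Get-MsolCompanyInformation | Format-List DirectorySynchronizationEnabled, LastDirSyncTime
```

Get-MsolFederationProperty returns two records, one read from the ADFS server and one from Office 365; any difference between them (URL or token-signing certificate) means sign-on will fail for every user in the domain, so compare them after every ADFS certificate rollover as well as at build time.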

Page 70: Mojemoje


Key Activities

Page 71: Mojemoje


Session Agenda (next section: How to build a pilot)

Page 72: Mojemoje


How to pilot single sign-on in a production user forest

> Set up an issuance authorization claim rule on the ADFS 2.0 server that only issues a security token for the authenticated user if they are a member of an on-premises security group. Your pilot users go into this security group, and so do the remaining users as you stage the rollout to the organization.
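One way to implement the rule described above, as an added example (not code from the deck): an ADFS 2.0 issuance authorization rule on the Office 365 relying-party trust that permits only members of an on-premises security group, keyed on the group SID. The group name is an assumed placeholder; the trust name is the one Convert-MsolDomainToFederated creates.

```powershell
# Added example (not from the SafeNet deck): restrict Office 365 sign-on to a pilot group by
# replacing the issuance authorization rules on the Office 365 relying-party trust (ADFS 2.0).
# The group name is an assumed placeholder.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 cmdlets
Import-Module ActiveDirectory

$PilotGroup = "O365-Pilot-Users"                       # assumed on-premises security group
$TrustName  = "Microsoft Office 365 Identity Platform" # created by Convert-MsolDomainToFederated

# Authorize on the group SID, not the display name: a name can be deleted and re-created by
# someone with less privilege, a SID cannot.
$sid        = (Get-ADGroup -Identity $PilotGroup).SID.Value
$sidPattern = "^(?i)" + [regex]::Escape($sid) + "$"

# Authorization rules are all-or-nothing: if no rule issues a permit claim the user is denied.
# This single rule therefore replaces the default "Permit Access to All Users" rule, which
# must not be left in the set. It relies on the Active Directory claims provider's default
# "Pass through all Group SID claims" acceptance rule to supply the groupsid claims.
$rules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Office 365 pilot group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "$sidPattern"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Keep the current rule set for rollback, then apply the pilot rule.
$before = (Get-ADFSRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules
$before | Out-File -FilePath ".\O365-authz-rules.before.txt"
Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $rules

# Read back what ADFS actually stored.
(Get-ADFSRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules

# Rollout: add users to $PilotGroup per wave; no further ADFS change is needed.
# Rollback to the saved rule set:
# $saved = Get-Content ".\O365-authz-rules.before.txt" | Out-String
# Set-ADFSRelyingPartyTrust -TargetName $TrustName -IssuanceAuthorizationRules $saved
```

Users outside the group still exist in the tenant (DirSync has created them), but once the domain is federated they get an ADFS access-denied page instead of an Office 365 sign-in; that is the intended effect of piloting in a production forest, and it is why the previous rule set is saved before the change.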

Page 73: Mojemoje


Session Agenda (next sections: Troubleshooting and Tools, then Demo)

Page 74: Mojemoje


Troubleshooting and tools

> Microsoft Office 365 Deployment Readiness Tool

> Microsoft Exchange Remote Connectivity Analyzer

> https://www.testexchangeconnectivity.com/

> UAG Web Monitor

> PowerShell cmdlets

> Outlook connection test