MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment

Microsoft Exchange Server and Office 365: Hybrid Deployment

Sanjeev Thakur, Sr. Premier Field Engineer, Microsoft Singapore
Ram Muthukaruppan, Sr. Consultant, Microsoft Singapore

SINGAPORE


Agenda

Overview of Hybrid Deployment

Planning Hybrid Deployment

Mail Flow Architecture

Calendar Sharing

Secure Transport

Deployment

Migration

What’s new in SP2

Q&A

[Slide graphic: deployment options. Migration sources: Exchange, IMAP, Lotus Notes, Google. Organization sizes: Large, Medium, Small. Identity: On-Premises (Single Sign-On) vs. On-Cloud (DirSync, Bulk Provisioning). Hybrid: Exchange sharing features.]

Overview of Hybrid Deployment

• Seamless interactions between on-premises and cloud mailboxes
• Calendar and free/busy information sharing between on-premises and cloud mailboxes
• Mailbox management can be done using the on-premises Exchange Management Console
• Users can log on to their email accounts with their existing credentials regardless of their mailbox location
• Migrations into and out of Exchange Online are transparent to the user

Limitations - Hybrid Deployment

• Coexistence of mailbox permissions: permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud
• Migration of Send As for non-mailbox recipients
• Multi-forest: only single-forest source environments are supported
• Public Folders

Planning Hybrid Deployment

Hybrid Server Roles

2 required server roles:
• Office 365 Active Directory Synchronization
• Exchange Server 2010 SP1 CAS/Hub*

1 optional server role:

Identity vs. Exchange Federation

To use hybrid deployment, you must maintain at least one federation technology.

Identity Federation
  – Provides SSO
  – Requires AD FS 2.0
  – Applies to all Office 365 services

Exchange Federation
  – Exchange Federation Trust
  – Organization relationships
  – Applies only to Exchange Online services

Domain Name Requirement

Primary SMTP domain: contoso.com
  – MX record points to on-premises

Service domain: service.contoso.com
  – MX record points to Office 365
  – Used for mail routing between on-premises and Office 365

Delegation domain: exchangedelegation.contoso.com
  – Only used for setting up the Federation Trust
  – DNS TXT records configured for proof-of-ownership purposes

Certificate Requirement

A public certificate is required to successfully set up both Identity Federation and Exchange Federation.

A public certificate is required for the following services:
  – AD FS endpoints (AD FS Proxy)
  – Exchange Web Services
  – Autodiscover

The Exchange Federation Trust can use a self-signed, public, or internal-CA-generated certificate:
  – The Exchange Management Console wizard creates a self-signed certificate if one does not exist
  – This certificate is only used to sign and encrypt delegation tokens
  – Exchange automatically distributes this certificate to other CAS servers

Mail Routing Architecture

[Diagram: Single Namespace - Core Concepts. On-premises AD forest (DC, Exchange 2003 FE/BE server); MX for contoso.com = on premises; external recipient ([email protected]) on the Internet; email from [email protected] to [email protected].]

[Diagram: Shared Namespace - Core Concepts. Same on-premises AD forest and Exchange 2003 FE/BE server, plus Exchange Online; MX for contoso.com = on premises, MX for service.contoso.com = Exchange Online; external recipient ([email protected]) on the Internet; email from [email protected] to [email protected].]

Calendar Sharing

[Diagram: Standard On-Premises Free/busy. On-premises user "Ben" looks up Brad's free/busy through the on-premises Client Access Server and Mailbox Server.]

[Diagram: Federated Free/busy. Free/busy request from Ben (on premises) to Joe (Exchange Online): on-premises Client Access Server -> Microsoft Federation Gateway -> Exchange Online Mailbox Server.]

[Diagram: Exchange Online Archive. Archive request from on-premises user "Ben" to his archive in Exchange Online, through the on-premises Client Access Server and the Microsoft Federation Gateway.]

Secure Transport

[Diagram: Secure Mail - TLS. On-premises Mailbox Server and Hub Transport Server (mailbox "Ben") exchange mail with Exchange Online (cloud mailbox "Joe") through Forefront Online Protection for Exchange over TLS.]

[Diagram: Domain Secure. Same topology, with Domain Secure (mutually authenticated TLS) between the on-premises Hub Transport Server and Forefront Online Protection for Exchange.]

[Diagram: Secure Mail - Sending Internal Headers to the Cloud. XOORG data travels with the message from the on-premises Hub Transport Server through Forefront Online Protection for Exchange to Exchange Online, keyed to the certificate subject; cross-premises emails are authenticated as "Internal".]

[Diagram: Secure Mail - Sending Internal Headers to On-premises. XOORG data travels from Exchange Online through Forefront Online Protection for Exchange to the on-premises Hub Transport Server; emails from the cloud are seen as Internal by Transport.]

[Diagram: Centralized Mail flow Control. Internet mail for the organization passes through Forefront Online Protection for Exchange and the on-premises Hub Transport Server, which sits between the Internet and the Exchange Online mailboxes.]

Deployment

Exchange Deployment Assistant
  – Step 1: Office 365 Configuration
  – Step 2: Exchange Configuration

Creating the Exchange Federation Trust

[Diagram: on-premises AD forest with Exchange 2010 CAS/HUB server; Exchange Online tenant (MSO ID); Microsoft Federation Gateway (MFG).]

• Automatic implied trust between the Exchange Online tenant and the MFG
• Create the Exchange Federation Trust with the MFG using a "unique namespace", e.g. "exchangedelegation.contoso.com"
• On-premises organization relationship with "service.contoso.com"
• Exchange Online organization relationship with "contoso.com"
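The steps on this slide, written out as an added Exchange Management Shell example (not code from the deck or from Microsoft's wizard). It assumes Exchange 2010 SP1 on-premises, the domain names used on the slides (contoso.com, service.contoso.com, exchangedelegation.contoso.com), and a test mailbox ben@contoso.com; the certificate friendly name and the remote PowerShell endpoint are assumptions, as is the Proof property name on the Get-FederatedDomainProof output.

```powershell
# Added example: Exchange Federation Trust + organization relationships, on-premises side.

# 1. Certificate that signs/encrypts delegation tokens. Self-signed is enough for the
#    federation trust; Exchange copies it to the other CAS servers.
$fedCert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like '*Exchange Delegation Federation*' } |
    Select-Object -First 1
if (-not $fedCert) {
    $fedCert = New-ExchangeCertificate -FriendlyName 'Exchange Delegation Federation' `
        -SubjectName 'CN=Exchange Delegation Federation' `
        -DomainName 'exchangedelegation.contoso.com' -PrivateKeyExportable $true
}

# 2. Trust with the Microsoft Federation Gateway (the tenant side is implied automatically).
New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint $fedCert.Thumbprint

# 3. Proof of ownership: each namespace needs a DNS TXT record carrying this value
#    before step 4, otherwise the MFG refuses the namespace.
foreach ($domain in 'exchangedelegation.contoso.com', 'contoso.com') {
    $proof = Get-FederatedDomainProof -DomainName $domain
    "Publish TXT record for $domain with value: $($proof.Proof)"
}
# Optional check once the records are live (Resolve-DnsName needs the DnsClient module):
# Resolve-DnsName -Name 'contoso.com' -Type TXT | Select-Object Strings

# 4. Unique account namespace first, then the primary SMTP domain is added to it.
Set-FederationOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' `
    -AccountNamespace 'exchangedelegation.contoso.com' -Enabled $true
Add-FederatedDomain -DomainName 'contoso.com'

# 5. On-premises organization relationship with the service domain. LimitedDetails
#    exposes free/busy but not subject/location; MailboxMoveEnabled is needed for
#    the online moves shown later in the deck.
Get-FederationInformation -DomainName 'service.contoso.com' |
    New-OrganizationRelationship -Name 'Exchange Online' `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailboxMoveEnabled $true -ArchiveAccessEnabled $true `
        -DeliveryReportEnabled $true -MailTipsAccessEnabled $true -MailTipsAccessLevel All

# 6. Verify the token exchange with the MFG and the relationship end to end.
Test-FederationTrust -UserIdentity 'ben@contoso.com' -Verbose
Test-OrganizationRelationship -Identity 'Exchange Online' -UserIdentity 'ben@contoso.com'

# 7. Mirror relationship on the tenant, run from a remote PowerShell session to
#    Exchange Online (endpoint assumed: https://ps.outlook.com/powershell/):
#    Get-FederationInformation -DomainName 'contoso.com' |
#        New-OrganizationRelationship -Name 'On-Premises' -FreeBusyAccessEnabled $true `
#            -FreeBusyAccessLevel LimitedDetails -MailboxMoveEnabled $true
```

The ordering matters: the TXT proof records must resolve before Set-FederationOrganizationIdentifier and Add-FederatedDomain, and the organization relationship is created from the output of Get-FederationInformation so that the target application URI and Autodiscover endpoint come from the other side's published federation metadata rather than being typed in.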

Creating the Secure Mail Connectors

[Diagram: Exchange 2010 CAS/HUB server in the on-premises AD forest connected to Exchange Online through FOPE.]
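An added example of the connectors this slide refers to, covering the TLS, XOORG and Domain Secure topologies from the Secure Transport section (example code, not from the deck or from Microsoft's wizard). Assumptions: Exchange 2010 SP1 on-premises; a Hub Transport server named HUB01 whose SMTP certificate has subject mail.contoso.com; the FOPE smart host and certificate name mail.messaging.microsoft.com. All three names are placeholders.

```powershell
# Added example: secure mail connectors between on-premises Exchange 2010 SP1 and FOPE.

# Certificate used for TLS on both connectors, in the <I>issuer<S>subject form that
# the TlsCertificateName parameter expects.
$tlsCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and $_.Subject -like '*mail.contoso.com*' } |
    Select-Object -First 1
$tlsCertName = "<I>$($tlsCert.Issuer)<S>$($tlsCert.Subject)"

# Outbound to the service domain. RequireTLS alone only encrypts; TlsAuthLevel
# DomainValidation plus TlsDomain additionally checks that the peer's certificate
# is valid AND issued for the expected name, so a MitM with any other valid
# certificate is rejected rather than silently accepted.
New-SendConnector -Name 'Outbound to Office 365' -Usage Custom `
    -AddressSpaces 'service.contoso.com' -SourceTransportServers 'HUB01' `
    -DNSRoutingEnabled $false -SmartHosts 'mail.messaging.microsoft.com' `
    -SmartHostAuthMechanism None -Fqdn 'mail.contoso.com' `
    -RequireTLS $true -TlsAuthLevel DomainValidation `
    -TlsDomain 'mail.messaging.microsoft.com' -TlsCertificateName $tlsCertName

# Inbound. AcceptOorgProtocol is what lets the peer pass XOORG data so the message
# is authenticated as "Internal". It is bound to the FOPE TLS domain: only a session
# that authenticated with that certificate gets the capability, which is what stops
# an arbitrary Internet sender from asserting internal-origin headers.
Set-ReceiveConnector -Identity 'HUB01\Default HUB01' `
    -Fqdn 'mail.contoso.com' -TlsCertificateName $tlsCertName `
    -TlsDomainCapabilities 'mail.messaging.microsoft.com:AcceptOorgProtocol'

# Domain Secure variant (the second topology on the slides): mutually authenticated
# TLS driven by the transport config domain lists instead of TlsAuthLevel.
# Shown as an alternative, not applied on top of the connectors above:
# Set-TransportConfig -TLSSendDomainSecureList 'service.contoso.com' `
#     -TLSReceiveDomainSecureList 'service.contoso.com'
# Set-SendConnector 'Outbound to Office 365' -DomainSecureEnabled $true
# Set-ReceiveConnector 'HUB01\Default HUB01' -DomainSecureEnabled $true

# Review what was set. After a cross-premises test message, the header
# X-MS-Exchange-Organization-AuthAs should read Internal on the receiving side.
Get-SendConnector 'Outbound to Office 365' |
    Format-List RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName, SmartHosts
Get-ReceiveConnector 'HUB01\Default HUB01' |
    Format-List Fqdn, TlsCertificateName, TlsDomainCapabilities, PermissionGroups
```

The point a reviewer should check on a real deployment is the last block: if TlsDomainCapabilities is empty, or AcceptOorgProtocol is granted to a wildcard domain, the "Internal" trust described on the XOORG slides extends to any sender that can negotiate TLS with the Hub Transport server.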

Migration

Hybrid Coexistence Migration

• It's a true "online" move: the user stays connected to their mailbox through the move
  – Client switchover happens automatically at the end
  – Traditional "offline" move when moving from an Exchange 2003 source
• Outlook uses Autodiscover to detect the change and fixes up the user's Outlook profile automatically on the client machine
• Since it's a move (not a new mailbox + data copy), Outlook doesn't see it as a new/different mailbox. End result: no OST resync
• Moves are queued and paced by the datacenter
• Object conversion for mail routing happens automatically after the data move
  – The on-premises mailbox gets converted to a mail-enabled user automatically
  – The admin can override this automation and stage the move-then-convert steps

Autodiscover

[Diagram: Outlook client, on-premises Exchange, Exchange Online]

(1) Outlook: where is my mailbox?
(2) Local Exchange passes a redirect to "service.contoso.com"
(3) Outlook attempts to discover the endpoint through the DNS record "autodiscover.service.contoso.com"
(4) Request authentication
(5) Authentication success
(6) Profile builds

On-premises object: Remote Mailbox, Primary SMTP Address = [email protected], Remote Routing Address = [email protected]
Exchange Online object: Mailbox, Primary SMTP Address = [email protected], Secondary SMTP Address = [email protected]
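The move and the object conversion from the Migration slides, as an added example that is not part of the deck: a staged remote move of ben@contoso.com driven from the on-premises Exchange Management Shell with the Exchange Online cmdlets imported under a Cloud prefix. Assumptions: Exchange 2010 SP1; mail.contoso.com publishes the MRS proxy; the on-premises migration account contoso\migadmin and the 2011-era remote PowerShell endpoint are placeholders.

```powershell
# Added example: staged online mailbox move on-premises -> Exchange Online.

$tenantCred = Get-Credential -Message 'Office 365 tenant admin'
$onPremCred = Get-Credential -Message 'On-premises admin (contoso\migadmin) used by MRS proxy'

# Remote session to the tenant; -Prefix keeps its cmdlets distinct from the local ones.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' -Credential $tenantCred `
    -Authentication Basic -AllowRedirection
Import-PSSession $session -Prefix Cloud | Out-Null

# The move is requested from the cloud side and pulls through the on-premises MRS proxy.
# -SuspendWhenReadyToComplete is the "stage the move-then-convert steps" override from
# the slide: data is copied now, the switchover waits for the admin.
New-CloudMoveRequest -Identity 'ben@contoso.com' -Remote `
    -RemoteHostName 'mail.contoso.com' -RemoteCredential $onPremCred `
    -TargetDeliveryDomain 'service.contoso.com' -BadItemLimit 10 `
    -SuspendWhenReadyToComplete

# Moves are queued and paced by the datacenter, so poll rather than wait a fixed time.
do {
    Start-Sleep -Seconds 60
    $stats = Get-CloudMoveRequestStatistics -Identity 'ben@contoso.com'
    '{0}: {1} ({2}%)' -f $stats.DisplayName, $stats.Status, $stats.PercentComplete
} while (('AutoSuspended', 'Completed', 'Failed') -notcontains "$($stats.Status)")

# Completing the move is the moment Outlook's next Autodiscover call gets the redirect.
if ("$($stats.Status)" -eq 'AutoSuspended') {
    Resume-CloudMoveRequest -Identity 'ben@contoso.com'
}

# After completion the on-premises mailbox has been converted to a mail-enabled user
# (remote mailbox) whose RemoteRoutingAddress is in the service domain; that address is
# what keeps on-premises mail flow and the Autodiscover redirect working.
Get-RemoteMailbox -Identity 'ben' |
    Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, EmailAddresses

Remove-PSSession $session
```

If the status loop ends in Failed, Get-CloudMoveRequestStatistics with -IncludeReport shows the per-item failures; the BadItemLimit above is the only tolerance for corrupt items and should be kept small so a move does not quietly drop mail.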

What's New in Exchange 2010 SP2?

New Hybrid Configuration Wizard, which configures:
  – Exchange federation trust
  – Organization relationships
  – Remote domains/accepted domains
  – Email address policies
  – Send/Receive connectors
  – Forefront inbound/outbound connectors
  – MRSProxy
  – Pre-req checks (e.g. Office 365 Active Directory Sync, Exchange certificates, registered custom domains, etc.)

New PowerShell cmdlets: New/Get/Set/Update-HybridConfiguration

Namespace improvements
  – Removes the requirement for a unique namespace
  – Provides every customer a coexistence domain for every hybrid deployment
    • service.contoso.com is now contoso.mail.onmicrosoft.com

Pre-SP2: approximately 50 manual steps. With SP2: only 6 manual steps.
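The SP2 cmdlets named on this slide, as an added example of what the wizard runs (not code from the deck or from Microsoft). Assumptions: Exchange 2010 SP2 on-premises; server names CAS01 and HUB01, the public IP 203.0.113.10, the smart host mail.contoso.com and the certificate subject are placeholders; the parameter set is the SP2 one and should be checked against the build in use.

```powershell
# Added example: Hybrid Configuration object + Update-HybridConfiguration (Exchange 2010 SP2).

# Certificate the wizard will put on the secure mail connectors (see the SP1 connector
# example for what those settings mean).
$secureMailCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' -and $_.Subject -like '*mail.contoso.com*' } |
    Select-Object -First 1

# The HybridConfiguration object is only a description of the intended topology.
New-HybridConfiguration -ClientAccessServers 'CAS01' -HubTransportServers 'HUB01' `
    -ExternalIPAddresses '203.0.113.10' -Domains 'contoso.com' `
    -OnPremisesSmartHost 'mail.contoso.com' `
    -SecureMailCertificateThumbprint $secureMailCert.Thumbprint `
    -Features FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail

# Update-HybridConfiguration does the work of the ~50 SP1 manual steps: federation
# trust, organization relationships, accepted/remote domains, address policies,
# connectors on both sides, MRS proxy. Two sets of credentials because it writes to
# both organizations.
$onPremCred = Get-Credential -Message 'On-premises Exchange organization admin'
$tenantCred = Get-Credential -Message 'Office 365 tenant admin'
Update-HybridConfiguration -OnPremisesCredentials $onPremCred -TenantCredentials $tenantCred

# Review the result. The coexistence domain is now contoso.mail.onmicrosoft.com
# (the SP1 service.contoso.com role), so that is the address space to look for.
Get-HybridConfiguration | Format-List
Get-OrganizationRelationship |
    Format-List Name, DomainNames, FreeBusyAccessLevel, MailboxMoveEnabled, ArchiveAccessEnabled
Get-SendConnector |
    Where-Object { "$($_.AddressSpaces)" -match 'mail\.onmicrosoft\.com' } |
    Format-List Name, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain
Get-ReceiveConnector -Server 'HUB01' |
    Format-List Name, TlsDomainCapabilities, TlsCertificateName
```

The wizard's output is worth reading rather than trusting: the last three commands show whether the connectors it created enforce TLS with domain validation and restrict the XOORG capability to the service's certificate domain, which are the two settings that make the "Internal" cross-premises trust safe.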

Questions?
