Preparing for an Exchange 2013 Hybrid

Exchange 2013 – Office 365Preparing for Hybrid

Jethro Seghers

Blogger

Twitter: @jseghersE-mail: [email protected]: [email protected]: http://blog.j-solutions.be

Consultant

Trainer

www.devconnections.com

EXCHANGE 2013 – OFFICE 365: PREPARING FOR HYBRID

WHAT IS HYBRID EXCHANGE?

1 VIRTUAL ORGANIZATION



4

WHY HYBRID DEPLOYMENTS?

Organizations are not ready to go completely to the cloud

Security Concerns

Compliancy Concerns

Management Concerns

Long-term coexistence Large migrations where cutover isn’t possible. Transparent mailbox moves (to or from Exchange

Online)



5

WHY HYBRID DEPLOYMENTS?

Take advantages of features like e.g. Exchange Online Archiving with On Premises Mailboxes

Interaction with 3rd party applications



6

ADVANTAGES OF HYBRID DEPLOYMENT

Secure mail routing between on-premises and Exchange Online organizations

Mail routing with a shared domain namespace A unified global address list (GAL), also called a

“shared address book.” Free/busy and calendar sharing between on-premises

and Exchange Online organizations



7


Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization

A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations

The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed



8


Centralized mailbox management using the on-premises Exchange admin center (EAC)

Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.

Cloud-based message archiving for on-premises Exchange mailboxes



9

DEMOEXCHANGE HYBRID IN ACTION



10

SUPPORTED VERSIONS

Office 365 (v 2010)

Office 365 - W15w/ On-Prem 2010

Office 365 – W15w/ On-Prem 2013

Exchange 2013 N/A X

Exchange 2010 SP3 X X X

Exchange 2010 SP2 X

Exchange 2010 SP1 X

Exchange 2007 SP3 (X) (X) (X)

Exchange 2007 SP2/SP3

(X) (X)

Exchange 2003 SP2 (X) (X)



11

ARCHITECTURE



MAILFLOW



13

BUILDING BLOCKS

Supported Exchange On Premises Version Exchange Online Directory Synchronization Active Directory Federation Services Exchange Online Protection



WHAT IS DIRSYNC?

“…is a Directory Synchronization engine based on Forefront Identity Manager (FIM) that will synchronize a subset of your on-

premise Active Directory with Windows Azure Active Directory (Office 365).”



15

WHY DIRSYNCMain Purpose: Sync Attributes from Active Directory to Windows Azure Active Directory and Back (in case of Hybrid)



16

LESSONS LEARNED

Long term coexistence between Active Directory On Premise and Windows Azure Active Directory.

It’s NOT for easy, quick provisioning of objects, such as groups, contacts, …

It provides a single point of managing Users

Groups & Memberships

Contacts

Sync attributes runs once every 3 hours. Sync AD password once every 2 minutes.



DirSync

SourceADMA

TargetWebService

MA

Active Directory

METAVERSE

DIRSYNC: HOW DOES IT WORK



18

DEPLOYMENT CONSIDERATIONS

Is your Active Directory Ready for DirSync Topology: single forest? Multiple Domains? Broken inheritance user rights?

Check your AD by using the Readiness Tool or OnRamp

Firewall? Can DirSync connect to Azure Active Directory Service Accounts 64 Bit only Activation, Deactivation Time Filtering? SQL Version?



WHAT OBJECTS ARE SYNCED? From AD to Office 365: http://support.microsoft.com/kb/2256198 From Office 365 to AD (aka write-back):

Write-Back attribute Exchange "full fidelity" feature

SafeSendersHashBlockedSendersHashSafeRecipientHash

Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.

msExchArchiveStatus Online Archive: Enables customers to archive mail.

ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500)

Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.

msExchUCVoiceMailSettings

Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.



20

TROUBLESHOOTING

Broken Inheritance Active Directory Email Send out by DirSync IDFix : DirSync Remediation Tool MetaVerse Search Expired Password DirSync



21

DEMODIRSYNC IN ACTION



WHAT IS ADFS?

“…is a software component installed on Windows Server operating systems to provide users with

Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement

federated identity…”



23

WHY ADFSMain Purpose: Provide Active Directory Users a full Single Sign On experience



ADFS: ON PREMISE TOPOLOGY

Enterprise DMZ

AD FS 2.0 ServerProxy

Internaluser

ActiveDirectory

AD FS 2.0 Server

AD FS 2.0 Server




ADFS: ON PREMISE TOPOLOGY

Enterprise DMZ


Internaluser

ActiveDirectory

AD FS 2.0 Server

AD FS 2.0 Server




WEB (PASSIVE) AUTHENTICATION FLOW

Online

ADFS

DC

Client Exchange/SP Online

Auth. Platform (WAAD)

WEB

Auth



ACTIVE AUTHENTICATION FLOW

Online

ADFS

DC

Client Exchange/SP Online

Auth. Platform (WAAD)

Active

Auth



28

LESSONS LEARNED

Deploy ADFS in High Availability Service account: log on as batch job ADFS requires a public certificate only for client

communications; token signing and encryption can be done with self-signed certificates

Workflow/endpoint is different depending the application you use: Passive (Web)/Active (Outlook)

Troubleshooting is not always easy. e.g. requires understanding how to use tools like fiddler2. E.g. to Analyze Sign-In Flow



29

DEMOADFS IN ACTION



WHAT’S “NEW” IN THE HYBRID CONFIGURATION WIZARD

Single-step, adaptive configuration wizard

Enhanced mail-flow capabilities

Improved centralized mail flow

Easier setup of secure mail flow (no more whitelisting IP’s!)

Integrated support for Exchange 2010 Edge Transport server

Leverages Exchange Online Protection

Enhanced & more detailed logging





32

DEMOHCW IN ACTION

Q&A

Technology

Preparing for an Exchange 2013 Hybrid