Rich Coexistence (wrongfully Hybrid Deployment)
Thomas Moen, Director of Strategy and [email protected] (@cloudmovr)
5.16.2012
It is GREAT to Have Options…
• On Premise – services on premise
• Hosted – services hosted by someone else
• Segmented – host some users/apps, keep some users/apps on premise
• Hybrid – some services, i.e., filtering, archive encryption, are hosted. Azure Appliance or Azure SQL
Segmented
Agenda
• Introduction
• Rich Coexistence Features Explained
• Planning
• Deployment
• Migration
• Management
Not for the faint of heart. This is a high impact ride. People with back, neck, heart, or cursing at computer problems, should not attempt this ride. Stay at the Exchange server at all times. Hold on with both hands!
Think I am Joking?
If you feel any discomfort with…
– ADFS 2.0
– Dir Sync
– Rich Coexistence
– PowerShell
Call a professional immediately! If you do proceed, proceed at your own peril…
… and Keep These Close at Hand!
On the occasion of a Service Interrupting Event (SIE), Microsoft Online Services continuously updates the channels below to provide you with the information you need to manage your business. Microsoft Online Services strives to earn your business and trust through our best in class service and ongoing communication.
Twitter: Feed is continuously updated as SIE incidents occur. http://twitter.com/#!/Office365
Service Health Dashboard: The best location for Service Update information. Updated regularly through any SIE and notifies you of any upcoming planned maintenance.
Facebook: Get the latest updates, tips and more delivered straight to your Facebook stream. http://www.facebook.com/#!/office365
Community Blog: With access to forums and the community, you’re always receiving the most updated information. http://community.office365.com/en-us/default.aspx
Your Four New Best Friends…
http://www.microsoft.com/en-us/download/confirmation.aspx?id=26509
http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index
[email protected], @cloudmovr
Jack: http://www.jackdaniels.com/
Rich Coexistence Summarized
– Executed over a longer period of time (a week, a month, a year, etc.)
– No requirement to ever “flip a switch”—can run in coexistence scenario indefinitely
– Requires on-premises configuration and hardware
What does coexistence mean?
Rich Coexistence Summarized: Simple vs. Rich Coexistence feature-set
Feature | Simple | Rich*
Mail routing between on-premises and cloud (recipients on either side)
Mail routing with shared namespace (if desired) - @company.com on both sides
Unified GAL
Free/Busy and calendar sharing cross-premises
MailTips, message tracking, and mailbox search work cross-premises
OWA Redirection cross-premise (single OWA URL for both on-premises and cloud)
Exchange Online Archive
Exchange Management Console used to manage cross-prem relationship & mailbox migrations
Native mailbox move supports both onboarding and offboarding
No outlook reconfiguration or OST resync required after mailbox migration
Online Mailbox Move allows users to start logged into their mailbox while it is being moved to the cloud
Secure Mail ensures emails cross-premises are encrypted, and the internal auth headers are preserved
Centralized mailflow control, ensures that all email routes inbound/outbound via On Premises
Today’s Focus
Exchange Sharing
Secure Transport
Mailbox Move
Directory Synchronization
– Manages online users in Active Directory®
– Eliminates the need to manage users and groups in two places
– Powers unified global address list
– Simplifies user provisioning
– Enables rich coexistence scenarios
– Designed for single-forest topologies
– Customer’s Active Directory is the replication master
Microsoft Online Directory Service
Active Directory
DirSync tool runs on local server
Active Directory Federation Services
Users are authenticated by local Active Directory Federation Services server.
No Microsoft Outlook® sign-in tool is required.
Active Directory Federation Services 2.0
Microsoft Online Directory Service
• Users don’t need to remember separate cloud passwords
• Administrators can retain existing domain security policies
• Supports multi-factor authentication for Outlook Web App
• Allows administrators to block user access outside the corporate network.
• Requires corporate infrastructure
Exchange 2010 Federation
• Federated Sharing provides:
– Easy setup of external data sharing
– Broader reach without additional steps to set up
– More security with controls for admins and users
• Federated Sharing is made possible because:
– Server can act on behalf of a specific user
• Specific user identified by email address
• User not prompted for credentials
– Microsoft Federation Gateway acts as a trust broker
• Reduces explicit point-to-point trust management
• No Active Directory trusts, service, or cloud accounts to manage
• Minimizes certificate exchanges
• Verifies domain ownership
Cross-Premises Free/Busy and Calendar Sharing*
– Creates the look and feel of a single, seamless organization for meeting scheduling and management of calendars
– Works with any supported Outlook client; the heavy lifting is done by the Exchange Server 2010 CAS servers and the MS Federation Gateway, making this transparent to the end user.
*Caution with Exchange 2003 or earlier
Cross-Premises Free/Busy and Calendar Sharing – How it Works
(Diagram: On Premises user “Ben” and Client Access Server; Microsoft Federation Gateway; Exchange Online Mailbox Server holding “Joe”)
1. Ben requests free/busy info for Joe.
2. The CAS server finds that Joe’s mailbox is external and that there is a matching Organization Relationship.
3. The CAS connects to the MFG to request a Delegation Token.
4. The MFG returns a Delegation Token (FreeBusyRequest, From Ben, To Joe).
5. The CAS server passes the MFG token and requests Joe’s free/busy on behalf of Ben.
6. Free/busy info is returned to the CAS server.
7. Joe’s free/busy is returned to the Outlook client.
Cross-Premises MailTips
– Creates the look and feel of a single, seamless organization. Correct evaluation of “Internal to” vs. “External to” organization context
– Allows awareness and correct Outlook 2010 representation of MailTips for size and quantity limits on DGs, etc.
Cross-Premises Message Tracking
– Creates the look and feel of a single, seamless organization
– Message tracking started from on-premises or from the cloud will track through to the edge of the combined organization
• Tracking fidelity across Exchange Server 2010 SP1 servers will be identical to fully on-premises organizations (i.e., high fidelity)
• Tracking fidelity across pre-2010 servers will be identical to fully on-premises organizations (i.e., lower fidelity)
Cross-Premises Mailbox Search
– Allows administrators to select/manage mailboxes for mailbox searches from on-premises or cloud-hosted mailboxes
– Graphical representation lets you differentiate between on-premises and cloud-hosted mailboxes in the picker
– Search results returned across all selected mailboxes, regardless of mailbox location!
Cross-Premises OWA Redirection
• Single URL
– Allows mailbox access to OWA via a single URL (pointed to on-premises CAS)
– Ensures a good end-user experience as mailboxes are moved in and out of the cloud, since the OWA URL remains unchanged
• Better cloud log-in experience
– Log-in experience can be greatly improved by adding your domain name into your cloud URL so that you can access your cloud mailbox without the interruption of the “Go There” page
Cross-Premises Mail Flow
• Secure transport
• Rich coexistence adds the ability to preserve internal organizational headers:
• Allows us to treat a message from the cloud as authenticated. This means we trust the message and resolve the sender to a recipient in the GAL.
• Restrictions specified for that recipient get honored.
• When sender is expanded in Outlook, GAL card is opened (not SMTP address).
– Possible centralized mail flow scenario
Cross-Premises Mail Flow
(Diagram: On Premises Mailbox Server and Hub Transport Server holding mailbox “Ben”; Forefront Online Protection for Exchange (FOPE) in front of Exchange Online holding cloud mailbox “Joe”; the two sides are joined by a Domain Secure / secure TLS connection)
– The Hub/Edge transport certificate subject is “mail.contoso.com”
– The FOPE transport certificate subject is “mail.messaging.microsoft.com”
Cross-Premises Mail Flow – Sending Internal Headers to Cloud
(Diagram: On Premises Mailbox Server and Hub Transport Server holding mailbox “Ben”; FOPE; Exchange Online holding cloud mailbox “Joe”; TLS between the on-premises Hub and FOPE, with XOORG data carried on the message)
1. If the outbound email is destined for Exchange Online, XOORG data is added to the email.
2. FOPE records the sender’s certificate subject. In this example it is “mail.contoso.com”.
3. Exchange Online verifies that the certificate subject matches the configured value. If the certificate subject is valid, Exchange promotes the XOORG data.
4. Cross-premises emails are authenticated as “Internal”.
Cross-Premises Mail Flow – Sending Internal Headers to On Prem
(Diagram: On Premises Mailbox Server and Hub Transport Server holding mailbox “Ben”; FOPE; Exchange Online holding cloud mailbox “Joe”; TLS between FOPE and the on-premises Hub, with XOORG data carried on the message)
1. If the outbound email is destined for Exchange On Premises, XOORG data is added to the email.
2. Exchange On Premises verifies that the certificate subject matches the configured value. If the certificate subject is valid, Exchange promotes the XOORG data.
3. Emails from the cloud are seen as Internal by Transport & Journal Rules.
Cross-Premises Mail Flow – Centralized mail flow scenario
(Diagram: Internet; On Premises Mailbox Server and Hub Transport Server; FOPE; Exchange Online; TLS on the cross-premises hop)
– All outbound cloud email is sent via on premises
– Exchange Online to On Premises connector address space = *@*
– Only Exchange On Premises is allowed to send mail into the cloud
Rich Coexistence
Makes your on-premises organization and cloud organization work together like a single, seamless organization
• Offers near-parity of features/experience on-premises and in the cloud
• Seamless interactions between on-premises and cloud mailboxes
• Migrations in and out of the cloud transparent to end user
Features not supported:
• Delegation Coexistence—Delegate permissions are migrated, but not available during the move
• Migration of Send As/Full Access permissions
• Multi-forest—only single-forest source environments
Feature summary
Federation Scenarios
“Federation”: A very overloaded word…
• Sign-On Scenarios (ADFS v2): “Federated Identity”
– User uses corporate credentials to access online resources in the cloud
– Single Sign-on cloud mailbox log in
– Direct log on for LOB apps
– Applies to all Office 365 services, not just Exchange Online
• Delegation Scenarios: “Federated Sharing”
– Services act on behalf of a user to access Exchange resources
– Cross-premises Free/Busy, Shared Calendaring
– Cross-premises MailTips
– Cross-premises Message Tracking
– Cross-premises Mailbox Search
– Cross-premises MRS authentication
– Cross-premises OWA redirection (single URL)
– Cross-premises Archiving
– Specific to Rich Coexistence features provided by Exchange Online
Rich Coexistence Server Roles: 3 - 5 Additional Server/Roles Required
– Unified Global Address List: Office 365 Directory Sync
– Single Sign On: AD FS
– Exchange Sharing, Mailbox Move, Secure Transport: Exchange Server 2010 SP1 CAS/Hub
* Mbx role is required for legacy Public Folder-based free/busy support
Shared Namespace: Core Concepts
(Diagram: On Premises AD Forest with DC and Exchange 2003 FE/BE Server; Exchange Online; External Recipient ([email protected]) on the Internet)
– MX for contoso.com = On Premises
– MX for service.contoso.com = Exchange Online
– Email from [email protected] to [email protected] is forwarded to [email protected]
Namespace Planning
• Federated Identity
– UPN suffixes need to match an Identity Federation domain
• Email Forwarding & Autodiscover Redirects
– Minimum of 1 domain for on-premises and 1 for Exchange Online
– Existing primary SMTP domain sufficient for the on-premises namespace
– Additional namespace required for Exchange Online
• Note: Cannot be the sign-up domain (*.onmicrosoft.com)
• Exchange Federated Sharing
– Recommend use of a unique domain for the On-Premises to Microsoft Federation Gateway Exchange Federation Trust, e.g. exchangesharing.contoso.com
– Referred to in EMC and EMS as the “Account Namespace”
– Does not need to be on any Email Address Policies
– Any other domains (e.g. contoso.com) should be added as additional federated domains
Certificates
• Exchange Federation Trust
– Can be any certificate (e.g. self-signed)—it will be pushed/pulled to all Exchange Server 2010 SP1 Client Access Servers
– The “New Federation Trust” wizard handles the cert creation and replication to other CAS servers for you
• Exchange CAS
– You must ensure that the primary SMTP domain has an Autodiscover DNS entry and is listed on the CAS certificate
– DNS must resolve to an Exchange Server 2010 SP1 CAS server
– CAS protocols (EWS, MRSProxy) must have the externalUrl listed on the certificate
• Exchange HUB
– Ensure the certificate is both client and server certificate type
You can use the Exchange Certificate wizard in EMC 2010 SP1 to generate the request!
ADFS also requires public certificates for ADFS endpoints in most scenarios
Exchange Deployment Assistant
• http://technet.microsoft.com/exdeploy2010
• Currently supports Rich Coexistence configuration with Exchange Server 2003 and Exchange 2007
• SP2 new Coexistence/Hybrid Wizard
Hybrid Config Wizard Requirements
• On Premise Exchange 2003 or Later
• All Exchange Updates and SP2 Rollup
• Office 365 Tenant and Admin Account
• Custom Domains
• AD FS 2.0
• Dir Sync
• CAS/HUB Server
• Autodiscover DNS Records Configured
• Office 365 Org in the EMC
• EWS Config ExternalURL – externally accessible, FQDN
• Certificates – self signed certs NOT used, and a whole lot of other certification stuff! Like the EWS external URL and the Autodiscover endpoint specified in public DNS, which have to be listed in the Subject Alternative Name of the certificate. (I hate certificates)
New SP2 Wizard
Here’s Where We Start…
(Diagram: On Premises AD Forest with AD FS, DC, DirSync and an Exchange 2003 FE/BE Server; External SMTP Recipient ([email protected]) on the Internet)
https://mail.contoso.com/exchange
https://mail.contoso.com/rpc
https://mail.contoso.com/Microsoft-Server-ActiveSync
The following services may be exposed to the Internet to support remote access:
1. SMTP
2. Outlook Web Access
3. Outlook Anywhere
4. Exchange ActiveSync
Rich Coexistence Setup
• Step 1: Office 365 configuration steps
Step | Details | Required/Recommended
Run through Office 365 Onboarding Accelerator | As part of onboarding, the onboarding accelerator steps the admin over to “Rich Coexistence” guidance | Recommended
Configure Federated Identity | On-premises ADFS/Geneva server allows on-premises (single) identity to be used for cloud authentication | Recommended
Configure DirSync | On-premises appliance synchronizes on-premises directory/GAL with the cloud | Required
Enable DirSync Writeback | Allows rich off-boarding with message-repliability, archiving in the cloud, and UM in the cloud | Recommended*
* Not available during Beta
Register MSO Namespaces & Config ADFS
(Diagram: On Premises AD Forest with AD FS and DC; Microsoft Online Directory Service (MSO ID); Exchange Online. Company: contoso.onmicrosoft.com)
Domains / Status before verification: contoso.com – pending; service.contoso.com – pending
(1) Run MSO Federation Config cmdlets:
• Add-MsolFederatedDomain -DomainName "contoso.com"
• Add-MsolFederatedDomain -DomainName "service.contoso.com"
(2) Create Domain Proof of Ownership DNS Records:
• ms1234567.contoso.com > ps.microsoftonline.com
• ms8901234.service.contoso.com > ps.microsoftonline.com
(3) Rerun MSO Federation Config cmdlets:
• Add-MsolFederatedDomain -DomainName "contoso.com"
• Add-MsolFederatedDomain -DomainName "service.contoso.com"
*This verifies domain proof of ownership*
(4) New Registered Domains propagate out to MSO ID and Exchange Online
• MSO ID reserves the namespace as a “Federated Namespace”
• MSO ID sets the AD FS endpoint for each namespace to “https://adfs.contoso.com/adfs/ls/”
• Exchange Online creates all registered domains as Accepted Domains
Domains / Status after verification: contoso.com – active; service.contoso.com – active
Namespace | Type | Endpoint
contoso.com | Federated | https://adfs.contoso.com
service.contoso.com | Federated | https://adfs.contoso.com
Accepted Domain | Type
contoso.com | Authoritative
service.contoso.com | Authoritative
Deploy Office 365 Directory Sync
(Diagram: On Premises AD Forest with AD FS, DC and DirSync; Microsoft Online Directory Service (MSO ID); Exchange Online)
(1) Install DirSync
(2) Run configuration wizard
(3) Run first sync
Sync process will sync out the following object types:
1. Users
2. Contacts
3. Groups
Users only: Only Users are given an MSO ID
– If their On-Premises UPN matches a federated domain, then they are given a Federated MSO ID with the same name
– Any logons using that ID will be redirected to the On Premises ADFS instance for authentication
All mail-enabled objects: All mail-enabled objects are synced to Exchange Online:
1. Mailuser
2. Mailbox
3. Mailcontact
4. MaildistributionGroup (inc. security)
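The namespace registration in steps (1) to (4) and the DirSync result described above, carried through end to end, as an added example that is not from the deck. It uses the Microsoft Online Services Module for Windows PowerShell of the time; the AD FS server name adfs.contoso.com, the admin workstation and the expectation that DirSync has already completed its first run are assumptions.

```powershell
# Added example: register contoso.com and service.contoso.com as federated namespaces
# and confirm the AD FS endpoint and the DirSync'd users afterwards.
# Assumes: MSOnline module installed, AD FS 2.0 reachable at adfs.contoso.com (assumed name).
Import-Module MSOnline
$cred = Get-Credential                         # Office 365 global administrator
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer "adfs.contoso.com"   # where the federation cmdlets talk to AD FS

# (1) First run: the domain is registered "pending" and the proof-of-ownership
#     DNS record (ms<digits>.<domain> CNAME ps.microsoftonline.com) is reported.
Add-MsolFederatedDomain -DomainName "contoso.com"
Add-MsolFederatedDomain -DomainName "service.contoso.com"

# (2) Publish the reported DNS records with your DNS provider, wait for propagation,
#     then (3) rerun the same cmdlets; the second run verifies ownership and converts
#     each domain to federated.
Add-MsolFederatedDomain -DomainName "contoso.com"
Add-MsolFederatedDomain -DomainName "service.contoso.com"

# (4) Check the end state: both domains Verified and Federated, and the passive/active
#     logon URIs pointing at the on-premises AD FS instance.
Get-MsolDomain | Select-Object Name, Status, Authentication
Get-MsolDomainFederationSettings -DomainName "contoso.com" |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri

# After the first DirSync run: confirm sync is on and list the users it wrote.
# Users whose on-premises UPN suffix is a federated domain sign in through AD FS.
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, LastDirSyncTime |
    Sort-Object UserPrincipalName
```

If PassiveLogOnUri does not show https://adfs.contoso.com/adfs/ls/, the domain was converted against the wrong AD FS context; fix the context and rerun before any user is pointed at the federated sign-in.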
Rich Coexistence Setup
• Step 2: Exchange configuration steps*
Step | Details | Required/Recommended
Install Exchange Server 2010 SP1 server on-premises | On-premises Exchange Server 2010 SP1 CAS/Hub server (also MBX role for some scenarios) required for rich coexistence features | Required
Configure cloud Autodiscover DNS record | Allows on-premises targeted autodiscover Outlook client to redirect to cloud without prompts | Required
Publish MRS Proxy | Allows Exchange Online Mailbox Replication Service to connect On Premises and perform a move to the cloud | Required
Implement Cloud Configuration Policies | Create configuration policies in the cloud to match (or complement) on-premises configuration policies (e.g., ActiveSync policies, OWA policies, etc.) | Recommended
Configure RBAC in the cloud | Create/manage Role-Based Access Control (RBAC) settings in the cloud to match (or complement) on-premises RBAC configuration | Recommended
Configure Federation Trust / Org Relationship (“Federated Sharing”) | Enable infrastructure for delegated Live namespace federation. Allows the following features: Cross-premises Free/Busy, Shared Calendaring; Cross-premises OWA redirection (single URL); Cross-premises MailTips; Cross-premises Mailbox Search; Cross-premises Message Tracking; Cross-premises Archiving | Recommended
Configure Cross-premises mail routing | This configuration ensures proper anti-spam/header handling for mail sent between on-premises and the cloud. | Recommended**
* Exchange Deployment Assistant will be updated to include Rich Coexistence scenario steps
** Not available during Beta
Creating the Exchange Federation Trust
(Diagram: On Premises AD Forest with AD FS, DC, DirSync, Exchange 2003 FE/BE Server and Exchange 2010 CAS/HUB Server; MSO ID; Microsoft Federation Gateway (MFG); Exchange Online)
(1) Create Exchange Federation Trust with the “MFG” using a “unique namespace”, e.g. exchangesharing.contoso.com
(2) On Premises Org Relationship with “service.contoso.com” and “contoso.com”
(3) Exchange Online Org Relationship with “contoso.com”
Automatic implied trust between the Exchange Online tenant and MFG
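Steps (1) to (3) above in the Exchange Management Shell, as an added example rather than the deck's own procedure (the deck does this through the EMC wizard). The account namespace exchangesharing.contoso.com and the routing domain service.contoso.com come from the slides; the trust name, the certificate friendly name, the test user [email protected] and the cloud OWA URL are assumptions.

```powershell
# Added example: Exchange 2010 SP1 federation trust plus the two organization
# relationships from the slide. Run (1)-(2) in the on-premises EMS.

# (1a) Certificate for the trust. A self-signed one is acceptable; the private key
#      must be exportable so Exchange can replicate it to the other CAS servers.
$fedCert = New-ExchangeCertificate -FriendlyName "Exchange Federation Trust" `
    -SubjectName "CN=Exchange Federation Trust" -DomainName "contoso.com" `
    -Services Federation -PrivateKeyExportable $true -KeySize 2048

# (1b) Create the trust with the Microsoft Federation Gateway.
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint $fedCert.Thumbprint

# (1c) Prove ownership of the account namespace and of each domain that will be
#      federated: publish the TXT record each call returns, then register the domain.
#      The account namespace is only an identifier; it is on no e-mail address policy.
Get-FederatedDomainProof -DomainName "exchangesharing.contoso.com"
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" `
    -AccountNamespace "exchangesharing.contoso.com" -Enabled $true
Get-FederatedDomainProof -DomainName "contoso.com"
Add-FederatedDomain -DomainName "contoso.com"

# (2) On-premises organization relationship with the cloud tenant. Get-FederationInformation
#     reads the target's Autodiscover EPR, application URI and federated domain list, so
#     service.contoso.com and contoso.com are picked up without typing them by hand.
Get-FederationInformation -DomainName "service.contoso.com" |
    New-OrganizationRelationship -Name "Exchange Online" `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailTipsAccessEnabled $true -MailTipsAccessLevel All `
        -DeliveryReportEnabled $true -MailboxMoveEnabled $true `
        -TargetOwaURL "https://outlook.com/owa/service.contoso.com"   # assumed cloud OWA URL

# Verify before relying on it: the trust itself, then the relationship for a real user.
Test-FederationTrust -UserIdentity "[email protected]"
Test-OrganizationRelationship -Identity "Exchange Online" -UserIdentity "[email protected]"

# (3) The mirror relationship is created from a remote PowerShell session to Exchange
#     Online (see the mailbox-move example for opening one); the target is now the
#     on-premises organization, reached through contoso.com's Autodiscover.
#     Get-FederationInformation -DomainName "contoso.com" |
#         New-OrganizationRelationship -Name "On Premises" `
#             -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
#             -MailTipsAccessEnabled $true -MailTipsAccessLevel All `
#             -DeliveryReportEnabled $true -MailboxMoveEnabled $true
```

FreeBusyAccessLevel LimitedDetails is the usual choice: it exposes subject and location but not body, which is the least the cross-premises scheduling experience needs. MailboxMoveEnabled is what later lets the Remote Move wizard run without explicit credentials.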
Creating the Secure Mail Connectors
(Diagram: On Premises AD Forest with Exchange 2010 CAS/HUB Server; FOPE; Exchange Online)
– Create the Exchange Send Connector
– Create the FOPE Inbound Connector
– Create the FOPE Outbound Connector
– Create the Exchange Receive Connector
– Remote Domains on each side define the use of XOORG
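The on-premises half of the secure mail path from the Cross-Premises Mail Flow slides and this one (Send connector, Receive connector, Remote Domain with XOORG), as an added example that is not the deck's own configuration. The certificate subjects mail.contoso.com and mail.messaging.microsoft.com and the routing domain service.contoso.com come from the slides; the server name HUB01, the connector names and the FOPE source IP range are assumptions (the range is a documentation placeholder, not a real FOPE address). The two FOPE-side connectors are configured in the FOPE administration center and are not shown.

```powershell
# Added example: on-premises Exchange 2010 SP1 connectors for cross-premises mail.
# The security property being configured is mutual certificate-subject validation:
# outbound mail only goes to a FOPE host presenting mail.messaging.microsoft.com, and
# the XOORG (internal organization) header is only honoured from such a host.

# The Hub's own SMTP certificate must carry the subject FOPE is configured to expect.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "SMTP" -and $_.Subject -like "*mail.contoso.com*" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# Send connector: route the cloud routing domain to FOPE, never unencrypted, and fail
# the session unless the presented certificate's subject is the expected FOPE name.
New-SendConnector -Name "Outbound to Office 365" `
    -AddressSpaces "service.contoso.com" `
    -SmartHosts "mail.messaging.microsoft.com" -DNSRoutingEnabled $false `
    -RequireTLS $true -TlsAuthLevel DomainValidation `
    -TlsDomain "mail.messaging.microsoft.com" `
    -Fqdn "mail.contoso.com" -SourceTransportServers "HUB01"

# Receive connector scoped to FOPE's source addresses (placeholder range, 203.0.113.0/24):
# TLS is mandatory and the XOORG protocol is accepted only when the peer's certificate
# subject is mail.messaging.microsoft.com. A more specific RemoteIPRanges wins over the
# default Internet connector, so other senders never get to assert XOORG.
$fopeRanges = @("203.0.113.0/24")   # constructed placeholder; use the published FOPE ranges
New-ReceiveConnector -Name "Inbound from Office 365" -Server "HUB01" -Usage Internet `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $fopeRanges -Fqdn "mail.contoso.com" `
    -RequireTLS $true -TlsDomainCapabilities "mail.messaging.microsoft.com:AcceptOorgProtocol"

# Remote domain for the cloud side: add XOORG data on the way out, trust it on the way in.
New-RemoteDomain -Name "Office 365" -DomainName "service.contoso.com"
Set-RemoteDomain -Identity "Office 365" -TrustedMailOutboundEnabled $true `
    -TrustedMailInboundEnabled $true

# Read back the settings that matter.
Get-SendConnector "Outbound to Office 365" |
    Format-List RequireTLS, TlsAuthLevel, TlsDomain, SmartHosts, AddressSpaces
Get-ReceiveConnector "HUB01\Inbound from Office 365" |
    Format-List RequireTLS, TlsDomainCapabilities, RemoteIPRanges
Get-RemoteDomain "Office 365" |
    Format-List DomainName, TrustedMailOutboundEnabled, TrustedMailInboundEnabled
```

To confirm the header promotion end to end, send a message from a cloud mailbox to an on-premises one and read its headers: a message that came through the validated path carries X-MS-Exchange-Organization-AuthAs set to Internal, which is what makes transport and journal rules treat it as internal.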
Mail Routing – External recipient to Exchange Online mailbox
(Diagram: External Recipient ([email protected]) on the Internet; On Premises AD Forest; Exchange Online; TLS on the cross-premises hop)
– Remote Mailbox (on premises): Primary SMTP Address = [email protected]; Remote Routing Address = [email protected]
– Mailbox (Exchange Online): Primary SMTP Address = [email protected]; SMTP Address = [email protected]
– MX & AutoD for contoso.com = On Premises
– MX & AutoD for service.contoso.com = Exchange Online
Autodiscover – Outlook Profile Generation
(1) Where is my mailbox?
(2) Local Exchange passes a redirect to “service.contoso.com”
(3) Outlook attempts to discover the endpoint through the DNS record “autodiscover.service.contoso.com”
(4) Request Authentication
(5) Authentication Success
(6) Profile Builds
Post-Exchange Coexistence Server Deployment
(Diagram: On Premises AD Forest with AD FS, DC, DirSync, Exchange 2003 FE/BE Server and Exchange 2010 CAS/HUB Server)
https://mail.contoso.com/rpc
https://mail.outlook.com/ews/
https://autodiscover.contoso.com/autodiscover/autodiscover.xml
https://mail.contoso.com/exchange
https://mail.contoso.com/owa
https://legacymail.contoso.com/exchange
https://mail.contoso.com/Microsoft-Server-ActiveSync
Once 2010 is deployed the following additional services need to be enabled:
1. Autodiscover
2. Availability Web Service
3. Exchange Web Services
External endpoints:
1. mail.contoso.com
2. autodiscover.contoso.com
3. legacymail.contoso.com
To support OWA redirection to the cloud, logons need to be shifted to 2010
This requires a new “legacy” endpoint for OWA 2003
New Certificate Required
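The certificate and endpoint work from the Certificates slide and this one, done in the Exchange Management Shell instead of the EMC certificate wizard, as an added example that is not from the deck. The three external names come from the slide; the server name CAS01, the organization in the subject, the file paths and the CA workflow are assumptions.

```powershell
# Added example: one certificate whose Subject Alternative Names cover every external
# endpoint the 2010 CAS/Hub exposes, then the virtual directory URLs that must match it.

# 1. Generate the request. Every hostname clients or FOPE will connect to goes in
#    -DomainName, because a name missing from the SAN list fails TLS validation.
$request = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName "C=US, O=Contoso, CN=mail.contoso.com" `
    -DomainName "mail.contoso.com","autodiscover.contoso.com","legacymail.contoso.com" `
    -FriendlyName "Contoso hybrid endpoints"
Set-Content -Path "C:\certs\contoso-hybrid.req" -Value $request   # assumed path; submit to a public CA

# 2. Import what the CA issued and enable it for IIS (OWA, EWS, Autodiscover, MRS proxy)
#    and SMTP (the Hub's transport certificate that FOPE validates).
$issued = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path "C:\certs\contoso-hybrid.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $issued.Thumbprint -Services IIS,SMTP

# 3. Check the SANs and that the key usage includes both client and server authentication,
#    which the Hub needs because it acts as TLS client towards FOPE and as server inbound.
Get-ExchangeCertificate -Thumbprint $issued.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
(Get-ChildItem "Cert:\LocalMachine\My\$($issued.Thumbprint)").EnhancedKeyUsageList

# 4. External URLs on the names the certificate carries; MRS proxy published for remote moves.
Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/ews/exchange.asmx" -MRSProxyEnabled $true
Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/owa" `
    -Exchange2003Url "https://legacymail.contoso.com/exchange"     # legacy OWA endpoint for 2003 users
Set-ActiveSyncVirtualDirectory -Identity "CAS01\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity "CAS01" `
    -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/autodiscover/autodiscover.xml"

# 5. Read back: every ExternalUrl host must appear in CertificateDomains above.
Get-WebServicesVirtualDirectory -Server "CAS01" | Format-List ExternalUrl, MRSProxyEnabled
Get-OwaVirtualDirectory -Server "CAS01" | Format-List ExternalUrl, Exchange2003Url
Get-ClientAccessServer -Identity "CAS01" | Format-List AutoDiscoverServiceInternalUri
```

The legacymail.contoso.com name exists only so that 2010 can redirect Exchange 2003 mailboxes to their old OWA; once the last 2003 mailbox is gone it can be dropped from the next renewal. The Exchange Remote Connectivity Analyzer (testexchangeconnectivity.com) is the external check for the Autodiscover and EWS names once DNS is in place.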
Rich Coexistence: GUI Management
– Once you have installed Exchange Server 2010 SP1 on premises and connected it to your Exchange Online 2010 organization, you can use EMC GUI for a number of the configuration steps on the previous slides
Connecting on-premises GUI to the cloud
Rich Coexistence Setup
– Most of the cool Rich Coexistence features require federated sharing to be configured between on-premises and the cloud
– EMC in Exchange Server 2010 SP1 has GUI for this
Federated Sharing
Rich Coexistence Migration
• Administrator uses EMC on-premises tool to manage mailbox moves and other administrative cross-premise tasks
– Note: There is no requirement to move mailboxes on premises to an Exchange Server 2010 server prior to moving them to the cloud
• DirSync keeps GAL in sync as mailboxes are moved
You’ve configured for cross-premises, now it’s time to move!
(Diagram: Mailbox migration – Exchange Server 2003, Exchange Server 2007 and Exchange Server 2010 SP1 mailboxes via the Exchange Server 2010 CAS)
Rich Coexistence Migration
• Cross-Premises moves just like on-premises
– Cross-Premises mailbox moves driven out of the EMC GUI “Remote Move” wizard
– With federated sharing configuration in place, it eliminates the explicit-credentials requirement, allowing mailbox moves to be executed seamlessly to and from the cloud
Cross-premises mailbox move experience
Rich Coexistence Migration
– It’s a true “online” move: User stays connected to their mailbox through the move
• Client switchover happens automatically at the end
• Traditional “offline” move when moving from an Exchange 2003 source
– Outlook uses Autodiscover to detect the change and fixes up the user’s Outlook profile automatically on the client machine
– Since it’s a move (not a new mailbox + data copy), Outlook doesn’t see it as a new/different mailbox. End result = No OST resync
– Moves are queued and paced by the datacenter
– Object conversion for mail routing happens automatically after data move
• Mailbox on-premises gets converted to mail-enabled user automatically
• Admin can override this automation and stage the move-then-convert steps
The stuff you need to know
Rich Coexistence Migration
• Why might you care about off-boarding?
– Long term coexistence scenarios
– Compliance requirements (retaining ex-employee data)
– Piloting online but not committed to the move
• What do you need to know about off-boarding?
– Off-boarding is available using the EMC toolset while in the Rich Coexistence scenario
– Off-boarding to an on-premises Exchange Server 2010 database is an online mailbox move
– Off-boarding to an on-premises Exchange Server 2003/Exchange Server 2007 database is an offline mailbox move
– Off-boarding without Rich Coexistence (i.e., any other scenario, including V1 off-boarding) is PST via Outlook or partner driven
Mailbox off-boarding
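The onboarding and off-boarding moves from the three Migration slides, driven from PowerShell rather than the EMC Remote Move wizard, as an added example that is not the deck's own procedure. The remote PowerShell endpoint is the one Exchange Online used at the time of the deck; the MRS proxy host mail.contoso.com, the routing domain service.contoso.com, the users, the target database name DB01 and the bad-item limit are assumptions.

```powershell
# Added example: cross-premises mailbox moves through the Exchange Online Mailbox
# Replication Service, talking to the on-premises MRS proxy published on the CAS.

$cloudCred  = Get-Credential   # Office 365 administrator
$onPremCred = Get-Credential   # on-premises account permitted to use the MRS proxy

# Remote PowerShell session to Exchange Online (endpoint of the 2012 service).
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "https://ps.outlook.com/powershell/" `
    -Credential $cloudCred -Authentication Basic -AllowRedirection
Import-PSSession $session

# Onboarding: an online move; the user stays connected until the switchover.
# -SuspendWhenReadyToComplete stages the move so the cut-over can be scheduled by hand.
New-MoveRequest -Identity "[email protected]" -Remote `
    -RemoteHostName "mail.contoso.com" -RemoteCredential $onPremCred `
    -TargetDeliveryDomain "service.contoso.com" `
    -BadItemLimit 10 -SuspendWhenReadyToComplete

# Watch progress. Moves are queued and paced by the datacenter, so Queued is normal.
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, TotalMailboxSize, BadItemsEncountered -AutoSize

# Finish the staged move. Outlook then picks up the new location through Autodiscover;
# the on-premises mailbox is converted to a mail-enabled user (Remote Mailbox) automatically.
Resume-MoveRequest -Identity "[email protected]"

# Off-boarding back to an Exchange 2010 database on premises: also an online move.
# (To a 2003/2007 database it would be an offline move, as the slide notes.)
# -TargetDeliveryDomain now names the on-premises domain so routing flips back.
New-MoveRequest -Identity "[email protected]" -Outbound `
    -RemoteTargetDatabase "DB01" -RemoteHostName "mail.contoso.com" `
    -RemoteCredential $onPremCred -TargetDeliveryDomain "contoso.com"

# Clean up finished requests so their records do not pile up, then close the session.
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
Remove-PSSession $session
```

Keep the bad-item limit low and read BadItemsEncountered before resuming: a high limit silently drops corrupt items, and for the compliance use case on this slide that is data loss, not a convenience.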
Rich Coexistence Recipient Management
– All recipient management should be performed through EMC 2010 SP1
– Objects should be created through the On-Premises node
– Any Policies (e.g. OWA Policy) should be assigned through the Cloud node
Exchange Management Console
Rich Coexistence Recipient Management
• New On-Premises recipient, called “Remote Mailbox”
– Represents a Mailbox that exists in Exchange Online (found under Contacts)
– Specific to Rich Coexistence
– Appears as a Mail User to legacy Exchange
– MRS Mailbox Move to Exchange Online will leave a Remote Mailbox in the On Premises directory
• New flag on a Remote Domain allows the targetAddress to be automatically calculated
What’s new to recipient management in Exchange Online
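Recipient management through the on-premises node as the slide prescribes, with the Remote Domain flag that computes the targetAddress, as an added example that is not from the deck. The routing domain service.contoso.com is from the slides; the remote domain name "Office 365", the users and the OU are assumptions, and the example assumes that remote domain already exists and that DirSync is running.

```powershell
# Added example: Exchange 2010 SP1 EMS on premises. New cloud users are created here as
# Remote Mailboxes so that AD stays the replication master and DirSync carries them up.

# The "new flag on a Remote Domain": with it set, every Remote Mailbox gets its
# RemoteRoutingAddress (AD targetAddress) derived as <alias>@service.contoso.com.
Set-RemoteDomain -Identity "Office 365" -TargetDeliveryDomain $true

# New user whose mailbox will live in Exchange Online. This creates the AD account and
# the Remote Mailbox object only; no on-premises mailbox is ever provisioned.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for Joe"
New-RemoteMailbox -Name "Joe Healy" -Alias "joe" -FirstName "Joe" -LastName "Healy" `
    -UserPrincipalName "[email protected]" -Password $initialPassword `
    -OnPremisesOrganizationalUnit "contoso.com/Users"

# Existing AD user who has no mailbox yet: mail-enable as a Remote Mailbox. Here the
# routing address is given explicitly, which also works when the flag is not set.
Enable-RemoteMailbox -Identity "[email protected]" -RemoteRoutingAddress "[email protected]"

# Verify. RemoteRoutingAddress must be in the cloud routing domain; a wrong or missing
# targetAddress is what turns cross-premises mail into bounces or loops.
Get-RemoteMailbox -Identity "joe" |
    Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, RecipientTypeDetails

# Catch any Remote Mailbox whose routing address is not in the routing domain.
Get-RemoteMailbox -ResultSize Unlimited |
    Where-Object { $_.RemoteRoutingAddress -notlike "*@service.contoso.com" } |
    Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress
```

The cloud mailbox itself appears after the next DirSync cycle and a license assignment; policies for it (OWA, ActiveSync) are assigned through the Cloud node, as the previous slide says.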
Key Takeaways
Rich Coexistence is about 3 core components
• Migration
• Exchange Sharing
• Secure Transport
Rich Coexistence setup has a bunch of steps, but it’s primarily about getting the planning right
• Namespaces & Certificates are the two key areas to think about
• Remember you are performing a partial upgrade to Exchange Server 2010
• And moving to Exchange Server 2010 on-premise sets you up for a smooth path to the cloud
Once you’re in fully-configured Rich Coexistence, toggling the federated sharing features on and off in Exchange is simple
• These features are a differentiator and make the cross-premises Exchange Online experience seamless
Thank You!