Configuring Hybrid Workloads for SharePoint 2013 and O365 by Neil Hodgkinson


DESCRIPTION

Hybrid scenarios between SharePoint Server 2013 and Office 365 (O365) take a number of guises, including search and Business Connectivity Services capabilities. All hybrid scenarios require a base identity configuration on which the hybrid workload is then configured. Hybrid workloads operate in what are known as inbound and outbound directions. Outbound is considered the simplest configuration; inbound is complicated by the additional on-premises infrastructure it needs and by the perception that it is difficult to configure correctly. In this session we want to dispel that myth and show how the identity infrastructure, including DirSync with password synchronization, can be configured to support outbound and inbound hybrid search between SharePoint Server 2013 and O365. Configuration of the Windows Server 2012 R2 Web Application Proxy (WAP) to support inbound hybrid authentication is a key component of this session, as is the use of Windows Azure to host the on-premises SharePoint roles.

Text of Configuring Hybrid Workloads for SharePoint 2013 and O365 by Neil Hodgkinson

  • 1. About the speaker
    - Pre-Microsoft: Process Chemist (Drugs, Poisons and Explosives); CSC SharePoint Specialist, 5 years
    - Microsoft (2005-): SharePoint PFE, 5 years; SharePoint Service Engineering O365, 3 years; Office 365 CXP CAT, current; MCM/MCSM SharePoint Instructor Team
    - Contact: Email neil.hodgkinson@microsoft.com, Twitter @nellymo

  • 2. Session objectives
    - Verbalise the advantages hybrid scenarios bring as a waypoint towards a full cloud experience
    - Discuss the technical implementation of hybrid configurations with architects and engineers
    - Understand the role of the reverse proxy server in an inbound hybrid setup, and in particular gain insight into the configuration of Windows Web Application Proxy
  • 3. Hybrid Solution
  • 4. On Premises / Cloud
  • 5. Outbound hybrid search (diagram: Microsoft data center, Internet, Intranet, customer network; SharePoint Server 2013 farm with primary web app; Office 365 tenant with SharePoint Online site collection)
    - SharePoint Server can query SharePoint Online; SharePoint Online cannot query SharePoint Server
    - On-premises SharePoint Server 2013 Enterprise Search portal: local and remote (hybrid) search results are available
    - SharePoint Online search portal: local search results only
  • 6. Inbound hybrid search (diagram: as slide 5, plus a reverse proxy in the perimeter network)
    - SharePoint Online can query SharePoint Server; SharePoint Server cannot query SharePoint Online
    - On-premises SharePoint Server 2013 Enterprise Search portal: local search results only
    - SharePoint Online search portal: local and remote (hybrid) search results are available
  • 7. Bidirectional hybrid search (diagram: as slide 6)
    - SharePoint Online can query SharePoint Server; SharePoint Search can query SharePoint Online
    - On-premises SharePoint Server 2013 Enterprise Search portal and SharePoint Online search portal: local and remote search results are available in both
  • 8. Screenshot: results from Cloud and results from SharePoint On-Premise in one result set
  • 9. Outbound search architecture (diagram): on-premises Search Center, Query Processing Component, Index Components and User Profile Service App; SharePoint Online Query Processing Component and Index Components; authenticated user queries on-premises
  • 10. Inbound search architecture (diagram): as slide 9, with the O365 Search Center querying on-premises through a Reverse Proxy
  • 11. Business Connectivity Services on-premises setup
    - Create a Business Data Connectivity service application in SharePoint on-premises
    - Configure the Business Connectivity Services Metadata Store
    - Configure the target application for the Secure Store Service
    - Define the external content type for external data
    - Create the external list and configure permissions
  • 12. Business Connectivity Services on-premises deployment (diagram: client layer, SharePoint service layer, external system layer; SharePoint 2013 Business Connectivity Services and Secure Store Service; external data source)
    - A user in need of on-premises data goes to an on-premises application or external list
    - The external list or application requests data and sends the request to Business Connectivity Services
    - Business Connectivity Services accesses the external content type to determine how to gain access to the external data and what credentials to use
    - Business Connectivity Services passes a request to a connector that retrieves the data by using either the user's credentials or credentials from a secure store
    - Optional: the user uses Connect to Outlook to take data offline; the ClickOnce installation installs the Business Connectivity Services model on the client; Microsoft Outlook connects to the external data and synchronizes it to the Outlook SharePoint external list (formatted as a contact list); the user interacts with the data and synchronizes changes with the external data source manually or automatically
  • 13. Hybrid Business Connectivity Services
    - Enables users to publish on-premises data to a list or application external to SharePoint Online
    - Enables federated users to gain access to on-premises data from SharePoint Online
    - Requires a two-way authentication topology using an external URL published by reverse proxy
    - Connects only through an OData source
  • 14. Hybrid Business Connectivity Services requirements
    - Business Connectivity Services must be installed on-premises
    - The on-premises instance must have connectivity to the external data source
    - A two-way authentication topology must be configured
    - An external URL to SharePoint on-premises must be configured
  • 15. Hybrid Business Connectivity Services flow (diagram: SharePoint Online tenancy with external list, Business Connectivity Services, secure store and Access Control Service; perimeter network with reverse proxy; internal network with on-premises SharePoint farm and external data source; authentication flow and data flow)
    - Using federated credentials, a user in need of on-premises data logs on to the online app or external list
    - The app or external list creates a request for data and sends it to Business Connectivity Services
    - Business Connectivity Services gains access to the external content type to determine how to access the external data and what credentials to use
    - Business Connectivity Services retrieves a secure-channel certificate from the secure store and an OAuth token from Windows Azure Active Directory for user authentication
    - Business Connectivity Services sends an HTTPS request to the published endpoint for the data source with the certificate and token
    - The reverse proxy authenticates the request and forwards it to SharePoint on-premises
    - SharePoint on-premises retrieves the identity from the token and maps it to the on-premises identity that has access to the data
    - On-premises Business Connectivity Services forwards the request to the OData service endpoint
    - The OData endpoint authenticates the request through Internet Information Services and returns the data
  • 16. SQL Azure integration
    - Enables integration of data into SharePoint Online from SQL Azure
    - Enables external users to gain access to data published online
    - Configuration and requirements: can be configured in addition to or separate from hybrid Business Connectivity Services; does not require a hybrid environment or hybrid identity management infrastructure
  • 17. SQL Azure flow (diagram: SharePoint Online, SQL Azure)
    - Users who need online data go to the online application or external list
    - The external list or online application creates a request for data and sends it to Business Connectivity Services
    - Business Connectivity Services accesses the external content type to determine how to access the external data
    - The external content type tells Business Connectivity Services the credentials to use, in this case credentials from the secure store
    - Business Connectivity Services passes the request to the endpoint of the SQL Azure Windows Communication Foundation service
    - SQL Azure returns the data
    - SharePoint Online displays the data in the browser
  • 18. Agenda: Infrastructure Setup; S2S Trust & Identity Management; Workload Integration
  • 19. Infrastructure Setup: Domain Setup, ADFS, Directory Synchronization, Reverse Proxy. S2S Trust & Identity Management. Workload Integration.
  • 20. On-premises infrastructure with federation (diagram): customer network with AD servers, DirSync server, ADFS servers, SharePoint STS, User Profile Sync Service, Secure Store target app and SharePoint; perimeter network with ADFS proxy and reverse proxy; Office 365 tenant with Identity Platform (Azure AD Directory Service, Azure AD tenant, Azure AD proxy, ACS trust, Federation Gateway) and SharePoint Online
  • 21. On-premises infrastructure without federation (diagram): as slide 20, but with a DirSync server with Password Sync in place of the ADFS servers and ADFS proxy
  • 22. Identity models
    - Cloud Identity: single identity in the cloud, suitable for small organizations with no integration to on-premises directories
    - Directory & Password Synchronization*: single identity suitable for medium and large organizations without federation
    - Federated Identity: single federated identity and credentials suitable for medium and large organizations
  • 23. The same three identity models as slide 22, reordered: Federated Identity, Cloud Identity, Directory & Password Synchronization*
  • 24. Windows Azure Active Directory directory synchronization (diagram): on-premises identity in AD, e.g. Domain\Alice, synchronized to a cloud identity, e.g. alice@contoso.com
  • 25. Directory synchronization steps
    - Activate: activate directory synchronization in your tenant
    - Add Domain: add the on-premises domain to the O365 tenant
    - TXT or MX Records: update DNS records
    - Install and Configure: run the wizard and start the sync
    - Sync: in the O365 dashboard validate users and groups
    - Activate Users: activate users and grant licenses
    - For detailed directory synchronization configuration see: http://aka.ms/directorysync
  • 26. Reverse proxy options: Web Application Proxy, Threat Management Gateway, F5 Big IP, Citrix Netscaler, Squid
  • 27. Inbound configuration sequence: Certificates (SSL, Client Auth, ADFS); ADFS (Install, Configure); WAP (Install, Publish); SharePoint (PowerShell); Test Access (Result, Source)
  • 28. On-premises infrastructure (diagram): as slide 20
  • 29. Infrastructure Setup: Directory Synchronization, Reverse Proxy for Inbound. S2S Trust & Identity Management: Replace S2S Token Signing Certificate for S2S Trust, Validate UPA, ACS Trust Setup. Workload Integration.
  • 30. For Remote Index to work we need to establish an OAuth trust with ACS between SharePoint on-premises and SharePoint Online. Replace the STS certificate across all SharePoint servers in the on-premises farm. Deploy Windows Azure AD PoSH with th