How to plan and set up a hybrid SharePoint 2013 on-prem and online architecture?

Life is never entirely black or white... So many of you are, and will be, considering a hybrid on-prem/online SharePoint 2013 architecture, whether to segment your users or your usage scenarios. What are the best practices, the precautions to take and the right governance to put in place to make your architecture a success?

Published in Technology, Business
  • 1. Give us your feedback! From your smartphone, at: Lots of prizes to win every hour!!! Microsoft keyboards, mice and games… Thank you for helping us improve TechDays
  • 2. SharePoint – Hybrid Architecture
    Mark Kashman – Senior Product Manager – @mkashman
    Pierre Vivier Merle – Partner – MVP SP – pierre.vivier-merle@vnext.fr
    Servers / Enterprise / Networks / IT
  • 3. Agenda
    • Why Hybrid?
    • SharePoint(s) interaction
    • Hybrid configuration steps
    • Search
    • Business Connectivity Services (BCS)
  • 4. The Enterprise Challenge
    Cloud:
      – It saves me $$
      – I always have the latest and greatest
      – Allows me to focus on my core business, not IT
      – Microsoft can run SP more reliably and efficiently than I can
      – I can easily scale up/down according to demand
      – I can more easily work with customers, partners outside of my company
    On-Premises:
      – I have existing investments (customized SP deployments w/lots of data and settings, custom solutions, LOB systems, collaboration, email and UC tools, etc.)
      – I can’t do everything in the Cloud that I can do on-premise
      – I want to protect my sensitive data by keeping it close
      – There is an extra cost to migrate
  • 5. Stages of hybrid
    – All or nothing: Cloud; On-Premises
    – Split, but integrated: Some in Cloud; Some On-Premises
    – Cross domain Push/Pull: Read; Write
    – Shared services: Single source; Split farm roles
  • 6. How Hybrid can Help
    • Mix technologies and platforms
      – Use the latest technologies in the cloud, with a continuous upgrade process
      – Keep “legacy” technologies on premise, with a controlled upgrade process
    • Extranet scenario
      – No need to “open” your on-premise architecture
      – Manage your partners’ accounts in several ways (Live ID, O365 accounts)
    • Search
      – Users want to easily find content
      – Migration can be confusing; don’t force your users to track what’s being moved, and when
      – Many customers will never move EVERYTHING to the cloud
    • BCS
      – Give users everything they need in one place
    You don’t HAVE to do both directions – you can “only” consume o365 data on-prem, or only on-prem data in o365
  • 7. Agenda
    • Why Hybrid?
    • SharePoint(s) interaction
    • Hybrid configuration steps
    • Search
    • BCS
  • 8. Consume / Push data from / To SharePoint Online
    • The new version of SharePoint Online is more open in terms of data consumption or CRUD:
      – Web services
      – JavaScript client object model
      – REST/OData endpoints
      – PowerShell SharePoint sets of APIs
  • 9. Provider Hosted Integration (diagram): register your app in SharePoint Online; deploy your app to On Premise / Azure Web Sites
  • 10. SharePoint Online Extranets and on-premise site directory
  • 11. Agenda
    • Why Hybrid?
    • SharePoint(s) interaction
    • Hybrid configuration steps
    • Search
    • BCS
  • 12. Office 365 Environment Configuration
    • These non-SharePoint items need to be configured to support hybrid:
      – Reverse Proxy and certificate authentication*
      – Identity Provider (ADFS or Shibboleth for o365)
      – MSOL Tools
      – SSO with o365
      – Dirsync
    * Only required if you are consuming on-prem data in o365
    (Diagram components: Office 365, UAG, Dirsync and Tools Servers, ADFS Servers, SharePoint Servers; the same environment diagram recurs on slides 29 through 35)
  • 13. Agenda
    • Why Hybrid?
    • SharePoint(s) interaction
    • Hybrid configuration steps
    • Search
    • BCS
  • 14. Hybrid Search – Demo Environment
  • 15. Search Center On-premises: Data Flow
    (Diagram components: O365 Search Center with its CSOM Query EndPoint, AD Sync, the Internet Boundary, Query and Results arrows, and the On-Prem Search Center with its CSOM Query EndPoint)
  • 16. Search Center in SPOnline: Data Flow
    (Diagram components: O365 Search Center with its CSOM Query EndPoint, Query and Results arrows, an Internet Facing EndPoint, AD Sync, the Internet Boundary, a Reverse Proxy / F5, and the On-Prem Search Center with its CSOM Query EndPoint)
  • 17. Design Considerations
  • 18. Agenda
    • Why Hybrid
    • SharePoint(s) interaction
    • Hybrid configuration steps
    • Search
    • BCS
  • 19. BCS, what is it?
    BCS is a way to integrate external data into SharePoint
  • 20. Business Connectivity Services
  • 21. Is it possible to access data across hosting boundaries and sourced in different Apps in a consistent and secure manner?
    YES
    • Connectivity
    • Security
  • 22. Hybrid Scenarios
    BCS (connectivity to on-premises OData service):
      – SPO -> On-Premises
        • CRUDQ Operations: Create, Read, Update, Query operations executed from SharePoint Online against on-premises data
      – On-Premises -> SharePoint Online
        • Receive Notification: Notifications sent from on-premises data store to SharePoint Online
    Duet Online (connectivity to on-premises SAP):
      – SPO -> On-Premises
        • Role Sync: Synchronize roles from SAP to SharePoint Online
        • Request a Report: Request a report for delivery from SAP to SharePoint Online
        • Complete a Task: Act upon a task received from SAP (e.g. Accept or Reject)
      – On-Premises -> SharePoint Online
        • Receive Report: SAP sends a report to SharePoint Online (scheduled, or on-demand)
        • Receive Task: SAP batch uploads tasks for completion by information workers using SharePoint or Outlook
  • 23. High Level Design for Hybrid BCS
    (Diagram components: Office 365 tenancy with CSOM Infrastructure, App and BCS issuing the Request; Company Internet DMZ with a Reverse Proxy or Proxy Appliance performing Inbound Auth, Identity Mapping and Request/Response Transforms; Company Intranet with the On-Premises Network, Hybrid Router, CSOM REST endpoint, SharePoint On-Premise and the backing System; an On-Prem Company Identity Provider)
  • 24. Using BCS from SharePoint Online to pull in an external datasource
  • 25. Conclusion
    • Cloud is great
    • Legacy platforms are the real world
    • Hybrid architecture to provide better responses to business needs
    • Begin to take advantage of Cloud offerings at your pace
  • 26. Resources
    • Documentation and Tools
      – Available on TechNet -
        • On-premises -> SPO configuration steps
        • Additional details for non-SharePoint steps – Identity provider and SSO – DirSync – MSOL Sign-In Assistant – MSOL Module for Windows PowerShell
      – Coming soon
        • SPO -> on-premises configuration steps (late November)
        • Plan your deployment (January/February)
      – Reverse Proxy docs
        • See your provider of choice (MS, F5, etc.)
  • 27. Join us at Conf’SharePoint!
  • 28. Appendix
  • 29. Reverse Proxy and Authentication*
    • When using hybrid features o365 sends requests from sites in the cloud to your on-prem farm
    • You need to establish a reverse proxy for these calls to be channeled through to secure the process
    • Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
    • SharePoint supports using a certificate for
  • 30. Reverse Proxy Requirements
    • A reverse proxy used for hybrid must support the following requirements:
      – 2 network cards – one connected to the Internet and the other to the internal company network
      – Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
      – Support SSL termination
    • We currently support two reverse proxy servers:
      – Microsoft – Forefront Unified Access Gateway (UAG)
      – F5 – Big IP
      – We plan to add more as they are tested for compatibility
  • 31. Reverse Proxy Configuration
    • These are the high level steps for configuring UAG for hybrid:
      – Configure the network in UAG using the Getting Started Wizard
      – Add an HTTPS trunk
      – Install an SSL certificate for the endpoint; it must:
        • Support the names for both the public HTTPS trunk and SharePoint site
        • Use 2048 bit length encryption; shorter lengths WILL NOT WORK!
      – Add the PFX in the UAG’s local certificate store
      – Publish the SharePoint site collection; use the SharePoint Server 2010 Web type
    • See your Reverse Proxy s/w documentation for full details
  • 32. Identity Provider
    • In order to have a single sign-on experience, you need a federated identity provider like ADFS
    • This requires the following:
      – 2 or more load balanced ADFS servers
      – An SSL certificate for the ADFS site
      – A proxy device, like the ADFS proxy server
      – For details on planning and implementation options see us/library/jj151794
    • All users must have a UPN of a registered
  • 33. MSOL Tools
    • You will need tools from MS Online (MSOL) in order to complete the next set of tasks:
      – Microsoft Online Services Sign-In Assistant
      – Microsoft Online Services Module for Windows PowerShell (MSOL PS)
      – The Directory Synchronization Tool (dirsync)
        • NOTE: This cannot be installed on a domain controller
    • You will need to run these on a SharePoint server to configure trust with ACS
    • Setting up dirsync and SSO trust is typically done on its own server
  • 34. SSO with o365
    • Install the MSOL PS snap-in to a local server; can be the same server being used for dirsync
    • Set up a federation trust between o365 and ADFS using MSOL PS
      – Use the Connect-MsolService cmdlet to authenticate and connect to o365
      – Use New-MsolFederatedDomain to start the process to establish the trust
      – Update DNS as instructed by the cmdlet
    • Or alternatively:
      – Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains section
      – Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
    • For more info see us/library/jj151794
  • 35. DirSync with o365
    • Grant accounts licenses to SharePoint, etc.
    • Log out then log in as an Active Directory user using your Identity Provider (i.e. ADFS)
  • 36. SharePoint Configuration Tasks
    These things need to be configured in SharePoint to support hybrid:
      – New SharePoint STS Token Signing Certificate
      – Configure a trust between SharePoint on-prem and ACS
    • Configure Secure Store
    • Configure UPA
    • Try out Search or BCS!
  • 37. New SharePoint STS Token Signing Certificate
    • You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it
    • You can replace it with:
      – A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED
      – A new self-signed certificate that you can create in the IIS Manager
      – Domain-issued certificates DO NOT WORK
    • Use the Set-SPSecurityTokenServiceConfig with the –
  • 38. Configure Trust Between SharePoint and ACS
    • Previously you created a federated trust for users to sign into o365
    • Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem
    • Using MSOL PowerShell (on prem):
      – Create an AppPrincipal using New-MsolServicePrincipalCredential
      – Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
      – Complete the trust using New-SPTrustedSecurityTokenIssuer
    • Complete detailed instructions are available in the documentation described at the end of this session
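The steps of slides 37 and 38 as one script, written as an added example for this page (it is not the presenters' script nor Microsoft's documented one). It uses the cmdlets named on the slides plus the supporting MSOL and SharePoint cmdlets they depend on; the PFX path, on-prem site URL and public host name are placeholders, the SharePoint Online app principal ID is the well-known constant, and the ACS metadata URL format is an assumption to verify against current documentation.

```powershell
# Added example (not from the deck): replace the on-prem STS signing certificate (slide 37),
# then build the OAuth server-to-server trust with Access Control Service (slide 38).
# Run in the SharePoint 2013 Management Shell on an on-prem farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath       = "C:\certs\sts-signing.pfx"          # placeholder; public-CA or self-signed, never domain-issued
$pfxPassword   = Read-Host "PFX password" -AsSecureString
$onPremSiteUrl = "https://sharepoint.contoso.com"    # placeholder: on-prem site collection
$publicHost    = "*.contoso.com"                     # placeholder: public name of the farm behind the UAG trunk
$spoAppId      = "00000003-0000-0ff1-ce00-000000000000"  # well-known SharePoint Online app principal ID

# Slide 37: load the PFX (private key stays on this farm) and make it the STS signing certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPassword, "Exportable,PersistKeySet"
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert

# Slide 38, step 1: give the SPO service principal only the PUBLIC certificate.
# -Usage Verify lets ACS validate on-prem signatures; it never obtains the signing key.
Connect-MsolService
$publicCertB64 = [Convert]::ToBase64String($cert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $publicCertB64

# Add the public host name as a service principal name so tokens addressed to it are accepted.
$spo  = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
$spns = $spo.ServicePrincipalNames
$spns.Add("$spoAppId/$publicHost")
Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $spns

# The on-prem farm must use the tenant context ID as its authentication realm, and SPO is
# registered as an app principal of the on-prem site (name identifier = SPO objectId@tenantId).
$tenantId = (Get-MsolCompanyInformation).ObjectId.ToString()
$spoObjId = $spo.ObjectId.ToString()
Set-SPAuthenticationRealm -Realm $tenantId
$site = Get-SPSite $onPremSiteUrl
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoObjId@$tenantId" -DisplayName "SharePoint Online" | Out-Null

# Slide 38, steps 2 and 3: proxy to ACS, then trust ACS as the token broker.
# Assumed metadata endpoint format for the tenant; check it against current Microsoft docs.
$acsMetadata = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -Name "ACS" -IsTrustBroker -MetadataEndpoint $acsMetadata

# Restart IIS so the STS starts signing with the new certificate.
iisreset
```

Run it once per farm; re-running New-MsolServicePrincipalCredential adds a second credential rather than replacing the first, so remove stale ones with Remove-MsolServicePrincipalCredential when you rotate the certificate.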
  • 39. Configure Secure Store
    • The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk
    • In o365 create a new Secure Store Service target application
      – Save the Target Application ID name because you will use that when configuring a result source
    • In the credentials field configure it as a Certificate Password
    • Click the Set button for the Credentials
      – Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
    • Complete detailed instructions are available in the documentation described at the end of this session
  • 40. Configure UPA
    • It’s critically important that you:
      – Have a UPA up and running
      – Have it populated with current data from Active Directory
    • We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.
    • With a hybrid solution, anything that you grant rights to needs to be in the profile system
      – E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you login to o365
      – More details at rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx
  • 41. Try out Search or BCS!
    • With all the pieces in place, you can try Hybrid Search:
      – Create a result source
      – Create a query rule
      – See the results
  • 42. Create A Result Source
    • Create a new result source and:
      – Use Remote SharePoint as the Protocol
      – If you are on-prem and getting results from o365:
        • Use the Url of your o365 for the Remote Service Url
        • Use Default Authentication for credentials
      – If you are o365 and getting results from on-prem:
        • Use the Url of the UAG HTTPS trunk for the Remote Service Url
          – The Url must use SSL
          – The SSL cert cannot be domain or self-issued; it must come from a trusted root authority
        • Use SSO id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
  • 43. Create A Query Rule
    This is where you can do a “live” test to see if everything is working
    • Create a new query rule
    • Remove the default Condition
    • Click on Add Result Block
    • Select your result source
    • Click on the Test tab and then
      – Click the “Show more” link
      – Type some query terms in the “{subjectTerms}:” edit box
      – Click the “Test query” button
      – If you have configured everything correctly – Voila! – you will see search results from the remote farm
  • 44. See the Results
    • This query rule fires on every search request – so users get query results from both farms
    (Screenshot labels: Results from the Cloud; Results from On Prem)
  • 45. Troubleshooting Tips
    • If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue:
      – In your on prem farm turn up the ULS logging
        • Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
          – App Auth
          – Application Authentication
          – Authentication Authorization
          – Claims Authentication
        • Change the “least critical” dropdowns to Verbose and save changes
        • Monitor the ULS logs each time you execute a query
  • 46. Troubleshooting Tips (cont.)
    • Use Fiddler as a reverse proxy on your SharePoint server; this requires
      – Installing Fiddler on the SharePoint server
      – Write a Fiddler script rule as described in Option #2 here:
      – Look at the TextView of the Response. Here’s an example of an error that you can see in there:
  • 47. Troubleshooting Tips (cont.)
    • Be aware of latency in queries across the cloud and on-premises
      – When a query is executed, ALL results must come back before the result is shown to the user
        • Latencies can run 1200 to 1500 milliseconds
      – Because of this you may want to put some thought into when you want to fire a query at a remote source
        • If you duplicate every single query you could introduce significant load on a farm
        • Where you want results back ASAP then you wouldn’t want remote queries to fire
        • You can also create a dedicated page that only queries the remote source
        • In short – you can mix and match with query rules to decide what works best
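The ULS steps of slide 45, done from PowerShell instead of Central Admin so that the verbose setting is limited to the four authentication categories, time-boxed to one test query, and reverted afterwards. This is an added example for this page, not the presenters' procedure; Set-SPLogLevel, Clear-SPLogLevel and Get-SPLogEvent are the standard SharePoint cmdlets, and the category names are the four the slide lists.

```powershell
# Added example (not from the deck): scoped verbose ULS logging for one hybrid query test.
# Run in the SharePoint 2013 Management Shell on the on-prem farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The four SharePoint Foundation categories from slide 45, in the Area:Category form Set-SPLogLevel expects.
$area       = "SharePoint Foundation"
$categories = @("App Auth", "Application Authentication", "Authentication Authorization", "Claims Authentication")
$identities = $categories | ForEach-Object { "${area}:$_" }

try {
    # Raise only these categories to Verbose; everything else keeps the farm's default level.
    Set-SPLogLevel -Identity $identities -TraceSeverity Verbose
    $start = Get-Date

    # Reproduce the failure now, e.g. the query rule "Test query" from slide 43.
    Read-Host "Run the remote search query now, then press Enter"

    # Read back only what was written since the test began, for those categories,
    # and cap the output so a busy farm does not flood the console.
    Get-SPLogEvent -StartTime $start |
        Where-Object { $_.Area -eq $area -and ($categories -contains $_.Category) } |
        Select-Object -Property Timestamp, Category, Level, Correlation, Message -First 100 |
        Format-Table -AutoSize -Wrap
}
finally {
    # Always revert: verbose authentication logging records token and claim detail
    # and fills the ULS log quickly, so it must not be left on.
    Clear-SPLogLevel -Identity $identities
}
```

Note the Correlation column: the same correlation ID appears in the cloud-side error page, so it is the fastest way to line up the on-prem trace with the request that failed.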