Mojemoje

Usage Rights: CC Attribution License
  • How to pilot single sign-on in a production user forest

    This post describes the steps necessary to pilot single sign-on (also known as identity federation) using corporate credentials within a production user forest, using a fictional organization, "contoso.com". This post assumes that the reader is somewhat familiar with single sign-on (identity federation) with Office 365 and has already read:
    > How single sign-on works
    > Preparing for single sign-on
    > Plan and deploy AD FS 2.0 for Office 365
    > Establishing a trust to Office 365
    > Install and configure the Microsoft Online Services Module for Windows PowerShell for single sign-on

    There are two key scenarios involved in piloting and staging the rollout of single sign-on to an organization:

    Scenario 1: The organization knows that it wants single sign-on (identity federation) to Office 365 right from the start. Therefore the organization establishes a trust between its Active Directory (via Active Directory Federation Service 2.0) and Office 365. In this scenario, the organization is able to pilot and stage the rollout of single sign-on to Office 365 services to its users simply by licensing directory synchronized federated users in the administration portal (once they have established the trust using the Microsoft Online Services Module for Windows PowerShell). Additionally the organization can set up an Authorization claim rule on the AD FS 2.0 server that will only generate a security token (for the authenticated user) if they are a member of an on-premise security group. Hence your pilot users can be put into this security group, as can your other users as you stage the rollout to the organization.

    Scenario 2: The organization has decided initially not to use single sign-on (identity federation). Instead the organization's users are using Microsoft Online cloud IDs (i.e. non-federated IDs) to sign in to Office 365 services. At some point later the organization decides that they want to start using single sign-on, by converting their existing users from standard Microsoft Online cloud IDs to federated IDs. This is a more complicated scenario for piloting and staging rollout, and hence is described in much more detail below.

    NOTE: Staging rollout of single sign-on to your organization for this scenario is not currently possible with Office 365. This is because conversion of a standard domain to a federated domain is currently an all or nothing switch (all users are automatically converted to use single sign-on at their next login). A federated domain may only contain federated/single sign-on users. However, piloting single sign-on with a set of production users from your production forest is possible and is described in detail below.

    Setting the stage

    Contoso Ltd. is an Enterprise size organization with over 2000 employees worldwide. Contoso has deployed Active Directory on premise in a single forest, contoso.com. Contoso is also an O365 customer and has over 2000 O365 suite licenses. Contoso has verified domain ownership of contoso.com with O365, and uses Directory Sync to synchronize their on premise AD forest contoso.com (users, contacts and groups) with O365. This has automatically created Microsoft Online IDs (cloud credentials) for each of the on premise users (logon enabled users) in the contoso.com forest. Hence, all Contoso employees using O365 have a cloud credential/UPN (separate from their corporate credential) under contoso.com. Additionally, contoso.com is the organization's primary SMTP domain. Contoso is very happy with their move to Office 365. However they are evaluating various pain points associated with managing accounts on premise and in the cloud. This has led to Contoso researching single sign-on. As such Contoso has decided that the investment to deploy single sign-on is worth taking. However, before making that investment, Contoso IT Admins would like to first pilot single sign-on with real production users and test various federated authentication scenarios before rolling this out to the rest of their company.

    Assumptions

    Contoso Publishing (or your organization) already has:
    > AD on premise.
    > A single forest containing the user accounts.
    > Directory synchronization running in their forest.
    > Users logging in to Office 365 using Microsoft Online cloud IDs that are under the forest domain (like contoso.com). These are non-federated accounts and are therefore authenticated by the Office 365 identity system.
    > Users who have a primary SMTP address under contoso.com. (Note: this is not mandatory.)
    > Not yet set up single sign-on.

    Steps to pilot

    1. Deploy AD FS 2.0 (as per Plan for and deploy AD FS 2.0 for Office 365) in Contoso's production environment.
    2. Purchase a new domain from a domain registrar. This domain should be distinct from your production domain (i.e. this cannot be a sub-domain of an existing production domain). For example, here we will assume purchase of fabrikam.com and use this in the example from now on.
    3. Federate the fabrikam.com domain with Office 365 by following the instructions in Install and configure the Microsoft Online Services Module for Windows PowerShell for single sign-on on "how to add a federated domain".
    4. Add fabrikam.com as another UPN domain suffix in your Active Directory forest (see http://technet.microsoft.com/en-us/library/cc756944(WS.10).aspx for instructions).
    5. Select pilot users for this pilot program and inform them (ahead of time via email) that they are part of this single sign-on pilot, the login changes that they should expect during this pilot, and when this change is scheduled for. Inform them that once the transition is complete, at any time when asked to enter an ID they need to enter their new UPN (the one under the fabrikam.com domain).
    6. Go into Active Directory Administrative Center or ADSI (Active Directory Users and Computers) and toggle the pilot users' UPNs to be under the fabrikam.com domain.
       NOTE: If the users who are in the pilot test group have smart cards then this technique may not be appropriate, since it involves changing the UPN of the user and will render their smart cards invalid for the period of the pilot program. Organizations should also review whether there are any internal applications or resource access that make use of users' UPNs and whether they need any updating.
       NOTE: This will not affect the user's SIP address or SMTP proxy addresses. It is perfectly valid to have a UPN that is different from a primary SMTP address.
    7. Once all the pilot users have had their UPNs changed, go to the DirSync machine and "force" a synchronization (or simply wait up to 3 hours for the next sync):
       > Go to %program files%\Microsoft Online Directory Sync.
       > Double click on DirSyncConfigShell.psc1 to open a PowerShell DirSync snap-in session.
       > At the PS command line type Start-OnlineCoexistenceSync and press Enter.
    8. Check that the DirSync update is complete by logging on to the O365 administration portal and into the Exchange Control Panel (ECP) and looking at the user lists in both places. Your pilot users' UPN changes should be reflected in both user lists.
    9. Contoso pilot users are asked to thoroughly test various sign in scenarios to ensure that single sign-on (and the AD FS 2.0 deployment) is correctly configured, and that single sign-on is ready to be rolled out across the entire organization. Tests include accessing Office 365 services from both browsers and rich client apps (such as Office 2007 or Office 2010, Lync and Outlook 2007 or Outlook 2010) in the following environments:
       > From a domain joined machine.
       > From a non-domain joined machine inside the corporate network.
       > From a roaming domain joined machine outside the corporate network.
       > From a home PC.
       > From a web kiosk (browser only).
       > From a smart phone (i.e. Exchange ActiveSync).

    Federate the production domain contoso.com

    Once Contoso is satisfied that single sign-on is correctly configured and working properly through the pilot testing process outlined earlier, Contoso is ready to roll this out to the existing production users. This involves 2 main steps:
    1. Moving the pilot users back into the production standard domain (contoso.com) and removing the test federated domain (fabrikam.com). Removing the test federated domain means that the AD FS 2.0 deployment can now be used to federate your production domain (contoso.com).
    2. Federating the contoso.com domain, by converting this standard domain to be federated.

    Moving the pilot users back to the production domain (contoso.com)

    1. Inform the pilot users that they are being moved back to the regular production domain and that their single sign-on experience will temporarily go away. Inform them that their UPN will change back to the production domain (contoso.com) and that they will be issued with a new temporary password to access Office 365 (i.e. the experience they had before the pilot program began). They should also be informed that as part of this move they may experience a brief period of downtime.
    2. Toggle the pilot users' UPN domain back to contoso.com from fabrikam.com.
    3. Either wait for DirSync to synchronize the changes or force a synchronization using the instructions given previously.
       NOTE: Due to a code defect Directory Sync will show an error. Moving from a federated domain to a standard domain in this fashion will be supported in the future once this defect is fixed.
    4. Moving the user back to a standard (non-federated) domain in the cloud requires the use of the Microsoft Online Services Module for Windows PowerShell. This is the same module that contains the federation tool cmdlets. For each of your pilot users, move them to the contoso.com domain by using the Set-MsolUserPrincipalName cmdlet. For example:
       Set-MsolUserPrincipalName -UserPrincipalName john@fabrikam.com -NewUserPrincipalName john@contoso.com
    5. Once you can see the pilot users' UPNs updated in the administration portal, reset all those pilot users' cloud passwords (using the administration portal) and distribute the temporary passwords to the pilot users. The pilot users will be forced to change their passwords the first time they log in after being moved back to the contoso.com domain [1].

    Federating the production domain (contoso.com)

    1. On the AD FS machine, open the Microsoft Online Services Module for Windows PowerShell (see Install and configure the Microsoft Online Services Module for Windows PowerShell for single sign-on for further information). This time, after connecting to the service and AD FS, remove the federated test domain fabrikam.com by using the Remove-MSOLFederatedDomain cmdlet.
    2. Inform all production users with Office 365 licenses/accounts in contoso.com that single sign-on is going to be enabled for their Office 365 login accounts and when this is scheduled for. Explain the changes in the login experience to all end users once the contoso.com domain is federated.
    3. Next, federate the contoso.com domain using the Convert-MSOLDomainToFederated cmdlet.
       NOTE: This conversion process can take up to 24 hours to complete. Microsoft recommends that this operation is performed over a weekend.
       NOTE: This conversion process will convert all the contoso.com users' cloud credentials into federated credentials, allowing them to use their corporate credentials to sign in to Office 365 services. Staging of this conversion process is not currently possible with Office 365.

    [1] Being prompted for credentials may not happen immediately because the client caches a service token for the user. When the service token expires, the user will be prompted for credentials.
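Two parts of the procedure above in script form, as an added example that is not code from the original post: the scenario 1 authorization claim rule that makes AD FS 2.0 issue Office 365 tokens only to members of an on-premise pilot group, and the scenario 2 UPN suffix toggle for the pilot users with the cloud-side move back. Assumed: a pilot group named SSO-Pilot, the suffixes contoso.com and fabrikam.com from the post, the relying party trust name "Microsoft Office 365 Identity Platform", and the ActiveDirectory module, AD FS 2.0 snap-in and Microsoft Online Services Module present on the respective machines.

```powershell
# Added example, not code from the original post. Scripts two parts of the
# procedure above: (1) the scenario 1 authorization claim rule that lets AD FS 2.0
# issue Office 365 tokens only to members of an on-premise pilot group, and
# (2) the scenario 2 UPN suffix toggle for pilot users, with the cloud-side move
# back. Assumed names: group "SSO-Pilot", suffixes contoso.com / fabrikam.com and
# the relying party trust name "Microsoft Office 365 Identity Platform".
Import-Module ActiveDirectory

# (1) Run on the AD FS 2.0 server. Replacing the default "permit all users" rule
#     with this one denies users outside the group, which is the staging mechanism
#     the post describes: add users to the group as the rollout proceeds.
function Set-Office365PilotAuthorizationRule {
    param(
        [Parameter(Mandatory)][string]$PilotGroup,
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform'   # assumed name
    )
    $sid = (Get-ADGroup -Identity $PilotGroup).SID.Value
    # AD FS claim rule language: permit only when the token carries the group's SID
    $rule = @"
@RuleName = "Permit Office 365 to members of $PilotGroup only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue    # AD FS 2.0 cmdlets
    Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceAuthorizationRules $rule
    return $rule
}

# (2) Run on premises: moves the pilot group's users from one UPN suffix to another
#     after checking that the target suffix is registered in the forest. Supports -WhatIf.
function Set-PilotUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PilotGroup,
        [Parameter(Mandatory)][string]$FromSuffix,
        [Parameter(Mandatory)][string]$ToSuffix
    )
    $forest = Get-ADForest
    if ($ToSuffix -notin (@($forest.Domains) + @($forest.UPNSuffixes))) {
        throw "'$ToSuffix' is not a UPN suffix of this forest; add it in AD Domains and Trusts first"
    }
    $members = Get-ADGroupMember -Identity $PilotGroup -Recursive |
               Where-Object objectClass -eq 'user' | Get-ADUser
    foreach ($u in $members) {
        # Only users currently under the expected suffix are touched; anything else is reported
        if ($u.UserPrincipalName -notlike "*@$FromSuffix") {
            Write-Warning "$($u.SamAccountName): UPN $($u.UserPrincipalName) is not under $FromSuffix, skipped"
            continue
        }
        $newUpn = $u.UserPrincipalName.Split('@')[0] + '@' + $ToSuffix
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            [pscustomobject]@{ User = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = $newUpn }
        }
    }
}

# Cloud side of the move back (the post's Set-MsolUserPrincipalName step); run in the
# Microsoft Online Services Module after Connect-MsolService.
function Move-PilotUsersToStandardDomain {
    param([Parameter(Mandatory)][string[]]$PilotUpns, [string]$ToSuffix = 'contoso.com')
    foreach ($upn in $PilotUpns) {
        Set-MsolUserPrincipalName -UserPrincipalName $upn -NewUserPrincipalName ($upn.Split('@')[0] + '@' + $ToSuffix)
    }
}

# Order of use, following the post (dry run the AD change first):
#   Set-PilotUpnSuffix -PilotGroup SSO-Pilot -FromSuffix contoso.com -ToSuffix fabrikam.com -WhatIf
#   Set-PilotUpnSuffix -PilotGroup SSO-Pilot -FromSuffix contoso.com -ToSuffix fabrikam.com
#   Start-OnlineCoexistenceSync           # on the DirSync machine, then verify in the portal and ECP
#   ... pilot testing ...
#   Set-PilotUpnSuffix -PilotGroup SSO-Pilot -FromSuffix fabrikam.com -ToSuffix contoso.com
#   Move-PilotUsersToStandardDomain -PilotUpns 'john@fabrikam.com'
#   Remove-MsolFederatedDomain -DomainName fabrikam.com
#   Convert-MsolDomainToFederated -DomainName contoso.com
```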

Mojemoje Presentation Transcript

  • 1 © SafeNet Confidential and Proprietary Office 365 integration with UAG SP1 for OTP Authentication
  • OTP Solution overview for O365 (diagram: AD FS 2.0, UAG, Active Directory, NPS, SAM, Office 365; https://www.outlook.com/owa/safenetdemos.com)
  • 3 Session Agenda
    > What is Office 365
    > Key Solution components
      > Directory synchronization
      > Federation
      > UAG
      > Exchange migration
    > How to build up the Solution
    > How to build a pilot
    > Troubleshooting and Tools
    > Demo
  • 4 Office 365 Includes…
  • 5-9 Microsoft Office 365 Value (image slides)
  • 10 World Class Data Centers
  • 11 Security Program
  • 12 There's an Office 365 for Everyone
  • 13 Plans for All of Your Employees (Office 365 Plans)
  • 14 User Segments: Right Features for the Right Users
  • 15 Office Professional Plus (O365) vs. Volume License
    Download location
      > Office Professional Plus: Office 365 Portal
      > Office Volume License: VL Software Center
    Software
      > Office Professional Plus: Office Professional Plus
      > Office Volume License: Office Standard 2010, Office Professional Plus 2010
    Product key / activation
      > Office Professional Plus: subscription based activation; term 30 days (monthly); no keys to manage, only users
      > Office Volume License: Volume License technologies; MAK perpetual activation, KMS 180 days; manage KMS and/or MAK keys
    When Reduced Functionality Mode (RFM) starts
      > Office Professional Plus: 60 days after last activation; "hard" RFM
      > Office Volume License: MAK: N/A; KMS: within 180 days; "notification mode"
    Deployment options
      > Office Professional Plus: Office 365 Portal; unmanaged and managed options
      > Office Volume License: unmanaged and managed options; App-V; Terminal Services
    Number of copies allowed
      > Office Professional Plus: 5 active installs on different devices per user; no downgrade rights
      > Office Volume License: single device per license/activation; downgrade rights
  • 16 Session Agenda (repeated from slide 3)
  • 17 Directory sync requirements
    > Office 365 Enterprise subscribers
    > AD permissions: member of the Enterprise Admins
    > Schema update for Exchange hybrid mode
    > AD cleanup:
      > Remove duplicate proxyAddress and userPrincipalName attributes.
      > Update blank and invalid userPrincipalName attributes with a valid userPrincipalName.
      > Remove invalid and questionable characters in the givenName, surname (sn), sAMAccountName, displayName, mail, proxyAddresses, and userPrincipalName attributes.
  • 18 What does Directory Sync do for you
    > Enables you to manage your company's information in one central location for both the on-premise intranet and Office 365
    > Seamless user experience across on-premise and Office 365 services (Exchange, Lync, SharePoint)
    > Flavors of co-existence:
      > Identity co-existence (aka single sign-on, federated identity, federated authentication)
      > Application co-existence
    > Runs as an appliance: install and forget
    > Proactively reports errors via email: "no news is good news"
  • 19 Preparing for Directory sync
    > Every user must have a UPN
    > UPN suffix must match a validated domain in Office 365
    > UPN character restrictions:
      > Letters, numbers, dot or dash
      > No dot before the @ symbol
    > Users may need to understand that they must use their UPN to log on to Office 365 apps
      > Can be hidden from users with smart links from domain machines
  • 20 AD Naming vs UPN Suffix
    > Number of different structures for Active Directory naming:
      > Publicly routable
      > Sub domain of a publicly routable domain
      > Private domain (e.g. contoso.local)
      > Single level domain (e.g. contoso)
    > Must use a publicly routable domain, or a sub domain of a publicly routable domain, for your UPN suffix:
      > Required for realm discovery
      > Must be able to prove ownership (via public DNS record)
      > It does not need to be the same as your AD domain name
    > Domain name must be shorter than 48 characters
  • 21 UPN Validations
    > All users should have a defined UPN. Where not set:
      > Enterprise single sign-on enabled: sAMAccountName@DomainName
      > Cloud based identity: MailNickName@[company].onmicrosoft.com
    > Restrictions on allowed characters in a cloud based UPN:
      > Letters, numbers, dot, underscore or dash
      > No dot before the @ symbol (e.g. ross.adams@contoso.com is ok, but ross.adams.jr.@contoso.com is not)
      > Username must not be longer than 64 characters
    > Non validated domain
    > Customer ready tool to verify data in AD
  • 22 How Directory Synchronization works: Attribute Validations
    Attribute / most common issues:
    > userPrincipalName
      > cannot have a dot '.' immediately preceding '@'
      > cannot exceed 113 chars (64 for username, 48 for domain)
      > cannot contain ! # $ % & * + - / = ? ^ _ ` { | } ~ < > ( )
      > cannot have duplicate UPNs
    > sAMAccountName
      > cannot contain " / [ ] : | < > + = ; ? ,
      > cannot end with a dot '.'
      > cannot be more than 20 chars
      > cannot be empty
    > proxyAddresses
      > cannot contain smtp addresses with domains that are not registered for the tenant
      > cannot have duplicate proxy addresses
  • 23 How Directory Synchronization works: Writing to On-Premise AD
    > If Rich Co-Existence is disabled, Directory Sync will not modify the customer's on-prem AD
    > If Rich Co-Existence is enabled, Directory Sync will modify up to 6 attributes on users (attribute / feature):
      > SafeSendersHash, BlockedSendersHash, SafeRecipientHash: Filtering Coexistence, enables on-premise filtering using cloud safe/blocked sender info
      > msExchArchiveStatus: Cloud Archive, allows users to archive mail to the Office 365 service
      > ProxyAddresses (cloudLegDN): Mailbox off-boarding, enables off-boarding of mailboxes back to on-premise
      > cloudmsExchUCVoiceMailSettings: Voicemail Co-Existence, enables on-premise mailbox users to have Lync in the cloud
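The "customer ready tool to verify data in AD" that slide 21 mentions is not on the page; the script below is an added example, not SafeNet's or Microsoft's tool, that checks the userPrincipalName, sAMAccountName and proxyAddresses rules from slides 21 and 22 over a few constructed user records. It assumes the tenant has verified contoso.com and fabrikam.com, and follows slide 21's allowed character set for the UPN username (slide 22 also lists dash and underscore as disallowed, which contradicts slide 21).

```powershell
# Added example, not from the SafeNet deck: checks the attribute rules from slides 21
# and 22 before DirSync runs. The users below are constructed; a real run would feed
#   Get-ADUser -Filter * -Properties userPrincipalName,sAMAccountName,proxyAddresses
# Assumption: the tenant has verified contoso.com and fabrikam.com.
$RegisteredDomains = @('contoso.com', 'fabrikam.com')

# Slide 21: a cloud UPN username may contain letters, numbers, dot, underscore or dash
$UpnLocalAllowed = '^[A-Za-z0-9._-]+$'
# Slide 22: sAMAccountName cannot contain " / [ ] : | < > + = ; ? ,
$SamBadChars = '["/\[\]:|<>+=;?,]'

function Test-DirSyncUser {
    # Per-object checks; returns the list of issues (empty when the user is clean)
    param([Parameter(Mandatory)][psobject]$User)
    $issues = @()

    $upn = [string]$User.userPrincipalName
    if ($upn -match '^([^@]+)@([^@]+)$') {
        $local = $Matches[1]; $domain = $Matches[2]
        if ($local.EndsWith('.'))              { $issues += 'UPN: dot immediately before @' }
        if ($local.Length -gt 64)              { $issues += 'UPN: username longer than 64 chars' }
        if ($domain.Length -gt 48)             { $issues += 'UPN: domain longer than 48 chars' }
        if ($local -notmatch $UpnLocalAllowed) { $issues += 'UPN: disallowed character in username' }
        if ($domain -notin $RegisteredDomains) { $issues += "UPN: suffix $domain is not a validated tenant domain" }
    } else {
        $issues += 'UPN: empty or not in username@domain form'
    }

    $sam = [string]$User.sAMAccountName
    if ($sam -eq '') {
        $issues += 'sAMAccountName: empty'
    } else {
        if ($sam -match $SamBadChars) { $issues += 'sAMAccountName: disallowed character' }
        if ($sam.EndsWith('.'))       { $issues += 'sAMAccountName: ends with a dot' }
        if ($sam.Length -gt 20)       { $issues += 'sAMAccountName: longer than 20 chars' }
    }

    foreach ($addr in @($User.proxyAddresses | Where-Object { $_ })) {
        # -match is case-insensitive, so SMTP: (primary) and smtp: (secondary) are both covered
        if ($addr -match '^smtp:[^@]+@(.+)$' -and $Matches[1] -notin $RegisteredDomains) {
            $issues += "proxyAddresses: $addr uses a domain not registered for the tenant"
        }
    }
    return $issues
}

function Test-DirSyncUsers {
    # Runs the per-object checks, then the cross-object ones from slide 22
    # (duplicate UPNs, duplicate proxy addresses) and prints a report.
    param([Parameter(Mandatory)][psobject[]]$Users)
    $issues = @{}; $seenUpn = @{}; $seenProxy = @{}
    for ($i = 0; $i -lt $Users.Count; $i++) {
        $u = $Users[$i]
        $issues[$i] = @(Test-DirSyncUser -User $u)
        $upnKey = ([string]$u.userPrincipalName).ToLower()
        if ($seenUpn.ContainsKey($upnKey)) { $issues[$i] += "UPN: duplicate of $($seenUpn[$upnKey])" }
        else { $seenUpn[$upnKey] = $u.sAMAccountName }
        foreach ($addr in @($u.proxyAddresses | Where-Object { $_ })) {
            $key = $addr.ToLower()
            if ($seenProxy.ContainsKey($key)) { $issues[$i] += "proxyAddresses: $addr duplicates $($seenProxy[$key])" }
            else { $seenProxy[$key] = $u.sAMAccountName }
        }
    }
    for ($i = 0; $i -lt $Users.Count; $i++) {
        $state = if ($issues[$i].Count -eq 0) { 'OK     ' } else { 'PROBLEM' }
        "$state $($Users[$i].sAMAccountName) <$($Users[$i].userPrincipalName)>"
        foreach ($msg in $issues[$i]) { "        - $msg" }
    }
}

# Constructed sample records: one clean user and three that break the slide's rules
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = 'jdoe'; userPrincipalName = 'john.doe@contoso.com'
                       proxyAddresses = @('SMTP:john.doe@contoso.com', 'smtp:jdoe@contoso.com') },
    [pscustomobject]@{ sAMAccountName = 'radams.'; userPrincipalName = 'ross.adams.jr.@contoso.com'
                       proxyAddresses = @('SMTP:ross.adams@contoso.com') },
    [pscustomobject]@{ sAMAccountName = 'svc:backup'; userPrincipalName = 'svc#backup@contoso.local'
                       proxyAddresses = @('SMTP:backup@oldcompany.example', 'smtp:jdoe@contoso.com') },
    [pscustomobject]@{ sAMAccountName = 'jdoe2'; userPrincipalName = 'John.Doe@Contoso.com'
                       proxyAddresses = @() }
)
Test-DirSyncUsers -Users $SampleUsers
```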
  • 24 Single Forest AD structure and Considerations
  • 25 Single Sign on setup
  • 26 How Directory Synchronization works: Architecture
  • 27 Session Agenda (repeated from slide 3)
  • 28 Office 365 Identity features
    > Password policy controls for Microsoft Online IDs
    > Single sign-on with corporate credentials
    > Role-based administration: five administration roles
      > Company Admin
      > Billing Admin
      > User Account Admin
      > HelpDesk Admin
      > Service Support Admin
    > Support for hybrid environments for services such as Exchange Online
    > Support for strong authentication (e.g. smart cards)
  • 29 Role Based Access: Office 365 Roles
  • Identity Architecture (diagram, safenetdemos customer premises): 1. Microsoft Online IDs; 2. Microsoft Online IDs + DirSync; 3. Federated IDs + DirSync. Components shown: AD, MS Online Directory Sync, Active Directory Federation Server 2.0 (IdP, trust), the Microsoft Online Services provisioning and authentication platforms, directory store, admin portal, Exchange Online, SharePoint Online, Lync Online and Office 365 Desktop Setup.
  • Single Sign on Setup for New domains (diagram, safenetdemos customer premises)
    1. Microsoft Online PowerShell Module for Windows
    2. Connect to AD FS 2.0 and Microsoft Office 365
    3. Add Domain (returns details for proof of ownership)
    4. Add Domain
    Diagram annotations: Add Domain (required CNAME); Verify-Domain; Add Trust (claim rules, User Source ID = AD ObjectGUID, active/MEX/passive endpoints, token certs current/next, brand URI etc.); Update. Components: Identity Services provisioning platform, Active Directory Federation Server 2.0 (trust), directory store, admin portal / PowerShell, authentication platform, MSOL PowerShell Module, Microsoft Online Services.
  • 32 Identity
  • 33 Authentication Options: IT Administrator considerations
    > Microsoft Online IDs
      > Manages password policy in cloud & on-prem
      > Password reset for on-prem & MS Online IDs
      > No 2 factor auth integration
    > Federated IDs
      > Manages password policy on-premise only
      > Password reset for on-premise IDs only
      > 2 factor auth integration options
      > Requires additional on-premise servers to enable identity federation
  • Identity options comparison
    1. MS Online IDs
      > Appropriate for: smaller orgs without AD on-premise
      > Pros: no servers required on-premise
      > Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; IDs mastered in the cloud
    2. MS Online IDs + Dir Sync
      > Appropriate for: medium/large orgs with AD on-premise
      > Pros: users and groups mastered on-premise; enables co-existence scenarios
      > Cons: no SSO; no 2FA; 2 sets of credentials to manage with differing password policies; single server deployment
    3. Federated IDs + Dir Sync
      > Appropriate for: larger enterprise orgs with AD on-premise
      > Pros: SSO with corporate credentials; IDs mastered on-premise; password policy controlled on-premise; 2FA solutions possible; enables co-existence scenarios
      > Cons: high availability server deployments required
  • 35 Sign On Experience: Federated vs. Non-Federated Summary
    > Office 365 Desktop setup required for rich clients
      > Installs client and operating system updates to enable the best sign-on experience
      > Enables authentication support for rich clients
      > Not required for web kiosk scenarios (e.g. OWA)
    > Passwords can be saved for Outlook on XP/Vista clients and mobile devices etc.
    Client matrix (columns: Federated IDs (domain joined), MS Online IDs; rows: Outlook 2010 on Win 7; Outlook 2007* on Vista/XP; Outlook 2007 or 2010 on Win 7/Vista/XP; Outlook Web Application; ActiveSync, POP, IMAP, Entourage; SharePoint Online/Lync Online with Office 2010 or Office 2007 SP2). Cell values that survive in the transcript: "Online ID" (five cells) and "AD credentials" (one cell).
  • 36 Identity Federation Requirements
    > Single Active Directory forest, functionality level 2003
    > Windows 2008/R2 for Active Directory Federation Services 2.0
    > Hybrid deployments: Exchange 2010 SP1 CAS and associated schema
    > Must be an Enterprise AD account to set up Directory Sync
    > Unique third-party SSL certificate
    > Windows PowerShell 2.0 feature
    > Microsoft Online Services Module for Windows PowerShell tool
    > Establish a relying party trust relationship between the AD FS 2.0 federation server farm and Office 365
    > Windows 2003 or above for Directory Synchronization
    > Single forest; multiple domains in a single forest supported
  • 37 ADFS Terminology
    > ADFS: standard base service projecting internal users to the cloud by a trust
    > STS (Security Token Service): Microsoft asserts that an STS is a Security Token Service that issues/validates security tokens that contain claims about a subject.
    > Federation server: a federation server issues tokens and serves as part of a Federation Service.
    > http://technet.microsoft.com/en-us/library/adfs2-help-terminology(v=ws.10).aspx
  • 38 Identity Federation Authentication flow (passive profile): diagram showing the client (joined to CorpNet), AD FS 2.0 server and Active Directory on the customer side, and the Federation Gateway and Exchange Online on the Microsoft Office 365 side
  • 39 Identity Federation Authentication flow (active profile): diagram with the same components as slide 38
  • 40 Strong Authentication
    > Currently supported scenarios:
      > Rich applications must not require a second factor to authenticate, i.e. log on to the workstation with strong auth and then all connections are based on existing Kerberos tickets
      > Web applications
    > Unsupported scenarios:
      > Non-domain joined (rich apps)
      > Mobile applications
    Operating system/client mix (Windows 7 / legacy clients, Vista and XP):
      > Outlook 2010: Yes / No
      > Outlook 2007*: Yes / No
      > Lync 2010: Yes / Yes
      > SharePoint Online: Yes / Yes
      > Web applications: Yes / Yes
      > Mobile: No
  • 41 Alternative Proxies and Strong Authentication (authentication scheme / authentication / limitations)
    > AD FS proxy: requires integration of the strong authentication provider with the AD FS proxy login page. Limitations: none.
    > Forefront TMG: publish the AD FS server; integration with some strong authentication providers is provided out of the box. Limitations: supported, but requires each path to be published separately.
    > Forefront UAG SP1: publish the AD FS server; integration with some authentication providers is provided out of the box, very flexible integration options. Limitations: web clients only.
  • 42 AD FS 2.0 deployment options
    1. Single server configuration
    2. AD FS 2.0 server farm and load-balancer
    3. AD FS 2.0 proxy server or UAG/TMG (external users, ActiveSync, down-level clients with Outlook)
    Diagram: enterprise network with Active Directory and AD FS 2.0 servers, DMZ with AD FS 2.0 server proxies, internal and external users.
  • 43 Session Agenda (repeated from slide 3)
  • 44 Why do I need UAG in a world that is going cloud?
    > The chance of the future being a hybrid setup, cloud + on prem, is very big.
    > You will still need to give your clients access to internal apps.
    > You will need a bridge between your corpnet and the cloud-nets (think of ADFS publishing).
  • 45 UAG Solution Architecture (diagram)
    > Clients: business partners / sub-contractors, home / friend / kiosk, employees, managed machines, mobile; reaching UAG over the Internet via DirectAccess, HTTPS (443) or layer 3 VPN
    > Back ends: AD, ADFS, RADIUS, LDAP…; Exchange, CRM, SharePoint, IIS based apps, IBM, SAP, Oracle; Terminal / Remote Desktop Services; non-web apps; NPS, ILM
    > Strong authentication
    > Endpoint health detection: NAP and down-level
    > Authorization: based on health status; who + where
    > Information leakage prevention: attachment/cache wiper
  • 46 What is UAG & Compare the Edge
    > Integrated and comprehensive protection from Internet-based threats
    > Unified platform for all enterprise remote access needs
  • 47 TMG vs UAG (at the publishing level)
    > TMG
      > De-emphasised on publishing
      > Limited to HTTP(S) publishing
      > Limited to auth as security
      > Client unaware
    > UAG
      > The future of publishing
      > Portal approach
      > HTTP(S) + client/server app + VPN (including DA)
      > Health check and cleanup
      > Very flexible authentication
      > Loads of pre-built templates
      > Very detailed reporting
  • 48 Two Keywords in UAG lingo
    Trunk
    > Two types of trunks (UAG cannot publish on any other ports):
      > HTTP (TCP 80)
      > HTTPS (TCP 443)
    > Is like an IIS website or a TMG listener => IP + port
    > A redirect trunk can redirect HTTP to HTTPS, not the other way.
    > Can be linked to the portal or direct to an application
    > Two options:
      > Portal trunk => homepage of UAG
      > ADFS trunk => SSO over the border of forests
    Application
    > +/- 40 templates / 5 top-level apps
    > Built-in services (automatically added to the trunk): file access => NTFS shares; Web Monitor => remote UAG management
    > Web (applications): SharePoint, Exchange, ...; Other => create your own setup
    > Client/server and legacy: apps that run outside of the browser; SSL VPN for specific apps; when launching an app the UAG client component loads; Remote Network Access => full network SSL VPN
    > Browser-embedded: starts in the browser and shifts to binary; Citrix XenApp
    > Terminal services and remote desktop: 5 templates
  • 49 UAG Trunks (diagram): external IP and URL, HTTP or HTTPS -> UAG trunk -> evaluate endpoint access settings -> authenticate user against authentication servers -> trunk portal
  • 50 Require domain membership for
    > ADFS
    > KCD
    > File-Access
    > DirectAccess
    > UAG Array
  • Adding OTP Authentication (diagram: AD FS 2.0, UAG, Active Directory, NPS, SAM, Office 365; https://www.outlook.com/owa/safenetdemos.com)
  • 52 Session Agenda (repeated from slide 3)
  • Migration approach by organization size (chart): seat counts 1, 150, 5,000 and 25,000; approaches C-EM, S-EM with DirSync and Hybrid; durations <1 week, 2 weeks, 3 weeks and several months; coexistence: none, mailflow/GalSync, Free/Busy and archive in cloud
  • 54 Deployment Plan: Choices to fit your organization (source system / supported options among IMAP migration, Exchange migration, Staged migration and Hybrid)
    > Exchange 5.5: IMAP migration
    > Exchange 2000: IMAP migration
    > Exchange 2003: IMAP migration, Exchange migration, Staged migration, Hybrid
    > Exchange 2007: IMAP migration, Exchange migration, Staged migration, Hybrid
    > Exchange 2010: IMAP migration, Exchange migration, Hybrid (staged migration is not supported for Exchange 2010, see slide 57)
    > Notes/Domino: IMAP migration
    > GroupWise: IMAP migration
    > Other: IMAP migration
  • 55 Migration Options
    > Cutover: all mailboxes are moved into the cloud in one big hit. Best suited to smaller companies. (No DirSync, MX flip)
    > Staged: mailboxes are moved in batches. (Requires DirSync)
    > Hybrid: on board / off board.
    Existing organization / number of mailboxes to migrate / maintain mailboxes in your on-premises organization? / deployment option:
    > Exchange 2010, Exchange 2007 or Exchange 2003; less than 1,000 mailboxes; no: Cutover
    > Exchange 2007 or Exchange 2003; no maximum; yes: Staged or hybrid
    > Exchange 2010; more than 1,000 mailboxes; no: Hybrid
    > Exchange 2010; more than 1,000 mailboxes; yes: Hybrid
    > Office 365 for professionals and small businesses; fewer than 50*; not applicable**: Cutover
  • 56 Cutover Exchange migration steps
    > Requires Exchange Server 2003 and up
    > Enable Outlook Anywhere (RPC over HTTP)
    > Enable certificates
    > Run migrations
    > No OST preservation
    > All or nothing migration
    > No DDL
    > End user performs first logon on 365 and resets password
    > End user creates a new Outlook profile and OST file and resyncs all content
  • 57 Staged Exchange migration steps
    > Mail flow on premises > O365 through CAS
    > Requires DirSync
    > Migrate a subset of your on-premises mailboxes to Office 365 with a staged Exchange migration
    > Incremental syncs not needed
    > Users start using their mailbox when created: new mail is available immediately, old content fills in
    > Stamps targetAddress on the source mailbox to support mail flow from on premises to the cloud
    > Important: you cannot perform a staged Exchange migration to migrate on-premises Exchange 2010 mailboxes to Office 365.
  • 58 © SafeNet Confidential and Proprietary Hybrid Feature Staged Hybrid Mail routing between on-premises and cloud (recipients on either side)   Mail routing with shared namespace (if desired) - @company.com on both sides   Unified GAL   Free/Busy and calendar sharing cross-premises  Mailtips, messaging tracking, and mailbox search work cross-premises  OWA Redirection cross-premise (single OWA URL for both on-premises and cloud)  Exchange Online Archive  Exchange Management Console used to manage cross-prem relationship & mailbox migrations  Native mailbox move supports both onboarding and offboarding  No outlook reconfiguration or OST resync required after mailbox migration  Online Mailbox Move allows users to start logged into their mailbox while it is being moved to the cloud  Secure Mail ensure emails cross-premises are encrypted, and the internal auth headers are preserved  Centralized mailflow control, ensures that all email routes inbound/outbound via On Premises 
  • 59 Hybrid
  > Makes your on-premises organization and cloud organization work together like a single, seamless organization
  > Offers near-parity of features/experience on-premises and in the cloud
  > Seamless interactions between on-premises and cloud mailboxes
  > Migrations in and out of the cloud are transparent to the end user
  > Features not supported:
    > Migration of Send As / Full Access permissions
    > Multi-forest: only single-forest source environments
  • 60 Hybrid Server Roles
  2 required server roles:
  > Office 365 Active Directory Synchronization
  > Exchange Server 2010 SP1 CAS/Hub*
  1 optional server role:
  • 61 Federation Scenarios
  • 62 Hybrid Setup
  Step                                                    | Details                                                                                                   | Required/Recommended
  Register your custom domains in the Office 365 portal   | Register any primary SMTP domains                                                                         | Required
  Configure Federated Identity                            | On-premises ADFS/Geneva server allows on-premises (single) identity to be used for cloud authentication    | Recommended
  Configure DirSync                                       | On-premises appliance synchronizes on-premises directory/GAL with the cloud                                | Required
  Enable DirSync Writeback                                | Allows rich off-boarding with message repliability, archiving in the cloud, and UM in the cloud            | Recommended
  • 63 Hybrid Setup
  Step                                                              | Details                                                                                                                                                                                  | Required/Recommended
  Install Exchange Server 2010 SP1 server on-premises               | On-premises Exchange Server 2010 SP1 CAS/Hub server required for hybrid features                                                                                                         | Required
  Configure cloud Autodiscover DNS record                           | Allows an on-premises-targeted Autodiscover Outlook client to redirect to the cloud                                                                                                      | Required
  Publish MRS Proxy                                                 | Allows the Exchange Online Mailbox Replication Service to connect on-premises and perform a move to the cloud                                                                            | Required
  Implement cloud configuration policies                            | Create configuration policies in the cloud to match (or complement) on-premises configuration policies (e.g. ActiveSync policies, OWA policies, etc.)                                    | Recommended
  Configure RBAC in the cloud                                       | Create/manage Role Based Access Control (RBAC) settings in the cloud to match (or complement) on-premises RBAC configuration                                                              | Recommended
  Configure Federation Trust / Org Relationship ("Federated Sharing") | Enable infrastructure for delegated Live namespace federation. Allows cross-premises Free/Busy and shared calendaring, OWA redirection (single URL), Mailtips, mailbox search, message tracking, and archiving | Recommended
  Configure cross-premises mail routing                             | Ensures proper anti-spam/header handling for mail sent between on-premises and the cloud                                                                                                 | Recommended
  • 64 Hybrid Migration
  > Why might you care about offboarding?
    > Long-term hybrid scenarios
    > Compliance requirements (retaining ex-employee data)
    > Piloting online but not committed to the move
  > What you need to know about offboarding
    > Offboarding is available using the EMC toolset while in a hybrid scenario
    > Offboarding to an on-premises Exchange Server 2010 database is an online mailbox move
  • 65 Deployment Flexibility
  • 66 FOPE Admin Center
  • Run real-time reports
  • Customize spam settings
  • Configure policy filtering
  • Perform message tracking
  • Office 365 customers can access FOPE Admin Center
  • Provides Office 365 customers with a new level of control
  • 67 When to use Admin Center vs. the Exchange Control Panel
  Use FOPE Admin Center for these tasks:
  • Trace messages outside your organization
  • Perform transport-related tasks not available in transport rules:
    • Specific header attributes
    • Custom dictionaries, character sets
    • Actions such as quarantine or encrypt
  • Configure org-wide safe/blocked senders
  • Configure granular anti-spam settings (e.g. backscatter, SPF)
  • View reports on spam filtering
  • Configure forced TLS
  Use Exchange Control Panel for these tasks:
  • Trace messages within your organization
  • Set up transport rules to:
    • Add disclaimers to emails
    • Look for keywords and regular expressions
    • Block email sent to the outside world (by sender, domain, etc.)
    • Moderate email delivery
  • Configure journaling of emails to an external archive
  • 68 Session Agenda
  > What is Office 365
  > Key Solution components
    > Directory synchronization
    > Federation
    > UAG
    > Exchange migration
  > How to build up the Solution
  > How to build a pilot
  > Troubleshooting and Tools
  > Demo
  • 69 Steps to build the solution:
  > Add and verify your domain name with Office 365
  > Prepare your on-premises Active Directory for directory synchronization
  > Enable single sign-on (identity federation)
  > Install the Directory Synchronization Tool and perform synchronization
  > Configure email migrations (staged or hybrid)
  > Install UAG SP1 and publish ADFS (proxy)
  > Install SAM 8.0 SP3
  > Deploy client applications and the Office 365 desktop setup
  > Enroll and provision tokens to clients
  > Test and validate
  • 70 Key Activities
  • 71 Session Agenda
  > What is Office 365
  > Key Solution components
    > Directory synchronization
    > Federation
    > UAG
    > Exchange migration
  > How to build up the Solution
  > How to build a pilot
  > Troubleshooting and Tools
  > Demo
  • 72 How to pilot single sign-on in a production user forest
  > Set up an authorization claim rule on the ADFS 2.0 server that only generates a security token for the authenticated user if they are a member of an on-premises security group. Your pilot users can then be put into this security group, as can your other users as you stage the rollout to the organization.
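The authorization rule described on this slide, written out as an added example that is not part of the original deck: it expresses the group-membership check in ADFS 2.0 claim rule language and applies it to the Office 365 relying party trust with the ADFS 2.0 PowerShell snap-in. The relying party display name "Microsoft Office 365 Identity Platform" and the pilot group name CONTOSO\O365-Pilot are assumptions; the group SID is resolved at run time so no SID is hard-coded.

```powershell
# Added example: restrict ADFS 2.0 token issuance for Office 365 to one AD group.
# Assumptions: ADFS 2.0 on Windows Server 2008 R2, relying party trust named
# "Microsoft Office 365 Identity Platform", pilot group "CONTOSO\O365-Pilot".
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$RelyingParty = 'Microsoft Office 365 Identity Platform'   # assumed display name
$PilotGroup   = 'CONTOSO\O365-Pilot'                       # assumed group name

# The rule matches on the group SID, not the name, so resolve it once here;
# a later rename of the group does not break the rule.
$PilotSid = ([System.Security.Principal.NTAccount]$PilotGroup).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

# Issuance authorization rule: permit only when the incoming groupsid claim for
# the pilot group is present. With no other permit rule, a non-member receives
# no token and the sign-in fails at ADFS rather than at Office 365.
$AuthRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Office 365 pilot group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "$PilotSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit",
          Value = "true");
"@

# Keep the rule set currently in force so the restriction can be reverted
# when the pilot is widened to the whole organization.
$Before = (Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
$Before | Out-File -FilePath '.\o365-authz-rules.before.txt' -Encoding UTF8

Set-ADFSRelyingPartyTrust -TargetName $RelyingParty -IssuanceAuthorizationRules $AuthRules

# Show the rules now in effect for the Office 365 trust.
(Get-ADFSRelyingPartyTrust -Name $RelyingParty).IssuanceAuthorizationRules
```

Staging the rollout is then an Active Directory group change only; when the pilot is over, the saved rule set is restored with the same Set-ADFSRelyingPartyTrust call.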
  • 73 Session Agenda
  > What is Office 365
  > Key Solution components
    > Directory synchronization
    > Federation
    > UAG
    > Exchange migration
  > How to build up the Solution
  > How to build a pilot
  > Troubleshooting and Tools
  > Demo
  • 74 Troubleshooting and Tools
  > Microsoft Office 365 Deployment Readiness Tool
  > Microsoft Exchange Remote Connectivity Analyzer: https://www.testexchangeconnectivity.com/
  > UAG Web Monitor
  > PowerShell cmdlets
  > Outlook Test Connection