Mojemoje

1
© SafeNet Confidential and Proprietary
Office 365 integration with UAG SP1
for OTP Authentication

OTP Solution overview for o365
ADFS v 2.0
UAG
Active
Directory
NPS
SAM
Office 365
https://www.outlook.com/owa/safenetdemos.com

3
Session Agenda
> What is Office 365
> Key Solution components
> Federation
> Directory synchronization
> Federation
> UAG
> Exchange migration
> How to build up the Solution
> How to build a pilot
> Troubleshooting and Tools
> Demo

4
Office 365 Includes…
4

5
Microsoft Office 365 Value

6

7

8

9

10
World Class Data Centers
1
0
•
•
•
•
•
•
World Class Data Centers

11
Security Program
11

12
There’s an Office 365 for Everyone
1
2
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

13
Plans for All of Your Employees
Office 365 Plans

14
User Segments: Right Features for the Right
Users

15
Office Professional Plus (O365) vs. Volume License
Office Professional Plus Office Volume License
Download location • Office 365 Portal • VL Software Center
Software • Office Professional Plus • Office Standard 2010
• Office Professional Plus 2010
Product Key /
Activation
• Subscription based activation
• Term – 30 days (monthly)
• No keys to manage – only
users
• Volume License technologies
• MAK perpetual activation,
KMS 180 days
• Manage KMS and /or MAK
keys
When Reduced
Functionality Mode
(RFM) starts
• In 60 days since last activation
• “hard” RFM
• MAK: N/A
• KMS: within 180 days
• “Notification mode”
Deployment options • Office 365 Portal
• Unmanaged & Managed
options
• Unmanaged & Managed
Options
• App-V
• Terminal Services
# of copies allowed • 5 active installs on different
devices
per user
• No downgrade rights
• Single device per
license/activation
• Downgrade rights

16
Session Agenda
> Federation
> UAG
> Demo

17
Directory sync requirements
> Office 365 Enterprise subscribers
> AD Permissions:member of the Enterprise Admins
> Schema Update for Exchange hybrid mode
> AD Cleanup:
> Remove duplicate proxyAddress and userPrincipalName attributes.
> Update blank and invalid userPrincipalName attributes with a valid
userPrincipalName.
> Remove invalid and questionable characters in the givenName,
surname (sn), sAMAccountName, displayName, mail, proxyAddresses,
and userPrincipalName attributes

18
What does Directory Sync do for you
> Enables you to manage your company’s information in one central
location for both on-premise intranet and Office 365
> Seamless user experience across on-premise and Office 365
services (Exchange, Lync, SharePoint)
> Flavors of Co-Existence
Identity Co-Existence (aka Single Sign-On, Federated Identity,
Federated Authentication)
Application Co-Existence
> Runs as an appliance
Install and forget
> Proactively reports errors via email
“No news is good news”

19
Preparing for Directory sync
> Every User must have a UPN
> UPN suffix must match a validated domain in Office 365
> UPN Character restrictions
> Letters, numbers, dot or dash
> No dot before @ symbol
> Users may need to understand that they must use UPN to logon to
Office 365 Apps
> Can be hidden from users with smart links from domain machines

20
AD Naming v’s UPN Suffix
> Number of different structures for Active Directory Naming
Publicly routable
Sub domain of a publicly routable domain
Private Domain (e.g. contoso.local)
Single level Domain (e.g. contoso)
> Must use a publicly routable or sub domain of a public routable
Domain for your UPN Suffix
Required for Realm discovery
Must be able to prove ownership (via public DNS record)
It does not need to be the same as your AD Domain Name
> Domain name must be shorter than 48 characters

21
UPN Validations
> All users should have a defined UPN
Where not set:
Enterprise Single Sign on Enabled – SAMAccountName@DomainName
Cloud Based Identity – MailNickName@[company].onmicrosoft.com
> Restrictions on allowed characters in cloud based UPN
Letters, numbers, dot, underscore or dash
No dot before @ symbol (e.g. ross.adams@contoso.com is ok, but
ross.adams.jr.@contoso.com is not)
Username must not be longer than 64 characters
> Non Validated Domain
> Customer ready tool to verify data in AD

22
How Directory Synchronization works
Attribute Validations
Attribute Most common issues
userPrincipalName • cannot have dot ‘.’ immediately preceding ‘@’
• cannot exceed 113 chars (64 for username, 48 for
domain)
• cannot contain ! # $ % & * + - / = ? ^ _` { | } ~ < > ( )
• cannot have duplicate UPNs
sAmAccountName • cannot contain “ / [ ] : | < > + = ; ? ,
• cannot end with dot ‘.’
• cannot be more than 20 chars
• cannot be empty
proxyAddresses • cannot contain smtp addresses with domains that
are not registered for the tenant
• cannot have duplicate proxy addresses

23
Writing to On-Premise AD
> If Rich Co-Existence disabled, Directory Sync will not
modify customer’s on-prem AD
> If Rich Co-Existence enabled, Directory Sync will modify
up to 6 attributes on users:
Attribute Feature
SafeSendersHash
BlockedSendersHash
SafeRecipientHash
Filtering Coexistence
enables on-premise filtering using cloud safe/blocked
sender info
msExchArchiveStatus Cloud Archive
Allows users to archive mail to the Office 365 service
ProxyAddresses (cloudLegDN) Mailbox off-boarding
Enables off-boarding of mailboxes back to on-premise
cloudmsExchUCVoiceMailSetti
ngs
Voicemail Co-Existence
Enables on-premise mailbox users to have Lync in the
cloud

24
Single Forest AD structure and Considerations

25
Single Sign on setup

26
Architecture

27
Session Agenda
> Federation
> UAG
> Demo

28
Office 365 Identity features
> Password policy controls for Microsoft Online IDs
> Single sign-on with corporate credentials
> Role-based administration: Five administration roles
> Company Admin
> Billing Admin
> User Account Admin
> HelpDesk Admin
> Service Support Admin
> Support for Hybrid environments for services such as Exchange
Online
> Support for Strong Authentication (e.g. Smart cards)

29
Role Based Access
Office 365 Roles

SafenetDemos
customer premises
IdentityArchitecture
1. Microsoft Online IDs
AD
MS Online
Directory Sync
Provisioning
platform
Lync
Online
SharePoint
Online
Exchange
Online
Active Directory
Federation
Server 2.0
Trust
IdP Directory
Store
Admin Portal
Authentication
platform
Office 365
Desktop
Setup
Microsoft Online Services
2. Microsoft Online IDs + DirSync
3.Federated IDs + DirSync
IdP

safenetdemos customer
premises
Single Sign on Setup for New domains
1. Microsoft Online PowerShell Module for Windows
2. Connect to AD FS 2.0 and Microsoft Office 365
3. Add Domain (returns details for proof of ownership)
4. Add Domain
Identity Services
Provisioning
platform
Active Directory
Federation Server
2.0
Trust
Directory
Store
Admin Portal/
PowerShell
Authentication
platform
MSOL PowerShell
Module
Microsoft Online Services
Add Domain
Required
Cname
Add Trust
- Claim Rules
- User Source ID = AD ObjectGUID
Verify-Domain
- Active/Mex/Passive
- Token certs Current/Next
- Brand URI etc
Update

32
Identity
3
2

33
Authentication Options
IT Administrator considerations
Microsoft Online IDs
> Manages password policy in
cloud & on-prem
> Password reset for on-prem &
MS Online IDs
> No 2 Factor Auth integration
Federated IDs
> Manages password policy on-
premise only
> Password reset for on-premise
IDs only
> 2 Factor Auth integration
options
> Requires additional on-premise
servers to enable identity
federation

Identity Comparison options comparison
1. MS Online IDs
Appropriate for
• Smaller orgs without
AD on-premise
Pros
• No servers required
on-premise
Cons
• No SSO
• No 2FA
• 2 sets of credentials
to manage with
differing password
policies
• IDs mastered in the
cloud
2. MS Online IDs + Dir
Sync
Appropriate for
• Medium/Large orgs
with AD on-premise
Pros
• Users and groups
mastered on-premise
• Enables co-existence
scenarios
Cons
• No SSO
• No 2FA
• 2 sets of credentials to
manage with differing
password policies
• Single server
deployment
3. Federated IDs + Dir
Sync
Appropriate for
• Larger enterprise orgs
with AD on-premise
Pros
• SSO with corporate
cred
• IDs mastered on-
premise
• Password policy
controlled on-premise
• 2FA solutions possible
• Enables co-existence
scenarios
Cons
• High availability server
deployments required

35
Sign On Experience Federated vs. Non-
Federated Summary
> Office 365 Desktop setup required for rich clients
> Installs client and operating system updates to enable best sign-on
experience
> Enables authentication support for rich clients
> Not required for Web kiosk scenarios (e.g. OWA)
> Passwords can be saved for Outlook on XP/Vista clients and Mobile
devices etc.
Outlook
2010
Win 7 Vista/XP
Federated IDs,
(domain joined)
MS Online IDs
Outlook Web
Application
ActiveSync,
POP, IMAP,
Entourage
Outlook
2007*
Outlook 2007
or 2010
Win 7
Online ID
Online ID
Online ID
Online ID
Online ID
Win 7/Vista/XP
Office 2010, or
Office 2007 SP2
SharePoint
Online/Lync Online
Online ID
AD credentials

36
Identify Federation Requirements
> Single Active Directory forest Functionality level 2003
> Windows 2008/R2 for Active Directory Federation Services 2.0.
> Hybrid Deployments
> Exchange 2010 SP1 CAS and associated Schema
> Must be an Enterprise AD Account to setup Directory Sync
> Unique third-party SSL certificate
> Windows PowerShell 2.0 feature
> Microsoft Online Services Module for Windows PowerShell tool.
> Establish a relying party trust relationship between the AD FS 2.0
federation server farm and Office 365
> Windows 2003 or above for Directory Synchronization
> Single Forest
> Multiple domains in a single the forest supported

37
ADFS Terminology
> ADFS-Standard base service projecting internal users to the cloud
by a trust
> STS (Security Token Service)
Microsoft asserts that an STS is a Security Token Service that
issues/validates Security Tokens that contain Claims about a
Subject.
> federation server-A federation server issues tokens and serves as
part of a Federation Service.
>
http://technet.microsoft.com/en-us/library/adfs2-help-
terminology(v=ws.10).aspx

38
Identity Federation
Authentication flow (passive profile)
`
Client
(joined to CorpNet)
Federation Gateway
AD FS 2.0 Server
Exchange Online
Active Directory
Customer Microsoft Office 365

39
Identity Federation
Authentication flow (active profile)
`
Client
(joined to CorpNet)
Federation Gateway
AD FS 2.0 Server
Exchange Online
Active Directory
Customer Microsoft Office 365

40
Strong Authentication
> Currently supported scenarios
Rich Applications must not require second factor to authenticate
i.e. Logon to workstation with strong auth and then all connections are based
on existing Kerberos tickets
Web Applications
> Unsupported scenarios
Non-Domain Joined
(rich apps)
Mobile applications
Operating
system/client
mix
Windows 7 Legacy
Clients
(Vista/XP)
Outlook 2010 Yes No
Outlook 2007* Yes No
Lync 2010 Yes Yes
SharePoint
Online
Yes Yes
Web
Applications
Yes Yes
Mobile No

41
Alternative Proxies and Strong
Authentication
Authentication Scheme Authentication
limitations
AD FS proxy Requires integration of the strong authentication provider
with the AD FS proxy login page.
None
Forefront
TMG
Publish the AD FS server. Integration with some strong
authentication providers is provided out of the box.
Supported but requires
each path to be published
separately
Forefront
UAG SP1
Publish the AD FS server. Integration with some
authentication providers is provided out of the box, very
flexible integration options.
Web Clients only

42
AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server or UAG/TMG
(External Users, Active Sync, Down-level Clients with Outlook)
Enterprise
DMZ
AD FS 2.0
Server
Proxy
External
user
Internal
user
Active
Directory
AD FS
2.0
Server
AD FS 2.0
Server
AD FS 2.0
Server
Proxy

43
Session Agenda
> Federation
> UAG
> Demo

44
Why do I need UAG in a world that is going
cloud?
> The chance of the future being a hybrid setup cloud + on prem is
very big.
Internet
You will still need to
give your clients
access to internal
apps
You will need a bridge
between your corpnet
and the could-nets.
(think of ADFS
publishing) Internet

45
UAG Solution Architecture
DirectAccess
HTTPS (443)
Layer3 VPN
Business Partners /
Sub-Contractors
AD, ADFS,
RADIUS, LDAP….
Home / Friend /
Kiosk
Employees Managed
Machines
Mobile
Exchange
CRM
SharePoint
IIS based
IBM, SAP, Oracle
Terminal /
Remote Desktop
Services
Non web
NPS, ILM
Internet
• Strong authentication
• Endpoint health detection:
• NAP and down-level
• Authorization:
• Based on health status
• Who + where
• Information leakage prevention
• Attachment/Cache wiper

46
What is UAG & Compare the Edge
Integrated and comprehensive
protection from Internet-based
threats
Internet
Unified platform for all enterprise
remote access needs
Internet

47
TMG vs UAG (at the publishing level)
> TMG
> De-emphesised on publishing
> Limited to HTTP(s) publishing
> Limited to auth as security
> Client unaware
> UAG
> The future of publishing
> Portal approach
> HTTP(s) + Client / server app + VPN (inclueding DA)
> Health check and cleanup
> Very flexibel authentication
> Loads of pre-built templates
> Very detailed reporting

48
Two Keywords in UAG lingo
> Two types of trunks (*UAG can not
publish on any other ports)
> HTTP (TCP 80)
> HTTPS (TCP 443)
> Is like an IIS website or a TMG
listener => ip + port
> A redirect Trunk can redirect http
to https not the other way.
> Can be linked to the portal or
direct to application
> Two options
> Portal trunk => homepage of
UAG
> ADFS trunk => SSO over the
border of forests
Application
Trunk
• +/- 40 tempaltes / 5 top-level apps
Build-in services (automatically added to trunk)
File access => ntfs shares
Web-Monitor => remote UAG mgt
Web (applications)
Sharepoint
Exchange
...
Other => create your own setup
Client/server and legacy
Apps that run outside of the browser
SSL vpn for specific apps
When launching an app the UAG client
components loads
Remote Network Access => full network ssl
vpn
Browser-embedded
Starts in browser en shifts to binary
Citrix
XenApp
Terminal services and remote desktop
5 templates

49
UAG Trunks
Evaluate
Endpoint
Access
Settings
Authenticate
user against
authentication
servers
Authentication
Servers
External IP and
URL
HTTP or HTTPS
UAG Trunk
Trunk Portal

50
Require domain membership for
> ADFS
> KCD
> File-Access
> DirectAccess
> UAG Arry

Adding OTP Authentication
ADFS v 2.0
UAG
Active
Directory
NPS
SAM
Office 365
https://www.outlook.com/owa/safenetdemos.com

52
Session Agenda
> Federation
> UAG
> Demo

1 150 5,000 25,000
C-EM
S-EM with DirSync
Hybrid
<1 Week 2 Weeks 3 Weeks Several Months
None Mailflow/GalSync Free/Busy, Archive in Cloud

54
Deployment Plan
Choices to fit your organization
IMAP
migration
Exchange
migration
Staged
migration
Hybrid
Exchange 5.5 X
Exchange 2000 X
Exchange 2003 X X X X
Exchange 2007 X X X X
Exchange 2010 X X X
Notes/Domino X
GroupWise X
Other X

55
Migration Options
> Cutover – All mailboxes are moved into the cloud in one big hit. Best
suited to smaller companies.(No DirSync MX flip)
> Staged – Mailboxes are moved in batches.(Require Dir Sync)
> Hybrid –On board /Off board.
Existing organization Number of mailboxes to migrate
Do you want to maintain mailboxes
in your on-premises organization?
Deployment option
Exchange 2010, Exchange 2007, or
Exchange 2003
Less than 1,000 mailboxes No Cutover
Exchange 2007 or Exchange 2003 No maximum Yes Staged or hybrid
Exchange 2010 More than 1,000 mailboxes No Hybrid
Exchange 2010 More than 1,000 mailboxes Yes Hybrid
Office 365 for professionals and
small businesses
Fewer than 50 * Not applicable ** Cutover

56
Cutover Exchange migration steps
> Requires Exchange Server 2003 & up
> Enable Outlook Anywhere(RPC over HTTP)
> Enable Certificates
> Run Migrations
> No OST preservations
> All or Nothing migration
> No DDL
> End user performs first logon on 365 and reset password
> End user creates new outlook profile and OST file and do resync al
content

57
Staged Exchange migration steps
> Mail flow In Premise >o365 through CAS
> Requires DirSync
> migrate a subset of your on-premises mailboxes to Office 365. With a
staged Exchange migration.
> Incremental syncs not needed
> Users start using their mailbox when created…New mail is available
immediately , old content fills in
> Stamps targetAddress on source mailbox to support mail flow from in
premises to cloud
> Important: You cannot perform a staged Exchange migration to
migrate on-premises Exchange 2010 mailboxes to Office 365.

58
Hybrid
Feature Staged Hybrid
Mail routing between on-premises and cloud (recipients on either side)  
Mail routing with shared namespace (if desired) - @company.com on both sides  
Unified GAL  
Free/Busy and calendar sharing cross-premises 
Mailtips, messaging tracking, and mailbox search work cross-premises 
OWA Redirection cross-premise (single OWA URL for both on-premises and cloud) 
Exchange Online Archive 
Exchange Management Console used to manage cross-prem relationship & mailbox
migrations

Native mailbox move supports both onboarding and offboarding 
No outlook reconfiguration or OST resync required after mailbox migration 
Online Mailbox Move allows users to start logged into their mailbox while it is being moved to
the cloud

Secure Mail ensure emails cross-premises are encrypted, and the internal auth headers are
preserved

Centralized mailflow control, ensures that all email routes inbound/outbound via On Premises 

59
Hybrid
> Makes your on-premises organization and cloud
organization work together like a single,
seamless organization
> Offers near-parity of features/experience on-premises
and in the cloud
> Seamless interactions between on-premises and cloud
mailboxes
> Migrations in and out of the cloud transparent to end-
user
> Features not supported:
> Migration of Send As/Full Access permissions
> Multi-forest – Only single forest source environments

60
Hybrid Server Roles
2 Required Server Roles:
> Office 365 Active Directory Synchronization
> Exchange Server 2010 SP1 CAS/Hub*
1 Optional Server Role:

61
Federation Scenarios

62
Hybrid Setup
Step Details Required/
Recommended
Register your custom
domains in the Office
365 portal
Register any primary SMTP domains Required
Configure Federated
Identity
On-premises ADFS/Geneva server allows
on-premises (single) identity to be used for
cloud authentication
Recommended
Configure DirSync On-premises appliance synchronizes on-
premises directory/GAL with the cloud
Required
Enable DirSync
Writeback
Allows rich off-boarding with message-
repliability, archiving in the cloud, and UM in
the cloud
Recommended
Hybrid Setup

63
Hybrid Setup
Step Details Required/
Recommended
Install Exchange Server
2010 SP1 server On-
premises
On-premises Exchange Server 2010 SP1 CAS/Hub server required for hybrid
features
Required
Configure cloud
Autodiscover DNS
record
Allows on-premises targeted autodiscover Outlook client to redirect to cloud Required
Publish MRS Proxy Allows Exchange Online Mailbox Replication Service to connect On Premises and
perform a move to the cloud
Required
Implement Cloud
Configuration Policies
Create configuration policies in the cloud to match (or complement) on-premises
configuration policies (e.g. – ActiveSync policies, OWA policies, etc.)
Recommended
Configure RBAC in the
cloud
Create/manage Role Based Access Control (RBAC) settings in the cloud to match
(or complement) on-premises RBAC configuration
Recommended
Configure Federation
Trust / Org Relationship
“Federated Sharing”
Enable infrastructure for delegated Live namespace federation. Allows the following
features:
Recommended
Cross-premises Free/Busy,
Shared Calendaring
Cross-premises OWA
redirection (single URL)
Cross-premises Mailtips Cross-premises Mailbox Search
Cross-premises Message
Tracking
Cross-premises Archiving
Configure Cross-
premises mail routing
Configure Cross-premises mail routing. This configuration ensures proper anti-
spam/header handling for mail sent between on-premises and the cloud.
Recommended
Hybrid Setup

64
Hybrid Migration
> Why might you care about offboarding?
> Long term hybrid scenarios
> Compliance requirements (retaining ex-employee data)
> Piloting online but not committed to the move
> What you need to know about offboarding?
> Offboarding is available using EMC toolset while in hybrid scenario
> Offboarding to on-premises Exchange Server 2010 database is online
mailbox move

65
Deployment Flexibility
•
•
•
•

66
FOPE Admin Center
• Run real-time reports
• Customize spam
settings
• Configure policy
filtering
• Perform message
tracking
• Office 365 customers
can access FOPE
Admin Center
• Provides Office 365 customers with a new level of
control

67
Use FOPE Admin Center for these tasks
• Trace messages outside your
organization
• Perform transport-related tasks not
available in transport rules:
• Specific header attributes
• Custom dictionaries, character sets
• Actions such as quarantine or
encrypt
• Configure org-wide safe/blocked senders
• Configure granular anti-spam settings
(e.g. backscatter, SPF)
• View reports on spam filtering
• Configure forced TLS
• Trace messages within your
organization
• Set up transport rules to:
• Add disclaimers to emails
• Look for keywords and regular
expressions
• Block email sent to the outside world
(by sender, domain, etc)
• Moderate email delivery
• Configure journaling of emails to
external archive
Use Exchange Control Panel for these
tasks
When to use Admin Center vs. the Exchange Control
Panel

68
Session Agenda
> Federation
> UAG
> Demo

69
Steps to build the solution:
> Add and verify your domain name with Office 365
> Prepare your on-premises Active Directory for directory synchronization
> Enable single sign-on (identity federation)
> Install the Directory Synchronization Tool and perform synchronization
> Configure email migrations(Staged or Hybrid )
> Install UAG SP1 and Publish ADFS (Proxy)
> Install SAM 8.0 SP3
> Deploy client applications and the Office 365 desktop setup
> Enroll and provision tokens to clients
> Test and validate

70
Key Activities

71
Session Agenda
> Federation
> Federation
> UAG
> Demo

72
How to pilot single sign-on in a production
user forest
> set up an Authorization claim rule on the ADFS 2.0 server, that will
only generate a security token (for the authenticated user) if they are
a member of an on-premise security group. Hence your pilot users
can be put into this security group, as can your other users as you
stage rollout to the organization.

73
Session Agenda
> Federation
> Federation
> UAG
> Demo

74
Troubleshooting and Tools
> Microsoft Office 365 Deployment Readiness Tool
> Microsoft exchange remote connectivity
> https://www.testexchangeconnectivity.com/
> UAG web monitor
> Powershell Cmdlts
> Outlook test connection

Mojemoje

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (19)

Similaire à Mojemoje

Similaire à Mojemoje (20)

Dernier

Dernier (20)

Mojemoje

Notes de l'éditeur