TechFuse 2012: Rich Coexistence

Rich Coexistence (wrongfully Hybrid Deployment) Thomas Moen Director of Strategy and Innovation [email protected] @cloudmovr 5.16.2012

Post on 19-Oct-2014


DESCRIPTION

Learn about Rich Coexistence scenarios including: On Premise, Hosted, Segmented, and Hybrid. Presented by Tom Moen.

TRANSCRIPT

Page 1: TechFuse 2012: Rich Coexistence

Rich Coexistence (wrongfully Hybrid Deployment)

Thomas Moen
Director of Strategy and Innovation
[email protected]
@cloudmovr

5.16.2012

Page 2: TechFuse 2012: Rich Coexistence

It is GREAT to Have Options…

• On Premise – services on premise

• Hosted – services hosted by someone else

• Segmented – host some users/apps, keep some users/apps on premise

• Hybrid – some services, i.e., filtering, archive encryption, are hosted. Azure Appliance or Azure SQL

Segmented

Page 3: TechFuse 2012: Rich Coexistence
Page 4: TechFuse 2012: Rich Coexistence

Agenda

• Introduction
• Rich Coexistence Features Explained
• Planning
• Deployment
• Migration
• Management

Page 5: TechFuse 2012: Rich Coexistence

Not for the faint of heart. This is a high impact ride. People with back, neck, heart, or cursing at computer problems, should not attempt this ride. Stay at the Exchange server at all times. Hold on with both hands!

Page 6: TechFuse 2012: Rich Coexistence

Think I am Joking?

Page 7: TechFuse 2012: Rich Coexistence

If you feel any discomfort with…

– ADFS 2.0
– Dir Sync
– Rich Coexistence
– PowerShell

Call a professional immediately! If you do proceed, proceed at your own peril…

Page 8: TechFuse 2012: Rich Coexistence

… and Keep These Close at Hand!

On the occasion of a Service Interrupting Event (SIE), Microsoft Online Services continuously updates the channels below to provide you necessary information to manage your business. Microsoft Online Services strives to earn your business and trust through our best in class service and ongoing communication.

Twitter: Feed is continuously updated as SIE incidents occur.
http://twitter.com/#!/Office365

Service Health Dashboard: The best location for Service Update information. Updated regularly through any SIE and notifies you of any upcoming planned maintenance.

Facebook: Get the latest updates, tips and more delivered straight to your Facebook stream.
http://www.facebook.com/#!/office365

Community Blog: With access to forums, community, and community, you’re always receiving the most updated information.
http://community.office365.com/en-us/default.aspx

Page 9: TechFuse 2012: Rich Coexistence

Your Four New Best Friends…

http://www.microsoft.com/en-us/download/confirmation.aspx?id=26509

http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index

[email protected] @cloudmovr

Jack: http://www.jackdaniels.com/

Page 10: TechFuse 2012: Rich Coexistence

Rich Coexistence Summarized

– Executed over a longer period of time (a week, a month, a year, etc.)

– No requirement to ever “flip a switch”—can run in coexistence scenario indefinitely

– Requires on-premises configuration and hardware

What does coexistence mean?

Page 11: TechFuse 2012: Rich Coexistence

Rich Coexistence Summarized

Simple vs. Rich Coexistence feature-set

Feature Simple Rich*

Mail routing between on-premises and cloud (recipients on either side)

Mail routing with shared namespace (if desired) - @company.com on both sides

Unified GAL

Free/Busy and calendar sharing cross-premises

Mailtips, messaging tracking, and mailbox search work cross-premises

OWA Redirection cross-premise (single OWA URL for both on-premises and cloud)

Exchange Online Archive

Exchange Management Console used to manage cross-prem relationship & mailbox migrations

Native mailbox move supports both onboarding and offboarding

No Outlook reconfiguration or OST resync required after mailbox migration

Online Mailbox Move allows users to stay logged into their mailbox while it is being moved to the cloud

Secure Mail ensures that emails sent cross-premises are encrypted, and the internal auth headers are preserved

Centralized mailflow control, ensures that all email routes inbound/outbound via On Premises

Today’s Focus

Exchange Sharing

Secure Transport

Mailbox Move

Page 12: TechFuse 2012: Rich Coexistence

Directory Synchronization

– Manages online users in Active Directory®

– Eliminates the need to manage users and groups in two places

– Powers unified global address list

– Simplifies user provisioning

– Enables rich coexistence scenarios

– Designed for single-forest topologies

– Customer’s Active Directory is the replication master

Microsoft Online Directory Service

Active Directory

DirSync tool runs on local server

Page 13: TechFuse 2012: Rich Coexistence

Active Directory Federation Services

Users are authenticated by local Active Directory Federation Services server.

No Microsoft Outlook® sign-in tool is required.

Active Directory Federation Services 2.0

Microsoft Online Directory Service

• Users don’t need to remember separate cloud passwords

• Administrators can retain existing domain security policies

• Supports multi-factor authentication for Outlook Web App

• Allows administrators to block user access outside the corporate network.

• Requires corporate infrastructure

Page 14: TechFuse 2012: Rich Coexistence

Exchange 2010 Federation

• Federated Sharing provides:
  – Easy setup of external data sharing
  – Broader reach without additional steps to set up
  – More security with controls for admins and users
• Federated Sharing is made possible because:
  – Server can act on behalf of a specific user
    • Specific user identified by email address
    • User not prompted for credentials
  – Microsoft Federation Gateway acts as a trust broker
    • Reduces explicit point-to-point trust management
    • No Active Directory trusts, service, or cloud accounts to manage
    • Minimizes certificate exchanges
    • Verifies domain ownership

Page 15: TechFuse 2012: Rich Coexistence

Cross-Premises Free/Busy and Calendar Sharing*

– Creates the look and feel of a single, seamless organization for meeting scheduling and management of calendars

– Works with any supported Outlook client; the heavy lifting is done by the Exchange Server 2010 CAS servers and the MS Federation Gateway, making this transparent to the end user.

*Caution with Exchange 2003 or earlier

Page 16: TechFuse 2012: Rich Coexistence

Cross-Premises Free/Busy and Calendar Sharing – How it Works

[Diagram: On Premises (on-premises user “Ben”, Client Access Server), Microsoft Federation Gateway, Exchange Online (Mailbox Server, “Joe”). Request label: FreeBusyRequest, From Ben, To Joe.]

– Ben requests free/busy info for Joe
– CAS Server finds that Joe’s mailbox is external and there is a matching Organization Relationship
– CAS connects to the MFG to request a Delegation Token
– MFG returns a Delegation Token
– CAS Server passes the MFG token and requests Joe’s free/busy on behalf of Ben
– Free/busy info is returned to the CAS Server
– Joe’s free/busy is returned to the Outlook client

Page 17: TechFuse 2012: Rich Coexistence

Cross-Premises MailTips

– Creates the look and feel of a single, seamless organization. Correct evaluation of “Internal to” vs. “External to” organization context

– Allows awareness and correct Outlook 2010 representation of MailTips for size and quantity limits on DGs, etc.

Page 18: TechFuse 2012: Rich Coexistence

Cross-Premises Message Tracking

– Creates the look and feel of a single, seamless organization

– Message tracking started from on-premises or from the cloud will track through to the edge of the combined organization
  • Tracking fidelity across Exchange Server 2010 SP1 servers will be identical to fully on-premises organizations (i.e., high fidelity)
  • Tracking fidelity across pre-2010 servers will be identical to fully on-premises organizations (i.e., lower fidelity)

Page 19: TechFuse 2012: Rich Coexistence

Cross-Premises Mailbox Search

– Allows administrators to select/manage mailboxes for mailbox searches from on-premises or cloud-hosted mailboxes

– Graphical representation allows administrators to differentiate between on-premises and cloud-hosted mailboxes in the picker

– Search results returned across all selected mailboxes, regardless of mailbox location!

Page 20: TechFuse 2012: Rich Coexistence

Cross-Premises OWA Redirection

• Single URL
  – Allows mailbox access to OWA via a single URL (pointed to on-premises CAS)
  – Ensures a good end-user experience as mailboxes are moved in and out of the cloud, since OWA URL remains unchanged
• Better cloud log-in experience
  – Log-in experience can be greatly improved by adding your domain name into your cloud URL so that you can access your cloud mailbox without the interruption of “Go There” page

Page 21: TechFuse 2012: Rich Coexistence

Cross-Premises Mail Flow

• Secure transport

• Rich coexistence adds the ability to preserve internal organizational headers:

• Allows us to treat a message from the cloud as authenticated. This means we trust the message and resolve the sender to a recipient in the GAL.

• Restrictions specified for that recipient get honored.

• When sender is expanded in Outlook, GAL card is opened (not SMTP address).

– Possible centralized mail flow scenario

Page 22: TechFuse 2012: Rich Coexistence

Cross-Premises Mail Flow

[Diagram: On Premises (Mailbox Server, Hub Transport Server, On Premises Mailbox “Ben”) connected over TLS to ForeFront Online Protection for Exchange and Exchange Online (Cloud Mailbox “Joe”). Labels: Domain Secure; Secure TLS Connection.]

– The Hub/Edge transport certificate subject is “mail.contoso.com”
– The FOPE transport certificate subject is “mail.messaging.microsoft.com”

Page 23: TechFuse 2012: Rich Coexistence

Cross-Premises Mail Flow: Sending Internal Headers to Cloud

[Diagram: On Premises (Mailbox Server, Hub Transport Server, On Premises Mailbox “Ben”), ForeFront Online Protection for Exchange, Exchange Online (Cloud Mailbox “Joe”). Labels: TLS; XOORG Data; Certificate Subject.]

– If the outbound email is destined for Exchange Online, XOORG Data is added to the email.
– FOPE records the sender’s certificate subject. In this example it is: “mail.contoso.com”
– Exchange Online verifies cert subject matches the configured value. If cert subject is valid, Exchange promotes XOORG data.
– Cross-premises emails are authenticated as “Internal”

Page 24: TechFuse 2012: Rich Coexistence

Cross-Premises Mail Flow: Sending Internal Headers to On Prem

[Diagram: On Premises (Mailbox Server, Hub Transport Server, On Premises Mailbox “Ben”), ForeFront Online Protection for Exchange, Exchange Online (Cloud Mailbox “Joe”). Labels: TLS; XOORG Data.]

– If the outbound email is destined for Exchange On Premises, XOORG Data is added to the email.
– Exchange On Premises verifies cert subject matches the configured value. If cert subject is valid, Exchange promotes XOORG data.
– Emails from the cloud are seen as Internal by Transport & Journal Rules
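
The trust decision on the two slides above, modeled as an added example (not code from the presentation or from Exchange): the receiving side promotes the internal-organization headers only when the TLS peer certificate subject equals the configured value, shown for both directions. The header prefix `X-Org-Internal-`, the class and function names, the handling of non-matching sessions (headers stripped, message treated as anonymous) and the sample sessions are assumptions made for the illustration; the two certificate subjects come from the slides.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed header prefix standing in for the "XOORG data" on the slides.
INTERNAL_PREFIX = "x-org-internal-"


@dataclass
class Connector:
    """Receiving-side setting: the certificate subject the peer must present."""
    expected_cert_subject: str


@dataclass
class Session:
    """Facts the receiver established about one SMTP session."""
    tls: bool
    cert_subject: Optional[str] = None
    cert_chain_valid: bool = False


@dataclass
class Message:
    sender: str
    headers: dict = field(default_factory=dict)


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()


def session_is_trusted(conn: Connector, sess: Session) -> bool:
    """True only for TLS with a valid chain and an exact subject match."""
    if not sess.tls or not sess.cert_chain_valid or not sess.cert_subject:
        return False
    return _norm(sess.cert_subject) == _norm(conn.expected_cert_subject)


def receive(conn: Connector, sess: Session, msg: Message) -> dict:
    """Promote internal headers on a trusted session, strip them otherwise."""
    trusted = session_is_trusted(conn, sess)
    kept, stripped = {}, []
    for name, value in msg.headers.items():
        if name.lower().startswith(INTERNAL_PREFIX) and not trusted:
            stripped.append(name)      # never honour unauthenticated claims
        else:
            kept[name] = value
    return {
        "auth_as": "Internal" if trusted else "Anonymous",
        "headers": kept,
        "stripped": sorted(stripped),
    }


# Certificate subjects taken from the slides; everything else is constructed.
CLOUD_SIDE = Connector(expected_cert_subject="mail.contoso.com")
ONPREM_SIDE = Connector(expected_cert_subject="mail.messaging.microsoft.com")


def sample_message() -> Message:
    return Message(
        sender="ben@contoso.com",
        headers={
            "Subject": "Q3 numbers",
            "X-Org-Internal-AuthAs": "Internal",
            "X-Org-Internal-Journal": "true",
        },
    )


def demo() -> dict:
    """Run the same constructed message through five constructed sessions."""
    sessions = {
        "onprem_to_cloud": (CLOUD_SIDE, Session(True, "MAIL.contoso.com.", True)),
        "cloud_to_onprem": (ONPREM_SIDE, Session(True, "mail.messaging.microsoft.com", True)),
        "no_tls": (CLOUD_SIDE, Session(False)),
        "lookalike_subject": (CLOUD_SIDE, Session(True, "mail.contoso.com.example.net", True)),
        "untrusted_chain": (CLOUD_SIDE, Session(True, "mail.contoso.com", False)),
    }
    return {k: receive(c, s, sample_message()) for k, (c, s) in sessions.items()}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} auth_as={result['auth_as']:9} stripped={result['stripped']}")
```

The comparison is an exact match after normalization, so a subject that merely starts with the configured name is rejected along with plain-text sessions and certificates whose chain did not validate.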

Page 25: TechFuse 2012: Rich Coexistence

Cross-Premises Mail Flow: Centralized mail flow scenario

[Diagram: On Premises (Mailbox Server, Hub Transport Server), ForeFront Online Protection for Exchange, Exchange Online, Internet. Label: TLS.]

– All outbound cloud email is sent via on premises
– Exchange Online to On Premises Connector Address Space = *@*
– Only Exchange On Premises is allowed to send mail into the cloud

Page 26: TechFuse 2012: Rich Coexistence

Rich Coexistence

Makes your on-premises organization and cloud organization work together like a single, seamless organization

• Offers near-parity of features/experience on-premises and in the cloud
• Seamless interactions between on-premises and cloud mailboxes
• Migrations in and out of the cloud transparent to end user

Features not supported:

• Delegation Coexistence—Delegate permissions are migrated, but not available during the move
• Migration of Send As/Full Access permissions
• Multi-forest—only single-forest source environments

Feature summary

Page 27: TechFuse 2012: Rich Coexistence

Federation Scenarios

“Federation”: A very overloaded word…

• Sign-On Scenarios ADFSv2: “Federated Identity” (applies to all Office 365 services, not just Exchange Online)
  • User uses corporate credentials to access online resources in the cloud
  • Single Sign-on cloud mailbox log in
  • Direct log on for LOB apps
• Delegation Scenarios: “Federated Sharing” (specific to Rich Coexistence features provided by Exchange Online)
  • Services act on behalf of a user to access Exchange resources
  • Cross-premises Free/Busy, Shared Calendaring
  • Cross-premises MailTips
  • Cross-premises Message Tracking
  • Cross-premises Mailbox Search
  • Cross-premises MRS authentication
  • Cross-premises OWA redirection (single URL)
  • Cross-premises Archiving

Page 28: TechFuse 2012: Rich Coexistence

Rich Coexistence Server Roles

3 - 5 Additional Server/Roles Required

Exchange Server 2010 SP1 CAS/Hub

Unified Global Address List

Office 365 Directory Sync

Exchange Sharing

AD FS

Single Sign On

Mailbox Move

Secure Transport

* Mbx role is required for legacy Public Folder-based free/busy support

Page 29: TechFuse 2012: Rich Coexistence

Shared Namespace: Core Concepts

MX for service.contoso.com = Exchange Online

DC

On Premises AD Forest

Exchange 2003 FE/BE Server

MX for contoso.com = On Premises

External Recipient([email protected])

Internet

Exchange Online

Email from [email protected] to [email protected] Email is forwarded to [email protected]

Page 30: TechFuse 2012: Rich Coexistence

Namespace Planning

• Federated Identity
  – UPN suffixes need to match an Identity Federation domain
• Email Forwarding & Autodiscover Redirects
  – Minimum of 1 domain for on-premises and 1 for Exchange Online
  – Existing primary SMTP domain sufficient for the on-premises namespace
  – Additional namespace required for Exchange Online
    • Note: Cannot be the sign-up domain (*.onmicrosoft.com)
• Exchange Federated Sharing
  – Recommend use of a unique domain for the On-Premises to Microsoft Federation Gateway Exchange Federation Trust
  – e.g. exchangesharing.contoso.com
  – Referred to in EMC and EMS as the “Account Namespace”
  – Does not need to be on any Email Address Policies
  – Any other domains (e.g. contoso.com) should be added as additional federated domains

Page 31: TechFuse 2012: Rich Coexistence

Certificates

• Exchange Federation Trust
  – Can be any certificate (e.g. self-signed)—it will be pushed/pulled to all Exchange Server 2010 SP1 Client Access Control Servers
  – The “New Federation Trust” wizard handles the cert creation and replication to other CAS servers for you
• Exchange CAS
  – You must ensure that the primary SMTP domain has an Autodiscover DNS entry and is listed on the CAS certificate
  – DNS must resolve to an Exchange Server 2010 SP1 CAS server
  – CAS protocols (EWS, MRSProxy) must have the externalUrl listed on the certificate
• Exchange HUB
  – Ensure the certificate is both client and server certificate type

You can use the Exchange Certificate wizard in EMC 2010 SP1 to generate the request!

ADFS also requires public certificates for ADFS endpoints in most scenarios

Page 32: TechFuse 2012: Rich Coexistence

Exchange Deployment Assistant

• http://technet.microsoft.com/exdeploy2010

• Currently supports Rich Coexistence configuration with Exchange Server 2003 and Exchange 2007

• SP2 new Coexistence/Hybrid Wizard

Page 33: TechFuse 2012: Rich Coexistence

Hybrid Config Wizard Requirements

• On Premise Exchange 2003 or Later
• All Exchange Updates and SP2 Rollup
• Office 365 Tenant and Admin Account
• Custom Domains
• AD FS 2.0
• Dir Sync
• CAS/HUB Server
• Autodiscover DNS Records Configured
• Office 365 Org in the EMC
• EWS Config ExternalURL - externally accessible, FQDN
• Certificates – self signed certs NOT used and a whole lot of other certification stuff! For example, the EWS external URL and the Autodiscover endpoint specified in public DNS have to be listed in the Subject Alternative Name of the certificate. (I hate certificates)
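
A pre-flight check for the certificate requirements on the Certificates and Hybrid Config Wizard slides, as an added example (not from the presentation or from Microsoft tooling): it derives the host names the on-premises CAS/Hub certificate has to list and reports what is missing. The certificate is a plain dictionary with hypothetical fields `subject`, `issuer`, `san` and `eku`; the URLs and certificates are constructed samples using the deck's contoso.com names.

```python
from urllib.parse import urlparse


def required_names(smtp_domains, external_urls):
    """Host names the certificate must list: Autodiscover for each SMTP
    domain plus the host of every published external URL (EWS, MRSProxy...)."""
    names = {f"autodiscover.{d.strip().lower()}" for d in smtp_domains}
    for url in external_urls:
        host = urlparse(url).hostname
        if not host:
            raise ValueError(f"not an absolute URL: {url!r}")
        names.add(host.lower())
    return names


def san_covers(san: str, host: str) -> bool:
    """Exact match, or a wildcard standing for exactly one left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host


def check_certificate(cert: dict, smtp_domains, external_urls) -> list:
    """Return a list of findings; an empty list means the plan is covered."""
    findings = []
    # Slide requirement: self-signed certificates are not used here.
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed certificate")
    # Slide requirement: Hub certificate is both client and server type.
    for usage in sorted({"clientAuth", "serverAuth"} - set(cert.get("eku", []))):
        findings.append(f"missing EKU: {usage}")
    # Slide requirement: external URLs and Autodiscover are in the SAN.
    for name in sorted(required_names(smtp_domains, external_urls)):
        if not any(san_covers(s, name) for s in cert.get("san", [])):
            findings.append(f"missing SAN: {name}")
    return findings


# Constructed plan: primary SMTP domain and published URLs.
PLAN_DOMAINS = ["contoso.com"]
PLAN_URLS = [
    "https://mail.contoso.com/EWS/Exchange.asmx",
    "https://mail.contoso.com/EWS/mrsproxy.svc",
    "https://legacymail.contoso.com/exchange",
]

# Constructed certificates (field names are this example's own).
GOOD_CERT = {
    "subject": "CN=mail.contoso.com",
    "issuer": "CN=Example Public CA",
    "san": ["mail.contoso.com", "autodiscover.contoso.com", "legacymail.contoso.com"],
    "eku": ["serverAuth", "clientAuth"],
}
WEAK_CERT = {
    "subject": "CN=mail.contoso.com",
    "issuer": "CN=mail.contoso.com",
    "san": ["mail.contoso.com"],
    "eku": ["serverAuth"],
}
WILDCARD_CERT = dict(GOOD_CERT, san=["*.contoso.com"])

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("weak", WEAK_CERT), ("wildcard", WILDCARD_CERT)]:
        print(label, check_certificate(cert, PLAN_DOMAINS, PLAN_URLS) or "OK")
```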

Page 34: TechFuse 2012: Rich Coexistence

New SP2 Wizard

Page 35: TechFuse 2012: Rich Coexistence

Here’s Where We Start…

AD FS, DC, Dirsync

On Premises AD Forest

Exchange 2003 FE/BE Server

https://mail.contoso.com/exchange

https://mail.contoso.com/rpc

https://mail.contoso.com/Microsoft-Server-ActiveSync

External SMTP Recipient(mailto:[email protected])

The following services may be exposed to the Internet to support remote access:

1. SMTP
2. Outlook Web Access
3. Outlook Anywhere
4. Exchange ActiveSync

Page 36: TechFuse 2012: Rich Coexistence

Rich Coexistence Setup

• Step 1: Office 365 configuration steps

| Step | Details | Required/Recommended |
| --- | --- | --- |
| Run through Office 365 Onboarding Accelerator | As part of onboarding, the onboarding accelerator steps the admin over to “Rich Coexistence” guidance | Recommended |
| Configure Federated Identity | On-premises ADFS/Geneva server allows on-premises (single) identity to be used for cloud authentication | Recommended |
| Configure DirSync | On-premises appliance synchronizes on-premises directory/GAL with the cloud | Required |
| Enable DirSync Writeback | Allows rich off-boarding with message-repliability, archiving in the cloud, and UM in the cloud | Recommended* |

* Not available during Beta

Page 37: TechFuse 2012: Rich Coexistence

Exchange Online

Microsoft Online Directory Service

MSO ID

AD FS, DC

On Premises AD Forest

Register MSO Namespaces & Config ADFS

(1) Run MSO Federation Config cmdlets:
    Add-MsolFederatedDomain -DomainName "contoso.com"
    Add-MsolFederatedDomain -DomainName "service.contoso.com"

    Company: contoso.onmicrosoft.com

    | Domains | Status |
    | --- | --- |
    | contoso.com | pending |
    | service.contoso.com | pending |

(2) Create Domain Proof of Ownership DNS Records
    • ms1234567.contoso.com > ps.microsoftonline.com
    • ms8901234.service.contoso.com > ps.microsoftonline.com

(3) Rerun MSO Federation Config cmdlets:
    Add-MsolFederatedDomain -DomainName "contoso.com"
    Add-MsolFederatedDomain -DomainName "service.contoso.com"

    *This verifies domain proof of ownership*

    Company: contoso.onmicrosoft.com

    | Domains | Status |
    | --- | --- |
    | contoso.com | active |
    | service.contoso.com | active |

(4) New Registered Domains propagate out to MSO ID and Exchange Online
    • MSO ID reserves the namespace as a “Federated Namespace”
    • MSO ID sets the AD FS endpoint for each namespace to “https://adfs.contoso.com/adfs/ls/”
    • Exchange Online creates all registered domains as Accepted Domains

    | Namespace | Type | Endpoint |
    | --- | --- | --- |
    | contoso.com | Federated | https://adfs.contoso.com |
    | service.contoso.com | Federated | https://adfs.contoso.com |

    | Accepted Domain | Type |
    | --- | --- |
    | contoso.com | Authoritative |
    | service.contoso.com | Authoritative |

Page 38: TechFuse 2012: Rich Coexistence

Deploy Office 365 Directory Sync

Exchange Online

Microsoft Online Directory Service

MSO ID

AD FS, DC, Dirsync

On Premises AD Forest

(1) Install DirSync
(2) Run configuration wizard
(3) Run first sync

Sync process will sync out the following object types:

1. Users
2. Contacts
3. Groups

Users only (to MSO ID):

Only Users are given an MSO ID

If their On-Premises UPN matches a federated domain, then they are given a Federated MSO ID with the same name

Any logons using that ID will be redirected to the On Premises ADFS instance for authentication

All mail-enabled objects are synced to Exchange Online:

1. Mailuser
2. Mailbox
3. Mailcontact
4. MaildistributionGroup (Inc. security)

Page 39: TechFuse 2012: Rich Coexistence

Rich Coexistence Setup

• Step 2: Exchange configuration steps*

| Step | Details | Required/Recommended |
| --- | --- | --- |
| Install Exchange Server 2010 SP1 server on-premises | On-premises Exchange Server 2010 SP1 CAS/Hub server (also MBX role for some scenarios) required for rich coexistence features | Required |
| Configure cloud Autodiscover DNS record | Allows on-premises targeted autodiscover Outlook client to redirect to cloud without prompts | Required |
| Publish MRS Proxy | Allows Exchange Online Mailbox Replication Service to connect On Premises and perform a move to the cloud | Required |
| Implement Cloud Configuration Policies | Create configuration policies in the cloud to match (or complement) on-premises configuration policies (e.g., ActiveSync policies, OWA policies, etc.) | Recommended |
| Configure RBAC in the cloud | Create/manage Role-Based Access Control (RBAC) settings in the cloud to match (or complement) on-premises RBAC configuration | Recommended |
| Configure Federation Trust / Org Relationship (“Federated Sharing”) | Enable infrastructure for delegated Live namespace federation. Allows the following features: Cross-premises Free/Busy, Shared Calendaring; Cross-premises OWA redirection (single URL); Cross-premises MailTips; Cross-premises Mailbox Search; Cross-premises Message Tracking; Cross-premises Archiving | Recommended |
| Configure Cross-premises mail routing | Configure Cross-premises mail routing. This configuration ensures proper anti-spam/header handling for mail sent between on-premises and the cloud. | Recommended** |

* Exchange Deployment Assistant will be updated to include Rich Coexistence scenario steps
** Not available during Beta

Page 40: TechFuse 2012: Rich Coexistence

Creating the Exchange Federation Trust

[Diagram: On Premises AD Forest (AD FS, DC, Dirsync, Exchange 2003 FE/BE Server, Exchange 2010 CAS/HUB Server), Microsoft Federation Gateway (MFG), MSO ID, Exchange Online]

(1) Create Exchange Federation Trust with the “MFG” using a “unique namespace” e.g. exchangesharing.contoso.com

(2) On Premises Org Relationship with “service.contoso.com” and “contoso.com”

(3) Exchange Online Org Relationship with “contoso.com”

Automatic implied trust between the Exchange Online tenant and MFG

Page 41: TechFuse 2012: Rich Coexistence

Creating the Secure Mail Connectors

[Diagram: On Premises AD Forest (Exchange 2010 CAS/HUB Server), FOPE, Exchange Online]

– Create the Exchange Send Connector
– Create the FOPE Inbound Connector
– Create the FOPE Outbound Connector
– Create the Exchange Receive Connector
– Remote Domains define the use of XOORG (shown on both sides)

Page 42: TechFuse 2012: Rich Coexistence

Mail Routing: External recipient to Exchange Online mailbox

[Diagram labels: External Recipient ([email protected]), Internet, On Premises AD Forest, Exchange Online, TLS]

Remote Mailbox
Primary Smtp Address = [email protected] Routing Address = [email protected]

Mailbox
Primary Smtp Address = [email protected] Smtp Address = [email protected]

MX & AutoD for contoso.com = On Premises
MX & AutoD for service.contoso.com = Exchange Online

Page 43: TechFuse 2012: Rich Coexistence

Autodiscover: Outlook Profile Generation

(1) Where is my mailbox?

(2) Local Exchange passes a redirect to “service.contoso.com”

(3) Outlook attempts to discover endpoint through DNS record “autodiscover.service.contoso.com”

(4) Request Authentication

(5) Authentication Success

(6) Profile Builds

Page 44: TechFuse 2012: Rich Coexistence

Post-Exchange Coexistence Server Deployment

AD FS, DC, Dirsync

On Premises AD Forest

Exchange 2003 FE/BE

Server

Exchange 2010 CAS/HUB Server

https://mail.contoso.com/rpc

https://mail.outlook.com/ews/

https://autodiscover.contoso.com/autodiscover/autodiscover.xml

https://mail.contoso.com/exchange

https://mail.contoso.com/owa

https://legacymail.contoso.com/exchange

https://mail.contoso.com/Microsoft-Server-ActiveSync

Once 2010 is deployed the following additional services need to be enabled:

1. Autodiscover
2. Availability Web Service
3. Exchange Web Services

External endpoints:

1. mail.contoso.com
2. autodiscover.contoso.com
3. legacymail.contoso.com

To support OWA redirection to the cloud, logons need to be shifted to 2010

This requires a new “legacy” endpoint for OWA 2003

New Certificate Required

Page 45: TechFuse 2012: Rich Coexistence

Rich Coexistence: GUI Management

– Once you have installed Exchange Server 2010 SP1 on premises and connected it to your Exchange Online 2010 organization, you can use EMC GUI for a number of the configuration steps on the previous slides

Connecting on-premises GUI to the cloud

Page 46: TechFuse 2012: Rich Coexistence

Rich Coexistence Setup

– Most of the cool Rich Coexistence features require federated sharing to be configured between on-premises and the cloud

– EMC in Exchange Server 2010 SP1 has GUI for this

Federated Sharing

Page 47: TechFuse 2012: Rich Coexistence

Rich Coexistence Migration

• Administrator uses EMC on-premises tool to manage mailbox moves and other administrative cross-premise tasks
  – Note: There is no requirement to move mailboxes on premises to an Exchange Server 2010 server prior to moving them to the cloud
• DirSync keeps GAL in sync as mailboxes are moved

You’ve configured for cross-premises, now it’s time to move!

[Diagram: Mailbox migration. Labels: Exchange Server 2003, Exchange Server 2007, Exchange Server 2010 SP1, Exchange Server 2010 CAS]

Page 48: TechFuse 2012: Rich Coexistence

Rich Coexistence Migration

• Cross-Premises moves just like on-premises
  – Cross-Premises mailbox moves driven out of EMC GUI “Remote Move” wizard
  – With federated sharing configuration in place, it eliminates the explicit-credentials requirement, allowing mailbox moves to be executed seamlessly to and from the cloud

Cross-premises mailbox move experience

Page 49: TechFuse 2012: Rich Coexistence

Rich Coexistence Migration

– It’s a true “online” move: User stays connected to their mailbox through the move
  • Client switchover happens automatically at the end
  • Traditional “offline” move when moving from Exchange 2003 source
– Outlook uses Autodiscover to detect the change and fixes up the user’s Outlook profile automatically on the client machine
– Since it’s a move (not a new mailbox + data copy), Outlook doesn’t see it as a new/different mailbox. End result = No OST resync
– Moves are queued and paced by the datacenter
– Object conversion for mail routing happens automatically after data move
  • Mailbox on-premises gets converted to mail-enabled user automatically
  • Admin can override this automation and stage the move-then-convert steps

The stuff you need to know

Page 50: TechFuse 2012: Rich Coexistence

Rich Coexistence Migration

• Why might you care about off-boarding?
  – Long term coexistence scenarios
  – Compliance requirements (retaining ex-employee data)
  – Piloting online but not committed to the move
• What do you need to know about off-boarding?
  – Off-boarding is available using EMC toolset while in Rich Coexistence scenario
  – Off-boarding to on-premises Exchange Server 2010 database is an online mailbox move
  – Off-boarding to on-premises Exchange Server 2003/Exchange Server 2007 database is an offline mailbox move
  – Off-boarding without Rich Coexistence (i.e., any other scenario, including V1 off-boarding) is PST via Outlook or partner driven

Mailbox off-boarding

Page 51: TechFuse 2012: Rich Coexistence

Rich Coexistence Recipient Management

– All recipient management should be performed through EMC 2010 SP1

– Objects should be created through the On-Premises node

– Any Policies (e.g. OWA Policy) should be assigned through the Cloud node

Exchange Management Console

Page 52: TechFuse 2012: Rich Coexistence

Rich Coexistence Recipient Management

• New On-Premises recipient, called “Remote Mailbox”
  – Represents a Mailbox that exists in Exchange Online (found under Contacts)
  – Specific to Rich Coexistence
  – Appears as a Mail User to legacy Exchange
  – MRS Mailbox Move to Exchange Online will leave a Remote Mailbox in the On Premises directory
• New flag on a Remote Domain allows the targetAddress to be automatically calculated

What’s new to recipient management in Exchange Online

Page 53: TechFuse 2012: Rich Coexistence

Key Takeaways

Rich Coexistence is about 3 core components

• Migration
• Exchange Sharing
• Secure Transport

Rich Coexistence setup has a bunch of steps, but it’s primarily about getting the planning right

• Namespaces & Certificates are the two key areas to think about
• Remember you are performing a partial upgrade to Exchange Server 2010
• And moving to Exchange Server 2010 on-premise sets you up for a smooth path to the cloud

Once you’re in fully-configured Rich Coexistence, toggling the federated sharing features on and off in Exchange is simple

• These features are a differentiator and make the cross-premises Exchange Online experience seamless

Page 54: TechFuse 2012: Rich Coexistence

Thank You!