Posted on 24-Dec-2015

Michael Van Horenbeeck, Technology Consultant, Xylos

Building a hybrid deployment in (less than) 75 minutes

DMI301

Agenda
• Introduction to Hybrid Deployments
• Hybrid Architecture
• Hybrid Configuration Wizard
• Remote Mailbox Moves
• Troubleshooting

Expectations…
• Many moving parts
• Difficult to ‘tie’ together
• Time-consuming
• Unclear where/how to start

What is a hybrid deployment?

Diagram: Exchange On-Premises and Exchange Online (Office 365), connected across “The Internet”, together forming one “Virtual Exchange Organization”.

Why deploy hybrid Exchange?
• Long-term coexistence
• Take advantage of hybrid features, e.g. Exchange Online Archiving
• Large migrations beyond the capabilities of other migration methods (e.g. cutover)
• Transparent mailbox moves: online mailbox moves, no OST resync
• Interaction with 3rd party applications / devices that need the ability to send via SMTP

Hybrid building blocks (as grouped on the slide)

Secure Mail Flow
• Encrypted Mail Flow
• Header Preservation
• Centralized Mail Flow
• Cert-based security

DirSync
• Unified GAL
• Exchange Archiving
• Mailbox Moves (X500)

Mailbox Moves
• Mailbox Replication Service
• Online Mailbox Moves
• Fast / Reliable

Federation
• Delegates
• Free/Busy
• Calendar Sharing
• Message Tracking
• Mail Tips

Hybrid Prerequisites
• Directory Synchronization (DirSync)
• Free “Hybrid Server” (can be Exchange 2010/2013)
• Certificates: Autodiscover / Exchange Web Services / Mail Flow (TLS)
  • 3rd party certificates for TLS between Exchange Online & On-Premises
  • Self-signed certificate for use w/ Microsoft Federation Gateway (automatic)
• ADFS (optional)
• Edge Transport Server (optional): may make life easier (more about that later)

Hybrid Architecture

Diagram (components as drawn on the slide):
• Microsoft data center: the Office 365 tenant with Azure AD, the Exchange Online tenant, Exchange Online Protection and the authentication service.
• Internet: external users and OWA users of Office 365.
• Perimeter network: ADFS proxy.
• Internal network: Active Directory, ADFS, the DirSync server, and the Exchange on-prem organization (Exchange 2013 CAS and MBX), linked to Exchange Online through the Organizational Relationship; internal Exchange users and internal OWA users (O365).

Flows: hybrid mail flow (SMTP) between the on-prem organization and Exchange Online Protection; authentication (HTTPS) from users via ADFS / ADFS proxy; synchronization (HTTPS) from the DirSync server to Azure AD; application access (HTTP(S)) for users.

Typical Deployment Process
1. Deploy Exchange
2. Configure SSO (optional)
3. Setup DirSync
4. Configure Certificates
5. Configure Web Services
6. Run Hybrid Configuration Wizard
7. Configure MX Records

Supported Topologies (cells left blank where the slide shows no value)

On-premises organization              | Office 365 (w14) | Office 365 (w15) w/ on-prem 2010 | Office 365 (w15) w/ on-prem 2013
Exchange 2003 SP2 w/ Ex2010 SP2+      | YES              | NO                               |
Exchange 2007 SP2/SP3 w/ Ex2010 SP2+  | YES              | NO                               |
Exchange 2007 SP3 UR10+ w/ Ex2010 SP2+| YES              | YES                              |
Exchange 2010 SP1                     | YES              | NO                               | NO
Exchange 2010 SP2                     | YES              | NO                               | NO
Exchange 2010 SP3                     | YES              | YES                              | YES
Exchange 2013                         | N/A              | N/A                              | YES

Deployment Considerations
• Delegates: migrated, but mailboxes must be moved at the same time
• Mailbox permissions: cross-premises permissions NOT supported; only explicit permissions get migrated to Exchange Online
• Interaction with legacy / 3rd party applications: Web Services? Use an SMTP gateway?
• Bandwidth
• Certificates
• Data footprint

Preparing Exchange for Hybrid

A trip down memory lane…

The ‘new’ Hybrid Configuration Wizard
• Single-step, adaptive configuration wizard
• Enhanced mail-flow capabilities: improved centralized mail flow, easier setup of secure mail flow (no more whitelisting IPs!)
• Integrated support for Edge Transport server
• Leverages Exchange Online Protection (EOP)
• Enhanced & more detailed logging

Hybrid Configuration Wizard Workflow

Diagram: the Hybrid Config Wizard captures the desired state, the Hybrid Configuration Engine compares it with the current state, and only the resulting delta-config is applied.

HCW step 1 – desired state
• Reads the configuration from the Hybrid Configuration Object (Get-HybridConfiguration)
• Determines the required hybrid functionality: FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail, CentralizedTransport, Photos
• Lists the domains in scope of the configuration
• Checks mail flow parameters (certificates, servers…)

HCW step 2 – determine delta
Compare the desired state with the as-is configuration:
• Check connectors: Inbound Connector / Receive Connector, Outbound Connector / Send Connector
• Version level (of the Hybrid Configuration Object)
• Verify if Organization Relationship(s) already exist
• Check domain configuration: Accepted Domains (Get-AcceptedDomain), Remote Domains
• Check Email Address Policies

HCW step 3 – configure recipients
• Create the hybrid ‘service’ domain: tenant.mail.onmicrosoft.com
• Configure the Email Address Policy: add the above domain to the policy
• Update the recipient policy: stamp each recipient with a secondary email address (required for cross-premises mail flow)

HCW step 4 – configure federation
• Gather federation information: uses Get-FederationInformation to verify domain ownership
• Create the Federation Trust with the Microsoft Federation Gateway (on-premises only)

HCW step 5 – create on-prem Org. Rel.
Create the Organization Relationship on-prem to O365:

New-OrganizationRelationship -Name 'On-premises to O365 - <id>' -TargetApplicationUri 'outlook.com' -TargetAutodiscoverEpr 'https://pod<id>.outlook.com/autodiscover/autodiscover.svc/WSSecurity' -Enabled:$true -DomainNames 'tenant.mail.onmicrosoft.com'

HCW step 5b – create cloud Org. Rel.
Create the Organization Relationship O365 to on-prem:

New-OrganizationRelationship -Name 'O365 to On-premises - <id>' -TargetApplicationUri '<appuri>' -TargetAutodiscoverEpr 'https://autodiscover.onprem.tld/autodiscover/autodiscover.svc/WSSecurity' -Enabled:$true -DomainNames <domains>

HCW step 5c – configure Org. Rel.
• Configure features including: FreeBusyAccess(Level), ArchiveAccess, Mailtips…
• Add Availability Address Space (Free/Busy), on-premises only

HCW step 6 – configure mail flow
• Verify existing connectors
• Create a new Send Connector in the on-premises organization
• Configure the existing Receive Connector in the on-premises organization
• Create a new Inbound Connector in the Office 365 tenant
• Create a new Outbound Connector in the tenant; specific values if centralized mail flow is selected (-RouteAllMessagesViaOnPremises:$true)

Running the Hybrid Configuration Wizard


Troubleshooting tips
• Hybrid Configuration log files: <drive>:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration
• Review federation information: Get-FederationInformation -DomainName <domainname>
• Review organization relationships: Get-OrganizationRelationship | fl *
• Troubleshoot connection issues (e.g. Autodiscover / Web Services): Remote Connectivity Analyzer (www.testexchangeconnectivity.com)
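The checks above, and the objects the HCW creates in steps 3 to 6, can be inspected in one read-only pass before or after running the wizard. The script below is an added example, not code from the deck or from Microsoft; it is meant to run in the on-premises Exchange 2013 Management Shell. The host names (autodiscover.onprem.tld, mail.onprem.tld) and the service domain tenant.mail.onmicrosoft.com are assumptions; replace them with your own. It applies the certificate rules from the "Common issues" slide (expiry, trusted source, missing subject alternative names, subject longer than 256 characters), compares the on-prem organization relationship with what Get-FederationInformation returns for the tenant, dumps the TLS settings of the send/receive connectors the HCW touches, and lists mailboxes that never received the secondary service-domain address.

```powershell
# Added example (not from the original deck). Read-only hybrid pre-flight / troubleshooting
# pass; run in the on-premises Exchange 2013 Management Shell. Names below are assumptions.
param(
    [string[]]$HybridHostNames = @('autodiscover.onprem.tld', 'mail.onprem.tld'),  # must be on the 3rd-party cert
    [string]$ServiceDomain     = 'tenant.mail.onmicrosoft.com'                     # hybrid 'service' domain
)

function Test-HybridCertificate {
    # Certificate checks from the "Common issues" slide, for every cert bound to IIS or SMTP.
    param([string[]]$RequiredNames)
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS|SMTP' } | ForEach-Object {
        $cert    = $_
        $names   = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $missing = @($RequiredNames | Where-Object { $n = $_; -not ($names | Where-Object { $n -like $_ }) })
        [pscustomobject]@{
            Thumbprint      = $cert.Thumbprint
            SelfSigned      = $cert.IsSelfSigned                    # fine for the MFG trust, not for TLS/EWS
            Expired         = ($cert.NotAfter -lt (Get-Date))
            SubjectTooLong  = ($cert.Subject.Length -gt 256)       # known HCW failure mode
            MissingNames    = ($missing -join ', ')
            UsableForHybrid = (-not $cert.IsSelfSigned -and $cert.NotAfter -gt (Get-Date) -and
                               $cert.Subject.Length -le 256 -and $missing.Count -eq 0)
        }
    }
}

function Test-HybridFederation {
    # HCW steps 4/5: federation trust plus the on-prem organization relationship towards the tenant.
    param([string]$RemoteDomain)
    $trust = Get-FederationTrust
    $fed   = Get-FederationInformation -DomainName $RemoteDomain -ErrorAction Stop   # what the tenant publishes
    $rel   = Get-OrganizationRelationship | Where-Object {
        @($_.DomainNames | ForEach-Object { $_.ToString() }) -contains $RemoteDomain
    }
    if (-not $rel) { throw "No organization relationship covers $RemoteDomain (HCW step 5 missing?)" }
    [pscustomobject]@{
        FederationTrust      = (@($trust | ForEach-Object { $_.Name }) -join ', ')
        OrgRelationship      = $rel.Name
        Enabled              = $rel.Enabled
        EprMatchesFederation = ($rel.TargetAutodiscoverEpr.ToString() -eq $fed.TargetAutodiscoverEpr.ToString())
        FreeBusy             = "$($rel.FreeBusyAccessEnabled) / $($rel.FreeBusyAccessLevel)"
        MailboxMove          = $rel.MailboxMoveEnabled
        ArchiveAccess        = $rel.ArchiveAccessEnabled
        MailTips             = $rel.MailTipsAccessEnabled
    }
}

function Test-HybridMailFlow {
    # HCW step 6, on-premises side: send connector to EOP and the receive connector(s) that accept it.
    Get-SendConnector | Where-Object {
        @($_.AddressSpaces | ForEach-Object { $_.Address }) -like '*.onmicrosoft.com'
    } | ForEach-Object {
        [pscustomobject]@{
            Connector                = $_.Name
            RequireTLS               = $_.RequireTLS
            TlsAuthLevel             = $_.TlsAuthLevel               # HCW sets DomainValidation
            TlsDomain                = $_.TlsDomain                  # HCW sets mail.protection.outlook.com
            TlsCertificateName       = $_.TlsCertificateName
            CloudServicesMailEnabled = $_.CloudServicesMailEnabled   # header preservation
        }
    }
    Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities.Count -gt 0 } |
        Select-Object Identity, TlsDomainCapabilities
}

function Get-RecipientMissingServiceAddress {
    # HCW step 3: every mailbox needs a secondary smtp:<alias>@<service domain> address for cross-premises routing.
    param([string]$Domain)
    Get-Recipient -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox |
        Where-Object { -not ($_.EmailAddresses | Where-Object { $_ -like "smtp:*@$Domain" }) } |
        Select-Object Name, PrimarySmtpAddress
}

Write-Host '== Certificates =='
Test-HybridCertificate -RequiredNames $HybridHostNames | Format-Table -AutoSize
Write-Host '== Federation and organization relationship =='
Test-HybridFederation -RemoteDomain $ServiceDomain | Format-List
Write-Host '== Mail flow connectors =='
Test-HybridMailFlow | Format-List
Write-Host "== Recipients without an @$ServiceDomain address =="
Get-RecipientMissingServiceAddress -Domain $ServiceDomain | Format-Table -AutoSize
```

Nothing in the script changes configuration; it only reads the objects the wizard would otherwise compare in its own "determine delta" step, so it is safe to run repeatedly while working through a failed HCW run alongside the Update-HybridConfiguration log.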

Real-world issues and questions
• What about 3rd party devices (e.g. IronPort)? What if the customer wants to re-use those?
• MRS in multiple internet-connected sites?
• Can we use a WAN accelerator?
• How about relaying emails?

SMTP w/ Exchange Online

                     | Exchange Online                  | Exchange Online Protection (EOP)
Relay to internet    | YES                              | YES
TCP port(s)          | 25, 587 – TLS required           | 25, TLS optional, static IP(s) required
Requires auth.       | YES                              | NO
Bypasses anti-spam   | YES                              | NO
Limits               | 10k recipients/day               | ‘reasonable limits’
Licensing            | Std/Shared MBX                   | EOP license per sender (included in EXO license)
FQDN                 | smtp.office365.com               | tenant-tld.mail.protection.outlook.com
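The two columns of the table correspond to two different SMTP submissions from a device or application. The function below is an added example, not code from the deck; the sender, recipient and tenant MX host are assumptions, and it uses only the standard Send-MailMessage cmdlet.

```powershell
# Added example (not from the original deck): the two submission paths from the table above.
# Addresses and the tenant MX host are assumptions; replace them with your own.
function Send-ExchangeOnlineTestMail {
    param(
        [Parameter(Mandatory)][ValidateSet('ClientSubmission', 'DirectSend')][string]$Mode,
        [string]$From = 'scanner@onprem.tld',
        [string]$To   = 'helpdesk@onprem.tld',
        [pscredential]$Credential,                                          # ClientSubmission only
        [string]$TenantMxHost = 'onprem-tld.mail.protection.outlook.com'    # DirectSend only
    )
    $msg = @{ From = $From; To = $To; Subject = "SMTP test via $Mode"; Body = 'Hybrid relay test' }
    switch ($Mode) {
        'ClientSubmission' {
            # smtp.office365.com: TCP 587, TLS and authentication required, 10k recipients/day,
            # needs a licensed std/shared mailbox, bypasses anti-spam. Use a dedicated mailbox
            # for the device, never an admin account, since the password lives on the device.
            if (-not $Credential) { throw 'ClientSubmission needs the credential of a licensed mailbox' }
            Send-MailMessage @msg -SmtpServer 'smtp.office365.com' -Port 587 -UseSsl -Credential $Credential
        }
        'DirectSend' {
            # tenant-tld.mail.protection.outlook.com: TCP 25, no authentication, TLS optional
            # (still requested here), static sending IP(s) required, subject to EOP anti-spam.
            Send-MailMessage @msg -SmtpServer $TenantMxHost -Port 25 -UseSsl
        }
    }
}

# Usage (assumed names):
# Send-ExchangeOnlineTestMail -Mode ClientSubmission -Credential (Get-Credential 'scanner@onprem.tld')
# Send-ExchangeOnlineTestMail -Mode DirectSend
```

A quick way to decide which path a legacy device gets: if it can do STARTTLS and SMTP AUTH, give it its own licensed mailbox and the client-submission endpoint; if it cannot, it needs a static egress IP and the EOP endpoint, and its mail will be filtered like any other inbound message.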

Hybrid Mailbox Moves

Diagram: an admin initiates the move; the Mailbox Replication Service (MRS) in Exchange Online (Office 365) pulls the mailbox from Exchange On-Prem across “The Internet”.

Mailbox Moves: user experience
• When using SSO, moves to Exchange Online are fully transparent, except for the authentication pop-up
• Without SSO, users get a new password; leverage ADFS or Password Sync to avoid user complexity
• The Outlook profile should be updated automatically through Autodiscover, although this sometimes does not happen
• Depending on the configuration, the user will get an authentication pop-up (basic auth)

Known limitations / issues
• Calendar federation between two hybrid deployments
• TLS certificate requirements
• TLS certificate with a Subject Name > 256 characters
• Cross-premises permissions
• Items larger than 25MB: http://blogs.technet.com/b/mikehall/archive/2013/06/27/large-mail-item-script.aspx
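A remote (onboarding) move that takes the 25MB item limit into account, as an added example that is not part of the deck: it is run from an Exchange Online PowerShell session, because MRS in Office 365 pulls the mailbox from the on-premises MRS proxy. The mailbox name, endpoint host name, batch name and credential prompt text are assumptions; the cmdlets and parameters are the standard New-MoveRequest / Get-MoveRequestStatistics / Resume-MoveRequest ones.

```powershell
# Added example (not from the original deck). Run from an Exchange Online PowerShell session.
# Mailbox, host names and batch name are assumptions. On-premises, the MRS proxy must already be
# enabled on the CAS, e.g.:
#   Set-WebServicesVirtualDirectory -Identity 'CAS01\EWS (Default Web Site)' -MRSProxyEnabled $true
$onPremCred = Get-Credential -Message 'On-premises account used by MRS (needs mailbox move rights)'

$move = @{
    Identity                   = 'user@onprem.tld'
    Remote                     = $true
    RemoteHostName             = 'mail.onprem.tld'              # MRS proxy endpoint published on EWS
    RemoteCredential           = $onPremCred
    TargetDeliveryDomain       = 'tenant.mail.onmicrosoft.com'  # hybrid service domain stamped by the HCW
    BadItemLimit               = 10
    LargeItemLimit             = 5                              # skip items > 25MB instead of failing the move
    SuspendWhenReadyToComplete = $true                          # sync now, cut over in a maintenance window
    BatchName                  = 'Pilot-01'
}
New-MoveRequest @move | Out-Null

# Poll until the initial sync is done; stop on failure so the report is not lost in an endless loop.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MoveRequestStatistics -Identity $move.Identity
    '{0}: {1} {2}% bad={3} large={4}' -f $stats.DisplayName, $stats.Status, $stats.PercentComplete,
        $stats.BadItemsEncountered, $stats.LargeItemsEncountered
    if ($stats.Status -like 'Failed*') {
        Get-MoveRequestStatistics -Identity $move.Identity -IncludeReport | Select-Object -ExpandProperty Report
        throw "Move of $($move.Identity) failed: $($stats.StatusDetail)"
    }
} until ($stats.Status -in 'AutoSuspended', 'Completed', 'CompletedWithWarning')

# Complete the move: the user is switched to Exchange Online and Outlook re-profiles via Autodiscover.
if ($stats.Status -eq 'AutoSuspended') { Resume-MoveRequest -Identity $move.Identity }
```

Keeping LargeItemLimit small is deliberate: items over 25MB are skipped rather than blocking the move, but the count reported in LargeItemsEncountered tells you which users to run the large-item script against before the final cut-over, instead of discovering the loss afterwards.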

Common issues/questions
• Certificates: expired, not from a trusted source, missing/wrong subject (alternative) name, subject name too long (> 256 characters)
• Single Sign-On not working properly: ADFS can be a delicate and complex matter
• Free/Busy not working: colleagues not recognized as “internal” employees; Outlook-related (e.g. missing updates)

Common issues/questions (continued)
• Datacenter IP addresses & firewalls: not all firewalls support domain-based ACLs; datacenter IP addresses are badly documented

Your hybrid is ready: what’s next?Managing a hybrid deployment is different from a pure on-prem deployment.

You still need to monitor your deployment, but how? What?

Looking forward…
• OAuth is likely to become the ‘standard’ in the future
• Currently only advised for Exchange 2013 SP1-only deployments (anyone else should keep on using the MFG)
• Required for cross-premises eDiscovery
• More information: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx

Conclusion…

What you thought it would be… What you were told/sold it would be like… How it will be from now on ;-) (if you stick to the tips from this session!)

Take-aways
• Preparation, preparation, preparation…
• Keep it simple!
• Let the HCW handle things for you
• Where possible, use Exchange 2013

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.