SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

#SPSPhilly @RHarbridge


Presented By: Richard Harbridge

SharePoint In The CloudEvaluating Impact, Pros, and Cons


Thanks To Our Sponsors!


SharePoint User Group

• SharePoint• End Users• Administrators• Architects• Developers• IT Pros

• Meetings: 2nd Tuesday of the month, Microsoft Malvern, 5:30-8 pm

WEB: www.TriStateSharePoint.org

EMAIL: [email protected]

TWITTER: @tristateSP


SharePoint Network• Are you an independent consultant or remote worker

who deals with SharePoint, Office or Office365? • Do you sometimes feel cut off from the rest of the

SharePoint world?• Do you need help with technical or business issues, or

just want the chance to socialize with others?

If so, then the SharePoint Network might be for you!www.SharePointNetwork.org


Who am I?

BostonWe Washington

http://www.packtpub.com/microsoft-sharepoint-for-business-executives-guide/book


Our Goal Today…

From Here To Here



Information!


What Will We Cover Today?•Why is SharePoint in the Cloud?

•What is SharePoint in the Cloud?

• What is Office 365?

•Concerns in the Cloud?

•Evaluating Cloud Providers


Why is SharePoint in the Cloud?



Minimal Entry Cost


Pay Per Use


Shift From CAPEX to OPEX


Providers Leverage Scale for Discounts


The Outcome

Cloud enables on-demand computing resources to be rapidly provisioned with

minimal management effort.


What to watch out for…While cloud is for everyone, it is not for everything (until solutions, usage and

standards mature).


What is SharePoint in the Cloud?


SharePoint Cloud Models

All-in

SharePoint 2010

Exchange 2010

Lync 2010

Public Facing Websites

Demo/Dev/Test/Prod

External Identity Provider

Trusted Hybrid

Collaboration Scenarios Doc Management

MySites

Extranet

Demo/Dev/Test/Prod

Single Sign On (ADFS)

Un-trusted Hybrid

Exchange 2010

Lync 2010

Extranet

Public Facing Websites

Demo/Dev/Test

External Identity Provider

Dedicated/Shared Dedicated/Shared Dedicated/Shared



SharePoint ExtranetOn Premise Hosted Environment

Externally Hosted Environment

You Manage Firewall Exceptions/Access to Environment

They Manage Firewall Exceptions (most cases fully public facing)/Access to Environment.

You provision a new identity store. You manage two identity stores.

They provision an identity store. You still may manage aspects of it based on business need.

You support the environment infrastructure.

They typically support the environment infrastructure.

You plan for and invest in sizable up front costs installing and configuring the environment.

You pay for what you use under their planned structures (typically OPEX vs CAPEX).


Amazon and SharePoint


Azure and SharePoint


What is Office 365?(Standard/Shared Hosting)


Getting Office 365 (or BPOS) Dedicated Evaluation Criteria

• Do you have less than 5000 people?

Not for you.


But You Still Want Dedicated?

• SPLA (Server Provider License Agreement) – Means hosting companies can offer competitive ‘dedicated’ hosting scenarios at lower costs.

This is for you.


YOU ALREADY USE THESE APPLICATIONS NOW YOU CAN USE THEM IN THE CLOUD

Office 365 Marketing?


Standardization• Single Architecture

Deployment• Initial deploy is still required to migrate data to Office 365• AD clean up and network upgrade is often required• Hybrid phasing is often prolonged period of discomfort.

Service Change• Balance between continuous innovations and minimize change• Customer controls IT policies but not feature availability

Privacy and Security Considerations• Understand your internal security and privacy requirements

What does moving to Office365 mean?


Sites Communities Content Search CompositesInsights

Ask Me About

Blogs

Colleague Suggestions

Colleagues and Memberships

Discussion Forums

Enterprise Wikis

Keyword Suggestions

My Network

My Sites: People Profiles and Personal Sites

Note Board

Organization Browser

Outlook Social Connector

Photos and Presence

Ratings

Recent Activities

Social Bookmarks

Status Updates

Surveys

Tag Clouds

Tag Profiles

Tags

What's New

Wikis

Access Services

Browser-Based Customizations

Customization via SharePoint Designer

Forms: Out-of-box workflows and customization via

SharePoint Designer 2010

InfoPath Forms Services

Sandboxed Solutions

Workflows

Document Sets

Legal Holds

Metadata Driven Navigation

Multi-stage Disposition

Office Integration

Office Web Apps

Rich Media Management

Shared Content Types and the Managed Metadata Service

Support for Accessibility Standards

The Content Organizer

Unique Document IDs

Excel Services

Visio Services

Audience Targeting

Lightweight Public-Facing Site

Cross-Browser Support

Enterprise Management Operations

External Sharing

Fluent UI / Ribbon

Mobile Connectivity

Multi-Lingual Support

Office Client Integration

OOTB Web Parts

Scalability

SharePoint Workspace Integration

Tagging

Video Support, REST, and Silverlight

Best Bets

Duplicate Results

Metadata-based Refinement

People and Expertise Search

Phonetics & Nickname Expansion

Recently Authored Content

Search a Single Site Collection

Search Across Site Collections

Search Scopes

Site Search

Social Behavior Improves Relevance

Taxonomy and Term Store Integration

View in Browser

Data Connection Library

PerformancePoint

Business Intelligence Center

Chart Web Part

Business Connectivity Services (BCS)

SharePoint Timer Jobs

FAST

Word Automation Services

Records Center

Web Analytics

Key:Office365

Future Features

Office 365 Feature Parity (Before 2013)

Now Available with some caveats…• No external data search• No rich client integration• No profile pages• No direct connectivity to SQL Azure without a WCF endpoint.


More Stuff Missing? (Before 2013)• Project Server • Power Pivot • Secure Store Service • Full Trust Solutions • Not all Sandbox Solutions work? *

* Maurice Prather - http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=331

http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=331

http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=331


Translation Services

SharePoint Online Grows up in in the coming release

all new features designed for the

Cloud

PowerShell

Cloud app model

PowerPivot / Power

View

Project Online

BCS Improvements (Direct to SQL Azure)

OData

Workflow 2013

MDS

… and more.

eDiscovery

SkyDrivePro

Records Center

Site Mailbox

deep linkNew

UX

refiners

Mobile apps

Hybrid Search

Quick Preview

Quick Edit

Dev Site

Gest Links

+

exch

ange

onl

ine,

lync

onl

ine

&

office

sub

scrip

tion


Analytics, PerformancePoint

So What is Still Different in 2013?

BI Excel Services, Power View, PowerPivot

SharePoint Online SharePoint 2013

Deep refinement, enhance relevancySearch People/Expertise, hover card, enterprise search

Full-trust code, BCS+Developer Cloud app model, Sandbox, CSOM, BCS

Cross-site scripting, content by searchInternet Public Website, Design Manager, apps/store

Central AdministrationAdmin Tenant-level, PowerShell, IRM, Recycle Bin

ECM / SocialeDiscovery, Records Center, Site Mailbox, Mobile, Newsfeed, Follow, #, @dot dot dot

SharePoint Online Feature Availability - http://technet.microsoft.com/en-us/library/jj819267.aspx

http://technet.microsoft.com/en-us/library/jj819267.aspx





Hybrid Co-ExistenceScenario Works Out of Box?SharePoint: Search Yes (Federated)SharePoint: BCS Yes (WCF Effort Required, No

Profiles and BCS Search)SharePoint: Other Services (MMS, Workflow etc)

No (Though Guidance Coming)

Exchange Integration Limited (eDiscovery, Site Mailboxes, Task Synch – Read Documentation)

Lync Integration Yes (Presence etc)


Configuration Overview (High Level)

Reverse Proxy and Certificate Auth

Identity Provider

MSOL Tools

Dirsync

UAG

ADFS Servers

SharePoint Servers

Office 365

Dirsync and Tools Servers

MSOL Tools

oAuth TrustConfig Secure Store

2013


Licensing Matters


Licensing SummaryName Price (Per User/Month) Details

P – Professional and Small Biz

$6.00 Exchange, Lync, SharePoint, Office Web Apps

E1 – Enterprise $8.00 Exchange, Lync, SharePoint, Yammer Ent

E2 – Enterprise $14.00 E1 + Office Web Apps

E3 – Enterprise $20.00 E2 + Office Pro Plus, BCS, Excel Services, InfoPath Services, Visio Services, & Access Services

E4 – Enterprise $22.00 E3 + Voice Capabilities (VOIP Stuff)

K1 – Kiosk Worker $4.00 Exchange, SharePoint, Office Web Apps (View Only)

K2 – Kiosk Worker $8.00 Exchange, SharePoint, Office Web Apps

E/K - You can split your users (for cost savings).

P = Limited to less than 50 users.


Choosing Enterprise

Only Enterprise has SSL (Both have it on sign in process.)


Quick Example100 Users…E3 - $20 per user per month…$24,000.00 per year…

Business Wants…• SharePoint 2010 Enterprise• Lync 2010• Exchange 2010• Office 2010 Professional

Office 365 E3 Over 3 Years

Year 1 $24,000.00

Year 2 $24,000.00

Year 3 $24,000.00

Total $72,000.00

On Premises

Year 1 $88,708.00

Year 2 $0.00

Year 3 $0.00

Total $88,708.00

On Prem Costs (2010):• $3,500.00 in Services

(Installation/Config)• $6,000.00 - Two Servers• $79,208.00 – Licensing

Quick Total: $88,708.00

At +4 years = more expensive.Consistent cost?

Big investment?More features/flexibility.

*This is meant as only a simplified example scenario


What About SharePoint Standalone?

Office 365 offers two Standalone plans for SharePoint.

Collaboration with Sites, AV

Forms, data visualization, Access/Excel/Visio services

SharePoint Online (Plan 1)

SharePoint Online (Plan 2)

Workload Standalone Plans Key Features

$4.00

$8.00SP Online P1 Over 3 Years

Year 1 $4,800.00

Year 2 $4,800.00

Year 3 $4,800.00

Total $14,400.00

SP Standard On Premises

Year 1 $30,849.00

Year 2 $0.00

Year 3 $0.00

Total $30,849.00 100 Users…

On Prem Costs (2010):• $2,000.00 in Services• $6,000.00 - Two Servers• $22,849.00 – Max Licensing



External Users Subscription LicensesSharePoint Online Partner Access LicenseThe first 10,000 PAL licenses are free. Beyond this there are negotiated prices/sometimes exceptions are made, etc.

SP Online Over 3 Years

Year 1 $0.00

Year 2 $0.00

Year 3 $0.00

Total $0.00

SP On Premises

Year 1 $0.00 (2013)

Year 2 $0.00

Year 3 $0.00

Total $0.00



Understand Additional CostsItem In-Market - Enterprise Coming soon – Small Business

1-50 usersComing soon – Midmarket

1-250 usersComing soon – Enterprise

1-500,000+ users

Base tenancy storage allocation 10 GB 10GB 10GB 10GB

Storage per Standard E & P (allocated to tenant pool) 500 MB/user 500MB/user 500MB/user 500MB/user

SkyDrive Pro (does not contribute to overall pool) 500 MB/user 7 GB 7 GB 7 GB

Storage per Kiosk Worker 0 0 0 0Storage per External User 0 0 0 0Site Collection storage quotas Up to 100 GB Up to 100 GB Up to 100 GB Up to 100 GBTotal max storage per tenant Up to 25 TB Up to 35GB Up to 1.25 TB Up to 25TBMaximum file upload size 250MB Designing for 2GB Designing for 2GB Designing for 2GB

Site collections (total #)* 300 1 20 3,000

Additional storage (per GB per month)

$2.50 0.20/GB/month* $0.20/GB/month $0.20/GB/month $0.20/GB/month

*Price lowered in the second service update of Office 365 SharePoint Online.


The Outcome

We barely scratched the surface with SharePoint in the Cloud but have already seen many ‘trade off’ decision points we

should be aware of.


What to watch out for…Without careful planning cloud

providers can cause considerable cost due to new challenges such as migration

and identity federation.


ConcernsIn The Cloud


BPOS to Office 365?

http://www.microsoft.com/online/transition-center.aspx

Microsoft is responsible for any changes that happen in its datacenters. Customers will not have to migrate any data; however, customers will be responsible for making sure that their client software is compliant with the system requirements. See Office 365 system requirements download.microsoft.com/download/A/6/4/A6479925-C7D2-4C4C-A21B-48BCCF8887A9/FAQ_EN_101010.docx.

Customers will also be responsible for end-user training and configuring any new features and capabilities that will be delivered by Office 365.

1. Customers will not have to migrate any data.

2. You need to have SharePoint 2010 compatible client software/systems.

3. You have to train users on the new 2010 interface.




Office 365 – 2013 Upgrade


Identity Options in the Cloud


Unique Development Challenges

How do you deploy a site structure to #Office365?• Limited/No PowerShell• No Console Apps• No Content Database Copy

Site Templates and Migration Tools Could Work…


Search Challenges (Before 2013)

No search usage statistics?

Remember! We cannot perform a unified search across online/on premise.


A Few Problems After 2013…



Cost Modeling


SecurityCan be an issue, but most of the time is not.

The real issue is lack of standards and accountability…

If it’s a bigger and more respectable hosting provider expect a better level of accountability and security planning/activity.


Security Program

Security Monitoring & Response, Threat & Vulnerability Management

Access Control & Monitoring, File/Data Integrity

Account Management, Training & Awareness, Screening

Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware

Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt

Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning

Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning

Video Surveillance, biometrics, Access Control

Security Management

“We ended up with around 800 preventive, detective and corrective controls that were physical, administrative and technical. Then we took the defense-in-depth approach and put the controls throughout the stack.” - John Howie, Microsoft


Privacy Program

Disclosure

Choice

Notice

Documented & enforced privacy requirements • Microsoft Online Services Privacy Statement • Microsoft Online Services Privacy and Regulatory Divisional

Requirements Specific to Software + Services• Corporate-level Privacy Guidelines for Service Development

Privacy disclosures & transparency• Microsoft Online Services Privacy Statement • EU Safe Harbor Certification


What is more reliable?



What is the Offline Story?


Service Level Agreements


Support Is Important

As an example Microsoft provides 24/7 support.Google also provides 24/7 support.

However Google Apps has a rule where only system critical events that affect more than 50% of users can use their phone support.

Don’t forget that with all cloud based providers – you are also adding another layer between IT and the business users.

Example Issue: Can a you put a stop to a providers maintenance schedule so that a business team can finish a critical deliverable without interruption?


Termination/Suspension of Service


• Since the startup costs are lower organizations can run the risk of not doing enough planning.

• Migrating content can be extremely difficult depending on what options are provided by the ‘cloud provider’.

Other Issues?


On Integration


LAN vs WAN


The Outcome

Offloading some management activities to another provider results in additional

planning and consideration.


What to watch out for…Challenges and concerns are different

for every cloud provider.


EvaluatingCloud Providers


Questions To AskSecurity• How do I know if my cloud is secure?

• Who will have access to my sensitive data?

• Do I have full ownership of my data?

• What type of employee / contractor screening you do, before you hire them?

• How do you detect if an application is being attacked (hacked), and how is that reported to me and my employees?

• How do you control administrator access to the service?

• What firewalls are in place?

• What anti-virus technology is in place?

• Can I get virtual layer 2 networking and a stateful virtual firewall?

Evaluating Cloud Providers

https://www.nothingbutsharepoint.com/sites/itpro/Pages/Evaluating-Cloud-Providers-Tools-and-Questions.aspx


Questions To AskStorage• Where will my data be stored?

• Will my data be replicated to any other datacenters around the world (If yes, then which ones)?

• What controls do you have in place to ensure safety for my data while it is stored in your environment?

• Can you tell me where my data physically resides?

• Data Center Location?

• How many live copies of my data are there?

• What happens to my data if I cancel my service?




Questions To AskIdentity & Access• Do you offer single sign-on for your services?

• Can I get flexible role-based access control synchronized with my enterprise directory?

• Do all of my users have to rely on solely web based tools?

• Can users work offline?

• Do you offer a way for me to run your application locally and how quickly I can revert to the local installation?




Questions To AskReliability & Support• What is your Disaster Recovery and Business Continuity strategy?

• How do you back up data?

• What is the retention period and recovery granularity?

• Is your Cloud Computing service SAS70 compliant?

• What measures do you provide to assist compliance and minimize legal risk?

• Who do I contact for support?

• What types of support do you offer?

• Are there additional support options available to me?




Questions To AskPerformance• How fast is the local network?

• What is the storage architecture?

• Usually storage will be the slowest link.

• How can I ensure global consistency across cloud service providers?

• How many locations do you have and how are they connected?

• How many IOPS can I expect at each I/O performance level?

• How does your memory access score on the STREAM benchmark?

• How does your virtualization system score on the SPECvirt benchmark?


http://www.streambench.org/

http://www.spec.org/benchmarks.html



Questions To AskFlexibility (Part 1)• Am I able to load my own VMs?

• Am I able to install software?

• What virtualization technology is being used?

• Are there additional abstraction layers?

• Can I dynamically add memory and CPU to a cloud VM while it’s running?

• How can I ensure CPU and memory are guaranteed?

• What access protocols are available?

• RDP, VNC, ICA, Console, SSH…

• Over non standard ports?




Questions To AskFlexibility (Part 2)• What configuration options do I have?

• Can I add memory?

• Can I add storage?

• Can I use public IPs?

• What domain name mapping options do I have?

• Can I have multiple environments per user?

• Can I archive environments?

• What supporting tools are there?

• Active directory integration

• User management




Questions To AskFlexibility (Part 3)• Do you offer on-premise, web-based, or mixed environments?

• Will the solution work with what I have in place today?

• What pricing, licensing, and payment options are available to me?

• What are the client requirements?

• How often do these change? Example: Must I upgrade my browser to take advantage of new features?




Questions To AskCosts• Can I get predictable service costs that still allow me to scale when I need

to?

• How can I get the cost benefits of multi-tenancy but still access dedicated infrastructure when I need it?

• How do you define a processor / virtual core / Compute Unit?

• What are your SLAs and how do you compensate when it is not met?

• During maintenance windows? Planned vs surprises

• What happens when there is over subscription?

• Can I leverage my existing Agreements?




Tools You Can Use


Service Management IndexCarnegie Mellon launched an initiative for standardized risk and benefit comparisons.

It’s called the Cloud Service Measurement Initiative Consortium (CSMIC)

Service Management Index

http://beta-www.cloudcommons.com/web/cc/about-smi


Cloud Sleuth Viewers

Global Provider ViewCloud Performance Analyzer

https://www.cloudsleuth.net/web/guest/home


Cloud Harmony Benchmarks

http://cloudharmony.com/


Consensus Assessments Initiative

https://cloudsecurityalliance.org/research/initiatives/consensus-assessments-initiative/

https://cloudsecurityalliance.org/research/initiatives/consensus-assessments-initiative/


The Outcome

You now have an arsenal of key questions/tools you can use to evaluate a

cloud provider effectively.


What to watch out for…Trust but verify. Carefully review policies, terms, conditions, and

agreements.


Questions? Ideas? Feedback? Contact me:Twitter: @RHarbridge Blog: http://www.RHarbridge.comEmail: [email protected]:

700+ SharePoint IA Slides at.. PracticalIntranet.com 130+ SharePoint Standards at.. SPStandards.com80+ Downloadable Presentations.. SlideShare.com/RHarbridge

Thank You Organizers, Sponsors and You for Making this Possible.

http://www.twitter.com/rharbridge

http://www.rharbridge.com/


mailto:[email protected]

http://www.practicalintranet.com/

http://www.spstandards.com/

http://www.slideshare.net/rharbridge


Appendix/Resources


Main SharePoint Online marketing site:http://sharepoint.microsoft.com/en-us/SharePoint-Online/Pages/default.aspx

Primary Office 365 marketing site:http://www.office365.com Trials, 100-200 level customer-facing infoContains info about BPOS suite and SPO30-Day trial

SharePoint Online developer resource center (MSDN): http://go.microsoft.com/fwlink/?LinkId=203983 SharePoint Online Administration resource center (TechNet): http://technet.microsoft.com/sharepoint/gg144571.aspx‘Help and How-to’ for SharePoint Online (Office.com): http://office.microsoft.com/redir/FX102052854.aspx

http://sharepoint.microsoft.com/en-us/SharePoint-Online/Pages/default.aspx

http://www.office365.com/

http://go.microsoft.com/fwlink/?LinkId=203983

http://technet.microsoft.com/sharepoint/gg144571.aspx

http://office.microsoft.com/redir/FX102052854.aspx


Microsoft Privacy Guidelines for Developing Software Products and Services http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16048

Cloud Computing Security Considerations paper (by Microsoft) can be found here: http://go.microsoft.com/?linkid=9708479

Office 365: Addressing Cloud Computing Security Considerationshttp://download.microsoft.com/download%2F2%2F2%2F0%2F220AE513-4A01-4D95-9275-11E71215A0C2%2FCloudSecurityConsiderations_MicrosoftOffice365.pdf

Pain Point: http://community.office365.com/en-us/f/148/t/3388.aspx

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16048

http://go.microsoft.com/?linkid=9708479

http://go.microsoft.com/?linkid=9708479

http://download.microsoft.com/download/2/2/0/220AE513-4A01-4D95-9275-11E71215A0C2/CloudSecurityConsiderations_MicrosoftOffice365.pdf

http://download.microsoft.com/download/2/2/0/220AE513-4A01-4D95-9275-11E71215A0C2/CloudSecurityConsiderations_MicrosoftOffice365.pdf

http://community.office365.com/en-us/f/148/t/3388.aspx

http://community.office365.com/en-us/f/148/t/3388.aspx


Sign Up For Office365 Developer Site (2013)http://msdn.microsoft.com/en-us/library/fp179924%28v=office.15%29.aspx

Office and SharePoint App Development:http://msdn.microsoft.com/en-us/library/jj220038%28v=office.15%29.aspx

Available on TechNet - http://aka.ms/oht1dxOn-premises -> SPO configuration stepsAdditional details for non-SharePoint steps

Identity provider and SSODirSyncMSOL Sign-In AssistantMSOL Module for Windows PowerShell

http://msdn.microsoft.com/en-us/library/fp179924(v=office.15).aspx

http://msdn.microsoft.com/en-us/library/fp179924(v=office.15).aspx

http://msdn.microsoft.com/en-us/library/jj220038(v=office.15).aspx

http://msdn.microsoft.com/en-us/library/jj220038(v=office.15).aspx

http://aka.ms/oht1dx

http://technet.microsoft.com/en-us/library/jj151794

http://technet.microsoft.com/en-us/library/hh967642.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=28177



Evolution?

Elasticity is not cloud computing…

http://cloudscaling.com/blog/cloud-computing/elasticity-is-not-cloud-computing-just-ask-google?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+neoTactics+(Cloudscaling)


Evolution?




Evolution?




Cloud = Hosting (Not New)



Transitioning to the Cloud

Determine Intranet Site Strategy Cloud seminars Plan Custom solutions In-house support

Build collaboration strategy S+S workshops Stage Integration services ‘Partner on-behalf’

Gather requirements Assess Active Directory health Deliver Application Lifecycle

Management (ALM)Health analyzer

dashboard

• Reduce friction• Simplify the transition• Drive down costs• Decrease time-to-market (TTM)• Improve satisfaction from all business owners

Primary Goals


SharePoint 2013 Features


SharePoint – Intranet - Feature Tiering


When using hybrid features o365 sends requests from sites in the cloud to your on-prem farmYou need to establish a reverse proxy for these calls to be channeled through to secure the processThose requests can be authenticated at the reverse proxy before they are forwarded to SharePointSharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request

Reverse Proxy and Authentication*

UAG

ADFS Servers

SharePoint Servers

Office 365



A reverse proxy used for hybrid must support the following requirements:

2 network cards - one connected to the Internet and the other to the internal company networkRoute inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headersSupport SSL termination

We currently support two reverse proxy servers:Microsoft - Forefront Unified Access Gateway (UAG)F5 - Big IPWe plan to add more as they are tested for compatibility

Reverse Proxy Requirements

UAG

ADFS Servers

SharePoint Servers

Office 365



These are the high level steps for configuring UAG for hybrid:

Configure the network in UAG using the Getting Started WizardAdd an HTTPS trunkInstall an SSL certificate for the endpoint; it must:

Support the names for both the public HTTPS trunk and SharePoint siteUse 2048 bit length encryption; shorter lengths WILL NOT WORK!

Add the PFX in the UAG’s local certificate storePublish the SharePoint site collection; use the SharePoint Server 2010 Web type

See your Reverse Proxy s/w documentation for full details

Reverse Proxy Configuration

UAG

ADFS Servers

SharePoint Servers

Office 365



In order to have a single-sign on experience, you need a federated identity provider like ADFSThis requires the following:

2 or more load balanced ADFS serversAn SSL certificate for the ADFS siteA proxy device, like the ADFS proxy serverFor details on planning and implementation options see http://technet.microsoft.com/en-us/library/jj151794

All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)

Identity Provider

UAG

ADFS Servers

SharePoint Servers

Office 365




You will need tools from MS Online (MSOL) in order to complete the next set of tasks:

Microsoft Online Services Sign-In AssistantMicrosoft Online Services Module for Windows PowerShell (MSOL PS)The Directory Synchronization Tool (dirsync)

NOTE: This cannot be installed on a domain controller

You will need to run these on a SharePoint server to configure trust with ACSSetting up dirsync and SSO trust is typically done on its own server

MSOL Tools

UAG

ADFS Servers

SharePoint Servers

Office 365



Install the MSOL PS snap-in to a local server; can be the same server being used for dirsyncSet up a federation trust between o365 and ADFS using MSOL PS

Use the Connect-MsolService cmdlet to authenticate and connect to o365Use the New-MsolFederatedDomain to start the process to establish the trustUpdate DNS as instructed by the cmdlet

Or alternatively:Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains sectionUse MSOL PS to run the Convert-MsolDomainToFederated cmdlet

For more info see http://technet.microsoft.com/en-us/library/jj151794

SSO with o365

UAG

ADFS Servers

SharePoint Servers

Office 365




DirSync with o365

• Activate Active Directory Synchronization in your tenant using the o365 Admin web pages

• Install the dirsync tool to a local server and when that’s complete run the dirsync Wizard

• When the wizard is done click Finish to start a sync• Go to the Office 365 Admin web page and click on the users

and groups section to verify that accounts have been imported• Grant accounts licenses to SharePoint, etc.• Log out then login as an Active Directory user using your Identity Provider (i.e.

ADFS)

• For more info see http://technet.microsoft.com/en-us/library/hh967642.aspx.

UAG

ADFS Servers

SharePoint Servers

Office 365


http://technet.microsoft.com/en-us/library/hh967642.aspx


These things need to be configured in SharePoint to support hybrid:New SharePoint STS Token Signing CertificateConfigure a trust between SharePoint on-prem and ACSConfigure Secure StoreConfigure UPA Try out Search or BCS!

SharePoint Configuration Tasks


You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust itYou can replace it with:

A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED A new self-signed certificate that you can create in the IIS ManagerDomain-issued certificates DO NOT WORK

Use the Set-SPSecurityTokenServiceConfig with the –ImportSigningCertificate flag to change the token signing certificate

New SharePoint STS Token Signing Certificate


Previously you created a federated trust for users to sign into o365Now you need to create an OAuth trust for applications to exchange data between o365 and on-premUsing MSOL PowerShell (on prem):

Create an AppPrincipal using New-MsolServicePrincipalCredentialCreate a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxyComplete the trust using New-SPTrustedSecurityTokenIssuer

Complete detailed instructions are available in the documentation described at the end of this session

Configure Trust Between SharePoint and ACS


The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunkIn o365 create a new Secure Store Service target application

Save the Target Application ID name because you will use that when configuring a result source

In the credentials field configure it as a Certificate PasswordClick the Set button for the Credentials

Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank

Complete detailed instructions are available in the documentation described at the end of this session

Configure Secure Store


It’s critically important that you:Have a UPA up and runningHave it populated with current data from Active Directory

We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.With a hybrid solution, anything that you grant rights to needs to be in the profile system

E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you login to o365More details at http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx

Configure UPA

http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx




BCS Hybrid Scenario



Questions? Ideas? Feedback? Contact me:Twitter: @RHarbridge Blog: http://www.RHarbridge.comEmail: [email protected]:

700+ SharePoint IA Slides at.. PracticalIntranet.com 130+ SharePoint Standards at.. SPStandards.com80+ Downloadable Presentations.. SlideShare.com/RHarbridge

Thank You Organizers, Sponsors and You for Making this Possible.

http://www.twitter.com/rharbridge



mailto:[email protected]

http://www.practicalintranet.com/

http://www.spstandards.com/

http://www.slideshare.net/rharbridge

Date post:	15-May-2015
Category:	Technology
Upload:	richard-harbridge
View:	2,673 times
Download:	2 times

SharePoint In The Cloud: Evaluating Impact, Pros, And Cons - SharePoint Saturday Philly

Technology