CONTENTS
Executive Summary ............................................................................................................ 3
Hybrid Advantages.............................................................................................................. 4
Cost Savings Due to Cloud Efficiencies ............................................................................. 4
Flexible Deployment and Management
Client Performance ............................................................................................................. 16
Service Dependencies ........................................................................................................ 16
Mail Flow ............................................................................................................................ 17
Situation
Office 365: Exchange Online offers Microsoft IT the opportunity to add flexibility to the messaging infrastructure and cut costs by deploying and operating a hybrid environment.
Solution
As part of a long-term strategy, Microsoft IT onboarded 36,000 mailboxes to Exchange Online with the goal of migrating 80% of all mailboxes by 2015. This hybrid deployment offers the best features and benefits of both on-premises and cloud-based approaches.
Benefits
Seamless user experience using
EXECUTIVE SUMMARY
Although hosted solutions for e-mail messaging have been available for many years, recent
improvements have made it possible to deploy and operate a hybrid environment that makes
the most of both on-premises and hosted services. Microsoft began offering Exchange Online
as its multi-tenant enterprise messaging service in the cloud to customers starting at the end
of 2008 based on Exchange Server 2007 technology with the goal of helping customers and
its own workers realize the benefits of cloud computing. After onboarding millions of
mailboxes from companies of all sizes, building out a scalable and highly available
infrastructure, and upgrading Exchange Online to run Exchange Server 2010, Microsoft IT
pursued an initiative to transition from operating its own on-premises Exchange environment
to operating a hybrid environment. With a hybrid approach, Microsoft IT benefits from
continuing to use previous investments in the existing on-premises infrastructure, with the
ability to accommodate business growth by using Exchange Online.
To overcome the engineering and business challenges in transitioning to a hybrid
environment, Microsoft IT focused on ensuring user satisfaction by engaging all teams
involved in the deployment effort. One key objective was to provide users with a seamless
transition and automatic Outlook profile update to Exchange Online yet retain the same
features and functionality of the on-premises service. To ensure the best user experience,
the hybrid architecture incorporates design elements that include the following:
Single sign-on (SSO) using existing Active Directory credentials and Active Directory
Federation Services (ADFS)
One microsoft.com domain namespace for both on-premises and Exchange Online
Landing page to inform Exchange Online users who log in to the on-premises Outlook Web App URL about the appropriate Exchange Online Outlook Web App URL
HYBRID ADVANTAGES
The hybrid architecture results in many benefits for Microsoft IT not only in overall cost
savings, but also in greater flexibility to accommodate business growth while saving time and
money by not having to do capacity planning, update software, maintain servers, or manage
hardware.
Included technical support. Exchange Online includes 24/7 phone support for the internal Microsoft IT support team, which helps to ensure timely responses and reliability.
Automatic failover. Similar to the on-premises solution, Exchange Online also provides automatic failover for resiliency.
Flexible growth and expansion. As Microsoft grows and changes, Exchange Online makes it straightforward to add mailboxes by simply buying additional licenses. This requires no capacity planning, server purchasing, or deployment.
Deployment on Microsoft IT's terms. A hybrid approach offers Microsoft the flexibility to migrate mailboxes as needed to and from Exchange Online. As a way of validating the
Single namespace and unified experience. Microsoft IT's hybrid design relies on auth headers in Exchange data, making communication appear internal to both on-premises and Exchange Online. As a result, Exchange features such as MailTips and out-of-office (OOF) messages function and appear as expected to users and recipients.
[Figure: On-premises environment. Client Access, Mailbox, Hub Transport and Unified Messaging roles in North America, Dublin and Singapore, connected over the Internet to Office 365 and Forefront Online Protection for Exchange (FOPE).]
The Exchange Online architecture uses a role-based approach similar to the on-premises one, but driven by the following services instead of roles:
Office 365 directory. Exchange Online uses its own directory service for user data. To handle authentication, the directory service relies on Microsoft Online ID.
Exchange Online messaging. As the core service that handles messaging, Exchange Online includes transport and storage functionality to house mailboxes and facilitate mail flow.
[Figure: Hybrid architecture overview. On-premises environment: internal network with Active Directory domain controller, directory sync and ADFS federation servers; perimeter network with ADFS proxy. Office 365: Microsoft Online ID, Microsoft Federation Gateway, hosted messaging service and FOPE. Remote access users connect over the Internet.]
Microsoft Federation Gateway. As an intermediary between Office 365 and on-premises services, the Microsoft Federation Gateway provides an identity service that connects users to the hosted services they want to use. For more information about the
ADFS. To enable single sign-on and communicate with the Microsoft Federation Gateway, Microsoft IT relies on ADFS.
Service domain to facilitate single domain namespace. To forward e-mail from on-premises to Exchange Online, Microsoft IT configured a new DNS service domain for coexistence named messaging.microsoft.com. Upon sign up, new companies are automatically given a customizable coexistence domain with the format <custom domain>.mail.onmicrosoft.com.
The Microsoft IT environment is specifically designed for Microsoft business needs, yet the
technical requirements and steps for deploying a hybrid environment are the same for all
companies. For a guided lab that shows the steps of configuring on-premises and Exchange
Online components, see http://technet.microsoft.com/en-us/office365/hh744605.
Identity Management
To make the experience seamless for administrators and workers, the messaging
environment must support a single authoritative source of user identity, with associated
authentication, authorization, and permissions management. In a hybrid approach, the
technical solution for a single authoritative source is to populate the Exchange Online
directory with on-premises users, and then keep the two directories synchronized.
As shown in Figure 3, Microsoft IT uses three technologies to make synchronization take place:
ADFS 2.0. To communicate between the on-premises Active Directory environment and Exchange Online, Microsoft IT relied on the established ADFS infrastructure and created a relying party trust relationship between the ADFS federation server farm and Exchange Online. This relying party trust is a conduit for authentication tokens to facilitate single sign-on.
Microsoft Federation Gateway. As an intermediary between Office 365 and on-premises services, Microsoft provides an identity service that connects users to the hosted services they want to use.
contacts and groups, global address list (GAL), on-premises-based safe and blocked
senders, and delegation details.
[Figure 3: Identity management components. Microsoft on-premises: AD domain controller and ADFS federation servers on the internal network, ADFS proxy in the perimeter network. Office 365: Microsoft Online ID, Exchange Online, Microsoft Federation Gateway and FOPE. Connections shown: directory synchronization, ADFS trust and federation trust.]
ADFS Architecture
The ADFS infrastructure at Microsoft supports single sign-on for over 300 line-of-business
applications hosted on the cloud or by partners and vendors outside of the internal corporate
network. ADFS handles claim requests to verify identities and returns tokens to the
requesting party to enable applications to verify the identity of a user with Microsoft Active
Directory credentials. ADFS relies on federation servers that authenticate users against
Active Directory and issue claims, as well as federation proxy servers that reside in the
perimeter network in front of the federation servers. Clustered SQL servers store
configuration data, as shown in Figure 4.
[Figure 4: ADFS architecture. First data center: ADFS proxy servers in the perimeter network, ADFS federation servers on the internal network, primary SQL Server cluster. Second data center for business continuity: ADFS proxy servers, ADFS federation servers, mirror SQL Server cluster.]
Threshold                              Details
Authentication token requests/sec      Below 60
CPU load                               Below 50%
Authentication requests per second are the main threshold. Microsoft IT tries to keep this
at an even load of 10-12. During March 2012, Microsoft IT migrated over 14,000 mailboxes,
with a plan to monitor performance of the existing ADFS environment, and then add
additional capacity. Figure 5 shows an average of requests per second for March.
User model     Average daily auths     Peak daily auths     Min daily auths
Light          150                     150-200              100-120
Moderate       220                     350-400              150-200
Power          290                     400-600              150-200
These models served as a starting point to determine how many more servers to add in order
to accommodate the additional traffic expected from migrating mailboxes to Exchange
Online.
For more information about designing and capacity planning for ADFS proxy and federation
servers, see http://technet.microsoft.com/en-us/library/gg749899(v=WS.10).aspx and
http://technet.microsoft.com/en-us/library/gg749917(v=ws.10).aspx.
User model                       Light           Medium          Heavy           Power User
Messages sent                    10              20              30              (missing)
Messages received                20              40              80              120
(row label missing)              50 KB           50 KB           50 KB           50 KB
Messages read                    20              40              80              120
Messages deleted                 10              20              40              60
E-mail client traffic:
  Outlook 2010                   1,300 KB/day    2,600 KB/day    5,200 KB/day    7,800 KB/day
  (client name missing)          6,190 KB/day    12,220 KB/day   24,270 KB/day   36,330 KB/day
Microsoft IT's considerations for bandwidth requirements based on the user models followed
established best practices of evaluating the connectivity at each gateway and monitoring
performance. As migrations increase, Microsoft IT continues to monitor latency, jitter,
collisions, utilization, and other network metrics to spot gateways and locations that need
improvement. For more information about bandwidth planning, see
http://blogs.technet.com/b/uspartner_ts2team/archive/2011/01/10/bpos-or-office-365-bandwidth-needs-determination-a-refresher.aspx.
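As an added planning example (not from the paper), the user-model authentication figures and the Outlook 2010 bandwidth figures above are applied to a constructed mailbox mix and checked against the paper's ADFS thresholds. The mailbox split, the 10-hour business day over which logons are spread, and the mapping of the bandwidth table's Medium and Power User columns onto the Moderate and Power models are assumptions.

```python
"""Sizing an ADFS federation farm and client bandwidth for a migration wave.

Added example, not from the original paper: it turns the paper's two tables
(per-user daily ADFS authentications by user model, and per-user Outlook 2010
bandwidth by user model) into a planning check against the paper's ADFS
thresholds (stay below 60 token requests/sec per federation server, aim for
an even load of 10-12).  The mailbox mix and the length of the business day
over which authentications are spread are this example's assumptions.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

# Per-user daily authentications from the paper's user-model table.
# "peak" takes the upper end of the stated range, "min" the lower end.
DAILY_AUTHS = {
    "light":    {"avg": 150, "peak": 200, "min": 100},
    "moderate": {"avg": 220, "peak": 400, "min": 150},
    "power":    {"avg": 290, "peak": 600, "min": 150},
}

# Per-user Outlook 2010 traffic in KB/day from the paper's bandwidth table.
# That table's columns are Light, Medium, Heavy and Power User; mapping
# Medium -> moderate and Power User -> power is this example's assumption.
OUTLOOK_KB_PER_DAY = {"light": 1300, "moderate": 2600, "power": 7800}

ADFS_MAX_REQ_PER_SEC = 60         # paper: keep token requests/sec below 60
ADFS_TARGET_REQ_PER_SEC = 12      # paper: Microsoft IT aims for an even 10-12
BUSINESS_DAY_SECONDS = 10 * 3600  # assumption: logons spread over 10 hours


@dataclass
class Estimate:
    avg_req_per_sec: float    # farm-wide, averaged over the business day
    peak_req_per_sec: float   # farm-wide, on a peak day
    servers_for_target: int   # federation servers needed to hold the 10-12 target at peak
    outlook_mb_per_day: float # aggregate Outlook 2010 traffic across the gateways


def estimate(mailboxes: dict[str, int]) -> Estimate:
    """Estimate ADFS load and client bandwidth for a mix of migrated mailboxes.

    mailboxes maps a user model ("light", "moderate", "power") to the number
    of mailboxes of that model in the wave.
    """
    avg_auths = sum(DAILY_AUTHS[m]["avg"] * n for m, n in mailboxes.items())
    peak_auths = sum(DAILY_AUTHS[m]["peak"] * n for m, n in mailboxes.items())
    avg_rps = avg_auths / BUSINESS_DAY_SECONDS
    peak_rps = peak_auths / BUSINESS_DAY_SECONDS
    servers = max(1, math.ceil(peak_rps / ADFS_TARGET_REQ_PER_SEC))
    kb = sum(OUTLOOK_KB_PER_DAY[m] * n for m, n in mailboxes.items())
    return Estimate(avg_rps, peak_rps, servers, kb / 1024)


def exceeds_threshold(est: Estimate, federation_servers: int) -> bool:
    """True when a peak day would push each federation server to or past the
    paper's 60 requests/sec ceiling, i.e. capacity must be added before the wave."""
    return est.peak_req_per_sec / federation_servers >= ADFS_MAX_REQ_PER_SEC


if __name__ == "__main__":
    # Constructed wave roughly the size of the paper's March 2012 migration
    # (over 14,000 mailboxes); the split across models is made up.
    wave = {"light": 8000, "moderate": 4000, "power": 2000}
    e = estimate(wave)
    print(f"avg {e.avg_req_per_sec:.1f} req/s, peak {e.peak_req_per_sec:.1f} req/s")
    print(f"federation servers for target load: {e.servers_for_target}")
    print(f"Outlook traffic: {e.outlook_mb_per_day:,.0f} MB/day")
    print("add capacity before migrating:", exceeds_threshold(e, federation_servers=2))
```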
One more performance consideration is the location of users relative to the Exchange Online
data center, and the latency and bandwidth available between users and the data center.
This is relevant both for the initial onboarding migration, due to the gigabytes of data
transferred, as well as for ongoing needs, especially as Microsoft workers increasingly rely on
mobile devices and work from home and while on the road.
Because Exchange Online relies on Internet infrastructure for mail traffic between office
locations and the Exchange Online data center, performance and SLAs cannot be
guaranteed. It is important to gather performance statistics from your environment. Two tools
Microsoft IT uses for validating connectivity are https://www.testexchangeconnectivity.com/Default.aspx and http://speedtest.microsoftonline.com/.
Client Performance
Microsoft users are accustomed to high performance levels with messaging, expecting all
message delivery to complete in less than 90 seconds, 99.99% or higher availability, and
fast e-mail operations to read and manage schedules and e-mail items. In
an on-premises deployment, Microsoft IT controls the messaging infrastructure and its
dependencies because all traffic flows internally within the corporate network, or between
users accessing internal Exchange servers over the Internet. A hybrid deployment introduces
additional variables that affect performance because users accessing Exchange Online from
within the corporate production environment do so over the Internet, same as mobile and
remote workers.
The differences among gateways, client devices, and connectivity in Microsoft locations
mean that user experience at times may not be consistent among all sites. Microsoft IT looks
at two factors when considering client performance: the MAPI RPC latency and the overall
client system indicators, such as CPU, disk, and file fragmentation.
RPC latency includes round-trip latency to the mailbox server and server-side RPC
processing. A helpful tool for determining these values is the connection status dialog
accessible by holding down the CTRL key, right-clicking the Outlook icon, and selecting
Connection Status from the Outlook context menu. Microsoft IT uses the following thresholds
when analyzing latency:
Max Avg Resp Time (Exchange RPC Latency + Network Latency) = 325ms
Service Dependencies
At its core, Exchange Server has always and continues to deliver e-mail messaging and
calendaring capabilities. Yet, Exchange Server 2010 integrates with other services and
applications such as SharePoint, the Office suite, and Lync Server, both on-premises and
through Exchange Online. This integration along with ADFS and directory synchronization
helps to facilitate the following hybrid Exchange capabilities.
token from the Microsoft Federation Gateway, impersonates the user, and makes free/busy requests on each user's behalf.
Public folders. Exchange Online does not support public folders. This is not an issue for Microsoft IT because users whose mailboxes are identified for migration do not rely on public folder functionality. For more information about public folder best practices in a hybrid deployment, see http://www.microsoft.com/download/en/details.aspx?id=27582.
Outlook Web App redirection. In the initial hybrid implementation, Microsoft IT created a landing page for users who access the on-premises Outlook Web App URL that directs users to the Exchange Online URL. If a user accesses it from within the corporate network, only one login is required, whereas from the Internet, users must authenticate twice. While working through the challenges, Microsoft IT collaborated with the Exchange Server product group to suggest improvements to streamline the experience. Exchange Server 2010 SP2 incorporates the latest changes with improvements to the Outlook Web App experience for hybrid deployments. For more information, see http://blogs.technet.com/b/exchange/archive/2011/12/12/owa-cross-site-silent-redirection-in-exchange-2010-sp2.aspx.
Mail Flow
Over the course of planning for and deploying the hybrid environment, Microsoft IT validated
possible mail flow scenarios and developed best practices to streamline hybrid deployment
for clients. Many of these configuration options are included in the Exchange Server
Deployment Assistant and as improvements in Exchange Server 2010 SP2 on-premises.
The routing configuration in a hybrid deployment is relatively straightforward. It comes down to having on-premises or Exchange Online be the authoritative environment, and then relaying e-mails to the secondary environment. In a hybrid configuration, both the on-premises and the Exchange Online environment see each other as an internal, trusted environment. Figure 6 illustrates the configuration and mail flow.
[Figure 6: Message flow overview. On-premises environment: Hub Transport (transport certificate subject mail.microsoft.com), Global Catalog for recipient lookup, Mailbox server hosting chris@microsoft.com. Office 365: FOPE, Hub Transport (transport certificate subject mail.messaging.microsoft.com), delivery queue, Exchange Online mailbox greg@microsoft.com. An e-mail addressed to chris@microsoft.com and greg@microsoft.com is split after recipient lookup: the copy for chris is delivered on-premises, the copy for greg crosses the Internet to FOPE over TLS.]
To enable mail flow, Microsoft IT configured a dedicated send connector on Hub Transport
servers secured by Transport Layer Security (TLS). That traffic traverses the Internet and
enjoys the following protection measures:
Channel privacy. Exchange 2010 forces TLS encryption for all messages by requiring that a SAN or fully qualified domain name (FQDN) on the associated Secure Sockets Layer (SSL) certificate for the sending server is configured as authorized on the receiving server.
Exchange Server appends the auth header to messages to mark internal messages as trusted and authenticated, making messages and MailTips appear as internal in both Exchange Online and on-premises. The header works together with the certificates and send connector to ensure mail flow happens smoothly between Exchange Online and on-premises. Figure 7 illustrates the role of the auth header. Because Exchange Server appends the auth header to all internal communication, features such as OOF notifications and MailTips work seamlessly for users.
[Figure 7: Auth header. Same components as Figure 6 (on-premises Hub Transport with certificate subject mail.microsoft.com, Global Catalog, Mailbox; Office 365 FOPE, Hub Transport with certificate subject mail.messaging.microsoft.com, delivery queue), with XOORG data exchanged over the TLS session.
Mail flow on-premises to Exchange Online: 1. Add internal auth header. 2. FOPE records sender certificate subject. 3. Verify certificate subject, promote if valid.
Mail flow Exchange Online to on-premises: 1. Add internal auth header. 2. Verify certificate subject, promote if valid.]
The auth header is relevant in the following mail flow scenarios for Microsoft IT:
E-mail flow between Exchange Online and on-premises. When an on-premises user sends an e-mail to a user whose mailbox resides in Exchange Online, the on-premises Hub Transport server verifies that the SAN or FQDN of the SSL certificate matches the configured value. If the certificate subject is valid, then Exchange appends the internal auth header to the e-mail and sends it to Exchange Online. The message bypasses the Edge server on-premises. The reverse direction follows a similar path, where the DNS and SSL configuration along with the send connector on the Hub Transport server enable encrypted mail to flow. The built-in features of Exchange Server give Microsoft IT the functionality needed to configure mail flow.
E-mails between Exchange and Internet hosts. For other e-mail communication to and from Internet hosts, Exchange Online and on-premises use the standard Simple Mail Transfer Protocol (SMTP) mail flow as detailed in http://technet.microsoft.com/en-us/library/ff645372.aspx.
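The receiving-side check behind the two scenarios above, as an added example that is not code from the paper or from Exchange Server: the peer certificate subject or SAN is matched against the configured name, and only a verified peer's internal auth header is honoured; an unverified peer's organization headers are stripped. The header name (modelled on Exchange's X-MS-Exchange-Organization-AuthAs), the matching rule and all sample session and message values are assumptions.

```python
"""Receiving-side trust decision for mail crossing the hybrid connector.

Added example, not code from the paper or from Exchange Server: it models the
steps in the paper's Figure 7 (TLS, verify the peer certificate subject or SAN
against the configured name, promote to internal if valid, otherwise strip).
Header name (modelled on Exchange's X-MS-Exchange-Organization-AuthAs), the
matching rule and all sample values are this example's assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Names configured as authorized TLS peers: the paper's transport certificate
# subjects for on-premises and Exchange Online.
TRUSTED_TLS_NAMES = {"mail.microsoft.com", "mail.messaging.microsoft.com"}

# Assumed header carrying the internal auth marker.  Any header in this
# namespace arriving from an unverified peer is stripped; otherwise an Internet
# sender could stamp its own "Internal" marker and bypass filtering and the
# MailTips/OOF trust that the marker unlocks.
AUTH_HEADER = "X-MS-Exchange-Organization-AuthAs"
ORG_PREFIX = "x-ms-exchange-organization-"


@dataclass
class Session:
    tls: bool                          # TLS negotiated on this SMTP session?
    subject_cn: Optional[str] = None   # CN from the peer certificate subject
    sans: tuple[str, ...] = ()         # dNSName SAN entries on the certificate


@dataclass
class Message:
    headers: dict[str, str] = field(default_factory=dict)


def _name_matches(cert_name: str, configured: str) -> bool:
    """Case-insensitive match; a wildcard covers exactly one leftmost label
    (*.microsoft.com matches mail.microsoft.com, not mail.messaging.microsoft.com)."""
    cert_name, configured = cert_name.lower().rstrip("."), configured.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # e.g. ".microsoft.com"
        leftmost = configured[: -len(suffix)] if configured.endswith(suffix) else ""
        return bool(leftmost) and "." not in leftmost
    return cert_name == configured


def peer_is_trusted(session: Session, trusted=TRUSTED_TLS_NAMES) -> bool:
    """Figure 7 verify step: TLS is up and a SAN or the subject FQDN on the
    presented certificate matches a configured name.  Chain and validity-period
    checks belong to the TLS layer and are assumed to have passed already."""
    if not session.tls:
        return False
    names = list(session.sans) + ([session.subject_cn] if session.subject_cn else [])
    return any(_name_matches(n, t) for n in names for t in trusted)


def stamp_internal(msg: Message) -> Message:
    """Figure 7 step 1 on the sending side: mark the message as internal."""
    out = Message(dict(msg.headers))
    out.headers[AUTH_HEADER] = "Internal"
    return out


def promote_or_strip(msg: Message, session: Session) -> Message:
    """Figure 7 receiving side: keep (promote) the organization headers when the
    peer verified; otherwise drop all of them and mark the message Anonymous."""
    if peer_is_trusted(session):
        return Message(dict(msg.headers))
    kept = {k: v for k, v in msg.headers.items() if not k.lower().startswith(ORG_PREFIX)}
    kept[AUTH_HEADER] = "Anonymous"
    return Message(kept)


def is_internal(msg: Message) -> bool:
    """What MailTips, OOF and filtering consult: is the message marked internal?"""
    return msg.headers.get(AUTH_HEADER) == "Internal"


if __name__ == "__main__":
    # Constructed: chris@microsoft.com (on-premises) mails greg@microsoft.com
    # (Exchange Online); the same message offered by an Internet relay is demoted.
    outbound = stamp_internal(Message({"From": "chris@microsoft.com", "To": "greg@microsoft.com"}))
    print(is_internal(promote_or_strip(outbound, Session(tls=True, subject_cn="mail.microsoft.com"))))  # True
    print(is_internal(promote_or_strip(outbound, Session(tls=True, subject_cn="relay.example.net"))))   # False
```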
For Exchange Online, FOPE provides a similar service. FOPE includes high-accuracy spam filtering, with over 98% of spam filtered, and 100% of viruses filtered by using multiple virus-scanning engines. FOPE also gives Microsoft IT a control center for advanced policy rules and reporting. Although it is possible to use an Edge server on-premises for mail filtering and SMTP relay in a hybrid architecture, Microsoft IT uses FOPE. The first contact point for handling e-mail messages is very important in the overall architecture, especially because of the dependencies required when not using FOPE. The Exchange Deployment Assistant addresses this in the guidance it provides and accommodates both scenarios for initial mail handling. For more information about FOPE, see http://www.microsoft.com/exchange/en-us/forefront-online-protection-for-exchange.aspx.
Synchronize directories and data. In order to onboard user mailboxes, users must exist in Exchange Online. Microsoft IT configures directory synchronization to populate Exchange Online with users from the Active Directory environment.
Configure DNS and certificates. Exchange relies on DNS entries for autodiscover, which is necessary for a seamless online migration with no user interruptions. After migration, Outlook uses autodiscover to detect the mailbox move, and upon restart uses the Exchange Online service. Microsoft IT configured the MX records to point to FOPE.
Verify mail flow. The auth header is crucial to bypass filters and mark internal messages as originating from trusted sources. Microsoft IT configured and verified mail flow between Exchange Online and on-premises, as well as Internet hosts.
For deployment steps and instructions to deploy a hybrid environment, the best practice is to use the Exchange Deployment Assistant, which includes the latest steps. To access the Exchange Deployment Assistant, see http://technet.microsoft.com/en-us/exdeploy2010/default.aspx.
prerequisites are met for preparing and configuring settings, as well as informing users. The overall process is as follows:
Verify configuration. This includes ensuring that Exchange Online is prepared with the appropriate objects, directory synchronization functions, and mail flows between Exchange on-premises and Exchange Online. This step also serves as a safeguard to verify that there are no scheduled service windows or current outages with dependent services.
Update user computer. To ensure that users have the latest Outlook client version and required software such as Microsoft Online Services Sign-in Assistant, Microsoft IT uses System Center Configuration Manager (SCCM) to package the required software and deploy it on user computers.
For more information about determining how many mailboxes to migrate, the anticipated migration timeframe, and other migration performance details, see the migration performance guide at http://community.office365.com/en-us/b/office_365_technical_blog/archive/2012/03/29/new-exchange-online-migration-performance-guide.aspx.
Phases
The rate at which Microsoft IT migrates mailboxes is closely tied to the rate that
improvements and change requests from previous phases are implemented as features.
Between the phases, Microsoft IT allowed for a period of one to two weeks to implement
changes and constantly improve the user experience and migration process. The phases
were as follows:
Phase 1: Environmental validation. The purpose of this phase is to discover and fix any system configuration errors and integration issues by creating test accounts and performing usage scenarios.
Phase 2: Early adopter validation. The early adopter volunteers troubleshoot, gather logs, and provide constructive feedback to the project teams. In this phase, Microsoft IT migrates 10 to 20 mailboxes per week, stopping at approximately 100 mailboxes.
Phase 3: Expanded early adoption. During the expanded early adoption phase, Microsoft IT migrated the accounts of 1,000 additional volunteers who are eager to explore new options in technology. The migration proceeded in stages, stopping when major issues were discovered and resuming upon resolution.
Phase 6: Company-wide adoption. Once the hybrid infrastructure meets the shared goals of Microsoft IT, product developers, and other infrastructure team members, Microsoft IT plans to migrate all mailboxes to Exchange Online, unless there is a business need to remain on-premises.
SUPPORTING USERS
During the transition to a hybrid infrastructure, Microsoft IT minimizes support tickets by
informing users and designing architecture with the goal of least user impact. The typical
process for any Microsoft IT improvement project includes a focus on user education. This
entails a broad, multimedia approach of making help available to users on their own terms,
including the following:
Online help. Microsoft IT developed online help to answer frequently asked questions, provide user self-help capabilities, and inform users about working with Exchange Online by suggesting best practices.
Updated knowledge for front-line operators. The support and escalation path remains the same for users due to the centralized controls that a hybrid infrastructure offers. However, as part of preparing for mailbox migration, Microsoft IT collects incident details and transfers the resolution specifics to internal front-line operators as well as the support team for Exchange Online to aid in issue resolution. To help facilitate this knowledge sharing, Microsoft IT established a supportability team to do deep analysis of each ticket and identify trends in order to support and prioritize change requests made to the Exchange product group.
Validation team. Due to the need to validate many possible customer scenarios and features for all the scenarios, Microsoft IT created a dedicated validation team. This team has oversight to validate possible customer configurations, record findings, recommend improvements, and create best practices. Exchange Server 2010 SP2 on-premises incorporates some of the findings of this team as product improvements to simplify customer hybrid deployments. This team also validates features and functionality for Microsoft users to ensure a smooth transition process.
Feedback loop. When Microsoft IT migrated the earliest mailboxes, this was done with the intention to obtain migration and usability feedback. The early volunteer users relied on a feedback portal to give real-time feedback as a smile, frown, improvement idea, or issue. This feedback loop complemented the one-week and one-month post-migration survey users filled out to help Microsoft IT gauge overall user experience such as migration experience and usage performance. This helped Microsoft IT to identify improvement areas for infrastructure, configuration and product design changes.
Self-help tool. Microsoft IT treats both on-premises and Exchange Online as a single service, and the helpdesk supports both groups of users. It is important to be able to identify the environment that hosts the mailbox; therefore Microsoft IT created a Web portal that provides information about the mailbox location, Outlook Web App link, ActiveSync, and other information pertaining to that user.
Use available migration tools and wizards. Many of the findings that engineers, architects, and implementers made are implemented in the configuration wizard and supporting tools that Microsoft makes available to anyone using Office 365. Whenever a configuration step could be simplified, automated, or implemented as a product change, Microsoft IT worked to transfer its knowledge into a standard for all customers.
Engage infrastructure team early. Mailbox migration to Exchange Online results in e-mail traffic traversing the Internet across provider backbone routers instead of internal WAN networks and internal routers. This change may require increasing capacity and sizing of the Internet proxy egress infrastructure, ADFS, bandwidth, gateway IP
Support the support department. With a new service, support personnel must be trained on possible issues, and how to isolate and troubleshoot root causes. Having tools that identify mailboxes as on-premises or in the cloud helps when isolating root causes.
Practice change management. With new technology adoption, users generally want to start using the new and exciting features. Yet with messaging, there is a high expectation that the service be reliable with high service availability, which may not be possible at very early deployment stages. Microsoft IT mitigates this by ensuring users have all possible collaboration tools so that when one service is not available, workers may continue to carry out their tasks. For example, when e-mail service is unavailable, users can continue to collaborate with colleagues through Lync 2010 via instant messaging or voice call. They may also work on documents via SharePoint or send documents via Lync. At Microsoft, many early innovators are very keen to be early adopters because service outages do not severely affect their ability to work. After Microsoft IT achieves stability with a new service, it migrates the rest of the company. This methodology satisfies all user needs, creates high satisfaction, gives Microsoft IT the ability to support the developers in testing, and creates a better product.
Communicate with users. Active communication to users via Web portal, newsletter and e-mails keeps users excited about the program and informs them about new features or issues. Microsoft IT rewards and recognizes users who provide the most constructive feedback and support, which maintains user motivation and commitment to dogfooding additional products and services.