Step-by-Step Guide to Office 365 Hybrid Deployment
This eBook does not grant you legal ownership of any Microsoft product, only its use, unless this is explicitly stated in the eBook. "Trial" keys are provided for the single purpose of experimentation.
Tung has been recognized as an Office Services & Servers Most Valuable
Professional (MVP) by Microsoft from 2014 until now. He is an active
speaker in the Microsoft Technical community.
and Servers MVP (from 2015 until now). He has been a guest speaker at a number of different events and conferences such as SharePoint Saturday Vietnam, Microsoft SharePoint Day Malaysia, Azure Global Bootcamp, Business 365 Saturday Singapore and the European SharePoint Conference.
Introduction
Inspired by Microsoft, its products and technologies, we put our heads together on an eBook that would give you a step-by-step guide to Office 365 Hybrid deployment, because we have seen the huge trend towards modern collaboration in our work today. We consider ourselves fortunate to have worked with and talked to a number of different IT executives and CIOs during the three years before we started writing this eBook.
This eBook is written not only for IT Pros but for anyone who is starting to think about a hybrid deployment of Office 365 to maximize the use of infrastructure resources and contribute to cost-effective technology adoption in the business. What you will learn from this eBook is how to install and configure a number of different Office Services and Server products in an on-premises environment to work with Microsoft Office 365, an innovative SaaS digital workplace platform.
We are not going to dig into the hybrid scenario in cloud computing in general, because that is not our main purpose in writing this eBook. When it comes to hybrid there are many scenarios to be considered, including gotchas that may happen; such topics can easily be found on the Internet.
This eBook assumes that you have fundamental knowledge of Microsoft SharePoint Server 2013, Microsoft Exchange Server 2013, Skype for Business 2016, Windows Server, Forefront Threat Management Gateway and Office 365: at least you know what they are and how they can help your organization. If you do not, we still appreciate your time, as this eBook walks you through the steps progressively, with screenshots that make them easy to follow.
In an Office 365 scenario, a hybrid deployment is when you want end users whose accounts are hosted in on-premises Active Directory to have access to a SharePoint Online site collection. Offering the capability to share calendars between on-premises Exchange and Exchange Online is also considered an Office 365 hybrid deployment scenario. In a nutshell, when you do a hybrid deployment you connect services between on-premises and public cloud infrastructure, wherever it is. Sometimes people also consider the separate use of public and private cloud to be hybrid, for example developing an application on Office 365 and then deploying it into a SharePoint on-premises environment.
[Figure: hybrid topology. Left to right: Microsoft Data Center (Office 365 Identity, SharePoint Online), Internet, Perimeter Network (AD FS), On-Premises Network (end-user, DirSync).]
As the examples above show, hybrid is about balancing infrastructure resources between both cloud environments. For example, before the Public Site feature was deactivated by Microsoft on Office 365, people used the resources of the Microsoft Cloud infrastructure to serve a massive number of public users for their internet-facing website, while the identity of the website's content editors was hosted in in-house Active Directory. In this case, you make the best use of your investment in high availability for your internet-facing website, while still meeting compliance requirements such as authentication and identity management.
Why should you consider an Office 365 hybrid deployment? Perhaps because everyone else is doing it. The cost of hybrid is not going to be discussed here. However, when you go hybrid, you cut at least the operational infrastructure and licensing costs that would otherwise consume your entire cloud budget. In many cases, going hybrid also means outsourcing part of the responsibility for data security, which might be a big concern.
The following articles give you more helpful information about the pros and cons of hybrid cloud:
■ http://blog.rackspace.com/10-reasons-why-a-hybrid-cloud-is-better
■ http://www.zdnet.com/article/hybrid-cloud-why-hybrid-it-may-be-the-better-choice/
■ http://www.datacenterknowledge.com/archives/2015/02/16/hybrid-cloud-continues-grow-look-real-use-cases/
■ http://www.cio.com.au/brand-post/content/607556/why-hybrid-cloud/
Environment Preparation
Below is the environment we used during the step-by-step guide. You could use fewer servers than we did by combining roles onto a group of servers. However, we highly recommend isolating roles and services, which makes the deployment more practical.
NO.  SERVER  IP ADDRESS       SUBNET MASK      GATEWAY          OS
1    AD01    192.168.1.5      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
2    ADFS01  192.168.1.6      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
3    EX01    192.168.1.7      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
4    SFB     192.168.1.8      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
5    SP01    192.168.1.10     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
6    TMG     192.168.1.100    255.255.255.0                     Windows Srv 2008
             125.253.124.163  255.255.255.240  125.253.124.161
             172.16.1.100     255.255.255.0
7    EDGE    192.168.1.9      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
             172.16.1.9       255.255.255.0    172.16.1.100
             125.253.124.164  255.255.255.240  125.253.124.161
8    WAP01   192.168.1.15     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
             125.253.124.162  255.255.255.240  125.253.124.161
All of the servers above are virtualized on a physical host running Microsoft Hyper-V. Microsoft Hyper-V is not required, but it supports virtualizing Microsoft workloads with optimal performance. Here is the overall picture of the hybrid topology.
■ AD01: an Active Directory domain controller virtual machine, acting as the identity provider in the on-premises environment.
■ ADFS01: an Active Directory Federation Services virtual machine, acting as the federation party that provides the federation trust between the identity providers in both environments (on-premises and cloud).
■ EX01: a server running Microsoft Exchange Server 2013.
■ SFB: a server running Microsoft Skype for Business 2015.
■ SP01: a server running Microsoft SharePoint Server 2013.
■ TMG: a server running Microsoft Forefront Threat Management Gateway 2010. Although this product is no longer supported, we still use it for the configuration to help you better understand the deployment context.
■ EDGE: a server running Skype for Business Server 2015 in the edge server role.
■ WAP: a server running the Web Application Proxy service.
■ Third-party certificate across multiple servers: with this option, you purchase a single certificate that is used for all servers and services. This is an advantage in an environment with many servers. A wildcard SSL certificate is commonly preferred.
■ Third-party certificate for each server: with this option, you purchase a dedicated certificate for each server or service. When a certificate expires, you must renew it and replace it on that server or service. This type of certificate is commonly used when there are fewer than 5 servers.
PROVIDER                 ROOT CERTIFICATION AUTHORITY                          PURPOSE
Digicert                 Digicert Global Root Certification Authority          Server authentication, client authentication
Digicert High Assurance EV  Digicert Global Root Certification Authority       Server authentication, client authentication
Entrust                  Entrust.net Secure Server Certification Authority     Server authentication, client authentication
Entrust (2048)           Entrust.net Secure Server Certification Authority     Server authentication, client authentication
Network Solutions        Network Solutions Certification Authority             Server authentication, client authentication
SECOM                    SECOM Trust Systems Certification Authority           Server authentication, client authentication
Verisign                 Class 3 Public Primary Certification Authority        Server authentication, client authentication
1. Create a certificate request with a private key in IIS. Open IIS Management Console and click Server Certificates.
2. Click Create Certificate Request and fill in the information. In this case, we entered *.ict24h.info because we decided to use a wildcard SSL certificate.
3. Select the cryptographic service provider you want. We selected Microsoft RSA SChannel Cryptographic Provider with a bit length of 2048.
4. Specify the file in which to store the certificate request; its content is what the certification authority signs.
5. If you open the file, you will see a Base64-encoded block between the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines; this is the content you submit to the certificate provider.
7. Fill all information required in the form, including your credit card information.
8. After the payment is processed successfully, you will receive an email along with a guide to
configuring the certificate.
10. Enter your code that Comodo has sent to you via email and click Go!
[Screenshot: Comodo configuration form with the fields Configuration PIN (if you don't have this information, log in to your account to get the PIN or contact support), CSR Key (the Certificate Signing Request for the domain name you want the SSL certificate for), Contact Details (organization, administrator and technical contact: organization name, address, phone, email) and a verification captcha.]
11. Copy the CSR (Certificate Signing Request) content you generated in step 5 into the CSR box and click Finish. When this step is complete, you will receive a *.ZIP file from Comodo at your registered email address.
Click Complete Certificate Request in the Actions panel. Browse to your certificate file and enter a Friendly name. Select the Personal store.
15. Because you purchased a wildcard certificate, you can use it on every virtual machine you have. You simply need to export the certificate with its private key in *.pfx format. Go to MMC > Local Computer > Personal > Certificates.
16. Right click on your wildcard certificate, select All Tasks > Export.
18. Select Yes, export the private key option. Click Next.
19. Select Personal Information Exchange - PKCS #12 (.PFX) option. Select Include all
certificates in the certification path if possible and Export all extended properties. Click
Next.
21. Specify the location to export your certificate (*.pfx). Click Next.
Now you have a CA-signed certificate that can be imported on every virtual machine that needs it. All the virtual machines that connect to Office 365 need to have the certificate imported; it is used to encrypt the traffic passing over the Internet. Perform the following steps to import the certificate onto another virtual machine:
1. Login to the virtual machine you want to import the certificate then go to MMC > Local
Computer > Personal > Certificate.
2. Right click on Personal > All Tasks > Import.
5. Specify the password that you entered earlier into the Password box. Click Next.
[Screenshot: Certificate Store page of the Certificate Import Wizard, with the certificate store set to Personal.]
8. After completing the import, you will see the certificate in the list of certificates in your Personal store.
Now we assume you have successfully imported the certificate on all the virtual machines that need to connect to Microsoft Office 365, which we will configure later in the eBook. Because the connection is over the Internet, make sure you purchase the certificate from an internationally trusted third-party provider.
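The export and import procedure above as one PowerShell script, an added example that is not from the eBook: it exports the wildcard certificate with its private key and full chain, copies the PFX to each server over the admin share, imports it, and verifies what landed in each store. The server names come from the environment table; the file paths are lab placeholders.

```powershell
# Added example (not from the eBook): export the *.ict24h.info wildcard certificate
# with its private key, import it on the other virtual machines and verify the result.
# Assumptions: server names from the environment table; paths are lab placeholders.

$Subject  = 'CN=*.ict24h.info'
$PfxLocal = 'C:\Certs\wildcard-ict24h.pfx'            # assumed local path on the source VM
$Targets  = 'ADFS01', 'EX01', 'SFB', 'SP01', 'WAP01', 'EDGE'

# Never hard-code the PFX password; prompt for it as a SecureString.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Find the certificate in LocalMachine\Personal and insist on a private key
#    (a request completed on another machine would not have one here).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Subject in LocalMachine\My" }

# 2. Export as PKCS #12 with the whole chain, matching the wizard's
#    "Include all certificates in the certification path" option.
New-Item -ItemType Directory -Path (Split-Path $PfxLocal) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxLocal -Password $PfxPassword -ChainOption BuildChain | Out-Null

# 3. Copy the PFX to each target over the admin share (a UNC path used inside
#    Invoke-Command would hit the second-hop problem), import it, and report.
function Import-WildcardCertificate {
    param([string[]]$Servers, [string]$Source, [securestring]$Password, [string]$Thumbprint)
    foreach ($server in $Servers) {
        $remotePath = 'C:\Windows\Temp\wildcard-ict24h.pfx'
        Copy-Item -Path $Source -Destination "\\$server\C$\Windows\Temp\wildcard-ict24h.pfx" -Force
        Invoke-Command -ComputerName $server -ArgumentList $remotePath, $Password, $Thumbprint -ScriptBlock {
            param($Path, $Pass, $Expected)
            try {
                $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\My -Password $Pass
                $stored   = Get-Item -Path "Cert:\LocalMachine\My\$Expected" -ErrorAction Stop
                [pscustomobject]@{
                    Server        = $env:COMPUTERNAME
                    Matches       = ($imported.Thumbprint -eq $Expected)
                    HasPrivateKey = $stored.HasPrivateKey
                    DaysToExpiry  = [int]($stored.NotAfter - (Get-Date)).TotalDays
                }
            } finally {
                # The PFX holds the private key; do not leave it on the target.
                Remove-Item -Path $Path -Force -ErrorAction SilentlyContinue
            }
        }
    }
}
$results = Import-WildcardCertificate -Servers $Targets -Source $PfxLocal -Password $PfxPassword -Thumbprint $cert.Thumbprint
$results | Format-Table Server, Matches, HasPrivateKey, DaysToExpiry -AutoSize

# 4. Fail loudly if any server did not end up with the same certificate and its key.
$bad = $results | Where-Object { -not $_.Matches -or -not $_.HasPrivateKey }
if ($bad) { throw "Import failed on: $($bad.Server -join ', ')" }
```

Delete the local PFX as well once every server reports Matches and HasPrivateKey as True.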
Perform the following steps to install and configure DirSync before you synchronize on-premises Active
Directory user accounts to Office 365.
3. In Set up and manage Active Directory synchronization page you will see 7 basic steps for
Active Directory synchronization. From step 3, click Activate.
4. Office 365 will ask for your confirmation to activate Active Directory synchronization. Click
Activate.
You have activated Active Directory synchronization in the Office 365 portal. Now you need to install Azure Active Directory Sync. Perform the following steps to install the tool:
4. Specify directory where you want to store the tool binaries and files. Click Next.
7. Select Start Configuration Wizard now from the next screen. Click Finish.
8. In Welcome page, read the information and brief guide. Click Next.
9. Enter your Windows Azure Active Directory account. This account must have
administrator permission in your Office 365. Click Next.
10. In Active Directory Credential page, enter your Active Directory domain administrator
account. Click Next.
11. In Hybrid Deployment page, select Enable Hybrid Deployment option. Click Next.
12. In Password Synchronization page, select Enable Password Sync option. Click Next.
13. In Configuration page, you can track progress of the configuration you have done.
15. In Finish page, select Synchronize your directories now. Click Finish.
Now you have completed the configuration of Active Directory synchronization. Depending on the number of user accounts to be synced, the duration may vary. The Status column shows which type each account is (e.g. Synced with Active Directory or In cloud).
DISPLAY NAME    USER NAME             STATUS
TUNG PHAM       admin@ict24h.info     In cloud
Nguyen Pham     nguyen@ict24h.info    Synced with Active Directory
Thanh Chu       thanh@ict24h.info     In cloud
Thi Vo          thi@ict24h.info       In cloud
Thinh Nguyen    thinh@ict24h.info     Synced with Active Directory
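The same status view from PowerShell, as an added example that is not part of the eBook: it uses the Windows Azure Active Directory Module for Windows PowerShell (installed later in the SSO steps) to reproduce the Status column, check when the last sync ran, and list cloud-only accounts that hold the Company Administrator role. The staleness threshold is an assumption.

```powershell
# Added example (not from the eBook): check directory synchronization state with the
# MSOnline module, mirroring the portal's Status column. Assumption: a 3-hour staleness
# threshold for the last sync; adjust it to your sync schedule.

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 administrator')

# 1. Tenant-level facts: is DirSync enabled, and when did directory and password sync last run?
$company = Get-MsolCompanyInformation
$company | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime

# 2. Per-user status. A synced user carries an ImmutableId (the Base64 form of the
#    on-premises objectGUID) and a LastDirSyncTime; cloud-only users carry neither.
function Get-UserSyncStatus {
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            DisplayName       = $_.DisplayName
            UserPrincipalName = $_.UserPrincipalName
            Status            = if ($_.ImmutableId) { 'Synced with Active Directory' } else { 'In cloud' }
            LastDirSyncTime   = $_.LastDirSyncTime
        }
    }
}
$users = Get-UserSyncStatus
$users | Sort-Object Status, DisplayName | Format-Table -AutoSize

# 3. Two things a defender wants flagged: a sync that has stopped running (password
#    changes and account disablements no longer reach the cloud), and cloud-only
#    accounts with the Company Administrator role, whose lifecycle on-premises AD
#    does not govern and which therefore need their own review.
if (-not $company.LastDirSyncTime -or $company.LastDirSyncTime -lt (Get-Date).ToUniversalTime().AddHours(-3)) {
    Write-Warning "Last directory sync: $($company.LastDirSyncTime) (UTC); check the sync server"
}
$statusByUpn = @{}
foreach ($u in $users) { $statusByUpn[$u.UserPrincipalName] = $u.Status }
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $statusByUpn[$_.EmailAddress] -eq 'In cloud' } |
    Select-Object DisplayName, EmailAddress
```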
In the simplest terms, Single Sign-On (SSO) allows users to access different services with a single account and password, so they do not have to remember different accounts for different services. Moreover, SSO helps administrators simplify identity management.
To enable SSO in an Office 365 hybrid deployment, there are several third-party products on the market, for example PingFederate, CA Single Sign-On and Active Directory Federation Services (AD FS). In this case, we would like to introduce Active Directory Federation Services because it's a free tool.
Perform the following steps to configure SSO, install and configure Active Directory Federation
Services on ADFS01 virtual machine:
3. In Set up and manage single sign-on page, Microsoft provides you 10 steps for SSO
configuration. From step 3, select Windows 64-bit version (if your operating system only
supports 64-bit) to download Windows Azure Active Directory Module for Windows
PowerShell in order to configure trust relationship.
4. After downloading, execute installation file and start installing the tool. In Welcome page,
read the information and brief guide. Click Next.
5. In License Terms page, read carefully licensing terms and select I accept the terms in the
License Terms. Click Next.
6. In Install Location page, specify the location for Windows Azure Active Directory Module for
Windows PowerShell directory. Click Next.
Now you have installed the Windows Azure Active Directory Module for Windows PowerShell. Next, you need to install and configure Active Directory Federation Services. Perform the following steps:
1. On ADFS01 virtual machine, open Server Manager. Select Add Roles and Features.
3. In Select installation type page, select Role-based or feature-based installation option. Click
Next.
4. In Select destination server page, select Select a server from the server pool and select
your AD FS virtual machine. Click Next.
5. In Select server roles page, select Active Directory Federation Services. Click Next.
6. In Select feature page, select .NET Framework 3.5 Features (1 of 3 installed) and .NET
Framework 4.5 Features (3 of 7 installed). Click Next.
7. In Active Directory Federation Services (AD FS) page, read information of AD FS introduction
and notes provided by Microsoft. Click Next.
8. In Web Server Role (IIS) page, read information of web server introduction and notes provided
by Microsoft. Click Next.
9. In Select role services page, make sure the role services shown in the screenshot are selected. Click Next.
10. In Confirm installation selections page, select Restart the destination server automatically if required. Click Install.
11. In Installation progress page, review all services and features you have installed. Click Close.
12. Open Server Manager, you are notified to continue the AD FS configuration. Click
Configure the federation service on this server.
13. In Welcome page, select Create the first federation server in a federation server farm. Click
Next.
14. In Connect to Active Directory Domain Services page, specify your Active Directory domain
administrator account. Click Next.
15. In Specify Service Properties page, select the wildcard SSL certificate you imported. The Federation Service Name is the FQDN (Fully Qualified Domain Name) of the ADFS01 virtual machine. You can also create a CNAME record pointing to the ADFS01 virtual machine's FQDN (for example sts.ict24h.info). Enter a Federation Service Display Name. Click Next.
16. In Specify Service Account page, enter the service account, which is automatically added to the Managed Service Account group. Click Next.
[Screenshot: Specify Service Account page, with the options Create a Group Managed Service Account and Use an existing domain user account or group Managed Service Account. The page warns: Group Managed Service Accounts are not available because the KDS Root Key has not been set. Use the following PowerShell command to create the key: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)]
17. In Specify Configuration Database page, select Create a database on this server using
Windows Internal Database. Click Next.
[Screenshot: Specify Configuration Database page, with Create a database on this server using Windows Internal Database selected; the alternative is to specify the location of a SQL Server database by host name and instance.]
19. In Review Options page, review your configuration again. Click Next.
[Screenshot: Review Options page. This server will be configured as the primary server in a new AD FS farm 'adfs.ict24h.info'. AD FS configuration will be stored in Windows Internal Database; the Windows Internal Database feature will be installed on this server if it is not already installed, and all existing configuration in the database will be deleted. Federation service will be configured to run as ICT24H\Administrator.]
20. In Pre-requisite Checks page, AD FS automatically runs checks to verify that all prerequisites are met. Click Next.
[Screenshot: Pre-requisite Checks page: All prerequisite checks passed successfully. Click 'Configure' to begin installation.]
21. Wait until the installation is complete and open AD FS Management to review
information.
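The wizard's AD FS configuration (steps 13 to 21) as PowerShell, an added example that is not part of the eBook. It differs from the Review Options page in one respect: the federation service runs as a Group Managed Service Account, the option the wizard itself offers, instead of ICT24H\Administrator, so a compromise of the AD FS host does not hand over a domain administrator. It assumes the federation service name sts.ict24h.info and the wildcard certificate from the guide; the gMSA name and display name are placeholders.

```powershell
# Added example (not from the eBook): configure the first AD FS server of a new farm
# from PowerShell, running the service as a Group Managed Service Account (gMSA)
# rather than as ICT24H\Administrator. Assumptions: sts.ict24h.info and the
# *.ict24h.info certificate from the guide; gMSA and display names are placeholders.

Import-Module ActiveDirectory   # RSAT AD PowerShell module must be installed on this host
$FederationServiceName = 'sts.ict24h.info'
$DisplayName           = 'ICT24H Federation Service'      # placeholder
$GmsaSam               = 'gmsa-adfs'                       # placeholder gMSA name
$AdfsHost              = 'ADFS01'                          # from the environment table

# 1. A gMSA needs a KDS root key. The wizard's hint backdates it by 10 hours so it
#    is usable at once; that is acceptable in a lab, but in production create the
#    key without the offset and wait for replication before creating the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# 2. Create the gMSA and allow only the AD FS host to retrieve its password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaSam'")) {
    New-ADServiceAccount -Name $GmsaSam -DNSHostName "$GmsaSam.ict24h.info" `
                         -PrincipalsAllowedToRetrieveManagedPassword "$AdfsHost$"
}

# 3. Pick the wildcard certificate imported earlier; stop if it lacks a private
#    key or expires within 30 days, since AD FS binds it to HTTPS.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=*.ict24h.info' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate with private key not found in LocalMachine\My' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires $($cert.NotAfter); renew first" }

# 4. Create the farm on the Windows Internal Database (the wizard's choice);
#    Install-AdfsFarm uses WID when no SQL connection string is supplied.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -FederationServiceDisplayName $DisplayName `
                 -GroupServiceAccountIdentifier "ICT24H\$GmsaSam$"

# 5. Verify: the farm answers to its name, and the service identity is the gMSA.
Get-AdfsProperties | Select-Object HostName, DisplayName
Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'" | Select-Object Name, StartName, State
```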
To securely connect AD FS services to Office 365, you need to deploy an AD FS proxy using Web
Application Proxy in Windows Server 2012 R2. Perform the following steps to install and configure
Web Application Proxy:
1. On WAP virtual machine, open Server Manager. Select Add Roles and Features.
2. In Before you begin page, Click Next.
3. In Select installation type page, select Role-based or feature-based installation. Click
Next.
4. In Select destination server page, select WAP virtual machine. Click Next.
5. In Select server roles page, select Remote Access. Click Next.
6. In Select role services page, select Web Application Proxy. Click Next.
After you have successfully installed Web Application Proxy (WAP), you need to connect the WAP service to the AD FS virtual machine. Perform the following steps to configure WAP:
5. In Confirmation page, review the configuration again and make sure the thumbprint of your certificate is valid. Click Configure.
6. In Result page, you will receive the message "Web Application Proxy was configured successfully". Click Close.
After successfully configuring Web Application Proxy, you need to publish it through AD FS virtual
machine. Perform the following steps:
1. Open Remote Access Management. Select Web Application Proxy. Select Publish from
General panel on the right hand.
2. In Welcome page, Click Next.
[Screenshot: Preauthentication page with Pass-through selected: No preauthentication is performed by Web Application Proxy. All requests are forwarded to the backend server.]
4. In Publishing Settings page, enter the name of the WAP application, the external URL, the certificate and the backend server URL. These are required before you can publish your service.
5. In Confirmation page, review the information of your Web Application Proxy setting. The following PowerShell command will be run when you click Publish. It can also be used to set up additional published applications; if you want to re-use the command, copy it before you click Publish. Click Publish.

Add-WebApplicationProxyApplication `
    -BackendServerUrl 'https://sts.ict24h.info/' `
    -ExternalCertificateThumbprint '1F9FE135FBBD4A9B4521B5318624F53327B090B3' `
    -ExternalUrl 'https://sts.ict24h.info/' `
    -Name 'ADFS' `
    -ExternalPreAuthentication PassThrough
6. To verify whether you have successfully published WAP, open the URL https://sts.ict24h.info/adfs/ls/idpinitiatedsignon on a computer that has an Internet connection.
7. Try signing in with an account in your Active Directory and see how it goes.
If you have completed the steps above without any error, when you open an Office 365 site you will be redirected to the federation URL for the federation trust.
Now you have successfully enabled SSO in the hybrid deployment. Every time you open a site in Office 365 and enter a federated account, Office 365 recognizes that there is a trusted party and redirects you to the published AD FS for authentication.
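The federation trust that makes Office 365 recognize the trusted party, as an added example that is not part of the eBook: it uses the Windows Azure Active Directory Module for Windows PowerShell installed in the SSO steps to convert the domain to federated, compares what Azure AD holds with what the farm publishes, and checks the two endpoints exposed through WAP. It assumes the domain ict24h.info and the federation service sts.ict24h.info from the guide; the AD FS host name ADFS01.ict24h.info is inferred from the server table.

```powershell
# Added example (not from the eBook): federate ict24h.info with the on-premises AD FS
# farm and verify the published endpoints. Assumptions: ict24h.info, sts.ict24h.info
# and ADFS01 from the guide; run step 2 from the AD FS server or a host with the
# AD FS PowerShell module, and step 4 from an Internet-connected machine.

Import-Module MSOnline
$Domain   = 'ict24h.info'
$AdfsHost = 'ADFS01.ict24h.info'
$StsUrl   = 'https://sts.ict24h.info'

# 1. Sign in with a global administrator (prompts; do not store credentials in the script).
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')

# 2. Point the module at the AD FS server and convert the verified domain from
#    managed to federated. This uploads the farm's token-signing certificate and
#    endpoints to Azure AD; from then on sign-ins for @ict24h.info go to AD FS.
Set-MsolADFSContext -Computer $AdfsHost
if ((Get-MsolDomain -DomainName $Domain).Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $Domain
}

# 3. Compare the trust as stored in Azure AD with what AD FS publishes. A mismatch
#    (typically after a token-signing certificate rollover) breaks every sign-in,
#    so this is the first thing to check when federated users cannot log in.
Get-MsolFederationProperty -DomainName $Domain |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate

# 4. From outside, confirm WAP exposes the metadata and sign-on endpoints and that
#    the metadata belongs to this farm (its entityID is the farm's identifier).
function Test-FederationEndpoints {
    param([string]$Sts)
    $meta     = Invoke-WebRequest -Uri "$Sts/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing
    $entityId = ([xml]$meta.Content).EntityDescriptor.entityID
    $signon   = Invoke-WebRequest -Uri "$Sts/adfs/ls/idpinitiatedsignon" -UseBasicParsing
    [pscustomobject]@{
        MetadataStatus = $meta.StatusCode
        EntityId       = $entityId
        SignOnStatus   = $signon.StatusCode
    }
}
Test-FederationEndpoints -Sts $StsUrl
```

Both status codes should be 200 and EntityId should match the FederationServiceIdentifier shown in step 3.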
1. Log into Exchange admin center. Select mail flow > send connectors. Select the plus icon.
2. In the Send Connector window, name your connector and select Custom (For example, to send mail to other non-Exchange servers). Click Next.
4. In Address Space window, select SMTP under Type and allow all emails to be sent through this connector by entering * under FQDN and 1 under Cost. Click Save.
5. In Select a Server window, select the server that is responsible for sending email. Select the add button to add the server. Click OK.
We already purchased a wildcard certificate and imported it onto the Exchange Server virtual machine. Now you need to open Exchange admin center to verify that certificate. Perform the following steps:
4. You are asked to overwrite the existing default SMTP certificate. Click Yes.
Now your certificate is successfully configured. Next you need to publish the Exchange service over the Internet through the Web Application Proxy you configured in Lab 1.3.
1. Log into your Internet domain control panel and create an A record mail.ict24h.info pointing to the WAP01 virtual machine's public IP address.
[Screenshot: GoDaddy DNS manager for the zone ICT24H.INFO, Add Zone Record: type MX (Mail Exchanger), Host @, Points to mail.ict24h.info, Priority 20.]
4. Open Exchange admin center. Select servers > virtual directories. The external URL is blank. Click the edit icon and add the external URL for the EX01 virtual machine, which is the Exchange Server you prepared at the beginning. Click OK.
6. Repeat from step 4 - 5 for other virtual directories in your Exchange Server.
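Exchange Management Shell equivalents of the send connector, certificate and virtual directory steps above, followed by a check of the DNS records created at the registrar, as an added example that is not part of the eBook. It runs on EX01 and assumes mail.ict24h.info and the *.ict24h.info certificate from the guide; the connector name and the public resolver used for the DNS check are assumptions.

```powershell
# Added example (not from the eBook): Exchange Management Shell form of the certificate,
# send connector and virtual directory steps, plus a DNS check. Run on EX01.
# Assumptions: mail.ict24h.info and *.ict24h.info from the guide; the connector
# name and the public resolver 8.8.8.8 are placeholders.

$Server       = 'EX01'
$ExternalHost = 'mail.ict24h.info'
$Zone         = 'ict24h.info'

# 1. Bind the wildcard certificate to SMTP and IIS. -Force answers the "overwrite
#    the existing default SMTP certificate" prompt the admin center shows.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Subject -eq 'CN=*.ict24h.info' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Wildcard certificate with private key not found on $Server" }
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services 'SMTP, IIS' -Force

# 2. Custom send connector for every address space (* at cost 1) sourced from EX01,
#    as the Send Connector wizard creates it. Opportunistic TLS is on by default;
#    do not set -RequireTLS on a wildcard connector or mail to servers without TLS fails.
if (-not (Get-SendConnector | Where-Object Name -eq 'Internet (ICT24H)')) {
    New-SendConnector -Name 'Internet (ICT24H)' -Usage Custom -AddressSpaces 'SMTP:*;1' `
                      -SourceTransportServers $Server -DNSRoutingEnabled $true | Out-Null
}

# 3. External URLs for the virtual directories that WAP will publish.
$base = "https://$ExternalHost"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -ExternalUrl "$base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -ExternalUrl "$base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -ExternalUrl "$base/OAB"

# 4. Verify that every directory now carries an external URL on the wildcard host.
$dirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
        @(Get-WebServicesVirtualDirectory -Server $Server) + @(Get-ActiveSyncVirtualDirectory -Server $Server) +
        @(Get-OabVirtualDirectory -Server $Server)
$dirs | Select-Object Name, ExternalUrl
$missing = $dirs | Where-Object { -not $_.ExternalUrl -or $_.ExternalUrl.Host -ne $ExternalHost }
if ($missing) { Write-Warning "External URL missing or wrong on: $($missing.Name -join ', ')" }

# 5. Confirm the public DNS records from outside the LAN (a public resolver avoids
#    being fooled by an internal split-brain zone): A for the host, MX for the zone.
Resolve-DnsName -Name $ExternalHost -Type A  -Server 8.8.8.8 | Select-Object Name, IPAddress
Resolve-DnsName -Name $Zone        -Type MX -Server 8.8.8.8 | Select-Object Name, NameExchange, Preference
```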
You need to configure Web Application Proxy to publish Exchange service over the Internet. Perform
the following steps:
[Screenshot: Preauthentication page (connected to AD FS sts.ict24h.info) with two options. Active Directory Federation Services (AD FS): all unauthenticated client requests are redirected to the federation server; after successful authentication by AD FS, client requests are forwarded to the backend server, and Web Application Proxy can also provide credentials to backend servers configured to use Integrated Windows authentication. Pass-through (selected here): no preauthentication is performed by Web Application Proxy; all requests are forwarded to the backend server.]
4. In the Publishing Settings page, enter a name for the new published application for your Exchange service, including the external URL and the backend server URL. Make sure the wildcard SSL certificate is chosen, because it is used over the Internet. Click Next.
5. In the Results page, you will receive the message "Web application published successfully". Select Close.
6. Repeat steps 1 to 5 for the other services.
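The same publishing, for all Exchange services at once, can be scripted on WAP01. The following is an added example and not the eBook's code: it uses the Web Application Proxy cmdlets with the settings the wizard applies (pass-through preauthentication and the wildcard certificate). EX01's internal FQDN and the autodiscover host name are assumptions; the script also assumes the wildcard certificate is already in the local machine store.

```powershell
# Added example (not from the eBook): publish the Exchange services through
# Web Application Proxy with pass-through preauthentication. Run on WAP01.
$ExternalHost = 'mail.ict24h.info'
$BackendHost  = 'ex01.ict24h.info'   # assumption: EX01's internal FQDN

# Find the wildcard certificate by subject instead of pasting a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate for *.ict24h.info not found in LocalMachine\My.' }

# One application per service path. For pass-through publishing the external
# and backend paths must be identical.
$services = @(
    @{ Name = 'Exchange OWA';          ExtHost = $ExternalHost; Path = '/owa/' }
    @{ Name = 'Exchange ECP';          ExtHost = $ExternalHost; Path = '/ecp/' }
    @{ Name = 'Exchange ActiveSync';   ExtHost = $ExternalHost; Path = '/Microsoft-Server-ActiveSync/' }
    @{ Name = 'Exchange EWS';          ExtHost = $ExternalHost; Path = '/EWS/' }
    @{ Name = 'Exchange OAB';          ExtHost = $ExternalHost; Path = '/OAB/' }
    @{ Name = 'Exchange MAPI';         ExtHost = $ExternalHost; Path = '/mapi/' }
    @{ Name = 'Exchange RPC';          ExtHost = $ExternalHost; Path = '/rpc/' }
    # assumption: autodiscover.ict24h.info also has a public A record pointing at WAP01
    @{ Name = 'Exchange Autodiscover'; ExtHost = 'autodiscover.ict24h.info'; Path = '/autodiscover/' }
)

foreach ($s in $services) {
    if (Get-WebApplicationProxyApplication -Name $s.Name -ErrorAction SilentlyContinue) {
        Write-Host "Skipping '$($s.Name)': already published."
        continue
    }
    Add-WebApplicationProxyApplication -Name $s.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$($s.ExtHost)$($s.Path)" `
        -BackendServerUrl "https://$BackendHost$($s.Path)" `
        -ExternalCertificateThumbprint $cert.Thumbprint
    Write-Host "Published '$($s.Name)' -> https://$BackendHost$($s.Path)"
}

# Review: every row should show PassThrough and the same external host names.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication, ExternalCertificateThumbprint
```

Pass-through means WAP does not authenticate anyone; Exchange itself still does, which is why the next section verifies the published endpoints from outside.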
Now the publishing configuration is done. To verify the connection, Microsoft provides a tool named Microsoft Remote Connectivity Analyzer at http://testconnectivity.microsoft.com. On the website, select Exchange Server, select Exchange ActiveSync Autodiscover, and click Next on the right-hand side.
Fill in all the information the tool asks for and select Perform Test. If the result is green, your Exchange Server is publicly reachable over the Internet.
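Before using the Remote Connectivity Analyzer, a quick local pre-check saves a round trip. The script below is an added example (not from the eBook) to run from a machine outside the lab network: for each published name it checks that TCP 443 is open, that the certificate presented is trusted and issued for that name, and what HTTP status the service path returns. The autodiscover host name is an assumption.

```powershell
# Added example (not from the eBook): pre-check of the published Exchange
# endpoints from the Internet side. Host names are the lab's; the autodiscover
# name is an assumption.
$Endpoints = @(
    @{ Host = 'mail.ict24h.info';         Path = '/owa/' }
    @{ Host = 'mail.ict24h.info';         Path = '/Microsoft-Server-ActiveSync/' }
    @{ Host = 'autodiscover.ict24h.info'; Path = '/autodiscover/autodiscover.xml' }
)

function Test-PublishedEndpoint {
    param([string]$HostName, [string]$Path)
    $result = [ordered]@{
        Host = $HostName; Path = $Path; Tcp443 = $false
        CertOk = $false; CertSubject = $null; CertExpires = $null; Http = $null
    }

    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443 = $tcp.TcpTestSucceeded
    if (-not $result.Tcp443) { return [pscustomobject]$result }

    # Full TLS handshake with the default chain validation: a self-signed or
    # wrong-name certificate fails here exactly as it would for external clients.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertOk      = $ssl.IsAuthenticated
        $result.CertSubject = $remote.Subject
        $result.CertExpires = $remote.NotAfter
        $ssl.Dispose()
    } catch {
        $result.CertSubject = "ERROR: $($_.Exception.Message)"
    } finally { $client.Close() }

    # Exchange answers 401 to an unauthenticated request; that is the expected
    # "alive" signal for ActiveSync and Autodiscover. OWA redirects to its logon
    # page and returns 200. A 404 or 502 means the path is not published.
    try {
        $resp = Invoke-WebRequest -Uri "https://$HostName$Path" -UseBasicParsing
        $result.Http = [int]$resp.StatusCode
    } catch {
        $errResp = $_.Exception.Response
        $result.Http = if ($errResp) { [int]$errResp.StatusCode } else { $_.Exception.Message }
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-PublishedEndpoint -HostName $_.Host -Path $_.Path } | Format-Table -AutoSize
```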
9. The wizard can automatically detect the Exchange Server virtual machine that holds the CAS role; in this case it is the EX01 virtual machine. If you have more than one virtual machine, select Specify a server running Exchange 2013 CAS or Exchange 2016. Click next.
[Screenshot: On-premises Exchange Server Organization: Detect a server running Exchange 2013 CAS or Exchange 2016 (selected). Detected server EX01, domain ict24h.info, Version 15.0 (Build 1130.7), Standard Evaluation Edition, roles Mailbox, ClientAccess.]
10. In the Credentials page, the Office 365 Hybrid wizard asks you to provide the domain administrator account and the Office 365 administrator account. Click next.
[Screenshot: Credentials page. "Exchange hybrid setup needs both on-premises and Office 365 account credentials before it can continue. Both accounts must be members of the Organization Management role group." On-premises account ICT24H\administrator; Office 365 user ID admin@ict24happs.onmicrosoft.com.]
11. The wizard validates the credentials and the connection. Click next.
12. In the Hybrid Configuration page, select Configure my Client Access and Mailbox servers for secure mail transport (typical). If you want centralized mail transport, select the Enable centralized mail transport option; Microsoft explains this feature on that page. Click next.
13. In the Receive Connector Configuration page, select your Exchange virtual machine to host the Receive connector. Click next.
[Screenshot: "Choose one or more on-premises Exchange Servers to host receive connectors for secure mail transport with Exchange Online. If you are using Exchange 2013 these servers must have the Client Access Server role." Listed server: EX01, domain ict24h.info, Version 15.0 (Build 1130.7), Standard Evaluation Edition, roles Mailbox, ClientAccess.]
14. In the Send Connector Configuration page, select your Exchange virtual machine to host the Send connector. Click next.
15. In the Organization FQDN page, select the FQDN of your on-premises Exchange virtual machine to configure the outbound mail connector that routes email from Exchange Online to the on-premises organization.
[Screenshot: Organization FQDN page. "Enter a fully qualified domain name (DomainFqdn) for your on-premises organization. This will configure the outbound mail connector to route mail from the Exchange Online Protection (EOP) service to your on-premises organization." Example: mail.contoso.com; value entered: mail.ict24h.info.]
[Screenshot: Configuring... "Click 'stop' to cancel the operation. Stopping the operation won't undo the changes already applied."]
Now the configuration is done. To verify whether your configuration is successful, perform the following steps:
2. Select mail flow. Select accepted domains to verify the newly added domain; in our case it is ict24happs.mail.onmicrosoft.com.
3. Select recipients. Select mailboxes and open any mailbox; you will see the new SMTP address from Exchange Online.
4. Select mail flow. Select send connectors. There is a new Send connector named Outbound to Office 365, which was added automatically after your hybrid configuration succeeded.
5. If you edit this new Send connector, you will see both addresses: your on-premises Exchange and Exchange Online.
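The same verification (steps 2 to 5) can be run as a script in the on-premises Exchange Management Shell, which is also useful to re-run after later changes. This is an added example, not the eBook's code; the domain and connector names are the ones shown above.

```powershell
# Added example (not from the eBook): verify the objects the Hybrid Configuration
# Wizard created on-premises. Run in the Exchange Management Shell on EX01.
$HybridDomain  = 'ict24happs.mail.onmicrosoft.com'
$SendConnector = 'Outbound to Office 365'
$problems = @()

# Step 2: the coexistence domain must be an accepted domain on-premises.
$accepted = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $HybridDomain }
if (-not $accepted) { $problems += "Accepted domain $HybridDomain is missing." }

# Step 3: every mailbox should carry the Exchange Online proxy address; a mailbox
# without it cannot be moved with a remote move migration.
$missing = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not ($_.EmailAddresses | Where-Object { $_.ProxyAddressString -like "smtp:*@$HybridDomain" })
}
foreach ($m in $missing) {
    $problems += "Mailbox $($m.Alias) has no @$HybridDomain address (check the e-mail address policy)."
}

# Steps 4-5: the send connector must exist, cover the tenant domain and require
# TLS with domain validation so mail to Exchange Online cannot be downgraded.
$sc = Get-SendConnector -Identity $SendConnector -ErrorAction SilentlyContinue
if (-not $sc) {
    $problems += "Send connector '$SendConnector' not found."
} else {
    if ($sc.AddressSpaces.Address -notcontains $HybridDomain) { $problems += "Send connector does not cover $HybridDomain." }
    if (-not $sc.RequireTLS) { $problems += "Send connector '$SendConnector' does not require TLS." }
    if ($sc.TlsAuthLevel -ne 'DomainValidation') {
        $problems += "Send connector TLS auth level is '$($sc.TlsAuthLevel)', expected DomainValidation."
    }
    Write-Host "Send connector smart hosts / TLS domain: $($sc.SmartHosts -join ', ') / $($sc.TlsDomain)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Hybrid mail flow configuration looks consistent.' }
```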
6. Next, you can test by migrating a mailbox from your on-premises Exchange to Office 365. From the Exchange admin center, select Office 365 from the top bar.
7. Select recipients. Select migration. Click the plus icon to add a new migration.
8. There are two migration options: migration from your on-premises organization to Office 365, and vice versa. Select the first option.
[Screenshot: Exchange admin center > recipients > migration. Menu options: Migrate to Exchange Online, Migrate from Exchange Online. "There are no items to show in this view."]
9. From the window, select Remote move migration (supported by Exchange Server 2010 and later versions) for the experiment. Click Next.
[Screenshot: migration type selection. Remote move migration (supported by Exchange Server 2010 and later versions), selected; Staged migration (supported by Exchange Server 2003 and Exchange Server 2007 only); Cutover migration (supported by Exchange Server 2003 and later versions); IMAP migration (supported by Exchange and other email systems). Side note for remote move: if you want to migrate all mailboxes to Exchange Online over a long period of time, this migration type lets you use hybrid deployment features during migration.]
10. Select the on-premises account you want to migrate. Click Next.
11. Enter the username and password of the administrator account. Click Next.
12. Enter the FQDN of your on-premises Exchange virtual machine on which the Mailbox Replication Service (MRS) Proxy is enabled.
13. From the window, name your migration batch and select the Exchange Online address under Target delivery domain. Select the Move the primary mailbox and the archive mailbox if one exists option and enter the bad item limit you want.
[Screenshot: Archive: Move the primary mailbox and the archive mailbox if one exists; Bad item limit: 10; Large item limit: (blank).]
14. Select the recipient who receives the report after the batch completes. Select Automatically start the batch and Automatically complete the migration batch, depending on your expectations.
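Steps 7 to 14 correspond to a migration endpoint and a migration batch in Exchange Online PowerShell. The script below is an added example and not the eBook's code: it creates the endpoint against the MRS Proxy host, submits a remote move batch with the same options as the wizard (both mailbox and archive, bad item limit 10, auto start and auto complete), and polls until the batch finishes. It assumes an existing Exchange Online PowerShell session; the user in the CSV is a constructed sample.

```powershell
# Added example (not from the eBook): remote move migration batch from
# Exchange Online PowerShell. Assumes you are already connected to Exchange Online.
$OnPremCred   = Get-Credential -Message 'On-premises administrator (ICT24H\administrator)'
$MrsProxyHost = 'mail.ict24h.info'                   # FQDN on which the MRS Proxy is enabled
$TargetDomain = 'ict24happs.mail.onmicrosoft.com'    # target delivery domain
$BatchName    = 'Migrate LamCT to O365'
$ReportTo     = 'admin@ict24happs.onmicrosoft.com'

# Constructed sample: the batch CSV has a single EmailAddress column.
$csv = @"
EmailAddress
lamct@ict24h.info
"@
$csvBytes = [System.Text.Encoding]::UTF8.GetBytes($csv)

# Reuse the endpoint if an earlier run created it; creating it also proves that
# the MRS Proxy answers through WAP and that the on-premises credentials work.
$endpoint = Get-MigrationEndpoint -Identity 'OnPrem-MRS' -ErrorAction SilentlyContinue
if (-not $endpoint) {
    $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-MRS' `
        -RemoteServer $MrsProxyHost -Credentials $OnPremCred
}

# Without -PrimaryOnly or -ArchiveOnly both the primary and the archive mailbox
# are moved, matching the option chosen in step 13.
$batch = New-MigrationBatch -Name $BatchName -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain $TargetDomain -CSVData $csvBytes `
    -BadItemLimit 10 -NotificationEmails $ReportTo `
    -AutoStart -AutoComplete

# Poll until the batch reaches a final state; per-mailbox errors are on the users.
do {
    Start-Sleep -Seconds 60
    $batch = Get-MigrationBatch -Identity $BatchName
    Write-Host ("{0}: {1} ({2} synced, {3} failed)" -f (Get-Date -Format T), $batch.Status, $batch.SyncedCount, $batch.FailedCount)
} while ($batch.Status -notin 'Completed', 'Failed', 'Stopped', 'CompletedWithErrors')

Get-MigrationUser -BatchId $BatchName | Select-Object Identity, Status, ErrorSummary
```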
[Screenshot: Exchange admin center > recipients > migration: batch "Migrate LamCT to O365", status Completed, total 1.]
Now you have completed the migration test to verify the hybrid configuration. As seen, when hybrid is successfully configured you can work with both on-premises Exchange and Exchange Online in the same experience.
Before the hybrid deployment, you need to install the features and roles required for Skype for Business 2015, including its prerequisites. Perform the following steps:
1. Log into the virtual machine on which you are going to deploy Skype for Business 2015.
2. Open PowerShell to install the features and roles required for the Skype for Business 2015 deployment.
[Screenshot: PowerShell prompt PS C:\Users\administrator.ICT24H> running the feature installation command.]
3. Now create a file share, because Skype for Business 2015 requires one to exchange files among servers.
4. Grant Full Control, Change and Read permissions on this file share to the domain administrator account.
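Steps 2 to 4 as one elevated PowerShell script, added here as an example that is not part of the eBook. The feature list is the Front End prerequisite set for Skype for Business Server 2015 on Windows Server 2012 R2; the share name, path and the decision to grant the share only to the domain administrator account (rather than Everyone) are assumptions.

```powershell
# Added example (not from the eBook): Windows features and file share for the
# Skype for Business Server 2015 Front End, run as administrator on the SFB VM.
$ShareName    = 'SfBShare'             # assumption
$SharePath    = 'D:\SfBShare'          # assumption
$AdminAccount = 'ICT24H\administrator'

# Front End prerequisite features (Windows Server 2012 R2).
$features = @(
    'RSAT-ADDS', 'Web-Server', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors',
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Http-Logging',
    'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing', 'Web-Basic-Auth',
    'Web-Windows-Auth', 'Web-Client-Auth', 'Web-Filtering', 'Web-Stat-Compression',
    'Web-Dyn-Compression', 'NET-WCF-HTTP-Activation45', 'Web-Asp-Net45', 'Web-Mgmt-Tools',
    'Web-Scripting-Tools', 'Web-Mgmt-Compat', 'Windows-Identity-Foundation',
    'Desktop-Experience', 'Telnet-Client', 'BITS'
)
$install = Install-WindowsFeature -Name $features
Write-Host "Features installed: $($install.Success); reboot needed: $($install.RestartNeeded)"

# Report anything still missing instead of assuming success.
Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Feature not installed: $($_.Name)" }

# File share. NTFS permission first, then the SMB share permission; the share is
# scoped to the administrator account, not to Everyone, since servers exchange
# configuration and meeting content through it.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
$acl  = Get-Acl $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdminAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Full share access covers the Full Control, Change and Read rights of step 4.
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $AdminAccount | Out-Null
}
Get-SmbShareAccess -Name $ShareName
```

Topology Builder later asks for this share as \\sfb.ict24h.info\SfBShare (step 16 of the topology definition) and grants the RTC groups it creates their own permissions on it.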
5. Open the DVD on which the Skype for Business Server 2015 installation source is stored. Run setup.exe or use autorun.
6. From the Skype for Business Server 2015 installation window, select Don't check for updates right now. Specify the installation location, then click Install.
7. In the License Agreement page, read the licensing agreement carefully. Select I accept the terms in the license agreement. Click OK.
You have successfully installed the administrative tools for the Skype for Business Server 2015 deployment. Now you need to prepare Active Directory with the help of the Deployment Wizard. Perform the following steps:
In this lab, we are going to install and configure Skype for Business Server 2015 in an on-premises environment. The lab topology consists of two virtual machines: a Front End pool and an Edge Server. Before the lab, create internal DNS records as follows:
[Screenshot: DNS Manager, internal zone ict24h.info, host (A) records: WAC 192.168.1.11, ADFS01 192.168.1.12, sts 192.168.1.12 (static).]
Perform the following steps to install the Front End pool server on the SFB virtual machine (sfb.ict24h.info):
1. Open the DVD source. Navigate to the amd64 folder (under the Setup folder) and install SQL Server Express Edition (SQLEXPR_x64).
2. Install SQL Express with the instance name RTC. After the installation completes, go to SQL Server Configuration Manager and enable the TCP/IP protocol so that your SQL Express instance can communicate over TCP/IP.
3. Also verify the default port 1433 and make sure the SQL Server Browser service is running with the Automatic startup type.
4. Now you need to design and publish the topology for your Skype for Business Server 2015. This is done with the Skype for Business Server Topology Builder tool you installed in Lab 3.1. Run Topology Builder and select New Topology. Click OK.
5. Specify the location in which to store the topology configuration file, and name your topology.
6. In the Define the primary domain page, enter your primary SIP domain. Click Next.
7. In Specify additional supported domains page, if you have no additional SIP domain,
leave it blank and select Next.
8. In Define the first site page, enter your site name. Select Next.
9. In Specify site details page, provide more information about your new site. Select Next.
10. In New topology was successfully defined page, select Open the New Front End
Wizard when this wizard closes in order to start defining the Front End Pool server. Click
Finish.
11. In Define the New Front End pool page, click Next.
12. In the Define the Front End pool FQDN page, enter the FQDN of your SFB virtual machine. Select Standard Edition Server. Click Next.
13. In the Select features page, select Conferencing (includes audio, video, and application sharing). Select Call Admission Control. We select these for lab testing purposes only. Click Next.
14. In the Select collocated server roles and Associate server roles with this Front End pool pages, you can assign additional roles to the Front End pool you are configuring.
15. In the Define the SQL Server store page, select the SQL Express instance you configured. Click Next.
16. In the Define the file store page, enter the file server FQDN and the file share. Click Next.
17. In the Specify the Web Services URL page, enter the external base URL. Click Next.
18. In the Select an Office Web App Server page, if you have a server hosting Office Web Apps, select it; otherwise leave it blank. Click Finish.
19. Once you are done, the Topology Builder window shows an active status (green icon).
20. Right-click Skype for Business Server 2015. Select Topology > Publish.
22. In the Select Central Management Server page, select the Front End pool server you just configured.
23. In the Publishing wizard complete page, you may need to click to open the to-do list. Otherwise, click Finish.
You have completed the tasks of defining the Front End pool server and publishing the topology. Perform the following steps to install Skype for Business Server 2015:
1. On the SFB virtual machine, run the Skype for Business Server 2015 Deployment Wizard. Click Install or Update Skype for Business Server System.
2. In Install or update member system page, click Run from Step 1: Install Local
Configuration Store.
3. In Configure Local Replica of Central Management Store page, select Retrieve directly
from the Central Management store (requires read access to the Central Management
store). Click Next.
4. In the Executing Commands page, wait until the process is complete. Click Finish.
5. Now you need to install the Skype for Business Server components. Click Run from Step 2.
7. In Executing Commands page, wait until the process is complete. Click Finish.
9. From the Certificate Wizard window, select Import Certificate to import the certificate you purchased (in this case from Comodo).
10. Browse to your certificate, and enter password of the private key you set before. Click
Next.
11. In Import Certificate Summary page, review your configuration. Click Next.
| 93
Step-by-Step Guide to Office 365 Hybrid Deployment
12. In the Executing Commands page, wait until the process is complete. Click Finish.
13. Back in the Certificate Wizard window, click Assign to assign the certificate to the Front End pool server.
14. In Certificate Store page, you will see your wildcard certificate. Click Next.
15. In Certificate Assignment Summary page, review your certificate information again. Click
Next.
16. In the Executing Commands page, wait until the process is complete. Click Finish.
17. Repeat the certificate assignment steps for the other web services. Click Close.
18. Back in the Deployment Wizard window, step 4 guides you to run Start-CsWindowsService on every server. Open PowerShell and run it:
PS C:\Users\administrator.ICT24H> Start-CsWindowsService
20. Open Services.msc to verify that all Skype for Business Server services are running.
[Screenshot: Services (Local). The following services show Status Running, Startup Type Automatic (Delayed Start), Log On As Network Service: Skype for Business Server Application Sharing, Audio Test Service, Audio/Video Conferencing, Centralized Logging Agent Service, File Transfer Agent, Front-End, Health Agent, IM Conferencing, Master Replicator Agent, Replica Replicator Agent, Web Conferencing, XMPP Translating Gateway.]
21. Click Run from Enable Microsoft Update.
22. In Enable Microsoft Update page, select Use Microsoft Update when I check for
updates (recommended). Click OK.
23. Wait until the process is complete. You have completed the Front End Server installation.
Now you need to install and configure Edge Server. Perform the following steps:
1. Because the Edge server is not joined to the domain and is placed in the DMZ, you need to configure the primary DNS suffix for this server.
2. Configure the IP addresses for the two network interfaces on the Edge server.
[Screenshot: output of ipconfig on the Edge server (PS C:\Users\Administrator> ipconfig), Windows IP Configuration for both interfaces.]
3. Before installing the Edge server, you need .NET Framework 3.5. Go to Server Manager and install the feature.
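Steps 1 to 3 on the workgroup Edge server can be done from an elevated PowerShell. The script below is an added example and not the eBook's code. The Edge internal address 172.16.1.9 and the domain controller address 192.168.1.5 are the ones that appear in the eBook's TMG rules; the interface aliases, the external (DMZ) address, the gateways and the DVD drive letter are assumptions or placeholders.

```powershell
# Added example (not from the eBook): primary DNS suffix, dual-NIC addressing
# and .NET 3.5 on the non-domain-joined Edge server. Run as administrator.
$DnsSuffix   = 'ict24h.info'
$InternalNic = 'Internal'      # assumption: rename the two NICs to Internal/External first
$ExternalNic = 'External'
$InternalIp  = '172.16.1.9'    # Edge internal address used in the eBook's TMG rules
$ExternalIp  = '172.16.2.9'    # placeholder: DMZ-side address that TMG translates
$ExternalGw  = '172.16.2.1'    # placeholder: TMG's DMZ-facing interface
$LanPrefix   = '192.168.1.0/24'
$LanNextHop  = '172.16.1.1'    # placeholder: router between the Edge internal leg and the LAN
$InternalDns = '192.168.1.5'   # assumption: the domain controller (RDP to AD rule target)

# 1. Primary DNS suffix of a workgroup server (what sysdm.cpl writes). Needs a reboot.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $DnsSuffix
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $DnsSuffix

# 2. Static addressing. Only the external interface gets a default gateway; the
#    internal interface reaches the LAN through an explicit route, so there is
#    exactly one default route and no asymmetric path through the DMZ.
foreach ($nic in $InternalNic, $ExternalNic) {
    Remove-NetIPAddress -InterfaceAlias $nic -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
}
New-NetIPAddress -InterfaceAlias $InternalNic -IPAddress $InternalIp -PrefixLength 24 | Out-Null
New-NetIPAddress -InterfaceAlias $ExternalNic -IPAddress $ExternalIp -PrefixLength 24 -DefaultGateway $ExternalGw | Out-Null
New-NetRoute -InterfaceAlias $InternalNic -DestinationPrefix $LanPrefix -NextHop $LanNextHop -ErrorAction SilentlyContinue | Out-Null

# DNS only on the internal interface; the Edge is not domain-joined and uses the
# DC purely as a resolver for the Front End and the internal SIP records.
Set-DnsClientServerAddress -InterfaceAlias $InternalNic -ServerAddresses $InternalDns
Set-DnsClientServerAddress -InterfaceAlias $ExternalNic -ResetServerAddresses

# 3. .NET Framework 3.5 from the installation media (assumed on D:).
Install-WindowsFeature -Name NET-Framework-Core -Source 'D:\sources\sxs' | Out-Null

# Verify: two addresses, one default route.
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -in $InternalNic, $ExternalNic } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop
```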
4. Import the wildcard certificate from the Front End server to the Edge server. You can refer to the steps in Lab 1.1.
5. On the Front End server (sfb.ict24h.info), run Topology Builder. Right-click Edge pools and select New Edge Pool.
7. Enter the FQDN of the Edge server (in our case edge.ict24h.info) whose IP addresses you just configured. Select This pool has one server. Click Next.
9. In Select features page, select Use a single FQDN and IP address. Click Next.
10. In the Select IP options page, enable IPv4 for both the internal and external interfaces. Select The external IP address of this Edge pool is translated by NAT. Click Next.
11. In the External FQDNs page, enter the FQDN of your Edge server and the correct ports. Click Next.
12. In Define the internal IP address page, enter the internal IP address of your Edge
server. Click Next.
13. In Define the external IP address page, enter external IP address of your Edge server. Click
Next.
14. In Define the public IP address page, enter the public IP address of your Edge server. Click
Next.
15. In Define the next hop server page, select Front End Pool. Click Next.
16. In Associate Front End or Mediation pools page, select your Front End pool to
associate with your Edge pool. Click Finish.
18. Right-click the site name (ICT24h). Select Edit properties. Configure all settings as in the screenshot below. Click OK.
20. Export the configuration into a zip file by running the following command in PowerShell:
21. Copy the edge.zip file to the Edge server and start installing Skype for Business Server 2015 on that server.
22. Open the DVD source and run Setup.exe. Select Connect to the internet to check for updates. Click Install.
23. In Licensing Agreement page, read license terms carefully. Select I accept the terms in the
24. From Deployment Wizard on Edge server, select Install or Update Skype for Business
Server System. Click OK.
26. Select Import from a file (recommended for Edge Servers) and browse to the edge.zip file you exported before. Click Next.
27. In the Executing Commands page, wait until the process is complete. Click Finish.
29. In Set Up Skype for Business Server Component page, click Next.
30. In Executing Commands page, wait until the process is complete. Click Finish.
[Screenshot: Deployment Wizard > Deploy > Install or update. Prerequisites: local administrator rights; domain user credentials with read access to Active Directory users and groups in the current domain. The certificate step reads: "This step starts the Certificate Wizard. Create certificate request for local system. Install, and assign certificates for this system based on the topology definition."]
34. In Certificate Store page, select your wildcard certificate. Click Next.
35. In Certificate Assignment Summary page, review your certificate information. Click
Next.
36. In Executing Commands page, wait until the process is complete. Click Finish.
37. In Certificate Wizard page, select other web services to assign certificate. Click
Assign.
39. In Certificate Store page, select your wildcard certificate. Click Next.
40. In Certificate Assignment Summary page, review your certificate information. Click
Next.
41. In Executing Commands page, wait until the process is complete. Review status in
Certificate Wizard windows again. Click Close.
42. Now open PowerShell, run the Start-CsWindowsService command, and verify all running services in Services.msc.
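Starting the services and checking them, as asked for here and in steps 18 to 20 of the Front End installation, is easier to script than to eyeball in Services.msc. The following is an added example (not the eBook's code) for the Skype for Business Server Management Shell on either server; Get-CsWindowsService lists only the Skype for Business services of the local machine, which is narrower and more useful than the full Services list.

```powershell
# Added example (not from the eBook): start and verify the Skype for Business
# services on the local server. Run in the Skype for Business Server Management Shell.
Start-CsWindowsService -Report "$env:TEMP\Start-CsWindowsService.html"

$services   = Get-CsWindowsService
$notRunning = $services | Where-Object { $_.Status -ne 'Running' }

$services | Select-Object Name, Status, ActivityLevel | Format-Table -AutoSize

if ($notRunning) {
    foreach ($svc in $notRunning) {
        Write-Warning "$($svc.Name) is $($svc.Status)"
        # Start-CsWindowsService does not start a service that is Disabled in
        # Windows; show the startup mode so that case is obvious.
        $win = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        if ($win) { Write-Warning "  startup mode: $($win.StartMode)" }
    }
} else {
    Write-Host "All $($services.Count) Skype for Business services are running."
}

# Replication from the Central Management Store must also be current before
# continuing: UpToDate should be True for this server's replica.
Get-CsManagementStoreReplicationStatus | Select-Object ReplicaFqdn, UpToDate, LastStatusReport
```

On the Edge server the replica status is the first thing to look at when a service refuses to start, since the Edge only ever sees the topology through that replicated copy.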
43. From Deployment Wizard, run Windows Update to check all updates available for Skype for
Business Server 2015.
You have successfully set up and configured Skype for Business Server 2015 on your Edge server.
Lab 3.3 - Configure Hybrid Mode for Skype for Business Server 2015
Before this lab, make sure you completed Active Directory Federation Services installation and
configuration in Lab 1.3. Perform the following steps to configure Hybrid mode:
1. On the Front End server (sfb.ict24h.info), run PowerShell as administrator and run the following commands. When asked for your Office 365 credentials, enter the administrator account.
PS C:\Users\administrator.ICT24H> $cred = Get-Credential
PS C:\Users\administrator.ICT24H> $CSSession = New-CsOnlineSession -Credential $cred
PS C:\Users\administrator.ICT24H> Import-PSSession $CSSession -AllowClobber
PS C:\Users\Administrator> Set-CsHostingProvider -Identity "Skype For Business Online" -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -AutodiscoverUrl https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root
PS C:\Users\Administrator> Get-CsHostingProvider
[Screenshot: Get-CsHostingProvider output: Identity Skype For Business Online, Name Skype For Business Online, ProxyFqdn sipfed.online.lync.com, VerificationLevel UseSourceVerification, Enabled, EnabledSharedAddressSpace, HostsOCSUsers, IsLocal, AutodiscoverUrl https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root.]
3. Open the Skype for Business Control Panel and log into Office 365 with the administrator account.
4. Click Set up hybrid with Skype for Business Online.
[Screenshot: Skype for Business Server Control Panel (version 6.0.9319.0), Home page. Left navigation: Home, Users, Topology, IM and Presence, Persistent Chat, Voice Routing, Voice Features, Response Groups, Conferencing, Clients, Federation and External Access, Monitoring and Archiving, Security, Network Configuration. Under Connection to Skype for Business Online: "You are signed on to Office 365 as: admin@ict24happs.onmicrosoft.com", Sign-in to Office 365 using a different account, Set up hybrid with Skype for Business Online, Check recommendations from Office 365.]
5. In the Set up Hybrid with Skype for Business Online window, click Next.
6. The tool checks whether your on-premises configuration is correctly set up with the federation service. Make sure all the required configuration items are verified.
7. Test by moving one user from on-premises Skype for Business to Office 365. Select Users from the left navigation. Choose one user and select Action > Move selected users to Skype for Business Online.
8. Read Microsoft's guidance carefully. Make sure the user you want to move has a Skype for Business Online license assigned. Click Next.
Before you move the selected users to Skype for Business Online, you should make sure that:
• Each user is assigned a license for Office 365. A license is required to sign in to Office 365 and use services such as Skype for Business Online.
• You are familiar with the differences between the features supported in Skype for Business Server and Skype for Business Online. The user experience may be different for some users depending on how they use Skype for Business. For more information, see Compare Skype for Business Options.
9. You will see the status in the window. Click Close.
10. Verify the status in the Skype for Business Server Control Panel.
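The hosting provider check from step 1 and the user move from steps 7 to 10 can also be done in the Skype for Business Server Management Shell, which makes the result verifiable rather than visual. The script below is an added example and not the eBook's code. The provider name and ProxyFqdn are the ones shown in the Get-CsHostingProvider output above; the SIP address is a constructed sample, and the hosted migration URL is a placeholder whose host you take from your tenant's Skype for Business admin center URL.

```powershell
# Added example (not from the eBook): verify the hosting provider, then move one
# user to Skype for Business Online and confirm where the user is homed.
$ProviderName       = 'Skype For Business Online'
$UserSip            = 'sip:lamct@ict24h.info'   # constructed sample user
$HostedMigrationUrl = 'https://admin0f.online.lync.com/HostedMigration/hostedmigrationService.svc'  # placeholder host

# 1. The provider must be enabled, share the SIP address space and host OCS
#    users, and must point at the federation edge of Skype for Business Online.
$hp = Get-CsHostingProvider -Identity $ProviderName
$checks = @{
    'Enabled'                                 = $hp.Enabled
    'EnabledSharedAddressSpace'               = $hp.EnabledSharedAddressSpace
    'HostsOCSUsers'                           = $hp.HostsOCSUsers
    'VerificationLevel=UseSourceVerification' = ($hp.VerificationLevel -eq 'UseSourceVerification')
    'ProxyFqdn=sipfed.online.lync.com'        = ($hp.ProxyFqdn -eq 'sipfed.online.lync.com')
}
$failed = $checks.GetEnumerator() | Where-Object { -not $_.Value }
if ($failed) {
    $failed | ForEach-Object { Write-Warning "Hosting provider check failed: $($_.Key)" }
    return
}

# 2. The user must be enabled and homed on an on-premises pool before the move.
$user = Get-CsUser -Identity $UserSip
if (-not $user.Enabled) { throw "$UserSip is not enabled for Skype for Business." }
Write-Host "Before move: $($user.SipAddress) on $($user.RegistrarPool), HostingProvider=$($user.HostingProvider)"

# 3. Move. -Credential is the Office 365 administrator account; the user needs a
#    Skype for Business Online license assigned first (step 8).
$o365Cred = Get-Credential -Message 'Office 365 administrator'
Move-CsUser -Identity $UserSip -Target 'sipfed.online.lync.com' -Credential $o365Cred `
    -HostedMigrationOverrideUrl $HostedMigrationUrl -Confirm:$false

# 4. Verify: HostingProvider should now be sipfed.online.lync.com and the
#    RegistrarPool empty, which is what the Control Panel shows in step 10.
$after = Get-CsUser -Identity $UserSip
Write-Host "After move: HostingProvider=$($after.HostingProvider), RegistrarPool=$($after.RegistrarPool)"
if ($after.HostingProvider -ne 'sipfed.online.lync.com') {
    Write-Warning 'User is still homed on-premises; check the license and the federation trust.'
}
```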
You have finished setting up Hybrid mode for on-premises Skype for Business Server and Skype for Business Online.
The last step is to publish your on-premises Skype for Business Server over the Internet and test its functionality for both types of users, on-premises and online. Before doing that, make sure your firewall rules are configured correctly for the required ports:
Perform the following steps on the TMG virtual machine you prepared at the beginning of your lab:
1. Create a Network Rule to translate outbound traffic from the Edge server (172.16.1.9) to the Internet using this IP address: 125.253.124.164 (your IP address may be different).
[Screenshot: Firewall Policy rule "Edge to all": Allow, All Outbound Traffic, from Edge-Server to All Networks, All Users.]
3. Create server publishing rules for the ports listed above by selecting the Tasks tab. Select Publish Non-Web Server Protocols.
[Screenshot: Firewall Policy Tasks: Publish Exchange Client Access, Publish Mail Servers, Publish SharePoint Sites, Publish Web Sites, Publish Non-Web Server Protocols.]
4. In the welcome page, enter a name for the server publishing rule. Click Next.
[Screenshot: New Server Publishing Rule Wizard: "This wizard helps you create a new server publishing rule. Server publishing rules map incoming client requests to the appropriate internal server."]
5. In Select Server page, enter the IP address of your Edge server. Click Next.
[Screenshot: server publishing rule properties: Published Service SIPS Server; Listen on: External.]
10. Repeat steps 3 to 9 for the other ports: TCP 443 - 444, TCP 5268, UDP 3478.
[Screenshot: Firewall Policy rules: SIPS Server, Allow, protocol SIPS Server, from External to 172.16.1.9; RDP to SFB, Allow, protocol RDP 3392, from External to 192.168.1.8; RDP to AD, Allow, protocol RDP 3392, from External to 192.168.1.5.]
12. To publish UDP port 3478, create a protocol named STUN Edge with the direction Receive Send.
13. To publish TCP port 5269, create a protocol named XMPP Server.
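Once the server publishing rules exist, the published ports should be tested from a machine on the Internet. The script below is an added example and not the eBook's code. TCP ports are tested with a plain connect; UDP 3478 has no connection to test, so the script sends a STUN Binding Request (RFC 5389) and accepts only a Binding Response that echoes its transaction ID. The host name and the port list are the ones the eBook publishes (the RDP rules visible in the screenshot are a lab convenience and are deliberately not part of this check).

```powershell
# Added example (not from the eBook): reachability of the published Edge ports,
# run from outside the lab. Host name and ports are the ones the eBook uses.
$EdgeHost = 'edge.ict24h.info'
$TcpPorts = 443, 444, 5269
$StunPort = 3478

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-StunPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # 20-byte STUN header: type 0x0001 (Binding Request), length 0, magic cookie
    # 0x2112A442, 96-bit random transaction ID. No attributes are required.
    $txid = New-Object byte[] 12
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txid)
    $request = [byte[]](0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42) + $txid

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($HostName, $Port)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        # A Binding Success Response has type 0x0101 and echoes the transaction ID;
        # anything else (or a timeout) counts as "not reachable".
        if ($reply.Length -lt 20 -or $reply[0] -ne 0x01 -or $reply[1] -ne 0x01) { return $false }
        $echoed = [Convert]::ToBase64String([byte[]]$reply[8..19])
        return ($echoed -eq [Convert]::ToBase64String($txid))
    } catch { return $false } finally { $udp.Close() }
}

$results = @(foreach ($p in $TcpPorts) {
    [pscustomobject]@{ Port = "TCP/$p"; Open = Test-TcpPort -HostName $EdgeHost -Port $p }
})
$results += [pscustomobject]@{ Port = "UDP/$StunPort"; Open = Test-StunPort -HostName $EdgeHost -Port $StunPort }
$results | Format-Table -AutoSize
```

A closed TCP port usually means the TMG publishing rule or the Edge listener for that protocol is missing; no STUN answer on UDP 3478 means either the STUN Edge protocol rule is not applied or the A/V Edge service is not running.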
16. In the Publishing Type page, select Publish a single Web site or load balancer. Click Next.
17. In the Server Connection Security page, select Use SSL to connect to the published Web server or server farm. Click Next.
18. In the Internal Publishing Details page, enter the internal site name. Click Next.
20. Under Accept requests for, select This domain name (type below): and enter the public domain you configured before with the path "/*". Click Next.
21. Now you need to create a new web listener. In the welcome page, enter your web listener name. Click Next.
[Screenshot: New Web Listener Definition Wizard: "This wizard helps you create a new Web listener. Web listeners specify how Forefront TMG listens for and authenticates incoming Web requests from clients."]
22. In the Client Connection Security page, select Require SSL secure connections with clients. Click Next.
23. In the Web Listener IP Addresses page, select External. Click Select IP Addresses.
24. From the selection window, select Specified IP addresses on the Forefront TMG computer in the selected network and add the available IP address. Click OK.
25. In the Listener SSL Certificates page, select Assign a certificate for each IP address and select your IP address. Click Select Certificate.
26. In the Select Certificate window, select the wildcard certificate you already imported. Click Select.
27. Verify information with assigned certificate again in Listener SSL Certificates page.
Click Next.
31. In User Sets page, add All Users that the rule is applied to. Click Next.
32. Go to Skype for Business 2015 rule and edit its property on TMG.
33. Click Bridging tab, select Redirect requests to SSL port and change to 4443 port. Click
OK.
| 136
Step-by-Step Guide to Office 365 Hybrid Deployment
34. Click Public Name tab, add two addresses to the list: dialin.ict24h.info and
meet.ict24h.info.
| 137
Step-by-Step Guide to Office 365 Hybrid Deployment
35. Now test the publishing rule by browsing to https://meet.ict24h.info. TMG terminates
TLS on port 443 with the wildcard certificate and bridges the request to port 4443 on the
Front End server. If you are asked for credentials before joining a meeting or chatting,
the hybrid configuration for Skype for Business Online is done.
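The browser test above only shows that the page loads. As an added check that is not part of the book, the following PowerShell, run from a machine outside the network, connects to each published name exactly as a client would (with SNI) and reports the certificate the TMG listener presents, whether .NET trusts it for that name, and whether plain HTTP is still answered despite "Require SSL secure connections with clients". The host names are the book's ict24h.info examples and are placeholders for your own.

```powershell
# Added example, not the book's own script. Host names are assumptions; replace them.
$publishedHosts = @('meet.ict24h.info', 'dialin.ict24h.info')

function Test-PublishedHost {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $script:policyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        # Record .NET's verdict (chain, revocation, name match) instead of aborting,
        # so the certificate can still be reported even when it would be rejected.
        $script:policyErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, like a real client
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject          # expect the wildcard name, e.g. CN=*.ict24h.info
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            PolicyErrors = $script:policyErrors   # None = trusted chain and the name matches
        }
    } finally {
        $client.Close()
    }
}

function Test-PlainHttp {
    # The listener requires SSL, so http://<name>/ should be refused or redirected,
    # never served. This just reports what happens on port 80.
    param([Parameter(Mandatory)][string]$HostName)
    try {
        $r = Invoke-WebRequest -Uri "http://$HostName/" -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
        return "http://$HostName/ answered HTTP $($r.StatusCode): the listener is serving plain HTTP"
    } catch {
        return "http://$HostName/ not served: $($_.Exception.Message)"
    }
}

foreach ($h in $publishedHosts) {
    Test-PublishedHost -HostName $h | Format-List
    Test-PlainHttp -HostName $h
}
```

A PolicyErrors value of RemoteCertificateChainErrors usually means the intermediate CA certificate was not included when the wildcard certificate was imported into TMG; RemoteCertificateNameMismatch means the name you added on the Public Name tab is not covered by the certificate.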
■ Outbound Search: lets users search content stored in SharePoint Online from
on-premises SharePoint Server.
■ Inbound Search: lets users search content stored in on-premises SharePoint
Server from SharePoint Online.
■ Two-way Search: combines Outbound and Inbound Search.
1. The first step is to establish trust between the on-premises SharePoint Server farm and
Azure Access Control Service (ACS). On the SharePoint Server, open IIS Manager > Server Certificates.
3. In Specify Friendly Name page, enter name for your certificate. Select Personal. Click OK.
4. Open the certificate you just created. Click Details tab > Copy to File.
7. Select Personal Information Exchange - PKCS #12 (.PFX). Select Include all
certificates in the certification path if possible. Click Next.
8. On the Security page, add the account that is allowed to use the certificate and enter a
password to protect the private key. Click Next.
Now establish the server-to-server (S2S) trust with PowerShell. Run the following in the
SharePoint 2013 Management Shell; the Get-Msol* cmdlets need the Azure AD Module for Windows
PowerShell and a prior Connect-MsolService as a Global Administrator:
Connect-MsolService   # sign in to Azure AD so that Get-MsolCompanyInformation works
# Wildcard host name of the public domain used by the on-premises web application
$spcn="*.<public_root_domain_name>.com"
# Root site collection of the principal (public-facing) web application
$spsite=Get-SPSite "<principal_web_application_URL>"
$site=Get-SPSite $spsite
# Well-known application ID of SharePoint Online in Azure AD
$spoappid="00000003-0000-0ff1-ce00-000000000000"
# Tenant (context) ID of your Office 365 tenant
$spocontextID = (Get-MsolCompanyInformation).ObjectID
# ACS metadata endpoint for that tenant; SharePoint reads the ACS signing certificates from here
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
(PowerShell output in the screenshot lists the resulting proxy: DisplayName ACS, TypeName
Azure Access Cont..., Id 73705d66-104a-4123-ac0f-110b9a7a32e2.)
3. Upload the STS certificate to SharePoint Online. The model looks like the illustration
below.
6. Register the SharePoint Online application principal object ID with your on-premises
SharePoint Server.
7. Create the Azure Access Control Service application proxy and the trusted security token
issuer:
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
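The page shows the variables and the final two cmdlets but not the commands for steps 3 to 6. As an added example, not the book's own script, here is the whole sequence in one run, following Microsoft's published procedure for S2S trust between SharePoint Server and SharePoint Online, with a check at the end. Everything in angle brackets is a placeholder; the .pfx is the certificate exported above. Run it in the SharePoint 2013 Management Shell on a farm server as a farm administrator.

```powershell
# Added example (not from the book). Placeholders in <angle brackets> are assumptions.
Connect-MsolService   # Global Administrator of the Office 365 tenant

$spcn             = "*.<public_root_domain_name>.com"
$spsite           = Get-SPSite "<principal_web_application_URL>"
$site             = Get-SPSite $spsite
$spoappid         = "00000003-0000-0ff1-ce00-000000000000"   # SharePoint Online app ID
$spocontextID     = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"

# Step 3: upload the STS certificate to SharePoint Online. Only the public part
# (GetRawCertData) leaves this machine; the private key stays in the .pfx.
$pfxPath     = "<path_to_exported_pfx>"
$pfxPassword = Read-Host "PFX password" -AsSecureString
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $pfxPath, $pfxPassword,
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable, PersistKeySet")
$credValue = [System.Convert]::ToBase64String($stsCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# Step 4: add the on-premises public name as an SPN of the SharePoint Online principal,
# so that tokens issued for *.<public_root_domain_name>.com are accepted.
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

# Step 5: make the on-premises STS sign with the same certificate that was just uploaded.
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert -Confirm:$false
iisreset
Restart-Service SPTimerV4

# Step 6: register the SharePoint Online principal in the farm and set the realm
# to the tenant ID so that issuer/realm values in both directions match.
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.RootWeb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $spocontextID

# Step 7: ACS application proxy and trusted security token issuer (as on the page)
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

# Check: the issuer exists and the ACS signing certificates it trusts are valid today.
$issuer = Get-SPTrustedSecurityTokenIssuer "ACS"
$now = Get-Date
@($issuer.SigningCertificate) + @($issuer.AdditionalSigningCertificates) |
    Where-Object { $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            ValidNow   = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
        }
    }
```

The order matters: the certificate must be uploaded to Azure AD (step 3) before the on-premises STS starts signing with it (step 5), otherwise SharePoint Online rejects tokens until both sides agree on the key.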
Output of New-SPTrustedSecurityTokenIssuer, as shown in the screenshot (cleaned up):
SigningCertificate            : [Subject] CN=accounts.accesscontrol.windows.net
                                [Issuer] CN=accounts.accesscontrol.windows.net
                                [Serial Number] B1188CD2385E15984A938F580F448AD5
                                [Not Before] 1/1/2014 2:00:00 PM
                                [Not After] 1/1/2016 2:00:00 PM
                                [Thumbprint] 92B88C3DD981BF1EBCB244FCFA63C007706C79E0
AdditionalSigningCertificates : [Subject] CN=accounts.accesscontrol.windows.net
                                [Issuer] CN=accounts.accesscontrol.windows.net
                                [Serial Number] 40D5EB9B384B37B5469545C3602453DF
                                [Not Before] 10/28/2014 7:00:00 AM
                                [Not After] 10/27/2016 7:00:00 AM
                                [Thumbprint] 3270BF5597004DF339A4E62224731B6BDB2B10A6
MetadataEndPoint              : https://accounts.accesscontrol.windows.net/metadata/json/1/
IsAutomaticallyUpdated        : True
Name                          : ACS
TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService
DisplayName                   : ACS
Id                            : a284f82f-c26b-4559-98b5-d687b38eb689
Status                        : Online
Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version                       : 14798
Properties                    : {}
Farm                          : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties   : {}
PS C:\>
You have now established server-to-server trust between your on-premises SharePoint
Server and the identity provider of SharePoint Online. Note that the ACS signing certificates
shown above expire; because IsAutomaticallyUpdated is True, the farm refreshes them from the
metadata endpoint through the "Refresh Trusted Security Token Services Metadata feed" timer
job, so that job must be able to reach accounts.accesscontrol.windows.net, or token
validation will start failing once the listed certificates expire.
Now you need to configure Search for testing. Perform the following steps:
1. On your on-premises site collection, go to Site Settings > Search Result Sources.
(Screenshot of the Site Settings page.)
3. Enter a name for the new result source (in our case ICT24H Portal Outbound Search) and a
description. Under Protocol, select Remote SharePoint. (Local SharePoint would return results
from the index of this Search Service; OpenSearch 1.0/1.1 returns results from a search
engine that uses that protocol.)
4. Enter the URL of your site collection in SharePoint Online as the Remote Service URL.
Select SharePoint Search Results. Click Save.
6. Select the result source you just created from the list of result sources. (Query rules
conditionally promote important results, show blocks of additional results, and tune ranking;
changes take effect within seconds, but dictionaries may take several minutes to update.)
7. Enter a name for the query rule. Under Context, select One of these sources and choose the
result source you just created. Select All categories and All user segments.
(Screenshot: the General Information and Context section of the new query rule, with
ICT24h Portal Outbound Search listed under One of these sources, All categories, and All
user segments.)
10. Under Settings, select This block is always shown above core results. Click Save.
11. Review your configuration again. (Screenshot: Manage Query Rules for the context
ICT24h Portal Outbound Search, All User Segments, All Topic Categories, with the new rule
listed and the Test a Query box available.)
12. Go to your on-premises SharePoint site collection and to SharePoint Online to test hybrid
search.
(Screenshot: searching for "doc" on the on-premises site returns the SharePoint Online
document Doc online together with the on-premises documents Doc onprem1, Doc onprem2 and
Doc onprem3 from ICT24h Portal on sp01.)
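The same test can be scripted so that it can be repeated after every change to the result source or query rule. The following is an added example, not the book's own, that looks up the outbound result source created above and runs the query through the on-premises search REST API with that source, tagging each hit by where it came from. The site URL, result source name and query are assumptions; run it in the SharePoint 2013 Management Shell as a user who is synchronized to Office 365, because the remote part of the query is executed in SharePoint Online as that user.

```powershell
# Added example, not from the book. $onPremSite, $sourceName and $queryText are assumptions.
$onPremSite = "https://sp01.ict24h.info"
$sourceName = "ICT24H Portal Outbound Search"
$queryText  = "doc"

function Get-OutboundResultSourceId {
    param([string]$SiteUrl, [string]$Name)
    # The result source was created in Site Settings, i.e. at site collection level,
    # so it must be looked up with a site collection level owner.
    $ssa   = Get-SPEnterpriseSearchServiceApplication
    $web   = (Get-SPSite $SiteUrl).RootWeb
    $owner = Get-SPEnterpriseSearchOwner -Level SPSite -SPWeb $web
    $src   = Get-SPEnterpriseSearchResultSource -Identity $Name -SearchApplication $ssa -Owner $owner
    if (-not $src) { throw "Result source '$Name' not found at $SiteUrl" }
    return $src.Id
}

function Invoke-HybridSearch {
    param([string]$SiteUrl, [guid]$SourceId, [string]$Query)
    $q   = $Query -replace "'", "''"   # single quotes are doubled inside the querytext literal
    $uri = "$SiteUrl/_api/search/query?querytext='$q'&sourceid='$SourceId'&selectproperties='Title,Path'"
    $resp = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -Headers @{ Accept = 'application/json;odata=verbose' }
    $rows = $resp.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results
    foreach ($row in $rows) {
        $cells = @{}
        foreach ($cell in $row.Cells.results) { $cells[$cell.Key] = $cell.Value }
        # Remote SharePoint results carry the SharePoint Online URL; with the outbound
        # source every hit should be tagged SharePoint Online.
        $origin = 'On-premises'
        if ($cells['Path'] -match '\.sharepoint\.com/') { $origin = 'SharePoint Online' }
        [pscustomobject]@{ Title = $cells['Title']; Path = $cells['Path']; Origin = $origin }
    }
}

$id = Get-OutboundResultSourceId -SiteUrl $onPremSite -Name $sourceName
Invoke-HybridSearch -SiteUrl $onPremSite -SourceId $id -Query $queryText | Format-Table -AutoSize
```

An empty result set with no error usually means the S2S trust is fine but the querying user does not exist in the Office 365 directory, so SharePoint Online has no identity to search as.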
1. Log in to the Office 365 portal. Select DOMAINS. Click Add domain.
4. Office 365 recognizes the provider from which you purchased your domain. In our case, Office
365 recognized GoDaddy and asks you to sign in to the domain control panel; for example, click
Sign in to GoDaddy.
5. Enter your credentials on the GoDaddy Login page.
6. On the Confirm Access page, GoDaddy asks you to allow Office 365 to make changes to the
domain ("Office 365 is requesting permission to make changes to your domain ict24h.info at
GoDaddy."). Click Accept.
7. Office 365 then completes the domain verification automatically. Click Next.
8. Select the Office 365 users whose domain you want to update, for example from
admin@ict24happs.onmicrosoft.com to admin@ict24h.info. Click Update selected users.
11. Sign in to your Office 365 portal with the newly updated account.
13. Select No, I have an existing website or prefer to manage my own DNS
records.
14. By default, Office 365 offers to set up the DNS records for Exchange, Skype for
Business and Mobile Device Management. Click Next.
15. The records page lists the DNS records Office 365 expects for the domain. Click Add
records to add a new one.
16. Add the records for your custom domain at your DNS provider.
17. Once you have finished, you are redirected to the final page. Click Finish.
18. On the DOMAINS page, verify the new domain you just added and configured.
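The DOMAINS page only reports what Office 365 itself can see. As an added check, not part of the book, the following PowerShell resolves the records from a public resolver and compares them with the targets the wizard listed, so a typo at the DNS provider shows up as a row with OK = False. The domain is the book's example; the targets are placeholders to be copied from the wizard's record page, because in a hybrid deployment the mail and SIP records may legitimately point on-premises rather than to Office 365.

```powershell
# Added example, not the book's own script. Targets and the resolver address are assumptions.
$domain   = "ict24h.info"
$resolver = "8.8.8.8"   # a public resolver, so the check sees what the Internet sees
$expected = @(
    @{ Type = 'MX';    Name = $domain;                          Target = '<mx_target_from_wizard>' },
    @{ Type = 'CNAME'; Name = "autodiscover.$domain";           Target = '<autodiscover_target>' },
    @{ Type = 'SRV';   Name = "_sip._tls.$domain";              Target = '<sip_target>' },
    @{ Type = 'SRV';   Name = "_sipfederationtls._tcp.$domain"; Target = '<sipfed_target>' },
    @{ Type = 'CNAME'; Name = "lyncdiscover.$domain";           Target = '<lyncdiscover_target>' },
    @{ Type = 'TXT';   Name = $domain;                          Target = '<spf_record_from_wizard>' }
)

function Test-DomainRecord {
    param([string]$Type, [string]$Name, [string]$Target, [string]$Server)
    try {
        # -DnsOnly skips the hosts file and LLMNR so only the real zone is consulted
        $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq $Type }
    } catch {
        return [pscustomobject]@{ Record = "$Type $Name"; Expected = $Target; Actual = '(no answer)'; OK = $false }
    }
    # Each record type keeps its target in a differently named property
    $actual = switch ($Type) {
        'MX'    { $answers.NameExchange }
        'CNAME' { $answers.NameHost }
        'SRV'   { $answers.NameTarget }
        'TXT'   { $answers | ForEach-Object { $_.Strings -join '' } }
    }
    $want = $Target.TrimEnd('.')
    [pscustomobject]@{
        Record   = "$Type $Name"
        Expected = $Target
        Actual   = (@($actual) -join ', ')
        OK       = [bool](@($actual) | Where-Object { $_.TrimEnd('.') -ieq $want })
    }
}

$expected | ForEach-Object {
    $r = $_
    Test-DomainRecord -Type $r.Type -Name $r.Name -Target $r.Target -Server $resolver
} | Format-Table -AutoSize
```

Because the resolver is public, a freshly changed record can still show the old value until the previous TTL expires; rerun the check after that time before concluding the provider did not apply the change.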
--End--