Office 365 Hybrid Deployment
Continuing my blog series on setting up a Hybrid Office 365 deployment with Exchange 2010 SP2. This part will detail the ADFS and SSO setup.
So I went with the recommended, actually required, two NIC configuration for UAG, one NIC dedicated to External and one to Internal communications. To properly setup the NICs (in my lab all VMs are in the same VLAN) I had to issue the following commands to set the internal routing using the NIC named ‘Internal’:
Netsh Interface ipv4 add route prefix=10.0.0.0/8 "Internal" nexthop=192.168.100.1 store=persistent
Netsh Interface ipv4 add route prefix=172.16.0.0/12 "Internal" nexthop=192.168.100.1 store=persistent
Netsh Interface ipv4 add route prefix=192.168.0.0/16 "Internal" nexthop=192.168.100.1 store=persistent
The route prefixes indicate internal networks and the Nethop is the gateway.
UAG Getting Started Wizard after Install, http://technet.microsoft.com/en-us/library/dd857324.aspx this will explain how to setup your UAG for your environment.
This is how my lab environment is setup for UAG:
Great detail huh? J
I have renamed the NICs on my UAG server as Internal and External (I know, I am so clever, maybe I should try to patent this!) A note the in my lab the External NIC has the Default Gateway set as 192.168.100.1 and the Internal has no Default Gateway set. The External also is using an External DNS server, 188.8.131.52, and the Internal NIC is pointed to my domain DNS.
So to assist me with the complete setup I used the Exchange Deployment Assistant website, http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#Index. Much of the information in this blog series has come from this great tool that Microsoft has made available. I also setup UAG 2010 to publish Exchange 2010 Web Services, and used this guide about Publishing Exchange 2010 with TMG and UAG, http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946
The first step is to install and configure ADFS 2.0
Create an internal DNS entry for the ADFS Service that will point to the ADFS internal server, like ADFS.Domain.com. FYI I have split DNS setup, which means I have a separate internal and external DNS provider. If you do not have this it will make the implementation a bit more difficult, but can be done. I would recommend that you Bing (hey I’m a Microsoft guy so will not see me use the G word in my blog posts) to find out the differences with a single DNS namespace spared both for internal and external access. The biggest issue you will find is around ADFS for SSO as you will need to probably route all authentication via the ADFS proxy, in my case I am going to utilize Forefront Unified Access Gateway (UAG) for my ADFS proxy. I am also utilizing UAG for publishing the Exchange 2010 on-premises web services, OWA, Outlook Anywhere, ActiveSync, etc.
Create dedicated Service Account for ADFS, Domain account with password never expire, this account does not need any additional privileges within the domain, just a standard domain user.
Obtain a SSL Certificate. My strong recommendation, as the information in the http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx Link will state is to use a Public Certificate Authority, I used GoDaddy.com to obtain my public Unified Communications(UC)/Subject Alternate Name(SAN) certificate.
Launch ADFSSEtup.exe (download from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10909)
Click Next ( so you will see Click Next throughout this and future posts, this really means read everything on the page, but no changes from the default settings are needed, so basically just Click Next!)
Be sure to read the entire EULA (and send me a condensed understanding in under 50 words) and then accept and Click Next
Ensure Federation server is selected and Click Next
Install SP1 Hotfix for ADFS 2.0 (download from http://support.microsoft.com/kb/2607496) standard next next next finish J
After the AD FS 2.0 software installation is complete, click Start, then Administrative Tools, and then AD FS 2.0 Management to open the AD FS 2.0 Management snap-in.
Click on the AD FS 2.0 Federation Server Configuration Wizard link
Ensure the proper Certificate and Federation Service Name is set and Click Next
Set the Service Account (you remember now, the one I told you that was needed to be created earlier in this blog) and Click Next
Above can be ignored, will be setup later
Below verification steps have been taken from: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
Procedure 1: To verify that the federation server is operational
- Log on to a client computer that is located in the same forest as the federation server.
- Open a browser window. In the address bar, type the federation server’s DNS host name, and then append /adfs/fs/federationserverservice.asmx to it for the new federation server; for example:
- Press ENTER, and then complete the next procedure on the federation server computer. If you see the message There is a problem with this website’s security certificate, click Continue to this website.
The expected output is a display of XML with the service description document. If this page appears, IIS on the federation server is operational and serving pages successfully.
Procedure 2: To verify that the federation server is operational
- Log on to the new federation server as an Administrator.
- Click Start, point to Administrative Tools, and then click Event Viewer.
- In the details pane, double-click Applications and Services Logs, double-click AD FS 2.0 Eventing, and then click Admin.
- In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event—in the Application log of Event Viewer—with the event ID 100. This event verifies that the federation server was able to successfully communicate with the Federation Service.
ADFS Proxy, Using UAG
http://technet.microsoft.com/en-us/library/gg274295.aspx this is the site I used to configure ADFS proxy, and really not sure if you can call it proxy as it is more involved than that and more secure, for the internal ADFS service. You can also use the ADFS Proxy role in a DMZ as explained in the help file here: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx
Create a new Authentication Server, Click……….OK
Create a new UAG Trunk, Click Next
Name the Trunk and apply the public DNS name and External IP address, Click Next
Select the Authentication Provider, Click Next
Select the proper Certificate, Click Next
Install the MSOL Powershell Module for Office 365
Accept and Click Next
Change if you want but I recommend….. Click Next
Add a domain
- Open the Microsoft Online Services Module.
- Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your Office 365 administration account credentials.
- Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365. Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.
- Run Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>, where <AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0 server. This cmdlet creates a context that connects you to AD FS 2.0.
If you have installed the Microsoft Online Services Module on the primary AD FS 2.0 server, then you do not need to run this cmdlet.
- Run New-MsolFederatedDomain -DomainName <domain>, where <domain> is the domain to be added and enabled for single sign-on. This cmdlet adds the domain.
- Using the information provided by the results of the New-MsolFederatedDomain cmdlet, contact your domain registrar to create the required DNS record. This verifies that you own the domain. Note that this may take up to 15 minutes to propagate, depending on your registrar. It can take up to 72 hours for changes to propagate through the system. For more information, see Locate my domain name registrar and Verify a domain at any domain name registrar.
- Run New-MsolFederatedDomain a second time, specifying the same domain name to finalize the process.
The above is what the commands from the steps look like for adding a new domain
The above is what the commands look like for converting a domain
Add a Relying Trust in ADFS for UAG
This is only needed if you are using UAG for the ADFS Proxy http://technet.microsoft.com/en-us/library/gg274305.aspx
I downloaded the UAG Metadata from the UAG Server and then selected the import method, and then I Clicked Next
Name to Relaying party and give some notes and Click Next
Click Next at the next screen (sorry missed a screen shot on this one, so shot me!)
Click Add Rule…(highlighted button)
Select ‘Pass Through or Filter an Incoming Claim and you guessed it, Click Next
Name the rule and choose the same Claim Type and Click Next
DIR SYNC Install and Setup
Below steps are detailed here to enable Directory Sync in your Office 365 Enviornment, http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652544.aspx#BKMK_EnableDirectorySynchronization
Enable DirSync from Portal\Users\Active Directory Sync Setup Item #3 Activate
Download from the Portal\Users\Active Directory Sync Setup link
Choose the appropriate version and download
Click Next after accepting and reading the complete EULA!
Change at your own RISK and then Click Next
You’ll wait awhile for this then………… Click Next
You guessed it, Click Next
Enter your Admin Credentials for Office 365 (will blog later about setting this password to not expire, but not tonight!) then Click Next
Enter Credentials for your On-premises AD, the account needs to have Enterprise Admin privileges but can be deleted after the completion of the setup as a new account is created to run the sync, Click Next
Waiting…..listen to some music, take a break, walk outside, etc…..
Yep… Click Next
Check the DirSync server to ensure the sync completed successfully
Best testing site is https://www.testexchangeconnectivity.com/
Please check back for Part 3 about the SP2 Hybrid Wizard in Exchange 2010!