So, You're Going to the Cloud? Start Preparing NOW! Wes Morgan, ICS SWAT; Casey Toole, ICS SWAT


Why Are We Here?

2 1/17/17

There are many “moving parts” in cloud migration

For instance, did you know you’ll have to be able to change your DNS?

Most of them should be addressed BEFORE you start migrating users

End users are now “multi-vector” - office, mobile, home

You probably have problems or concerns in at least one of these areas

Proper prior planning prevents pretty poor performance!

First and Foremost – USE THE PRODUCTION PILOT!

You can do everything we'll discuss in a production pilot

Work out any kinks before you ever move a “real user”

Conduct performance tests before going live

Allows you to test particular locations and/or technology

Can perform network testing (e.g. throughput, performance)

Gain access to Hybrid Pre-Configuration Tool, Domain Configuration Tool, etc.

Transitioning from production pilot to full production is easy

Make a Communications Plan!

Let your end users know:

What’s going to happen

Who it’s going to happen to

When/where it’s going to happen

Avoids confusion (and telephone calls!)

Lets you lead users through the process

Start with the Fundamental: Identity

Assuming that you're providing authentication services on-premises

Directory consolidation – get to “one directory”, one view of enterprise

Might mean cleaning up AD forests or Domino domains

AD? Use Global Catalog Server for top-level domain

Domino? Can use Extended Directory Catalog

Directory cleanup

Audit current directory – purge old/unused users

Resolve all pending name changes, clean up groups
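One way to do the directory audit the slide calls for, added here as an example that is not part of the original deck: it assumes an Active Directory export produced with `ldifde` (for instance `ldifde -f users.ldif -r "(&(objectCategory=person)(objectClass=user))" -l sAMAccountName,userAccountControl,lastLogonTimestamp`), the three entries are constructed, and the reference date and 90-day threshold are assumptions. It flags disabled accounts, accounts that never logged on, and accounts idle past the threshold. `lastLogonTimestamp` is used rather than `lastLogon` because it replicates between domain controllers, at the cost of being up to about 14 days behind, so a 90-day threshold is safe and a 7-day one would not be.

```python
"""Audit an Active Directory LDIF export for accounts to purge before federating.
Added example, not from the original slides; the sample export is constructed."""
import base64
from datetime import datetime, timedelta, timezone

FILETIME_UNIX_EPOCH = 116444736000000000   # 100-ns ticks from 1601-01-01 to 1970-01-01 UTC
UAC_ACCOUNTDISABLE = 0x0002                 # userAccountControl flag bit
REFERENCE_NOW = datetime(2017, 1, 17, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample export: one active user, one idle contractor, one disabled service account.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: aadams
userAccountControl: 512
lastLogonTimestamp: 131284800000000000

dn: CN=Old Contractor,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: contractor7
userAccountControl: 512
lastLogonTimestamp: 131012640000000000

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
objectClass: user
sAMAccountName: svc-backup
userAccountControl: 514
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    and returns one dict per entry with every attribute as a list of strings."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif line.startswith("#"):
            continue
        elif ":: " in line:                    # base64 value (must be tested before ": ")
            key, val = line.split(":: ", 1)
            current.setdefault(key, []).append(base64.b64decode(val).decode("utf-8", "replace"))
        elif ": " in line:
            key, val = line.split(": ", 1)
            current.setdefault(key, []).append(val)
    return entries


def filetime_to_datetime(ticks):
    """AD stores lastLogonTimestamp as 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    if ticks <= 0:
        return None
    return datetime.fromtimestamp((ticks - FILETIME_UNIX_EPOCH) / 10_000_000, tz=timezone.utc)


def audit_accounts(ldif_text, now, stale_days=90):
    """Return (sAMAccountName, reason) for every account to review before migration.
    lastLogonTimestamp replicates only every 9 to 14 days, so keep stale_days well above that."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for entry in parse_ldif(ldif_text):
        if "user" not in entry.get("objectClass", []):
            continue
        name = entry.get("sAMAccountName", ["?"])[0]
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            findings.append((name, "disabled"))
            continue
        last = filetime_to_datetime(int(entry.get("lastLogonTimestamp", ["0"])[0]))
        if last is None:
            findings.append((name, "never logged on"))
        elif last < cutoff:
            findings.append((name, f"stale: last logon {last.date()} ({(now - last).days} days ago)"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_LDIF, REFERENCE_NOW):
        print(f"{account:15} {reason}")
```

Run it against a real export and review the list with the account owners before deleting anything; disabled accounts that still own mail files or group memberships are exactly the ones that complicate a migration later.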

Identity – Setting up a SAML Identity Provider (IdP)

Free/open-source IdPs are available (e.g. Shibboleth)

We support either SAML 1.1 or 2.0 – recommend 2.0

Other tools to help you design and test SAML infrastructure

samltool.com – various online tools to examine/decode SAML queries and responses (feed it test-environment traffic only: a real response carries user identifiers and, inside its validity window, a still-valid signed assertion)

SAML tracer – Firefox plugin that identifies/extracts SAML traffic from web sessions (can cut-and-paste, save to file, etc.)

Use secure protocols throughout identity infrastructure (e.g. LDAPS, HTTPS)

Identity – Where to Deploy Your IdP

IdP in extranet (i.e. Internet-accessible) = ease of use for external clients, but also heightens security risk

IdP on internal network = requires external users to connect via VPN before they can authenticate to cloud

NOTE: Notes client does not use SAML by default, but can do so with Notes Federated Login (requires access to IdP)

NOTE: Mobile devices can use application passwords or SAML(depends on the particular client in use)

Identity – Other Considerations

Password expiration

Cloud password-expiration requirements are usually more stringent than most enterprises' own

Probably want to change this prior to migration

SAML SSO time-to-live (TTL)

TTL determines how long the SSO authentication token remains valid before the user must re-authenticate at the IdP

Recommend setting of 8-12 hours to accommodate typical working day

High-security environments may require shorter TTL

Discuss with your security team
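The following does offline what samltool.com and SAML tracer (mentioned two slides back) do interactively, and adds the TTL check from this slide. It is an added example, not part of the original deck or of those tools: it decodes a SAMLResponse from either browser binding (HTTP-POST is base64; HTTP-Redirect is raw DEFLATE then base64, after URL-decoding) and reports version, issuer, subject, audience, validity window, whether the assertion carries a signature, and the session lifetime against a policy maximum. The response, its entity IDs and the 12-hour policy value are constructed. With real captures, an unsigned assertion, a wrong audience or an expired window each mean the response should be rejected.

```python
"""Decode a captured SAMLResponse and report what matters for a cloud SSO rollout.
Added example, not from the original slides; the response below is constructed and unsigned."""
import base64
import zlib
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET   # use defusedxml.ElementTree for captures you do not trust

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-01-17T09:00:00Z" Destination="https://sp.example.com/acs">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-01-17T09:00:00Z">
    <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-01-17T08:59:00Z" NotOnOrAfter="2017-01-17T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-01-17T09:00:00Z" SessionNotOnOrAfter="2017-01-18T09:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _raw_deflate(data):
    """DEFLATE without the zlib header, as the HTTP-Redirect binding requires."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

# The same response as each binding would carry it (constructed for the demo).
SAMPLE_POST_PARAMETER = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
SAMPLE_REDIRECT_PARAMETER = base64.b64encode(_raw_deflate(SAMPLE_RESPONSE_XML.encode())).decode()


def decode_saml_parameter(value):
    """Undo the transport encoding (base64, with raw DEFLATE underneath for Redirect) and return XML text."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)       # -15 = raw DEFLATE stream, no header
    return raw.decode("utf-8")


def parse_saml_time(value):
    """SAML dateTime values are UTC, 'Z'-suffixed, with optional fractional seconds."""
    body = value.rstrip("Z").split(".")[0]
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def inspect_response(encoded, expected_audience, now, max_session=timedelta(hours=12)):
    """Return the fields worth reading plus a list of problems; an empty 'problems' list is a pass."""
    root = ET.fromstring(decode_saml_parameter(encoded))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext assertion (missing, or EncryptedAssertion)")
        return {"version": root.get("Version"), "problems": problems}
    cond = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    # Presence check only: a real verifier validates the XML-DSig (e.g. with xmlsec) against
    # the IdP certificate from metadata; merely finding the element proves nothing.
    signed = assertion.find("ds:Signature", NS) is not None or root.find("ds:Signature", NS) is not None
    report = {
        "version": assertion.get("Version"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": None if cond is None else cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "signed": signed,
        "session_hours": None,
        "problems": problems,
    }
    if report["version"] != "2.0":
        problems.append(f"SAML version {report['version']}; 2.0 is recommended")
    if not signed:
        problems.append("assertion is not signed")
    if report["audience"] != expected_audience:
        problems.append(f"audience {report['audience']!r} is not this SP ({expected_audience})")
    if cond is not None and cond.get("NotOnOrAfter"):
        not_before = cond.get("NotBefore")
        too_early = not_before is not None and now < parse_saml_time(not_before)
        if too_early or now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append(f"outside validity window at {now:%Y-%m-%dT%H:%M:%SZ}")
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        ttl = parse_saml_time(authn.get("SessionNotOnOrAfter")) - parse_saml_time(authn.get("AuthnInstant"))
        report["session_hours"] = ttl.total_seconds() / 3600
        if ttl > max_session:
            problems.append(f"session lifetime {report['session_hours']:g}h exceeds the {max_session.total_seconds() / 3600:g}h policy")
    return report


if __name__ == "__main__":
    for key, value in inspect_response(SAMPLE_POST_PARAMETER, "https://sp.example.com",
                                       parse_saml_time("2017-01-17T09:01:00Z")).items():
        print(f"{key:14} {value}")
```

The assertion's own validity window (NotBefore/NotOnOrAfter, a few minutes) and the session lifetime (SessionNotOnOrAfter, the TTL this slide discusses) are different things: the first bounds how long the response can be presented to the service provider, the second how long the resulting session lives. Set the TTL policy in the call to whatever your security team agreed, and treat the signature result as "present", not "verified".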

Network Considerations

Keep in mind just how much traffic you'll be pushing to the Internet

What's the current utilization on your Internet connection(s)?

Do you have areas in your internal network which perform poorly?

Common pain points:

Proxy server and firewall configurations

VPN users

Unexpected (!) bandwidth usage

Geographic issues (location of both data center and end users)

Network Considerations

For more details on these – and MORE!

Session 1548A “Going Cloud, Going Mobile: Don’t Let Your Network Be a Showstopper!”

Tomorrow (Thursday), 12:00-12:45pm, Room 2008

Going Hybrid? Special Planning/Considerations

Set up your Domino passthru server(s)

To internal Directory (dirsync) server

To internal NRPC mail hub

Must be a separate Domino domain

Should be placed in DMZ (extranet)

Ensure FTP connectivity to cloud server(s) (if desired for mail file uploads); plain FTP sends credentials and mail files in cleartext, so check which secure transfer option the cloud endpoint offers before relying on it

Pick Your Platform: Standardize Clients

Supported browsers are described under “Connections Cloud System Requirements”

Do NOT configure browsers for automatic updates!

Plugin installation required for some features

Know how to debug/trace plugins

NOTE: Audio/video and desktop/screen sharing only in 32-bit browsers

May want to consider standardizing on a single browser client

Notes clients

8.5.1FP5 or later – Standard configuration ONLY

Mobile Clients: Additional Considerations

Do NOT accept automatic mobile OS updates (e.g. OTA updates)

If you use a segmented environment (e.g. Good, Secure WorkPlace)

Extra testing required

Cloud security may eliminate need for segmented environment

Discuss with mobile/security team

Remember that mobile devices will probably have the broadest range of performance of any clients (roaming, cellular provider performance vary)

You may not want mobile devices using enterprise wifi (control per app in iOS)

NOTE: IBM Cloud REQUIRES fingerprint swipe or passcode!

A Quick Word on Governance/Compliance

Keep in mind that some of your users (e.g. legal counsel, R&D) may have different compliance requirements.

You may have entire divisions/subsidiaries (e.g. healthcare) subject to particular compliance restrictions and policies

May affect where your data “lives”

Discuss/review with compliance/legal staff

Realize that part of governance/compliance is determining who has administrator authority in your cloud deployment

New tools for ‘partitioning’ users and assigning granular roles

Controlling Third-Party Applications

Several third-party apps available for integration with the IBM Cloud

You can control them via policies

You can go down to enabling/disabling individual use of specific apps

Know the licensing for those products

Discuss/develop appropriate policies BEFORE deploying to users!

Prepare for the Move – Mail Migration

Many customers experience headaches here

Clean up existing mail queues (e.g. mail.box) – NO dead messages!

First discussion – mail quotas

Do your users really need 5 years' email in the cloud?

For Notes client users – local archives for older mail can be a big win

Second discussion – mail retention

How long are you going to keep old mail around?

Review naming conventions

Prepare for the Move – Mail Migration

Consider creating an agent and/or database to identify potential “problem children” mail databases:

Excessively large (> 10GB)

Excessive number of folders (> 400)

Excessive number of messages (100,000 is too many!)

Excessive attachments

Unused/obsolete mailfiles

Consider setting up a local mail replica and MMR (managed mail replica) configuration before migration

Note that MMRs migrate transparently

Prepare for the Move – Mail Migration

Plan for admin access to mailfiles after migration

By default, only users have access to their mailfile

You can create groups and assign them in ACLs BEFORE migration

Local Administrators

Support personnel (e.g. Help Desk?)

Use new group names – do NOT use LocalDomainAdmins, etc…

Create [ExcludeDelegate] role in the ACL

Create groups, apply [ExcludeDelegate] role to each

Apply via agent or third-party tool

Prepare for the Move – Mail Migration

Be careful with delegations

Migrate delegates first – delegation breaks if target is moved before delegate

You may have delegations that cross geographies or business units

Practice using Mail Onboarding Manager (MOM)

For < 1000 users, MOM should be fine

For > 1000 users, discuss with your IBM team

Non-Domino email?

Consider setting up Domino environment, migrating in-house, then migrating to cloud

Remember that YOU DON'T HAVE TO MIGRATE MAIL FIRST!

While You’re Migrating, Think About SMTP

Inbound SMTP can be handled by SmartCloud once the bulk of your users have been migrated

Do you WANT to do this?

You may have other on-premises services receiving SMTP mail

You may want to keep your anti-spam/anti-virus infrastructure

You may want to track/verify inbound SMTP (and dead SMTP mail) yourself

You may have multiple domains going through a single inbound SMTP host

What’s your daily inbound SMTP volume?

You can go either way on this one…

Avoiding Unexpected Problems – Hidden “Gotchas”

Make sure Domino adminp is clean

Leftover requests can complicate name changes, group management, etc.

Personal contacts (i.e. pernames.nsf) may not migrate to cloud

Ensure Personal NAB template is 8.5.3 design or later

If using Notes client, ALL mail replicas will replicate to cloud

Make sure users do not have multiple local replicas of their mail file

Users have only Editor access to cloud mail files (including MMRs/replicas)

They will be unable to make OR change customizations

Questions and Answers

Notices and disclaimers

Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Notices and disclaimers continued

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

THANK YOU FOR BEING HERE!

Please complete a session survey...