#SPSPhilly @RHarbridge
SharePoint In The Cloud: Evaluating Impact, Pros, and Cons
Presented By: Richard Harbridge
Thanks To Our Sponsors!
SharePoint User Group
• SharePoint: End Users, Administrators, Architects, Developers, IT Pros
• Meetings: 2nd Tuesday of the month, Microsoft Malvern, 5:30-8 pm
WEB: www.TriStateSharePoint.org
EMAIL: [email protected]
TWITTER: @tristateSP
SharePoint Network
• Are you an independent consultant or remote worker who deals with SharePoint, Office or Office 365?
• Do you sometimes feel cut off from the rest of the SharePoint world?
• Do you need help with technical or business issues, or just want the chance to socialize with others?
If so, then the SharePoint Network might be for you! www.SharePointNetwork.org
Who am I?
(Map slide: Boston, Washington)
Our Goal Today…
From Here To Here
Information!
What Will We Cover Today?
• Why is SharePoint in the Cloud?
• What is SharePoint in the Cloud?
• What is Office 365?
• Concerns in the Cloud?
• Evaluating Cloud Providers
Why is SharePoint in the Cloud?
• Minimal Entry Cost
• Pay Per Use
• Shift From CAPEX to OPEX
• Providers Leverage Scale for Discounts
The Outcome
Cloud enables on-demand computing resources to be rapidly provisioned with minimal management effort.
What to watch out for…
While cloud is for everyone, it is not for everything (until solutions, usage and standards mature).
What is SharePoint in the Cloud?
SharePoint Cloud Models
• All-in (Dedicated/Shared): SharePoint 2010, Exchange 2010, Lync 2010, Public Facing Websites, Demo/Dev/Test/Prod, External Identity Provider
• Trusted Hybrid (Dedicated/Shared): Collaboration Scenarios, Doc Management, MySites, Extranet, Demo/Dev/Test/Prod, Single Sign On (ADFS)
• Un-trusted Hybrid (Dedicated/Shared): Exchange 2010, Lync 2010, Extranet, Public Facing Websites, Demo/Dev/Test, External Identity Provider
SharePoint Extranet
On Premise Hosted Environment vs Externally Hosted Environment:
• Firewall: You manage firewall exceptions/access to environment. / They manage firewall exceptions (most cases fully public facing)/access to environment.
• Identity: You provision a new identity store and manage two identity stores. / They provision an identity store; you still may manage aspects of it based on business need.
• Infrastructure: You support the environment infrastructure. / They typically support the environment infrastructure.
• Cost: You plan for and invest in sizable up front costs installing and configuring the environment. / You pay for what you use under their planned structures (typically OPEX vs CAPEX).
Amazon and SharePoint
Azure and SharePoint
What is Office 365? (Standard/Shared Hosting)
Getting Office 365 (or BPOS) Dedicated: Evaluation Criteria
• Do you have less than 5000 people? Not for you.
But You Still Want Dedicated?
• SPLA (Services Provider License Agreement) – means hosting companies can offer competitive ‘dedicated’ hosting scenarios at lower costs. This is for you.
Office 365 Marketing?
“You already use these applications, now you can use them in the cloud.”
What does moving to Office 365 mean?
• Standardization: Single Architecture
• Deployment: Initial deploy is still required to migrate data to Office 365; AD clean up and network upgrade is often required; hybrid phasing is often a prolonged period of discomfort.
• Service Change: Balance between continuous innovation and minimizing change; the customer controls IT policies but not feature availability.
• Privacy and Security Considerations: Understand your internal security and privacy requirements.
Office 365 Feature Parity (Before 2013)
Key: Office365 / Future Features
• Communities: Ask Me About, Blogs, Colleague Suggestions, Colleagues and Memberships, Discussion Forums, Enterprise Wikis, Keyword Suggestions, My Network, My Sites: People Profiles and Personal Sites, Note Board, Organization Browser, Outlook Social Connector, Photos and Presence, Ratings, Recent Activities, Social Bookmarks, Status Updates, Surveys, Tag Clouds, Tag Profiles, Tags, What's New, Wikis
• Composites: Access Services, Browser-Based Customizations, Customization via SharePoint Designer, Forms: Out-of-box workflows and customization via SharePoint Designer 2010, InfoPath Forms Services, Sandboxed Solutions, Workflows
• Content: Document Sets, Legal Holds, Metadata Driven Navigation, Multi-stage Disposition, Office Integration, Office Web Apps, Rich Media Management, Shared Content Types and the Managed Metadata Service, Support for Accessibility Standards, The Content Organizer, Unique Document IDs
• Insights: Excel Services, Visio Services
• Sites: Audience Targeting, Lightweight Public-Facing Site, Cross-Browser Support, Enterprise Management Operations, External Sharing, Fluent UI / Ribbon, Mobile Connectivity, Multi-Lingual Support, Office Client Integration, OOTB Web Parts, Scalability, SharePoint Workspace Integration, Tagging, Video Support, REST, and Silverlight
• Search: Best Bets, Duplicate Results, Metadata-based Refinement, People and Expertise Search, Phonetics & Nickname Expansion, Recently Authored Content, Search a Single Site Collection, Search Across Site Collections, Search Scopes, Site Search, Social Behavior Improves Relevance, Taxonomy and Term Store Integration, View in Browser
• Also on the chart: Data Connection Library, PerformancePoint, Business Intelligence Center, Chart Web Part, Business Connectivity Services (BCS), SharePoint Timer Jobs, FAST, Word Automation Services, Records Center, Web Analytics
Now Available with some caveats…
• No external data search
• No rich client integration
• No profile pages
• No direct connectivity to SQL Azure without a WCF endpoint.
More Stuff Missing? (Before 2013)
• Project Server
• Power Pivot
• Secure Store Service
• Full Trust Solutions
• Not all Sandbox Solutions work? *
* Maurice Prather - http://www.bluedoglimited.com/SharePointThoughts/ViewPost.aspx?ID=331
SharePoint Online Grows Up in the Coming Release
All new features designed for the Cloud:
• Translation Services
• PowerShell
• Cloud app model
• PowerPivot / Power View
• Project Online
• BCS Improvements (Direct to SQL Azure)
• OData
• Workflow 2013
• MDS
• eDiscovery
• SkyDrive Pro
• Records Center
• Site Mailbox
• New UX
• Deep link
• Refiners
• Mobile apps
• Hybrid Search
• Quick Preview
• Quick Edit
• Dev Site
• Guest Links
• … and more.
+ Exchange Online, Lync Online & Office subscription
So What is Still Different in 2013?
Workload: SharePoint Online | SharePoint 2013 (on-premises)
• BI: Excel Services, Power View, PowerPivot | Analytics, PerformancePoint
• Search: People/Expertise, hover card, enterprise search | Deep refinement, enhanced relevancy
• Developer: Cloud app model, Sandbox, CSOM, BCS | Full-trust code, BCS+
• Internet: Public Website, Design Manager, apps/store | Cross-site scripting, content by search
• Admin: Tenant-level, PowerShell, IRM, Recycle Bin | Central Administration
• ECM / Social: eDiscovery, Records Center, Site Mailbox, Mobile, Newsfeed, Follow, #, @ | …
SharePoint Online Feature Availability - http://technet.microsoft.com/en-us/library/jj819267.aspx
Hybrid Co-Existence
Scenario – Works Out of Box?
• SharePoint: Search – Yes (Federated)
• SharePoint: BCS – Yes (WCF Effort Required, No Profiles and BCS Search)
• SharePoint: Other Services (MMS, Workflow etc) – No (Though Guidance Coming)
• Exchange Integration – Limited (eDiscovery, Site Mailboxes, Task Sync – Read Documentation)
• Lync Integration – Yes (Presence etc)
Configuration Overview (High Level)
(Diagram: Reverse Proxy and Certificate Auth – UAG; Identity Provider – ADFS Servers; MSOL Tools and Dirsync – Dirsync and Tools Servers; SharePoint Servers; Office 365; 2013 additions: oAuth Trust, Config Secure Store)
Licensing Matters
Licensing Summary
Name | Price (Per User/Month) | Details
• P – Professional and Small Biz | $6.00 | Exchange, Lync, SharePoint, Office Web Apps
• E1 – Enterprise | $8.00 | Exchange, Lync, SharePoint, Yammer Ent
• E2 – Enterprise | $14.00 | E1 + Office Web Apps
• E3 – Enterprise | $20.00 | E2 + Office Pro Plus, BCS, Excel Services, InfoPath Services, Visio Services, & Access Services
• E4 – Enterprise | $22.00 | E3 + Voice Capabilities (VOIP Stuff)
• K1 – Kiosk Worker | $4.00 | Exchange, SharePoint, Office Web Apps (View Only)
• K2 – Kiosk Worker | $8.00 | Exchange, SharePoint, Office Web Apps
E/K - You can split your users (for cost savings).
P = Limited to less than 50 users.
Choosing Enterprise
Only Enterprise has SSL (Both have it on sign in process.)
Quick Example
100 Users… E3 - $20 per user per month… $24,000.00 per year…
Business Wants…
• SharePoint 2010 Enterprise
• Lync 2010
• Exchange 2010
• Office 2010 Professional
Office 365 E3 Over 3 Years: Year 1 $24,000.00, Year 2 $24,000.00, Year 3 $24,000.00, Total $72,000.00
On Premises: Year 1 $88,708.00, Year 2 $0.00, Year 3 $0.00, Total $88,708.00
On Prem Costs (2010):
• $3,500.00 in Services (Installation/Config)
• $6,000.00 - Two Servers
• $79,208.00 – Licensing
Quick Total: $88,708.00
Office 365: consistent cost? At +4 years = more expensive.
On Premises: big investment? More features/flexibility.
*This is meant as only a simplified example scenario
What About SharePoint Standalone?
Office 365 offers two Standalone plans for SharePoint.
Workload | Standalone Plans | Key Features
• SharePoint Online (Plan 1) | $4.00 | Collaboration with Sites, AV
• SharePoint Online (Plan 2) | $8.00 | Forms, data visualization, Access/Excel/Visio services
100 Users…
SP Online P1 Over 3 Years: Year 1 $4,800.00, Year 2 $4,800.00, Year 3 $4,800.00, Total $14,400.00
SP Standard On Premises: Year 1 $30,849.00, Year 2 $0.00, Year 3 $0.00, Total $30,849.00
On Prem Costs (2010):
• $2,000.00 in Services
• $6,000.00 - Two Servers
• $22,849.00 – Max Licensing
*This is meant as only a simplified example scenario
External Users Subscription Licenses
SharePoint Online Partner Access License: The first 10,000 PAL licenses are free. Beyond this there are negotiated prices/sometimes exceptions are made, etc.
SP Online Over 3 Years: Year 1 $0.00, Year 2 $0.00, Year 3 $0.00, Total $0.00
SP On Premises (2013): Year 1 $0.00, Year 2 $0.00, Year 3 $0.00, Total $0.00
*This is meant as only a simplified example scenario
Understand Additional Costs
Item | In-Market – Enterprise | Coming soon – Small Business (1-50 users) | Coming soon – Midmarket (1-250 users) | Coming soon – Enterprise (1-500,000+ users)
• Base tenancy storage allocation | 10 GB | 10 GB | 10 GB | 10 GB
• Storage per Standard E & P (allocated to tenant pool) | 500 MB/user | 500 MB/user | 500 MB/user | 500 MB/user
• SkyDrive Pro (does not contribute to overall pool) | 500 MB/user | 7 GB | 7 GB | 7 GB
• Storage per Kiosk Worker | 0 | 0 | 0 | 0
• Storage per External User | 0 | 0 | 0 | 0
• Site Collection storage quotas | Up to 100 GB | Up to 100 GB | Up to 100 GB | Up to 100 GB
• Total max storage per tenant | Up to 25 TB | Up to 35 GB | Up to 1.25 TB | Up to 25 TB
• Maximum file upload size | 250 MB | Designing for 2 GB | Designing for 2 GB | Designing for 2 GB
• Site collections (total #)* | 300 | 1 | 20 | 3,000
• Additional storage (per GB per month) | $2.50 (0.20/GB/month*) | $0.20/GB/month | $0.20/GB/month | $0.20/GB/month
*Price lowered in the second service update of Office 365 SharePoint Online.
The Outcome
We barely scratched the surface with SharePoint in the Cloud but have already seen many ‘trade off’ decision points we should be aware of.
What to watch out for…
Without careful planning cloud providers can cause considerable cost due to new challenges such as migration and identity federation.
Concerns In The Cloud
BPOS to Office 365?
http://www.microsoft.com/online/transition-center.aspx
Microsoft is responsible for any changes that happen in its datacenters. Customers will not have to migrate any data; however, customers will be responsible for making sure that their client software is compliant with the system requirements. See Office 365 system requirements download.microsoft.com/download/A/6/4/A6479925-C7D2-4C4C-A21B-48BCCF8887A9/FAQ_EN_101010.docx.
Customers will also be responsible for end-user training and configuring any new features and capabilities that will be delivered by Office 365.
1. Customers will not have to migrate any data.
2. You need to have SharePoint 2010 compatible client software/systems.
3. You have to train users on the new 2010 interface.
Office 365 – 2013 Upgrade
Identity Options in the Cloud
Unique Development Challenges
How do you deploy a site structure to #Office365?
• Limited/No PowerShell
• No Console Apps
• No Content Database Copy
Site Templates and Migration Tools Could Work…
Search Challenges (Before 2013)
No search usage statistics?
Remember! We cannot perform a unified search across online/on premise.
A Few Problems After 2013…
Cost Modeling
Security
Can be an issue, but most of the time is not.
The real issue is lack of standards and accountability…
If it’s a bigger and more respectable hosting provider expect a better level of accountability and security planning/activity.
Security Program
Controls throughout the stack:
• Security Monitoring & Response, Threat & Vulnerability Management
• Access Control & Monitoring, File/Data Integrity
• Account Management, Training & Awareness, Screening
• Secure Development Lifecycle, Access Control & Monitoring, Anti-Malware
• Access Control & Monitoring, Anti-Malware, Patch & Config Mgmt
• Dual-factor Authentication, Intrusion Detection, Vulnerability Scanning
• Edge Routers, Firewalls, Intrusion Detection, Vulnerability Scanning
• Video Surveillance, Biometrics, Access Control
Security Management
“We ended up with around 800 preventive, detective and corrective controls that were physical, administrative and technical. Then we took the defense-in-depth approach and put the controls throughout the stack.” - John Howie, Microsoft
Privacy Program
Disclosure, Choice, Notice
Documented & enforced privacy requirements
• Microsoft Online Services Privacy Statement
• Microsoft Online Services Privacy and Regulatory Divisional Requirements Specific to Software + Services
• Corporate-level Privacy Guidelines for Service Development
Privacy disclosures & transparency
• Microsoft Online Services Privacy Statement
• EU Safe Harbor Certification
What is more reliable?
What is the Offline Story?
Service Level Agreements
Support Is Important
As an example, Microsoft provides 24/7 support. Google also provides 24/7 support.
However, Google Apps has a rule where only system critical events that affect more than 50% of users can use their phone support.
Don’t forget that with all cloud based providers – you are also adding another layer between IT and the business users.
Example Issue: Can you put a stop to a provider’s maintenance schedule so that a business team can finish a critical deliverable without interruption?
Termination/Suspension of Service
Other Issues?
• Since the startup costs are lower, organizations can run the risk of not doing enough planning.
• Migrating content can be extremely difficult depending on what options are provided by the ‘cloud provider’.
On Integration
LAN vs WAN
The Outcome
Offloading some management activities to another provider results in additional planning and consideration.
What to watch out for…
Challenges and concerns are different for every cloud provider.
Evaluating Cloud Providers
Questions To Ask: Security
• How do I know if my cloud is secure?
• Who will have access to my sensitive data?
• Do I have full ownership of my data?
• What type of employee / contractor screening do you do before you hire them?
• How do you detect if an application is being attacked (hacked), and how is that reported to me and my employees?
• How do you control administrator access to the service?
• What firewalls are in place?
• What anti-virus technology is in place?
• Can I get virtual layer 2 networking and a stateful virtual firewall?
Questions To Ask: Storage
• Where will my data be stored?
• Will my data be replicated to any other datacenters around the world (if yes, then which ones)?
• What controls do you have in place to ensure safety for my data while it is stored in your environment?
• Can you tell me where my data physically resides?
• Data Center Location?
• How many live copies of my data are there?
• What happens to my data if I cancel my service?
Questions To Ask: Identity & Access
• Do you offer single sign-on for your services?
• Can I get flexible role-based access control synchronized with my enterprise directory?
• Do all of my users have to rely solely on web based tools?
• Can users work offline?
• Do you offer a way for me to run your application locally, and how quickly can I revert to the local installation?
Questions To Ask: Reliability & Support
• What is your Disaster Recovery and Business Continuity strategy?
• How do you back up data?
• What is the retention period and recovery granularity?
• Is your Cloud Computing service SAS70 compliant?
• What measures do you provide to assist compliance and minimize legal risk?
• Who do I contact for support?
• What types of support do you offer?
• Are there additional support options available to me?
Questions To Ask: Performance
• How fast is the local network?
• What is the storage architecture?
  • Usually storage will be the slowest link.
• How can I ensure global consistency across cloud service providers?
• How many locations do you have and how are they connected?
• How many IOPS can I expect at each I/O performance level?
• How does your memory access score on the STREAM benchmark?
• How does your virtualization system score on the SPECvirt benchmark?
Questions To Ask: Flexibility (Part 1)
• Am I able to load my own VMs?
• Am I able to install software?
• What virtualization technology is being used?
• Are there additional abstraction layers?
• Can I dynamically add memory and CPU to a cloud VM while it’s running?
• How can I ensure CPU and memory are guaranteed?
• What access protocols are available?
  • RDP, VNC, ICA, Console, SSH…
  • Over non standard ports?
Questions To Ask: Flexibility (Part 2)
• What configuration options do I have?
  • Can I add memory?
  • Can I add storage?
• Can I use public IPs?
• What domain name mapping options do I have?
• Can I have multiple environments per user?
• Can I archive environments?
• What supporting tools are there?
  • Active Directory integration
  • User management
Questions To Ask: Flexibility (Part 3)
• Do you offer on-premise, web-based, or mixed environments?
• Will the solution work with what I have in place today?
• What pricing, licensing, and payment options are available to me?
• What are the client requirements?
  • How often do these change? Example: Must I upgrade my browser to take advantage of new features?
Questions To Ask: Costs
• Can I get predictable service costs that still allow me to scale when I need to?
• How can I get the cost benefits of multi-tenancy but still access dedicated infrastructure when I need it?
• How do you define a processor / virtual core / Compute Unit?
• What are your SLAs and how do you compensate when they are not met?
  • During maintenance windows? Planned vs surprises
• What happens when there is over subscription?
• Can I leverage my existing Agreements?
Tools You Can Use
Service Management Index
Carnegie Mellon launched an initiative for standardized risk and benefit comparisons. It’s called the Cloud Service Measurement Initiative Consortium (CSMIC).
Cloud Sleuth Viewers
Global Provider View; Cloud Performance Analyzer
Consensus Assessments Initiative
The Outcome
You now have an arsenal of key questions/tools you can use to evaluate a cloud provider effectively.
What to watch out for…
Trust but verify. Carefully review policies, terms, conditions, and agreements.
Questions? Ideas? Feedback? Contact me:
Twitter: @RHarbridge
Blog: http://www.RHarbridge.com
Email: [email protected]
700+ SharePoint IA Slides at.. PracticalIntranet.com
130+ SharePoint Standards at.. SPStandards.com
80+ Downloadable Presentations.. SlideShare.com/RHarbridge
Thank You Organizers, Sponsors and You for Making this Possible.
Appendix/Resources
Main SharePoint Online marketing site: http://sharepoint.microsoft.com/en-us/SharePoint-Online/Pages/default.aspx
Primary Office 365 marketing site: http://www.office365.com – Trials, 100-200 level customer-facing info; contains info about BPOS suite and SPO; 30-Day trial
SharePoint Online developer resource center (MSDN): http://go.microsoft.com/fwlink/?LinkId=203983
SharePoint Online Administration resource center (TechNet): http://technet.microsoft.com/sharepoint/gg144571.aspx
‘Help and How-to’ for SharePoint Online (Office.com): http://office.microsoft.com/redir/FX102052854.aspx
Microsoft Privacy Guidelines for Developing Software Products and Services: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16048
Cloud Computing Security Considerations paper (by Microsoft): http://go.microsoft.com/?linkid=9708479
Office 365: Addressing Cloud Computing Security Considerations: http://download.microsoft.com/download%2F2%2F2%2F0%2F220AE513-4A01-4D95-9275-11E71215A0C2%2FCloudSecurityConsiderations_MicrosoftOffice365.pdf
Pain Point: http://community.office365.com/en-us/f/148/t/3388.aspx
Sign Up For Office 365 Developer Site (2013): http://msdn.microsoft.com/en-us/library/fp179924%28v=office.15%29.aspx
Office and SharePoint App Development: http://msdn.microsoft.com/en-us/library/jj220038%28v=office.15%29.aspx
Available on TechNet - http://aka.ms/oht1dx: On-premises -> SPO configuration steps, plus additional details for the non-SharePoint steps (Identity provider and SSO, DirSync, MSOL Sign-In Assistant, MSOL Module for Windows PowerShell)
Evolution?
Elasticity is not cloud computing…
Cloud = Hosting (Not New)
Transitioning to the Cloud
Phases: Determine, Plan, Stage, Deliver
Activities: Intranet Site Strategy; Build collaboration strategy; Gather requirements; Cloud seminars; S+S workshops; Assess Active Directory health; Custom solutions; Integration services; Application Lifecycle Management (ALM); In-house support; ‘Partner on-behalf’; Health analyzer dashboard
Primary Goals
• Reduce friction
• Simplify the transition
• Drive down costs
• Decrease time-to-market (TTM)
• Improve satisfaction from all business owners
SharePoint 2013 Features
SharePoint – Intranet - Feature Tiering
Reverse Proxy and Authentication*
• When using hybrid features o365 sends requests from sites in the cloud to your on-prem farm
• You need to establish a reverse proxy for these calls to be channeled through to secure the process
• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
• SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request
Reverse Proxy Requirements
A reverse proxy used for hybrid must support the following requirements:
• 2 network cards - one connected to the Internet and the other to the internal company network
• Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
• Support SSL termination
We currently support two reverse proxy servers:
• Microsoft - Forefront Unified Access Gateway (UAG)
• F5 - Big IP
We plan to add more as they are tested for compatibility
Reverse Proxy Configuration
These are the high level steps for configuring UAG for hybrid:
• Configure the network in UAG using the Getting Started Wizard
• Add an HTTPS trunk
• Install an SSL certificate for the endpoint; it must:
  • Support the names for both the public HTTPS trunk and SharePoint site
  • Use a 2048 bit key length; shorter lengths WILL NOT WORK!
• Add the PFX in the UAG’s local certificate store
• Publish the SharePoint site collection; use the SharePoint Server 2010 Web type
See your Reverse Proxy s/w documentation for full details
Identity Provider
In order to have a single sign-on experience, you need a federated identity provider like ADFS. This requires the following:
• 2 or more load balanced ADFS servers
• An SSL certificate for the ADFS site
• A proxy device, like the ADFS proxy server
For details on planning and implementation options see http://technet.microsoft.com/en-us/library/jj151794
All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)
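An added example, not from the deck, of the UPN readiness check the slide above implies: before federating, find accounts whose UPN suffix is not one of the tenant's verified domains (“.local” and similar) or that have no UPN at all. The domain names, sample accounts and the function name Get-UpnReadinessReport are constructed for illustration; the commented Get-ADUser line shows how to feed it real directory data.

```powershell
# Added example (not from the deck): audit UPN suffixes before ADFS federation / DirSync.
# Assumes the ActiveDirectory module on a domain-joined admin box when run against AD;
# the sample data below is constructed so the report can be exercised offline.
function Get-UpnReadinessReport {
    param(
        # Domains that are added and verified in the Office 365 tenant (placeholders)
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        # Objects exposing SamAccountName and UserPrincipalName (e.g. Get-ADUser output)
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$Users
    )
    begin { $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() } }
    process {
        foreach ($u in $Users) {
            $upn    = $u.UserPrincipalName
            $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[-1].ToLowerInvariant() } else { $null }
            $verdict =
                if (-not $upn)                   { 'NoUpn' }              # cannot be matched to a cloud identity
                elseif ($suffix -in $verified)   { 'Ready' }
                elseif ($suffix -like '*.local') { 'NonRoutableSuffix' }  # the case the slide calls out
                else                             { 'UnverifiedSuffix' }   # routable, but not registered in the tenant
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $upn
                Suffix            = $suffix
                Verdict           = $verdict
            }
        }
    }
}

# Constructed sample accounts (not real users) covering each verdict
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com' },
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@contoso.local' },
    [pscustomobject]@{ SamAccountName = 'svc1';  UserPrincipalName = $null },
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = 'carol@partner.example' }
)
Get-UpnReadinessReport -VerifiedDomains 'contoso.com' -Users $sample | Format-Table -AutoSize

# Against the real directory, only enabled accounts:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
#     Get-UpnReadinessReport -VerifiedDomains 'contoso.com' |
#     Where-Object Verdict -ne 'Ready' | Export-Csv upn-fixups.csv -NoTypeInformation
```

Anything not reported as Ready needs a UPN change (or a new verified domain) before the account can sign in through ADFS.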
MSOL Tools
You will need tools from MS Online (MSOL) in order to complete the next set of tasks:
• Microsoft Online Services Sign-In Assistant
• Microsoft Online Services Module for Windows PowerShell (MSOL PS)
• The Directory Synchronization Tool (dirsync) – NOTE: This cannot be installed on a domain controller
You will need to run these on a SharePoint server to configure trust with ACS
Setting up dirsync and SSO trust is typically done on its own server
SSO with o365
• Install the MSOL PS snap-in to a local server; can be the same server being used for dirsync
• Set up a federation trust between o365 and ADFS using MSOL PS:
  • Use the Connect-MsolService cmdlet to authenticate and connect to o365
  • Use New-MsolFederatedDomain to start the process to establish the trust
  • Update DNS as instructed by the cmdlet
• Or alternatively:
  • Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains section
  • Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
For more info see http://technet.microsoft.com/en-us/library/jj151794
DirSync with o365
• Activate Active Directory Synchronization in your tenant using the o365 Admin web pages
• Install the dirsync tool to a local server and when that’s complete run the dirsync Wizard
• When the wizard is done click Finish to start a sync
• Go to the Office 365 Admin web page and click on the users and groups section to verify that accounts have been imported
• Grant accounts licenses to SharePoint, etc.
• Log out then log in as an Active Directory user using your Identity Provider (i.e. ADFS)
• For more info see http://technet.microsoft.com/en-us/library/hh967642.aspx.
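The SSO and DirSync steps above carried out in MSOL PowerShell, as an added example that is not the deck's own code or Microsoft's documented script. It assumes the MSOnline module is installed and the ADFS server is reachable for Set-MsolADFSContext; contoso.com, adfs01 and the SKU id contoso:ENTERPRISEPACK are placeholders. It federates the domain (or converts a domain already added as Managed), then confirms DirSync has populated the tenant and licenses the synced accounts that have none.

```powershell
# Added example (not from the deck): federate a verified domain, then verify DirSync and license users.
# Placeholders: contoso.com (verified tenant domain), adfs01 (ADFS server), contoso:ENTERPRISEPACK (SKU).
Import-Module MSOnline
Connect-MsolService   # prompts for tenant global administrator credentials

function Enable-FederatedDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$AdfsServer,
        [switch]$ConvertExisting   # domain was added through the Admin web page as Managed
    )
    # The federation cmdlets configure the ADFS farm, so point them at it first
    Set-MsolADFSContext -Computer $AdfsServer

    $existing = Get-MsolDomain -DomainName $DomainName -ErrorAction SilentlyContinue
    if ($existing -and $existing.Authentication -eq 'Federated') {
        Write-Host "$DomainName is already federated; nothing to do"
    } elseif ($ConvertExisting) {
        if (-not $existing -or $existing.Status -ne 'Verified') {
            throw "$DomainName must be added and verified in the tenant before it can be converted"
        }
        Convert-MsolDomainToFederated -DomainName $DomainName
    } else {
        # First run prints the DNS TXT record that proves ownership ("update DNS as instructed");
        # once it has propagated, run the same command again to complete the trust.
        New-MsolFederatedDomain -DomainName $DomainName
    }
    # Expect Status = Verified and Authentication = Federated when the trust is complete
    Get-MsolDomain -DomainName $DomainName | Select-Object Name, Status, Authentication
}

function Complete-DirSyncLicensing {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$AccountSkuId,   # pick from Get-MsolAccountSku
        [Parameter(Mandatory)][string]$UsageLocation   # two-letter country code, required before licensing
    )
    $company = Get-MsolCompanyInformation
    if (-not $company.DirectorySynchronizationEnabled) {
        throw "Directory synchronization is not activated in the tenant"
    }
    Write-Host "Last DirSync run: $($company.LastDirSyncTime)"

    $sku  = Get-MsolAccountSku | Where-Object AccountSkuId -eq $AccountSkuId
    if (-not $sku) { throw "SKU $AccountSkuId not found in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits

    # Synced accounts carry LastDirSyncTime; license only those still unlicensed, within the seats available
    $pending = Get-MsolUser -All -DomainName $DomainName |
        Where-Object { $_.LastDirSyncTime -and -not $_.IsLicensed }
    foreach ($u in $pending | Select-Object -First $free) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
        Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $AccountSkuId
    }
    Get-MsolUser -All -DomainName $DomainName |
        Select-Object UserPrincipalName, IsLicensed, LastDirSyncTime
}

Enable-FederatedDomain -DomainName 'contoso.com' -AdfsServer 'adfs01'
Complete-DirSyncLicensing -DomainName 'contoso.com' -AccountSkuId 'contoso:ENTERPRISEPACK' -UsageLocation 'US'
```

The final sign-in test from the slide (log in as an AD user through ADFS) stays a manual step; the output of Complete-DirSyncLicensing tells you which accounts are ready for it.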
SharePoint Configuration Tasks
These things need to be configured in SharePoint to support hybrid:
• New SharePoint STS Token Signing Certificate
• Configure a trust between SharePoint on-prem and ACS
• Configure Secure Store
• Configure UPA
• Try out Search or BCS!
New SharePoint STS Token Signing Certificate
You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it. You can replace it with:
• A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED
• A new self-signed certificate that you can create in the IIS Manager
• Domain-issued certificates DO NOT WORK
Use Set-SPSecurityTokenServiceConfig with the –ImportSigningCertificate flag to change the token signing certificate
Configure Trust Between SharePoint and ACS
Previously you created a federated trust for users to sign into o365. Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem. Using MSOL PowerShell (on prem):
• Create an AppPrincipal using New-MsolServicePrincipalCredential
• Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
• Complete the trust using New-SPTrustedSecurityTokenIssuer
Complete detailed instructions are available in the documentation described at the end of this session
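The two SharePoint-side tasks above, replacing the STS signing certificate and registering the ACS trust, as an added PowerShell example. It is not code from the deck; it uses the cmdlets the slides name, plus the realm step noted in a comment from the TechNet procedure the deck points to. It assumes the SharePoint snap-in and the MSOnline module are available on the SharePoint server; the PFX path, its password and the tenant are placeholders. The app principal id 00000003-0000-0ff1-ce00-000000000000 is the well-known SharePoint Online principal; the key-size check enforces the 2048-bit requirement stated earlier in the deck.

```powershell
# Added example (not from the deck): swap the STS token signing certificate, then build the ACS trust.
# Placeholders: C:\certs\sts-signing.pfx and its password. Run on a SharePoint server as farm admin.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

function Import-StsSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][System.Security.SecureString]$PfxPassword
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)

    # Guard rails from the deck: a 2048-bit key, a private key to sign with, and not a domain-CA issue
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 2048)      { throw "Key size $keySize is below 2048 bits" }
    if (-not $cert.HasPrivateKey) { throw "PFX has no private key; the STS cannot sign with it" }
    Write-Host "Issuer: $($cert.Issuer) (public CA or self-signed expected; domain-issued certificates do not work)"

    Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
    iisreset | Out-Null   # the STS picks up the new certificate on restart
    return $cert
}

function Register-AcsTrust {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert)
    Connect-MsolService   # tenant global administrator

    $spoAppId = '00000003-0000-0ff1-ce00-000000000000'          # SharePoint Online app principal
    $realm    = (Get-MsolCompanyInformation).ObjectId           # tenant id used as the OAuth realm
    $metadata = "https://accounts.accesscontrol.windows.net/$realm/metadata/json/1"

    # 1. Register the STS certificate's public key on the SPO principal so ACS can verify our tokens
    $certBase64 = [System.Convert]::ToBase64String($SigningCert.GetRawCertData())
    New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $certBase64

    # The TechNet procedure also aligns the farm's authentication realm with the tenant id
    Set-SPAuthenticationRealm -Realm $realm

    # 2. Proxy to ACS in the default proxy group
    New-SPAzureAccessControlServiceApplicationProxy -Name 'ACS' -MetadataServiceEndpointUri $metadata -DefaultProxyGroup

    # 3. Trusted token issuer that brokers trust to ACS
    New-SPTrustedSecurityTokenIssuer -Name 'ACS' -MetadataEndpoint $metadata -IsTrustBroker

    # Verify the issuer exists before moving on to Secure Store / UPA
    Get-SPTrustedSecurityTokenIssuer | Where-Object Name -eq 'ACS'
}

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$stsCert = Import-StsSigningCertificate -PfxPath 'C:\certs\sts-signing.pfx' -PfxPassword $pfxPassword
Register-AcsTrust -SigningCert $stsCert
```

Keep the PFX out of scripts and source control; only the public half leaves the farm (as the Base64 certificate registered with the app principal), which is all ACS needs to verify tokens.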
Configure Secure Store
The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk.
• In o365 create a new Secure Store Service target application
• Save the Target Application ID name because you will use that when configuring a result source
• In the credentials field configure it as a Certificate Password; click the Set button for the Credentials
• Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
Complete detailed instructions are available in the documentation described at the end of this session
Configure UPA
It’s critically important that you:
• Have a UPA up and running
• Have it populated with current data from Active Directory
We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc. With a hybrid solution, anything that you grant rights to needs to be in the profile system.
E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you log in to o365.
More details at http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx
BCS Hybrid Scenario