The term Federation is something I am familiar with, thanks largely to many hours spent watching Star Trek as a kid. The United Federation of Planets in the TV series/movies referred to very different cultures having a common bond, in a political sense. Federation when it comes to cloud services has more than one meaning, and I want to use this blog to explain the term Federation, how it relates to various cloud services and how it improves the overall cloud experience.
We will talk about federation relating to cloud services hosted by Microsoft, specifically Office 365, although Windows Intune and Azure also use the term Federation (I'll save those for a future blog post). There are many other technologies that deliver similar results with other cloud services, but I really want to focus on the term federation when it relates specifically to a Microsoft solution.
In the old days of Windows NT, if you wanted to access information in another Domain you would need to set up a trust; a trust was set up either one way or two way and was generally quite unreliable. It did however address the issue of sharing information between business units or organizations (if you were brave). There needed to be a better, more secure way of sharing information while limiting the access either party had to the other party’s security context.
Along came Active Directory Federation Services, or ADFS. It has been around for some time and uses Microsoft’s version of the Security Assertion Markup Language (SAML) claims-based authentication model. It is now in its second generation, and with version 2.0 comes the ability to federate your Active Directory with Office 365. ADFS 2.0 isn’t just restricted to Office 365 for its federation options; there are a number of cloud providers that support ADFS using SAML, including IBM Tivoli, Novell Access Manager, Sun OpenSSO and CA (SiteMinder and Federation Manager). Microsoft is also a founding member of OpenID, the organisation that is promoting standards in identity management.
ADFS 2.0 allows a customer to federate their identity to the cloud services contained within Office 365, creating what is known as a Single Sign On experience for end users. Single Sign On (SSO) allows users to log in to their PCs (assuming they are connected to an Active Directory service with ADFS installed) and seamlessly connect to any Online Service they are licensed for and have permission to access. SSO is the holy grail of any cloud service and removes one of the biggest barriers to cloud adoption in the enterprise.
ADFS is a prerequisite when you want to configure Exchange or Lync (Lync will allow this in a future release) to run in a hybrid scenario (what used to be called co-existence). For more information on running a hybrid deployment of Exchange 2010 SP2 go here: http://technet.microsoft.com/en-us/library/gg577584.aspx
Due to its complexity and demand on resources (servers and administration), ADFS is only suited to larger organizations; thus ADFS implementations are only possible with the Enterprise offering of Office 365 (E and K plans). ADFS also requires an additional Windows Server 2008 (or R2) and some thought into providing a resilient installation (read: more than one ADFS server!). If the ADFS service fails, users will no longer be able to connect to their cloud services, either from inside their network or externally.
To learn more about ADFS go here: http://technet.microsoft.com/en-us/library/cc736690(v=ws.10).aspx
For a tutorial video on identity and Office 365 go here: http://technet.microsoft.com/en-us/edge/office-365-jump-start-04-microsoft-office-365-identity-and-access-solutions
Virtual Labs on ADFS and Federation here: http://technet.microsoft.com/en-us/office365/hh744605
Given the complex nature of setting up a resilient ADFS service, there needs to be another way to synchronize user accounts from an on-premise Active Directory to the cloud. The previous version of Microsoft Online Services, Business Productivity Online Services (BPOS), attempted to make life easier for administrators by providing a one-way sync from the on-premise Active Directory server to the cloud. This sync, known as DirSync, would create the user IDs in the cloud (overwriting whatever was there to begin with); the one major problem was that it didn’t synchronize the users’ passwords. This option is still available to all users of Office 365 and doesn’t require the complexity associated with ADFS; it will however only synchronize objects (including groups and users) from the on-premise AD to the cloud. The DirSync application has been updated to include an x64 version, which in turn must be installed on a member server (not a domain controller). From the admin portal, under Users, you are able to set up the DirSync function.
To learn more about DirSync go here: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652543.aspx
Application Specific Federation
Now that we have covered the use of Federation when it relates to your user identity, it’s nice to know that the word Federation is also used when describing the sharing of information between applications existing in separate organizations.
Lync Online delivers its Federation experience by putting you in touch with those who are not part of your organization. It has the ability to federate presence, instant messaging and voice/video calls with the following deployments:
- On-premise Office Communications Server 2007 R2
- On-premise Lync Server
- MSN (Live) Messenger
- Other Office 365 customers
Obviously the other organizations will need to have federation setup themselves. For your Office 365 deployment it is as easy as ensuring the SRV record is configured in your DNS settings as described previously here and the federation is enabled in your Office 365 administration portal / Lync Online Control Panel as pictured below.
There is a tool which searches your contacts for those who are available to federate via Lync here: http://gallery.technet.microsoft.com/Who-Can-Federate-Tool-a9e00d23 . There is also a database maintained of the organizations with either OCS 2007 R2 or Lync on-premise / Online who are available for federation here: http://www.lyncdirectory.com/
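A partner can only federate with you if your federation SRV record resolves correctly, so it is worth checking from the outside. The following is an added example, not code from the original post; it assumes Windows 8 / Server 2012 or later (the Resolve-DnsName cmdlet) and that the domain to check is supplied by the caller.

```powershell
# Added example (not from the original post): verify the Lync federation SRV record
# for a domain. Assumes the DnsClient module (Resolve-DnsName) is available.
function Test-LyncFederationSrv {
    param(
        [Parameter(Mandatory = $true)][string]$Domain
    )
    # Lync/OCS partners discover each other through the _sipfederationtls._tcp SRV record.
    $name = "_sipfederationtls._tcp.$Domain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No SRV record found for $name ($($_.Exception.Message))"
        return $null
    }
    foreach ($r in $srv) {
        [pscustomobject]@{
            Domain   = $Domain
            Target   = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Weight   = $r.Weight
            # Federation uses TLS on port 5061; anything else deserves a second look.
            PortOk   = ($r.Port -eq 5061)
        }
    }
}

# Usage (domain is a placeholder):
Test-LyncFederationSrv -Domain 'example.com' | Format-Table -AutoSize
```

Run it against your own domain after publishing the record, and against a partner's domain before opening a support case about a federation that "doesn't work".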
Federation relating to Microsoft Exchange is a one-to-one relationship between two federated Exchange organizations that allows recipients to share free/busy (calendar availability) information. It is also known by the term “federated delegation”. Both sides of the Federation need to be configured; for an on-premise Exchange 2010 deployment a connection must be made to the Microsoft Federation Gateway. The Microsoft Federation Gateway provides applications with a free, simple, standards-based method of establishing trust between separate organizations that uses SSL certificates to prove domain ownership. Because the organizations federate with the gateway instead of with each other, it is much easier for an organization to establish trust relationships with multiple partners than is possible when it uses conventional one-on-one federation or other trust relationships. The scope of the federation can be easily controlled by creating allow or deny lists of users and domains for licensing and by specifying the domains that can receive publishing licenses. This guarantees that only appropriate organizations are given access to protected information. More information for a local deployment of Exchange 2010 can be found here: http://technet.microsoft.com/en-us/library/dd335047.aspx or here: http://technet.microsoft.com/en-us/library/dd638083.aspx
With Office 365 the hard work is done for you. All of the detail described above is baked right in and it is up to the users to delegate the access to their own calendars individually. This is turned off by default and can be enabled to the following degree:
- No free/busy access
- Free/busy access with time only
- Free/busy access with time, plus subject and location
This access can be granted via the Outlook application and can be granted to users outside the organization if they are using a Federated Exchange Server or another Office 365 tenant. There is a tool that will tell you which of your contacts is able to view your calendar, available to download here: http://gallery.technet.microsoft.com/Exchange-Federation-fdf8a324
Although not strictly Federation at the application level, SharePoint Online utilizes Federation between the Office 365 tenant and Windows Live IDs. Within any deployment of Office 365 and SharePoint Online you are able to invite external users to view or edit your documents by simply sharing the site/library using their email address. If the recipient hasn’t done so already, they will be prompted to create a Live ID when they attempt to access your site using their email address. This external access is included in SharePoint Online within Office 365 and doesn’t consume any licenses. Keep in mind, as I mentioned previously, that the P plan of SharePoint Online does NOT deliver the content over a secure channel (SSL), so you should ensure you choose the right plan for your intention.
Federation is a term that will be used hand in hand with any cloud conversation in the future. As with any technology it pays to understand it ahead of time and ensure your customers/users are using it in an appropriate manner.
I may have a better appreciation of the things I can do within my Office 365 environment due to my past life as an IT administrator, but I thought it would be good to point a few of those features out and describe why they may mean something to the average business user. The application that is most attractive out of the Office 365 suite has to be Exchange Online. This hosted email service is available as a base component of all of the suites on offer and is probably the “first cab off the rank” when a customer looks to a cloud offering.
Exchange Online launched in New Zealand back in April 2009 and formed part of what was then known as BPOS, or Business Productivity Online Suite. This product was based on a multi-tenanted version of Exchange 2007. In the middle of last year Office 365 launched, and with it came a better Exchange Online experience, offering some of the great features you would get with an on-premise installation of Exchange 2010. As with any hosted offering, the products get better over time, and since the release of Office 365 certain features have been added to the suite. These features make it easier for non-technical employees to administer the functionality of what would normally be complex back-end systems, all via a web portal.
Mobile device management
One of the biggest advances in email technology over the past few years has been the introduction of mobile access. Microsoft set the standard in my opinion with ActiveSync, blowing away the previous market leader RIM (aka Blackberry). With the RIM offering you needed middleware to connect and manage the mobile handsets; furthermore, they needed to be Blackberry handsets. ActiveSync, on the other hand, is now licensed by Microsoft to many handset providers, including Apple’s iPhone and iPad, Google Android devices and obviously Windows Phone 7 devices. ActiveSync allows the management of devices from the Outlook Web App experience (remote wipe, etc.) as well as push notification and calendar/contact sync. As an administrator you are also able to restrict access to mailboxes by mobile devices.
While Office 365 supports Blackberry devices, the “native” support is for ActiveSync devices as shown above. There has also been an announcement recently to introduce the ability to connect mobile devices via ActiveSync to the Kiosk Worker plan at $3.06 per user per month for a 1 GB mailbox. The Kiosk Worker plan is great for a mobile worker who is rarely in the office and doesn’t use a desktop PC on a regular basis; it won’t let you connect Outlook to the mailbox, but the Outlook Web App is more than enough for occasional users. For more information on Exchange Online plans visit www.office365.com
Legal Hold and Archive
Legal hold is something that I believe should be part of any email solution. In the press you often hear how emails can get people, and more importantly businesses, into and sometimes out of trouble. The legal hold functionality of Exchange Online is provided by the premium product, in either the Exchange Online Plan 2 stand-alone product or the E3 and E4 suites. Do not confuse legal hold with the personal archive capability.
Personal Archive – Provides the ability for users to manage the retention of mail in their mailboxes. Personal archive is available to all suites and product versions of Exchange Online with the exception of the Kiosk plans (Kiosk plans are able to add the archive product separately). For Plan 1 of Exchange Online the archive and mailbox capacity is a combined total of 25 GB; Plan 2 is unlimited.
Legal Hold – Provides legal hold capabilities to preserve users’ deleted and edited mailbox items (including email messages, appointments, and tasks) from both their primary mailboxes and personal archives. Administrators can use the Exchange Control Panel or Remote PowerShell to set legal holds on individual mailboxes or across an organization. The administrator can then choose whether or not to notify the user of the legal hold.
Deleted Item Retention – Provides the end user with the ability to recover a deleted item from any folder for up to 14 days. This timeframe can be changed using remote PowerShell commands or via a service request.
Multi-mailbox search is available in Exchange Online. This comes in useful when an investigation is undertaken by Human Resources or a legal investigation takes place. This is a very powerful feature and can be accessed via a web portal (under the Exchange Management Portal from your Admin Site) or via remote PowerShell cmdlets. The e-discovery PowerShell scripts can also be used to find and remove email items from multiple mailboxes that match certain criteria. For more information see: http://www.microsoft.com/exchange/en-us/email-archiving-and-retention.aspx
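The legal hold, deleted item retention and multi-mailbox search steps above can all be driven from remote PowerShell. The following is an added example, not code from the original post; it assumes an Office 365 administrator credential, and the mailbox addresses, case name and search terms are placeholders.

```powershell
# Added example (not from the original post): connect to Exchange Online with remote
# PowerShell, place a mailbox on legal hold, lengthen deleted item retention and run an
# estimate-only multi-mailbox search. All names and search terms are placeholders.
$cred = Get-Credential   # an Office 365 administrator account
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

# 1. Legal hold on one mailbox: deleted and edited items (primary and archive) are preserved.
#    The comment and URL are what the user sees if you choose to notify them of the hold.
Set-Mailbox -Identity 'jane.doe@example.com' -LitigationHoldEnabled $true `
    -RetentionComment 'Placed on hold by HR, case PLACEHOLDER' `
    -RetentionUrl 'https://intranet.example.com/hold-policy'

# 2. Keep recoverable deleted items for 30 days instead of the default 14.
Set-Mailbox -Identity 'jane.doe@example.com' -RetainDeletedItemsFor 30

# 3. Report every mailbox currently on hold so the scope of holds can be reviewed.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldDate, RetainDeletedItemsFor

# 4. Estimate-only multi-mailbox search: counts matching items without copying anything,
#    which is the safe first pass before a real discovery search.
New-MailboxSearch -Name 'HR-Case-PLACEHOLDER' `
    -SourceMailboxes 'jane.doe@example.com', 'john.roe@example.com' `
    -SearchQuery 'project falcon' `
    -EstimateOnly
Start-MailboxSearch -Identity 'HR-Case-PLACEHOLDER'
Get-MailboxSearch -Identity 'HR-Case-PLACEHOLDER' |
    Select-Object Name, Status, ResultNumber

Remove-PSSession $session
```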
Exchange Online is protected by the Microsoft Forefront service for anti-spam and malware. This product can be tuned via the Exchange Management portal, which is accessible to administrators through the Admin Portal. Most businesses I have dealt with have paid an additional cost to filter unwanted email from their inboxes using a product hosted by a third party (ISP or other hosted provider) or, in some instances, another product sitting on a separate server. This feature comes with all product versions of Exchange Online and in my experience hasn’t failed me yet. The administrator is able to configure the Forefront product to alert users by email if any spam has been filtered, or indeed to turn the feature off altogether and let the spam be dealt with by the Junk Mail folder within Outlook.
Role Based Access
Exchange Online uses a Role-Based Access Control (RBAC) model that allows organizations to finely control what users and administrators can do in the service. Using RBAC, administrators can delegate tasks to employees in the IT department as well as to non-IT employees. For example, if a compliance officer is responsible for mailbox search requests, the administrator can delegate this administrative feature to the officer. It is important to note that many of the features described above need to be restricted to certain people within your organization.
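The compliance officer delegation described above, as an added example that is not part of the original post. It assumes an Exchange Online remote PowerShell session is already imported; the role group name and officer address are placeholders.

```powershell
# Added example (not from the original post): give a compliance officer only the mailbox
# search and legal hold permissions, then verify who holds them. Assumes an Exchange Online
# remote PowerShell session is already imported. Names are placeholders.
$officer = 'compliance.officer@example.com'

# A custom role group bundles exactly the built-in roles the task needs and nothing more;
# the officer gets no rights to create, modify or delete mailboxes.
New-RoleGroup -Name 'Compliance Officers' `
    -Roles 'Mailbox Search', 'Legal Hold' `
    -Members $officer `
    -Description 'Can run discovery searches and set litigation holds only.'

# Verify: every role the officer now holds, directly or through a role group.
Get-ManagementRoleAssignment -RoleAssignee $officer |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType

# Periodic review: who in the tenant is able to search other people's mailboxes?
Get-ManagementRoleAssignment -Role 'Mailbox Search' -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName -Unique

# Alternative for a one-off: add the officer to the built-in Discovery Management group.
# Add-RoleGroupMember -Identity 'Discovery Management' -Member $officer
```

The second query is the one to keep in a runbook: a search permission that has quietly spread beyond the compliance team is the kind of thing an auditor will ask about.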
These are but a few enterprise features delivered by Exchange Online that expand the value email has to a business. Anywhere access, reliability and security are components of what a robust email solution needs to provide. The pricing for Office 365 Exchange Online products is below (New Zealand $).
- Kiosk (deskless) Users – 1 GB mailbox for mobile device access using ActiveSync and Outlook Web App – NZD $3.06 per user per month.
- Exchange Online Plan 1 – 25 GB mailbox for users connecting via Outlook and mobile devices, includes personal archive – NZD $6.11 per user per month.
- Exchange Online Plan 2 – Unlimited mailbox for users connecting via Outlook and mobile devices, includes personal archive and legal hold ability – NZD $12.25 per user per month.