Life is never all black or all white... So many of you are, or will be, considering a hybrid on-premises/online SharePoint 2013 architecture, whether to segment your users or your usage scenarios. What are the best practices, the precautions to take and the governance to put in place to make your architecture a success?
How to plan and set up a hybrid SharePoint 2013 on-premises and online architecture?
2. SharePoint – Hybrid Architecture
Mark Kashman – Senior Product Manager
@mkashman
Pierre Vivier Merle – Partner – MVP SP
pierre.vivier-merle@vnext.fr
Servers / Enterprise / Networks / IT
4. The Enterprise Challenge
Arguments for the cloud:
• It saves me $$
• I always have the latest and greatest collaboration, email and UC tools
• Allows me to focus on my core business, not IT
• Microsoft can run SP more reliably and efficiently than I can
• I can easily scale up/down according to demand
• I can more easily work with customers, partners outside of my company
Arguments for staying on-premises:
• I have existing investments (customized SP deployments w/lots of data and settings, custom solutions, LOB systems, etc)
• I can’t do everything in the Cloud that I can do on-premise
• I want to protect my sensitive data by keeping it close
• There is an extra cost to migrate
5. Stages of hybrid
• All or nothing: Cloud, or On-Premises
• Split, but non-integrated: Some in Cloud, some On-Premises
• Cross domain Push/Pull: Read, Write
• Shared services: Single source, split farm roles
6. How Hybrid can Help
• Mix technologies and platforms
– Use the latest technologies in the cloud with a continuous upgrade process
– Keep “legacy” technologies on premise with a controlled upgrade process
• Extranet scenario
– No need to “open” your on-premise architecture
– Manage your partners’ accounts in several ways (Live ID, O365 accounts)
• Search
– Users want to easily find content
– Migration can be confusing; don’t force your users to track what’s being moved, and when
– Many customers will never move EVERYTHING to the cloud
• BCS
– Give users everything they need in one place
You don’t HAVE to do both directions – you can “only” consume o365 data on-prem, or only on-prem data in o365
8. Consume / Push data from / To SharePoint Online
• The new version of SharePoint Online is more open in terms of data consumption or CRUD, with several sets of APIs:
– Web services
– JavaScript client object model
– REST/OData endpoints
– PowerShell
12. Office 365 Environment Configuration
• These non-SharePoint items need to be configured to support hybrid:
– Reverse Proxy and certificate authentication*
– Identity Provider (ADFS or Shibboleth for o365)
– MSOL Tools
– SSO with o365
– Dirsync
* Only required if you are consuming on-prem data in o365
15. Search Center On-premises: Data Flow
[Diagram: the On-Prem Search Center sends a Query across the Internet boundary to the CSOM Query EndPoint of the O365 Search Center and receives Results; AD is synced to O365.]
16. Search Center in SPOnline: Data Flow
[Diagram: the O365 Search Center sends a Query across the Internet boundary to an Internet Facing EndPoint behind a Reverse Proxy / F5, which forwards it to the CSOM Query EndPoint of the On-Prem Search Center; Results flow back along the same path; AD is synced to O365.]
21. Is it possible to access data across hosting boundaries and sourced in different Apps in a consistent and secure manner?
YES
• Connectivity
• Security
22. Hybrid Scenarios
BCS (connectivity to on-premises OData service)
• SPO -> On-Premises
– CRUDQ Operations: Create, Read, Update, Query Operations executed from SharePoint Online against on-premises data
• On-Premises -> SharePoint Online
– Receive Notification: Notifications sent from on-premises data store to SharePoint Online
Duet Online (connectivity to on-premises SAP)
• SPO -> On-Premises
– Role Sync: Synchronize roles from SAP to SharePoint Online
– Request a Report: Request a report for delivery from SAP to SharePoint Online
– Complete a Task: Act upon a task received from SAP (e.g. Accept or Reject)
• On-Premises -> SharePoint Online
– Receive Report: SAP sends a report to SharePoint Online (scheduled, or on-demand)
– Receive Task: SAP batch uploads tasks for completion by information workers using SharePoint or Outlook
23. High Level Design for Hybrid BCS
[Diagram, left to right: Office 365 (Company Tenancy: BCS, CSOM, Hybrid Router, App Request / Response, Inbound Auth) – Internet – Company DMZ (Reverse Proxy or Network Proxy Appliance: Identity Mapping, Request Transforms, Response Transforms) – Company Intranet (On-Prem Identity Provider Infrastructure, On-Premises System, SharePoint On-Premise CSOM REST endpoint)]
24. Using BCS from SharePoint Online to pull in an external data source
25. Conclusion
• Cloud is great
• Legacy platforms are the real world
• Hybrid architecture to provide better responses to business needs
• Begin to take advantage of Cloud offerings at your pace
26. Resources
• Documentation and Tools
– Available on TechNet - http://aka.ms/oht1dx
• On-premises -> SPO configuration steps
• Additional details for non-SharePoint steps
– Identity provider and SSO
– DirSync
– MSOL Sign-In Assistant
– MSOL Module for Windows PowerShell
– Coming soon
• SPO -> on-premises configuration steps (late November)
• Plan your deployment (January/February)
– Reverse Proxy docs
• See your provider of choice (MS, F5, etc)
29. Reverse Proxy and Authentication*
• When using hybrid features o365 sends requests from sites in the cloud to your on-prem farm
• You need to establish a reverse proxy for these calls to be channeled through to secure the process
• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
• SharePoint supports using a certificate for
30. Reverse Proxy Requirements
• A reverse proxy used for hybrid must support the following requirements:
– 2 network cards - one connected to the Internet and the other to the internal company network
– Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
– Support SSL termination
• We currently support two reverse proxy servers:
– Microsoft - Forefront Unified Access Gateway (UAG)
– F5 - Big IP
– We plan to add more as they are tested for compatibility
31. Reverse Proxy Configuration
• These are the high level steps for configuring UAG for hybrid:
– Configure the network in UAG using the Getting Started Wizard
– Add an HTTPS trunk
– Install an SSL certificate for the endpoint; it must:
• Support the names for both the public HTTPS trunk and the SharePoint site
• Use a 2048-bit key length; shorter lengths WILL NOT WORK!
– Add the PFX in the UAG’s local certificate store
– Publish the SharePoint site collection; use the SharePoint Server 2010 Web type
• See your Reverse Proxy s/w documentation for full details
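Added example (not from the deck): a pre-flight check, run on the reverse-proxy host, of the HTTPS-trunk certificate against the requirements in slides 31 and 42 (2048-bit key, names for both the public trunk and the SharePoint site, not self-signed or domain-issued). The thumbprint and the two host names are assumed placeholder values.

```powershell
# Added example, not from the deck: checks the trunk certificate before it is used for hybrid.
# $Thumbprint and $RequiredNames are assumed placeholders; replace them with your own values.
param(
    [string]   $Thumbprint    = "<THUMBPRINT-OF-TRUNK-CERT>",
    [string[]] $RequiredNames = @("sharepoint-hybrid.contoso.com", "intranet.contoso.com")
)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
$problems = @()

# 1. Key length: the deck states that keys shorter than 2048 bits will not work.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "Key size is $keySize bits; 2048 is the minimum" }

# 2. Names: the trunk name and the published SharePoint site name must both be covered
#    by the CN or a SAN entry (a wildcard such as *.contoso.com is accepted).
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($name in $RequiredNames) {
    $covered = $dnsNames | Where-Object { $_ -eq $name -or ($_.StartsWith('*.') -and $name -like $_) }
    if (-not $covered) { $problems += "Name '$name' not covered (certificate names: $($dnsNames -join ', '))" }
}

# 3. Issuer: o365 rejects self-signed and domain-issued certificates for the remote service URL.
if ($cert.Subject -eq $cert.Issuer) { $problems += "Certificate is self-signed" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($cert)) {
    # A chain that builds locally may still end at an internal (domain) CA, so show the root for review.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain root: $($root.Subject) (must be a public CA, not the domain CA)"
} else {
    $problems += "Chain does not build to a trusted root: " + (($chain.ChainStatus | ForEach-Object Status) -join ', ')
}

# 4. Expiry, so the hybrid calls do not start failing a few weeks after go-live.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires on $($cert.NotAfter)" }

if ($problems.Count -eq 0) { Write-Host "OK: certificate meets the hybrid reverse-proxy requirements" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```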
32. Identity Provider
• In order to have a single-sign on experience, you need a federated identity provider like ADFS
• This requires the following:
– 2 or more load balanced ADFS servers
– An SSL certificate for the ADFS site
– A proxy device, like the ADFS proxy server
– For details on planning and implementation options see http://technet.microsoft.com/en-us/library/jj151794
• All users must have a UPN of a registered
33. MSOL Tools
• You will need tools from MS Online (MSOL) in order to complete the next set of tasks:
– Microsoft Online Services Sign-In Assistant
– Microsoft Online Services Module for Windows PowerShell (MSOL PS)
– The Directory Synchronization Tool (dirsync)
• NOTE: This cannot be installed on a domain controller
• You will need to run these on a SharePoint server to configure trust with ACS
• Setting up dirsync and SSO trust is typically done on its own server
34. SSO with o365
• Install the MSOL PS snap-in to a local server; can be the same server being used for dirsync
• Set up a federation trust between o365 and ADFS using MSOL PS
– Use the Connect-MsolService cmdlet to authenticate and connect to o365
– Use the New-MsolFederatedDomain to start the process to establish the trust
– Update DNS as instructed by the cmdlet
• Or alternatively:
– Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains section
– Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
• For more info see http://technet.microsoft.com/en-us/library/jj151794
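Added example (not from the deck): once the federation trust from slide 34 is in place, this MSOL PS script confirms which domains are verified and federated, shows the ADFS endpoints o365 will use, and lists the Active Directory users whose UPN suffix is not a verified domain, since those users will not get SSO (slide 32). It assumes the MSOnline and ActiveDirectory modules are installed on the tools server.

```powershell
# Added example, not from the deck: post-federation check of domains and user UPNs.
Import-Module MSOnline
Import-Module ActiveDirectory

Connect-MsolService   # prompts for tenant administrator credentials

$domains   = Get-MsolDomain
$verified  = $domains  | Where-Object { $_.Status -eq "Verified" }
$federated = $verified | Where-Object { $_.Authentication -eq "Federated" }
"Verified domains : " + (($verified  | ForEach-Object Name) -join ", ")
"Federated domains: " + (($federated | ForEach-Object Name) -join ", ")

# For each federated domain, show where o365 sends sign-ins (these must point at ADFS / its proxy).
foreach ($d in $federated) {
    Get-MsolFederationProperty -DomainName $d.Name |
        Select-Object Source, ActiveLogOnUri, PassiveLogOnUri | Format-List
}

# Users with no UPN, or a UPN suffix that is not a verified domain (e.g. contoso.local),
# cannot sign in through the identity provider; list them so the UPNs can be fixed before dirsync.
$suffixes = $verified | ForEach-Object { $_.Name.ToLower() }
$badUpn = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName |
    Where-Object {
        $upn = $_.UserPrincipalName
        (-not $upn) -or ($suffixes -notcontains $upn.Split('@')[-1].ToLower())
    }
if ($badUpn) {
    Write-Warning ("{0} enabled users have no UPN or a non-verified UPN suffix:" -f @($badUpn).Count)
    $badUpn | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "OK: every enabled user has a UPN in a verified domain"
}
```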
35. DirSync with o365
• Grant accounts licenses to SharePoint, etc.
• Log out then login as an Active Directory user using your Identity Provider (i.e. ADFS)
http://technet.microsoft.com/en-us/library/hh967642.aspx
36. SharePoint Configuration Tasks
These things need to be configured in SharePoint to support hybrid:
– New SharePoint STS Token Signing Certificate
– Configure a trust between SharePoint on-prem and ACS
• Configure Secure Store
• Configure UPA
• Try out Search or BCS!
37. New SharePoint STS Token Signing Certificate
• You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it
• You can replace it with:
– A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED
– A new self-signed certificate that you can create in the IIS Manager
– Domain-issued certificates DO NOT WORK
• Use the Set-SPSecurityTokenServiceConfig with the –
38. Configure Trust Between SharePoint and ACS
• Previously you created a federated trust for users to sign into o365
• Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem
• Using MSOL PowerShell (on prem):
– Create an AppPrincipal using New-MsolServicePrincipalCredential
– Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
– Complete the trust using New-SPTrustedSecurityTokenIssuer
• Complete detailed instructions are available in the documentation described at the end of this session
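Added example (not from the deck, and not the TechNet procedure it refers to): the SharePoint-side steps of slides 37 and 38 scripted for the SharePoint Management Shell on a farm server that also has the MSOL module. The certificate paths, the password prompt and the proxy/issuer name "ACS" are assumed; the certificate is the publicly issued one slide 37 recommends. The SharePoint Online app principal ID and the ACS metadata URL pattern are well-known values, not taken from the deck.

```powershell
# Added example, not from the deck: replace the STS signing certificate and build the ACS trust.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

$pfxPath = "C:\certs\sts-signing.pfx"   # assumed path: certificate with private key
$cerPath = "C:\certs\sts-signing.cer"   # assumed path: public part of the same certificate
$pfxPass = Read-Host -AsSecureString "PFX password"

# Slide 37: the default STS signing certificate is not trusted by ACS, so import the new one.
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$pfx.Import($pfxPath, $pfxPass, 'Exportable,MachineKeySet,PersistKeySet')
if ($pfx.PublicKey.Key.KeySize -lt 2048) { throw "Use a certificate with a 2048-bit key" }
if ($pfx.Subject -eq $pfx.Issuer) { Write-Warning "Self-signed certificate; a public CA is recommended" }
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $pfx -Confirm:$false

# Slide 38, step 1: register the public key with ACS against the SharePoint Online app principal,
# so tokens signed by this farm's STS are accepted.
Connect-MsolService
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$credValue = [Convert]::ToBase64String($cer.GetRawCertData())
$spoAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online principal
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppPrincipalId -Type asymmetric -Usage Verify -Value $credValue

# The farm's authentication realm must match the tenant context ID that ACS issues tokens for.
$spoContextId = (Get-MsolCompanyInformation).ObjectId.ToString()
Set-SPAuthenticationRealm -Realm $spoContextId

# Slide 38, steps 2 and 3: the ACS proxy and the trusted token issuer, both from the ACS metadata endpoint.
$acsMetadata = "https://accounts.accesscontrol.windows.net/$spoContextId/metadata/json/1"
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $acsMetadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $acsMetadata -IsTrustBroker -Name "ACS"

# Check: the issuer exists and the STS now signs with the imported certificate.
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, RegisteredIssuerName
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```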
39. Configure Secure Store
• The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk
• In o365 create a new Secure Store Service target application
– Save the Target Application ID name because you will use that when configuring a result source
• In the credentials field configure it as a Certificate Password
• Click the Set button for the Credentials
– Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
• Complete detailed instructions are available in the documentation described at the end of this session
40. Configure UPA
• It’s critically important that you:
– Have a UPA up and running
– Have it populated with current data from Active Directory
• We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.
• With a hybrid solution, anything that you grant rights to needs to be in the profile system
– E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you login to o365
– More details at http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx
41. Try out Search or BCS!
• With all the pieces in place, you can try Hybrid Search:
– Create a result source
– Create a query rule
– See the results
42. Create A Result Source
• Create a new result source and:
– Use Remote SharePoint as the Protocol
– If you are on-prem and getting results from o365:
• Use the Url of your o365 for the Remote Service Url
• Use Default Authentication for credentials
– If you are o365 and getting results from on-prem:
• Use the Url of the UAG HTTPS trunk for the Remote Service Url
– The Url must use SSL
– The SSL cert cannot be domain or self-issued; it must come from a trusted root authority
• Use SSO id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
43. Create A Query Rule
This is where you can do a “live” test to see if everything is working
• Create a new query rule
• Remove the default Condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab and then
– Click the “Show more” link
– Type some query terms in the “{subjectTerms}:” edit box
– Click the “Test query” button
– If you have configured everything correctly – Voila! – you will see search results from the remote farm
44. See the Results
• This query rule fires on every search request – so users get query results from both farms
[Screenshot: results page with a “Results from the Cloud” block and a “Results from On Prem” block]
45. Troubleshooting Tips
• If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue:
– In your on prem farm turn up the ULS logging
• Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
– App Auth
– Application Authentication
– Authentication Authorization
– Claims Authentication
– Change the “least critical” dropdowns to Verbose and save changes
– Monitor the ULS logs each time you execute a query
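Added example (not from the deck): the same diagnostic-logging change as slide 45, done from the SharePoint Management Shell instead of Central Admin, followed by a filtered read of the ULS trace for one test query and a reset so Verbose tracing is not left on. The four category names are the ones the slide lists; the 10-minute window and the export path are assumed.

```powershell
# Added example, not from the deck: raise, collect and reset ULS tracing for the hybrid auth categories.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# "Area:Category" identities, exactly the four categories slide 45 selects under SharePoint Foundation.
$categories = @(
    "SharePoint Foundation:App Auth",
    "SharePoint Foundation:Application Authentication",
    "SharePoint Foundation:Authentication Authorization",
    "SharePoint Foundation:Claims Authentication"
)

# Equivalent of setting the "least critical" trace dropdown to Verbose for those categories.
Set-SPLogLevel -Identity $categories -TraceSeverity Verbose

Write-Host "Run the hybrid search query now, then press Enter to collect the trace..."
[void](Read-Host)

# Read only those categories from the last 10 minutes of the local server's ULS log (assumed window).
$since    = (Get-Date).AddMinutes(-10)
$catNames = $categories | ForEach-Object { $_.Split(':')[1] }
$events   = Get-SPLogEvent -StartTime $since | Where-Object { $catNames -contains $_.Category }

# Failures surface as Unexpected/High/Monitorable; the Correlation value ties the entries of one request together.
$events | Where-Object { $_.Level -in @("Unexpected", "High", "Monitorable") } |
    Select-Object Timestamp, Level, Category, Correlation, Message | Format-List

# Keep the full trace for comparison with the other side of the hybrid pair (assumed path).
$events | Export-Csv -Path "$env:TEMP\hybrid-auth-trace.csv" -NoTypeInformation
Write-Host ("{0} trace entries saved to {1}" -f @($events).Count, "$env:TEMP\hybrid-auth-trace.csv")

# Put the categories back to their defaults so Verbose tracing does not keep filling the ULS logs.
Clear-SPLogLevel -Identity $categories
```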
46. Troubleshooting Tips (cont.)
• Use Fiddler as a reverse proxy on your SharePoint server; this requires
– Installing Fiddler on the SharePoint server
– Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
– Look at the TextView of the Response. Here’s an example of an error that you can see in there:
47. Troubleshooting Tips (cont.)
• Be aware of latency in queries across the cloud and on-premises
– When a query is executed, ALL results must come back before the result is shown to the user
• Latencies can run 1200 to 1500 milliseconds
– Because of this you may want to put some thought into when you want to fire a query at a remote source
• If you duplicate every single query you could introduce significant load on a farm
• Where you want results back ASAP then you wouldn’t want remote queries to fire
• You can also create a dedicated page that only queries the remote source
• In short – you can mix and match with query rules to decide what works best
Editor's Notes
Pierre introduces the session in French, and then hands to Mark for the first section.
Mark to hand back to Pierre.
Pierre to hand back to Mark.
Pierre will first describe what BCS is (in French), and then hand over to Mark.