How to plan and set up a hybrid SharePoint 2013 on-premises and online architecture?
Transcript of: How to plan and set up a hybrid SharePoint 2013 on-premises and online architecture?
Give us your feedback! From your smartphone, at: http://notes.mstechdays.fr
Many prizes to win every hour!!!
Microsoft keyboards, mice and games…
Please help us improve the TechDays
http://notes.mstechdays.fr
SharePoint – Hybrid Architecture
Mark Kashman – Senior Product Manager @mkashman
Pierre Vivier Merle – Partner – MVP [email protected]
Servers / Enterprise / Networks / IT
Agenda
• Why Hybrid?
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• Business Connectivity Services (BCS)
The Enterprise Challenge
Office 365 is attractive…
• It saves me $$
• I always have the latest and greatest collaboration, email and UC tools
• Allows me to focus on my core business, not IT
• Microsoft can run SP more reliably and efficiently than I can
• I can easily scale up/down according to demand
• I can more easily work with customers and partners outside of my company
…But my business is run on-premises…
• I have existing investments (customized SP deployments with lots of data and settings, custom solutions, LOB systems, etc.)
• I can’t do everything in the Cloud that I can do on-premises
• I want to protect my sensitive data by keeping it close
• There is an extra cost to migrate
Stages of hybrid
• All or nothing
  – Cloud
  – On-Premises
• Split, but un-integrated
  – Some in Cloud
  – Some On-Premises
• Cross domain Push/Pull
  – Read
  – Write
• Shared services
  – Single source
  – Split farm roles
How Hybrid can Help
• Mix technologies and platforms
  – Use the latest technologies in the cloud, with a continuous upgrade process
  – Keep “legacy” technologies on-premises, with a controlled upgrade process
• Extranet scenario
  – No need to “open” your on-premises architecture
  – Manage your partners’ accounts in several ways (Live ID, o365 accounts)
• Search
  – Users want to easily find content
  – Migration can be confusing; don’t force your users to track what’s being moved, and when
  – Many customers will never move EVERYTHING to the cloud
• BCS
  – Give users everything they need in one place
You don’t HAVE to do both directions – you can “only” consume o365 data on-prem, or only on-prem data in o365
Consume / Push data from / To SharePoint Online
SharePoint sets of APIs
• The new version of SharePoint Online is more open in terms of data consumption or CRUD
  – Web services
  – JavaScript client object model
  – REST/OData endpoints
  – PowerShell
Provider Hosted Integration
[Diagram: deploy your app On Premise or on Azure Web Sites and register it in the SharePoint App Catalog; the app retrieves/modifies SharePoint Online data (Documents, Search, Workflow, Feeds, User Profile and more…) using OData/REST calls, and SharePoint Online notifies the app using event receivers]
Demo: SharePoint Online Extranets and on-premises site directory
Environment Configuration
[Diagram: the hybrid environment – Reverse Proxy and Certificate Auth (UAG), Identity Provider (ADFS Servers), SharePoint Servers, Office 365, and the Dirsync and Tools Servers (MSOL Tools, Dirsync)]
• These non-SharePoint items need to be configured to support hybrid:
  – Reverse Proxy and certificate authentication*
  – Identity Provider (ADFS or Shibboleth for o365)
  – MSOL Tools
  – SSO with o365
  – Dirsync
* Only required if you are consuming on-prem data in o365
Hybrid Search – Demo Environment
[Diagram: On-premises holds SharePoint content and other indexed content; O365 holds SharePoint content]
Search Center On-premises: Data Flow
[Diagram: the On-Prem Search Center sends the query across the Internet Boundary to the CSOM Query EndPoint of the O365 Search Center; AD Sync links the two environments; Query Results return to the on-prem Search Center]
Search Center in SPOnline: Data Flow
[Diagram: the O365 Search Center sends the query across the Internet Boundary to the Internet Facing EndPoint of the Reverse Proxy / F5, which forwards it to the on-prem CSOM Query EndPoint; AD Sync links the two environments; Query Results return to the O365 Search Center]
Design Considerations
• Crawl vs Query
• UI Presentation
• Relevance/Clicks
• Backward Compatibility
Business Connectivity Services
BCS, what is it?
• BCS is a way to integrate external data into SharePoint
• BCS provides developers with APIs for connecting to external data
  – Developers leverage BCS APIs for data connectivity
• BCS provides admins with tools to manage connections, security, and troubleshooting
  – Admins manage BCS connections and use telemetry for troubleshooting
Hybrid Scenarios
Is it possible to access data across hosting boundaries and sourced in different Apps in a consistent and secure manner?
YES
But you need to take care of issues around:
• Connectivity
• Security
Services / Scenarios / Descriptions
BCS (connectivity to on-premises OData service)
  SPO -> On-Premises
    CRUDQ Operations: Create, Read, Update, Query operations executed from SharePoint Online against on-premises data
  On-Premises -> SharePoint
    Receive Notification: Notifications sent from the on-premises data store to SharePoint Online
Duet Online (connectivity to on-premises SAP)
  SPO -> On-Premises
    Role Sync: Synchronize roles from SAP to SharePoint Online
    Request a Report: Request a report for delivery from SAP to SharePoint Online
    Complete a Task: Act upon a task received from SAP (e.g. Accept or Reject)
  On-Premises -> SharePoint
    Receive Report: SAP sends a report to SharePoint Online (scheduled, or on-demand)
    Receive Task: SAP batch uploads tasks for completion by information workers using SharePoint or Outlook
High Level Design for Hybrid BCS
[Diagram: in the Company Tenancy (Office 365) the BCS App sends a Request over the Internet to the Company DMZ, where a Reverse Proxy or Network Appliance acts as the Hybrid Router Proxy (Inbound Auth, Identity Mapping, Request Transforms, Response Transforms); inside the Company Intranet the request reaches the Hybrid Router CSOM REST endpoint of SharePoint On-Premise (CSOM Infrastructure), backed by the On-Prem Identity Provider and the On-Premises System; the Response travels back along the same path]
Demo: Using BCS from SharePoint Online to pull in an external data source
Conclusion
• Cloud is great
• Legacy platforms are the real world
• Hybrid architecture to provide better responses to business needs
• Begin to take advantage of Cloud offerings at your pace
Resources
• Documentation and Tools
  – Available on TechNet - http://aka.ms/oht1dx
  – On-premises -> SPO configuration steps
  – Additional details for non-SharePoint steps
    • Identity provider and SSO
    • DirSync
    • MSOL Sign-In Assistant
    • MSOL Module for Windows PowerShell
  – Coming soon
    • SPO -> on-premises configuration steps (late November)
    • Plan your deployment (January/February)
  – Reverse Proxy docs
    • See your provider of choice (MS, F5, etc.)
Come and join us at Conf’SharePoint!
3 days
22, 23 and 24 May 2013
1000 visitors
1 + 15 partners
Microsoft, 3 Platinum, 5 Gold, 7 Silver
4 themes
Usage & Customer Feedback, Infrastructure, Development, Governance & Strategy
1 topic
SharePoint and its ecosystem
www.confsharepoint.com
Appendix
Reverse Proxy and Authentication*
• When using hybrid features o365 sends requests from sites in the cloud to your on-prem farm
• You need to establish a reverse proxy for these calls to be channeled through, to secure the process
• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
• SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request
Reverse Proxy Requirements
• A reverse proxy used for hybrid must support the following requirements:
  – 2 network cards - one connected to the Internet and the other to the internal company network
  – Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
  – Support SSL termination
• We currently support two reverse proxy servers:
  – Microsoft - Forefront Unified Access Gateway (UAG)
  – F5 - Big IP
  – We plan to add more as they are tested for compatibility
Reverse Proxy Configuration
• These are the high level steps for configuring UAG for hybrid:
  – Configure the network in UAG using the Getting Started Wizard
  – Add an HTTPS trunk
  – Install an SSL certificate for the endpoint; it must:
    • Support the names for both the public HTTPS trunk and the SharePoint site
    • Use a 2048-bit key; shorter lengths WILL NOT WORK!
  – Add the PFX in the UAG’s local certificate store
  – Publish the SharePoint site collection; use the SharePoint Server 2010 Web type
• See your Reverse Proxy s/w documentation for full details
Identity Provider
• In order to have a single sign-on experience, you need a federated identity provider like ADFS
• This requires the following:
  – 2 or more load balanced ADFS servers
  – An SSL certificate for the ADFS site
  – A proxy device, like the ADFS proxy server
  – For details on planning and implementation options see http://technet.microsoft.com/en-us/library/jj151794
• All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)
MSOL Tools
• You will need tools from MS Online (MSOL) in order to complete the next set of tasks:
  – Microsoft Online Services Sign-In Assistant
  – Microsoft Online Services Module for Windows PowerShell (MSOL PS)
  – The Directory Synchronization Tool (dirsync)
    • NOTE: This cannot be installed on a domain controller
• You will need to run these on a SharePoint server to configure trust with ACS
• Setting up dirsync and SSO trust is typically done on its own server
SSO with o365
• Install the MSOL PS snap-in to a local server; can be the same server being used for dirsync
• Set up a federation trust between o365 and ADFS using MSOL PS
  – Use the Connect-MsolService cmdlet to authenticate and connect to o365
  – Use New-MsolFederatedDomain to start the process to establish the trust
  – Update DNS as instructed by the cmdlet
• Or alternatively:
  – Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains section
  – Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
• For more info see http://technet.microsoft.com/en-us/library/jj151794
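The "alternatively" path above, carried through in MSOL PowerShell with a verification step at the end, as an added example (not a script from the session or from Microsoft's documentation). It assumes the MSOnline module is installed, that "contoso.com" is a placeholder for a domain already verified in the tenant, and that "adfs01.corp.contoso.com" is a placeholder for the primary ADFS server.

```powershell
# Added example: federate an already-verified domain with ADFS and verify the result.
# Run on the MSOL tools server (not on ADFS itself), as a tenant global administrator.
Import-Module MSOnline

$domain     = "contoso.com"               # placeholder: verified, currently "Managed"
$adfsServer = "adfs01.corp.contoso.com"   # placeholder: primary ADFS server

# Authenticate to the tenant (prompts for global admin credentials)
Connect-MsolService

# Point the federation cmdlets at the ADFS server, since this is not the ADFS box
Set-MsolADFSContext -Computer $adfsServer

$before = Get-MsolDomain -DomainName $domain
if ($before.Status -ne "Verified") {
    throw "Domain $domain is not verified yet; complete the DNS verification first."
}

if ($before.Authentication -eq "Managed") {
    # Existing verified domain: convert it in place.
    # A brand-new domain would use New-MsolFederatedDomain -DomainName $domain instead:
    # update DNS as instructed, then run the cmdlet again to complete the trust.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: the domain must now be Federated and point at the expected ADFS endpoints
$after = Get-MsolDomain -DomainName $domain
if ($after.Authentication -ne "Federated") {
    throw "Conversion did not take effect for $domain"
}
$fed = Get-MsolDomainFederationSettings -DomainName $domain

# Decode the token-signing certificate the tenant will trust, so its thumbprint can be
# compared with the Token-Signing certificate currently configured on ADFS
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$certBytes)

[pscustomobject]@{
    Domain         = $domain
    IssuerUri      = $fed.IssuerUri         # must equal the ADFS federation service identifier
    PassiveLogOn   = $fed.PassiveLogOnUri   # browsers are redirected here at sign-in
    SigningSubject = $signingCert.Subject
    SigningThumb   = $signingCert.Thumbprint
    SigningExpires = $signingCert.NotAfter  # rollover before this date or sign-in breaks
}
```

If the thumbprint does not match the ADFS token-signing certificate, re-run Update-MsolFederatedDomain after the ADFS certificate is fixed rather than leaving the tenant trusting a stale key.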
DirSync with o365
• Activate Active Directory Synchronization in your tenant using the o365 Admin web pages
• Install the dirsync tool to a local server and when that’s complete run the dirsync Wizard
• When the wizard is done click Finish to start a sync
• Go to the Office 365 Admin web page and click on the users and groups section to verify that accounts have been imported
• Grant accounts licenses to SharePoint, etc.
• Log out then log in as an Active Directory user using your Identity Provider (i.e. ADFS)
• For more info see http://technet.microsoft.com/en-us/library/hh967642.aspx
SharePoint Configuration Tasks
These things need to be configured in SharePoint to support hybrid:
• New SharePoint STS Token Signing Certificate
• Configure a trust between SharePoint on-prem and ACS
• Configure Secure Store
• Configure UPA
• Try out Search or BCS!
New SharePoint STS Token Signing Certificate
• You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it
• You can replace it with:
  – A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED
  – A new self-signed certificate that you can create in the IIS Manager
  – Domain-issued certificates DO NOT WORK
• Use Set-SPSecurityTokenServiceConfig with the –ImportSigningCertificate flag to change the token signing certificate
Configure Trust Between SharePoint and ACS
• Previously you created a federated trust for users to sign into o365
• Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem
• Using MSOL PowerShell (on prem):
  – Create an AppPrincipal using New-MsolServicePrincipalCredential
  – Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
  – Complete the trust using New-SPTrustedSecurityTokenIssuer
• Complete detailed instructions are available in the documentation described at the end of this session
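The two preceding slides (replacing the STS token-signing certificate, then building the OAuth trust to ACS) as one script, added here as an example and not taken from the session or from the TechNet documentation it points to. It assumes the SharePoint Management Shell on an on-prem server, the MSOnline module installed there, and a placeholder PFX path C:\certs\sts-signing.pfx holding a CA-issued (not domain-issued) certificate.

```powershell
# Added example: new STS signing certificate + ACS trust, with a verification at the end.
Import-Module MSOnline

$pfxPath = "C:\certs\sts-signing.pfx"           # placeholder path to the new signing cert
$pfxPass = Read-Host -AsSecureString "PFX password"
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable,PersistKeySet"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass, $flags)

# 1. Replace the STS token-signing certificate; ACS will not trust the farm's default one.
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert -Confirm:$false
Restart-Service SPTimerV4
iisreset

# 2. Register only the PUBLIC key with the SharePoint Online app principal in the tenant.
#    00000003-0000-0ff1-ce00-000000000000 is the well-known SharePoint Online app principal id.
Connect-MsolService
$spoAppPrincipalId = "00000003-0000-0ff1-ce00-000000000000"
$publicKey = [Convert]::ToBase64String($cert.GetRawCertData())   # DER of the cert, no private key
New-MsolServicePrincipalCredential -AppPrincipalId $spoAppPrincipalId `
    -Type asymmetric -Usage Verify -Value $publicKey

# 3. The tenant context id drives the ACS metadata endpoint used by both the proxy and the issuer.
$contextId = (Get-MsolCompanyInformation).ObjectId
$metadata  = "https://accounts.accesscontrol.windows.net/$contextId/metadata/json/1"

New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" `
    -MetadataServiceEndpointUri $metadata -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -Name "ACS" -MetadataEndPoint $metadata -IsTrustBroker

# The farm's authentication realm must be the tenant id, or ACS-issued tokens will not be accepted.
Set-SPAuthenticationRealm -Realm $contextId

# Verify: the certificate the STS now signs with, and the trusted issuer just created
$sts = Get-SPSecurityTokenServiceConfig
$sts.LocalLoginProvider.SigningCertificate | Select-Object Subject, Thumbprint, NotAfter
Get-SPTrustedSecurityTokenIssuer | Select-Object Name, IsTrustBroker, MetadataEndPoint
```

Keep the PFX and its password out of the script and off the SharePoint server once the import is done; only the base64 public part is meant to leave the farm.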
Configure Secure Store
• The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk
• In o365 create a new Secure Store Service target application
  – Save the Target Application ID name because you will use that when configuring a result source
• In the credentials field configure it as a Certificate Password
• Click the Set button for the Credentials
  – Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
• Complete detailed instructions are available in the documentation described at the end of this session
Configure UPA
• It’s critically important that you:
  – Have a UPA up and running
  – Have it populated with current data from Active Directory
• We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.
• With a hybrid solution, anything that you grant rights to needs to be in the profile system
  – E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you log in to o365
  – More details at http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx
Try out Search or BCS!
• With all the pieces in place, you can try Hybrid Search:
  – Create a result source
  – Create a query rule
  – See the results
Create A Result Source
• Create a new result source and:
  – Use Remote SharePoint as the Protocol
  – If you are on-prem and getting results from o365:
    • Use the Url of your o365 for the Remote Service Url
    • Use Default Authentication for credentials
  – If you are in o365 and getting results from on-prem:
    • Use the Url of the UAG HTTPS trunk for the Remote Service Url
      – The Url must use SSL
      – The SSL cert cannot be domain or self-issued; it must come from a trusted root authority
    • Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate
Create A Query Rule
This is where you can do a “live” test to see if everything is working
• Create a new query rule
• Remove the default Condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab and then
  – Click the “Show more” link
  – Type some query terms in the “{subjectTerms}:” edit box
  – Click the “Test query” button
  – If you have configured everything correctly – Voila! – you will see search results from the remote farm
See the Results
• This query rule fires on every search request – so users get query results from both farms
[Screenshot: Results from the Cloud and Results from On Prem shown side by side]
Troubleshooting Tips
• If you aren’t getting data back between the two environments here are some things that you can do to narrow down the issue:
  – In your on prem farm turn up the ULS logging
    • Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
      – App Auth
      – Application Authentication
      – Authentication Authorization
      – Claims Authentication
    • Change the “least critical” dropdowns to Verbose and save changes
    • Monitor the ULS logs each time you execute a query
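The same ULS capture done from the SharePoint Management Shell instead of Central Admin, added here as an example (not from the session): it raises exactly the four categories named above to Verbose, captures one test query, then puts the levels back. It assumes "https://intranet.contoso.local/search" is a placeholder search page on which the hybrid query rule fires.

```powershell
# Added example: scoped verbose ULS capture for one hybrid query, then restore defaults.
$categories = @(
    "SharePoint Foundation:App Auth",
    "SharePoint Foundation:Application Authentication",
    "SharePoint Foundation:Authentication Authorization",
    "SharePoint Foundation:Claims Authentication"
)

# Raise the trace level only for those categories and start a fresh log file,
# so the capture window is easy to find and the rest of the farm stays at default verbosity
Set-SPLogLevel -TraceSeverity Verbose -Identity $categories
New-SPLogFile
$start = Get-Date

# Reproduce the problem: one search request through the page carrying the hybrid query rule
Invoke-WebRequest -Uri "https://intranet.contoso.local/search?k=test" -UseDefaultCredentials | Out-Null

# Collect this server's entries since $start for the four categories only
$wanted = $categories -replace '^SharePoint Foundation:', ''
$events = Get-SPLogEvent -StartTime $start | Where-Object { $wanted -contains $_.Category }

# Errors first: these usually name the failing step (token request, realm mismatch, cert trust)
$events | Where-Object { $_.Level -in "Unexpected", "Critical", "High" } |
    Select-Object Timestamp, Category, Level, Correlation, Message | Format-List

# Then group by correlation id so one failing request can be followed end to end
$events | Group-Object Correlation | Sort-Object Count -Descending |
    Select-Object -First 5 Count, Name

# Restore default trace levels: verbose auth logging fills the ULS logs quickly and records
# token and claim details that should not stay on disk longer than the investigation
Clear-SPLogLevel -Identity $categories
```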
Troubleshooting Tips (cont.)
• Use Fiddler as a reverse proxy on your SharePoint server; this requires
  – Installing Fiddler on the SharePoint server
  – Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
  – Look at the TextView of the Response. Here’s an example of an error that you can see in there:
Troubleshooting Tips (cont.)
• Be aware of latency in queries across the cloud and on-premises
  – When a query is executed, ALL results must come back before the result is shown to the user
    • Latencies can run 1200 to 1500 milliseconds
  – Because of this you may want to put some thought into when you want to fire a query at a remote source
    • If you duplicate every single query you could introduce significant load on a farm
    • Where you want results back ASAP then you wouldn’t want remote queries to fire
    • You can also create a dedicated page that only queries the remote source
    • In short – you can mix and match with query rules to decide what works best