How to plan and implement a hybrid SharePoint 2013 on-premises and online architecture?


Description

Life is never all black or all white… So many of you are, and will be, considering a hybrid on-premises/online SharePoint 2013 architecture, whether to segment your users or your usage scenarios. What are the good practices, the precautions to take and the governance to put in place to make your architecture a success?

Transcript of How to plan and implement a hybrid SharePoint 2013 on-premises and online architecture?

Page 1: How to plan and implement a hybrid SharePoint 2013 on-premises and online architecture?

Give us your feedback! From your smartphone, at: http://notes.mstechdays.fr

Many prizes to win every hour!!! Microsoft keyboards, mice and games…

Thank you for helping us improve TechDays

http://notes.mstechdays.fr

Page 2

SharePoint – Hybrid Architecture

Mark Kashman – Senior Product Manager @mkashman

Pierre Vivier Merle – Partner – MVP [email protected]

Servers / Enterprise / Networks / IT

Page 3

Agenda

• Why Hybrid?
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• Business Connectivity Services (BCS)

Page 4

The Enterprise Challenge

Office 365 is attractive…
• It saves me $$
• I always have the latest and greatest collaboration, email and UC tools
• Allows me to focus on my core business, not IT
• Microsoft can run SP more reliably and efficiently than I can
• I can easily scale up/down according to demand
• I can more easily work with customers and partners outside of my company

…But my business is run on-premises…
• I have existing investments (customized SP deployments w/lots of data and settings, custom solutions, LOB systems, etc.)
• I can’t do everything in the Cloud that I can do on-premises
• I want to protect my sensitive data by keeping it close
• There is an extra cost to migrate

Page 5

Stages of hybrid

• All or nothing: Cloud, or On-Premises
• Split, but non-integrated: some in the Cloud, some On-Premises
• Cross domain Push/Pull: Read, Write
• Shared services: single source, split farm roles

Page 6

How Hybrid can Help

• Mix technologies and platforms
  – Use the latest technologies in the cloud, with a continuous upgrade process
  – Keep “legacy” technologies on premises, with a controlled upgrade process
• Extranet scenario
  – No need to “open” your on-premises architecture
  – Manage your partners’ accounts in several ways (Live ID, O365 accounts)
• Search
  – Users want to easily find content
  – Migration can be confusing; don’t force your users to track what’s being moved, and when
  – Many customers will never move EVERYTHING to the cloud
• BCS
  – Give users everything they need in one place

You don’t HAVE to do both directions – you can “only” consume o365 data on-prem, or only on-prem data in o365

Page 7

Agenda

• Why Hybrid?
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• BCS

Page 8

SharePoint sets of APIs

Consume / push data from / to SharePoint Online

• The new version of SharePoint Online is more open in terms of data consumption and CRUD:
  – Web services
  – JavaScript client object model
  – REST/OData endpoints
  – PowerShell

Page 9

Provider Hosted Integration (diagram)

• Deploy your app on premises or to Azure Web Sites
• Register your app in the SharePoint App Catalog
• SharePoint Online exposes Documents, Search, Workflow, Feeds, User Profile and more…
• The app retrieves/modifies data using OData/REST calls
• SharePoint notifies the app using event receivers

Page 10

Demo: SharePoint Online Extranets and on-premises site directory

Page 11

Agenda

• Why Hybrid?
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• BCS

Page 12

Environment Configuration (diagram: UAG, ADFS Servers, SharePoint Servers, Office 365, Dirsync and Tools Servers; components shown: Reverse Proxy and Certificate Auth, Identity Provider, MSOL Tools, Dirsync)

• These non-SharePoint items need to be configured to support hybrid:
  – Reverse Proxy and certificate authentication*
  – Identity Provider (ADFS or Shibboleth for o365)
  – MSOL Tools
  – SSO with o365
  – Dirsync

* Only required if you are consuming on-prem data in o365

Page 13

Agenda

• Why Hybrid?
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• BCS

Page 14

Hybrid Search – Demo Environment (diagram: on-premises farm holding SharePoint content and other indexed content; O365 holding SharePoint content)

Page 15

Search Center On-premises: Data Flow (diagram labels: On-Prem Search Center, O365 Search Center, Internet Boundary, a CSOM Query EndPoint on each side, AD Sync, Query Results returned to the on-prem search center)

Page 16

Search Center in SPOnline: Data Flow (diagram labels: On-Prem Search Center, O365 Search Center, Internet Boundary, a CSOM Query EndPoint on each side, AD Sync, Reverse Proxy / F5 Internet Facing EndPoint in front of the on-prem farm, Query Results returned to the O365 search center)

Page 17

Design Considerations

• Crawl vs Query
• UI Presentation
• Relevance/Clicks
• Backward Compatibility

Page 18

Agenda

• Why Hybrid
• SharePoint(s) interaction
• Hybrid configuration steps
• Search
• BCS

Page 19

BCS, what is it?

BCS is a way to integrate external data into SharePoint.

BCS provides developers with APIs for connecting to external data; developers leverage BCS APIs for data connectivity.

BCS provides admins with tools to manage connections, security, and troubleshooting; admins manage BCS connections and use telemetry for troubleshooting.

Page 20

Business Connectivity Services

Page 21

Is it possible to access data across hosting boundaries and sourced in different Apps in a consistent and secure manner?

YES – but you need to take care of issues around:
• Connectivity
• Security

Page 22

Hybrid Scenarios

BCS (connectivity to on-premises OData service) – Services / Scenarios / Descriptions:
• SPO -> On-Premises: CRUDQ Operations – Create, Read, Update, Query Operations executed from SharePoint Online against on-premises data
• On-Premises -> SharePoint: Receive Notification – Notifications sent from on-premises data store to SharePoint Online

Duet Online (connectivity to on-premises SAP) – Services / Scenarios / Descriptions:
• SPO -> On-Premises: Role Sync – Synchronize roles from SAP to SharePoint Online
• SPO -> On-Premises: Request a Report – Request a report for delivery from SAP to SharePoint Online
• SPO -> On-Premises: Complete a Task – Act upon a task received from SAP (e.g. Accept or Reject)
• On-Premises -> SharePoint: Receive Report – SAP sends a report to SharePoint Online (scheduled, or on-demand)
• On-Premises -> SharePoint: Receive Task – SAP batch uploads tasks for completion by information workers using SharePoint or Outlook

Page 23

High Level Design for Hybrid BCS (diagram)

• Office 365 / Company Tenancy: the BCS App, sending requests and receiving responses across the Internet
• Company DMZ: Hybrid Router (Reverse Proxy or Network Appliance) handling Inbound Auth, Identity Mapping, Request Transforms and Response Transforms in front of the CSOM/REST endpoint
• Company Intranet: SharePoint On-Premise CSOM Infrastructure, the On-Prem Identity Provider and the On-Premises System

Page 24

Demo: Using BCS from SharePoint Online to pull in an external data source

Page 25

Conclusion

• Cloud is great
• Legacy platforms are the real world
• Hybrid architecture to provide better responses to business needs
• Begin to take advantage of Cloud offerings at your pace

Page 26

Resources

• Documentation and Tools – available on TechNet: http://aka.ms/oht1dx
  – On-premises -> SPO configuration steps
  – Additional details for non-SharePoint steps
    • Identity provider and SSO
    • DirSync
    • MSOL Sign-In Assistant
    • MSOL Module for Windows PowerShell
  – Coming soon
    • SPO -> on-premises configuration steps (late November)
    • Plan your deployment (January/February)
  – Reverse Proxy docs: see your provider of choice (MS, F5, etc.)

Page 27

Come and join us at the Conf’SharePoint!

3 days: 22, 23 and 24 May 2013

1000 visitors

1 + 15 partners: Microsoft, 3 Platinum, 5 Gold, 7 Silver

4 themes: Usage & Customer Feedback, Infrastructure, Development, Governance & Strategy

1 topic: SharePoint and its ecosystem

www.confsharepoint.com

Page 28

Appendix

Page 29

Reverse Proxy and Authentication*

• When using hybrid features, o365 sends requests from sites in the cloud to your on-prem farm
• You need to establish a reverse proxy for these calls to be channeled through, to secure the process
• Those requests can be authenticated at the reverse proxy before they are forwarded to SharePoint
• SharePoint supports using a certificate for authenticating to the reverse proxy server when sending a request

Page 30

Reverse Proxy Requirements

• A reverse proxy used for hybrid must support the following requirements:
  – 2 network cards: one connected to the Internet and the other to the internal company network
  – Route inbound SSL traffic to the on-premises SharePoint farm without rewriting packet headers
  – Support SSL termination
• We currently support two reverse proxy servers:
  – Microsoft – Forefront Unified Access Gateway (UAG)
  – F5 – Big IP
  – We plan to add more as they are tested for compatibility

Page 31

Reverse Proxy Configuration

• These are the high level steps for configuring UAG for hybrid:
  – Configure the network in UAG using the Getting Started Wizard
  – Add an HTTPS trunk
  – Install an SSL certificate for the endpoint; it must:
    • Support the names for both the public HTTPS trunk and the SharePoint site
    • Use 2048 bit length encryption; shorter lengths WILL NOT WORK!
  – Add the PFX in the UAG’s local certificate store
  – Publish the SharePoint site collection; use the SharePoint Server 2010 Web type
• See your Reverse Proxy s/w documentation for full details
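A pre-flight check for the trunk certificate, added here as an example rather than taken from the deck or from the UAG product: it verifies the two requirements stated above (2048-bit key, both host names present) plus the trusted-root and not-self-issued rule the result source slide adds for certificates that o365 must accept. The function name, the PFX path and the host names trunk.contoso.com / sharepoint.contoso.com are placeholders.

```powershell
# Added example, not from the deck: validate the PFX before binding it to the UAG HTTPS trunk.
function Test-HybridTrunkCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,        # placeholder path to the PFX
        [Parameter(Mandatory=$true)][string]$PfxPassword,
        [Parameter(Mandatory=$true)][string[]]$RequiredNames # public trunk name + SharePoint site name
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $problems = @()

    # Deck rule: 2048-bit key; shorter lengths will not work on the trunk
    $keySize = $cert.PublicKey.Key.KeySize
    if ($keySize -lt 2048) { $problems += "key size is $keySize bits, need 2048" }

    # Deck rule: the cert must cover both the public trunk name and the SharePoint site name.
    # Collect the CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)') |
            ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    foreach ($n in $RequiredNames) {
        if ($names -notcontains $n) { $problems += "name '$n' is not in CN/SAN (found: $($names -join ', '))" }
    }

    # Result source slide: o365 only accepts a cert from a trusted root authority, so a self-signed
    # cert is rejected here and the chain must build. NOTE: on a domain-joined box the enterprise CA
    # root is trusted, so a domain-issued cert can still pass this chain test; check the issuer by eye.
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'certificate is self-signed' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root: $status"
    }

    # The trunk needs the private key, and the cert must be inside its validity window
    if (-not $cert.HasPrivateKey) { $problems += 'PFX contains no private key' }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "not valid at $now" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        KeySize    = $keySize
        Names      = $names
        Problems   = $problems
        Ready      = ($problems.Count -eq 0)
    }
}

# Usage (placeholder path, password and names):
# Test-HybridTrunkCertificate -PfxPath 'C:\certs\trunk.pfx' -PfxPassword 'placeholder' `
#     -RequiredNames 'trunk.contoso.com', 'sharepoint.contoso.com'
```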

Page 32

Identity Provider

• In order to have a single sign-on experience, you need a federated identity provider like ADFS
• This requires the following:
  – 2 or more load balanced ADFS servers
  – An SSL certificate for the ADFS site
  – A proxy device, like the ADFS proxy server
  – For details on planning and implementation options see http://technet.microsoft.com/en-us/library/jj151794
• All users must have a UPN of a registered domain (i.e. “.local” or similar suffixes will not work)

Page 33

MSOL Tools

• You will need tools from MS Online (MSOL) in order to complete the next set of tasks:
  – Microsoft Online Services Sign-In Assistant
  – Microsoft Online Services Module for Windows PowerShell (MSOL PS)
  – The Directory Synchronization Tool (dirsync)
    • NOTE: This cannot be installed on a domain controller
• You will need to run these on a SharePoint server to configure trust with ACS
• Setting up dirsync and SSO trust is typically done on its own server

Page 34

SSO with o365

• Install the MSOL PS snap-in to a local server; it can be the same server being used for dirsync
• Set up a federation trust between o365 and ADFS using MSOL PS
  – Use the Connect-MsolService cmdlet to authenticate and connect to o365
  – Use New-MsolFederatedDomain to start the process to establish the trust
  – Update DNS as instructed by the cmdlet
• Or alternatively:
  – Use the Office 365 Admin web page to create a new domain trust – follow the instructions in the domains section
  – Use MSOL PS to run the Convert-MsolDomainToFederated cmdlet
• For more info see http://technet.microsoft.com/en-us/library/jj151794
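The two federation paths from this slide as one script, added here as an example and not part of the deck: it first applies the UPN check from the Identity Provider slide (accounts with a non-routable suffix such as .local cannot sign in federated), then either creates the federated domain or converts an already verified one. Set-MsolADFSContext, Get-MsolDomain and Get-MsolFederationProperty are MSOL PS cmdlets not named on the slide; contoso.com and adfs01.corp.contoso.local are placeholders.

```powershell
# Added example, not from the deck: federate an o365 domain with on-prem ADFS via MSOL PS.
Import-Module MSOnline
Import-Module ActiveDirectory

function Get-NonRoutableUpnUsers {
    param([Parameter(Mandatory=$true)][string]$FederatedDomain)
    # Enabled accounts whose UPN suffix is not the registered domain (e.g. @corp.local)
    # will fail federated sign-in; they must be fixed before the domain is converted.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$FederatedDomain" } |
        Select-Object SamAccountName, UserPrincipalName
}

function Enable-HybridFederatedDomain {
    param(
        [Parameter(Mandatory=$true)][string]$DomainName,  # registered, routable domain (placeholder: contoso.com)
        [Parameter(Mandatory=$true)][string]$AdfsServer   # ADFS host to configure (placeholder)
    )
    $bad = @(Get-NonRoutableUpnUsers -FederatedDomain $DomainName)
    if ($bad.Count -gt 0) {
        Write-Warning "$($bad.Count) enabled user(s) have a UPN outside @$DomainName and will not sign in via ADFS:"
        $bad | Format-Table -AutoSize | Out-String | Write-Warning
    }

    Connect-MsolService                        # prompts for a tenant administrator credential
    Set-MsolADFSContext -Computer $AdfsServer  # point MSOL PS at the ADFS server it should configure

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -eq 'Federated') {
        Write-Host "$DomainName is already federated; nothing to do"
    } elseif ($domain.Status -eq 'Verified') {
        # Domain already verified in the tenant (e.g. created via the Admin web page): convert in place
        Convert-MsolDomainToFederated -DomainName $DomainName
    } else {
        # New domain: the cmdlet prints the DNS record to add; run it again once DNS has propagated
        New-MsolFederatedDomain -DomainName $DomainName
    }

    # Report the resulting state so it can be checked before a sign-in test
    Get-MsolDomain -DomainName $DomainName | Select-Object Name, Status, Authentication
    Get-MsolFederationProperty -DomainName $DomainName
}

# Usage (placeholders):
# Enable-HybridFederatedDomain -DomainName 'contoso.com' -AdfsServer 'adfs01.corp.contoso.local'
```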

Page 35

DirSync with o365

• Activate Active Directory Synchronization in your tenant using the o365 Admin web pages
• Install the dirsync tool to a local server and, when that’s complete, run the dirsync Wizard
• When the wizard is done, click Finish to start a sync
• Go to the Office 365 Admin web page and click on the users and groups section to verify that accounts have been imported
• Grant accounts licenses to SharePoint, etc.
• Log out, then log in as an Active Directory user using your Identity Provider (i.e. ADFS)
• For more info see http://technet.microsoft.com/en-us/library/hh967642.aspx

Page 36

SharePoint Configuration Tasks

These things need to be configured in SharePoint to support hybrid:
• New SharePoint STS Token Signing Certificate
• Configure a trust between SharePoint on-prem and ACS
• Configure Secure Store
• Configure UPA
• Try out Search or BCS!

Page 37

New SharePoint STS Token Signing Certificate

• You need to replace the default token signing certificate for the SharePoint STS because Access Control Service (ACS) will not trust it
• You can replace it with:
  – A certificate issued by a public certificate authority like Verisign, GoDaddy, Thawte, etc. – RECOMMENDED
  – A new self-signed certificate that you can create in the IIS Manager
  – Domain-issued certificates DO NOT WORK
• Use Set-SPSecurityTokenServiceConfig with the –ImportSigningCertificate flag to change the token signing certificate

Page 38

Configure Trust Between SharePoint and ACS

• Previously you created a federated trust for users to sign into o365
• Now you need to create an OAuth trust for applications to exchange data between o365 and on-prem
• Using MSOL PowerShell (on prem):
  – Create an AppPrincipal using New-MsolServicePrincipalCredential
  – Create a proxy to ACS using New-SPAzureAccessControlServiceApplicationProxy
  – Complete the trust using New-SPTrustedSecurityTokenIssuer
• Complete detailed instructions are available in the documentation described at the end of this session
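The STS certificate swap from the previous slide and the three ACS trust cmdlets from this one, chained into a single script; this is an added example, not the deck's or Microsoft's own script. The steps that are not on the slides (the well-known SharePoint Online app id, Get-MsolCompanyInformation for the tenant realm, Register-SPAppPrincipal, Set-SPAuthenticationRealm and the SPN for the external host name) follow the TechNet hybrid guidance the deck links to and should be treated as assumptions to confirm there. The PFX path and password, https://sharepoint.contoso.com and trunk.contoso.com are placeholders.

```powershell
# Added example, not from the deck: replace the STS signing certificate and build the OAuth trust to ACS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

function Set-HybridStsTrust {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,          # placeholder: PFX of the new STS signing cert
        [Parameter(Mandatory=$true)][string]$PfxPassword,
        [Parameter(Mandatory=$true)][string]$SiteUrl,          # placeholder: https://sharepoint.contoso.com
        [Parameter(Mandatory=$true)][string]$ExternalHostName  # placeholder: trunk.contoso.com (name SPO will call)
    )
    # 1. New STS token signing certificate: public-CA or IIS self-signed (domain-issued will not work)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    if ($cert.PublicKey.Key.KeySize -lt 2048) { throw 'use a 2048-bit key for the STS certificate' }
    Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $cert
    iisreset   # the STS only picks up the new certificate after IIS recycles

    # 2. Identify the SharePoint Online app principal and the tenant realm in ACS
    Connect-MsolService
    $spoAppId = '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online app id (assumed from the TechNet guidance)
    $tenantId = (Get-MsolCompanyInformation).ObjectId
    $metadata = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"

    # 3. Register SPO as an app principal in the local farm and align the farm realm with the tenant
    $site = Get-SPSite $SiteUrl
    $spoPrincipalId = (Get-MsolServicePrincipal -ServicePrincipalName $spoAppId).ObjectId
    Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier "$spoPrincipalId@$tenantId" -DisplayName 'SharePoint Online' | Out-Null
    Set-SPAuthenticationRealm -Realm $tenantId

    # 4. Publish the STS public key to ACS so o365 can verify tokens signed by this farm
    $publicKey = [System.Convert]::ToBase64String($cert.GetRawCertData())
    New-MsolServicePrincipalCredential -AppPrincipalId $spoAppId -Type asymmetric -Usage Verify -Value $publicKey

    # 5. Add the external host name as an SPN on the SPO app principal (assumed from the TechNet guidance)
    $sp = Get-MsolServicePrincipal -AppPrincipalId $spoAppId
    $sp.ServicePrincipalNames.Add("$spoAppId/$ExternalHostName")
    Set-MsolServicePrincipal -AppPrincipalId $spoAppId -ServicePrincipalNames $sp.ServicePrincipalNames

    # 6. Proxy to ACS and the trusted token issuer that completes the OAuth trust
    New-SPAzureAccessControlServiceApplicationProxy -Name 'ACS' -MetadataServiceEndpointUri $metadata -DefaultProxyGroup
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadata -IsTrustBroker -Name 'ACS'

    # Verification: the ACS issuer should now be listed for the farm as a trust broker
    Get-SPTrustedSecurityTokenIssuer | Select-Object Name, IsTrustBroker
}

# Usage (placeholders):
# Set-HybridStsTrust -PfxPath 'C:\certs\sts.pfx' -PfxPassword 'placeholder' `
#     -SiteUrl 'https://sharepoint.contoso.com' -ExternalHostName 'trunk.contoso.com'
```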

Page 39

Configure Secure Store

• The Secure Store Service is used to create an application that stores the certificate used to authenticate with the UAG HTTPS trunk
• In o365 create a new Secure Store Service target application
  – Save the Target Application ID name because you will use it when configuring a result source
• In the credentials field configure it as a Certificate Password
• Click the Set button for the Credentials
  – Browse to the certificate CER file that was used for the UAG HTTPS trunk; leave the password fields blank
• Complete detailed instructions are available in the documentation described at the end of this session

Page 40

Configure UPA

• It’s critically important that you:
  – Have a UPA up and running
  – Have it populated with current data from Active Directory
• We use the UPA on the local farm to determine what rights a user has – what claims they have, what groups they belong to, etc.
• With a hybrid solution, anything that you grant rights to needs to be in the profile system
  – E.g., if you augment claims on-prem and use a custom claims provider to grant rights to content using those claims, an o365 user would not see that data because those custom claims are not added when you log in to o365
  – More details at http://blogs.technet.com/b/speschka/archive/2012/08/15/oauth-and-the-rehydrated-user-in-sharepoint-2013-how-d-they-do-that-and-what-do-i-need-to-know.aspx

Page 41

Try out Search or BCS!

• With all the pieces in place, you can try Hybrid Search:
  – Create a result source
  – Create a query rule
  – See the results

Page 42

Create A Result Source

• Create a new result source and:
  – Use Remote SharePoint as the Protocol
  – If you are on-prem and getting results from o365:
    • Use the Url of your o365 for the Remote Service Url
    • Use Default Authentication for credentials
  – If you are o365 and getting results from on-prem:
    • Use the Url of the UAG HTTPS trunk for the Remote Service Url
      – The Url must use SSL
      – The SSL cert cannot be domain or self-issued; it must come from a trusted root authority
    • Use SSO Id for credentials and enter the name of the SSO application definition you created to store the UAG certificate

Page 43

Create A Query Rule

This is where you can do a “live” test to see if everything is working:
• Create a new query rule
• Remove the default Condition
• Click on Add Result Block
• Select your result source
• Click on the Test tab and then:
  – Click the “Show more” link
  – Type some query terms in the “{subjectTerms}:” edit box
  – Click the “Test query” button
  – If you have configured everything correctly – Voila! – you will see search results from the remote farm

Page 44

See the Results

• This query rule fires on every search request – so users get query results from both farms

(Screenshot: results from the Cloud shown alongside results from On-Prem)

Page 45

Troubleshooting Tips

• If you aren’t getting data back between the two environments, here are some things that you can do to narrow down the issue:
  – In your on-prem farm turn up the ULS logging
    • Go into Central Admin, Monitoring, Configure diagnostic logging; expand SharePoint Foundation and select:
      – App Auth
      – Application Authentication
      – Authentication Authorization
      – Claims Authentication
    • Change the “least critical” dropdowns to Verbose and save changes
  – Monitor the ULS logs each time you execute a query
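Once those four categories are at Verbose the ULS files fill up quickly, so a filter that keeps only those categories and groups them by correlation id lets one remote query be followed end to end. This is an added example, not from the deck; the function names are made up, the ULS column order (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation; tab-separated) is the standard layout, and the sample lines at the bottom are constructed for the example with invented messages.

```powershell
# Added example, not from the deck: filter and group ULS entries for the hybrid auth categories.
$HybridAuthCategories = @('App Auth', 'Application Authentication', 'Authentication Authorization', 'Claims Authentication')

function Select-HybridAuthEntries {
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,   # raw ULS lines (e.g. Get-Content of a .log file)
        [string[]]$Categories = $HybridAuthCategories
    )
    foreach ($line in $Lines) {
        $f = $line -split "`t"
        if ($f.Count -lt 9) { continue }                 # wrapped continuation lines carry no category
        $category = $f[4].Trim()
        if ($Categories -notcontains $category) { continue }
        [pscustomobject]@{
            Timestamp   = $f[0].Trim()
            Category    = $category
            EventID     = $f[5].Trim()
            Level       = $f[6].Trim()
            Message     = $f[7].Trim()
            Correlation = $f[8].Trim()
        }
    }
}

function Get-HybridAuthSummary {
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $alarmLevels = @('Unexpected', 'High', 'Critical')
    # One row per correlation id: entry count, categories touched, and the first entry above Medium
    Select-HybridAuthEntries -Lines $Lines | Group-Object Correlation | ForEach-Object {
        $g = $_
        $worst = @($g.Group | Where-Object { $alarmLevels -contains $_.Level })
        [pscustomobject]@{
            Correlation = $g.Name
            Entries     = $g.Count
            Categories  = (($g.Group | ForEach-Object { $_.Category }) | Sort-Object -Unique) -join '; '
            Suspicious  = ($worst.Count -gt 0)
            FirstIssue  = if ($worst.Count -gt 0) { $worst[0].Message } else { '' }
        }
    }
}

# Constructed sample: one clean remote query and one whose token validation fails (messages are invented)
$t = "`t"
$sample = @(
    (@('03/06/2013 10:15:22.41', 'w3wp.exe (0x1A2C)', '0x2B10', 'SharePoint Foundation', 'Claims Authentication', 'c0001', 'Verbose', 'constructed: claims identity built for remote query', '11111111-0000-0000-0000-000000000001') -join $t),
    (@('03/06/2013 10:15:22.43', 'w3wp.exe (0x1A2C)', '0x2B10', 'SharePoint Foundation', 'App Auth', 'c0002', 'Verbose', 'constructed: remote call authorized', '11111111-0000-0000-0000-000000000001') -join $t),
    (@('03/06/2013 10:15:22.45', 'w3wp.exe (0x1A2C)', '0x2B10', 'SharePoint Foundation', 'Topology', 'c0003', 'Medium', 'constructed: unrelated category, must be filtered out', '11111111-0000-0000-0000-000000000001') -join $t),
    (@('03/06/2013 10:16:01.02', 'w3wp.exe (0x1A2C)', '0x2B44', 'SharePoint Foundation', 'Application Authentication', 'c0004', 'Unexpected', 'constructed: token from remote issuer rejected', '22222222-0000-0000-0000-000000000002') -join $t)
)
Get-HybridAuthSummary -Lines $sample | Format-Table -AutoSize
# Real use: Get-HybridAuthSummary -Lines (Get-Content 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS\<file>.log')
```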

Page 46

Troubleshooting Tips (cont.)

• Use Fiddler as a reverse proxy on your SharePoint server; this requires:
  – Installing Fiddler on the SharePoint server
  – Writing a Fiddler script rule as described in Option #2 here: http://www.fiddler2.com/Fiddler/help/reverseproxy.asp
  – Looking at the TextView of the Response. Here’s an example of an error that you can see in there:

Page 47

Troubleshooting Tips (cont.)

• Be aware of latency in queries across the cloud and on-premises
  – When a query is executed, ALL results must come back before the result is shown to the user
    • Latencies can run 1200 to 1500 milliseconds
  – Because of this you may want to put some thought into when you want to fire a query at a remote source
    • If you duplicate every single query you could introduce significant load on a farm
    • Where you want results back ASAP you wouldn’t want remote queries to fire
    • You can also create a dedicated page that only queries the remote source
    • In short – you can mix and match with query rules to decide what works best