Face up to a double life with hybrid Office 365
Integrating Lync, SharePoint and Exchange
“Cloud first” is Microsoft’s new mantra. The vision is of businesses using Office 365, running in Microsoft’s Global data centres, for collaborating, conferencing, messaging and calendaring.
The shift towards Office 365 becomes more marked every quarter as more IT departments adopt Microsoft’s cloud offerings. The appeal is that you reduce the server fleet in your data centre and cut your operational costs.
If you are migrating to Office 365 from on-premises you will need to set up a hybrid deployment to get your services migrated to the cloud. Once you have done that you can decommission your on-premises environment.
But it often turns out that businesses with Exchange, SharePoint and Lync deployed on-premises will need to keep a small portion of that environment running.
Long-term hybrid deployments consist of running Office 365 in the cloud while maintaining an on-premises environment for various reasons. There may be compatibility issues with existing applications that use the on-premises deployment, or a business may need to keep certain functions on-premises.
The big question that comes to mind is: how does all this hybrid stuff really work?
Hybrid mode for Exchange, SharePoint and Lync are all configured individually but one thing they share is that they use the same core dependencies to make hybrid work.
All of these services require the use of the Azure Active Directory Sync tool, and depending on your client user experience requirements may need Active Directory Federation Services (ADFS).
Azure Active Directory Sync replicates user object changes between the on-premises Active Directory and online Active Directory, which keeps the two Active Directory user objects in sync. ADFS is used for trust and enabling single sign (SSO) on to allow seamless authentication between the online and on-premises versions.
You can use Azure Active Directory Sync without ADFS if your environment doesn’t require the use of SSO. If you don’t require any granular permission to authenticate to Office 365 Azure Active Directory Sync would suit most deployments.
Let’s do a breakdown of each type of hybrid.
Office 365/Exchange 2013 hybrid
Exchange hybrid deployments are complicated and best if your on-premises servers are running Exchange 2010 or Exchange 2013.
Some key features of hybrid Exchange are that it allows mailboxes of cloud and on-premises to see each other in the Global Address List as well as viewing everybody’s calendaring data.
With hybrid Exchange, administrators can move mailboxes between the environments if they need to. Before you decide to go hybrid review your mailbox permissions requirements, as cross-premises is not supported.
User mailbox permissions can be given only to someone on the same premises; that is not possible if a user needs access to a mailbox sitting in the cloud. These limitations can affect your decision.
Hybrid Exchange deployments connect the two premises together, allowing both to function as one mail system using your existing domain name. With ADFS and Azure Active Directory Sync, user objects authenticate and are replicated to the online environment.
All mailboxes in hybrid mode receive an additional SMTP address which indicates the premises the mailbox is located in. This is known as the hybrid routing address and is set up during the configuration of hybrid mode.
Office 365 uses Exchange Online Protection (EOP) to receive emails. It can be set up to receive either all your inbound emails from the internet or only emails that are sent from your on-premises server.
There are two ways for this hybrid mail flow to work: your on-premises can continue to receive inbound emails destined for your domain as they previously did; or you can route inbound emails through Office 365.
Emails sent from the internet to a user in your organisation will route to your on-premises servers.
Your mail exchanger record will continue to point to on-premises servers and emails will be continue to be delivered to your Exchange Client Access (CAS) server. If you have any spam filters the emails will flow through that system before getting to your CAS servers.
Once the email reaches your CAS servers, these will do a lookup against your on-premises global catalog server. The global catalog lookup will determine if the mailbox is on-premises or if it belongs in Office 365 by checking the hybrid routing address that is added to each mailbox.
If the mailbox is on-premises the CAS server sends the email to the on-premises mailbox server and delivers to the mailbox. If the mailbox is in Office 365, the CAS server sends the email to EOP using a TLS configured Send connector.
Once EOP receives the email it sends it to Office 365 to be delivered to the mailbox.
Emails sent your organisation will now route to EOP because you will point your mail exchanger records to EOP
When EOP receives the messages it sends the email to Office 365. Once Exchange Online receives the emails it will do a lookup on the account to determine if the mailbox is on-premises or if it belongs in Office 365 by checking the hybrid routing address that is added to each mailbox.
Outbound emails through EOP
If the mailbox is on-premises the Office 365 servers sends the email to on-premises mailbox server and delivers it to the mailbox. If the mailbox is in Office 365, the email is delivered directly to the mailbox.
When hybrid mode is enabled you can choose how emails from Office 365 delivers outbound emails by either routing through your on-premises server or sending it directly through EOP through DNS lookup and out to the internet.
routing through Office 365
All internet outbound emails from on-premises servers are always sent directly from the on-premises servers using DNS.
When a user who has a mailbox in Office 365 and sends an email outbound, Office 365 scans the emails for viruses; then it sends the email to EOP, which is configured to send all outbound messages to an on-premises server. The email is routed to an on-premises CAS server using TLS.
An Exchange CAS server performs all the required checks such as compliance and anti-virus screening.
The CAS server looks up the mail exchanger record and sends the message to the appropriate mail servers.
When a user mailbox in Office 365 sends an internet bound email Office 365 scans the email for viruses first, then sends it to the EOP.
When EOP receives the email it looks up the mail exchanger record for external domain and sends the email to the server that is somewhere on the internet.
Lync hybrid deployments
In a similar way to Exchange hybrid mode, Lync hybrid mode allows you configure your users either to run in Lync online or Lync on-premises, but all your existing DNS records continue to point to your on-premises servers.
Hybrid mode allows users to move back and forth between environments but management of users depends on their location.
Lync hybrid mode requires ADFS and Azure Active Directory Sync to be set up and configured with the appropriate certificates, but it also needs the Microsoft Online Services module for Windows PowerShell to configure certain components.
Users in hybrid mode are created on-premises, then the data is synchronised to Lync Online. If users are created on Lync Online first the user’s data is not replicated to the on-premises Active Directory.
The process of configuring Lync hybrid mode is simpler than for Exchange hybrid and SharePoint hybrid. It involves federating your Lync on-premises Edge service and configuring on-premises to share SIP address space with Lync Online by using the following PowerShell cmdlets:
Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 –UseDnsSrvRouting New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root Set-CsTenantFederationConfiguration -SharedSipAddressSpace $True
The shared SIP address space needs to be configured on both Lync Online and on-premises. If the shared SIP is not completed on both sides you won’t be able to move users between the two environments.
Using a remote PowerShell session with Lync Online, run the following cmdlet to configure Lync Online for shared SIP address space:
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
Once the federation and shared SIP address space is completed you are in hybrid mode and can move your users between the two environments using PowerShell.
Users who are homed to Lync Online are managed on the Office 365 online portal and those who are homed to on-premises are managed on the on-premises Lync control panel.
SharePoint hybrid mode
Saying that SharePoint hybrid mode is complex is an understatement. It can be downright confusing because there are so many layers to consider, such as SQL, service applications and domain name space.
Once that is figured out you have to decide on one of three types of topology: one-way outbound authentication; one way inbound authentication; and two-way hybrid, where user authentication is between both topologies.
Just reviewing the different types of hybrid will require some deep planning. The high-level overview of how SharePoint hybrid works depends on your chosen topology.
Reverse proxy is set up and configured to secure inbound traffic to your on-premises SharePoint servers
SharePoint hybrid provides integrated Search, Business Connectivity Services and integrated Duet (only if you are running SAP), and that is it.
Considering that those are the only components that are truly integrated with hybrid mode, you may need to consider whether running SharePoint in hybrid mode is worth the time and investment.®
Sponsored: Today’s most dangerous security threats