Federation in Microsoft Exchange Server 2010

Paul Tischhauser, Program Manager, Microsoft. Session UNC 315.


Presentation Transcript


  1. Federation in Microsoft Exchange Server 2010. Paul Tischhauser, Program Manager, Microsoft. Session UNC 315.

  2. Outline
    • Sharing Goals
    • How Federated Sharing Works in Exchange 2010
    • Free Busy
    • Calendar and Contact Sharing
    • Sharing Policy
    • Federation and Exchange Online

  3. Exchange 2010 Sharing Goals
    Sharing Relationships
    • Make it convenient
      • Users can share easily
      • Low admin overhead
      • Leverage relationships
    • Make it secure
      • Set the sharing dial
      • Allow admin to scope
      • Avoid exposure
    (Diagram: sharing relationships between people, Mary and Joe, and between orgs, fabrikam.com and contoso.com; the sharing dial runs DISCOVER, MANAGE, VIEW, EDIT.)

  4. How Should Free Busy Work?
    Viewing free busy for someone else should be as simple as typing in their e-mail address.
    (Diagram: a user looking up the free busy of an external user.)

  5. Cross Org Free Busy Solutions
    Client / server        Solution
    Outlook 2003/2007      Internet Clearinghouse
    Exchange 2000/2003     Public Folders and Service Account
    Exchange 2007          Web Services and Service Account
    Exchange 2010          Web Services and Federation
    Each solution is rated on two axes, Convenient (User, Admin) and Secure (User, Admin). Goal: solve it once for all clients.

  6. Free Busy – Internet Clearinghouse (Outlook 2003/2007)
    (Diagram: Mary at Fabrikam (mary23@live.com) and Joe at Contoso (contoso\joe, joe72@live.com) publish to and read from the Clearinghouse; the Exchange servers are not involved.)
    Convenient
    • Required LiveId, client always on
    • No admin action required
    Secure
    • Must know other people’s LiveIds
    • No admin control

  7. Free Busy – Public Folders (Exchange 2003)
    (Diagram: Mary at Fabrikam (fabrikam\mary) and Joe at Contoso (contoso\joe, joe@contoso.com); Joe's mailbox publishes to Public Folders, which are replicated to Fabrikam's Public Folders using a service account (fabrikam\svcacct); both ADs replicate.)
    Convenient
    • No user action required
    • Service accounts, PF/AD replication
    Secure
    • No per-user access
    • Admin selects orgs

  8. Free Busy – Web Services (Exchange 2007)
    (Diagram: Mary at Fabrikam (fabrikam\mary) requests free busy for joe@contoso.com; the Fabrikam Client Access server uses its Org Info for contoso.com (the contoso endpoint) and a service account in the other org (contoso\svcacct, and fabrikam\svcacct for the reverse direction) to ask the Contoso Client Access server, which answers from Joe's mailbox; both ADs replicate.)
    Convenient
    • No user action required
    • Service accounts, AD replication
    Secure
    • Per-user access only within org
    • Admin selects orgs

  9. Free Busy – WS and Federation (Exchange 2010)
    (Diagram: Mary at Fabrikam (fabrikam\mary) requests free busy for joe@contoso.com; the Fabrikam Client Access server obtains a federated token for mary@fabrikam.com from the Microsoft Federation Gateway and sends it with the request to the Contoso Client Access server, which answers from Joe's mailbox. Each org holds a Federated Trust with the gateway and an Org Relationship with the other org.)
    Convenient
    • No user action or client publishing
    • No directory replication
    • No service accounts, no replication
    • No AD trusts or service accounts
    Secure
    • Admin controls which orgs have access
    • Admin controls which users participate; admin can control per user
    • Can specify external users

  10. Benefits of Exchange 2010 Federation
    • Allows server to act on behalf of specific user
      • Specific user identified by e-mail address
      • User not prompted for credentials
    • Reduces explicit trust management
      • No AD trusts, service or cloud accounts to manage
      • Minimizes certificate exchanges
    • Verifies domain ownership

  11. Establishing Federation in Exchange 2010 (one-time setup)
    • Step 1 – Create trust with certificate exchange
    • Step 2 – Prove domain ownership
    • Step 3 – Add domains
    (Diagram: Fabrikam and Contoso each exchange a certificate with the Federation Gateway and hold a federation trust object recording their own Organization ID (Fabrikam C293…, Contoso A154…) and the gateway URL (http://...). The gateway records each org's Organization Id and domains: A154… with contoso.com, C293… with fabrikam.com. Ownership is proven with a DNS TXT record per domain: contoso.com TXT appId=A154…, fabrikam.com TXT appId=C293….)

  12. Demo: Setting Up Federation in Exchange 2010

  13. Federation Commands in Exchange 2010
    • Establish federation trust (New-FederationTrust)
      • Install signing certificate on CAS servers
      • Exchange certificate with federation gateway
    • Prove domain ownership (Set-FederatedOrganizationIdentifier)
      • Create DNS TXT record, e.g. Contoso.com IN TXT AppId=1C2…
    • Add domains to trust (Add-FederatedDomain)
      • Must be accepted domains

  14. Federation Certificate Management
    (Diagram: an Exchange 2010 admin box where the task is run, the AD FederationTrust object, the Federation Gateway, and 2010 CAS/HUB servers in the same site and in other sites.)
    • Import-ExchangeCertificate imports the certificate from a file into the local machine’s certificate store.
    • New-FederationTrust –Thumbprint 1 reads the certificate from the local machine store and sets the thumbprint in Active Directory (FederationTrust object: Current Certificate: 1).
    • It uploads the public cert to the gateway (Organization Id: A154…, Public Cert: 1).
    • It securely installs the certificate to all CAS/HUB servers in the same site where the task runs.
    • A local cert distribution service pulls the cert from remote sites to all CAS/HUB servers in other sites, based on the thumbprint information in AD.
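The three setup steps above (create the trust, prove domain ownership, add domains), as an added PowerShell example that is not from the deck: it assumes the Exchange 2010 Management Shell in the contoso.com organization, a signing certificate already in the local machine store, and placeholder values in angle brackets; "sales.contoso.com" is an assumed additional domain, and the trust name "Microsoft Federation Gateway" is an assumption. The checks at the end are the ones a practitioner runs before creating any organization relationship.

```powershell
# Added example, not the deck's own script. One-time federation setup for
# contoso.com. <THUMBPRINT> is a placeholder for the signing certificate's
# thumbprint as shown by Get-ExchangeCertificate.

# Step 1 - create the trust. The cmdlet reads the certificate from the local
# machine store, records its thumbprint in AD and uploads the public half to
# the gateway; the certificate distribution service described on slide 14
# copies it to the remaining CAS/HUB servers.
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint "<THUMBPRINT>"

# The trust now carries the organization's application identifier, which is
# the value the gateway expects to find in the domain's DNS TXT record.
$trust = Get-FederationTrust -Identity "Microsoft Federation Gateway"
$appId = $trust.ApplicationIdentifier
Write-Host "Publish this record before step 2:  contoso.com. IN TXT `"AppId=$appId`""

# Step 2 - prove domain ownership. Confirm the TXT record is resolvable from
# the Internet before registering the namespace; the gateway checks it.
nslookup -type=TXT contoso.com
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" `
    -AccountNamespace "contoso.com" -Enabled $true

# Step 3 - add further domains. Each one must already be an accepted domain
# and needs its own TXT record. "sales.contoso.com" is a placeholder.
Add-FederatedDomain -DomainName "sales.contoso.com"

# Checks: the certificate must be valid on every CAS/HUB server, and the
# end-to-end test requests a token from the gateway for a real mailbox.
Test-FederationTrustCertificate
Test-FederationTrust -UserIdentity "joe@contoso.com" -Verbose
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
```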

  15. Demo: Creating Organization Relationships

  16. Organization Relationship Commands (configure per organization)
    • Enter external org info
      • Domain name, endpoint
      • Discover info with cmdlet
    • Set the dial
      • Maximum level of detail
    • Scope target users
      • Specify which users in your org will share their free busy
      • Does not restrict outbound free busy requests
    • Org-level relationship removes need for individual AD recipients
    Commands:
      Get-FederationInformation –DomainName contoso.com | New-OrganizationRelationship
      Set-OrganizationRelationship –FreeBusyAccessEnabled $TRUE -FreeBusyAccessLevel freebusy
      Set-OrganizationRelationship -FreeBusyAccessScope department1
    (Diagram: org relationship between fabrikam.com and contoso.com.)
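The per-organization relationship, as an added PowerShell example that is not from the deck: Fabrikam's admin admits contoso.com at the free/busy level and scopes it to the group Department1 (the group name appears on slide 17; the relationship name "Contoso" and the mailbox mary@fabrikam.com are assumptions). Exchange 2010 names the access levels None, AvailabilityOnly and LimitedDetails rather than the deck's "freebusy".

```powershell
# Added example, not the deck's own script. Run in the fabrikam.com
# organization after its federation trust exists. "Department1" is assumed
# to be an existing mail-enabled group in Fabrikam's AD.

# Enter external org info: discover the endpoint and federated domains from
# Contoso's published federation information instead of typing them by hand.
$info = Get-FederationInformation -DomainName "contoso.com"
$info | Format-List TargetApplicationUri, TargetAutodiscoverEpr, DomainNames

# Create the relationship with the sharing dial set to free/busy only.
# AvailabilityOnly = free/busy; LimitedDetails adds subject and location;
# None disables the feature while keeping the relationship object.
$info | New-OrganizationRelationship -Name "Contoso" `
    -FreeBusyAccessEnabled $true `
    -FreeBusyAccessLevel AvailabilityOnly

# Scope target users: only Department1 members answer Contoso's requests.
# This bounds what Contoso can see; it does not limit outbound requests from
# Fabrikam users, which are governed by Contoso's own relationship settings.
Set-OrganizationRelationship -Identity "Contoso" -FreeBusyAccessScope "Department1"

# Review the effective settings, then run the built-in test, which obtains a
# federated token for the given user and exercises the Contoso endpoint.
Get-OrganizationRelationship -Identity "Contoso" |
    Format-List DomainNames, FreeBusyAccessEnabled, FreeBusyAccessLevel, FreeBusyAccessScope, TargetApplicationUri
Test-OrganizationRelationship -Identity "Contoso" -UserIdentity "mary@fabrikam.com" -Verbose
```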

  17. Federated Free Busy Access
    (Diagram: Mary at Fabrikam, the Fabrikam and Contoso CAS servers, the MS Federation Gateway and Joe's mailbox at Contoso; all connections over SSL. The steps below follow the numbering on the slide.)
    1. Mary sends a free busy request for joe@contoso.com to her Fabrikam CAS.
    2. Fabrikam looks up info for the target org in its Org-Org relationship (Domain: contoso.com, Endpoint: https://..., …).
    3. The Exchange server submits a signed request for a token on behalf of the user to the MS Federation Gateway (Token request – Alias: mary@fabrikam.com, To: contoso.com, For: Free busy).
    4. The gateway verifies the signature and ensures the e-mail alias matches the requesting org's domains (Organization Id: C293…, Domains: fabrikam.com), then signs the token and encrypts it with the target org’s public key (Organization Id: A154…, Domains: contoso.com). The encrypted token has the requestor’s e-mail address and can only be cracked by the target org.
    5. Fabrikam forwards the free busy request for joe@contoso.com, with the federated token, to the Contoso CAS.
    6. Contoso cracks the token, looks up info for the requesting org in its Org-Org relationship (Domain: fabrikam.com, Freebusy: true, Level: Free busy, Group: Department1, …) and enforces the restrictions.
    7. Contoso returns the free busy response for joe@contoso.com to the Fabrikam CAS.
    8. The free busy response is returned to Mary.
    No e-mail addresses are stored in the cloud; no accounts need to be managed.

  18. Exchange 2010 Federated Free Busy – Interop with Exchange 2007
    • Use Exchange 2010 to proxy down-level requests
    • Configure Exchange 2007 SP2 to proxy requests to Exchange 2010
    • Outlook 2007 still requires recipients in AD
    (Diagram: at Fabrikam, the Exchange 2007 SP2 Client Access Server proxies a free busy request for joe@contoso.com to the Exchange 2010 Client Access Server.)
    Command:
      Add-AvailabilityAddressSpace -ForestName contoso.com -AccessMethod InternalProxy

  19. Demo: Creating Personal Sharing Relationships

  20. Federated Calendar Sharing
    • Uses federation infrastructure
      • Requires federation trust, but not org-org relationship
    • Ad-hoc, person-person sharing
      • Does not require person to be in the GAL
      • Relationship created with sharing invitation
    • Server maintains calendar subscription
      • Updated when user views the calendar
      • Server uses federated token to fetch data on user’s behalf
      • Can be viewed by any client that views mailbox folders
      • Attachments and attendees are not brought over
    • Exchange Web Services supports invitation, sync
    (Diagram: person-to-person sharing between Joe and Mary.)

  21. Federated Contact Sharing
    • Same approach as federated calendar sharing
      • Same invitation model
      • Same server-based subscription model
    • Exchange 2010 and Outlook 2010 only

  22. Sharing Policy
    • Sharing policy limits level of personal sharing
      • Calendar – free busy, detailed free busy, reviewer
      • Contacts – reviewer
      • Identify specific domains or *
    • Enforced during invitations
      • Permissions monitored
    • Default Policy
      • User can share free busy w/ anyone
    • Admin can add policies
      • Apply per user
    (Diagram, Contoso: Mailbox Joe – Sharing Policy: Default Policy; Mailbox Bill – Sharing Policy: Sales Policy.)
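The two mailboxes on the slide, as an added PowerShell example that is not the deck's script: Joe stays on the default policy and Bill gets a Sales Policy that allows richer sharing but only with fabrikam.com. The action names and the "domain: action" syntax of -Domains are the Exchange 2010 ones (CalendarSharingFreeBusySimple, CalendarSharingFreeBusyDetail, CalendarSharingFreeBusyReviewer, ContactsSharing), matching the slide's free busy, detailed free busy, reviewer and contacts levels; the aliases "Joe" and "Bill" are assumed.

```powershell
# Added example, not from the deck. Run in the contoso.com organization.
# Mailbox aliases "Joe" and "Bill" and the policy name come from slide 22.

# The out-of-the-box policy: free/busy only, with any federated domain ("*").
Get-SharingPolicy -Identity "Default Sharing Policy" |
    Format-List Name, Domains, Default, Enabled

# Sales Policy: reviewer-level calendar plus contact sharing, but only with
# fabrikam.com. Each -Domains entry is "<domain>: <action>". Naming the
# domain explicitly, rather than "*", is what bounds the exposure: an
# invitation from Bill to any other domain is refused when he sends it.
New-SharingPolicy -Name "Sales Policy" -Domains @(
    "fabrikam.com: CalendarSharingFreeBusyReviewer",
    "fabrikam.com: ContactsSharing"
)

# Apply per user. Joe is not touched and keeps the default policy.
Set-Mailbox -Identity "Bill" -SharingPolicy "Sales Policy"

# Verify which policy each mailbox is held to at invitation time.
"Joe", "Bill" | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table Alias, SharingPolicy -AutoSize

# Audit: list every policy that allows more than simple free/busy, so that a
# reviewer-level grant to a partner domain is a deliberate, visible decision.
Get-SharingPolicy | Where-Object {
    $_.Domains -match "Reviewer|Detail|ContactsSharing"
} | Format-Table Name, Domains, Enabled -AutoSize
```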

  23. Demo: Controlling Federated Sharing

  24. Federation and Exchange Online
    (Diagram: Microsoft cloud services (Dynamics CRM Online, SharePoint Online, Enterprise Apps, ISV Apps, Azure Services Platform, Exchange Online, OC Online) and Microsoft Online, reached through the Microsoft Federation Gateway; Fabrikam runs Exchange; Contoso runs Exchange, Active Directory and Geneva for its employees; the links are labelled federated sharing and single sign-on.)
    • Sharing with partners
      • Free/busy sharing
      • Full calendar sharing
      • Contact sharing
    • Cross-premises coexistence
      • Free/busy sharing
      • Full calendar sharing
      • Secure message delivery
    • Single sign-on/single identity
      • Exchange Online
      • Microsoft Online Services
      • Applications hosted on Azure™

  25. Summing Up
    • Exchange Federation makes sharing convenient
      • Sharing between two orgs or two people
      • No trusts or service accounts
      • No end user accounts and credential prompts
    • Exchange Federation makes sharing secure
      • Control which orgs you share with
      • Control which users can share and at what level
    • Exchange Federation works with online services

  26. Question & Answer

  27. Call to Action
    Learn More!
    • Related Content at TechEd on “Related Content” Slide
    • Attend in-person or consume post-event at TechEd Online
    • Check out online learning/training resources
      • http://technet.microsoft.com/exchange/2010
      • http://technet.microsoft.com/office/ocs
    Try It Out!
    • Download the Exchange Server 2010 Beta Evaluation
      • http://www.microsoft.com/exchange/2010/try-it
    • Get a 5-Day Trial of Office Communications Server 2007 R2
      • https://r2.uctrial.com/

  28. You’re Invited! Be the first in the world to join the invitation-only Office 2010 puts the power of Exchange 2010 into the hands of users. See how Office 2010 will help people work together to bring ideas to life across the PC, phone and browser.

  29. Related Content
    Breakout Sessions
    • UNC320 Microsoft Exchange Server Outlook Web Access 2010: The Future of Web-Based E-mail
    • UNC317 Microsoft Exchange Server 2010 Management Tools

  30. Complete an evaluation on CommNet and enter to win!

  31. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
