Step-by-Step Guide to Office 365 Hybrid Deployment
This eBook does not grant you legal ownership of any Microsoft product, only the right to use it, unless the eBook explicitly states otherwise. "Trial" keys are provided solely for the purpose of the experiment.
and Servers MVP (from 2015 until now). He has been a guest speaker at a number of events and conferences, such as SharePoint Saturday Vietnam, Microsoft SharePoint Day Malaysia, Azure Global Bootcamp, Business 365 Saturday Singapore and the European SharePoint Conference.
Introduction
Inspired by Microsoft, its products and technologies, we put our heads together to plan an eBook that would give you a step-by-step guide to Office 365 Hybrid deployment, because in our day-to-day work we have seen a strong trend towards modern collaboration. We consider ourselves fortunate to have worked and talked with a number of IT executives and CIOs during the three years before we started writing this eBook.
This eBook is written not only for IT Pros, but for anyone who is starting to think about a hybrid deployment of Office 365 in order to make the most of existing infrastructure resources and to adopt technology cost-effectively in the business. What you will learn from this eBook is how to install and configure a number of Office services and server products in an on-premises environment so that they work with Microsoft Office 365, an innovative SaaS digital workplace platform.
We are not going to dig into the hybrid scenario of cloud computing in general, because that is not our main purpose in writing this eBook. When it comes to hybrid there are many scenarios to consider, including the gotchas that can happen; such material is easy to find on the Internet.
This eBook assumes that you have fundamental knowledge of Microsoft SharePoint Server 2013, Microsoft Exchange Server 2013, Skype for Business 2016, Windows Server, Forefront Threat Management Gateway and Office 365: at least you know what they are and how they help your organization. If you do not, we still appreciate your time, because this eBook walks you through the steps progressively, with screenshots that make them easy to follow.
In the Office 365 context, a hybrid deployment is one in which you want end users whose accounts are hosted in on-premises Active Directory to have access to a SharePoint Online site collection. Offering calendar sharing between on-premises Exchange and Exchange Online is also considered an Office 365 hybrid scenario. In a nutshell, when you do a hybrid deployment you connect services between on-premises infrastructure and public cloud infrastructure, wherever that cloud is located. Sometimes people also consider the separate use of public and private cloud a hybrid, for example developing an application on Office 365 and then deploying it into a SharePoint on-premises environment.
As the examples above show, hybrid is about balancing infrastructure resources between the two environments. For example, before Microsoft deactivated the Public Site feature in Office 365, people used the Microsoft Cloud infrastructure to serve the massive number of public users of their Internet-facing website, while the identities of the website's content editors were hosted in the in-house Active Directory. In this case you make the best use of your investment in high availability for your Internet-facing website, while still meeting compliance requirements such as authentication and identity management.
Why should you consider an Office 365 hybrid deployment? Perhaps because everyone else is doing it. The cost of hybrid is not discussed here. However, when you go hybrid you cut at least the operational infrastructure and licensing costs that would otherwise take up your entire cloud budget. In many hybrid cases you also outsource part of the responsibility for data security, which can be a big concern.
The following articles give more helpful information about the pros and cons of hybrid cloud:
http://blog.rackspace.com/10-reasons-why-a-hybrid-cloud-is-better
http://www.zdnet.com/article/hybrid-cloud-why-hybrid-it-may-be-the-better-choice/
http://www.datacenterknowledge.com/archives/2015/02/16/hybrid-cloud-continues-grow-look-real-use-cases/
http://www.cio.com.au/brand-post/content/607556/why-hybrid-cloud/
Environment Preparation
Below is the environment we used for this step-by-step guide. You can use fewer servers than we did by combining roles onto a shared group of servers; however, we strongly recommend isolating roles and services, as that is closer to a practical deployment.
All of the servers above are virtualized on a single physical host running Microsoft Hyper-V. Hyper-V is not required, but it supports Microsoft workloads with optimal performance. Here is the overall picture of the hybrid topology.
AD01: an Active Directory domain controller virtual machine, acting as the identity provider in the on-premises environment.
ADFS01: an Active Directory Federation Services virtual machine, acting as the federation party that provides the federation trust between the identity providers in both environments (on-premises and cloud).
EX01: a server running Microsoft Exchange Server 2013.
SFB: a server running Microsoft Skype for Business 2015.
SP01: a server running Microsoft SharePoint Server 2013.
TMG: a server running Microsoft Forefront Threat Management Gateway 2010. Although this product is no longer supported, we still use it for the configuration so that you get a fuller understanding of the deployment context.
EDGE: a server running Skype for Business Server 2015 in the Edge Server role.
WAP: a server running the Web Application Proxy service.
Configuring Office 365 Hybrid starts with configuring DirSync and Single Sign-On (SSO). Before that configuration, you must purchase a certificate from a trusted third party. There are the following options:
Third-party certificate across multiple servers: with this option you purchase a single certificate that is used for all servers and services. This is an advantage in an environment with many servers. A wildcard SSL certificate is the common choice.
Third-party certificate for each server: with this option you purchase a dedicated certificate for each server or service. When a certificate expires, you must renew it and replace it on that server or service. This type of certificate is commonly used when there are fewer than 5 servers.
1. Create a certificate request with a private key from IIS. Open the IIS Management Console and click Server Certificates.
2. Click Create Certificate Request and fill in the information. In this case we entered *.ict24h.info because we decided to use a wildcard SSL certificate.
4. Specify the location where the request content, which is used for signing, will be stored.
5. If you open the file, its content looks like the example below.
7. Fill in all the information the form requires, including your credit card details.
8. After the payment has been processed successfully, you will receive an email with a guide to configuring the certificate.
10. Enter the code that Comodo sent you by email and click Go!
11. Copy the CSR (Certificate Signing Request) content you generated in step 5 into the CSR box and click Finish. When this step is complete, Comodo sends a *.ZIP file to your registered email address.
13. Import the certificate you purchased from Comodo onto the ADFS01 virtual machine. Click Complete Certificate Request in the Actions panel, browse to your certificate, and enter a friendly name. Select Personal.
15. Because you purchased a wildcard certificate, you can use it on every virtual machine you have. You simply need to export the certificate in *.pfx format together with its private key. Go to MMC > Local Computer > Personal > Certificates.
16. Right-click your wildcard certificate and select All Tasks > Export.
18. Select the Yes, export the private key option. Click Next.
19. Select the Personal Information Exchange – PKCS #12 (.PFX) option. Select Include all certificates in the certification path if possible and Export all extended properties. Click Next.
21. Specify the location to export your certificate (*.pfx) to. Click Next.
You now have a signed certificate that can be imported onto every virtual machine that needs it. All the virtual machines that connect to Office 365 must have the certificate imported; it encrypts the traffic that passes over the Internet. Perform the following steps to import the certificate onto another virtual machine:
1. Log in to the virtual machine where you want to import the certificate, then go to MMC > Local Computer > Personal > Certificates.
2. Right-click Personal > All Tasks > Import.
5. Specify the password that you entered earlier into the Password box. Click Next.
8. After completing the import, you will see the certificate in the list of certificates in your Personal store.
We now assume you have successfully imported the certificate onto all the virtual machines that need to connect to Microsoft Office 365, which we will configure later in the eBook. Because the connection goes over the Internet, make sure you purchase the certificate from an internationally trusted third-party provider.
In every hybrid deployment, DirSync is critical: it synchronizes identities between on-premises Active Directory and Azure Active Directory, which acts as the Microsoft Cloud identity provider. The DirSync tool allows directory objects, including user accounts and password hashes, to be synchronized to Office 365.
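The import above can also be done from PowerShell, which lets you verify the certificate before any service is bound to it. This is an added example, not the eBook's own procedure; the PFX path and the host name it is checked against are assumptions, and the private key is deliberately imported as non-exportable so that the wildcard key does not spread further than the VMs that need it.

```powershell
# Added example (not from the eBook): import the exported wildcard PFX into the
# Local Computer\Personal store of a member VM and verify it before use.
# The path and host name below are assumptions; adjust them to your lab.
$PfxPath  = 'C:\Certs\wildcard-ict24h.pfx'   # constructed path to the exported *.pfx
$HostName = 'sts.ict24h.info'                # name the service will be reached by
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Import-PfxCertificate keeps the private key non-exportable unless -Exportable
# is given, so this VM cannot become another source of the wildcard key.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $Password

# Sanity checks: the key arrived with the certificate, the certificate is not
# about to expire, and the chain builds to a root this machine trusts.
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate expires on {0}; plan the renewal now" -f $cert.NotAfter)
}
if (-not $cert.Verify()) { throw 'Certificate chain does not validate on this host' }

# Test-Certificate (PKI module) applies the SSL policy: server-authentication EKU
# present and the DNS name covered by the subject or SAN (the wildcard covers it).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -ErrorAction SilentlyContinue)) {
    throw "Certificate does not satisfy the SSL policy for $HostName"
}

# The thumbprint is what the AD FS and Web Application Proxy wizards ask for later.
"Imported {0} (thumbprint {1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```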
Perform the following steps to install and configure DirSync before you synchronize on-premises Active Directory user accounts to Office 365.
3. On the Set up and manage Active Directory synchronization page you will see 7 basic steps for Active Directory synchronization. In step 3, click Activate.
4. Office 365 will ask for your confirmation to activate Active Directory synchronization.
Click Activate.
You have now activated Active Directory synchronization in the Office 365 portal. Next you need to install Azure Active Directory Sync. Perform the following steps to install the tool:
4. Specify the directory where you want to store the tool binaries and files. Click Next.
7. Select Start Configuration Wizard now on the next screen. Click Finish.
8. On the Welcome page, read the information and brief guide. Click Next.
9. Enter your Windows Azure Active Directory account. This account must have administrator permission in your Office 365 tenant. Click Next.
10. On the Active Directory Credentials page, enter your Active Directory domain administrator account. Click Next.
11. In Hybrid Deployment page, select Enable Hybrid Deployment option. Click Next.
12. In Password Synchronization page, select Enable Password Sync option. Click Next.
13. On the Configuration page, you can track the progress of the configuration you have defined.
15. On the Finish page, select Synchronize your directories now. Click Finish.
You have now configured Active Directory synchronization. The duration varies with the number of user accounts to be synced. The Status column tells you the type of each account (e.g. Synced with Active Directory).
In the simplest terms, Single Sign-On (SSO) allows users to access different services with a single account and password, so they do not have to remember different accounts for different services. SSO also helps administrators simplify identity management.
To enable SSO in an Office 365 hybrid deployment there are several products on the market, for example PingFederate, CA Single Sign-On and Active Directory Federation Services (AD FS). Here we introduce Active Directory Federation Services because it is a free tool.
Perform the following steps to configure SSO and to install and configure Active Directory Federation Services on the ADFS01 virtual machine:
3. On the Set up and manage single sign-on page, Microsoft gives you 10 steps for SSO configuration. In step 3, select Windows 64-bit version (if your operating system only supports 64-bit) to download the Windows Azure Active Directory Module for Windows PowerShell, which is used to configure the trust relationship.
4. After downloading, run the installation file to start installing the tool. On the Welcome page, read the information and brief guide. Click Next.
5. On the License Terms page, read the licensing terms carefully and select I accept the terms in the License Terms. Click Next.
6. On the Install Location page, specify the directory for the Windows Azure Active Directory Module for Windows PowerShell. Click Next.
You have now installed the Windows Azure Active Directory Module for Windows PowerShell. Next, you need to install and configure Active Directory Federation Services. Perform the following steps:
1. On the ADFS01 virtual machine, open Server Manager. Select Add Roles and Features.
4. On the Select destination server page, select Select a server from the server pool and choose your AD FS virtual machine. Click Next.
5. On the Select server roles page, select Active Directory Federation Services. Click Next.
8. On the Web Server Role (IIS) page, read the web server introduction and notes provided by Microsoft. Click Next.
9. On the Select role services page, make sure the services shown in the screen below are selected. Click Next.
10. On the Confirm installation selections page, select Restart the destination server automatically if required. Click Install.
11. On the Installation progress page, review all the services and features you have installed. Click Close.
12. Open Server Manager; you are notified to continue the AD FS configuration. Click Configure the federation service on this server.
13. On the Welcome page, select Create the first federation server in a federation server farm. Click Next.
14. On the Connect to Active Directory Domain Services page, specify your Active Directory domain administrator account. Click Next.
15. On the Specify Service Properties page, select the wildcard SSL certificate you imported. The Federation Service Name is the FQDN (Fully Qualified Domain Name) of the ADFS01 virtual machine. You can create a CNAME record that points to the ADFS01 virtual machine's FQDN (for example sts.ict24h.info). Enter a Federation Service Display Name. Click Next.
16. On the Specify Service Account page, enter the service account, which is automatically added to the Managed Service Account group. Click Next.
17. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database. Click Next.
19. On the Review Options page, review your configuration again. Click Next.
20. On the Pre-requisite Checks page, AD FS automatically checks that all prerequisites are met. Click Next.
21. Wait until the installation is complete, then open AD FS Management to review the information.
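The trust relationship that the Windows Azure Active Directory Module is downloaded for (step 3 of the SSO lab above) is set up from that module once the AD FS farm exists. The block below is an added example, not the eBook's own steps: it federates the lab domain and then compares the AD FS and Office 365 sides of the trust, since a token-signing certificate mismatch between the two is the usual cause of federated sign-in failing later. The domain and AD FS host names follow the eBook's lab and are assumptions.

```powershell
# Added example (not from the eBook): convert the verified Office 365 domain to
# federated against the new AD FS farm and check both sides of the trust.
# Run with the Windows Azure AD Module (MSOnline) on ADFS01 or a host that reaches it.
Import-Module MSOnline

$DomainName = 'ict24h.info'          # verified domain in the tenant (assumption)
$AdfsServer = 'adfs01.ict24h.info'   # FQDN of the first federation server (assumption)

Connect-MsolService                  # prompts for an Office 365 global administrator
Set-MsolADFSContext -Computer $AdfsServer

# Refuse to continue if the domain is not verified: converting an unverified
# domain fails, and a typo here would federate the wrong domain.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Status -ne 'Verified') { throw "$DomainName is not a verified domain in this tenant" }

# Convert only once; re-running the conversion on a federated domain is not needed.
if ($domain.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $DomainName
}

# Get-MsolFederationProperty returns one object for the AD FS server and one for
# Office 365. The endpoints and the token-signing certificate must agree on both.
$props = Get-MsolFederationProperty -DomainName $DomainName
$props | Format-List

$thumbs = $props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique
if (@($thumbs).Count -ne 1) {
    Write-Warning 'Token-signing certificate differs between AD FS and Office 365; run Update-MsolFederatedDomain'
} else {
    "Federation trust for $DomainName is consistent (signing thumbprint $thumbs)"
}
```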
To connect the AD FS service securely to Office 365, you need to deploy an AD FS proxy using Web Application Proxy in Windows Server 2012 R2. Perform the following steps to install and configure Web Application Proxy:
1. On the WAP virtual machine, open Server Manager. Select Add Roles and Features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, select Role-based or feature-based installation. Click Next.
4. On the Select destination server page, select the WAP virtual machine. Click Next.
5. On the Select server roles page, select Remote Access. Click Next.
6. On the Select role services page, select Web Application Proxy. Click Next.
After you have installed Web Application Proxy (WAP), you need to connect the WAP service to the AD FS virtual machine. Perform the following steps to configure WAP:
5. On the Confirmation page, review the configuration again and make sure the thumbprint of your certificate is the right one. Click Configure.
6. On the Results page, you will see the message "Web Application Proxy was configured successfully". Click Close.
After configuring Web Application Proxy, you need to publish the AD FS virtual machine through it. Perform the following steps:
1. Open Remote Access Management. Select Web Application Proxy, then select Publish from the General panel on the right-hand side.
2. On the Welcome page, click Next.
4. On the Publishing Settings page, enter the name of the WAP application, the external URL, the certificate and the backend server URL. These are required before you can publish the service.
5. On the Confirmation page, review your Web Application Proxy settings. Click Publish.
6. To verify whether WAP was published successfully, open the URL https://sts.ict24h.info/adfs/ls/idpinitiatedsignon on a computer that has an Internet connection.
7. Try signing in with an account from your Active Directory and see how it goes.
If you have completed the steps above without any error, you will be redirected to the federation URL for the federation trust when you open an Office 365 site.
You have now enabled SSO in the hybrid deployment. Every time you open a site in Office 365 and enter a federated account, Office 365 recognizes that there is a trusted party and redirects you to the published AD FS for authentication.
1. Log in to the Exchange admin center. Select mail flow > send connectors. Click the plus icon.
2. In the Send Connector window, name your connector and select Custom (For example, to send mail to other non-Exchange servers). Click Next.
4. In the Address Space window, select SMTP under Type and allow all email to be sent through this connector by entering * under FQDN and 1 under Cost. Click Save.
5. In the Select a Server window, select the server that is responsible for sending email. Click the add button to add the server. Click OK.
We already purchased a wildcard certificate and imported it onto the Exchange Server virtual machine. Now you need to open the Exchange admin center to verify that certificate. Perform the following steps:
4. You are asked to overwrite the existing default SMTP certificate. Click Yes.
Your certificate is now configured. Next you need to publish the Exchange service over the Internet through the Web Application Proxy you configured in Lab 1.3.
To publish the Exchange service over the Internet, you need a public IP address and Web Application Proxy. Perform the following steps:
1. Log in to your Internet domain control panel and create an A record mail.ict24h.info that points to the WAP01 virtual machine's public IP address.
4. Open the Exchange admin center. Select servers > virtual directories. The external URL is blank. Click the edit icon and add the EX01 virtual machine, which is the Exchange Server you prepared at the beginning. Click OK.
6. Repeat steps 4 – 5 for the other virtual directories in your Exchange Server.
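The three Exchange-side tasks above (send connector, certificate assignment and the per-virtual-directory external URLs) can be done in one pass from the Exchange Management Shell on EX01. This is an added example, not the eBook's own steps; the server and host names follow the eBook's lab, and the certificate lookup by subject and the connector name are assumptions.

```powershell
# Added example (not from the eBook): Exchange Management Shell equivalent of the
# EAC click-through, run on EX01. Names follow the eBook's lab (assumptions).
$Server       = 'EX01'
$ExternalFqdn = 'mail.ict24h.info'

# 1. Assign the imported wildcard certificate to IIS and SMTP. The EAC asks before
#    overwriting the default SMTP certificate; -Force answers that prompt here.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate with private key not found on the Exchange server' }
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP' -Force

# 2. Custom send connector that routes every SMTP address space (*) at cost 1,
#    sourced from this server, exactly as entered in the Address Space window.
if (-not (Get-SendConnector -Identity 'Internet' -ErrorAction SilentlyContinue)) {
    New-SendConnector -Name 'Internet' -Usage Custom `
        -AddressSpaces 'SMTP:*;1' -SourceTransportServers $Server -DNSRoutingEnabled $true
}

# 3. External URLs for the common virtual directories in one pass instead of
#    editing each one in the EAC (step 6 above). Paths are the Exchange defaults.
$Base = "https://$ExternalFqdn"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -ExternalUrl "$Base/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -ExternalUrl "$Base/OAB"

# Show the result so it can be compared with what the Remote Connectivity Analyzer reports.
Get-OwaVirtualDirectory -Server $Server | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize
```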
You need to configure Web Application Proxy to publish the Exchange service over the Internet. Perform the following steps:
4. On the Publishing Settings page, enter the name of the new published application for your Exchange service, including the external URL and the backend server URL. Make sure the wildcard SSL certificate is selected, because this application is used over the Internet. Click Next.
5. On the Results page, you will see the message "Web application published successfully". Click Close.
6. Repeat steps 1 – 5 for the other services.
You have now configured publishing. To verify the connection, Microsoft provides a tool named Microsoft Remote Connectivity Analyzer at http://testconnectivity.microsoft.com. On the website, select Exchange Server, then select Exchange ActiveSync Autodiscover. Click Next on the right-hand side.
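Both WAP tasks in this guide, the AD FS proxy configuration (Lab 1.3) and the per-service Exchange publishing above, have PowerShell equivalents on the WAP virtual machine. The block below is an added example, not the eBook's own steps: it establishes the AD FS proxy trust once and then publishes the Exchange virtual directories as pass-through applications. Host names follow the eBook's lab; the list of published paths and the certificate lookup by subject are assumptions.

```powershell
# Added example (not from the eBook): configure the AD FS proxy and publish Exchange
# through Web Application Proxy from PowerShell, run on the WAP VM. Names are assumptions.
Import-Module WebApplicationProxy

$FederationServiceName = 'sts.ict24h.info'
$ExchangeHost          = 'mail.ict24h.info'    # public name in the A record
$BackendHost           = 'ex01.ict24h.info'    # EX01, reachable from WAP internally

# Pick the imported wildcard certificate by subject instead of typing a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate with private key not found in LocalMachine\My' }

# Step 1: the AD FS proxy trust (what the WAP configuration wizard in Lab 1.3 does).
# Run once; the credential is an administrator on the AD FS farm.
$alreadyConfigured = $null -ne (Get-WebApplicationProxyConfiguration -ErrorAction SilentlyContinue)
if (-not $alreadyConfigured) {
    Install-WebApplicationProxy -FederationServiceName $FederationServiceName `
        -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator') `
        -CertificateThumbprint $cert.Thumbprint
}

# Step 2: Exchange is published pass-through (Exchange performs its own authentication).
# One application per virtual directory keeps the published surface explicit; only
# publish the paths you actually use. These are the default Exchange paths (assumption).
$paths = @('/owa/', '/ecp/', '/EWS/', '/Microsoft-Server-ActiveSync/', '/Autodiscover/', '/OAB/')
foreach ($p in $paths) {
    $name = 'Exchange ' + $p.Trim('/')
    if (Get-WebApplicationProxyApplication -Name $name -ErrorAction SilentlyContinue) { continue }
    Add-WebApplicationProxyApplication -Name $name `
        -ExternalPreAuthentication PassThrough `
        -ExternalUrl "https://$ExchangeHost$p" `
        -BackendServerUrl "https://$BackendHost$p" `
        -ExternalCertificateThumbprint $cert.Thumbprint
}

# List what is now exposed; review this before running the Remote Connectivity Analyzer.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreAuthentication -AutoSize
```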
Fill in all the information the tool asks for and select Perform Test. If the result is green, your Exchange is publicly reachable over the Internet.
Before this lab, make sure you have completed Labs 2.1 to 2.3 without any error, especially the certificate configuration. Now you are going to establish a hybrid connection between your Exchange Server and Office 365.
9. The wizard can automatically detect the Exchange Server virtual machine that holds the CAS role; in this case it is the EX01 virtual machine. If you have more than one virtual machine, select Specify a server running Exchange 2013 CAS or Exchange 2016. Click next.
10. On the Credentials page, the Office 365 Hybrid wizard asks you for a domain administrator account and an Office 365 administrator account. Click next.
11. The wizard validates the credentials and the connection. Click next.
12. On the Hybrid Configuration page, select Configure my Client Access and Mailbox servers for secure mail transport (typical). If you want centralized mail transport, select the Enable centralized mail transport option; Microsoft explains this feature on the page. Click next.
13. On the Receive Connector Configuration page, select the Exchange virtual machine that will host the Receive connector. Click next.
14. On the Send Connector Configuration page, select the Exchange virtual machine that will host the Send connector. Click next.
15. On the Organization FQDN page, select the FQDN of your on-premises Exchange virtual machine; this configures the outbound mail connector that routes email from Exchange Online to the on-premises server.
The configuration is now done. To verify whether it was successful, perform the following steps:
2. Select mail flow, then accepted domains, to verify the newly added domain; in our case it is ict24happs.mail.onmicrosoft.com.
3. Select recipients, then mailboxes, and open any mailbox; you will see the new SMTP address from Exchange Online.
4. Select mail flow, then send connectors. There is a new Send connector named Outbound to Office 365, added automatically when your hybrid configuration succeeded.
5. If you edit this new Send connector, you will see the addresses of both your on-premises Exchange and Exchange Online.
6. Next, you can test by migrating a mailbox from your on-premises Exchange to Office 365. In the Exchange admin center, select Office 365 from the top bar.
7. Select recipients, then migration. Click the plus icon to add a new migration.
8. There are two migration options: from your on-premises organization to Office 365, and vice versa. Select the first option.
9. In the window, select Remote move migration (supported by Exchange Server 2010 and later versions) for the experiment. Click Next.
11. Enter the username and password of the administrator account. Click Next.
12. Enter the FQDN of your on-premises Exchange virtual machine on which the Mailbox Replication Service (MRS) Proxy is enabled.
13. In the window, name your migration batch and select the Exchange Online address under Target delivery domain. Select the Move the primary mailbox and the archive mailbox if one exists option and enter the bad item limit you want.
14. Select the recipient who receives the report after the batch is complete. Select Automatically start the batch and Automatically complete the migration batch according to your needs.
You have now completed the migration test that verifies the hybrid configuration. As you can see, once hybrid is configured you can work with both on-premises Exchange and Exchange Online with the same experience.
Before the hybrid deployment, you need to install the features and roles required by Skype for Business 2015, including its prerequisites. Perform the following steps:
1. Log in to the virtual machine on which you are going to deploy Skype for Business 2015.
2. Open PowerShell to install the features and roles required for the Skype for Business 2015 deployment.
3. Now you need to create a file share, because Skype for Business 2015 requires one to exchange files among servers.
4. Grant Full Control, Change and Read permissions on this file share to the domain administrator account.
5. Open the DVD on which the Skype for Business Server 2015 installation source is stored. Run setup.exe or use autorun.
6. In the Skype for Business Server 2015 installation window, select Don't check for updates right now. Specify the installation location, then click Install.
7. On the License Agreement page, read the licensing agreement carefully. Select I accept the terms in the license agreement. Click OK.
You have now installed the administrative tools for the Skype for Business Server 2015 deployment. Next you need to prepare Active Directory with the help of the Deployment Wizard. Perform the following steps:
In this lab we are going to install and configure Skype for Business Server 2015 in the on-premises environment. The lab topology consists of two virtual machines: the Front End pool and the Edge Server. Before the lab, create internal DNS records as follows:
Perform the following steps to install the Front End pool server on the SFB virtual machine (sfb.ict24h.info):
1. Open the DVD source. Navigate to the amd64 folder (under the Setup folder) and install SQL Express Edition (SQLEXPR_x64).
2. Install SQL Express with the instance name RTC. After the installation is complete, go to SQL Server Configuration Manager and enable TCP/IP so that your SQL Express instance can communicate over TCP/IP.
3. You also need to verify the default port 1433 and make sure SQL Server Browser is running with the Automatic start mode.
4. Now you need to design and publish the topology for your Skype for Business Server 2015. This is done with the Skype for Business Server Topology Builder tool you installed in Lab 3.1. Run Topology Builder and select New Topology. Click OK.
5. Specify the location to store the topology configuration file, and name your topology.
6. On the Define the primary domain page, enter your primary SIP domain. Click Next.
7. On the Specify additional supported domains page, if you have no additional SIP domain, leave it blank and select Next.
8. On the Define the first site page, enter your site name. Select Next.
9. On the Specify site details page, provide more information about your new site. Select Next.
10. On the New topology was successfully defined page, select Open the New Front End Wizard when this wizard closes to start defining the Front End pool server. Click Finish.
11. On the Define the New Front End pool page, click Next.
12. On the Define the Front End pool FQDN page, enter the FQDN of your SFB virtual machine. Select Standard Edition Server. Click Next.
13. On the Select features page, select Conferencing (includes audio, video, and application sharing) and Call Admission Control. We need these only for experience and lab testing purposes. Click Next.
14. On the Select collocated server roles and Associate server roles with this Front End pool pages you can assign more roles to the Front End pool you are configuring.
15. On the Define the SQL Server store page, select the SQL Express instance you configured. Click Next.
16. On the Define the file store page, enter the file server FQDN and file share. Click Next.
17. On the Specify the Web Services URL page, enter the external base URL. Click Next.
18. On the Select an Office Web Apps Server page, select a server if you have one hosting Office Web Apps; otherwise leave it blank. Click Finish.
19. When you are done, the Topology Builder window shows an active status (green icon).
20. Right-click Skype for Business Server 2015. Select Topology > Publish.
22. On the Select Central Management Server page, select the Front End pool server you just configured.
23. On the Publishing wizard complete page, you may need to click to open the to-do list. Otherwise click Finish.
You have now defined the Front End pool server and published the topology. Perform the following steps to start installing Skype for Business Server 2015:
1. On the SFB virtual machine, run the Skype for Business Server 2015 Deployment Wizard. Click Install or Update Skype for Business Server System.
2. In Install or update member system page, click Run from Step 1: Install Local
Configuration Store.
4. In Executing Commands page, wait until the process is complete. Click Finish.
5. Now you need to start installing the Skype for Business Server components. Click Run from
Step 2.
7. In Executing Commands page, wait until the process is complete. Click Finish.
9. From the Certificate Wizard window, select Import Certificate to import the certificate you
purchased (in this case from Comodo).
10. Browse to your certificate, and enter the password of the private key you set before. Click
Next.
11. In Import Certificate Summary page, review your configuration. Click Next.
12. In Executing Commands page, wait until the process is complete. Click Finish.
13. Back in the Certificate Wizard window, click Assign to assign the certificate to the Front End Pool
server.
14. In Certificate Store page, you will see your wildcard certificate. Click Next.
15. In Certificate Assignment Summary page, review your certificate information again.
Click Next.
16. In Executing Commands page, wait until the process is complete. Click Finish.
17. Repeat the certificate assignment steps for the other web services. Click Close.
18. Back in the Deployment Wizard window, step 4 guides you to run Start-CsWindowsService
on every server. Open PowerShell to run it.
20. Open Services.msc to verify all running services for Skype for Business Server.
22. In Enable Microsoft Update page, select Use Microsoft Update when I check for
updates (recommended). Click OK.
23. Wait until the process is complete. You have completed the Front End Server
installation.
Now you need to install and configure the Edge Server. Perform the following steps:
1. Because the Edge server is not domain-joined and sits in the DMZ, you need to
configure the Primary DNS suffix for this server.
2. Configure the IP addresses for the two network interfaces on the Edge server.
3. Before installing the Edge server, you need .NET Framework 3.5. Go to Server Manager
and install the feature.
4. Import the wildcard certificate from the Front End to the Edge server. You can refer to the steps in Lab
1.1.
5. On the Front End server (sfb.ict24h.info), run Topology Builder. Right click on Edge
pools and select New Edge Pool.
7. Enter the FQDN of the Edge server whose IP address you just configured (in our case it's
edge.ict24h.info). Select This pool has one server. Click Next.
9. In Select features page, select Use a single FQDN and IP address. Click Next.
10. In Select IP options page, enable IPv4 for both internal and external interfaces. Select
The external IP address of this Edge pool is translated by NAT. Click Next.
11. In External FQDNs page, enter the FQDN of your Edge server and the correct port. Click
Next.
12. In Define the internal IP address page, enter the internal IP address of your Edge
server. Click Next.
13. In Define the external IP address page, enter external IP address of your Edge server.
Click Next.
14. In Define the public IP address page, enter the public IP address of your Edge server.
Click Next.
15. In Define the next hop server page, select Front End Pool. Click Next.
16. In Associate Front End or Mediation pools page, select your Front End pool to
associate with your Edge pool. Click Finish.
18. Right click on the site name (ICT24h). Select Edit properties. Configure all settings as in the
screenshot below. Click OK.
20. Export the configuration into a zip file by running the following command in PowerShell:
Export-CsConfiguration -FileName c:\edge.zip
21. Copy the edge.zip file onto the Edge server and start installing Skype for Business Server
2015 on this server.
22. Open the DVD source and run Setup.exe. Select Connect to the internet to check for
updates. Click Install.
23. In Licensing Agreement page, read license terms carefully. Select I accept the terms
in the license agreement. Click OK.
24. From Deployment Wizard on Edge server, select Install or Update Skype for Business
Server System. Click OK.
26. Select Import from a file (recommended for Edge Servers) and browse to the
edge.zip file you exported before. Click Next.
27. In Executing Commands page, wait until the process is complete. Click Finish.
29. In Set Up Skype for Business Server Component page, click Next.
30. In Executing Commands page, wait until the process is complete. Click Finish.
34. In Certificate Store page, select your wildcard certificate. Click Next.
35. In Certificate Assignment Summary page, review your certificate information. Click
Next.
36. In Executing Commands page, wait until the process is complete. Click Finish.
37. In Certificate Wizard page, select the other web services to assign the certificate to. Click
Assign.
39. In Certificate Store page, select your wildcard certificate. Click Next.
40. In Certificate Assignment Summary page, review your certificate information. Click
Next.
41. In Executing Commands page, wait until the process is complete. Review the status in the
Certificate Wizard window again. Click Close.
42. Now open PowerShell to run the Start-CsWindowsService command, and also
verify all running services from Services.msc.
43. From Deployment Wizard, run Windows Update to check all updates available for Skype
for Business Server 2015.
You have successfully set up and configured Skype for Business Server 2015 on your Edge
server.
Lab 3.3 – Configure Hybrid Mode for Skype for Business Server 2015
Before this lab, make sure you completed the Active Directory Federation Services installation and
configuration in Lab 1.3. Perform the following steps to configure Hybrid mode:
1. On the Front End Server (sfb.ict24h.info), run PowerShell with an administrator account and
run the following commands. When you are asked for your Office 365 credential, enter the
administrator account:
Import-Module SkypeOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
3. Open Skype for Business Control Panel and log into Office 365 with administrator
account.
5. In Set up Hybrid with Skype for Business Online windows, click Next.
6. The tool checks whether your on-premises configuration works correctly with the
federation service. Make sure all required configuration is verified.
7. Check by moving one user from on-premises Skype for Business to Office 365. Select
User from the left navigation. Choose one user and select Action > Move selected
users to Skype for Business Online.
8. Read Microsoft's guidance carefully. Make sure the user you want to move has a Skype
for Business Online license assigned. Click Next.
9. You will see the status in the window. Click Close.
10. Verify the status in Skype for Business Server control panel.
You have finished setting up Hybrid mode for on-premises Skype for Business Server and Skype
for Business Online.
The last step is to publish your on-premises Skype for Business Server over the Internet and
test its functionality for both types of users: on-premises and online. Before doing that, make sure
your firewall rules are configured correctly for the required ports:
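As an added example (not the eBook's own script), the hybrid steps above carried out and verified from PowerShell on the Front End: the on-premises federation prerequisites are checked before the online session is imported, the tenant setting is read back, the pilot user's license is confirmed, and the user is moved the same way the Control Panel action does. Assumed values: the pilot UPN pilot.user@ict24h.info and the HostedMigrationOverrideUrl, whose adminXX pod name you take from your own Skype for Business Online admin center address.

```powershell
# Added example, not from the eBook. Run in an elevated PowerShell on the Front End (sfb.ict24h.info).
Import-Module SkypeForBusiness       # on-premises cmdlets
Import-Module SkypeOnlineConnector   # Skype for Business Online cmdlets
Import-Module MSOnline               # Azure AD (MSOnline v1) for the license check

# On-premises prerequisites, checked BEFORE Import-PSSession so that online cmdlets
# with the same names (-AllowClobber) cannot shadow these.
$edgeCfg  = Get-CsAccessEdgeConfiguration
$provider = Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq "sipfed.online.lync.com" }
if (-not $edgeCfg.AllowFederatedUsers) {
    Write-Warning "Federation is disabled (Get-CsAccessEdgeConfiguration.AllowFederatedUsers)"
}
if (-not $provider -or -not $provider.Enabled -or -not $provider.EnabledSharedAddressSpace) {
    Write-Warning "No enabled hosting provider for sipfed.online.lync.com with shared address space"
}

$cred = Get-Credential -Message "Office 365 global administrator"
Connect-MsolService -Credential $cred
$session = New-CsOnlineSession -Credential $cred
Import-PSSession $session -AllowClobber | Out-Null

# Tenant side: enable shared SIP address space (as in the lab) and read it back.
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
if (-not (Get-CsTenantFederationConfiguration).SharedSipAddressSpace) {
    throw "SharedSipAddressSpace is still disabled on the tenant"
}

# Pilot user: a Skype for Business Online service plan (MCO*) must be provisioned before the move.
$upn = "pilot.user@ict24h.info"   # assumed test account
$plan = (Get-MsolUser -UserPrincipalName $upn).Licenses.ServiceStatus |
    Where-Object { $_.ServicePlan.ServiceName -like "MCO*" -and $_.ProvisioningStatus -eq "Success" }
if (-not $plan) { throw "$upn has no provisioned Skype for Business Online plan" }

# Move the user online; module-qualified so the on-premises Move-CsUser is the one that runs.
$migrationUrl = "https://adminXX.online.lync.com/HostedMigration/hostedmigrationService.svc"  # assumed pod
SkypeForBusiness\Move-CsUser -Identity $upn -Target "sipfed.online.lync.com" -Credential $cred `
    -HostedMigrationOverrideUrl $migrationUrl -Confirm:$false

# Verify: an online-homed user shows HostingProvider = sipfed.online.lync.com on-premises
# (same status the Control Panel shows in step 10).
SkypeForBusiness\Get-CsUser -Identity $upn | Select-Object SipAddress, HostingProvider, Enabled
Remove-PSSession $session
```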
Perform the following steps on the TMG virtual machine you prepared at the beginning of your lab:
1. Create a Network Rule to translate outbound traffic from the Edge server (172.16.1.9) to the
Internet using this IP address: 125.253.124.164 (your IP address may be different).
3. Create Non-Web server publishing rules for the ports listed above by selecting the Tasks tab.
Select Publish Non-Web Server Protocols.
4. In the welcome page, enter a name for the server publishing rule. Click Next.
5. In Select Server page, enter the IP address of your Edge server. Click Next.
10. Repeat steps 3 to 9 for the other ports: TCP 443 – 444, TCP 5268, UDP 3478.
11. To publish ports 443 and 444, create a publishing rule named AV WebConf with an
inbound port range of 443-444.
124
Step-by-Step Guide to Office 365 Hybrid Deployment
12. To publish UDP port 3478, create a protocol named STUN Edge. The direction is
Receive Send.
13. To publish TCP port 5269, create a protocol named XMPP Server.
16. In Publishing Type page, select Publish a single Web site or load balancer. Click
Next.
17. In Server Connection Security page, select Use SSL to connect to the published
Web server or server farm. Click Next.
18. In Internal Publishing Details page, enter the internal site name. Click Next.
20. Select This domain name (type below): at Accept requests for setting. Enter the
public domain you configured before with path “/*”. Click Next.
21. Now you need to create a new web listener. In welcome page, enter your web listener
name. Click Next.
22. In Client Connection Security page, select Require SSL secure connections with
clients. Click Next.
23. In Web Listener IP Addresses page, select External. Click Select IP Addresses.
24. From the selection window, select Specified IP addresses on the Forefront TMG
computer in the selected network and add the available IP address. Click OK.
25. In Listener SSL Certificates page, select Assign a certificate for each IP address
and select your IP address. Click Select Certificate.
26. In Select Certificate window, select the wildcard certificate you already imported.
Click Select.
27. Verify information with assigned certificate again in Listener SSL Certificates page.
Click Next.
31. In User Sets page, add All Users as the set the rule applies to. Click Next.
32. Go to the Skype for Business 2015 rule and edit its properties on TMG.
33. On the Bridging tab, select Redirect requests to SSL port and change the port to 4443.
Click OK.
133
Step-by-Step Guide to Office 365 Hybrid Deployment
34. Click Public Name tab, add two addresses to the list: dialin.ict24h.info and
meet.ict24h.info.
35. Now you just need to test the publishing rule by browsing to meet.ict24h.info. If you are
asked to provide credentials before calling and chatting, you have completed the Hybrid
configuration for Skype for Business Online.
Outbound Search: allows users to search information stored in SharePoint Online from
on-premises SharePoint Server.
Inbound Search: allows users to search information stored in on-premises SharePoint
Server from SharePoint Online.
Two-way Search: includes both Outbound and Inbound Search.
1. The very first step is to establish trust between on-premises SharePoint Server and
Azure Access Control Services. On SharePoint Server, open IIS > Server Certificates.
3. In Specify Friendly Name page, enter a name for your certificate. Select Personal. Click
OK.
4. Open the certificate you just created. Click Details tab > Copy to File.
7. Select Personal Information Exchange – PKCS #12 (.PFX). Select Include all
certificates in the certification path if possible. Click Next.
8. Add the account that should have access to the certificate and enter a password to protect
the private key. Click Next.
Now you need to establish the server-to-server (S2S) trust using PowerShell. Perform the following
steps (replace the <...> placeholders with your own values):
# Wildcard CN of the public domain used by the SharePoint web application
$spcn="*.<public_root_domain_name>.com"
# Principal web application and its site collection
$spsite=Get-Spsite <principal_web_application_URL>
$site=Get-Spsite $spsite
# Well-known application principal ID of SharePoint Online
$spoappid="00000003-0000-0ff1-ce00-000000000000"
# Your tenant's context (realm) ID and the ACS metadata endpoint derived from it
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"
3. You need to upload the STS certificate to SharePoint Online. The model looks like the
illustration below.
7. Create a new Azure Access Control Service application proxy and Security Token Issuer:
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
You have successfully established server-to-server trust between your on-premises SharePoint
Server and the identity provider of SharePoint Online.
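As an added example (not the eBook's own script), a check run from the SharePoint Management Shell after the S2S commands above: it confirms the authentication realm, the "ACS" token issuer and proxy, reachability of the ACS metadata endpoint, and also the two pieces Microsoft's full procedure creates that the commands above do not show (the registered SharePoint Online app principal and the service principal name on the SharePoint Online principal). Assumed values: the web application URL https://sharepoint.ict24h.info and the wildcard domain *.ict24h.info; the metadata endpoint is assumed to return JSON with a "keys" array of signing certificates.

```powershell
# Added example, not from the eBook. Run in the SharePoint Management Shell on the on-premises farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message "Office 365 global administrator")

$webAppUrl = "https://sharepoint.ict24h.info"               # assumed principal web application URL
$spcn      = "*.ict24h.info"                                # assumed public root domain (wildcard CN)
$spoappid  = "00000003-0000-0ff1-ce00-000000000000"         # SharePoint Online app principal (from the lab)
$tenantId  = "$((Get-MsolCompanyInformation).ObjectId)"
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$tenantId/metadata/json/1"
$problems = @()

# 1. The farm's authentication realm must be the tenant ObjectId, otherwise tokens that
#    SharePoint Online presents carry a realm this farm does not recognise.
if ("$(Get-SPAuthenticationRealm)" -ne $tenantId) {
    $problems += "Authentication realm is not the tenant ObjectId ($tenantId)"
}

# 2. Trusted security token issuer 'ACS' must exist, act as trust broker and be bound to this tenant.
$issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" }
if (-not $issuer) { $problems += "Trusted security token issuer 'ACS' not found" }
elseif (-not $issuer.IsTrustBroker) { $problems += "Issuer 'ACS' is not a trust broker" }
elseif ($issuer.RegisteredIssuerName -notlike "*@$tenantId") {
    $problems += "Issuer 'ACS' is registered for another realm: $($issuer.RegisteredIssuerName)"
}

# 3. The ACS application proxy created in the lab (named "ACS") must be present.
if (-not (Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq "ACS" })) {
    $problems += "Azure Access Control Service application proxy 'ACS' not found"
}

# 4. SharePoint Online must be registered as an app principal on the web application.
$principal = Get-SPAppPrincipal -Site $webAppUrl -NameIdentifier "$spoappid@$tenantId" -ErrorAction SilentlyContinue
if (-not $principal) { $problems += "App principal $spoappid@$tenantId not registered on $webAppUrl" }

# 5. The SharePoint Online service principal must carry the SPN for the public domain.
$spns = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ServicePrincipalNames
if ($spns -notcontains "$spoappid/$spcn") { $problems += "SPN $spoappid/$spcn missing on the SPO principal" }

# 6. The metadata endpoint must be reachable and publish signing keys (assumed 'keys' array).
try {
    $meta = Invoke-RestMethod -Uri $metadataEndpoint -ErrorAction Stop
    if (-not $meta.keys -or @($meta.keys).Count -eq 0) { $problems += "No signing keys at $metadataEndpoint" }
} catch { $problems += "Metadata endpoint unreachable: $($_.Exception.Message)" }

if ($problems.Count -eq 0) { "S2S trust checks passed for $webAppUrl" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```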
Now you need to configure Search for testing. Perform the following steps:
1. Open a SharePoint site collection > Site Settings > Search Result Sources.
3. Enter a name for the new result source. Select the Remote SharePoint protocol.
4. Enter your SharePoint Online site collection as the Remote Service URL. Select
SharePoint Search Results. Click Save.
6. Select the result source you just created from the list of result sources.
7. Enter a name for the search query rule. Select One of these sources and pick the
new result source you just created. Select All categories and All user segments.
8. In Query Conditions, select Query Matches Keyword Exactly (for testing
purposes). Click Remove Condition. Then click Add Result Block.
9. From Add Result Block page, under Search this source, select your new result
source.
10. Under Settings, select This block is always shown above core results. Click Save.
11. Review your configuration again.
12. Go to your on-premises SharePoint site collection and to SharePoint Online to test hybrid
search.
1. Log into the Office 365 portal. Select DOMAINS. Click Add domain.
4. Office 365 recognizes the domain provider from which you purchased your domain. In our
case, Office 365 recognized GoDaddy. Office 365 asks you to sign in to the domain
control panel. For example, in our case, click Sign in to GoDaddy.
6. From the Confirm Access page, GoDaddy asks you to allow Office 365 to
make some changes to the domain. Click Accept.
7. Office 365 then completes the domain verification automatically. Click Next.
8. Select the users in Office 365 whose domain you want to update. For example, update
admin@ict24happs.onmicrosoft.com to admin@ict24h.info. Click Update selected
users.
11. Sign in to your Office 365 portal with the newly updated account.
13. Select No, I have an existing website or prefer to manage my own DNS records.
14. By default, Office 365 helps you update the configuration for Exchange, Skype for
Business and Mobile Device Management. Click Next.
15. The records page lists the DNS records Office 365 requires. Click Add
records to add a new one.
18. From the DOMAINS page, verify the new domain you just added and configured.
--End--