Steve Goodman's Exchange Blog
17Apr/129

Enabling Silent OWA Redirection for Office 365 Hybrid


As part of a Hybrid deployment of Exchange Server 2010 and Office 365, you’ll be faced with a few challenges if you want to keep a single Outlook Web App URL for your end users.

If you’re using Windows Authenticated Login against Exchange and AD FS then you’ll already have avoided multiple login prompts; and if you’re using Forms Based Authentication for both I’ve covered the TMG setup necessary to configure the same single sign on you’ll see in these videos in my article Configuring AD FS 2 with TMG-based SSO to Office 365.

The other challenge that I really wanted to get a solution for, and get feedback from others on, is the landing page shown above where the end user needs to click-through the “Use the following link to open this mailbox with the best performance” page. What I wanted was a solution that avoided that step entirely.

Now, it’s not necessary to do this if you are happy for users to update their own bookmarks, and concerns about users seeing a non-company domain can be avoided by following the steps in this article by Timothy Heeney, which shows you how to set up a separate vanity Office 365 URL like “http://cloud.company.com/owa” by using CNAME records.

However, if you have a large user base that will be mixed between on-premises and Office 365, then keeping a single OWA URL will be very desirable. For example, a large university may have user documentation with the URL specified, lab computers with standard bookmarks, and the possibility that users may move between on-premises and Office 365 as they move between different courses or roles. It might only be an extra click, but add up that extra 5 seconds across tens of thousands of users logging into OWA per day and it starts to add up.

If you’re not familiar with the process, here’s a quick demo of the current “out of the box” experience, optimised using TMG for forms-based single sign-on:

[Video: OWA Standard Sign-in to Office 365]

As you can see it’s good – but it’s not great. It’s not got the “wow” factor that makes a hybrid deployment feel like a single organization.

The redirect page itself does serve other purposes, so it’s not like we can just get rid of it. It’s used by Exchange itself if you have an environment with multiple internet facing sites, unless you use the SP2 feature for silent redirection between sites. So we can’t just do away with the redirection page altogether – we need to take into account where it might be used elsewhere.

Another issue that’s been highlighted to me (thanks BR!) is that the default non-SSL link generated through the Hybrid Wizard is in the form http://outlook.com/owa/federateddomain rather than its SSL equivalent – so using this (or the vanity URL mentioned above) could generate browser warnings about redirection to an insecure link. Therefore the link we redirect to must be in the form https://outlook.com/owa/federateddomain. This can be changed easily, by editing the Organization Relationship like so:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain


Once this is changed, we should be ready to enable the silent OWA redirection in Exchange itself, by editing the casredirect.aspx file within OWA.

Before we begin – it’s important to understand that this is unsupported by Microsoft, and it probably never will be. Therefore, you’ll need to test this in your own environment, and be prepared to replace the original casredirect.aspx file in the event of any issues; you’ll also need to check and if needed, re-implement this after application of update rollups or service packs. That said, so far I can’t see a reason why this would cause any issues and part of the point of this post is to gain some feedback from the community as to any other downsides.

So now you know why you shouldn’t do this – let’s look at how to do it! You’ll find the casredirect.aspx file within the OWA directory, typically at the following path within the Exchange install directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\

Edit the casredirect.aspx file and add the following lines directly above the <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> tag:

<%
    if (RedirectionUrl.Contains("https://outlook.com/owa")) {
        Response.Redirect(RedirectionUrl);
        Response.End();
    }
%>

This should look like this in the actual file itself:


What does this do? Well, it’s pretty straightforward: before any content is rendered, the Redirection URL is checked to see whether it contains https://outlook.com/owa (note the HTTPS!), and if so a redirect to Office 365 is issued. For any other Redirection URL, the page renders normally.
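Because the edit is lost whenever a rollup or service pack replaces casredirect.aspx, it helps to have the change scripted. The following is an added example, not code from the original post: it checks the Organization Relationship uses the HTTPS target, backs up the file, and inserts the block above the DOCTYPE only if it is not already there. It assumes the Exchange Management Shell on the CAS, the default V14 install path and the relationship name used above.

```powershell
# Added example (not from the original post). Re-applies the casredirect.aspx
# edit in a repeatable way so it can be re-run after an update rollup or
# service pack has replaced the file. Assumes the default V14 install path.

$CasRedirect = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\casredirect.aspx'
$RelationshipName = 'On Premises to Exchange Online Organization Relationship'
$TargetOwaPrefix = 'https://outlook.com/owa'
$DocType = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">'

# The server-side block from the post. Contains() matches the string anywhere in
# the URL; that is acceptable here because RedirectionUrl is built by Exchange
# from the Organization Relationship, not from anything the browser sends, but
# StartsWith() would be the stricter test if you want to tighten it.
$Snippet = @"
<%
    if (RedirectionUrl.Contains("$TargetOwaPrefix")) {
        Response.Redirect(RedirectionUrl);
        Response.End();
    }
%>
"@

function Test-TargetOwaUrl {
    # The redirect target must be the HTTPS form, otherwise browsers warn about
    # being sent from a secure page to an insecure one.
    $Rel = Get-OrganizationRelationship -Identity $RelationshipName
    $Url = [string]$Rel.TargetOwaURL
    if ($Url -notlike "$TargetOwaPrefix*") {
        throw "TargetOwaURL is '$Url'; set it to $TargetOwaPrefix/<federated domain> with Set-OrganizationRelationship first."
    }
    Write-Host "TargetOwaURL OK: $Url"
}

function Add-SilentOwaRedirect {
    # .NET file I/O rather than Get-Content -Raw, so this also works on the
    # PowerShell 2.0 shell that ships with Exchange 2010.
    $Content = [System.IO.File]::ReadAllText($CasRedirect)
    if ($Content.Contains('RedirectionUrl.Contains(')) {
        Write-Host 'Silent redirect block already present; nothing to do.'
        return $false
    }
    $Index = $Content.IndexOf($DocType)
    if ($Index -lt 0) {
        throw "DOCTYPE line not found in $CasRedirect; the file layout has changed, review it by hand."
    }
    # Keep a timestamped copy so the original can be restored if anything breaks.
    $Backup = "$CasRedirect.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $CasRedirect -Destination $Backup
    $Updated = $Content.Insert($Index, $Snippet + "`r`n")
    [System.IO.File]::WriteAllText($CasRedirect, $Updated, [System.Text.Encoding]::UTF8)
    Write-Host "Inserted redirect block above DOCTYPE; original saved as $Backup"
    return $true
}

Test-TargetOwaUrl
Add-SilentOwaRedirect
```

Run it again after each rollup: it reports "already present" when the edit survived and re-inserts it (with a fresh backup) when the file was replaced.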

Let’s take a look at how it works in practice:

[Video: OWA Silent Redirection to Office 365]


As you can see it’s fairly simple to implement, and provides a clean login consistent with on-premises Outlook Web App when combined with other SSO methods. Let me know what you think in the comments…

Steve

27Nov/103

Managing Office 365 and On-Premises Exchange 2010 from the same Powershell Session

I've just been reading this article on Mike Pfeiffer's blog about connecting Remote PowerShell to Office 365. I've not yet got my beta account on Office 365, but I do use Live@EDU/Outlook Live and had been wondering how similar administration is. It turns out that it's exactly the same (even down to the server names), so I thought it might be worth sharing a method I've been using for some…

Because there is such a big overlap of cmdlets between your On Premises Exchange 2010 environment and Office 365/Outlook Live, it can be a bit of a pain when you want to write a script that performs actions on both. I've documented how to do this in a previous post, but when you are disconnecting/connecting between environments, it can get pretty confusing. A simple error in a script can mean you create mailboxes in the wrong environment.

The solution is to use the -Prefix parameter when you're connecting to each environment. This means that, for example, Get-Mailbox can appear as Get-OnPremisesMailbox and Get-CloudMailbox. Your scripts can now easily target either environment, or both in the same script and you won't need to keep on checking whether you're performing actions against the local Exchange server or your "cloud" environment.

To demonstrate how simple this is, here's a quick example of connecting to both environments:


# Connect to On Premises Exchange
$OnPremisesSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.contoso.com/powershell/ -Authentication Kerberos
Import-PSSession $OnPremisesSession -Prefix OnPremises
# Connect to Office 365 / Outlook Live
$CloudCredential=Get-Credential
$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $CloudCredential -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $CloudSession -Prefix Cloud

This should connect us to both environments and even allow us to combine On Premises and Cloud Powershell cmdlets together. For example, to get a total of all your mailboxes, both On Premises and in Office 365 / Outlook Live:


(Get-OnPremisesMailbox -ResultSize Unlimited).Count + (Get-CloudMailbox -ResultSize Unlimited).Count

You can also combine commands via the pipeline. In the next example, we will get all On Premises mail-enabled users that have an External Email Address in our Office 365 / Outlook Live domain (e.g. they are synced using OLSync/DirSync), then start a foreach loop (using the % shorthand) and retrieve details about the mailboxes from Office 365 / Outlook Live:


Get-OnPremisesMailUser -ResultSize Unlimited -Filter {ExternalEmailAddress -like "*@contoso.onmicrosoft.com"} | %{Get-CloudMailbox $_.UserPrincipalName}

Finally, a few notes for those who are just starting to play with Office 365 or Outlook Live via Remote Powershell. Firstly, you might need to set your Powershell execution policy (at an elevated command prompt) the first time you connect:


Set-ExecutionPolicy RemoteSigned

And if you are developing/testing and you find the Get-Credential part above tiresome, you can replace the line with a hard-coded plain text username/password. Be wary of using this in your production environment, due to the security implications of hard-coding an admin password in clear text in a script:


$CloudCredential = New-Object System.Management.Automation.PSCredential "admin@contoso.onmicrosoft.com", (ConvertTo-SecureString "password" -AsPlainText -Force)
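As an added example (not code from the original post), here is the same dual-session setup in a form that avoids the plain-text password: the credential is prompted for once and saved with Export-Clixml, which stores the SecureString encrypted for the current Windows user on that machine, and the prefixed cmdlets are then used to reconcile synced users against their cloud mailboxes. The host names and the .onmicrosoft.com domain are the post's placeholder values; the file path is an assumption.

```powershell
# Added example (not from the original post). Connects to both environments
# with distinct cmdlet prefixes, keeps the cloud admin password out of the
# script, and reconciles DirSync'd mail users against cloud mailboxes.

function Get-SavedCloudCredential {
    param(
        [string]$UserName = 'admin@contoso.onmicrosoft.com',
        [string]$Path = (Join-Path $env:USERPROFILE 'cloud-admin.cred.xml')   # assumed location
    )
    if (Test-Path $Path) { return Import-Clixml -Path $Path }
    # First run only: prompt once, then persist. Export-Clixml protects the
    # password with DPAPI, so the file only decrypts for this user on this box.
    $Cred = Get-Credential $UserName
    $Cred | Export-Clixml -Path $Path
    return $Cred
}

function Connect-Environments {
    param(
        [string]$OnPremisesUri = 'http://exchange.contoso.com/powershell/',
        [string]$CloudUri = 'https://ps.outlook.com/powershell/',
        [System.Management.Automation.PSCredential]$CloudCredential = (Get-SavedCloudCredential)
    )
    $OnPrem = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $OnPremisesUri -Authentication Kerberos
    $Cloud = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $CloudUri -Credential $CloudCredential -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
    # Import-PSSession inside a function only imports into the function's own
    # scope; passing the temporary module to Import-Module -Global makes
    # Get-OnPremisesMailbox / Get-CloudMailbox available to the caller.
    Import-Module (Import-PSSession $OnPrem -Prefix OnPremises -DisableNameChecking) -Global
    Import-Module (Import-PSSession $Cloud -Prefix Cloud -DisableNameChecking) -Global
    return @($OnPrem, $Cloud)
}

function Get-MailboxTotals {
    # @() guards against .Count being absent when a query returns a single object.
    $OnPremCount = @(Get-OnPremisesMailbox -ResultSize Unlimited).Count
    $CloudCount = @(Get-CloudMailbox -ResultSize Unlimited).Count
    New-Object PSObject -Property @{ OnPremises = $OnPremCount; Cloud = $CloudCount; Total = $OnPremCount + $CloudCount }
}

function Get-SyncedUsersWithoutCloudMailbox {
    # Every mail user synced to the cloud domain should have a cloud mailbox;
    # listing the ones that do not is where a mailbox created in the wrong
    # environment shows up.
    param([string]$CloudDomain = 'contoso.onmicrosoft.com')
    Get-OnPremisesMailUser -ResultSize Unlimited -Filter "ExternalEmailAddress -like '*@$CloudDomain'" | ForEach-Object {
        $CloudMailbox = Get-CloudMailbox -Identity $_.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $CloudMailbox) {
            New-Object PSObject -Property @{
                UserPrincipalName = $_.UserPrincipalName
                ExternalEmailAddress = [string]$_.ExternalEmailAddress
            }
        }
    }
}

$Sessions = Connect-Environments
try {
    Get-MailboxTotals | Format-List
    Get-SyncedUsersWithoutCloudMailbox | Format-Table -AutoSize
}
finally {
    # Always tear the remote sessions down; otherwise they count against the
    # concurrent-session limit until they time out.
    $Sessions | Remove-PSSession
}
```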

Hope this helps!

11Nov/103

Missed Tech Ed Europe 2010? Watch the Exchange Sessions Online Now

This week in Berlin, Germany, TechEd Europe 2010 is taking place. TechEd is Microsoft’s main educational event providing a week of comprehensive training, hands-on labs and a chance to hear about the future of Microsoft products direct from the source.

If (like myself) you’ve been unable to attend TechEd Europe in Berlin this week you’ll be missing out on a number of fantastic Exchange related sessions, covering what’s new in Exchange 2010 SP1, High Availability and Office 365 amongst others.

The good news is that most of these sessions are available to watch online at the Tech Ed website, and also available to download along with the accompanying PowerPoint decks for offline viewing.

For my (and your) convenience, I’ve collated the Exchange and related sessions below and as they are posted online, I’ll keep this article updated.

Update 1: 21:54 11th Nov - Added COS203, COS208-LNC, SIA303 & SIA304

Update 2: 23:07 13th Nov - Added UNC311, UNC401 & UNC403

Please note – at least for me, the view online links can be a little flaky, but refreshing the page seems to work. The PPT and WMV links are good though.

UNC203 - What's New in Microsoft Exchange Server 2010 SP1? - Scott Schnoll

This session provides details on the many new features and enhancements in Exchange Server 2010 SP1. We’ll start by covering the new pre-requisites for Service Pack 1, the enhancements and changes to setup and deployment, and the choices of permission models. Then we’ll dive into the enhancements in each server role, covering many of the more than 75 new features in SP1, such as mailbox audit logging, new IRM functionality, personal archive enhancements and more.

View Online | Download Video | Download PPT | Flickr Photoset

UNC311 - How Outlook connects to Exchange 2010 Client Access Server - Ross Smith IV

The Client Access Server role in Exchange 2010 brings a lot of new features for the end user, but this session will focus on the improvements for the administrator. We will cover what has evolved and what needs to be understood about the following areas: RPC Client Access, Address Book service, client connection behaviors, and load balancing requirements.

View Online | Download Video | Download PPT

UNC308 - Archiving, Retention and Discovery with Microsoft Exchange Server 2010 SP1 - Krish Sundaresan

As the volume of email continues to increase, you are likely to be seeking new and better ways to preserve and discover critical email data to meet an array of IT governance, legal and compliance requirements. To help address these needs, Exchange Server 2010 introduced integrated archiving and discovery capabilities. This session offers a technical overview and demonstration of the features and functionality delivered in Exchange 2010 and SP1.

View Online | Download Video

UNC215-LNC - Exchange 2010 Solutions from HP and Microsoft for Simplified Messaging - Michael Kohs; Tim Doering

Today’s businesses are becoming more and more reliant on email messaging, but at the same time an increasing number of users and mailboxes has led to uncertainties about the cost and performance of messaging solutions. Learn about HP’s building blocks for building a variety of Exchange implementations, ranging from small and medium sized to large-scale datacenter deployments. With these unique HP building blocks, customers will benefit from:

  • Increased business efficiency by seamlessly converging the infrastructure stack, using proven industry standard components
  • Easy setup, management and monitoring using HP’s renowned software suite
  • Best in class reliability and variety of choices for high-availability solutions
  • Lower total cost of ownership through savings in floor space, power, cooling and optimized $/GB

Learn how only HP can help you to build a high-availability, cost-effective and simple, yet high-performing environment when migrating to Microsoft Exchange 2010.

View Online | Download Video | Download PPT

UNC401 - Microsoft Exchange Server 2010: High Availability Deep Dive (including changes introduced by SP1) - Scott Schnoll

Go far beyond the basics of Exchange High Availability and learn what's really going on under the hood in an Exchange 2010 database availability group (DAG). This session covers key aspects of the inner workings of DAGs, including a deep dive technical discussion on how DAGs rely on quorum and how the DAG witness and witness server are used. You'll also gain a solid understanding of Active Manager and its best copy selection process. This session also includes details on the continuous replication and database copy management improvements added in SP1.

View Online | Download Video | Download PPT

UNC403 - Native Data Protection in Exchange 2010 SP1 - Ross Smith IV

This session will explain how Exchange 2010 can protect data with features such as mailbox resiliency, single item recovery, and the lagged copy. We will demonstrate how to use Single Item Recovery and Lagged Copies, and look at how these features can replace traditional point-in-time backups for customers, while lowering costs.

View Online | Download Video | Download PPT

COS201 - Office 365: What’s Coming Soon - Jennifer Pisani, Ural Cebeci, Eron Kelly

This session provides a preview of our next generation cloud productivity services, Office 365 (previously known as Business Productivity Online Standard Suite). Office 365 brings together cloud versions of our most trusted email, communication and collaboration software, Exchange Online, SharePoint Online and Lync Online, with our familiar Office Professional Plus desktop suite. In this session we will demonstrate how the messaging and collaboration capabilities in what is now Office 365 have evolved as the latest server technology is deployed in this collection of hosted enterprise software services. Join us for an interactive conversation on the future of productivity and to learn more about Office 365!

View Online | Download Video | Download PPT

COS302 - Office 365: Identity and Access Solutions - Dan Kershaw

This session provides a preview of the identity and access solutions in the next generation of the Business Productivity Online Standard Suite (Office 365). The session will focus on how authentication works for both web apps and rich client apps, how to enable single sign-on (SSO) using corporate AD credentials and AD FS 2.0 to Office 365 services, and the different SSO deployment options for Office 365 services.

View Online | Download Video | Download PPT

UNC204 - BPOS/S Exchange Online - Notes from the field - Neil Johnson

During this session we will take a look at BPOS/S Exchange Online customer deployments in the real world: what problem areas were discovered during the planning, deployment and migration phases, and how they were resolved. We will also share some practical experience of planning for Office 365 deployments with Beta customers. This session aims to provide some real world insight into planning for and deploying Exchange Online into your organisation.

View Online | Download Video

COS202 - Microsoft Live@edu: Moving Your School Communication and Collaboration to the Cloud - Ann Vu, David Fisher, Massimo Marzocchi

Moving email to the cloud is a big trend in Education. Lots of schools are also looking at how to leverage cloud solutions for collaboration. Microsoft Live@edu is part of Microsoft's S+S solutions and provides communication and collaboration services for educational institutions at no cost. Join us in this session and become part of a family of thousands of schools that have chosen Live@edu. We outline the current features of a Live@Edu implementation, touching upon key IT and end user scenarios. We also discuss how you can extend Live@edu to best fit your school needs, demonstrate Office Web Apps for the newest release of Microsoft Exchange on the cloud, and provide a sneak preview of where we are headed in the future with SharePoint based collaboration and productivity.

View Online | Download Video | Download PPT

COS203 - Implementing Microsoft Business Productivity Online Standard Suite (BPOS): Planning, Preparation and Migration - Tom Ligon, Philippe Maurent

This session provides guidance for individuals responsible for coordinating and performing customer deployment and migration activities related to migrating customers from their current environment to BPOS-Standard. This session guides attendees through three key deployment project phases: Plan, Prepare, and Migrate, focusing on the tasks handled by partners and customers, and providing a high-level review of tasks handled internally by Microsoft services teams. This session does not cover processes that occur prior to deployment (Sales and Initial Assessment) and post-deployment (Operations).

View Online | Download Video | Download PPT

COS208-LNC - A Walkthrough of the next version of BPOS now called Office 365 - David Anderson

This session will take you through the key features of the future release of the BPOS platform (now called Office 365). We will cover the Onboarding and Administration portals and the new interfaces with Exchange Online, SharePoint Online and Lync, as well as how to access managing users and groups, commerce, mailbox migrations, and support.

View Online | Download Video

SIA303 - Better Together: Mail Protection and Routing Scenarios with FOPE and Office 365 - Cristian Mora, Wendy Wilkes

The next release of FOPE will have new capabilities that not only enable new Office 365 cloud-based application suite and BPOS customers to route mail via FOPE for filtering, but also enable all FOPE customers to configure secure cross-premise hybrid mailflow scenarios that can help customers seamlessly move mail infrastructure to the cloud while maintaining existing investments and configuration. We will present and demonstrate these scenarios and describe the underlying architecture.

View Online | Download Video | Download PPT

SIA304 - Information Protection for Microsoft Exchange Server 2010 SP1 and Exchange Online using AD RMS - Tejas Patel

Learn about new Exchange 2010 SP1 and Exchange Online IRM capabilities that protect content on premises and in the cloud, using AD RMS.

View Online | Download Video | Download PPT

Keep checking this post for updates, and if there are any good TechEd Europe 2010 Exchange-related sessions online that I’ve missed, let me know in the comments.

22Oct/104

Office 365 – What does it mean for Exchange?

Earlier this week, Microsoft announced the next generation of their cloud online services, Office 365. This new suite of online services will offer Exchange Online, SharePoint Online, Lync Online (the next generation of Office Communications Server) and the desktop Office Professional Plus suite.

When it comes to messaging, the next generation of Exchange Online provides Exchange 2010 SP1 along with mailbox sizes up to 25GB, online archiving features, voicemail integration with On Premises PBXs and enterprise email features such as retention policies and cross-mailbox search.

One of the fundamental differentiators of Office 365 was announced on the Exchange Team Blog: the ability to integrate closely with On Premises Exchange. ADFS 2.0 powered Single Sign On will enable what has been known as "Connected Federation". This allows users to log in using their On Premises Active Directory credentials, mailbox moves either way between On Premises and Exchange Online, cross premises mail tracking & routing, and management of both On Premises and Exchange Online from a familiar toolset - a single Exchange Management Console, ECP and Exchange Management Shell. As well as all this, more basic, critical features like availability (free/busy) and Calendar and Contact sharing will be supported via Federated Sharing.

So - why would a cross-premises deployment (where some mailboxes remain On Premises and some are hosted on Office 365) have a business case, especially where it hasn't been considered in the past? The key reason to consider a cross-premises deployment is so your business can take advantage of the best of both worlds. It's already gaining traction in the server virtualization area (just look at what VMware are aiming for) and it's a great fit for messaging. When looking to move to Exchange 2010, a lot of enterprises are considering consolidating their Exchange infrastructure and avoiding managing mailbox servers at small branch offices. Hosting mailboxes in the cloud makes a lot of sense in this situation as it can remove a major point of failure - the internet or WAN links into the regional or main HQ. Road warriors commonly only need an internet connection, so again, hosting their mailbox using Office 365 makes a lot of sense. However - in larger offices, where the bandwidth required for all Outlook clients to connect out to the internet would be significant, or where a loss of connectivity to Exchange could paralyse the business, it still makes sense to host Exchange On Premises. Utilizing a cross-premises deployment with Office 365 could save money and effort when it comes to those branch offices and mobile users, but also allows the user mailboxes to be moved back On Premises (or vice-versa) as the user's role in the organisation changes.

Of course, there are some questions and possible caveats that still need to be answered by Microsoft and assessed against your business needs before even thinking about whether Office 365 will be appropriate; for example, how are 25GB Office 365 mailboxes managed? If a user gets a new laptop, will they need to sync tens of gigabytes of data with their local copy of Outlook? Online Archives have been mentioned by Microsoft, so one might assume the 25GB will be split between the primary mailbox and the Archive. If so, it will be interesting to find out what those ratios are so the impact of an OST sync can be taken into account. The other critical area is backups. Anyone reading up about Exchange 2010 will no doubt have read that Microsoft is now advocating the use of 3+ Database Copies instead of backups, leaving "Recover from Deleted Items" the only option for recovering deleted data. Currently, they employ this method of backup on the "beta" of Office 365's Exchange Online, Live@EDU's Outlook Live so I wouldn't be too surprised if this is the case for Office 365 also.

So where does this leave the future of On Premises messaging? I think, even given the sort of caveats mentioned above, Office 365 and other cloud based services have a compelling business case, simply because the capital expenditure required to implement isn't required. Many On Premises deployments today take into account what the business projects it will need over the next 3 to 5 years, and the appropriate hardware to meet the worst-case scenario is bought up-front whether it will be used to its full capacity or not.

I believe that a more appropriate vision for the future of Exchange On Premises deployments has to be able to justify itself against cloud services cost models like Office 365's, which are targeted toward operational expenditure. In the future, On Premises Exchange deployments could also aim to look at this model where the business is charged back based on what they are actually using rather than buying it all up-front. Of course - initial investment is needed, but by only buying the capacity needed initially - thin provisioning mailboxes (i.e. providing larger mailbox quotas than the underlying disk storage allows) will reduce those costs considerably. This model of chargeback and building out capacity as it's required is already in widespread use in the virtualization area, and as someone who runs such an environment, I can say it works well and is popular with customers. Even if this sort of model doesn't equate exactly, it does provide a model to ensure costs can be compared with cloud messaging offerings fairly, and provides a little motivation to move away from over provisioning and wasted storage.

Another question typically on the minds of IT staff is "will a move to Office 365 cost me my job?". My personal opinion is that in most cases, no it won't - at least no more than a move to On Premises Exchange 2010 will. In larger enterprises, there may be some re-deployment where large Exchange Admin teams exist - but due to massive improvements in the product quality since Exchange 2003 (and to a lesser extent, Exchange 2007), Exchange 2010 takes a lot less work to keep running. A move to Office 365's Exchange Online service might require a similar level of planning as a move to Exchange 2010 (and will in most situations involve some Exchange 2010 servers in the mix anyway), and on-going administration still remains. Cloud services like Email might be sold as light-touch, especially by Google, but the reality is that the end users still require the same things. Someone still needs to do the IT work to create mailboxes (or automate that process), deal with shared mailboxes and distribution groups, override access rights and troubleshoot mail delivery issues. These can all be delegated - but they also can be delegated in the exact same way with On Premises Exchange 2010.

Whilst it's common knowledge the Office 365 re-brand takes BPOS (Business Productivity Online Mouthful) under its wing, it's definitely worth noting that Live@EDU is also being brought into the fold. Why does this matter? Because by understanding that Outlook Live and Live@EDU are basically the production beta for Office 365, you can start learning more about what Office 365 will offer straight away. For example, I've recently published a post about Federated Sharing with Outlook Live which I believe will also (with small modifications) apply to Office 365's Exchange Online. I also worked with Microsoft on a Q&A about what my employer can already do with Live@EDU, which includes some of these very benefits.

So, what does this all mean for Google? I think it's obvious that what Office 365 brings to the table will be a quantum leap over what Google Apps's GMail has provided so far. Up against the rich cross-premises, enterprise functionality offered by Office 365, GMail is more clearly defined as a consumer product competing in the enterprise market. That said, I am certainly not dismissing Google; for example, they have supported SAML 2.0 SSO for Google Apps for a long time, and provide excellent APIs that allow you to write your own rich provisioning systems.

Google also have a big advantage when it comes to smaller businesses, the sort of size where the company doesn't want or need internal IT infrastructure. These are traditionally the kind of companies who otherwise would stamp hotmail, gmail or yahoo email addresses onto their business cards, and for them Google is a well known brand and is easy to use. Office 365 will have some ground to make up here, but I think a major battle ground will be in the SME sector, competing in ground where server provision was previously provided by Windows Small Business Server installations.

However, Google still have massive hurdles in the enterprise to overcome. Take Jaguar, who faced problems when they first migrated, then had to overcome a user revolt, according to the comments from Jaguar employees here. Eventually Jaguar had to re-train its staff to use Google Apps, according to this press release. Reports like this don't help the case for moving systems to Google's cloud (and neither do the incorrect cost comparisons) and don't forget, Google doesn't provide an exit strategy either. I never thought I'd say this a few years ago, but at the moment Microsoft provides the least lock-in for enterprise email in the cloud.

Comments for/against Google aside, I certainly think that Office 365 is a very interesting development and it will be worth watching what happens next. If you haven't registered for the beta of Office 365, you can register here.

29Aug/1022

Set up Federated Free/Busy and Calendar Sharing between Exchange 2010 SP1 and Outlook Live [Updated]

As organizations move to make use of cloud based services, like Exchange Online or Outlook Live, it’s pretty important to be able to integrate both the on-premises service and the cloud service so that end-users can continue to work as normal. That’s especially important with a service like Outlook Live, aimed at Education institutions, where typically staff, faculty and some students will continue to be hosted on-premises and the majority of students will be hosted in the cloud. A seamless experience makes life easier for users and thus easier for IT…

So, with Outlook Live and Exchange 2010 On-Premises there is a pretty good opportunity to get Exchange working seamlessly between both systems. I’ll be covering a unified login in a further article (once I’ve re-written the code we use in-house into a re-distributable form). But for now, I’m focusing on the user experience with free/busy and calendar sharing.

One of the areas users might expect to “just work” is free/busy and calendar sharing between on-premises and cloud. The options are there, and it looks like it tries to do it, but the end user just gets unfriendly error messages and “permission denied” errors. To get this up and running in Exchange 2010 SP1 is actually now pretty simple. Although SP1 allows self-signed certificates for Federation, you cannot use these with Outlook Live federation, and you'll need to perform an extra step. However, it's still fairly straightforward…

Pre-requisites

First things first, we need a few things in place and working already before we can get going. The main pre-req is Autodiscover, but I won’t cover how to set this up, as it is covered in detail elsewhere on the good old ‘net.

  • Autodiscover working for On-Premises for the domain you want to use (using DNS names, not SRV service records)
  • Autodiscover working for Outlook Live for the domain you want to use (again, using DNS names, not an SRV service record)
  • Separate domains for on-premises and Outlook Live (I’m testing getting shared working – follow up article to come)
  • Exchange 2010 CAS Connectivity to *.outlook.com
  • Org admin rights on Exchange 2010 SP1 and Tenant Admin rights on Outlook Live, along with Powershell access to both.
  • Access to manage the DNS for both domains and add TXT records.
  • External URL setup and tested for Exchange Web Services / WebServicesVirtualDirectory

Once that’s all set up and available, you should be ready to go.
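Before creating any federation objects it is worth confirming the items above from the Exchange 2010 SP1 management shell. The script below is an added example, not from the original post: it checks Autodiscover name resolution for both domains, HTTPS reachability of outlook.com, the EWS external URL and the SP1 version, and reports any federation trust that already exists (the next step creates one). rootuk.net and test.rootuk.net are the post's test domains; the TXT record proof is generated later in the process, so it is not checked here.

```powershell
# Added example (not from the original post). Verifies the federation
# pre-requisites from the Exchange Management Shell and returns one result
# object per check. Domain names are the post's test values.

function New-CheckResult([string]$Check, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-FederationPrerequisites {
    param(
        [string]$OnPremisesDomain = 'rootuk.net',
        [string]$OutlookLiveDomain = 'test.rootuk.net'
    )
    $Results = @()

    # 1. Autodiscover must resolve by host name for both domains (A/CNAME, not SRV).
    foreach ($Domain in @($OnPremisesDomain, $OutlookLiveDomain)) {
        $Name = "autodiscover.$Domain"
        try {
            $Addresses = [System.Net.Dns]::GetHostAddresses($Name)
            $Results += New-CheckResult "Autodiscover DNS: $Name" $true ($Addresses -join ', ')
        } catch {
            $Results += New-CheckResult "Autodiscover DNS: $Name" $false $_.Exception.Message
        }
    }

    # 2. The CAS must reach *.outlook.com over HTTPS for the federation calls.
    $Tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $Tcp.Connect('outlook.com', 443)
        $Results += New-CheckResult 'HTTPS to outlook.com' $Tcp.Connected ''
    } catch {
        $Results += New-CheckResult 'HTTPS to outlook.com' $false $_.Exception.Message
    } finally {
        $Tcp.Close()
    }

    # 3. EWS needs a working external HTTPS URL; the cloud side calls it for free/busy.
    $WithExternal = @(Get-WebServicesVirtualDirectory | Where-Object { ([string]$_.ExternalUrl) -like 'https://*' })
    $Results += New-CheckResult 'EWS ExternalUrl set (HTTPS)' ($WithExternal.Count -gt 0) (($WithExternal | ForEach-Object { [string]$_.ExternalUrl }) -join ', ')

    # 4. The steps that follow need SP1 (14.1) on the Exchange 2010 servers.
    $OldServers = @(Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 14 -and $_.AdminDisplayVersion.Minor -lt 1 })
    $Results += New-CheckResult 'All Exchange 2010 servers at SP1 or later' ($OldServers.Count -eq 0) (($OldServers | ForEach-Object { $_.Name }) -join ', ')

    # 5. Step One creates a federation trust; flag any that is already in place.
    $Trusts = @(Get-FederationTrust)
    $Results += New-CheckResult 'No existing federation trust' ($Trusts.Count -eq 0) (($Trusts | ForEach-Object { $_.Name }) -join ', ')

    return $Results
}

Test-FederationPrerequisites | Format-Table Check, Passed, Detail -AutoSize
```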

Setting it up

To keep things simple, we’re not going to do anything too complicated: we’re going to set things up so that all users, both on-premises and in Outlook Live, can see each other’s free/busy and share calendars (and contacts). Also, for the purposes of this article, it’s assumed no Sharing Policy is set up already.

On our test setup, we’ve got two domains:

On Premises: rootuk.net
Outlook Live: test.rootuk.net

Basically we need to create four things on-premise:

  • A Federation Trust to authenticate us against the MS Federation Gateway
  • A new sub-domain ExchangeDelegation for the account namespace (in this example, ExchangeDelegation.rootuk.net)
  • An Organization Relationship to allow Outlook Live to look up our free/busy
  • Finally a Sharing Policy to allow on-premise users to share their calendars with Outlook Live users.

In Outlook Live the trust with MS’s Federation Gateway is there by default so we just need the Organization Relationship to allow On-premise to see in and the Sharing Policy to allow the Outlook Live users to share with On-premise users.

First, we’ll set up the on-premise config, then get the Outlook Live side done. Afterwards we’ll test that everything works.

On Premises Config


Step One – Set up a New Federation Trust using a trusted certificate [Updated 10th Nov 2010]

To set up a Federation Trust for use with Outlook Live, you need to use a certificate from an approved certificate authority. As this list is quite short, you may find it doesn't include your current SAN/UCC certificate provider (for example, if you use the JANET Certificate Service); however, this isn't a major issue. The certificate you use for Federation doesn't have to be the same one you currently use for your other Exchange services, so fear not - you don't need to buy a new, expensive SAN/UCC certificate. I've found the cheapest single-domain one from GoDaddy works just fine.

If you've already got a supported certificate, you can skip this part and just use your existing certificate thumbprint for the New-FederationTrust command. Otherwise, to generate a new request for a single domain certificate just to use for Federation, use New-ExchangeCertificate:

New-ExchangeCertificate -GenerateRequest -SubjectName 'o=rootuk.net, cn=rootuk.net' -DomainName rootuk.net -FriendlyName 'Third Party Federation Certificate' -PrivateKeyExportable $true

image

Next, follow the standard process for your CA, by requesting, then downloading the certificate from the third party certificate provider:

image

After downloading the certificate, you now need to complete the certificate request by importing the certificate into Exchange:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\cert\certificate.crt -Encoding byte -ReadCount 0))

image

Note down the Thumbprint in the output, and then create the Federation Trust using that thumbprint value. Note that we’re choosing the "Legacy Provisioning Service" as part of this process. This is why we can't use a self-signed certificate – these only work against the new “Business” gateway. Outlook Live currently works against the legacy “Consumer” gateway, and the -UseLegacyProvisioningService parameter switches us to use that one.

New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint 'thumbprint' -UseLegacyProvisioningService

image

NB.. You'll see in that example above I got an error the first time. This does happen occasionally and I've seen it reported in forums too. The error is "The request failed with HTTP status 403: Forbidden". Just retrying the command should work.

Next, we need to setup a record in DNS for the application ID using the ExchangeDelegation sub-domain and the main On-Premises domain we wish to use for federation. As of SP1, it's possible to use the "Federated Domain Proof" DNS TXT record, but as we're using the legacy method, we will use the Application ID method.

To add the App ID, you need to add a DNS TXT record containing your Application ID (shown as "ApplicationIdentifier" in the output from "New-FederationTrust", or by entering "Get-FederationTrust") in the form "AppID=<yourappid>". The record is added to both the ExchangeDelegation sub-domain and the main On-Premises domain.

If you use Windows DNS, it goes a little something like this:

image

Once those are both in, reload/HUP your DNS and make sure you can resolve it, both from your Exchange servers and from the outside world. The following command should work:

nslookup -querytype=TXT ExchangeDelegation.rootuk.net
nslookup -querytype=TXT rootuk.net

image

Now we’ve got the Federated Trust and DNS record sorted, we can get ourselves properly setup with the Federated Gateway. To do this, we first need to add the accepted domain of the Federated namespace:

New-AcceptedDomain -Name 'Federated Namespace' -DomainName 'ExchangeDelegation.rootuk.net' -DomainType 'Authoritative'

image

Next, use the Set-FederatedOrganizationIdentifier command to configure the account namespace:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust 'Microsoft Federation Gateway' -AccountNamespace ExchangeDelegation.rootuk.net -Enabled:$true

Finally, add the main domain name of the On Premises domain:

Add-FederatedDomain -DomainName 'rootuk.net'

Assuming that completes successfully, we can move onto the next step..

Step Two – Set up the On-Premise Organization Relationship

The next step is to allow our Outlook Live domain to see our On-premise Free/Busy info. You can do this via PowerShell or the Exchange Management Console:

Via PowerShell:

Test that you can get the federation info for your Outlook Live domain. If you get an error, run the command again with the -Verbose parameter for a detailed error and check your Autodiscover setup for Outlook Live:

Get-FederationInformation test.rootuk.net

image

Next, configure the relationship. The LimitedDetails option below is the most open setting for the relationship, which means any user who has chosen to show that much detail will also make it available to the Outlook Live tenant.

Get-FederationInformation test.rootuk.net | New-OrganizationRelationship -Name "Outlook Live" -FreeBusyAccessEnabled:$true -FreeBusyAccessLevel:LimitedDetails

image

If you'd rather configure via Exchange Management Console:

Navigate to Organization Configuration, and select the Organization Relationships Tab. Right click in the whitespace and choose “New Organization Relationship”:

image

In the New Organization Relationship window, give the new relationship a friendly name (e.g. Outlook Live). Select the checkbox "Enable this organization relationship", then choose to enable free/busy access. Choose “Free/busy access with time, plus subject and location” to select the widest access. This means any user who has chosen to show that much detail (i.e. what people can see on-premise right now) will also share it with Outlook Live.

image

Next, enter the Outlook Live domain in the “Automatically discover configuration information” text box, and press Next.

image

Check for any errors, and press Finish. If there are errors and it isn't a typo, then it’s likely to be an Autodiscover issue - but you'll get the most detail on the possible cause if you use the PowerShell instructions above.

image

The new relationship should now be listed underneath Organization Relationships:

image

Step 3 – Set up the Sharing Policy

To enable our on-premise users to share their information with Outlook Live users we need a sharing policy set up. While you can set up multiple sharing policies and assign them to different users, for this basic sharing we’re going to modify the default sharing policy.

Via PowerShell:

First, check your settings. Note down the existing Domains value.

Get-SharingPolicy 'Default Sharing Policy'

image

Replace the Domains value on the Default Sharing Policy, keeping the original value (or removing it, if you want) and adding the Outlook Live domain. For the Outlook Live domain we're setting the maximum scope for sharing:

Set-SharingPolicy 'Default Sharing Policy' -Domains '*:CalendarSharingFreeBusySimple', 'test.rootuk.net:CalendarSharingFreeBusyReviewer, ContactsSharing'

If you'd prefer to configure the sharing policy via the Exchange Management Console:

Navigate to Organization Configuration > Mailbox > Sharing Policies, then right click the Default Sharing Policy, then choose Properties:

image

In the Default Sharing Policy Properties, choose “Add”, then specify the Outlook Live domain. To allow the maximum level of detail to be shared by individual users, select the last option, “Calendar sharing with free/busy information plus subject, location and body, Contacts sharing”:

image

And that’s it for On-Premise. Next, we need to get the hosted environment set up with the corresponding parameters:

Outlook Live Setup

For the Outlook Live setup you have to use PowerShell – the Exchange Management Shell isn’t supported when managing your hosted tenant. If you’re not sure how to connect PowerShell, see the guide on the Outlook.com help site, but it basically looks a little like this:

image

Step 1: Set up the Outlook Live Organization Relationship

We get to skip the first step that we had to do on-premise, setting up the federation trust, because as a tenant of the outlook.com Exchange environment this is already in place. So we can move straight on to getting an organization relationship set up with our on-premise domain.

First, we check that we can indeed discover the correct settings by using the Get-FederationInformation command, specifying the on-premise domain:

Get-FederationInformation rootuk.net

image

The output from the command should show details matching the Organization Identifier and Application URI we setup earlier, along with the details of the on-premise Autodiscover environment.

If it returns a failure you may need to double check your Autodiscover settings for the on-premise environment, or in some cases you may need to give it a little while (if you just setup your Federation Trust on-premise) and try again. For example, in my production environment it took around an hour for my production Outlook Live tenant to be able to discover the Federation Information although my test domains could see the same information without any issues.

So, after you’ve tested that Outlook Live can discover the Federation Information, it’s on to actually creating the Organization Relationship. The command is exactly the same as on-premise; we are really just swapping the domain:

Get-FederationInformation rootuk.net | New-OrganizationRelationship -Name "On-Premise" -FreeBusyAccessEnabled:$true -FreeBusyAccessLevel:LimitedDetails

image

Step 2: Set up the sharing policy

Finally, the last step is getting the sharing policy sorted. Check what the Default Sharing Policy currently is before we go and add our on-premise domain:

Get-SharingPolicy

image

Then replace the Domains list for the Default Sharing Policy with a value that includes the on-premise domain. In the example below, I’m keeping the settings that were already there and adding the on-premise domain. For consistency, I'm also keeping the same sharing level as set on-premise:

Set-SharingPolicy 'Default Sharing Policy' -Domains '*:CalendarSharingFreeBusySimple', 'rootuk.net:CalendarSharingFreeBusyReviewer, ContactsSharing'

After that, it should all be done. Give it a little bit of time (say, 15 minutes) for everything to take effect and we should be ready to have a play..
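Before moving on to the user-facing tests, here is an added verification script (not from the original post) for the on-premises side: it compares the AppID published in both TXT records with the trust's ApplicationIdentifier, checks the namespace, relationship and sharing policy created above, and then runs the built-in Test-FederationTrust and Test-OrganizationRelationship cmdlets. It assumes the Exchange 2010 SP1 Management Shell with Org Admin rights; the default names are the article's example values (the test mailbox is the one created for the tests below), and the nested Test-Contains helper is my own.

```powershell
function Test-FederatedSharingConfig {
    param(  # defaults are the article's example names; change them for your environment
        [string]$TrustName        = 'Microsoft Federation Gateway',
        [string]$RelationshipName = 'Outlook Live',
        [string]$AccountNamespace = 'ExchangeDelegation.rootuk.net',
        [string]$PrimaryDomain    = 'rootuk.net',
        [string]$RemoteDomain     = 'test.rootuk.net',
        [string]$TestMailbox      = 'onpremise@rootuk.net'
    )
    # Helper: render a multi-valued Exchange property as text and test whether it lists $value
    function Test-Contains([object]$collection, [string]$value) {
        ($collection | Out-String) -match [regex]::Escape($value)
    }
    # 1. The AppID in DNS must equal the trust's ApplicationIdentifier on BOTH the
    #    ExchangeDelegation sub-domain and the primary domain
    $trust = Get-FederationTrust -Identity $TrustName
    foreach ($zone in $AccountNamespace, $PrimaryDomain) {
        # nslookup rather than Resolve-DnsName so this also runs on Server 2008 R2
        $txt = nslookup -querytype=TXT $zone 2>$null | Out-String
        if ($txt -match 'AppID=(\w+)' -and $Matches[1] -eq $trust.ApplicationIdentifier) {
            Write-Host "OK   TXT record for $zone matches AppID=$($Matches[1])"
        } else {
            Write-Warning "TXT record for $zone is missing or does not match AppID=$($trust.ApplicationIdentifier)"
        }
    }
    # 2. Account namespace enabled and the primary domain added with Add-FederatedDomain
    $orgId = Get-FederatedOrganizationIdentifier
    if (-not ($orgId.Enabled -and "$($orgId.AccountNamespace)" -eq $AccountNamespace)) {
        Write-Warning "Federated organization identifier is disabled or namespace is not $AccountNamespace"
    }
    if (-not (Test-Contains $orgId.Domains $PrimaryDomain)) {
        Write-Warning "$PrimaryDomain is not a federated domain"
    }
    # 3. Organization relationship must cover the remote domain with free/busy enabled
    $rel = Get-OrganizationRelationship -Identity $RelationshipName
    if (-not ($rel.Enabled -and $rel.FreeBusyAccessEnabled -and (Test-Contains $rel.DomainNames $RemoteDomain))) {
        Write-Warning "Relationship '$RelationshipName' does not grant free/busy to $RemoteDomain"
    }
    # 4. Default Sharing Policy needs its own entry for the remote domain; the '*' entry
    #    alone only permits CalendarSharingFreeBusySimple, not Reviewer or contacts sharing
    $policy = Get-SharingPolicy -Identity 'Default Sharing Policy'
    if (-not (Test-Contains $policy.Domains "${RemoteDomain}:")) {
        Write-Warning "Default Sharing Policy has no entry for $RemoteDomain"
    }
    # 5. End-to-end checks against the Federation Gateway and the remote Autodiscover
    Test-FederationTrust -UserIdentity $TestMailbox
    Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $TestMailbox
}
Test-FederatedSharingConfig
```

Run the nslookup part from outside your network as well, since the Federation Gateway resolves the TXT records from the internet, not from your internal DNS.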

Testing it out

For testing purposes on my two domains, on-premise “rootuk.net” and Outlook Live “test.rootuk.net”, I’ve created test accounts in each –“onpremise@rootuk.net” and “outlooklive@test.rootuk.net”. For the screenshots I’ve used OWA, but it works equally well in Outlook.

The first test is for Free/Busy. I’ve created a few test appointments in both calendars and you’ll see availability works just as if the user was on-premise:

In Outlook Live, scheduling a new meeting with the on-premise user as an attendee:

image

Next, via on-premise Exchange 2010 SP1, with our Outlook Live user as an attendee this time:

image

The second test is to check it is possible to share a calendar either way, and this is where it strays slightly away from the full range of options available to users within a single environment.

The limitations we’ve got mean that the user must share the calendar using OWA or Outlook 2010, and must use the “share this calendar” options rather than setting permissions directly. The recipient of the permission must add the calendar using the resulting email (they can’t just add it by name), and it’s read-only. This of course means the process can’t be easily automated, but it does allow users to use a common workflow to share folders, via the “share” options.

Sharing a calendar in Outlook Live:

image

image

On-premise user receives the sharing invitation and chooses “Add this calendar” to add it:

image

After adding the calendar, it’s shown in red (in OWA, anyway) while the server retrieves the calendar:

image

After a minute or so, the Outlook Live calendar shows up alongside the On-premise calendar:

image

Finally, let's test it from On-premise to Outlook Live:

Select the Calendar’s “Share” option to share the calendar (it's worth noting that the OWA UI has changed between RTM and SP1.. but I digress):

image

image

Over in Outlook Live, the Outlook Live user receives the invitation and again, chooses the “Add this calendar” link:

image

After choosing to add the calendar, the on-premise calendar shows (again after a minute or so to do the first sync) alongside the Outlook Live calendar:

image

Contacts sharing is again a similar process, although it must be shared using Outlook 2010. Simply right click a contacts folder and choose Share > Share Contacts:

image

And that’s it – hopefully this will work for you, but if you have any questions or any issues, just use the comments form below.

Update - 10th November 2010: The original article used the -MetaDataURL parameter to use a self-signed certificate with the old "consumer" gateway. This is no longer valid. The article has been updated to reflect the new process, which requires an acceptable third-party certificate and the -UseLegacyProvisioningService parameter. If you have used the -MetaDataURL parameter to set up Federated Sharing you should remove and re-create both the organization relationship (both sides) and the federation trust (on premises) using the updated information in "Step 1" of the On Premises Config. You do not need to remove/re-create the sharing policy.

Update - 15th December 2010: The article has been updated to use ExchangeDelegation.domain.com for the Federated Namespace based on advice from the Exchange team. This is a best practice and pre-req for cross-premises Free/Busy.