
1 MEC 2014 4/5/2017 1:13 PM
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 WAP and ARR - TMG alternatives?
USX305. Roop Sankar Bagepalli & Georg Hinterhofer, Senior PFEs, Microsoft.

3 A Pirate's Choice!

4 IIS Application Request Routing (ARR) vs Web Application Proxy (WAP)
Strategics – ARR vs WAP
- WAP is the strategic product, but both do the job: WAP and ARR, depending on your requirements, will get the gig done.
- Realize that the "strategic" (read: area of investment) product is Web Application Proxy.

Feature comparison (ARR vs WAP):
- Pre-Authentication: ARR – no; WAP – yes
- Prerequisites: ARR – IIS 8.0, IIS 7.0, IIS 6.0; WAP – Windows 2012 R2
- Dependency: ARR – none; WAP – ADFS has to be set up
- Load Balancing: ARR – inbuilt functionality; WAP – requires a load balancer

5 Application Request Routing – ARR
(Each and every pirate's favorite letter!)

6 Application Request Routing - ARR
What is ARR?
- ARR is an IIS extension – current version 3.0
- ARR allows IIS to act as a load balancer and reverse proxy – free of charge!
Prereqs?
- Works on IIS 7.0 (Windows 2008) or newer
- No other prereqs!
- Does not need to be domain joined!
- Grab it here!

7 Application Request Routing - ARR
Features of ARR:
- Reverse proxy / web publishing
- Support for multiple load balancing algorithms
- Health checking
- Caching
- Content delivery network (CDN)
- SSL offloading
- Layer 4 and 7 routing decisions
- Usage reporting
- Cookie-based affinity
- Application affinity opt-out
- Rich API
- WebSocket support

8 ARR Functional Overview
(Diagram) Client traffic (Outlook, ActiveSync, OWA, ECP) enters the URL Rewrite Module, which performs URL filtering (allow/deny URL), and is then handed to the Web Farm Framework Module, which performs load balancing and health checking.

9 URL Rewrite – it's the actual reverse proxy
- Generally used to provide users with simple URLs, BUT we'll use it for our cause as well
- Can act as reverse proxy between the client and – in our case – the Web Farm
- There's more where that came from™: URL filtering, powerful URL rewrite capabilities, pattern matching (RegEx)

10 Web Farm Framework – Free Load Balancing!
Features include:
- Load Balancing – seven different algorithms
- Health Test – checks availability of server or service
- Server Affinity – cookie affinity (Exchange 2007/2010)
- Monitoring & Management

11 ARR – The Configuration (Option 1)
Only a couple of simple steps! Create a Server Farm

12 ARR – The Configuration (Option 1)
Only a couple of simple steps! Modify the Server Farm for Exchange’s needs (it’s a bit of a Diva, ya know)

13 ARR – The Configuration (Option 1)
Only a couple of simple steps! Proper health checking!

14 ARR – The Configuration (Option 1)
Only a couple of simple steps! Configure the URL Rewrite rules. Published URLs on https://mail.sir8.at: /OWA, /ECP, /OAB, /EWS/Exchange.asmx. Rewrite rule: https://mail.sir8.at/* Done!

15 IIS ARR – Option 1 (how does it work..?)
Request: https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. URL Rewrite rules in place: https://mail.contoso.com/* and https://autodiscover.contoso.com/*. The URL matches https://autodiscover.contoso.com/*, access is allowed and the request is forwarded to the AutoDiscover Web Farm. CAS3 is marked as unhealthy, so the request is forwarded to CAS1 or CAS2.

16 IIS ARR – Option 1 (how does it work..?)
Request for the mail.contoso.com namespace. The URL matches https://mail.contoso.com/*, access is allowed and the request is forwarded to the mail.contoso.com Web Farm. CAS1 is marked as unhealthy, so the request is forwarded to CAS2 or CAS3.

17 IIS ARR – Option 1 (how does it work..?)
Request: https://mail.contoso.com/EWS/Exchange.asmx. The URL matches https://mail.contoso.com/*, access is allowed and the request is forwarded to the mail.contoso.com Web Farm. CAS1 is marked as unhealthy, so the request is forwarded to CAS2 or CAS3.

18 Quirks of Option 1
Health check probe: https://mail.contoso.com/OWA/HealthCheck.htm. Health Check PASS → server healthy: requests for https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx are sent to this server.

19 Quirks of Option 1
Health check probe: https://mail.contoso.com/OWA/HealthCheck.htm. Health Check FAIL → server unhealthy: requests for https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx are no longer sent to this server. The single OWA probe decides for every virtual directory on the server (server availability, not service availability).

20 IIS ARR – Option 2: Per Protocol Health Check!!!

21 IIS ARR – Option 2: Per Protocol Health Check!!!
One namespace per protocol; each namespace is a URL Rewrite rule pointing at its own Server Farm with its own health check:
- mail.contoso.com → OWA Web Farm, probe https://mail.contoso.com/OWA/HealthCheck.htm
- ecp.contoso.com → ECP Web Farm, probe https://ecp.contoso.com/ECP/HealthCheck.htm
- ews.contoso.com → EWS Web Farm, probe https://ews.contoso.com/EWS/HealthCheck.htm
- eas.contoso.com → EAS Web Farm, probe https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
- oab.contoso.com → OAB Web Farm, probe https://oab.contoso.com/OAB/HealthCheck.htm
- oa.contoso.com → OA Web Farm, probe https://oa.contoso.com/RPC/HealthCheck.htm
- autodiscover.contoso.com → AutoDiscover Web Farm, probe https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm (serves https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml)
Exchange virtual directories: mail.contoso.com, ECP.contoso.com, EWS.contoso.com, EAS.contoso.com, OAB.contoso.com, OA.contoso.com, AutoDiscover.contoso.com

22–24 Comparison between the available Options… (one table, built up over three slides)

Option 1
- High Availability of traffic destined for multiple CAS servers: no per-protocol health check (server availability)
- Load Balancing of traffic destined for multiple CAS servers: yes
- Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: share a common namespace, mail.tailspintoys.com
- Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 3
- High Availability of traffic destined for multiple CAS servers: per-protocol health check (service availability)
- Load Balancing of traffic destined for multiple CAS servers: yes
- Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: share a common namespace, mail.tailspintoys.com
- Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 2
- High Availability of traffic destined for multiple CAS servers: per-protocol health check (service availability)
- Load Balancing of traffic destined for multiple CAS servers: yes
- Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: namespace for each protocol – mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.
- Certificate & DNS: certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one wildcard certificate (*.tailspintoys.com); multiple additional DNS entries

25 ARR – Option 3: 2 namespaces, but still per protocol health checks!
Request: https://mail.contoso.com/OWA. Exchange virtual directories: mail.contoso.com and AutoDiscover.contoso.com. The URL Rewrite rules match on path prefix and send each prefix to its own Server Farm with its own probe:
- /OWA* → OWA Web Farm, probe https://mail.contoso.com/OWA/HealthCheck.htm
- /ECP* → ECP Web Farm, probe https://mail.contoso.com/ECP/HealthCheck.htm
- /EWS* → EWS Web Farm, probe https://mail.contoso.com/EWS/HealthCheck.htm
- /EAS* → EAS Web Farm, probe https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
- /OAB* → OAB Web Farm, probe https://mail.contoso.com/OAB/HealthCheck.htm
- /RPC* → OA Web Farm, probe https://mail.contoso.com/RPC/HealthCheck.htm
- /AutoDiscover* → AutoDiscover Web Farm, probe https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

26 ARR – Option 3: 2 namespaces, but still per protocol health checks!
Same layout, walked through for https://mail.contoso.com/EWS/Exchange.asmx: the /EWS* rule sends it to the EWS Web Farm, whose members are probed at https://mail.contoso.com/EWS/HealthCheck.htm.
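The Option 3 layout as a script, added here as an example that is not from the deck or from Microsoft. It drives the same IIS configuration that slides 11 to 14 click through in IIS Manager, using the WebAdministration module; it assumes ARR 3.0 and URL Rewrite are installed on the IIS box and that the backend is Exchange 2013, and every host name, server name and rule name in it is a placeholder.

```powershell
# Added example, not code from the MEC 2014 deck or from Microsoft: scripts the
# "Option 3" ARR layout (one public namespace, one IIS web farm per Exchange virtual
# directory, each farm with its own HealthCheck.htm probe, one global URL Rewrite rule
# per path prefix). Assumptions: ARR 3.0 and URL Rewrite are installed on this IIS box,
# the backend is Exchange 2013 (its HealthCheck.htm answers "200 OK"), and every host
# and server name below is a placeholder. Run from an elevated PowerShell on the ARR box.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'
$casHosts = 'cas1.contoso.local', 'cas2.contoso.local', 'cas3.contoso.local'   # placeholders

# Public host -> path prefix -> probe, as on the Option 3 slide. Option 1 is the
# degenerate case of this table: one farm, Prefix '*', one probe at /owa/HealthCheck.htm.
$farms = @(
    @{ Host = 'mail.contoso.com';         Prefix = 'owa*';                         Probe = '/owa/HealthCheck.htm' }
    @{ Host = 'mail.contoso.com';         Prefix = 'ecp*';                         Probe = '/ecp/HealthCheck.htm' }
    @{ Host = 'mail.contoso.com';         Prefix = 'ews*';                         Probe = '/ews/HealthCheck.htm' }
    @{ Host = 'mail.contoso.com';         Prefix = 'Microsoft-Server-ActiveSync*'; Probe = '/Microsoft-Server-ActiveSync/HealthCheck.htm' }
    @{ Host = 'mail.contoso.com';         Prefix = 'oab*';                         Probe = '/oab/HealthCheck.htm' }
    @{ Host = 'mail.contoso.com';         Prefix = 'rpc*';                         Probe = '/rpc/HealthCheck.htm' }
    @{ Host = 'autodiscover.contoso.com'; Prefix = 'autodiscover*';                Probe = '/Autodiscover/HealthCheck.htm' }
)

# ARR's proxy module must be enabled. Preserving the Host header lets Exchange see
# mail.contoso.com instead of the internal CAS name when it builds redirect URLs.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'enabled'            -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' -Name 'preserveHostHeader' -Value $true

foreach ($f in $farms) {
    $farmName = '{0}-{1}' -f $f.Host, $f.Prefix.TrimEnd('*')       # e.g. mail.contoso.com-owa
    $farmPath = "webFarms/webFarm[@name='$farmName']"
    $arr      = "$farmPath/applicationRequestRouting"

    # Slide 11: create the server farm and add every CAS as an HTTPS member.
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' -Value @{ name = $farmName; enabled = $true }
    foreach ($cas in $casHosts) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter $farmPath -Name '.' -Value @{ address = $cas; enabled = $true }
        Set-WebConfigurationProperty -PSPath $appHost -Filter "$farmPath/server[@address='$cas']/applicationRequestRouting" -Name 'httpsPort' -Value 443
    }

    # Slide 12: the Diva settings. Long idle timeout for Outlook/EAS long polls, no
    # response caching, no cookie affinity (Exchange 2013 does not need it; set
    # useCookie to $true for an Exchange 2007/2010 farm, as slide 10 notes).
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol"       -Name 'timeout'   -Value '00:02:00'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol/cache" -Name 'enabled'   -Value $false
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/affinity"       -Name 'useCookie' -Value $false
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/loadBalancing"  -Name 'algorithm' -Value 'WeightedRoundRobin'

    # Slide 13: per-protocol health check. ARR opens the probe against each member's
    # address but sends the configured host name as the Host header, so one URL serves
    # the whole farm. A member whose probe stops returning "200 OK" is removed from THIS
    # farm only; its other virtual directories keep their traffic, which is exactly the
    # Option 1 quirk from slides 18 and 19 that this layout avoids.
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'url'           -Value ('https://{0}{1}' -f $f.Host, $f.Probe)
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'interval'      -Value '00:00:30'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'timeout'       -Value '00:00:30'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/healthCheck" -Name 'responseMatch' -Value '200 OK'

    # Slide 14: one global URL Rewrite rule per prefix. The host condition keeps the
    # autodiscover rule from matching mail.contoso.com traffic and vice versa; {R:0} is
    # the matched path, so https://mail.contoso.com/owa/auth/logon.aspx is rewritten to
    # https://mail.contoso.com-owa/owa/auth/logon.aspx, a host ARR resolves to the farm.
    $ruleName = "ARR_$farmName"
    $rulePath = "system.webServer/rewrite/globalRules/rule[@name='$ruleName']"
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/rewrite/globalRules' -Name '.' `
        -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = $true }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rulePath/match"      -Name 'url'  -Value $f.Prefix
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$rulePath/conditions" -Name '.'    -Value @{ input = '{HTTP_HOST}'; pattern = $f.Host }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rulePath/action"     -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rulePath/action"     -Name 'url'  -Value "https://$farmName/{R:0}"
}

# URL filtering (slide 9) as an allow-list: a request that matched none of the published
# prefixes must not reach a CAS at all, so the last global rule answers 403 instead of
# forwarding. Global rules run in order, and each farm rule above stops processing.
$deny = "system.webServer/rewrite/globalRules/rule[@name='ARR_deny_unpublished']"
Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/rewrite/globalRules' -Name '.' `
    -Value @{ name = 'ARR_deny_unpublished'; patternSyntax = 'Wildcard'; stopProcessing = $true }
Set-WebConfigurationProperty -PSPath $appHost -Filter "$deny/match"  -Name 'url'        -Value '*'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$deny/action" -Name 'type'       -Value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$deny/action" -Name 'statusCode' -Value 403

# Read the result back: every farm and the probe URL its members are judged by.
Get-WebConfiguration -PSPath $appHost -Filter 'webFarms/webFarm' | ForEach-Object {
    $probe = (Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$($_.name)']/applicationRequestRouting/healthCheck").url
    '{0,-45} probe={1}' -f $_.name, $probe
}
```

Health check state at runtime (which member is currently marked unhealthy) is not in applicationHost.config; read it from the farm's Monitoring and Management view in IIS Manager, as slide 10 describes.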

27 Bringing HA to ARR …for even more ARRrrrrrr
- ARR itself is a single point of failure and doesn't provide any HA to itself; it needs a little help
- Mitigate with NLB (WinNLB or 3rd party)
- Easy configuration…
  …. leverage IIS shared config!
  …. either Active/Passive or Active/Active doable – failover or failover + load distribution!
  …. all the glory is here!

28 ARR + Exchange 2013/2010/2007? Yes, you can!
- ARR will work with Exchange 2007/2010/2013.
- If you have 2007 in the mix, make sure you also publish the legacy namespace.
- No need for 2013/2010 coex, obviously.

29 IIS ARR Implementation Scenarios…
RULES: URL Rewrite and Web Farm are mutually dependent on each other. You can control how IIS ARR behaves depending on which component you configure. If you configure the properties of:
- URL Rewrite + Web Farm → Reverse Proxy + Software Load Balancer
- URL Rewrite only → Reverse Proxy
- Web Farm only* → Software Load Balancer

30 IIS ARR: Reverse Proxy
(Diagram: OWA, Outlook, ActiveSync and ECP clients behind IIS ARR acting as reverse proxy)

31 IIS ARR: Load Balancer
(Diagram: OWA, Outlook, ActiveSync and ECP clients behind IIS ARR acting as load balancer)

32 Scenario A
(Diagram: External User, Internal User)

33 Scenario B
(Diagram: External User, Internal User)

34 Scenario C
(Diagram: External User, Internal User)

35 Scenario D
(Diagram)

36 Web Application Proxy - WAP

37 Web Application Proxy - WAP
- Part of the Remote Access role in 2012 R2
- Requires an ADFS 2012 R2 installation
- Can be deployed domain joined or non-domain joined
- Does not require a 2012 R2 DC
- Reverse proxy of web applications and ADFS Proxy
  - Provides reverse proxy
  - Replaces the "old" ADFS Proxy
  - Provides SSO for some scenarios
- Designed to be deployed in the DMZ
- Highly customizable login page – see

38 WAP – Network Topology
(Diagram, three zones: Internet | DMZ | Corporate Network)
- Internet: Client (browser, Office client or modern app)
- DMZ: Firewall → Load Balancer → Web Application Proxy (also acting as AD FS Proxy) → Firewall
- Corporate Network: Load Balancer → Backend Servers; AD FS (Web UI, Config. Store); Active Directory Domain Controller
Flows shown: the client talks HTTP/S to WAP; WAP pulls its configuration from AD FS (Config. API over HTTPS); AD FS authenticates users against the Domain Controller (AuthN); WAP obtains a KCD ticket for IWA AuthN to the backend; WAP to backend server uses claims, IWA or pass-through AuthN.

39 WAP and Exchange
- Offers reverse proxying for all Exchange-relevant protocols: OWA, ECP, EAS, OA, MAPIHTTP, AutoDiscover, EWS, OAB – we got you covered!
- Preauthentication only for OWA/ECP!
- PreAuth is performed by redirecting the client to ADFS. Redirection is supported for the following protocols: standard HTTP (browsers), MS-OFBA (Office clients), OAuth2 (Windows Store apps)…. In our case for OWA/ECP.
- Cannot redirect for preauthentication: clients using HTTP Basic or NTLM authentication (ActiveSync, MAPIHTTP), RPC over HTTP (Outlook Anywhere) – those need to use passthrough.
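How the split on this slide looks when it is published, as an added example that is not from the deck or from Microsoft: ADFS pre-authentication with KCD for OWA/ECP, pass-through for everything a browser redirect cannot serve. It assumes a domain-joined WAP 2012 R2 box already installed against AD FS 2012 R2, an existing non-claims-aware relying party trust, and placeholder host names and thumbprints.

```powershell
# Added example, not code from the MEC 2014 deck or from Microsoft: publishes Exchange
# through Web Application Proxy the way slide 39 splits it. OWA and ECP get ADFS
# pre-authentication with Kerberos constrained delegation to the IWA-enabled backend
# (the flow on slides 40 to 50); everything a browser redirect cannot serve (EAS,
# MAPI/HTTP, Outlook Anywhere, EWS, OAB, AutoDiscover) is published pass-through
# (slide 52). Assumptions: WAP 2012 R2 is already installed against an AD FS 2012 R2
# farm, this WAP box is domain-joined and trusted for delegation to the CAS SPN, a
# non-claims-aware relying party trust named 'Exchange OWA' exists in AD FS, the
# external certificate also covers autodiscover.fabrikam.com, and every host name and
# thumbprint below is a placeholder.
$externalHost = 'mail.fabrikam.com'
$certThumb    = 'PLACEHOLDER_THUMBPRINT_OF_mail.fabrikam.com_CERT'
$backendSpn   = "HTTP/$externalHost"   # SPN the KCD ticket is requested for (slide 48)

# Pre-authenticated paths. WAP answers an unauthenticated GET with a 307 to
# sts.fabrikam.com (slide 43) and only proxies requests that carry a valid
# EdgeAccessCookie (slide 48); OWA/ECP stay on IWA, satisfied by the delegated ticket.
foreach ($vdir in 'owa', 'ecp') {
    Add-WebApplicationProxyApplication `
        -Name "Exchange $vdir (ADFS preauth + KCD)" `
        -ExternalPreauthentication ADFS `
        -ADFSRelyingPartyName 'Exchange OWA' `
        -ExternalUrl "https://$externalHost/$vdir/" `
        -ExternalCertificateThumbprint $certThumb `
        -BackendServerUrl "https://$externalHost/$vdir/" `
        -BackendServerAuthenticationSPN $backendSpn
}

# Pass-through paths. Basic/NTLM and RPC-over-HTTP clients cannot follow a redirect to
# AD FS, so WAP forwards the request as-is and the 401 challenge comes from Exchange.
$passThrough = @(
    "https://$externalHost/Microsoft-Server-ActiveSync/",
    "https://$externalHost/mapi/",
    "https://$externalHost/rpc/",
    "https://$externalHost/ews/",
    "https://$externalHost/oab/",
    'https://autodiscover.fabrikam.com/autodiscover/'
)
foreach ($url in $passThrough) {
    Add-WebApplicationProxyApplication `
        -Name ('Exchange {0} (pass-through)' -f ([uri]$url).AbsolutePath.Trim('/')) `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $url `
        -ExternalCertificateThumbprint $certThumb `
        -BackendServerUrl $url
}

# Check the split: nothing that talks Basic/NTLM/RPC may sit behind ADFS preauth (those
# clients would just break), and nothing a browser uses for OWA/ECP may be left at
# pass-through by mistake. WAP picks the most specific published path for a request.
Get-WebApplicationProxyApplication |
    Sort-Object ExternalUrl |
    Format-Table Name, ExternalUrl, ExternalPreauthentication, BackendServerAuthenticationSPN -AutoSize
```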

40 WAP and Exchange – KCD Preauth Flow

41 KCD preauth flow: the request
(Diagram: Internet | Perimeter network | Internal network.) The user requests https://mail.fabrikam.com/owa. OWA on the internal network is configured for IWA (Auth: IWA), with AD behind it.

42 KCD preauth flow: the players
Web Application Proxy in the perimeter network publishes https://mail.fabrikam.com/owa; AD FS is reachable at https://sts.fabrikam.com.

43 KCD preauth flow: redirect to AD FS
The user's GET https://mail.fabrikam.com/owa reaches Web Application Proxy, which answers with a 307 redirect to https://sts.fabrikam.com.

44 KCD preauth flow: AD FS sign-in
The user's GET reaches AD FS at https://sts.fabrikam.com; AD FS evaluates its App Policies.

45 KCD preauth flow: credentials
The user POSTs to https://sts.fabrikam.com (App Policies on AD FS).

46 KCD preauth flow: AD FS session
AD FS answers 302 FOUND and sets MSISAuth (session cookie).

47 KCD preauth flow: back to WAP
The user's GET returns to Web Application Proxy carrying MSISAuth (session cookie); WAP answers with a 307 redirect.

48 KCD preauth flow: constrained delegation (shows ticket issued for SPN)
The client's GET now carries the auth token (GET /w AuthToken!). Web Application Proxy performs KCD for the principal name (the slide shows the ticket issued for the SPN), sets EdgeAccessCookie (session cookie), and a 301 moved permanently appears in the exchange toward https://mail.fabrikam.com/owa (Auth: IWA).

49 Finally… we log on to OWA!

50 KCD preauth flow: cookies at the end (shows ticket issued for SPN)
Session cookies present on the client after the GET: MSISAuth, MSISAuthenticated, MSISLoopDetectionCookie and EdgeAccessCookie.

51 WAP and Exchange – Passthrough Auth Flow

52 Passthrough auth flow
(Diagram: Internet | Perimeter network | Internal network, with AD and AD FS shown.) The user requests https://mail.fabrikam.com/owa; Web Application Proxy forwards it to OWA (Auth: IWA); OWA answers 401 Unauthorized; WAP passes the 401 Unauthorized back to the user, and the actual OWA logon happens against OWA itself.

53 Exchange 2013 SP1 and ADFS Auth
Finally – a supported way of getting ADFS auth goin'!
- Exchange 2013 SP1 introduced ADFS authentication for OWA and ECP, based on SAML 2.0
- It's an either/or thing – you cannot have any other form of authentication (FBA, NTLM, Basic, secret knock signs) mixed with ADFS authentication – no multiple vdir support as of now.
- No support for coexistence, e.g. running ADFS auth on Ex2013 SP1 and trying to open up mailboxes for 2013 non-SP1, 2010 or 2007 will not work and is not supported.
- You can leverage either ADFS directly or WAP as the ADFS proxy for "claiming your claim"
- Allows for pre-authentication on WAP without the need for WAP to be domain joined! (hold for applause)

54 Exchange 2013 SP1 and ADFS Auth
Implementation overview:
- Requires manual Relying Party Trust configuration in ADFS – no automatic config
- Requires UPN, PrimarySID and GroupSID issuance rules
- Requires configuration of -AdfsIssuer, -AdfsAudienceUris and -AdfsSignCertificateThumbprint on Exchange's Set-OrganizationConfig
- Enable ADFSAuth and disable all other forms of auth on the OWA/ECP virtual directories
- Detailed implementation steps are available now at
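The steps on this slide as commands, added here as an example that is not from the deck or from Microsoft. It assumes AD FS 2012 R2 at sts.fabrikam.com, Exchange 2013 SP1 with OWA/ECP published as https://mail.fabrikam.com/owa/ and /ecp/, and a placeholder token-signing thumbprint.

```powershell
# Added example, not code from the MEC 2014 deck or from Microsoft: the two halves of
# slide 54. Part 1 runs on the AD FS 2012 R2 server and creates the relying party trusts
# with the UPN, Primary SID and Group SID issuance rules Exchange expects; part 2 runs in
# the Exchange Management Shell on Exchange 2013 SP1 and switches OWA/ECP to ADFS
# authentication only. Assumptions: AD FS at sts.fabrikam.com, OWA/ECP published as
# https://mail.fabrikam.com/owa/ and /ecp/, every server hosting OWA/ECP is on SP1 or
# later (slide 53: no coexistence), and the token-signing thumbprint is a placeholder.

# ---- Part 1: AD FS server ------------------------------------------------------------
# Claim rule language for the three LDAP-attribute rules the slide requires.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Primary SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Group SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), query = ";tokenGroups(SID);{0}", param = c.Value);
'@
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# One trust per virtual directory. The identifier doubles as the SAML audience URI, so
# it must match -AdfsAudienceUris below character for character, trailing slash included.
$trusts = @(
    @{ Name = 'Outlook Web App';       Uri = 'https://mail.fabrikam.com/owa/' },
    @{ Name = 'Exchange Admin Center'; Uri = 'https://mail.fabrikam.com/ecp/' }
)
foreach ($t in $trusts) {
    Add-AdfsRelyingPartyTrust -Name $t.Name -Identifier $t.Uri `
        -SamlEndpoint (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $t.Uri) `
        -IssuanceTransformRules $rules `
        -IssuanceAuthorizationRules $permitAll
}

# ---- Part 2: Exchange Management Shell (Exchange 2013 SP1) --------------------------
# Exchange validates the SAML token against the AD FS token-signing certificate, so the
# thumbprint here is that certificate's, not the SSL certificate of sts.fabrikam.com.
$tokenSigningThumb = 'PLACEHOLDER_ADFS_TOKEN_SIGNING_CERT_THUMBPRINT'
Set-OrganizationConfig -AdfsIssuer 'https://sts.fabrikam.com/adfs/ls/' `
    -AdfsAudienceUris 'https://mail.fabrikam.com/owa/', 'https://mail.fabrikam.com/ecp/' `
    -AdfsSignCertificateThumbprint $tokenSigningThumb

# Either/or (slide 53): ADFS on, every other method off, on every OWA and ECP vdir.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false -OAuthAuthentication $false
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true `
    -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false `
    -WindowsAuthentication $false

# The vdir change is picked up at app-pool start: run iisreset on every CAS, then verify
# that no server still advertises a second method next to ADFS.
iisreset
Get-OwaVirtualDirectory | Format-Table Server, AdfsAuthentication, FormsAuthentication, `
    BasicAuthentication, WindowsAuthentication, OAuthAuthentication -AutoSize

# With this in place WAP publishes /owa and /ecp as PassThrough (no KCD, no domain
# join): Exchange itself sends an unauthenticated browser to sts.fabrikam.com, which
# WAP fronts as the AD FS proxy, matching the last two bullets of slide 53.
```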

55 Bringing HA to WAP It’s easy – just install more boxes!
WAP stores its config in ADFS 2012 R2.
As soon as you "subscribe" more WAP boxes to the same ADFS instance, they will get the same config.
[Diagram: two Web Application Proxy servers (Config, Publishing Rules), both backed by AD FS / AD]

56 Bringing HA to WAP
You still need to think about NLB
WAP does not provide any form of NLB …
… not for the published application
… not for WAP itself
… WinNLB or 3rd party
… no need for affinity!!
[Diagram: User -> NLB (Windows or 3rd party) -> two Web Application Proxy servers (Config, Publishing Rules)]

57 Configuring WAP for KCD
Required ADFS config – Create Relying Party Trust

58 Configuring WAP for KCD
Creating an AD delegation for preauth
Single Server (delegation to Exchange directly)

59 Configuring WAP for KCD
Creating an AD delegation for preauth
Multiple Exchange Servers (delegation to the ASA)
This requires an Alternate Service Account configured on Exchange 2010 / Exchange. The delegation needs to be made out to this account.

60 WAP and EX not in the same domain?
Yep, it's possible! Historically, KCD required that the server asking for a Kerberos ticket and the server we delegated to be in the same domain. Fear not, Windows 2012 changed quite a bit. Read more here: In a nutshell, WAP (the server asking for a ticket) can be in another domain (e.g. child.contoso.com) while the application server – let's say Exchange – is in the root domain or in another child (contoso.com or child2.contoso.com). Delegation for these scenarios is set on the application server instead of the WAP server.
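The three delegation setups from slides 58, 59 and 60 (single server, delegation to the ASA, and WAP in a different domain) as one added example using the ActiveDirectory module; this is not the deck's own script. Names WAP01, EX01, mail.contoso.com and child.contoso.com are assumed.

```powershell
# Added example (not from the deck). Assumed names: WAP01, EX01, SPN http/mail.contoso.com, domains contoso.com / child.contoso.com.
Import-Module ActiveDirectory
# Protocol transition: WAP holds an AD FS token, not the user's TGT, so it must be allowed to request a
# ticket on the user's behalf (the "use any authentication protocol" setting on the computer object).
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true

# Slide 58: a single Exchange server, delegate straight to its HTTP SPN.
Set-ADComputer -Identity WAP01 -Add @{ 'msDS-AllowedToDelegateTo' = 'http/ex01.contoso.com' }

# Slide 59: several servers behind mail.contoso.com; the Alternate Service Account owns that SPN,
# so the delegation is made out to the SPN the ASA holds, not to any one server.
Set-ADComputer -Identity WAP01 -Add @{ 'msDS-AllowedToDelegateTo' = 'http/mail.contoso.com' }
# The SPN must be registered on exactly one object (the ASA), otherwise the KDC cannot issue the ticket:
Get-ADObject -Filter "servicePrincipalName -eq 'http/mail.contoso.com'" -Properties servicePrincipalName |
    Format-List Name, ObjectClass, servicePrincipalName

# Slide 60: WAP01 lives in child.contoso.com, Exchange in contoso.com. Windows 2012 resource-based KCD:
# the permission is written on the application server object, not on the WAP server.
$wapInChild = Get-ADComputer -Identity WAP01 -Server 'child.contoso.com'
Set-ADComputer -Identity EX01 -Server 'contoso.com' -PrincipalsAllowedToDelegateToAccount $wapInChild

# Check both directions: what WAP01 may delegate to (classic KCD) and who may delegate to EX01 (resource-based).
Get-ADComputer WAP01 -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Format-List Name, msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
Get-ADComputer EX01 -Server 'contoso.com' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
```

Delegation rights are a standing credential for the WAP computer account, so keep the msDS-AllowedToDelegateTo list to the one or two SPNs Exchange actually needs and review it when servers are retired.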

61 Configuring WAP Installing WAP

62 Configuring WAP Configuration for Preauth (OWA/ECP)

63 Configuring WAP Config for Pass-through (EAS/AutoD/OA/OAB/MAPIHttp)

64 Configuring WAP Disable Headers translation in Request Headers
WAP should not translate HTTP host headers to internal host headers when forwarding requests.
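Slides 62 to 64 are wizard screenshots; the same publishing rules as an added PowerShell example (not the deck's own), for the KCD variant built up on slides 57 to 59. The relying party trust name "Exchange KCD", the host mail.contoso.com and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the deck). Assumed: host mail.contoso.com, a non-claims-aware relying party trust
# named "Exchange KCD" (slide 57), the delegation from slides 58/59, and a certificate thumbprint placeholder.
$ext   = 'https://mail.contoso.com'
$thumb = '<thumbprint of the certificate bound for mail.contoso.com on WAP>'   # placeholder
$common = @{
    ExternalCertificateThumbprint       = $thumb
    DisableTranslateUrlInRequestHeaders = $true   # slide 64: forward the Host header exactly as the client sent it
}
# Slide 62: OWA and ECP with AD FS pre-authentication, then KCD to the SPN of the Exchange server or the ASA.
# For the Exchange 2013 SP1 ADFS-auth variant (slides 53/54) use the claims-aware trust name and drop the SPN.
foreach ($path in 'owa', 'ecp') {
    Add-WebApplicationProxyApplication @common -Name "Exchange $path" `
        -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'Exchange KCD' `
        -BackendServerAuthenticationSPN 'http/mail.contoso.com' `
        -ExternalUrl "$ext/$path/" -BackendServerUrl "$ext/$path/"
}
# Slide 63: everything else goes through untouched; Exchange authenticates these clients itself.
foreach ($path in 'Microsoft-Server-ActiveSync', 'autodiscover', 'rpc', 'oab', 'mapi') {
    Add-WebApplicationProxyApplication @common -Name "Exchange $path" `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "$ext/$path/" -BackendServerUrl "$ext/$path/"
}
# Check: preauth only on owa/ecp, pass-through elsewhere, header translation disabled everywhere.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, DisableTranslateUrlInRequestHeaders -AutoSize
```

Pass-through rules are exactly that: WAP adds no authentication in front of EAS, Autodiscover, Outlook Anywhere, OAB or MAPI/HTTP, so the hardening of those virtual directories on Exchange is what protects them from the Internet.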

65 Configuring WAP Some older EAS devices and OS’s don’t support SNI
Http.sys listens and serves certs based on the SNI header sent (no IIS on WAP).
Not all EAS devices support sending SNI, leading to a broken EAS experience.
Older OS's (Win XP) don't support sending SNI at all.
You need to assign a default SSL binding via netsh.
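Adding the default (non-SNI) binding the slide calls for, plus a client-side check that a ClientHello without SNI gets the right certificate. Added example, not from the deck; it assumes WAP already has an SNI binding for mail.contoso.com:443 and is reachable at the constructed address 203.0.113.10.

```powershell
# Added example (not from the deck). Assumes an existing SNI binding for mail.contoso.com:443 on this WAP
# and a constructed external address of 203.0.113.10.
$publishedHost = 'mail.contoso.com'
# Parse "netsh http show sslcert" so hash and application ID are copied from the SNI binding, not retyped.
$bindings = @(); $cur = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(Hostname:port|IP:port)\s*:\s*(\S+)') { $cur = @{ Endpoint = $Matches[2] }; $bindings += $cur }
    elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $cur.Hash = $Matches[1] }
    elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') { $cur.AppId = $Matches[1] }
}
$sni = $bindings | Where-Object { $_.Endpoint -eq "${publishedHost}:443" } | Select-Object -First 1
if (-not $sni) { throw "No SNI binding for $publishedHost; publish the application on WAP first." }
if ($bindings | Where-Object { $_.Endpoint -eq '0.0.0.0:443' }) {
    'A default (non-SNI) binding on 0.0.0.0:443 already exists.'
} else {
    # Same certificate, same application ID: http.sys now has an answer for a ClientHello that carries no SNI.
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($sni.Hash)" "appid=$($sni.AppId)"
}

# Check from a client: connecting by IP literal makes Schannel send no SNI, like an old EAS device or XP.
function Test-NoSniBinding([string]$IpAddress, [string]$ExpectedHash) {
    $tcp = New-Object System.Net.Sockets.TcpClient($IpAddress, 443)
    # Accept any certificate here; the test compares the hash itself rather than trusting the chain.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($IpAddress)
        return ($ssl.RemoteCertificate.GetCertHashString() -ieq $ExpectedHash)
    } finally { $ssl.Dispose(); $tcp.Close() }
}
Test-NoSniBinding -IpAddress '203.0.113.10' -ExpectedHash $sni.Hash   # True once the default binding is in place
```

If several names are published on one WAP, the default binding can only present one of them, so the certificate it uses should be the SAN/wildcard certificate that covers the EAS host name.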

66 Configuring WAP Some older EAS devices don’t support SNI
XP is one happy peppy!

67 WAP and Cross-Forest Auth
We know you want it! Leveraging ADFS/WAP and UPN rewrites, we can do, for example, this!
[Diagram: a user in contoso.com opens https://mail.fabrikam.com/owa; the fabrikam WAP redirects to https://sts.fabrikam.com, which trusts https://sts.contoso.com as a claims provider; the contoso AD FS authenticates the user, the fabrikam AD FS rewrites the UPN claim, and OWA on the fabrikam internal network opens the mailbox]

68 WAP and Cross-Forest Auth
We know you want it!
Works for OWA/ECP as those can be published with Pre-Authentication, and honor the redirection to ADFS.
Contoso, in this scenario, needs no Exchange and no special prep.
Magic is done by rewriting the UPN claim.
You need to configure an ADFS claims provider trust and an ADFS relying party trust for the "trusting" forest.
Works in KCD or ADFS Authentication scenarios.

69 WAP + Exchange 2010/Exchange 2007?
We got you covered!
Pure Exchange 2010: Same story as for Exchange 2013, OWA + ECP /w Preauth, all others Pass-Through.
Pure Exchange 2007: All protocols only passthrough (EXCEPT if you are ok with proxying to a single server).
Exchange 2013/2010 coex: OWA + ECP /w preauth, all others Pass-Through.
Exchange 2013/2010/2007: OWA + ECP for 2013/2010 /w Pass-Through, all others pass through (same EXCEPT as above).

70 So you have a WAP lab deployment…
… and after a while of not using it, it stops working. WAP uses a short-lived certificate (15 days) to authenticate to ADFS. If you don't use your WAP lab for 15 days, WAP will be essentially stranded, as the expired certificate will be rejected by ADFS. You can either re-install WAP (the config will remain, as it is stored in ADFS), or rerun the configuration wizard via the Remote Access UI (preferred). For the Remote Access UI to let you run through the wizard again, change HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus to 1 (meaning "not configured") instead of 2 ("configured"). Reopen the UI. No reboot required.
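A small check-and-reset script for the stranded-lab case as an added example (not from the deck): it finds the proxy trust certificate, reports its expiry, and flips the registry value from the slide only when the certificate has actually expired. The certificate subject pattern "ADFS ProxyTrust - <host>" in the machine Personal store is an assumption.

```powershell
# Added example (not from the deck). Assumed: the WAP-to-AD FS trust certificate sits in the machine
# Personal store with subject "CN=ADFS ProxyTrust - <host>"; the registry value is the one from the slide.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning 'No proxy trust certificate found: this WAP has never been configured against AD FS.'
} elseif ($cert.NotAfter -lt $now) {
    Write-Warning ("Proxy trust certificate expired {0:u}; AD FS will reject this WAP." -f $cert.NotAfter)
    # 1 = "not configured": the Remote Access UI offers the configuration wizard again. No reboot needed.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ADFS' -Name ProxyConfigurationStatus -Value 1
    # Scripted alternative to the wizard, re-establishing the trust with AD FS admin credentials:
    # Install-WebApplicationProxy -FederationServiceName sts.contoso.com -CertificateThumbprint '<thumb>' `
    #     -FederationServiceTrustCredential (Get-Credential)
} else {
    'Proxy trust certificate still valid until {0:u} ({1} days left).' -f $cert.NotAfter, ($cert.NotAfter - $now).Days
}
```

Running the first half on a schedule in a lab turns the "it just stopped working" surprise into a warning a few days ahead of the 15-day expiry.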

71 WAP External Lockout Prohibit a DoS-Attack against your environment
ADFS/WAP offer a "soft lockout" for user accounts on WAP itself. The internal AD account remains unlocked while external access is blocked after multiple unsuccessful auth attempts. Needs to be set lower than the internal AD account lockout policy if you have one. Can help mitigate a DoS in case a copy of your GAL/OAB/AD etc. gets lost.

72 WAP External Lockout Configuring External Lockout
Config changes need to be made on the ADFS server. Changes are pushed out to WAP at the next config refresh (every 60 seconds). Use Get/Set-AdfsProperties to modify:
ExtranetLockoutEnabled: $true or $false; determines whether lockout is enabled, default $false
ExtranetLockoutThreshold: Number of failed auth attempts before soft-locking a user
ExtranetObservationWindow: Timespan for a user to be locked, e.g. 30 minutes (00:30:00)
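The two slides above as an added example (not from the deck): it derives the extranet threshold from the domain's real lockout policy so the soft lockout always fires before AD's hard lockout. The standalone value of 10 and the 30-minute window are chosen for the example; the Set-AdfsProperties switch is -EnableExtranetLockout, which Get-AdfsProperties reports as ExtranetLockoutEnabled.

```powershell
# Added example (not from the deck). Run on the AD FS 2012 R2 server with the ActiveDirectory module available.
Import-Module ActiveDirectory
$adPolicy = Get-ADDefaultDomainPasswordPolicy
# Soft lockout must trigger before AD's hard lockout; otherwise failed external logons still lock the real account.
$threshold = switch ($adPolicy.LockoutThreshold) {
    0       { 10 }                                 # AD never locks accounts: pick a standalone value (chosen here)
    1       { throw 'AD lockout threshold of 1 leaves no room for a lower extranet threshold.' }
    default { $adPolicy.LockoutThreshold - 1 }    # one attempt below the domain policy
}
$window = New-TimeSpan -Minutes 30                 # the slide's 00:30:00 example
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold $threshold -ExtranetObservationWindow $window
# WAP picks this up at its next config refresh (every 60 seconds per the slide); confirm the effective values:
Get-AdfsProperties | Format-List ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Re-run the script whenever the domain lockout policy changes, since a raised AD threshold silently leaves the extranet threshold further below it while a lowered one can invert the order.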

73 Demo WAP in action!

74 In Review: Session Objectives And Takeaways
Session Objectives: Describe how ARR and WAP function, their technical implementation and limitations. Explain what ARR and WAP can do for publishing Exchange 2007, Exchange 2010 and Exchange 2013, and compare them to what TMG could do.
Action Items: Go build yourself a WAP and ARR lab and promote the use of these products with your customers!
