Introduction
In the first part of this article, we talked about what our lab would look like and prepared everything up to the point where we could install the virtual machines. In this part, we will go through the installation of ADFS and publish it using TMG 2010. In order to create our hybrid lab, we need five virtual machines. Four of them will run Windows Server 2008 R2 and can be built using differencing disks. One server (DirSync) needs to be 32-bit, though, and since Windows Server 2008 R2 only exists as a 64-bit release, that one runs Windows Server 2008 instead.
Creating the virtual machines
Adding a differencing disk to a VM is quite simple. First, start with creating a VM without a hard disk.
Afterwards, open up the VM’s properties and go to IDE Controller 0/1. From the actions pane, select Hard Disk and click “Add”:

This will add a disk to the VM that you can configure. Clicking “New” will open the “New Virtual Hard Disk Wizard”:

In the wizard, start by selecting “Differencing Disk” and click “Next”:

Enter a name and location for the disk (keeping it next to the VM's configuration files makes it easier to manage later) and click Next.

Select the parent disk we created before and click “Next”.

Confirm the configuration and click “Finish”.
Repeat the steps above for each of the following virtual machines: DC, Exchange, TMG and ADFS.
You can create a regular VM for the DirSync server, but remember to use a 32-bit copy of Windows Server 2008 (not R2, which is 64-bit only), because DirSync requires a 32-bit server!
After you've deployed the VMs, configure a domain controller on one and Exchange 2010 SP1 on another.
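As an added example (not from the original article), here are the same four differencing-disk VMs created with the Hyper-V PowerShell module. That module ships with Windows Server 2012 / Windows 8 and later, not with the 2008 R2 host used in this article, so on 2008 R2 you stay with the Hyper-V Manager steps above. The paths, VM names, memory size and switch name are assumptions for illustration.

```powershell
# Added example, not the article's own procedure: automates the differencing-disk
# steps above with the Hyper-V PowerShell module (Windows Server 2012 / Windows 8+).
# All paths, names and sizes below are assumptions for illustration.

$parent = "D:\Lab\Base\WS2008R2-Base.vhd"   # assumed path of the parent disk built in part 1
$vmRoot = "D:\Lab\VMs"                      # assumed folder for the VM configurations
$switch = "LabSwitch"                       # assumed name of an existing virtual switch

# Once a child exists, any write to the parent (e.g. booting the base VM again)
# invalidates every differencing disk. The read-only attribute guards against that.
Set-ItemProperty -Path $parent -Name IsReadOnly -Value $true

foreach ($name in "DC", "Exchange", "TMG", "ADFS") {
    $vmPath = Join-Path $vmRoot $name
    $child  = Join-Path $vmPath "$name.vhd"    # child must use the same format (.vhd) as the parent
    New-Item -ItemType Directory -Path $vmPath -Force | Out-Null

    # 1. VM without a hard disk, as in the wizard
    New-VM -Name $name -Path $vmRoot -MemoryStartupBytes 2GB -NoVHD -SwitchName $switch | Out-Null

    # 2. differencing disk that points at the shared parent
    New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

    # 3. attach it to IDE controller 0, location 0, so the VM boots from it
    Add-VMHardDiskDrive -VMName $name -ControllerType IDE -ControllerNumber 0 `
        -ControllerLocation 0 -Path $child
}

# DirSync: a regular VM with its own disk (32-bit Windows Server 2008 is installed later), no parent
$dirSyncVhd = Join-Path $vmRoot "DirSync\DirSync.vhd"
New-Item -ItemType Directory -Path (Split-Path $dirSyncVhd) -Force | Out-Null
New-VM -Name "DirSync" -Path $vmRoot -MemoryStartupBytes 2GB -SwitchName $switch `
    -NewVHDPath $dirSyncVhd -NewVHDSizeBytes 60GB | Out-Null

# Verify: every child must report VhdType 'Differencing' and the expected parent
Get-VM DC, Exchange, TMG, ADFS | Get-VMHardDiskDrive | ForEach-Object {
    Get-VHD -Path $_.Path | Select-Object Path, VhdType, ParentPath
}
```

The read-only attribute on the parent is the one step worth keeping even when you use the wizard: a parent that is modified after children have been created silently corrupts all of them.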
ADFS
Now that we've set up our virtual machines, it's time to take our first steps towards a hybrid scenario. Although SSO is not required in a hybrid deployment, it gives your users the best experience.
By default, Windows Server 2008 R2 ships with ADFS 1.1. You will need to download the ADFS 2.0 installer from the Microsoft Download website: http://www.microsoft.com/download/en/details.aspx?id=10909
Run the installer. After agreeing to the EULA, select “Federation Server” and click “Next”:

Setup will check whether all prerequisites are met; if not, it installs them automatically. Click Next.

Setup will now start:

Once the installation is complete, click Finish to open up the management console:

Before we can configure ADFS, we need to make sure that we have an appropriate certificate available.
ADFS uses three different certificates:
- Token-Signing (Self-Signed)
- Token-Decrypting (Self-Signed)
- Communications (Trusted CA)
Make sure that you have the communications certificate ready. By default, when configuring ADFS, the wizard uses the certificate's subject name as the federation service name. Unless you want to change the service name afterwards (check this blog post), make sure that the subject name is correct and represents what it is intended for; Microsoft, for instance, always uses sts.domainname.com in its examples. You can use either a third-party trusted CA or an internal CA to issue the certificate, as long as the certificate is valid and trusted by every client that is going to use ADFS. For a lab an internal CA is fine; for a production Office 365 federation the certificate on the federation server proxy must come from a public CA, because the Microsoft Federation Gateway connects to the proxy for active (rich-client) authentication and does not trust your internal root.
Once you have the certificate, import it into IIS on the ADFS server. For more information on how to import a certificate in IIS, take a look here: http://technet.microsoft.com/en-us/library/cc732785(WS.10).aspx
Now that we’ve imported the certificate into IIS and bound it to the default website, open up the Server Configuration wizard:
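As an added example (not part of the original article), here is a PowerShell 2.0 script for the ADFS server that finds the certificate, checks what the wizard and the clients will require of it, and binds it to port 443 on the Default Web Site. The service name sts.domainname.com is an assumption; adjust it to the subject name of your certificate.

```powershell
# Added example, not from the article: pre-flight check of the service communications
# certificate and the IIS binding the AD FS 2.0 wizard will pick up. PowerShell 2.0 on 2008 R2.
Import-Module WebAdministration

$serviceName = "sts.domainname.com"     # assumption: the name the wizard will take as service name

# The wizard only offers certificates with a private key from LocalMachine\My
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c   = $_
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
    $c.HasPrivateKey -and (
        ($c.Subject -like "CN=$serviceName,*") -or ($c.Subject -eq "CN=$serviceName") -or
        ($san -ne $null -and $san.Format($false) -like "*DNS Name=$serviceName*")
    )
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate for $serviceName with a private key in LocalMachine\My" }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1); without it clients refuse the TLS handshake
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# The chain must validate on this machine (internal root imported, or a public CA)
if (-not $cert.Verify()) { throw "Certificate chain for $($cert.Thumbprint) does not validate here" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# The wizard derives the service name from the subject CN, so show exactly what it will use
"Using {0} (CN={1}, expires {2:d})" -f $cert.Thumbprint, $cert.GetNameInfo("SimpleName", $false), $cert.NotAfter

# HTTPS binding on the Default Web Site plus the SSL certificate mapping for 0.0.0.0:443
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -IPAddress "*"
}
if (Test-Path "IIS:\SslBindings\0.0.0.0!443") { Remove-Item "IIS:\SslBindings\0.0.0.0!443" }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item "IIS:\SslBindings\0.0.0.0!443" | Out-Null

Get-WebBinding -Name "Default Web Site"
```

If the script picks a certificate other than the one you intended (for example an older one with the same name), the wizard will offer the same list, so fix the store before running it rather than choosing in the wizard.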

Select “Create a new Federation Service” and click “Next”

Depending on your deployment, choose either “New Federation Server Farm” or “Stand-Alone Federation Server”, click Next:

The wizard will pick up the imported certificate. If multiple certificates exist, you will be given the choice to select the proper one:

Confirm to start configuration:

After the setup completes successfully, you can close the management console.
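As an added example (not part of the original article), here is a check to run on the ADFS server once the wizard has finished. It uses the AD FS 2.0 PowerShell snap-in and downloads the federation metadata under the service name, which is what Office 365 will consume later; the ADFS server itself must therefore trust the CA that issued the communications certificate.

```powershell
# Added example, not from the article: verify the new federation service with the
# AD FS 2.0 snap-in and check that the published metadata matches the configured certificates.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties
"Service name: {0}   Identifier: {1}" -f $props.HostName, $props.Identifier

# The three certificates from the text: only Service-Communications comes from a CA; the
# token-signing and token-decrypting ones are self-signed and rolled over by ADFS itself.
$certs = Get-ADFSCertificate
$certs | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ Name = "Issuer";  Expression = { $_.Certificate.Issuer } },
    @{ Name = "Expires"; Expression = { $_.Certificate.NotAfter } } | Format-Table -AutoSize

$signing = $certs | Where-Object { $_.CertificateType -eq "Token-Signing" -and $_.IsPrimary }

# Metadata must be reachable under the service name and advertise the same signing certificate,
# otherwise relying parties will reject every token this server issues.
$url = "https://{0}/FederationMetadata/2007-06/FederationMetadata.xml" -f $props.HostName
$wc  = New-Object System.Net.WebClient
[xml]$metadata = $wc.DownloadString($url)

$advertised = @()
$dsig = "http://www.w3.org/2000/09/xmldsig#"
foreach ($node in $metadata.GetElementsByTagName("X509Certificate", $dsig)) {
    $raw = [Convert]::FromBase64String($node.InnerText)
    $x   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $advertised += $x.Thumbprint
}
$advertised = $advertised | Select-Object -Unique

if ($advertised -contains $signing.Thumbprint) {
    "OK: metadata at $url advertises the primary token-signing certificate $($signing.Thumbprint)"
} else {
    Write-Warning "Metadata does not contain the primary token-signing certificate; advertised: $($advertised -join ', ')"
}
```

The metadata also contains the token-decrypting certificate and the signature over the document itself, so more than one thumbprint in the list is expected; what matters is that the primary token-signing certificate is among them.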

Publishing ADFS through TMG 2010
I had to figure out a way in which I could publish both ADFS and Exchange onto the internet with only a single external IP. A TMG allows you to publish web sites based on their host name. Since my ADFS environment is using STS.domainname.com and Exchange is using webmail.domainname.com this was the ideal solution!
Publishing Exchange through a TMG 2010 is relatively easy. However, ADFS requires a bit more work:
Open the TMG Management Console, Right-click Firewall Policy and select New > Web Site Publishing Rule:

Choose a descriptive name (e.g. ADFS) for the Publishing Rule and click Next.

Choose Allow and click Next.

Choose “Publish a single Web site or load Balancer” and click Next.

Select “Use SSL…” and click Next:

Enter the internal site name (e.g. adfs.domainname.com) and the computer name or IP address of the ADFS server (or ADFS proxy server) that TMG should forward the requests to:

Enter “/*” as the path and make sure to select “Forward the original host header instead of the actual one specified in the Internal site name field on the previous page”, so that ADFS sees the public service name the client used. Click Next.

Now here's what makes our lab possible. In this window we define the public host name that TMG matches for this rule, which is what lets ADFS and Exchange share a single external IP address.
Select “This domain name (type below)”, enter the service name that you configured earlier in ADFS (e.g. sts.domainname.com) and click Next.

Select a Web Listener. If you haven't configured one before, now is a good time to do so; see the Web Listener section at the end of this article for the steps.

Select “No Delegation, but client may authenticate directly” and click next.

Accept the defaults and click Next.

Review your settings and click Finish to create the Publishing Rule.
However, in order for ADFS to work through the TMG, we still need to modify some settings:
Right-click the publishing rule and select “Properties”. Go to the “Link Translation” tab and disable “Apply link translation to this rule”: link translation rewrites URLs inside the responses, which would corrupt the URLs ADFS sends back to the client.

Click OK to accept the changes. Now right-click the publishing rule again, select “Configure HTTP” and, on the General tab, disable “Verify Normalization” and “Block High Bit Characters”. Click OK.
Verify Normalization rejects requests whose URL still contains escaped characters after one round of decoding (double-encoding), and Block High Bit Characters rejects non-ASCII bytes in the URL. ADFS sign-in requests legitimately carry a URL-encoded return URL inside the already encoded wctx parameter, so the filter would block them. Both settings belong to the HTTP filter of this rule only, so leave them enabled on the Exchange publishing rule.

You’re all done. Don’t forget to Apply the changes to the TMG!
Web Listener
Creating a web listener is a pretty easy task. First, start by giving your Web Listener a descriptive name:

Next, select “Require SSL secured connections with clients” and click Next:

Select the network(s) the listener will be active on and click Next.

Select the appropriate certificate and click Next:
Note: make sure that the certificate you use for this listener contains both the ADFS name and the Exchange name(s), either as Subject Alternative Names or as a wildcard. TMG does not support SNI, so one listener on one IP address can present only one certificate to every client.

Select “No Authentication” and click Next (clients authenticate against ADFS directly, which matches the “No delegation” choice in the rule):

Click Next again (no options can or need to be changed here):

Review the settings and confirm by clicking “Finish”:
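As an added example serving both the ADFS publishing rule above and the listener certificate note (not part of the original article), here is a smoke test to run from a client outside the TMG that trusts the CA of the listener certificate. The host names are the article's placeholders, and the Office 365-style query string is constructed here to resemble a real sign-in redirect rather than copied from one.

```powershell
# Added example, not from the article: external check of the ADFS publishing rule and the
# listener certificate. Run from a client outside TMG that trusts the listener's CA.
$sts     = "sts.domainname.com"       # placeholder from the article
$webmail = "webmail.domainname.com"   # placeholder from the article

# Constructed to resemble an Office 365 redirect: wctx carries a URL inside a URL, so it is
# double-encoded (%253A%252F%252F). This is what "Verify Normalization" rejects if left on.
$o365Style = "?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline" +
             "&wctx=wa%3Dwsignin1.0%26wreply%3Dhttps%253A%252F%252Fportal.microsoftonline.com%252F"

$probes = @(
    "https://$sts/FederationMetadata/2007-06/FederationMetadata.xml",
    "https://$sts/adfs/ls/IdpInitiatedSignOn.aspx",
    "https://$sts/adfs/ls/IdpInitiatedSignOn.aspx$o365Style"
)

function Invoke-Probe([string]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $req.UserAgent = "adfs-publish-check"
    try {
        $resp = $req.GetResponse()
    } catch {
        # non-2xx answers arrive as a WebException that still carries the response
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not ($ex -is [System.Net.WebException]) -or -not $ex.Response) { throw }
        $resp = $ex.Response
    }
    $reader = New-Object System.IO.StreamReader $resp.GetResponseStream()
    $body   = $reader.ReadToEnd(); $reader.Close(); $resp.Close()

    New-Object PSObject -Property @{
        Url         = $url
        Status      = [int]$resp.StatusCode
        # TMG answers for itself when its HTTP filter rejects a request; otherwise ADFS answers
        FromTMG     = ($body -match "rejected by the HTTP filter")
        Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                          -ArgumentList $req.ServicePoint.Certificate
    }
}

$results = $probes | ForEach-Object { Invoke-Probe $_ }
$results | Format-Table Status, FromTMG, Url -AutoSize

# The listener presents one certificate for every published name (no SNI in TMG),
# so it must carry both names as Subject Alternative Names or be a wildcard.
$cert  = $results[0].Certificate
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$names = if ($san) { $san.Format($false) } else { $cert.Subject }
"Listener certificate: $($cert.Subject)"
foreach ($n in $sts, $webmail) {
    $parentDomain = $n.Substring($n.IndexOf('.') + 1)
    $covered = ($names -like "*DNS Name=$n*") -or ($cert.Subject -like "CN=$n*") -or
               ($names -match ("DNS Name=\*\." + [regex]::Escape($parentDomain)))
    "{0,-28} {1}" -f $n, $(if ($covered) { "covered" } else { "NOT covered" })
}
```

All three probes should come back with status 200 and FromTMG false. A 500 with FromTMG true on the third probe means the HTTP filter of the rule is still rejecting double-encoded URLs; a TLS failure on the first probe usually means the listener certificate does not cover the name, which the last lines of the output show.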

We’ve now configured ADFS and published it onto the internet through TMG. In the next part of this article, we will be configuring TMG for Exchange 2010.
Once that is done, your way to a hybrid deployment is open.
Posted 11-08-2011 11:17 by Michael Van Horenbeeck