
Features            IIS Application Request Routing (ARR)                 Web Application Proxy (WAP)
Pre-authentication  None (ARR forwards unauthenticated requests           AD FS pre-authentication
                    to the backend)
Prerequisites       IIS 7.0 or later (IIS 8.0 on Windows Server 2012);    Windows Server 2012 R2
                    ARR is an IIS 7+ module, so IIS 6.0 is not supported
Dependency          None                                                  AD FS has to be set up
Load balancing      Inbuilt functionality                                 Requires a load balancer

[Diagram] OWA, Outlook, ActiveSync and ECP clients -> IIS ARR, which combines URL Rewrite (reverse proxy) with Web Farm properties (load balancing)

URL Rewrite Module
  - URL filtering: allow/deny URL

Web Farm Framework Module
  - Load balancing
  - Health check

URLs
  https://mail.sir8.at/OWA
  https://mail.sir8.at/ECP
  https://mail.sir8.at/OAB
  https://mail.sir8.at/EWS/Exchange.asmx
  https://mail.sir8.at/*
  https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml

IIS ARR URL Rewrite rules (Option 1: one farm per namespace):
  https://mail.contoso.com/*          -> mail.contoso.com (Web Farm)
  https://autodiscover.contoso.com/*  -> autodiscover.contoso.com (Web Farm)

autodiscover.contoso.com (Web Farm)
  Health check:    https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
  Load balancing:  Least Current Requests
  Affinity:        No

mail.contoso.com (Web Farm)
  Health check:    https://mail.contoso.com/OWA/HealthCheck.htm
  Load balancing:  Least Current Requests
  Affinity:        No


[Diagram] Requests for https://mail.contoso.com/OAB and https://mail.contoso.com/EWS/Exchange.asmx -> IIS ARR (reverse proxy & load balancer) -> CAS 1 / CAS 2

[Diagram] Option 2: a namespace per protocol
User -> IIS ARR (URL Rewrite) -> Server Farm -> CAS

Namespace                  Web Farm      Health check URL
mail.contoso.com           OWA           https://mail.contoso.com/OWA/HealthCheck.htm
ecp.contoso.com            ECP           https://ecp.contoso.com/ECP/HealthCheck.htm
ews.contoso.com            EWS           https://ews.contoso.com/EWS/HealthCheck.htm
eas.contoso.com            EAS           https://eas.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
oab.contoso.com            OAB           https://oab.contoso.com/OAB/HealthCheck.htm
oa.contoso.com             OA            https://oa.contoso.com/RPC/HealthCheck.htm
autodiscover.contoso.com   AutoDiscover  https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm
                                         (https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml is the client-facing URL)

Each web farm performs a per-protocol health check, so a CAS is taken out of one farm when that protocol's HealthCheck.htm fails, not out of all of them.

Exchange virtual directories: mail.contoso.com, ecp.contoso.com, ews.contoso.com, eas.contoso.com, oab.contoso.com, oa.contoso.com, autodiscover.contoso.com

Solution comparison

Option 1: one namespace, one web farm
  High availability / load balancing of traffic destined for multiple CAS servers: Yes (server availability only: no per-protocol health check)
  Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: share a common namespace
  Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

Option 2: a namespace per protocol
  High availability / load balancing of traffic destined for multiple CAS servers: Yes (per-protocol health check: service availability)
  Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: namespace for each protocol
  Certificate & DNS: certificate entry for each protocol (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.) or one wildcard certificate (*.tailspintoys.com); multiple additional DNS entries (mail.tailspintoys.com, EWS.tailspintoys.com, EAS.tailspintoys.com, OAB.tailspintoys.com etc.)

Option 3: one namespace, path-based rules to per-protocol web farms
  High availability / load balancing of traffic destined for multiple CAS servers: Yes (per-protocol health check: service availability)
  Exchange virtual directories (OWA, ECP, OAB etc.) [except AutoDiscover]: share a common namespace
  Certificate & DNS: minimal (mail.tailspintoys.com and autodiscover.tailspintoys.com)

[Diagram] Option 3: one namespace, path-based URL Rewrite rules
User -> IIS ARR (URL Rewrite) -> Server Farm -> CAS
Namespaces: mail.contoso.com, autodiscover.contoso.com
Example requests: https://mail.contoso.com/OWA, https://mail.contoso.com/EWS/Exchange.asmx

URL Rewrite rule   Web Farm      Health check URL
/OWA*              OWA           https://mail.contoso.com/OWA/HealthCheck.htm
/ECP*              ECP           https://mail.contoso.com/ECP/HealthCheck.htm
/EWS*              EWS           https://mail.contoso.com/EWS/HealthCheck.htm
/EAS*              EAS           https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm
/OAB*              OAB           https://mail.contoso.com/OAB/HealthCheck.htm
/RPC*              OA            https://mail.contoso.com/RPC/HealthCheck.htm
/AutoDiscover*     AutoDiscover  https://autodiscover.contoso.com/Autodiscover/HealthCheck.htm

Note: /EAS* is the slide's shorthand; ActiveSync clients request /Microsoft-Server-ActiveSync, so the rewrite rule must match that path (the health check URL already uses it).

Each web farm performs a per-protocol health check.

Exchange virtual directories: mail.contoso.com, autodiscover.contoso.com
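The Option 3 layout above, as an added example written for this page (editor's code, not the deck author's): one web farm per protocol with its own HealthCheck.htm probe, Least Current Requests without affinity, a path-based global rewrite rule per farm, and one URL-filtering deny rule as an instance of the URL Rewrite module's allow/deny feature. Assumptions: ARR 3.0 and URL Rewrite are installed, the CAS hostnames cas1/cas2.contoso.local and the internal range 10.* are hypothetical, and the mail.contoso.com TLS binding already exists on the ARR site.

```powershell
# Added example (editor's code, not from the original deck): builds the Option 3
# layout on an IIS ARR host with the WebAdministration module. Assumptions:
# ARR 3.0 and URL Rewrite are installed, the CAS hostnames cas1/cas2.contoso.local
# and the internal range 10.* are hypothetical, and the TLS binding for
# mail.contoso.com already exists on the ARR site.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'
$cas     = @('cas1.contoso.local', 'cas2.contoso.local')   # hypothetical backend CAS

# ARR only proxies once the server-level proxy switch is on.
Set-WebConfigurationProperty -PSPath $apphost -Filter 'system.webServer/proxy' -Name 'enabled' -Value $true

# URL filtering (allow/deny URL): global rules run in order, so a deny rule added
# first wins. Here /ecp is refused (403) unless the client is on the internal range.
$rules = 'system.webServer/rewrite/globalRules'
$deny  = "$rules/rule[@name='Deny_ECP_external']"
Add-WebConfigurationProperty -PSPath $apphost -Filter $rules -Name '.' `
    -Value @{ name = 'Deny_ECP_external'; patternSyntax = 'Wildcard'; stopProcessing = $true }
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/match" -Name 'url' -Value '*'
Add-WebConfigurationProperty -PSPath $apphost -Filter "$deny/conditions" -Name '.' -Value @{ input = '{URL}'; pattern = '/ecp*' }
Add-WebConfigurationProperty -PSPath $apphost -Filter "$deny/conditions" -Name '.' -Value @{ input = '{REMOTE_ADDR}'; pattern = '10.*'; negate = $true }
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/action" -Name 'type'       -Value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $apphost -Filter "$deny/action" -Name 'statusCode' -Value 403

# One web farm per protocol, each probing its own HealthCheck.htm, so a CAS whose
# OWA app pool is down leaves the OWA farm only (service availability).
# ActiveSync clients use /Microsoft-Server-ActiveSync, not /EAS, so that is the pattern.
$farms = @(
    @{ Name = 'OWA-Farm';  Path = '/owa*';                         Health = 'https://mail.contoso.com/OWA/HealthCheck.htm' },
    @{ Name = 'ECP-Farm';  Path = '/ecp*';                         Health = 'https://mail.contoso.com/ECP/HealthCheck.htm' },
    @{ Name = 'EWS-Farm';  Path = '/ews*';                         Health = 'https://mail.contoso.com/EWS/HealthCheck.htm' },
    @{ Name = 'EAS-Farm';  Path = '/Microsoft-Server-ActiveSync*'; Health = 'https://mail.contoso.com/Microsoft-Server-ActiveSync/HealthCheck.htm' },
    @{ Name = 'OAB-Farm';  Path = '/oab*';                         Health = 'https://mail.contoso.com/OAB/HealthCheck.htm' },
    @{ Name = 'OA-Farm';   Path = '/rpc*';                         Health = 'https://mail.contoso.com/RPC/HealthCheck.htm' }
)

foreach ($f in $farms) {
    $farm = "webFarms/webFarm[@name='$($f.Name)']"
    Add-WebConfigurationProperty -PSPath $apphost -Filter 'webFarms' -Name '.' -Value @{ name = $f.Name; enabled = $true }
    foreach ($server in $cas) {
        Add-WebConfigurationProperty -PSPath $apphost -Filter $farm -Name '.' -Value @{ address = $server; enabled = $true }
    }
    $arr = "$farm/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck"   -Name 'url'             -Value $f.Health
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck"   -Name 'statusCodeMatch' -Value '200'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/healthCheck"   -Name 'interval'        -Value '00:00:30'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/loadBalancing" -Name 'algorithm'       -Value 'LeastCurrentRequest'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$arr/affinity"      -Name 'useCookie'       -Value $false   # Affinity: No

    # Path-based reverse-proxy rule: Host mail.contoso.com + this path -> this farm.
    # The farm name is used as the host of the rewrite target; ARR resolves it to a member.
    $rule = "$rules/rule[@name='ARR_$($f.Name)']"
    Add-WebConfigurationProperty -PSPath $apphost -Filter $rules -Name '.' `
        -Value @{ name = "ARR_$($f.Name)"; patternSyntax = 'Wildcard'; stopProcessing = $true }
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/match" -Name 'url' -Value '*'
    Add-WebConfigurationProperty -PSPath $apphost -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTP_HOST}'; pattern = 'mail.contoso.com' }
    Add-WebConfigurationProperty -PSPath $apphost -Filter "$rule/conditions" -Name '.' -Value @{ input = '{URL}'; pattern = $f.Path }
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $apphost -Filter "$rule/action" -Name 'url'  -Value "https://$($f.Name)/{R:0}"
}
```

The AutoDiscover farm is built the same way with a rule keyed on the autodiscover.contoso.com host and the /Autodiscover* path. Two caveats for the deny rule: {REMOTE_ADDR} is the address ARR sees, so it only identifies the client when no external load balancer sits in front of the reverse proxy; and OWA's Options page is served from /ecp, so denying /ecp to external clients also removes that page from external OWA.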


Configure

[Diagram] OWA, Outlook, ActiveSync and ECP clients -> IIS ARR: URL Rewrite (reverse proxy) and Web Farm properties (load balancing)

Deployment topologies

1. One tier: External user -> External firewall -> IIS ARR (reverse proxy + load balancer) -> Internal firewall; internal users also go through this IIS ARR.
2. Two tiers: External user -> External firewall -> IIS ARR (reverse proxy) -> Internal firewall -> IIS ARR (load balancer); internal users go to the IIS ARR load balancer.
3. Three tiers: External user -> External firewall -> IIS ARR (external load balancer) -> IIS ARR (reverse proxy) -> Internal firewall -> IIS ARR (internal load balancer); internal users go to the internal load balancer.

O365 Exchange Online hybrid configuration
  Internet -> DMZ: IIS ARR (reverse proxy + L7 load balancer), ADFS Proxy -> Intranet: ADFS, on-premise mailbox
  O365 mailbox (Exchange Online)

[Diagram] Web Application Proxy architecture
  Internet: Client (browser, Office client or modern app), HTTP/S
  Firewall -> DMZ: Load balancer -> AD FS Proxy / Web Application Proxy
  Firewall -> Corporate network:
    Load balancer -> AD FS (AuthN Web UI, Config. Store); WAP reads its configuration over the Config. API (HTTPS)
    Active Directory Domain Controller: WAP obtains a KCD ticket for IWA AuthN
    Backend servers: HTTP/S with claims, IWA or pass-through AuthN

OWA logon through WAP with AD FS pre-authentication (https://mail.fabrikam.com/owa, AD FS at https://sts.fabrikam.com), as read from the trace screenshots:

1. Client: GET https://mail.fabrikam.com/owa
   WAP: 307 Redirect to https://sts.fabrikam.com (no EdgeAccessCookie yet, so the request is sent to AD FS)
2. Client: GET https://sts.fabrikam.com (AD FS sign-in form)
3. Client: POST https://sts.fabrikam.com (credentials)
   AD FS: 302 FOUND back to https://mail.fabrikam.com/owa, setting MSISAuth (session cookie) and carrying the AuthToken
4. Client: GET https://mail.fabrikam.com/owa w/ AuthToken
   WAP: 301 Moved Permanently to https://mail.fabrikam.com/owa, setting EdgeAccessCookie (session cookie)
5. Client: GET https://mail.fabrikam.com/owa with EdgeAccessCookie
   WAP: KCD for the principal name; the trace shows the ticket issued for the backend SPN
   Backend: 401 Unauthorized (Negotiate challenge), which WAP answers with the Kerberos ticket
6. Actual OWA logon.

Reference: http://technet.microsoft.com/en-us/library/hh831477.aspx

...and after a while of not using it, it stops working

WAP uses a short-lived certificate (15 days) to authenticate to AD FS.
If you don't use your WAP lab for 15 days, WAP is essentially stranded, as the expired
certificate will be rejected by AD FS.
You can either reinstall WAP (the configuration remains, as it is stored in AD FS) or rerun the
configuration wizard via the Remote Access UI (preferred).

To let the Remote Access UI run you through the wizard again, change
HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus from 2 (configured) to 1 (not configured).
Reopen the UI. No reboot is required.
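The WAP side of the logon flow and the lab note above, as an added example written for this page (editor's code, not the deck author's): publishing OWA with AD FS pre-authentication and KCD, and a check for the expired proxy trust certificate followed by the registry reset. Assumptions: the WAP host is WAP01 (hypothetical), Install-WebApplicationProxy has already been run against sts.fabrikam.com, a relying party trust named OWA exists in AD FS, the Exchange SPN is HTTP/mail.fabrikam.com, and the proxy trust certificate is assumed to sit in the machine store with a subject starting "CN=ADFS ProxyTrust".

```powershell
# Added example (editor's code, not from the original deck). Assumptions: WAP host
# WAP01 (hypothetical), AD FS at sts.fabrikam.com, relying party trust 'OWA',
# backend SPN HTTP/mail.fabrikam.com, Install-WebApplicationProxy already run.

# 1. Domain side (run where the ActiveDirectory module is available): allow WAP01
#    to obtain Kerberos tickets on behalf of pre-authenticated users, limited to the
#    OWA SPN. TrustedToAuthForDelegation enables protocol transition (S4U2Self),
#    which is what lets WAP turn an AD FS claim into a ticket without a password;
#    a compromised WAP01 can therefore impersonate any user to every SPN listed
#    here, so keep msDS-AllowedToDelegateTo to exactly the SPNs WAP must reach.
Set-ADAccountControl -Identity 'WAP01$' -TrustedToAuthForDelegation $true
Set-ADComputer -Identity 'WAP01' -Add @{ 'msDS-AllowedToDelegateTo' = @('HTTP/mail.fabrikam.com') }

# 2. WAP side: ExternalUrl is the URL the trace starts with; BackendServerAuthenticationSPN
#    is the SPN the KCD ticket is requested for (step 5 of the flow).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=mail.fabrikam.com' } | Select-Object -First 1
Add-WebApplicationProxyApplication -Name 'OWA' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'OWA' `
    -ExternalUrl 'https://mail.fabrikam.com/owa/' `
    -BackendServerUrl 'https://mail.fabrikam.com/owa/' `
    -BackendServerAuthenticationSPN 'HTTP/mail.fabrikam.com' `
    -ExternalCertificateThumbprint $cert.Thumbprint

# 3. Lab health: the WAP <-> AD FS trust rides on a short-lived client certificate.
#    Assumption: it is stored in LocalMachine\My with subject 'CN=ADFS ProxyTrust - <host>'.
function Test-WapProxyTrust {
    $trust = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $trust) { return 'no proxy trust certificate: run the WAP configuration wizard' }
    if ($trust.NotAfter -lt (Get-Date)) { return "proxy trust certificate expired $($trust.NotAfter): WAP is stranded" }
    return "proxy trust certificate valid until $($trust.NotAfter)"
}
Test-WapProxyTrust

# 4. When it has expired, reset the wizard state so the Remote Access UI lets you
#    re-run configuration against AD FS (no reboot required).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ADFS' -Name 'ProxyConfigurationStatus' -Value 1
```

For the KCD hop to succeed the OWA (and ECP) virtual directories on the Exchange side must accept Windows authentication rather than only forms-based authentication; otherwise step 5 of the flow never gets the Negotiate challenge WAP is waiting for.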
