Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy

Over the last year I’ve spent a decent chunk of my time shaping and delivering Identity and Access Management workshops for Office 365 projects at Content and Code. This is generally underpinned by Active Directory Federation Services v2.0 (ADFS). In fact I don’t think we’ve done a single Office 365 project without it. Along the way I’ve become acquainted with many of the nuances of the sign on and sign out experiences as they differ across Office 365 services, client applications and different (valid) network perimeter technologies. In this post I will mainly focus on the security implications of publishing ADFS through ISA or TMG Reverse Proxies in the place of ADFS Proxy servers. In the majority of our engagements we’ve considered this option (potentially allowing our clients to consolidate infrastructure) since ISA, TMG or similar Reverse Proxies are commonly deployed. Yet we need to evaluate with full awareness of how ADFS operates without a Claims-aware Reverse Proxy such as the ADFS Proxy. This gets pretty technical, so I’m assuming some high-level familiarity with ADFS, Reverse Proxies and Office 365.


Continue reading “Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy”

When Lync Online Traffic Routes Peer-to-Peer

Following my last post on Lync, Strings and Cans I need to report further detail on my test findings, wherein I identified that some Lync Online traffic would route peer-to-peer. This was an exciting finding for us, and remains so, although we’ve also uncovered some initially-unexpected nuances. To this end, my first post describes a model for understanding Lync traffic and details the default experience. In this post, I’ll talk about how in some cases, a two-person session will switch from peer-to-peer routing to a conference mediated by the Lync Online Edge servers. In these cases, Lync traffic routes in the same way as a multiple-participant conference, even though there are only two users involved. Put another way, in these cases all traffic will route via Office 365’s Lync Online Edge servers, even if all the internal ports are open for peer-to-peer communications.

NAT Traversal and Candidate Testing

To understand what’s going on, you first need to understand what to look for. Part of the reason for the delay producing this second post is that I’ve been trying to explain this by picking apart network monitor data. At first these captures were nothing more than an attempt to validate assumed behaviour, but it’s quite a bit more complicated than I expected. Thankfully, there are some excellent resources that describe precisely what I’ve seen with greater precision and detail than I could hope to reverse engineer. Having spun my wheels for a bit, I would recommend some healthy RTFM – getting to grips with Lync topology and possibly even consulting protocol documents, if you’ll spend any amount of time trying to decipher Lync network traffic. I cite some of these resources at the bottom of this post, but for the immediate considerations I’m focusing on some key descriptions from Bernd Ott’s How Communicator Uses SDP and ICE To Establish a Media Channel article.

Continue reading “When Lync Online Traffic Routes Peer-to-Peer”

Lync, Strings and Cans

Like a lot of people in the Microsoft partner community, I’ve been catching up with Lync this year and digging in to the finer details with a few of my colleagues. One thing we wanted to understand better was the routing between two users over a LAN, a private WAN, or some other connection where all the necessary network ports would be open. Would these clients communicate peer-to-peer? If so, does it always behave the same way, how is it accomplished and what might go wrong?

First, consider an organisation with offices across multiple floors or buildings. Lync may be a very effective means of connecting these employees despite their relatively close proximity. If this traffic can route locally it can be a big plus – especially if there’s lots of media traffic. Second, consider an organisation with multiple branches. They invested in private WAN links to connect these branches and don’t necessarily want to route Lync traffic over their internet connections if they can avoid it. For some organisations these will be non-issues, since Lync traffic is optimised for the WAN, but for other organisations this may be important – particularly if they’re in a part of the world where internet connections are slow or expensive (or both). So we went about testing this with the Lync 2010 client and Office 365 users (the behaviour is the same with Microsoft Online IDs or federated users).

Continue reading “Lync, Strings and Cans”

Amazon VPC and VM Import Updates

In the last couple of weeks I’ve received notification of two important updates regarding Amazon Web Services. I thought I’d share them here, as they are both relevant to use of SharePoint 2010 on EC2 and I’ve seen no mention of them elsewhere. If you’re interested in this broader topic, I’ve covered it in detail here:


My commentary here assumes some familiarity with these earlier posts. This is new functionality that enables new design options. These options should make SharePoint 2010 on EC2 more appealing for a few specific uses.

Continue reading “Amazon VPC and VM Import Updates”

SharePoint 2010 Infrastructure for Amazon EC2 Part IV: Cost Analysis

In the previous posts in this series I’ve discussed the AWS platform and took a closer look at storage, snapshots and provisioning, looked at networking and cloning and then reviewed administration, delegation and licensing. In this post I will analyse cost, which is probably the most important factor when considering a move to the cloud.

Continue reading “SharePoint 2010 Infrastructure for Amazon EC2 Part IV: Cost Analysis”

SharePoint 2010 Infrastructure for Amazon EC2 Part III: Administration, Delegation and Licensing

In the first part of this series on SharePoint 2010 infrastructure considerations for Amazon EC2, I introduced the AWS platform and took a closer look at storage, snapshots and provisioning. In the second post I moved on to networking and cloning. In this third post I will discuss administration, delegation and licensing.

Continue reading “SharePoint 2010 Infrastructure for Amazon EC2 Part III: Administration, Delegation and Licensing”

SharePoint 2010 Infrastructure for Amazon EC2 Part II: Cloning and Networking

In my previous post I introduced some of the peculiarities of designing SharePoint 2010 environments for Amazon’s EC2, specifically focused on the AWS platform, storage, snapshots and provisioning. In this post I continue this exploration, moving on to cloning and networking considerations.

Continue reading “SharePoint 2010 Infrastructure for Amazon EC2 Part II: Cloning and Networking”

SharePoint 2010 Infrastructure for Amazon EC2 Part I: Storage and Provisioning

The Amazon Web Services (AWS) have been around for a while now but there’s been surprisingly little ­­use or abuse in the SharePoint community, from what I’ve seen. A notable exception to this is Andrew Woodward’s novel and interesting approach to Exchange BPOS migration via Amazon EC2. But that doesn’t talk much about SharePoint on Amazon, so in these posts I’ll give an introduction to the design constraints that pertain to SharePoint 2010 development environments on EC2. Even if the Amazon Web Services aren’t appealing, a lot of the issues discussed here will apply to consumption of other Pay-As-You-Go infrastructure services, presumably including the forthcoming Windows Azure VM role AKA Hyper-V Cloud. In this first post I focus on the platform, storage, snapshots and provisioning.

Continue reading “SharePoint 2010 Infrastructure for Amazon EC2 Part I: Storage and Provisioning”