Office 365: The Full Hybrid Experience
Vincenzo Barbieri / Jean-Claude Corboz, DL Groupe, Swisscom
Lausanne
Agenda
- Exchange Hybrid (25 min), Vincenzo Barbieri
- Lync Hybrid (20 min), Vincenzo Barbieri
- Voice Connectivity over SIP Trunk (15 min), Jean-Claude Corboz
DL Groupe, company profile
- Founded; employees
- Sites: Geneva, Vaud, Valais, Fribourg, Jura
- Microsoft competencies: Unified Communication (Exchange, Lync); Cloud (Office 365 & Azure); Virtualization (VDI & Server); System Center
Before we begin…
A simple mental model for Office 365: the latest productivity services in Microsoft's public cloud, plus the latest apps.
Planning for deployment: "Can I do it in a weekend?"
- The migration solution is part of the deployment plan.
- Dimensions that drive the plan:
  - Hybrid: which Exchange sharing features are needed
  - Source server: Exchange, IMAP, Lotus Notes, Google
  - Size: large, medium, small
  - Identity management: on-premises (single sign-on) or in the cloud
  - Provisioning: DirSync or bulk provisioning
Standard Microsoft migration options
Source platforms covered: Exchange 5.5, 2000, 2003, 2007, 2010, 2013; Notes/Domino; GroupWise; other.
Simple migrations:
- IMAP migration: supports a wide range of platforms (any IMAP source), but mail only: no calendar, contacts or tasks.
- Cutover Exchange Migration (CEM): good for fast, all-at-once cutovers (Exchange 2003 or later); no migration tool or computer required on-premises.
- Staged Exchange Migration (SEM): Exchange 2003 and 2007; no migration tool or computer required on-premises; requires directory synchronization with on-premises AD.
Hybrid deployment (Exchange 2010 or 2013 hybrid server; source Exchange 2007 or later):
- Manage users on-premises and online
- Enables cross-premises calendaring, smooth migration, and easy off-boarding
Hybrid vs. Staged
Features compared (Hybrid supports all of them; Staged covers only the first three, mail routing and the unified GAL):
- Mail routing between on-premises and cloud (recipients on either side)
- Mail routing with a shared namespace (if desired) on both sides
- Unified GAL
- Free/busy and calendar sharing cross-premises
- MailTips, message tracking, and mailbox search work cross-premises
- OWA redirection cross-premises (single OWA URL for both on-premises and cloud)
- Exchange Online Archive
- Exchange Management Console used to manage the cross-premises relationship and mailbox migrations
- Native mailbox move supports both onboarding and offboarding
- No Outlook reconfiguration or OST resync required after mailbox migration
- Online mailbox move lets users stay logged into their mailbox while it is being moved to the cloud
- Secure mail: cross-premises messages are TLS-encrypted and the internal auth headers are preserved
- Centralized mail flow control: all inbound/outbound mail routes via on-premises
Today's focus: Exchange sharing, secure transport, mailbox move.
Hybrid architecture
- On-premises Exchange org: existing Exchange 2007 or later, plus Exchange 2013 CAS and MBX as the hybrid servers
- Users, groups and contacts flow to Office 365 via the Directory Synchronization app (DirSync)
- Between the hybrid servers and Office 365: secure mail flow; sharing (free/busy, MailTips, archive, etc.); mailbox data via the Mailbox Replication Service (MRS)
Identities
Understanding identities
Cloud identity:
- Separate credential from the on-premises credential
- Authentication occurs via the cloud directory service
- Password policy is stored in Office 365
- Does not require an on-premises server deployment
Federated identity:
- Same credential as the on-premises credential
- Authentication occurs via the on-premises directory service (through AD FS)
- Password policy is stored on-premises
- Requires an on-premises DirSync server and an on-premises AD FS server
Understanding identities: the three options
Cloud identity
- Scenario: smaller organizations, with or without on-premises Active Directory
- Benefits: does not require an on-premises server deployment
- Limitations: no single sign-on; no two-factor authentication options; two sets of credentials to manage; different password policies
Cloud identity + DirSync
- Scenario: medium to large organizations with Active Directory on-premises
- Benefits: "source of authority" is on-premises; enables coexistence
- Limitations: no single sign-on; no two-factor authentication options; two sets of credentials to manage; different password policies; requires an on-premises DirSync server deployment
Federated identity
- Scenario: large enterprise organizations with Active Directory on-premises
- Benefits: single sign-on experience; "source of authority" is on-premises; two-factor authentication options; enables coexistence
- Limitations: requires an on-premises DirSync server deployment; requires an on-premises AD FS deployment in a high-availability configuration
Provisioning identities
- Manually, using the control panel
- Batched via CSV file (control panel)
- Directory Synchronization (DirSync)
Directory Synchronization: what is DirSync?
- Application that synchronizes on-premises Active Directory with Office 365
- Synchronizes adds, deletes and modifications of users, groups and contacts from on-premises to Office 365
- Designed as a software-based "appliance": set it and forget it
- x64 version based on FIM 2010, bundled with SQL Server 2008 R2 Express Edition
Purpose of DirSync
- Enables "run state" administration and management of users, groups and contacts
- Synchronizes adds, deletes and modifications of users, groups and contacts from on-premises to Office 365
- Enabler for single sign-on: it supplies the source anchor that ties each cloud user to its on-premises account
- Not intended as a single-use bulk upload tool
Single Sign-on
Purpose of single sign-on
- Enables users to access both the on-premises and cloud-based organizations with a single user name and password
- Provides users with a familiar sign-on experience
- Allows administrators to control account policies for cloud-based mailboxes with the on-premises Active Directory management tools
Benefits of single sign-on
- Policy control
- Access control
- Reduced support calls
- Security: support for strong authentication
Office 365 Desktop Setup
- Installs the operating system and client software updates required for connectivity with Office 365
- Automatically configures Internet Explorer and rich clients for use with Office 365
Note: Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on.
Microsoft Online Services Sign-in Assistant
- Can be installed automatically by Office 365 Desktop Setup or manually
- Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync)
- Required on on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, AD FS, PowerShell)
Authentication flow, active profile (rich clients such as Outlook or Lync)
1. The client sends basic-auth credentials (username/password) to Microsoft Online Services.
2. Microsoft Online Services presents those credentials to the customer's AD FS (the WS-Trust active endpoint) and receives a SAML 1.1 logon token carrying the source user ID (e.g. ABC123).
3. Microsoft Online Services matches the source user ID to the synchronized account and returns an auth token with the user's unique ID to the client.
Because the user's password transits Microsoft Online Services before reaching AD FS, the AD FS endpoint used by this flow must be published over TLS and kept highly available.
Important components
- Directory synchronization
- Claims-based authentication (AD FS)
- AD FS must be redundant and highly available
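As an added check (not from the slides), the following PowerShell verifies the two things the identity slides depend on: that the federated domain's endpoints and token-signing certificate are in order, and that a synchronized user's ImmutableId really is the base64 objectGUID that DirSync wrote (the "source user ID" the SAML token carries). Domain contoso.com, user alice@contoso.com and AD account "alice" are assumed names; it requires the MSOnline and ActiveDirectory modules.

```powershell
# Added example, not from the slides. Assumed names: contoso.com, alice@contoso.com, AD user "alice".
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService   # prompts for a tenant admin credential

function Test-FederatedDomain {
    param([string]$DomainName)
    $fs = Get-MsolDomainFederationSettings -DomainName $DomainName
    # Rich clients (active profile) use ActiveLogOnUri, browsers PassiveLogOnUri.
    # Both must be HTTPS: the user's password is sent to ActiveLogOnUri by Microsoft Online.
    foreach ($uri in @($fs.ActiveLogOnUri, $fs.PassiveLogOnUri)) {
        if ("$uri" -notlike "https://*") { throw "Non-TLS federation endpoint: $uri" }
    }
    # SigningCertificate is the base64 token-signing cert Office 365 trusts. If AD FS rolls
    # it over and this copy is not updated, every SSO logon fails, so warn ahead of expiry.
    $bytes = [Convert]::FromBase64String($fs.SigningCertificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 30) { Write-Warning "Token-signing cert for $DomainName expires in $daysLeft days" }
    [pscustomobject]@{
        Domain     = $DomainName
        IssuerUri  = $fs.IssuerUri
        ActiveUri  = $fs.ActiveLogOnUri
        CertExpiry = $cert.NotAfter
    }
}

function Test-SyncedUser {
    param([string]$UserPrincipalName, [string]$SamAccountName)
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $ad    = Get-ADUser -Identity $SamAccountName
    # DirSync stores the on-premises objectGUID (base64) in ImmutableId; AD FS issues the same
    # value as the source user ID, so a mismatch means the token is rejected and SSO fails.
    $expected = [Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())
    [pscustomobject]@{
        UPN              = $UserPrincipalName
        ImmutableIdMatch = ($cloud.ImmutableId -eq $expected)
        LastDirSyncTime  = $cloud.LastDirSyncTime   # empty means DirSync has not exported this user
        IsLicensed       = $cloud.IsLicensed
    }
}

Test-FederatedDomain -DomainName "contoso.com" | Format-List
Test-SyncedUser -UserPrincipalName "alice@contoso.com" -SamAccountName "alice" | Format-List
```

Run the user check for a handful of accounts from different OUs after the first full sync; an `ImmutableIdMatch` of `False` points at a user created in the cloud before DirSync (a soft-match problem), not at AD FS.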
Coexistence and Hybrid
What is coexistence?
- Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment
- Office 365 users see the same objects in the Global Address List as the on-premises users
- Messages are routed seamlessly from Office 365 users to on-premises users, and vice versa
Simple coexistence deployment
- Uses directory synchronization for GAL synchronization
- Enables mail routing between on-premises and Office 365 using a shared DNS namespace
- Provides a unified GAL experience
- Can be used with cloud identities or federated identities
- Does not require an on-premises hybrid server
Hybrid deployment
- Uses directory synchronization for GAL synchronization
- Enables mail routing between on-premises and Office 365 using a shared DNS namespace
- Provides a unified GAL experience
- Can be used with cloud identities or federated identities
- Requires on-premises hybrid servers (Exchange 2013 CAS and MBX, as in the architecture slide) and adds the cross-premises sharing features
Hybrid coexistence feature example: cross-premises free/busy and calendar sharing
- Creates the look and feel of a single, seamless organization for meeting scheduling and calendar management
- Works with any supported Outlook client
Hybrid coexistence feature example: cross-premises MailTips
- Correct evaluation of "internal" vs. "external" organization context
- Allows awareness and correct Outlook representation of MailTips
Hybrid coexistence feature example: cross-premises mail flow
- Preserves internal organizational headers (e.g. the auth header)
- The message is considered "trusted", so the sender resolves to the rich recipient information in the GAL (not a bare SMTP address)
- Restrictions specified for that recipient are honored
Exchange 2013 hybrid deployment
1. Prepare: install the Exchange service pack and/or rollup updates across the org; prepare AD with the Exchange 2013 schema.
2. Deploy Exchange 2013 servers: install both E2013 MBX and CAS servers in the internet-facing site; install E2010 Edge servers; set an ExternalUrl for the Exchange Web Services virtual directory.
3. Obtain and deploy certificates on the E2013 MBX and CAS servers and on the E2010 Edge servers.
4. Publish protocols externally: create public DNS A records for the EWS and SMTP endpoints; validate using the Remote Connectivity Analyzer.
5. Switch the Autodiscover namespace to E2013 CAS: change the public Autodiscover DNS record to resolve to the E2013 CAS.
6. Run the Hybrid Configuration Wizard.
7. Move mailboxes.
Topology shown: clients reach autodiscover.contoso.com and mail.contoso.com at the internet-facing site (E2013 CAS/MBX, E2010 Edge for SMTP); the intranet site keeps the existing Exchange 2010 or 2007 CAS, MBX and Hub servers; Autodiscover, EWS and SMTP are the protocols exchanged with Office 365.
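The PowerShell equivalents of steps 2, 3, 4 and 7 above, as an added example that is not from the slides. Hybrid server EX13CAS01, the namespaces mail.contoso.com and autodiscover.contoso.com, the tenant routing domain contoso.mail.onmicrosoft.com, the migration account contoso\migadmin and the mailbox alice@contoso.com are assumed names. Step 6 (the Hybrid Configuration Wizard) is GUI-only and is not reproduced.

```powershell
# Added example, not from the slides. All server, domain and account names are assumptions.

# ---- Steps 2 and 3: on-premises Exchange 2013 Management Shell ----
$ewsUrl = "https://mail.contoso.com/EWS/Exchange.asmx"
Get-WebServicesVirtualDirectory -Server EX13CAS01 |
    Set-WebServicesVirtualDirectory -ExternalUrl $ewsUrl -MRSProxyEnabled $true
# MRSProxy is what Office 365 talks to for mailbox moves (step 7), so it must be enabled
# on the EWS vdir behind the public ExternalUrl.

# Pick the third-party certificate by name and validity instead of taking the first one
# returned: a self-signed or soon-to-expire cert breaks both HCW and TLS mail flow.
$cert = Get-ExchangeCertificate -Server EX13CAS01 |
    Where-Object { -not $_.IsSelfSigned -and
                   $_.NotAfter -gt (Get-Date).AddDays(30) -and
                   ($_.CertificateDomains -contains "mail.contoso.com") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable public certificate for mail.contoso.com on EX13CAS01" }
Enable-ExchangeCertificate -Server EX13CAS01 -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# ---- Step 4: confirm the public names resolve to the E2013 CAS before repointing clients ----
foreach ($name in "autodiscover.contoso.com", "mail.contoso.com") {
    $a = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq "A" }
    "{0} -> {1}" -f $name, ($a.IPAddress -join ", ")
}

# ---- Step 7: from Exchange Online remote PowerShell, pull the mailbox into Office 365 ----
$cloudCred = Get-Credential -Message "Office 365 admin"
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ `
    -Credential $cloudCred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

$onPremCred = Get-Credential -Message "On-premises migration account (contoso\migadmin)"
# Proves MRSProxy, the certificate and the credential all work before any user is touched.
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer mail.contoso.com -Credentials $onPremCred

New-MoveRequest -Identity alice@contoso.com -Remote -RemoteHostName mail.contoso.com `
    -RemoteCredential $onPremCred -TargetDeliveryDomain contoso.mail.onmicrosoft.com -BadItemLimit 10
Get-MoveRequestStatistics -Identity alice@contoso.com | Select-Object DisplayName, Status, PercentComplete
```

The move is an online move: the user keeps working in the mailbox until the final sync, and because the profile is repointed via Autodiscover the OST is not rebuilt, which is the behaviour the next slide describes.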
Hybrid: user experience
- If configured for SSO, users log in with their AD credentials; otherwise the admin needs to distribute new passwords to users
- The user's current Outlook profile is updated with the Exchange Online server name via Autodiscover
- Offline files (OST files) do not have to be recreated
Key takeaways
- Coexistence and hybrid mean Exchange on-premises and Office 365 working together
- Seamless user experience
- Think about redundancy!
Lync Hybrid
Session objectives and takeaways
Lync 2013: enabling deployment choice
- Lync Server: private cloud / dedicated; single domain and directory
- Lync Hybrid: users split between Lync Server and Lync Online
- Lync Online: hosted, multi-tenant, part of Office 365
Just so we're speaking the same language
- Lync split domain: Lync features delivered through a combination of on-premises and online deployment; a customer can deploy split domain and have a subset of users in Lync Online
- Hybrid: delivering an end-to-end user experience through a combination of on-premises and Office 365 services, e.g. Lync Server with Exchange Online
Lync Split Domain
Lync split domain: deploying Lync Server with a Lync Online tenant
Value proposition:
- Move users from Lync Server to Lync Online… and back
- Flexibility in making PBX-replacement decisions by site
- Hosted infrastructure for robust conferencing needs
Segmenting users between Lync Server and Lync Online:
- Lync Server for users/sites that need "PBX replacement" features
- Lync Online for non-PBX-replacement sites
- Saves cost and management complexity when local infrastructure is eliminated
- Allows transitioning users between environments as needs change
Enabling Lync split domain
- Federated identity (SSO): identity managed on-premises, SSO experience
- Office 365 tenant for Lync Online, with the customer domains validated
- Lync Server configuration to enable split domain
Lync split domain in a nutshell
- Optimized for interoperability across Lync communication modalities between on-premises users and online users
- All workloads for a given user are handled in one environment
- Requires the tenant to be on the latest version of Office 365
Infrastructure for Lync split domain
- Office 365 DirSync (initial provisioning, directory)
- AD FS (single sign-in with on-premises credentials)
- External access and Lync federation deployed on-premises
- Lync 2013 PowerShell on-premises for cross-premises moves
Diagram (Fabrikam, Inc.): on-premises Active Directory, Lync Server and Lync Edge Server; Lync Edge to Lync Online Edge over SIP/TLS/SRTP, then to the Lync Online Server; DirSync provisioning into MSODS; single sign-on via ADFS v2 with OrgID; Office 365 services.
Split-domain coexistence topologies (Fabrikam on-premises, each with Active Directory and an Edge Server):
- Lync Server 2010 with Lync Edge Server 2010
- Lync Server 2013 with Lync Edge Server 2013
- OCS 2007 R2 + Lync Server 2013 with Lync Edge Server 2013
Lync split domain planning checklist #1
- On-premises infrastructure: Lync Server, Active Directory forests, Lync Server version, federation
- Which features are critical for the end user; differences between Lync Server and Lync Online capabilities
- Identify the user profiles/segments for which Lync Online is appropriate, e.g. students, teachers
Lync Server vs. Lync Online: IM/presence
Features compared: rich presence; peer-to-peer audio/video calling; click-to-communicate (Office integration); mobility clients (Windows Phone, Android, iOS); Mac client; federation with Lync/Lync Online; Skype interop; XMPP gateway; Persistent Chat.
XMPP gateway and Persistent Chat are available with Lync Server only.
Lync Server vs. Lync Online: meetings
Features compared: multi-party PC audio/video; ad-hoc and scheduled meetings; desktop sharing, application sharing, PowerPoint; clients for meetings (Lync Server: rich client and mobile clients; Lync Online: rich client and the Reach client, i.e. Lync Web App); PSTN dial-in for meetings (Lync Online: with ACP partners); meeting size.
Lync split domain: what gets migrated?
Sources: OCS 2007 R2, Lync Server 2010, Lync Server 2013.
- User data (IM/P): contact list, groups and ACLs are migrated
- Meetings: not migrated; online meetings must be rescheduled (a tool helps with rescheduling); meeting content is not migrated
- Client migration: the Lync 2013 client is required for users migrated to Lync Online from Lync Server; for OCS 2007 R2 environments, move the user to a Lync 2013 pool (and Lync 2013 client) prior to migration
Client choices Lync 2013 Lync Windows Store App Lync Web App Lync Mobile Lync for Mac 2011
Lync Split Domain - Setup
Lync split domain: moving users
Prerequisites:
- Tenant in Office 365 (the move authenticates as a tenant admin)
- DirSync has completed for the user
- User is licensed for Office 365 (admin step)
Hosting provider on the on-premises Lync Server: ProxyFqdn sipfed.online.lync.com; AutodiscoverUrl webdir.online.lync.com.
Move command (on-premises Lync 2013 PowerShell): Move-CsUser -Target sipfed.online.lync.com -Credential $cred [-ProxyPool OnPremPool] -HostedMigrationOverrideUrl <url>
- If a Lync Server 2013 Director is deployed and is the next hop for the Edge Server, the -ProxyPool parameter must be used with the Move-CsUser cmdlet to move users from on-premises to Lync Online. For details, see "Move Users to Lync Online".
- -HostedMigrationOverrideUrl: the admin portal URL with /HostedMigration/hostedmigrationservice.svc appended. Example (truncated on the slide): igrationservice.svc. Note: this is case sensitive!
User attributes before and after the move (Fabrikam, Inc.):
- On-premises Active Directory view: before HomePool OnPremPool, DeploymentLocator SRV; after HomePool NULL (or the proxy pool), DeploymentLocator sipfed.online.lync.com
- Lync Online view: before HomePool NULL, DeploymentLocator SRV; after HomePool Lync Online pool, DeploymentLocator sipfed.online.lync.com
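The on-premises side of moving one user to Lync Online, with the prerequisite checks the slide lists, as an added example that is not from the slides. It runs in the Lync Server 2013 Management Shell with the MSOnline module loaded. The user alice@fabrikam.com, the hosting-provider identity "LyncOnline" and the admin portal URL passed by the caller are assumptions; the real portal URL is whatever the tenant's admin portal uses, as the slide says.

```powershell
# Added example, not from the slides. User, pool and portal names are assumptions.
Import-Module MSOnline

# The HostedMigrationOverrideUrl is the admin portal's scheme and host plus this exact path.
# The path is case sensitive, so build it rather than retyping it.
function Get-HostedMigrationUrl {
    param([Uri]$AdminPortalUrl)
    "{0}://{1}/HostedMigration/hostedmigrationservice.svc" -f $AdminPortalUrl.Scheme, $AdminPortalUrl.Host
}

# Hosting provider for Lync Online; ProxyFqdn and AutodiscoverUrl are the values on the slide.
function Set-LyncOnlineHostingProvider {
    if (-not (Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq "sipfed.online.lync.com" })) {
        New-CsHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true `
            -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification `
            -IsLocal $false -AutodiscoverUrl "https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root"
    }
}

# The two prerequisites that are silently fatal when missing: no DirSync export yet, or no license.
function Test-MoveReady {
    param([string]$Upn)
    $u = Get-MsolUser -UserPrincipalName $Upn
    if (-not $u.LastDirSyncTime) { throw "$Upn has not been synchronized by DirSync yet" }
    if (-not $u.IsLicensed)      { throw "$Upn has no Office 365 license (admin step)" }
    $u
}

function Move-UserToLyncOnline {
    param([string]$Upn, [Uri]$AdminPortalUrl, [pscredential]$TenantAdmin, [string]$ProxyPool)
    Test-MoveReady -Upn $Upn | Out-Null
    $params = @{
        Identity                   = $Upn
        Target                     = "sipfed.online.lync.com"
        Credential                 = $TenantAdmin
        HostedMigrationOverrideUrl = Get-HostedMigrationUrl $AdminPortalUrl
        Confirm                    = $false
    }
    # Only needed when a Director is the Edge Server's next hop (see the note on the slide).
    if ($ProxyPool) { $params.ProxyPool = $ProxyPool }
    Move-CsUser @params
    # After the move the user should show no on-premises pool and HostingProvider sipfed.online.lync.com.
    Get-CsUser -Identity $Upn | Select-Object SipAddress, RegistrarPool, HostingProvider
}

Set-LyncOnlineHostingProvider
$tenantAdmin = Get-Credential -Message "Office 365 tenant admin"
Move-UserToLyncOnline -Upn "alice@fabrikam.com" -AdminPortalUrl "https://admin.example/" -TenantAdmin $tenantAdmin
```

Moving back is the same cmdlet with `-Target` set to the on-premises pool FQDN, which is the "…and back" the value-proposition slide promises.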
Behind the scenes
Sign-in experience (diagram, Fabrikam, Inc.)
- User homed online: HomePool NULL, DeploymentLocator sipfed.online.lync.com
- The client first reaches Fabrikam's on-premises Lync Edge Server / Lync Server, which hands the online-homed user off to Lync Online (sipfed.online.lync.com) via the Lync Online Edge and Lync Online Server
- Authentication: Office 365 identity, single sign-on through ADFS 2.0 against the on-premises Active Directory
IM/presence (diagram): signaling between the two users in the example (Roy and Alice, one homed on-premises and one online) flows Lync Server, Fabrikam Lync Edge Server, Lync Online Edge, Lync Online Server; the online user carries DeploymentLocator sipfed.online.lync.com.
Meetings (diagram): signaling takes the same Edge-to-Edge path; media goes to wherever the meeting is hosted (a Lync Online meeting or a Lync on-premises meeting), and Lync Online consults the online directory.
Lync Hybrid
Lync Hybrid: deploying cloud and on-premises products together
Value proposition:
- Ability to shift and scale different workloads
- Grow into the cloud at your own pace
Segmenting products between the cloud and on-premises:
- Exchange, Lync and/or SharePoint deployed in Office 365
- Move products that need high uptime to the cloud easily
- Saves cost and management complexity when local infrastructure is eliminated
- Allows transitioning users between environments as needs change
Lync supports mixed Exchange scenarios
- Lync Server + Exchange Online: user mailbox and calendar online; instant messaging, presence, meetings and Enterprise Voice on-premises
- Lync Online + Exchange Server: user mailbox and calendar on-premises; instant messaging, presence and meetings online; an option for cloud enablement of customers not yet ready to move Exchange. Some scenarios are not supported: voice/UM, OWA, Unified Contact Store, archiving to Exchange
Lync on-premises and Exchange interop (Exchange Server / Exchange Online)
Features: schedule and join meetings via Outlook; IM/presence in Outlook Web App; join online meetings from mobile clients; publish status based on the Outlook calendar; missed-conversation history and call logs in the mailbox; high-resolution contact photo in the client and Lync Web App; meeting delegation (users hosted together**); archiving content in Exchange; search archived content; voicemail; Unified Contact Store (requires the 2013 client**).
Lync Online and Exchange interop (Exchange Server / Exchange Online)
Features: schedule and join meetings via Outlook; IM/presence in Outlook Web App; join online meetings from mobile clients; publish status based on the Outlook calendar; missed-conversation history and call logs in the mailbox; high-resolution contact photo (client only); meeting delegation (users hosted together**); archiving content in Exchange; search archived content; voicemail; Unified Contact Store (requires the 2013 client**).
With Exchange Server on-premises, voicemail (UM), IM/presence in OWA, archiving to Exchange and Unified Contact Store are not supported, as the previous slide states.
Lync and SharePoint scenarios (SharePoint Server / SharePoint Online): skills search; presence in SharePoint.
Session objectives and takeaways
Voice Connectivity over SIP Trunk
SIP trunking illustrated: a step further in IP-based communication
- Before: a TDM PBX per site, each with ISDN PRI access to the Public Switched Telephone Network (PSTN)
- IP PBX with PSTN gateways, sites connected over a private IP network (MPLS)
- SIP trunk: an SBC in the data center terminates the SIP trunk to the provider over the private IP network; centralized SIP trunking (one trunk serving all sites) or distributed SIP trunking (a trunk per site)
SBC: a multifunction, multipurpose device (Swiss army knife)
SBCs perform several functions. Key functions are:
- Security: topology hiding; access control; NAT traversal; DoS and fraud protection
- Technical: protocol interworking and normalization
- Business: SLA assurance; regulatory and legal enforcement
SIP trunking services qualified for Microsoft Lync Server 2010 and Lync Server 2013
Session Border Controllers qualified for Lync Server: Oracle/Acme Packet, which are part of Swisscom's Managed SBC offering (certified resellers)
IP redundancy (data connectivity networks): from basic up to increased geographical redundancy
- Without redundancy (Customer A): one LAN router, one access line from the provider to the WAN/MPLS
- Basic redundancy (Customer B): two LAN routers, two access lines from the provider
- Geographical redundancy (Customer C): two LAN routers, two access lines from the provider terminating at different provider locations
Call redundancy
This variant presumes one SIP trunk but two SIP nodes (two IP addresses) on the customer side. All communication systems (IP addresses) are monitored; if the primary node fails, traffic is routed to the secondary (standby) node.
Routing possibilities:
- Hunt (default): calls are sent to the 1st system; if the 1st system is not available, calls are sent to the 2nd system. Calls go back to the 1st system once it is available again.
- Round robin: calls are sent in rotating order to the 1st, 2nd, … system. If one of them is not available, calls are sent to the available system.
Microsoft Lync uses a different topology for redundancy and load sharing compared with other PBXs; proportional distribution of incoming calls is nevertheless possible.
Diagram: PBX 1 and PBX 2 behind LAN-I with SDT-1 (2 routers, 2 physical accesses, 2 different entry points, 2 different POPs); Swisscom VoIP platform (geo-redundant and highly available) with 1 SIP trunk that is aware of several IP destinations, 1 active at a time.
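A small model of the two routing policies, as an added example that is not from the slides, so that failover and fail-back can be seen on a constructed call sequence. The node names pbx1/pbx2, the health states and the call sequence are made up for the illustration; a real platform would drive the health table from its monitoring.

```powershell
# Added example, not from the slides. Nodes, health states and call sequence are constructed.

function New-SipTrunkRouter {
    param([string[]]$Nodes, [ValidateSet("Hunt","RoundRobin")][string]$Policy = "Hunt")
    $health = @{}
    foreach ($n in $Nodes) { $health[$n] = $true }   # monitoring would update these
    @{ Nodes = $Nodes; Healthy = $health; Policy = $Policy; Next = 0 }
}

# Returns the node that receives the next call, or $null when no node is available.
function Select-SipTarget {
    param([hashtable]$Router)
    $up = @($Router.Nodes | Where-Object { $Router.Healthy[$_] })
    if ($up.Count -eq 0) { return $null }
    if ($Router.Policy -eq "Hunt") {
        # First available node in configured order: traffic returns to the primary
        # as soon as it is marked healthy again.
        return $up[0]
    }
    # Round robin: rotate over the currently available nodes only.
    $node = $up[$Router.Next % $up.Count]
    $Router.Next++
    return $node
}

# Sends $Calls calls, taking pbx1 down before call $FailAt and bringing it back before call $RecoverAt.
function Invoke-CallSequence {
    param([string]$Policy, [int]$Calls = 6, [int]$FailAt = 2, [int]$RecoverAt = 4)
    $r = New-SipTrunkRouter -Nodes @("pbx1", "pbx2") -Policy $Policy
    $log = @()
    for ($i = 1; $i -le $Calls; $i++) {
        if ($i -eq $FailAt)    { $r.Healthy["pbx1"] = $false }
        if ($i -eq $RecoverAt) { $r.Healthy["pbx1"] = $true }
        $target = Select-SipTarget -Router $r
        if (-not $target) { $target = "none" }
        $log += "{0}:{1}" -f $i, $target
    }
    $log -join " "
}

"Hunt:       " + (Invoke-CallSequence -Policy Hunt)
"RoundRobin: " + (Invoke-CallSequence -Policy RoundRobin)
```

With hunt, every call after the recovery lands on pbx1 again; with round robin the calls keep alternating between the two nodes once both are up, which is the proportional distribution the slide mentions.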
PBX without integrated fax
- The customer keeps fax machines but not the analog access
- Deploy a media gateway box from VoIP Phone: order the Media Gateway analog 2/8/16 from VoIP Phone
- Single numbers from the customer's DDI, or a range, are assigned to fax
- On the bill, the customer sees VoIP Gate and media gateways
- Other possibilities for connectivity and machines (physical or server) are available
Diagram: VoIP Gate (SIP trunk), Mediatrix box, VoIP Phone (MGCP); DDI E.164 numbers
Difference between transparent and T.38
Standard emergency number routing
- Individual emergency number routing is part of the SIP trunking optional services
- The company defines which numbers (individual or ranges) belong to which building
- VoIP nomadic usage is not supported (not regulated)
- The emergency call centre is instructed to ask the caller for location identification
- Simple and current way of emergency number routing
Diagram: DDI 1, DDI 2 and a single number mapped to the Lausanne and Geneva buildings; 112 calls reach the emergency center in Lausanne