Monday, February 22, 2016

Configure Exchange 2010 SP3 Federation to Office 365

Federation is accomplished using the Microsoft Federated Gateway server, a free cloud-based service offered by Microsoft. The Microsoft Federated Gateway (MFG) server acts as a trust broker between federated organizations, similar to the way a trusted root CA works for certificates. All organizations that use federation must configure a one-time federation trust with the MFG, and organizations that share free/busy information must also have an Organization Relationship with each organization they want to share with.

First of all we have to create an “A” record for autodiscover in external DNS. Federation uses autodiscover to automatically configure the Organization Relationship for the remote organization.

Make sure autodiscover works properly; otherwise you will need to enter all of the organization relationship information manually.

Create a new Federation Trust
  • Open the EMC and select the Organization Configuration.
  • In the Actions pane, select New Federation Trust.  The New Federation Trust wizard will run.
  • Click New to form the new trust with the Microsoft Federation Gateway.  The wizard will create a new self-signed certificate called Exchange Delegation Federation with the subject name of Federation. 
  • Click Finish to close the wizard.


Create Domain Proof Records
Domain Proof records are TXT records created in your domain's external DNS zone.  The purpose of these TXT records is to prove the identity of your domain for the trust with the MFG server. 
Run the following cmdlets from the Exchange Management Shell (EMS) to generate the domain proof values:

Get-FederatedDomainProof -DomainName tech.com


This cmdlet generates a unique Proof value, a hash based on the Exchange Delegation Federation self-signed certificate. If the MFG can read the domain proof value in an external DNS TXT record and it matches the calculated value, domain ownership is proved and the trust is validated.

You must create one TXT record in external DNS for each of the Proof values. 
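The check below is an added example, not part of the original post: it generates the proof values for tech.com and confirms that each one is already visible as a TXT record in public DNS before you move on to Manage Federation. It assumes the Exchange Management Shell is loaded and that Resolve-DnsName (DnsClient module, Windows Server 2012 or later) is available on the machine running it; the Thumbprint and Proof property names follow the cmdlet's own output.

```powershell
# Added example (not from the original post). Assumes the Exchange Management
# Shell plus Resolve-DnsName from the DnsClient module.
function Test-FederatedDomainProofRecord {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Optional resolver to query, so an internal cached answer is not
        # mistaken for public propagation (the MFG reads public DNS)
        [string]$DnsServer
    )
    # One proof per federation certificate (current and, if present, next);
    # each value needs its own TXT record at the zone apex
    $proofs = Get-FederatedDomainProof -DomainName $DomainName

    $dnsArgs = @{ Name = $DomainName; Type = 'TXT'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dnsArgs.Server = $DnsServer }

    # Flatten every TXT string published for the domain into one list
    $published = Resolve-DnsName @dnsArgs |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings }

    foreach ($p in $proofs) {
        [pscustomobject]@{
            DomainName = $DomainName
            Thumbprint = $p.Thumbprint
            Proof      = $p.Proof
            Published  = ($published -contains $p.Proof)   # exact string match, as the MFG requires
        }
    }
}

# Usage: run from the EMS; fix DNS and wait for propagation if any row shows False
$result = Test-FederatedDomainProofRecord -DomainName 'tech.com'
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Published }) {
    Write-Warning 'A domain proof TXT record is not visible yet; do not run Manage Federation until it is.'
}
```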



Manage the Federated Domains

Once the domain proof TXT records have propagated you can add the federated domains to the Federation Trust.  But before you can add the federated domains, you must first add the new tech.com namespace to the Accepted Domains on the hub transport configuration.
  • Click the Organization Configuration and select the Microsoft Federation Gateway trust under the Federation Trust tab.
  • Click Manage Federation in the Actions pane.  You will see the current federation certificate status. 
  • Click Next to bring up the Manage Federated Domains window.
  • Click Add and select the Microsoft Federated Trust accepted domain you created earlier.
  • Click Next and Manage to configure Microsoft Federated Trust.  When the configuration is successful you will see the federation trust has an Application Identifier and Application URI.


Create Organization Relationships from On-Premises 
Now that the federated trust has been created and then validated by the MFG, you can create organization relationships.  These are the federation sharing policies that determine what is shared with whom.
  • Click the Organization Relationships tab on the Organization Configuration node in the EMC.
  • Click New Organization Relationship in the Actions pane.  The New Organization Relationship wizard will start.
  • Enter a name.
  • Select the Enable free/busy information access checkbox and specify the free busy data access level you wish to share using the dropdown box.
  • Click Next and enter the External Organization details; in my case it is Office 365, so the domain is corp.mail.onmicrosoft.com.


When the organization relationship has been successfully configured you will see it listed under the Organization Relationships tab.  Sharing Enabled and Calendar enabled will show as True.

Create Organization Relationships from Exchange Online

Perform the following steps to create the Organization Relationship with your on-premises Exchange servers:
  • Open the Exchange Online portal.
  • Select Organization.
  • Click the plus sign on the right side.
  • Enter the name of the relationship.
  • Enter the on-premises domain name you want to share free/busy information with.
  • Check “enable calendar free/busy information sharing”.
  • Click Save.

Once you save, you will see the details of your newly created organization relationship.

Testing and Troubleshooting

Use the following cmdlets to get or test Exchange federation configuration information:

Get-FederatedOrganizationIdentifier - Gets the Microsoft Exchange Server 2010 organization's federated organization identifier and related details, such as federated domains, organization contact, and status.  The Enabled attribute will show as False until the MFG has validated the trust using the domain proof TXT records in external DNS.

Get-FederationInformation - Gets federation information, including federated domain names and target URLs, from an external Exchange organization.  It does this using the autodiscover record of the external domain.  

Get-FederationTrust - Displays the federation trusts configured for the organization. 

Get-OrganizationRelationship - Gets settings for a relationship that has been created for free/busy information access or secure e-mail delivery using federated delivery.

Test-OrganizationRelationship - Verifies that the organization relationship is properly configured and functioning as expected for a given user.

Test-FederationTrust - Runs a series of tests to ensure that federation is working as expected.
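As an added example (not from the original post), this is the EMS equivalent of the on-premises Organization Relationship wizard above, followed by the checks from the list just given. It assumes the Exchange Management Shell on the Exchange 2010 SP3 server; corp.mail.onmicrosoft.com is the tenant domain from the post, while the relationship name and $testUser mailbox are placeholders.

```powershell
# Added example, not the post's own steps. Assumes the Exchange Management
# Shell on an Exchange 2010 SP3 server.
$remoteDomain = 'corp.mail.onmicrosoft.com'   # Office 365 tenant domain from the post
$relationship = 'Office 365'                  # placeholder relationship name
$testUser     = 'someone@tech.com'            # placeholder on-premises mailbox

# 1. Discover the remote organization's federated domains and target URLs
#    through its autodiscover record; if this fails, fix autodiscover first,
#    otherwise the relationship has to be entered by hand.
$remoteInfo = Get-FederationInformation -DomainName $remoteDomain -ErrorAction Stop

# 2. Create the relationship, sharing the least free/busy detail that meets
#    the need: AvailabilityOnly exposes only busy/free, LimitedDetails adds
#    subject and location. Raise the level only if the business case needs it.
$remoteInfo | New-OrganizationRelationship -Name $relationship `
    -FreeBusyAccessEnabled $true -FreeBusyAccessLevel AvailabilityOnly

# 3. Confirm the MFG has validated the trust: Enabled must be True, and it
#    stays False until the domain proof TXT records have been read.
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled

# 4. Confirm exactly what the new relationship shares; these are the values
#    the EMC shows as Sharing Enabled / Calendar enabled.
Get-OrganizationRelationship -Identity $relationship |
    Format-List Name, DomainNames, FreeBusyAccessEnabled, FreeBusyAccessLevel, TargetApplicationUri, Enabled

# 5. Exercise the trust and the relationship end to end for one real mailbox
Test-FederationTrust -UserIdentity $testUser
Test-OrganizationRelationship -Identity $relationship -UserIdentity $testUser
```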

Hope it will help you.

Cheers!
