An overview of OWAS from Microsoft explains how it works and how it integrates with Lync 2013, SharePoint 2013 and Exchange 2013 http://technet.microsoft.com/en-us/library/jj219437(v=office.15)

For Lync 2013 OWAS is an optional component, but it is required if you want to use the PowerPoint sharing feature of Lync. If OWAS is not deployed you can still share the desktop or share PowerPoint as a program and meeting participants see what the presenter is showing them. However you cannot choose the ‘PowerPoint’ option seen below which uploads a presentation and lets participants experience the full PowerPoint features such as embedded video, transitions, animations and skipping back or forward on the slide deck out of sync with the presenter.

Windows Update Automatic Updates is Not Supported

The point of this post is to call out something that we have seen at two Lync 2013 clients so far who deployed OWAS. The documentation Plan Office Web Apps Server states:

“Applying Office Web Apps Server updates by using the Microsoft automatic updates process isn’t supported with Office Web Apps Server”

Apply software updates to Office Web Apps Server explains the correct process of how to deploy updates for Office Web Apps Server, including server farms, and cautions:

“Applying Office Web Apps Server updates by using the automatic updates process isn’t supported with Office Web Apps Server. This is because updates to an Office Web Apps Server must be applied in a specific way, as described in this article. If Office Web Apps Server updates are applied automatically, users may be unable to view or edit documents in Office Web Apps. If this happens, you have to rebuild your Office Web Apps Server farm”

What Goes Wrong

If the advice above is not followed and automatic installation of Windows Updates is enabled, when an update for OWAS like the March 2013 KB2760445 or April 2013 KB2810007 updates (at +- 585 MB each) are added to Windows Update, the server will install the update and OWAS functionality will break. Lync users will not be able to use PowerPoint sharing in meetings.  The server CPU will spike to 100% (thanks to the many OWAS applications) and sit there indefinitely. Additionally, the Office Web Apps Server Farm will be in a broken state. You will get some Application Event Log errors logged for:

• ‘.NET Runtime’ Event ID 1026 and
• ‘Application Error’ Event ID 1000 about some of the viewers such as ‘Faulting application name: pptviewerfrontendwatchdog.exe, version: 15.0.4481.1000′

The following commands will state that ‘It does not appear that this machine is part of an Office Web Apps Server farm’:

Import-Module OfficeWebApps
Get-OfficeWebAppsFarm
Get-OfficeWebAppsMachine

In order to get these commands to even respond, you may have to stop the ‘Office Web Apps’ WACSM service.

You may be thinking to yourself that if Office Web Apps Server updates should not be automatically installed – then the updates should not be published on Windows Update at all. Makes sense to me!

Recreate The Farm

The way to fix the broken OWAS farm is to recreate it using the same commands used when the server was installed to create the Office Web Apps Farm. The article mentioned above about applying updates says you should run:

Remove-OfficeWebAppsMachine

However this can be bypassed by running the original commands and confirming at the editing and overwrite prompts, or adding ‘-force’ to the command. Recreating the farm would be similar to the following:

Import-module OfficeWebApps
New-OfficeWebAppsFarm -InternalUrl "https://owas01.domain.local" -ExternalUrl "https://owas.domain.com.au" –CertificateName "OWAS_Internal" –EditingEnabled

The output of this is a successfully created farm and the server should return to normal CPU levels. If the CPU is still 100%, restart the server.

More information on the New-OfficeWebAppsFarm syntax is available http://technet.microsoft.com/en-us/library/jj219436.aspx

Note that the command above can take about 10 minutes to complete as it starts the WACSM service if it is stopped. After that, make sure you disable automatic Windows Update installation or you will have to go through the process again in the future.

Beware, this is a ‘BHOLD for Dummies’ scenario where all you might like to do is develop a quick scenario to show off BHOLD’s capabilities in role management. This blog incorporates the following key technologies:

1. BHOLD Core Portal
2. FIM Metaverse with 4 Management Agents (1 x AD DS, 2 x BHOLD, 1 x FIM Portal)
3. Active Directory (AD DS)

Essentially, what I’m attempting to demo to a customer is the ability to quickly provide users access to applications using the BHOLD Core Portal without performing any permissions, group or OU membership changes in AD DS. The key scenario is being able to show how the BHOLD Core Portal can use its powerful role management capability to affect change into a group in the FIM Metaverse. After a group is updated and available with membership in the FIM Metaverse, it can then be turned into whatever a customer wants using code. BHOLD is essentially performing a task whereby it imports Active Directory Users, and an Organisational Structure (SQL, AD DS or 3^rd party connector) to generate ‘role based access’ to applications and permissions in the form of a FIM Metaverse group membership. That’s all it does essentially, it’s very powerful but at the same time very simple.

I’ve setup my demo to achieve the basic scenario:

The above represents a scenario whereby I import both Users and a basic AD DS OU (flat) structure into the BHOLD database so I can quickly get started in demonstrating working with BHOLD OUs. I’ve seen other scenarios whereby others have used a SQL database to generate either a user and/or a sample BHOLD OU structure. For the purposes of simplicity (this is for dummies right!), I’ve kept it to only FIM, AD DS and BHOLD.

So boiling it down: Users and OUs go in, group membership comes out!

Part 1: Bring your Users and OUs from AD DS into the FIM Metaverse.

If you’d really like to cheat, get a FIM R2 SP1 platform installed and then run the ‘Quickstart’ PowerShell command which will essentially install an AD and FIM Management Agent and configure it for a Self Service Password Reset (SSPR) scenario. It’s very easy and the QuickStart source code comes with the FIM R2 SP1 media – you can find how to get this scenario working by following this link: http://technet.microsoft.com/en-us/library/jj134276(v=ws.10).aspx

For reference, my AD DS and FIM Management Agents are configured very simply like the following:

I’m cheating a bit here, because BHOLD actually needs a minimum of two attributes to get a working BHOLD OU working in the BHOLD database ‘B1′:

1. Display Name (I’m sourcing from an OU’s name attribute)
2. Company (I hard-code this with a string ‘value’ of simply ‘Kloud’). I’m using a FIM Portal Sync Rule to get the flat string value ‘Kloud’ into the Organization Metaverse object (not in the screenshot).

After this is setup, there should be a populated ‘Person’ and ‘Organization’ Metaverse entry similar to the following:

Person:

Organization:

Eagle eye observers will note I’m actually not bringing across any correlation between the ‘Person’ and the ‘Organization’ ie. that ‘Michael Pearn’ belongs to ‘Identity Management’ at all because essentially it doesn’t really matter for our demo.

It just means it will add one more step whereby I have to add person: ‘Brendan Carius’ to a BHOLD OU called ‘Management’. We’re just sourcing BHOLD OUs from somewhere that’s not SQL. Keeping it really, really simple. Also, AD DS OUs are limited in that a user is generally only a member of one AD DS OU at a time (not including the parent hierarchy). A user however can be made a member of multiple BHOLD OUs so this is why I’ve purposefully kept AD DS OU import ‘flat’ and not bring across user membership.

So run an AD DS Management Agent import, confirm that both a basic Person and Organizational objects exist in the Metaverse and have attributes similar to the above.

Step 2: Create BHOLD Management Agents and Provisioning Code

This step will consist of two major tasks:

1. Create a Metaverse Project Extension to provision ‘Persons’ and ‘Organizations’ to the BHOLD connector space ready for export to the BHOLD database
2. Create the BHOLD Management Agents (using the BHOLD Access Connector MA template, installed by the BHOLD SP1 Access Connector MSI installation)

Substep A:

Create a basic Metaverse extension with the Microsoft LAB provided code and compile it in Visual Studio 2012 (http://technet.microsoft.com/en-us/library/jj853089(v=ws.10).aspx). Update the code to reflect your Management Agent names in your FIM Sync engine.

Substep B:

1. Create the two BHOLD Management Agents (1 for OUs, 1 for Users and Groups) and configure them with the following attribute mappings:

BHOLD Org Unit Management Agent

• Select only the ‘OrganizationalUnit’ part of the BHOLD MA:
  

• OUs ‘go in’ to the BHOLD database:
  

BHOLD User Management Agent:

• Select both the ‘Group’ and ‘User’ Object Types
  

• Users go in, Group memberships come out!
  

2. At the end of this step, you should have 4 Management Agents configured like this:

The last part will be to create some ‘Export’ run profiles for each of the Management Agents. Then run an AD DS MA ‘Full Import’ and ‘Full Sync’ cycle and you should have some pending exports in both of your BHOLD MAs. Run an export of these MAs and you should now have some users and BHOLD OUs created in the BHOLD Core portal.

Step 3: Confirm Users and BHOLD OUs are created in the BHOLD Core Portal

Time now for a basic sanity check to ensure that you have BHOLD Users and OUs to play with. Open up the BHOLD Core Portal on your BHOLD server.

1. Login to BHOLD core website –> click ‘Model’ –> Click ‘Users’. Click the magnifying glass search button:

2. Login to BHOLD core website, click ‘Model’ –> Click ‘Organizational Units’. Click the magnifying glass search button:

OK, it’s looking good. The BHOLD OUs have a very flat hierarchy (ie. all OUs have a parent BHOLD ’root’ OU which is the very ‘top of the tree’). This could be solved easily into a more complex hierarchy of multiple levels but for this demo not necessary (plus others have documented how this can be achieved). The next part will be to create a basic ‘BHOLD application’ with some permission ‘groups’ which we’ll export back to our FIM Metaverse as group memberships.

For reference, each time a new BHOLD OU is created, an ‘MR Role’ is automatically created with the OU. Also, each time a ‘BHOLD user’ is created, a ‘PR Role’ is automatically created with that user. Both ‘MR Roles’ and ‘PR Roles’ can be found under: Model à Roles:

Step 4: Create BHOLD Applications & Permissions

For this scenario, every time a new BHOLD OU is created (either manually or from an import from the FIM Metaverse) it will automatically create an ‘MR Role’ for that OU. This is the key bit for our demo – we’re going to make life simple and use this automatically created role to assign a ‘BHOLD application’ and a ‘BHOLD permission’ to that role and therefore assigns users to that application permission.

Substep A: Create your BHOLD application:

1. Create a new application by clicking ‘Model’ à ‘Applications’:
   

I used data values of Protocol = SOAP and Object type = User.bholdDefAlias, as I found that would create me a BHOLD account with the correct ‘Alias’ type (more on this later).

2. Click ‘OK’ when complete.

Substep B: Create a BHOLD Permission:

This essentially represents a FIM Metaverse Group as you assign users (via BHOLD OUs and Roles) to Applications via a BHOLD Permission object.

1. Click ‘Modify’ next to the ‘Permissions’ entry when you’re in the ‘Application’ settings (in my case my ‘O365 Production’ Application):

2.  Create a basic label for the Permission (this essentially becomes your FIM Metaverse Group Name). My Permission name in this example is ‘B2 License’:

3. Click ‘Add’ when the Permission object is completed. The default values for Maximum number of roles = 0 and Maximum Number of users = 0 represents an unlimited value.

4.  You can confirm that there are now Permission objects assigned to that Application by checking: ‘Model’ –> ’Permissions’ then filtering on that Application using the drop down box and ‘magnifying glass’ icon (in my case ‘O365 Production’):

Substep C: Assigning the Permission to the MR Role

I’m going to now link the Application, Permission and MR Role Objects to tie my user ‘Brendan Carius’ (who is a member of the ‘Management MR Role’).

1. Confirm the user ‘Brendan Carius’ is a member of the MR Role object. Click ‘Model’ –> ‘Roles’ –> MR-<name>
2. Click ‘Modify’ then add in a user (or a dozen!) to that MR Role object.
3. Confirm a user appears in the list for the MR object:

   

4. Now we will assign that MR Role object to the Permission ‘B2 License’. Open up the ‘Model’ –> ‘Permission’ –> e.g. B2 License:

5. Under Roles click ‘Modify’, then add in the MR role from Step 3. I’m adding in the ‘MR Management’ role to this Permission object:

6. Confirm the value has been added successfully at the top of the screen:

7.  You can now confirm that due to the test user (my user ‘brendan.carius’) being a member of the MR Role ‘Management’ object now has the ‘Permission’ object to that application in his profile. Confirm by browsing ‘Model’ –> ‘Users’ –> < Test User> then under the ‘Permission’ there should be the example added in:

8.  Confirm that user now has been automatically created into an Account in the BHOLD section. Browse ‘Model’ –> ‘Accounts’ and the alias for the user should match their ‘sAMAccountName’ from Active Directory.

This seemed to be the key essential element missing from my previous failings with BHOLD SP1, if the account does not appear in the ‘Accounts’ section, then the ‘Permissions Object’ will not flow membership to the ‘FIM Group Metaverse object’:

9.  Now run an Import Run profile on the BHOLD Users Management Agent and then a Full Sync, and in the FIM Metaverse Search, that user should now be represented in both the FIM Groups called ‘B1 License’ and ‘B2 License’:

10.  Checking the membership of both the ‘B1 License’ and ‘B2 License’ groups in the Metaverse should now reveal Brendan Carius to be a member:

11.  Well, step 11 is up to you! Write code to then use that membership to create either groups in AD DS directly or straight to a third party application over an extensible Management Agent (ECMA 2.0, 2.2 or Powershell).

This is just a ‘quick and dirty’ intro to BHOLD to help demystify some of the terminology and use of the BHOLD Core Portal.  I’ll be blogging about more advanced scenarios and techniques in weeks and months to come.  Good luck!

Looking Back

I and many others at PDC 2008 listened to the announcement of Azure and the follow up communications as Microsoft went “all in” on the cloud. I particularly remember a set of slides from this presentation that found its way into thousands of other Microsoft sponsored presentations (including mine) around the planet.

The abridged message of this early marketing was based on the theory that the elastic nature of cloud should lend itself to a certain set of workloads that are uneconomic to serve on fixed infrastructure. Acronym heavy concepts like TCO, ROI and SLM are used to identify those workloads in your organisation and help build a business case to move them to the cloud.

Reality

So 5 years on where are we? Working on the frontline of cloud computing the reality is somewhat different and surprising. While the optimal workloads are certainly still the most economical to move off your on-premise infrastructure, cloud economics isn’t the most important factor, not yet anyway. Here’s my new 20-20 hindsight on that same slide, “Workload Patterns Practical for Cloud”.

Turns out the ideal workloads for Cloud are somewhat less ambitious and fall into one of the following categories:

IT Avoidance

Avoiding the internal IT department. We see a lot of this and it’s a conversation started by the business who just need to get stuff done but have been at the mercy of IT departments, project management prioritisation queues and bloated risk averse estimation processes. While all good IT departments should have systems in place to ensure they are serving the business (the money makers) in reality we are seeing a failing of that process and the resulting spill over of IT execution is being picked up by cloud based services outside of the control of IT departments. For example:

• Business departments directly engaging services from SAAS providers
  (Social, Collaboration, Accounting, Blogs, Video hosting etc)
• Reaching a dispersed and mobile workforce who haven’t been well served by traditional internal, IT departments with their firewalls and standard operating environments.

Predictable and Boring

While the original cloud sales pitch was all about quickly auto scaling your computations and web sites to solve new problems and serve huge numbers of customers, the reality is quite different. It is the plain vanilla workloads of Email , Intranet, Timesheets and Accounting with its fixed number of users and steady state traffic that is moving to cloud.

Why? It’s easy, the migration path is well trodden and quantifiable. The CIO who needs to reduce CapEx on the balance sheet can fund a large and risky migration of a core line of business system or alternatively take a fixed price migration, remove a rack of servers and a couple of IT head count in the deal. This really makes sense when you think about cloud computing as a utility like electricity. Organisations should be migrating out to cloud services those workloads that are not core business. This is just the beginning of an IT commoditisation process, the end result of which is organisations not in the business of making money from IT shouldn’t have an IT department nor a server room just as they don’t generate their own electricity.

That will take time, but evidentally it will start with the boring workloads first.

Dev & Test

At Kloud we moved to a new office space with a dedicated air conditioned server room which now looks like this. The only cold server containment is the beer fridge and the only server is the xBox (actually there is one server left but its life is likely to be short lived).

We arguably are a company that makes money from IT and we do indeed have lots of development, test and build servers but they all run elsewhere and only when needed for an individual client or project. The short lived environments are used to replicate or fake everything needed to build a client solution and just as quickly removed.

It has become the norm for organisations to deploy much larger server footprint to support multiple independent development and test streams than that deployed to run production environments. These server farms are typically underutilised and run much longer than they need to.

While not glamorous nor business critical, these environments represent a large proportion of the corporate data centre and are an obvious starting point for moving workloads to the cloud. And since by definition these environments are meant to be isolated, there is no better isolation than the other side of the world in someone elses data centre.

Disaster and Backup

The final workload pattern that is blazing the cloud trail is disaster and backup. Hosting a replica of the corporate production environment and backing up the data to a remote data centre capable of being switched to in the event of disaster. This is a great strategy for that CIO who has until now had to support 2 data centres >50 kms apart for the 1 day in 4 years when a backhoe cuts the Internet link.

This is potentially the most interesting of all the cloud adoption strategies since the disciplines, processes and deployment challenges of running a DR site in the cloud requires the same disciplines as those to run production. Cloud vendors know this and are encouraging the use of cloud platforms for DR and backup strategies and cloud backed storage solutions.

Looking Forward

So what now moving forward? Arguably we are at a tipping point for cloud I think for the following reasons:

• Hardware refresh cycle: Most hardware accounting factors in a 3-4 year hardware refresh cycle. Hardware that was purchased before cloud was a viable option are now up for renewal. We are now realistically at a point where a CIO with vision could quite justifyably say “we are buying no more hardware” (which is what startups have been doing for years)
• Money wins most arguments: The formative years of cloud have been dominated by one persistent question; Security! But the rate of uptake of corporate Email and Intranet compared to other workloads suggests that in the mind of the CIO the prospect of fixed cost and low risk migration trumps the risk of hosting your sensitive internal data in the public cloud.
• Moats are not a great defence: Traditional IT Security principles have followed the Middle Ages mindset of putting a ring of confidence around the castle where all the good people are on the inside and all the bad people safely on the outside. The adoption of SaaS as a service provider outside and BYOD mobility as a consumer have forced a challenge to that mindset and an acknowledgement by many IT professionals that the security provided by a top tier cloud provider is most likely better than something you can knock together under the stairs at work.
• Identity first: One of the great side effects of the adoption of “boring” workloads is that even boring applications need logins and ideally you want those logins to be the same regardless of where the application runs. While the ultimate solution “Federation” appears to still be an afterthought for most SaaS provders the next best thing is identity management and provisioning to manage the potential explosion of identities. This valuable initiative being undertaken by organisations today is paving the way for much more flexible “apps without borders” model tomorrow.

So Cloud adoption happened but in a different way than would be predicted purely on economics. But it happened. And the formative work is paving the way for a new generation of agile, competitive organisations relieved of the burden of IT.

This blog should be read in conjunction with getting an infrastructure or demo scenarios working from this link:  http://technet.microsoft.com/en-us/library/jj134107(v=ws.10).aspx.  Also, you have to be meticulous and methodical in following the installation guidance from Microsoft as there is quite a lot of pre-requisite software that has to be installed onto all of the FIM R2 Sp1 servers in order for the BHOLD installation to succeed.

Issue 1: Application Pools not starting on your FIM Service & Portal server during BHOLD SP1 FIM Integration MSI install

Both Stefan and I recently ran into an issue installing the BHOLD FIM Integration MSI file onto our FIM Service & Portal server.  We were seeing a problem where the MSI would launch a custom action to run an executable called:  ‘FIMCustomization.exe’.  This executable runs a command window which promptly crashes, returning a non-zero exit code to the MSI and therefore terminating and rolling back the installation.  We were noticing two things occurring during this MSI install:

1.  The MSI installation in real-time creates a web application locally to the FIM Portal server in IIS Manager called ‘BHOLD’ under port 5151, then immediately tries to call a ‘BHoldRoleExchangePoint.svc’ file that’s hosted in that new web application (locally to the FIM portal server)

2. IIS Manager reports an issue where the Application Pool cannot start for the new BHOLD application and then stops the web application.  This is noticeable in the Event Viewer (App Log) with an issue similar to this (click to expand):

This is what causes the MSI installation to fail and rollback during install.

Stefan determined that putting the following entry into the following file fixed the issue.

1.  On the FIM Portal (SharePoint 2010 Foundation) server, locate the file: C:\Windows\System32\inetsrv\config\applicationHost.config

2. Search for the string: ‘SPNativeRequestModule’ and add to end of the sentence: preCondition=”bitness64″  before the end text ‘/>’

The final beginning and end string value should look similar to:

<add name=”SPNative RequestModule” image=…<edit>… spnativerequestmodule.dll” preCondition=”bitness64″ />

This fixed issues where Application Pools were not starting correctly due to an incorrect x86/x64 architecture.  I’m sure an expert SharePoint developer would be able to tell you why in more detail!   Note: This fix is alluded to in the Microsoft Release Notes for BHOLD SP1 but it states that it applies to Windows Server 2012 only.  However, it looks like it impacts Server 2008 R2 as well (thanks to Dan Thom for the spot!).

Issue 2:  Cross Domain Silverlight issue after successful FIM Integration MSI file installation

By default, the BHOLD installation for the BHOLD SP1 FIM Integration MSI file installs the link for the ‘BHOLD Self Service Portal’ with only the hostname of the FIM service portal.  In some situations we saw, this causes an issue with Silverlight not running the BHOLD self-service portal as it detects a ‘cross domain’ issue with the link and does not display the content for security reasons

The link is displayed off the FIM Portal here: (click to zoom):

By adding in the full FQDN of the new BHOLD site in the following file fixes the issue.

1. On the FIM Portal server, open the file with Notepad.exe:  C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\template\layouts\BHOLD\Self service.aspx

2. Locate the string:  value=”RoleExchangePoint=http://:5151/BHOLD/RoleExchangePoint …..<etc>

and add in the full FQDN to the server so that the value reads:

value=RoleExchangePoint=http://<FQDN of your FIM Portal server>:5151/BHOLD/RoleExchangePoint….

Example, if was ‘FIMPortal’, and your FIM portal server has a FQDN of ‘FIMPortal.Fabrikam.com’, then the value becomes:

value=RoleExchangePoint=http://FIMPortal.Fabrikam.com:5151/BHOLD/RoleExchangePoint…

By performing a test of the ‘BHOLD Self Service Portal’ link, there should be no ‘cross domain’ Silverlight errors interfering with the portal displaying correctly.

Hope this helps future installations!

Michael Pearn

Let me know by the form below if you have any questions about getting a BHOLD SP1 lab or environment built:

This post will cover a bit of background around NTLM Outlook Anywhere and KCD and a seemingly hidden configuration change you need to make to successfully use Outlook Anywhere NTLM authentication with UAG and a hardware load balancer. I could not find this referenced anywhere else, so am hopeful that it will save somebody a lot of troubleshooting time. Bear with me as this post gets a little detailed. If you are impatient (and we have all been in that situation where we only care about the solution) then jump to the fix.

Symptoms

On a recent customer project, we had a UAG array that needed to connect to a Hardware Load Balancer (HLB) Virtual IP address (VIP) which load balanced an Exchange Client Access Server (CAS) array. The experience for remote Outlook clients using Outlook Anywhere is they keep getting authentication prompts when trying to connect or create a new Outlook profile. Putting in the correct user name and password will just prompt again and again.

Publishing Outlook Anywhere with NTLM

A white paper by Greg Taylor from the Exchange Product Group was released by Microsoft in January 2011 Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG which covered the steps for TMG and UAG to enable NTLM Outlook Anywhere authentication. This configuration guide covered a lot of the issues people encountered and worked fine if you used a single Exchange Client Access Server (CAS) or wanted UAG to perform the load balancing with a server farm.

Adding a Hardware Load Balancer to the Solution

The problem comes when trying to use a Hardware Load Balancer (HLB) between UAG and the CAS Array. As UAG will only connect to a single published name that is configured on the ‘Addresses’ section of the ‘Web Servers’ tab and will be using KCD, Exchange needs to have a Service Principal Name (SPN) for the published name and UAG must be allowed to delegate authentication. However an SPN should not exist twice in an Active Directory forest, so the CAS array members cannot all have the SPN added. If UAG tries to connect to the server using the SPN, authentication will fail. This was covered in detail in an Exchange Team Blog Combining Web Farm publishing with Software or Hardware Based Load Balanced CAS arrays.

Alternate Service Account

A solution for CAS Array Kerberos authentication was introduced with Exchange 2010 Service Pack 1 in the form of the Alternate Service Account (ASA) which is covered in Configuring Kerberos Authentication for Load-Balanced Client Access Servers and Using Kerberos with a Client Access Server Array or a Load-Balancing Solution. All Client Access Servers use a shared computer account (or use account if required) via the Microsoft Exchange Service Host service and SPNs are added to this account to allow clients to authenticate to any CAS using the CAS Array FQDN. The steps to configure the ASA are:

1. Create a computer account for the ASA
2. Add the SPNs to the ASA
3. Convert the Offline Address Book to an application using ConvertOABDir.ps1
4. Deploy the ASA account to the Exchange CAS array members using RollAlternateserviceAccountPassword.ps1

The first link above states:

“External or Internet-based clients that use Outlook Anywhere won’t use Kerberos authentication. Therefore, the fully qualified domain names that are used by these clients don’t have to be added as SPNs to the ASA credential.”

This seems to be the root of the problem with Outlook Anywhere and UAG, as UAG needs to use Kerberos authentication to perform Kerberos Constrained Delegation (KCD).

KCD, S4U2Self and S4U2Proxy

In order for the client to authenticate to the Client Access Server via UAG, the high level flows are:

1. UAG takes the user credentials in non-Kerberos form, for example Basic or NTLM
2. UAG uses the Kerberos protocol transition extension S4U2Self (Service for User to Self) to obtain a Kerberos ticket on behalf of the user, as if the user had obtained it directly
3. UAG uses the Kerberos Constrained Delegation (KCD) extension S4U2Proxy (Service for User to Proxy) to impersonate the user and obtain a Kerberos ticket to access the Exchange CAS
   1. The UAG server needs to be allowed to delegate authentication to the SPN Exchange uses
4. The Exchange CAS responds to UAG as if the user had authenticated directly with Kerberos
5. UAG sends the response back to the user device

More information on Kerberos Constrained Delegation and the S4U2Self and S4U2Proxy Kerberos extensions is available from:

http://msdn.microsoft.com/library/cc246071(PROT.13).aspx

http://technet.microsoft.com/en-US/library/cc738207(v=ws.10)

Usual Exchange and UAG Configuration

• Follow the ASA guide mentioned above Configuring Kerberos Authentication for Load-Balanced Client Access Servers
• Enable Outlook Anywhere on each server (or all at once)

Get-OutlookAnywhere -server serverone | Set-OutlookAnywhere -ClientAuthenticationMethod NTLM

• Add SPNs for additional UAG published names if you are using custom ports as mentioned in my previous blog about custom port redirect problems.

setspn -s http/exchange.domain.com CAS-ASA$

• Configure UAG Outlook Anywhere application for KCD as per the White Paper above
• Configure Active Directory to allow UAG to use KCD to the ASA computer account SPNs that are published by UAG. Rather than exporting the LDIF file from UAG, you can run the following script to setup delegation where ‘exchange.domain.com’ is what is entered on the UAG application ‘Addresses’ tab

$SPNs = "http/exchange.domain.com","http/exchange"
$UAGservers = "UAG01","UAG02","UAG03","UAG04"
Import-Module -Name ActiveDirectory
foreach ($UAGserver in $UAGservers) {
    $TempComputer = $null
    $Tempcomputer = Get-ADComputer $UAGserver
    Set-ADObject $Tempcomputer.DistinguishedName -Add @{"msDS-AllowedToDelegateTo" = $SPNs}
    Set-ADObject $Tempcomputer.DistinguishedName -Replace @{"userAccountControl" = 16781312}
}

At this point you will have done everything mentioned for Exchange and UAG in the Microsoft documentation but it will not work and Outlook users will keep getting prompted for credentials.

Cause

Outlook Anywhere uses the RPC application in IIS which uses the DefaultAppPool Application Pool.

The DefaultAppPool is different to all of the Exchange specific application pools as it uses the ApplicationPoolIdentity identity, not LocalSystem as can be seen below.

As it is not using LocalSystem this application pool cannot use the Exchange Alternate Service Account as it does not have access to the Exchange Service Host SPNs. That means UAG cannot delegate authentication and Kerberos Constrained Delegation will not work. KCD will not fall back to a lower authentication mechanism on authentication failure.

How to Make It Work

The fix is pretty simple – modify DefaultAppPool to LocalSystem or create a new application pool that uses LocalSystem. The first option is not recommended as there are other applications using the DefaultAppPool and doing so may give more rights than are required. Creating a new application pool is possible in the IIS console, but the DefaultAppPool has quite a few non-standard settings. So the easiest way is to use the IIS PowerShell module to copy the application pool. This was my first attempt at using the IIS PowerShell module and I could not get it consistently copy the DefaultAppPool across multiple Exchange versions and Windows patch levels. In the script below there is a dirty hack that creates the application pool, deletes it and then copy. Without the precreation I would get the error ‘Copy-Item : Object reference not set to an instance of an object’ when trying to copy. Note the iisreset at the end – this will disconnect users so plan ahead.

Import-Module webadministration
### Need to stop DefaultAppPool and precreate the new app pool to get it to work consistently
Stop-WebAppPool DefaultAppPool
New-WebAppPool MSExchangeRpcAppPool
Remove-WebAppPool MSExchangeRpcAppPool
copy IIS:\AppPools\DefaultAppPool IIS:\AppPools\MSExchangeRpcAppPool
Start-WebAppPool DefaultAppPool
### Modify new app pool to LocalSystem
$RpcAppPool = dir IIS:\AppPools | where {$_.name -eq "MSExchangeRpcAppPool"}
$RpcAppPool.processModel.identityType = "LocalSystem"
$RpcAppPool | set-item
### Change RPC applications to use the new app pool
set-itemproperty "IIS:\Sites\Default Web Site\Rpc" ApplicationPool MSExchangeRpcAppPool
set-itemproperty "IIS:\Sites\Default Web Site\RpcWithCert" ApplicationPool MSExchangeRpcAppPool
iisreset

You end up with a new application pool using LocalSystem that only contains the RPC applications.

This process has been tested and works with Exchange 2010 Service Pack 2 and Service Pack 3 on Windows 2008 R2. Exchange 2013 and Windows 2012 have not been validated.

Bonus Information – KCD and Trusts

Attempting to work out if Outlook Anywhere NTLM with UAG and KCD was supported with a trust sent us down many conflicting documents and references. This UAG page in particular made me think it would not work Configuring single sign-on with Kerberos constrained delegation when it says:

“The following are the requirements for Kerberos constrained delegation:

• The Forefront UAG server must be part of a domain.
  
• You must define only one authentication server for the trunk to which the application belongs.
  
• All domain controllers in the internal network must be running Windows Server 2003.
  
• Users must be part of the same Active Directory forest as the Forefront UAG server and the application servers.
  
• Forefront UAG servers and application servers must be part of the same domain”
  

However Summary (Kerberos Protocol Transition and Constrained Delegation) says:

“The accounts of users accessing the services do not have to be in the same domain as the services”

It wasn’t clear if that meant it could be in a different domain in the same forest, or if it could cross forest boundaries. Many other documents and articles confused the issue and I could not find a nice concise link stating it would work. This is probably the closest but it is for ISA and IAG (the predecessors of TMG and UAG) KCD with Cross-Forest Accounts.

The bottom line is that it does work – users from trusted forest A can access their linked mailboxes from Outlook Anywhere via UAG in forest B and get seamless SSO.

For KCD to work, UAG and the resource (Exchange in this case) have to be in the same domain. For S4U2Self protocol transition to work, there must be a two way forest trust (which means Windows 2003 Forest functional level or later) and the UAG servers need to be able to resolve and connect directly to the trusted forest Active Directory Domain Contollers for authenticating end users. In our situation we had to add an additional domain suffix to the UAG server internal network interfaces and open up firewall ports.

The foundation and principles of AWS have been built on Amazon, a company that was envisaged to be the most customer centric company in the world. “There are two kinds of companies, those that work to try to charge more and those that work to charge less. We will be the second.” – Jeff Bezos

These types of requirements are inputs into an ethos that pervades, that underpins the Architecture of AWS.

Core Principles

Elasticity and Scalability are two fundamental cloud architecture principles that guide the AWS Architecture.

Elasticity is the ability to use resources in a dynamic and efficient way so the traditional anti-pattern of over provisioning of infrastructure resources to cope with capacity requirements is avoided. Significantly, elasticity avoids the costs of these over provisioned resources such as power, space and maintenance. This is the AWS pay as you go/pay for what you use model.

Scalability is the ability to scale without changing the design. With AWS, scalability is achieved by scaling-out.  Infrastructure and application components are designed with the premise that they will fail, instead of a just being designed around High Availability. The technology components are commodities that can be thrown out when they fail and grown by adding more when demanded. A guiding principle is to have a consistent approach to architecture and growth.

Embracing these core principles requires a number of traditional blockers to be removed to support resilience and growth. Manual Components, Tightly Coupled Components, Stateful Components and Vertical Components.

• Manual – where manual intervention is required to start, scale or control resources
• Tightly Coupled Components – where a single component is dependent on another specific component
• Stateful components – resiliency to a loss of state
• Vertical scaling – ability to scale out horizontally, instead of vertical scaling which will eventually hit limitations

Repeatability is at the heart of removing these blockers so that automation (autoscaling and bootstrapping) can take over and scale transparently as the demand arises.

AWS represents a fork in the road where Infrastructure and Application Technologies meet at a common manageable point, the API. This is the power and revolution of cloud and AWS architectures, largely turning the Datacentre into highly manageable software. The AWS API has SDKs for Java, Python, Ruby, .NET, PHP, iOS and Android.

Architecting technology components as commodities is fundamental. Once blockers are removed Technology building blocks just become interchangeable components, the very definition of a commodity – “A basic good used in commerce that is interchangeable with other commodities of the same type. Commodities are most often used as inputs in the production of other goods or services. The quality of a given commodity may differ slightly, but it is essentially uniform across producers”. In AWS speak quality refers to the instance type and whilst there a number of different flavours of scale from t1.micro to C1.Xlarge they are essentially the same “commodity”.

New Architectural Ethos

Where there are blockers of cloud architecture adoption there are also principles that promote and strengthen cloud architecture. Areas that you need to gravitate towards to successfully leverage the AWS cloud.

• Autoscaling and Bootstrapping – Autoscaling allows you to automatically horizontally scale to accommodate load. Bootstrapping allows you automatically setup your servers after they boot. (Using components such as Amazon Machine Images (AMI’s) and CloudFormation to automate)
• Loosely Coupled
• Stateless
• Horizontal

Changing a legacy architecture to this new pattern can be but isn’t always the first step in adopting the cloud. Sometimes a “lift and shift” of  a current application  ”as-is” can be a suitable and compelling first step into the cloud.  It just means that all the capabilities of a cloud architecture will not be fully available until the blockers are removed and the new architecture ethos is more widely adopted. The adoption of new cloud architectures is like dining out. There are many choices,  you can choose a la carte options and sample some specific menu items or you can have a banquet and get the full experience.

In AWS Infrastructure becomes code. In this example see how quick it can be to provision infrastructure for a website using CloudFormation: http://www.youtube.com/watch?v=Rg7On-Yx82g

5 trunks were required to meet a combination of different domain names, certificates), different authentication mechanisms, different access methods and authorisation requirements. We could not give the UAG servers private IP addresses for the External interfaces, so the compromise was to publish each trunk on the same public IP address using a custom port. The HLB would publish the trunks on port 443 and connect to UAG on the relevant custom port. This meant 7 public IP addresses used (5 x HLB and 2 x UAG servers) which was the best we could do.

Environment Overview

The diagram above (click for a larger version) shows a high level overview with dummy trunk names and IP addresses showing that each HLB VIP is a different IP address and each UAG trunk is on the same address using a custom port.

Trunk 3 is a non-authenticated trunk for Lync 2013 referenced in my previous blog post Publish Lync 2013 Including Mobility and Office Web Apps with UAG 2010

Trunks 1, 2, 4 and 5 all publish the same applications for Exchange 2010, SharePoint 2013 and FIM 2010 on different domain names and from different locations.

The table below has more detail with dummy trunk and published names.

Issues Encountered

With UAG 2010 Service Pack 3, all applications on trunk 1, 4 and 5 worked correctly (trunk 3 worked in all scenarios due to not doing authentication). The problem was that all applications on trunk 2 (except for SharePoint) would authenticate but not be able to connect to the application. Using Outlook Web App as an example, the client would:

1. Browse to https://mail.showcase.kloud.com.au/owa
2. be taken to the following for authentication https://mail.showcase.kloud.com.au/uniquesig0c4449dcaa9c2c7cb80a00574fc3ea78/uniquesig0/InternalSite/OWA/Login.asp?resource_id=5C0BCBBECE4E49BDA6859D1CD5DDD09C&login_type=2&site_name=trunk1&secure=1&URLHASH=7fc49ee2-2e27-4518-8fb8-b54b0ff77b87&orig_url=https%3a%2f%2fmail.showcase.kloud.com.au%2fowa
3. After authentication the client browser would appear to be stuck on a validation page https://mail.showcase.kloud.com.au/uniquesig0c4449dcaa9c2c7cb80a00574fc3ea78/uniquesig0/InternalSite/Validate.asp
4. After about 40 seconds the connection would timeout with the following in the address bar https://mail.showcase.kloud.com.au/uniquesig0c4449dcaa9c2c7cb80a00574fc3ea78/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=trunk1&secure=1

If I went to the original URL again https://mail.showcase.kloud.com.au/owa I could get to the Outlook Web App page without having to authenticate. Sometimes I needed to go to the original URL 2 or 3 times for it to work.

Troubleshooting

UAG 2010 Service Pack 3 tracing symbols had not been released at the time of troubleshooting (they were released on 30 April) so I rolled back to Service Pack 2. With Service Pack 2, only trunk 1 worked correctly so that was making the situation worse. The UAG trace logs were massive and did not get me any closer to a solution.

Fiddler and HttpWatch showed the same thing, that after the validate.asp page it was trying to:

1. Redirect to https://mail.showcase.kloud.com.au/uniquesig0c4449dcaa9c2c7cb80a00574fc3ea78/uniquesig0/InternalSite/RedirectToOrigURL.asp?site_name=trunk1&secure=1
2. and then to one of the following addresses depending on which Service Pack I had
   1. https://trunk2.showcase.kloud.com.au:2443/uniquesigacde95fbf87ff4ca921a1aca1d5b6d510f79207ec5f596b4b80c06329b09f2591329bdfadfac0bdd33fa95f57bf2ef36/uniquesig1/owa/
   2. https://mail.showcase.kloud.com.au:2443/owa

which contained the trunk name and custom port or the published name with a custom port. A sample of the logon experience from HttpWatch is shown below (click for a larger version).

Cause

After a lot of testing and troubleshooting I eventually raised a Microsoft PSS call. After a couple of days of testing, my very knowledgeable PSS engineer eventually worked out the cause of the issue:

• UAG has a problem resolving the names internally when custom ports are in use and the ‘Public host name’ matches the ‘Addresses’ entry. In this example both are set to ‘mail.showcase.kloud.com.au’.

Trunk 1 worked as it was using the default port 443. Trunk 4 and 5 worked as the ‘Public host name’ ‘mail.contoso.com’ was different to the ‘Addresses’ published name ‘mail.showcase.kloud.com.au’. It turns out UAG 2010 Service Pack 2 has another bug with the custom port publishing which is why only trunk 1 worked when using SP 2.

Resolution

Using SP3, the solution for trunk 2 was to change the ‘Addresses’ name UAG connected to the internal servers on to another name e.g. ‘mail-internal.showcase.kloud.com’. This caused another issue – a new name was required on the certificate used by the internal web servers. The internal certificate had to be regenerated with the additional FQDN added to the Subject Alternate Names and was applied to all Exchange Client Access Servers. For FIM we thought we could get away with changing ‘Replace the host header with the following’ as you see below (which is not an option on the OWA application template) but encountered what seems like another bug where UAG does not pass the host header, but rather uses the original ‘Addresses’ host name. So FIM needed a SAN added to the certificate too.

SharePoint worked in all scenarios so I can only assume it is because of the AAM (Alternate Access Mapping) already catering for the different names being published and the host header worked as expected.

Summary

The publishing scenario used here is probably an edge case. Most environments would use private IP addresses and not need custom ports so would not come across this issue. Others using custom ports may have different internal and external DNS namespaces, like mail.showcase.kloud.com.au externally and mail.kloud.local internally which would not hit this issue. I seem to have hit the perfect set of requirements for causing problems. Maybe some karmic payback – although just having to work with UAG is punishment for something. I miss the relative simplicity and flexibility of TMG like being able to publish multiple domain names on a single publishing rule!

Even though others will probably not see this problem, it is good to be aware that there are some issues with custom ports, using the same name internally and externally and that host headers do not always work as expected.

The next blog will cover how to configure and publish Outlook Anywhere NTLM authentication with UAG to provide seamless Single Sign On from domain joined computers.

In this blog I will explain how to setup UAG 2010 Service Pack 3 to publish all Lync 2013 reverse proxy features including mobility (for Lync mobile clients) and Office Web Apps. But first a little background unless you want to jump straight to UAG 2010 Configuration.

IIS ARR (Application Request Routing)

According to this NextHop blog Using IIS ARR as a Reverse Proxy for Lync Server 2013, IIS ARR is the only supported Microsoft solution for customers who do not already own TMG. A couple of things to note is that IIS ARR cannot do pre-authentication (not supported for Lync anyway) and there does not seem to be any sizing or scaling documentation out yet.

So IIS ARR looks like a solution if you just publish Lync, or if pre-authentication is not important to you – and this seems to be the way most Microsoft products like Exchange and SharePoint are going.

A recent customer engagement had a requirement for pre-authentication and authorisation (allowing only members of a specific group access to Outlook Web App for example) for Exchange 2010, SharePoint 2013 and FIM 2010. Additionally Lync 2013 required no pre-authentication or authorisation. TMG had been planned for and following the end of life statement above, UAG 2010 was chosen. IIS ARR did not meet all of the requirements.

UAG 2010 – No Official Support For Lync

It is important to note up front that Lync 2013 is not officially supported on UAG 2010. UAG 2010 Service Pack 3 provided support for publishing Exchange 2013 and SharePoint 2013, but Lync was noticeably absent. Additionally, Office Web Apps Server 2013 is not specified as supported.

What’s new in Forefront UAG Service Pack 1 Update 1 added support for publishing Lync 2010 Lync Web App (and SharePoint 2010 Office Web Apps) and lists some known issues including ‘Forefront UAG does not support Lync Mobility scenarios’. More information at Publishing Lync web services

Ben Ari from the Microsoft UAG CSS team (who publicly seems to know more about UAG than anybody else) wrote a clarification blog UAG Lync Mobility and other Lync clients stating:

“UAG does not support accessing Lync using Lync Mobility on any platform, nor the use of the Lync software client. The only thing that IS supported is using the Web-based version of the Lync client. For customers who need to publish Lync for Mobility and the software client, Microsoft recommends publishing the Lync Edge server using TMG, or a comparable transparent-publishing firewall solution (note, though, that using the TMG server that’s on your UAG server is not supported for this purpose)”

At that time, Lync 2013 had reached RTM but not General Availability so I assume this references Lync 2010. Even the official TechNet article on Lync 2013 Reverse Proxy configuration only lists TMG and ISA as the Microsoft options.

Investigating using UAG 2010 to Publish Lync 2013

Bearing in mind the lack of support from Microsoft, our project decided to try using UAG to publish all Lync 2013 web services including mobility and Office Web Apps and see how far we got. Looking into publishing Lync on UAG 2010 I found three main articles which pointed me in the right direction:

Lync publishing on UAG

Publish Lync 2010 with ForeFront Unified Access Gateway 2010 (UAG)

UAG as a Lync reverse proxy

The blogs above cover a lot of the steps required for Lync Web App and mobility, but the full list of reverse proxy functions we required were:

• Meeting join
• Dialin page
• Lync Web App
• Lync 2013 and Lync 2010 mobile clients
• Lync autodiscover
• Persistent Chat administration
• Lync client Address book web search
• Lync client Address book group expansion
• Office Web Apps upload and presentation from Lync client and Lync Web App

UAG 2010 Configuration

I won’t cover UAG initial configuration and certificates here, except to say that you need a UC Certificate from a public certificate authority with SAN names containing the FQDNs of:

• Lync trunk public host name
• Lync External Web Services
• Lync Meet Simple URL
• Lync Dialin Simple URL
• Lyncdiscover for each SIP domain
• Office Web Apps farm external URL

Create Trunk

The first step to publish Lync with UAG 2010 is to create a new trunk. This has to be a separate trunk to the one used for Exchange or other applications, as the Lync trunk cannot do any authentication on UAG – all authentication will be handled by the Lync Front End servers. Create a new HTTPS portal trunk and run through the wizard. Note that the trunk ‘Public host name’ must be a different name to any of the applications you are intending on publishing as we will be publishing whole domain names ‘/*’ and not just specific paths. Add authentication servers now and they will be disabled after the wizard completes.

Edit Trunk Authentication

Configure the trunk and on the ‘Authentication’ tab, clear ‘Require users to authenticate at session logon’

On the ‘Session’ tab, enable ‘Disable component installation and activation’ and ‘Disable scripting for portal applications’ to allow non supported browsers to connect. Increase the ‘Inactive session timeout (seconds)’ from the default 5 minutes to something closer to the 3 day (259200 seconds) ‘SessionExpirationInterval’ default for Lync 2013 as documented in Set-CsMcxConfiguration

Enable authentication pass through. UAG 2010 SP 3 defaults to having ‘FullAuthPassthru’ set to 1 in ‘HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter’. For Lync to function we need another 32-bit DWORD key ‘KeepClientAuthHeader’ with a value of ’1′ in the same location to retain the authentication headers.

Activate the trunk and go get a coffee while you wait for the activation process to complete and TMG storage to synchronise across all UAG array members.

Create Applications

Web Services

Create an application called ‘Lync 2013 Web Services’ using the ‘Microsoft Lync Web App 2010′ template. Follow the wizard and ensure you leave the path as ‘/’ and destination HTTPS port as ’4443′. Uncheck ‘Use SSO’ and ‘Add portal and toolbar link’ and leave ‘Authorize all users’ enabled.

Three applications will be created as you can see below.

With the default configuration of Web Services, errors are posted in the UAG Web Monitor:

“A request for application Lync Web Services of type Lync2010 on trunk lync; Secure=1 failed because a POST action without a content-type header is not allowed. The URL is /WebTicket/WebTicketService.svc”

“A request for application Lync Web Services of type Lync2010 on trunk lync; Secure=1 failed because a POST action without a content-type header is not allowed. The URL is /ucwa/v1/applications/211401975557/me/reportMyActivity”

To allow Lync Mobile clients to authenticate to the Webticket service and update presence, edit the ‘Lync 2013 Web Services’ application and on the ‘Web Settings’ tab enable ‘Allow POST requests without a content-type header’.

Edit the meet and dialin applications and ensure ‘Addresses’ and ‘Public Host Name’ on the ‘Web Services’ tab are correct if you use different internal and external domain names. For readability I rename them to ‘Lync 2013 Meet’ and ‘Lync 2013 Dialin’.

Lyncdiscover

Create an application called ‘Lync 2013 Lyncdiscover’ using the ‘Microsoft Lync Web App 2010′ template with ‘Public Host Name’ ‘lyncdiscover.<sipdomain>’ and the same settings as the Lync Web Services application. Once the wizard is complete, remove the ‘Lync 2013 Lyncdiscover – Meet’ and ‘Lync 2013 Lyncdiscover – Dialin’ applications created by the rule.

Office Web Apps Server

Create an application called ‘Office Web Apps 2013′ using the ‘Microsoft Office SharePoint Server 2013′ template. Public host name should be the ExternalURL of the Office Web Apps Server Farm. Change the published port to ‘HTTPS’ port ’443′ as it defaults to HTTP. As with the others, uncheck ‘Use SSO’ and ‘Add portal and toolbar link’ and leave ‘Authorize all users’ enabled.

Final Configuration

You should end up with an application list similar to this:

The final step is to edit the trunk to allow Lync Web App to upload and present presentations using Office Web App Server. The default configuration denies PUT requests for UCWA (Unified Communications Web API) and you receive ‘Invalid Method’ warning messages stating:

“A request from source IP address x.x.x.x, user on trunk lync; Secure=1 for application Lync Web Services of type Lync2010 failed because the method used PUT is not valid for requested URL /ucwa/v1/applications/111597367048/communication”

Configure the trunk settings and on the ‘URL Set’ tab, click ‘Add Primary’. Enter the following details:

Name: Lync2010_UCWA

Action: Accept

URL: /ucwa/.*

Parameters: Ignore

Methods: PUT, POST, GET

Close the trunk settings and activate the UAG configuration.

Testing

Considering the stated lack of support for Lync 2013 and specifically Lync Mobility, surprisingly all of the functions mentioned above worked without a hitch after the ‘POST without a content-type header’ and UCWA PUT issues were resolved. Lync 2013 and Lync 2010 mobile clients on Windows Phone, iOS and Android could sign in. Lync Web App worked beautifully including audio, video and content sharing. The Lync client could search the address book, join meetings and users could get dialin information and create Persistent Chat rooms. From our testing, everything is working as expected. I keep waiting for something to fail, but so far all is good.

I have been doing a lot of work with UAG lately and run into a lot of bugs and problems, so I think this may be the first of a few UAG blogs.

Edit 15 May 2013 – updated UCWA path.

The reason behind these limitations rest in the handshake that takes place between the browser and the web server. When a SSL client request is initiated, the HTTP header data is not available to the web server. Only after successful handshake are the headers encrypted and sent to the web server. Too late to allow for successful redirection to the desired web site.

Solving this limitation required an extension to the Transport Layer Security (TLS) protocol that includes the addition of what hostname a client is connecting to when a handshake is initiated with a web server. The name of the extension is Server Name Indication (SNI). Of course, extending the definition of a protocol is never as easy as updating an RFC. Both client and server compatibility are required to make use of these extensions. On the client side, roughly 95% of browsers support SNI. Specifically those are:

• Internet Explorer 7 or later
• Mozilla Firefox 2.0 or later
• Opera 8 or later
• Google Chrome 6 or later
• Safari 3 or later
• Test Your Browser

In the Microsoft world, support for the SNI extensions to TLS were introduced with Windows Server 2012 and IIS 8.  Through the Internet Information Services (IIS) Manager and a web sites bindings UI, SNI can be specified for a HTTPS site along with a host header:

There are many resources on the Internet that deal with setting up and configuring a site using SSL bindings as well as utilizing SNI from within the IIS Manager.  Where I’d like to focus the second part of this blog is in creating SNI web-bindings using PowerShell.  As a driver for implementing SNI is the scalability it provides, this scalability might be for naught if not coupled with the ability to deploy a solution without the use of a GUI.

There are three parts to successfully assigning and associating any SSL binding with a website through PowerShell:

1. A SSL binding needs to be created for the web site
2. A certificate needs to exist in the local machine certificate store
3. A SSL binding relationship needs to be created to associate a certificate with a web site

Creating the Web Site Binding

Creating the web site binding is a straightforward process.  The following PowerShell sequence would be used to create the binding and assign the correct port, host header and specification for use of SNI:

# Import IIS Management PowerShell Module
Import-Module WebAdministration

$hostHeader = "test.com"

New-WebBinding -Name "Test Website" -Protocol "https" -Port 443 -HostHeader $hostHeader -SslFlags 1

The name specified would be the name of the web site you’d like to add the binding to.  The protocol and port are standard for SSL bindings.  The host header is the URL you’d like the web site to respond to.  Finally, SslFlags with a value of 1 enables SNI for this binding.

Retrieving the Certificate from the Certificate Store

While I won’t cover the process to request a certificate or import the certificate into the local machine store, there are two factors we need to address before using the certificate in the third and final step.

In order to use the certificate in IIS it is critical that the certificate is imported allowing the private key to be exported.  If a certificate is used without an exportable private key, IIS will be unable to bind that certificate.

Creating the SSL association in the third step requires we have some reference to the certificate we’d like to associate with the web site.  There are two values that can be used.  The thumbprint of the certificate or a reference to the certificate object itself.

In order to retrieve the thumbprint of a certificate the following PowerShell command is used:

$thumbprint = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq "Test Cert"}).Thumbprint

In the above example the friendly name of the certificate is used as the matching context.  One could also use the subject instead.

In order to get a reference to the certificate itself the following syntax can be used:

$certificate = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -eq "Test Cert"}

After this step you will now either have a direct reference to the certificate or the value for the certificates thumbprint.

Creating the SSL Association

The final step in the puzzle is tying together both the binding and the certificate.  This can be the trickiest part to get right.  PowerShell doesn’t provide a native cmdlet to directly do this. Instead, one needs to use the IIS drive exposed by the WebAdministration module to create a SslBinding object and associate that object with the certificate.

The PowerShell sequence for that task is as follows, if you’re using the certificate object:

New-Item -Path "IIS:\SslBindings\!443!test.com" -Value $certificate -SSLFlags 1

If you’re using the thumbprint your command would be:

New-Item -Path "IIS:\SslBindings\!443!test.com" -Thumbprint $certificate -SSLFlags 1

If successful, you should receive confirmation displaying the host name, along with the site the host name is bound to.  To confirm that SNI is in use run the following command from the command line:

In the above, notice the SSL binding is using the hostname:port syntax which confirms SNI is in use.

Following the above steps will allow you to take advantage of the new Server Name Indication (SNI) implementation in Windows Server 2012 and IIS 8.

There are many blogs comparing the major IaaS providers – however this post focuses more on the Australian market IaaS providers. Organisations of all sizes have begun adopting or investigating Cloud computing making it essential for decision makers to look into what they offer. This comparison looks at what available options are in the market in regards to Infrastructure as a Service (IaaS) providers.  As more customers are looking at the best combination in the market – we will examine each cloud provider feature set at a high level.  Note that this comparison does not include aspects on the PaaS (Platform as a service) space.

IaaS major players in Australia

When referring to pure Australian players – we can count major providers that have (actual) presence in Australia and who are yet to make their services available to this region. Firstly, as we all know Amazon has seen Australia as a serious market with its Sydney region establishment mid last year (June 2012). Next are the Telco’s, Telstra & Optus who recognize that there is a significant revenue for the Cloud market. Finally, companies who wish to scale their services internationally should look at what Rackspace have to offer with their IaaS packages.  UPDATE: Microsoft have shared their plans to enable services in Victoria and NSW to cater for the growing demand of Cloud services.

In summary we particularly look at the following Cloud providers:

• Amazon Web Services
  
• Microsoft Windows Azure
  
• Telstra Utility Hosting (IaaS)
  
• Optus PowerOn IaaS
  
• Rackspace IaaS
  

Amazon Web Services
AWS has gained huge market share and popularity anywhere in the world including Australia and is seen as a leader in public IaaS. They have very frequent releases with new products/updates coming every 2 weeks or so. As an infrastructure as a service provider, Amazon is seen as a leader in the enterprises and start-ups at present.

Microsoft Windows Azure
Azure unveiled the IaaS Virtual Machines offering preview at the Meet Windows Azure Event in June last year (2012). Last week (17-Apr AEST) Microsoft has made the infrastructure services with GA (General Availability) along with new features such as larger virtual machines and a new pricing commitment based model for possible greater discounts. Despite no local availability in Australia, we see Azure as a major player in the Cloud especially its successful adoption by developers with their PaaS and SaaS offerings. UPDATE: Azure will be available in Australia – see their announcement here.

Telstra Utility Hosting (IaaS)
It has been public for a while that Telstra are offering Cloud services, they have announced $800m investment to build a cloud platform to serve majority of Australian customers. They have also recently completed a major upgrade to their Cloud portal providing greater ease for consumers. Telstra are ramping up its services to cover more geography regions in APAC with its recent initiative – Telstra Global.

Optus PowerOn IaaS
Optus released its first Cloud product late 2010 followed by a major upgrade last year. To support its strategy, the parent company, Singtel has completed re-organisation to focus more on regional opportunities. Optus PowerOn Cloud is a vCloud certified data center.

Rackspace IaaS
Rackspace established an Australian presence in 2009 using its overseas data centers. Now, Rackspace has opened an Australian data center and brings its openstack solution for private cloud deployments. There is no date yet when they will release its public cloud offerings in Australia. To make a consistent comparison, we will compare the public cloud offering.

The Comparison

The following table compares the offerings among major Cloud providers in the industry at a high level. The comparison takes into account support and availability within the Australian landscape focusing on Infrastructure services (IaaS). We have selected differentiators as a method to distinguish services/feature set being provided by the Cloud providers (refer to the table). Where applicable, we discuss several key areas in more detail.

This comparison is valid at the time this blog is published and is subject to change in the future as Cloud providers rapidly adding more features.

Footnotes description:

1. Only one region is available at present.
2. Refers to the DB cloud offerings (PaaS) and excludes the use of a dedicated database installed on a virtual server.
3. Microsoft customised Hyper-V for Azure.
4. Refers to a set of virtual machines running on a dedicated hardware.
5. Rackspace 100% SLA is for hardware and infrastructure failures – please refer to their SLA here.
6. IaaS (Virtual Machines, Networks, Storage) has the same price worldwide.  CDN (PaaS) has differing prices based on zones.
7. Update: Azure will soon be available in Australia in two regions – New South Wales and Victoria.  No official date has been announced yet.

Cloud Engine
Cloud Engine refers to the underlying provisioning and orchestration technology supporting the IaaS. Azure, AWS, and Telstra IaaS use proprietary Cloud engines with Rackspace notably uses the OpenStack platform, and Optus as the early provider embraces VMware vCloud. 

Consumer API
One of the add-on benefits with Cloud is the ability to programmatically manage your infrastructure via API and various programming languages.  Both Azure and AWS provide strong API support which practically allow anything done via UI possible via the APIs, this is also accessible via different languages too eg. .Net, Java, PHP, node.js, etc.  Rackspace supports the industry standard RESTful API powered by the OpenStack platform.  At the time this article written, there are no API published by both Telstra and Optus.

Storage Offerings
All providers have services around storage – this again refers to dedicated storage offering for unstructured and structured data in the Cloud as opposed to disks attached to servers. Azure offers Table (NoSQL) and Blob (unstructured) storage to store your data; Amazon with its DynamoDB and S3 (and quite recently) Glacier for archiving solution; Rackspace offers Cloud Files and Databases solution but no support for NoSQL yet. Telstra and Optus only offer unstructured data storage option at this stage.

Compute Offerings
There is not much to say here as all providers we compared have compute offerings – there are varying workload sizes which is described in the above table.

Network offerings
Azure has virtual network, load balancer, and network security products such as Traffic Manager (it’s in preview as this blog is written). AWS has virtual private cloud allowing you to create private and public subnets, load balancer with its elastic load balancing (ELB), and security groups and ACL allowing granular access control mechanism. Rackspace allows the creation of isolated networking with CloudNetworks, Load Balancer with the Cloud Load Balancers product, and advanced traffic filtering using open vSwitch technologies. Despite these similarities there are certain aspects of networking that are different eg. Load Balancer capabilities between Azure, AWS and Rackspace which we may cover in a separate blog.

24×7 Support Availability

All cloud providers offer 24×7 support as follows

• Azure has phone and email options but no online chat support option.
• AWS has phone, email, chat, screen sharing support options.
• Rackspace has phone, ticket (email), chat support.
• Telstra has phone and email support but no community forum option.
• Optus has phone and email support, service management reporting but no community forum.
  

SLA
Each vendor provides differing SLA terms and condition and you should consult appropriate parties (SIs, lawyers, and the relevant vendors)

Amazon
EC2 SLA
S3 SLA

Azure
Virtual Machines and Network SLA
Storage SLA
SQL Databases SLA

Rackspace
Cloud Servers SLA
Cloud Load Balancers SLA
Cloud Databases SLA
Cloud Files SLA 

Telstra
Telstra IaaS SLA

Optus
Optus PowerOn SLA

What does this mean for my organization?

While it is good to see what these cloud providers bring to the table, you will need to understand how your organization can benefit from these. For starters, understand at what stage your organisation is at in the journey of adopting the cloud, what immediate business problems you urgently need to address, and then think about ways Cloud can make a real impact to your organisation.

It is important to look at beyond the hype and to align your cloud initiatives to your business need. At Kloud, we believe that every organisation can benefit from Cloud in some way and we are enthusiastic in enabling your business to be a cloud-ready business. Invite us for a quick meeting & discuss how the Cloud can transform your business.

We look forward to hearing what you think – if you have any suggestions or questions please contact us.

Key links for further info:

https://cloud.telstra.com/virtual-servers
http://www.arnnet.com.au/article/425575/optus_shifts_cloud_strategy_into_high_gear/
http://www.rackspace.com/blog/rackspace-comes-to-australiaand-brings-our-openstack-solution-too/
http://www.rackspace.com/blog/cloud-networks-the-next-chapter-in-the-open-cloud/
http://aws.amazon.com/premiumsupport/
http://www.windowsazure.com/en-us/support/plans/
http://www.rackspace.com/cloud/servers/support_b/
http://www.telstraglobal.com/news/437-telstra-global-s-cloud-solution-powers-flat-planet-s-expansion-in-asia
https://cloud.telstra.com/help-and-support