Integrating Cloud Services in the enterprise network

The use of cloud services is being discussedintensively in many companies. The discussions does usually lead tothe following questions:

• Is our data safe in the cloud?
• Can I get fast access? At any time and from any place on theworld ?
• Do Cloud Services meet the compliance guidelines of thecompany?

It gets really interesting when the decision is “pro cloud” andthe implementation project is about to start. If you need help, youcan rely on the experience of our specialists. Feel free to call orto send us a message.

Cloud services in general

Cloud services are a complex issue. There are many providerswhose offers differ just in details. Due to the already gatheredproject experience the experts of FirstAttribute focus onthe Microsoft cloud solutions.

Microsoft cloud solutions can be

• IaaS (Infrastructure as a Service)
• PaaS (Platform as a Service) and
• SaaS (Software as a Service).

It is a mix of public cloud and private cloud services.Microsoft calls its public cloud service MS Online (MicrosoftOnline) or in short MS-O, the private cloud is called theOn-Premises or short OnPrem.

On the way from OnPremises to a SaaS solution, responsibilitiesalso move from from the local IT to the cloud service provider. Thepicture below shows you how the responsibilities for each cloudsolution are balanced between the local IT and the cloud serviceprovider .

Comparison of cloud variations OnPremise , IaaS , PaaS andSaaS

Cloud Computing with Microsoft – Examples :

Microsoft Office 365

Microsoft Office 365 is a SaaS (Software as a Service) solutionfrom Microsoft .
Office365 comes in 3 versions:

• Office 365 Small Business Premium
• Office 365 Midsize Business
• Office 365 Enterprise

The characteristics and of each verison can be found on theMicrosoft website: http://office.microsoft.com/en-us/business/

Basically, the follwing components are offered:

• Exchange Online ( EXO )
• SharePoint Online (SPO)
• Lync Online (LYO)
• Office Online (Word, Excel, PowerPoint, Outlook, Access)

Technically seen, Microsoft provides a Microsoft Azure ActiveDirectory domain in a so-called cloud tenant (client). This domainis the basis for an Exchange organization and the provision ofother services such as SharePoint. The Office programs (Word, Exceletc.) are streamed via App-V directly to the terminals.

Workplace integration

The main questions here are:

• How do cloud services fit into the existingenvironment?
• How does the daily business look like for theuser?
• How does the end user access to the cloudservices ?
• Is it all transparent and understandable tothe user ?

Three-step concept for the integration

1 Directory synchronization

Establish a directory synchronization between the OnPremises ADdomain in your own data center and the Microsoft Azure ActiveDirectory domain based on the MIIS (Microsoft Identity IntegrationServer). So you can access the cloud tenant with the regular username. You can now access a different domain (Azure AD) and with adifferent password.

2 MIIS Password Synchronization

Establish a MIIS Password Synchronization. The directorysynchronization with the Microsoft Identity Integration Serverenables the transmission of passwords in the Microsoft Azure ActiveDirectory domain. Thus, users can sign in with the same usernameand password both OnPremises as well as in the cloud – but on twodifferent domains.

3 Single Sign-on SSO

Establishment of the single sign-on SSO. A STS (security tokenservice) is required which is set up with a ADFS Trust (ActiveDirectory Federation Services) between the Microsoft Azure ActiveDirectory domain and the AD domain OnPremises. This allows you todirectly access to cloud services without further notification. TheSSO solution is the best solution for the user, but also the mostcomplex.

For this reason we want to go a bit more into detail in thenext chapter.

Single Sign-On SSO

The implementation of SSO requires a Windows domain in mode2003R2, 2008, 2008R2 or 2012. You can install the ADFS serviceeither as ADFS 2.0 on a Windows Server 2008R2 or as ADFS role on aWindows Server 2012. If users want to log on to the cloud using SSOoutside the intranet, an AD FS 2.0 proxy server in the DMZ isnecessary. The Cloud login page passes the authentification on theADFS proxy to the ADFS server and the OnPremises domain.
The routing works if the user logs on using his UPN(UserPrincipalName), eg username@company.com. In addition, the DNSsuffix of the UPN must be a public registered DNS domain. Only thatway the forwarding target can be resolved externally to the ADFSproxy in the DMZ.
It is might be the best to use the e-mail address as UPN here, asthis is known to the user. Even for users who log on to theirworkstation to a domain PC, the UPN of the user object must becorrectly maintained to provide a proper SSO.

Conclusion

If you look at SSO it is easy to see that a cloudservice integration is a very complex issue. The UPN isjust one of many examples that must be considered before and duringthe implementation. In addition there are public certificates,external DNS entries, firewall rules, and trusted sites entries inInternet Explorer (to name just a few). All these should be takeninto consideration to get the connection to the cloud worksmoothly.

If you have questions or need support, you can rely on theexperience and expertise of FirstAttribute. We support andaccompany you on your journey to the cloud. Feel free to contact us.

graphics: adapted from Microsoft sources