I’ve been working with a customer who wanted to lock down access to O365 so users can access all the services from anywhere apart from browser based access, which can only be accessed from their corporate managed devices. Here’s a quick rundown of what we did…

We used the basic setup of 2 AD FS proxy servers in the DMZ and 2 internal federation servers to give us high availability. We had TMG sat in front of the AD FS proxy boxes, an example of the rule is shown below:-

Create a TMG Firewall Policy for AD FS

1. Log in to TMG as Domain Admin and launch Forefront TMG Management from the Start menu

2. Select Firewall Policy and select Publish Web Sites

3. Web publishing rule name: AD FS and click Next

4. Select Allow and click Next

5. Select Publish a single Web site or load balancer and click Next

6. Select Use SSL to connect to the published Web server or server farm and click Next

7. Internal site name: <your-federation-service-name

8. Check the checkbox to Use a computer name or IP address to connect to the published server

9. Computer name or IP address: <your-adfs-proxy> and click Next

10. Path: /* and click Next

11. Accept requests for: This domain name (type below):

12. Public name: <your-federation-service-name>

13. Path: /*

14. Click Next

15. Click New

16. Web listener name: AD FS Listener and click Next

17. Select Require SSL secured connections with clients and click Next

18. Check the checkbox next to External and click Next

19. Click Select Certificate, select your SSL cert certificate, click Select, and click Next

20. Select how clients will provide credentials to Forefront TMG: No Authentication and click Next and Next and Finish

21. Click Next, select No delegation, but client may authenticate directly, and click Next

22. Make sure All Users is displayed and click Next and Finish

23. Right-click the AD FS policy and select Configure HTTP

24. On the General tab, uncheck the checkbox for Verify normalization and click OK

25. Right-click the AD FS policy and select Properties

26. Select the Link Translation tab, uncheck the checkbox for Apply link translation to this rule, and click OK

27. Click Apply at the top of the TMG console

See here for full details/images - http://social.technet.microsoft.com/wiki/contents/articles/limit-access-to-office-365-via-adfs-with-threat-management-gateway.aspx and follow this link for ISA - http://blog.c7solutions.com/2011/06/publishing-adfs-through-isa-or-tmg.html and it’s also worth noting that Forefront UAG works only with the WS-Federation Passive protocol (e.g. browser access, such as the portal and OWA) not the active (e.g. Exchange ActiveSync, Outlook 2007, Outlook 2010, IMAP, POP, SMTP and Exchange Web Services) or MEX (e.g. Office subscriptions and Lync) see here for more details.

We also just used the Windows Internal Database (WID) as we don’t require more than 5 federation servers in the farm. The WID uses a primary/secondary model to replicate the database to all of the nodes in the federation farm. Because only one server is configured as the primary server, configuration changes can only be made on that server. The federation services on the secondary nodes are not able to modify the database. In this configuration, there are two features that cannot be implemented because they rely on database changes across all nodes. These two features are Token Replay Detection and SAML Artifact Resolution (for more details see here).

We followed the TechNet article ‘Limiting Access to Office 365 Services Based on the Location of the Client’ to create our own custom rule to lock down access to O365. The rule we created was ‘Allow all external access to Office 365, except Browser based access’ this is the rule we created:-

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip",

Value=~"\b1\.2\.3\.4\b"]) &&

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])

=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "True");

If we break down the rule we can see what it’s doing and it’s a little confusing as it uses double negatives! When the Value = True in the claims deny (last line in the rule) and the expression is set to NOT exist it allows that expression through!

So looking at our rule we are allowing ‘x-ms-forwarded-client-ip’ with a value IP address of 1.2.3.4 which is the public IP address from our internet facing TMG (so the NAT’d IP from internal to external).

We are not allowing ‘x-ms-proxy’ or ‘x-ms-endpoint-absolute-path’ the absolute path is what’s blocking the browser access. So when we try to access OWA for example from a none managed device (e.g. not tunneled through the corporate network using the internet proxy servers and appearing to come from 1.2.3.4) but instead coming from another IP, such as home broadband, we get access denied as below.

Access Denied

There was a problem accessing the site. Try to browse to the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

You are not authorized to access this site. Contact your administrator for more information.

Reference number: 11111111-1111-1111-1111-111111111111

You can then lock down POP and IMAP using the following link if required

Oh and dont forget we now have the Client Access Policy Builder to automate the creation of these rules for the most common scenarios as listed in the TechNet article above.

Written by Daniel Kenyon-Smith

Please find a list of migration issues and resolutions that I captured during my last customers migration:-

Flood mitigation on Threat Management Gateway (TMG) - http://community.office365.com/en-us/w/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

Issue	Resolution
The operation couldn't be performed because object couldn't be found on 'xxx.prod.outlook.com'	The object has not been replicated to Office 365, check Dirsync error logs, dirsync email errors. Ensure these errors have all been resolved before the users are added to migration list and ensure the object has been sync’d to O365
A large item was encountered: Item (IPM.Note) Subject:"4600562666", Size: 42.07 MB (44,113,161 bytes), Folder:"Inbox A large item was encountered: Item (IPM.Note) Subject:"Here's My Card", Size: 42.43 MB (44,493,004 bytes), Folder:"Inbox" A large item was encountered: Item (IPM.Note) Subject:"", Size: 48.49 MB (50,848,177 bytes), Folder:"PRIVATE EMAILS"	PFDAV ExMerge - http://support.microsoft.com/kb/328202 Search-Mailbox – Needs to be a 2010 mailbox http://technet.microsoft.com/en-us/library/dd298173.aspx To be able to use the -DeleteContent Parameter you need to have "Mailbox Import Export" permissions. Without these permissions, the parameter -DeleteContent is not available for the Search-Mailbox Command. Instructions: 1. Create a new Security Group 2. Enter the following command in Exchange Management Shell (replace the Security Group name accordingly): New-ManagementRoleAssignment -Name "Import Export Support" -SecurityGroup ImportExport -Role "Mailbox Import Export" *See below for the command to skip large items
Domain xxx.co.uk is not an accepted domain for your organization	Remove all SMTP addresses from mailboxes that are not registered in O365 (or register the domain names)
Target user already has a primary mailbox. Mailbox already migrated	User has already been migrated, ensue no users are duplicated
The target mail user doesn't have an SMTP address that matches the target delivery domain 'Service.company.com'	Add the target domain SMTP (Service.company.com) to all mailboxes before migration (and ensure they have been sync’d to O365)
Warning: Failed to clean up the source mailbox after the move. Error details: MapiExceptionNotFound: Unable to delete mailbox. (hr=0x8004010f, ec=-2147221233)	The issue occurs when migrated accounts cannot clear homemdb, homemta, msexchhomeservername and msexchguid attributes from the source server and set the TargetAddress on the source side which it is supposed to do after mailbox move completes (flipping of the attributes starts after 95% completion of the move). A script can be created or apply this hotfix - http://support.microsoft.com/kb/940012 Pretty much the same issue as large item count http://support.microsoft.com/kb/2584294
Error: This mailbox exceeded the maximum number of large items that were specified for this request. --> MapiExceptionMaxSubmissionExceeded: IExchangeFastTransferEx.TransferBuffer failed (hr=0x80004005, ec=1242)	Pretty much the same issue as large item count http://support.microsoft

*new-MoveRequest -identity $_.UserPrincipalName -Remote -RemoteHostName 'mail.company.com' -RemoteCredential $cred -TargetDeliveryDomain 'service.company.com' -BadItemLimit 50 -LargeItemLimit 40

If you receive the following error when trying to migrate to O365, the you will need to check that your EWS endpoints are published correctly.

The call to 'https://mail.company.com/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out while waiting for a reply after 00:00:00.Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been aportion of a longer timeout. --> The HTTP request to https://mail.company.com/EWS/mrsproxy.svc' has exceeded the allotted timeout
of 00:00:00.0010000. The time allotted to this operation may have been a portion of a longer timeout.--> The operation has timed out

Without stating the obvious, there is a timeout issue! I have seen before if you haven’t published EWS correctly to the internet. Ensure when you connect to https://mail.company.com/EWS/mrsproxy.svc that you get prompted for authentication from the exchange server and there is no pre-authentication at TMG/UAG for example. Once EWS is published to the internet correctly you should be able to start migrations to O365!

Written by Daniel Kenyon-Smith

AD FS Publishing and Policy Rules

Office 365 Migration Issues