
Cloud Connect Explained | An Introductory Guide

Cloud Connect uses the latest in fibre hardware technology to create a physical link between your network and the cloud. Almost every organisation is now either using the cloud, or somewhere along the path towards adopting it.

The Cloud refers to Internet based computing. This is a model in which on-demand, low cost, shared computing resources can be used for a variety of tasks. Organisations use cloud computing for a number of reasons such as compute, backups, security or to host shared documents and resources.

If, like many organisations, you are also using the cloud, then it’s important to know about the connectivity infrastructure that supports the cloud. While most data will travel across the public Internet, Cloud Connect is a dedicated connection between your network and your cloud services. A dedicated connection means your data bypasses the public infrastructure, and therefore benefits from consistent performance and improved security.

Cloud Connect allows you to connect to any one of the many cloud service providers, including AWS (Amazon Web Services), Microsoft Azure, or Office 365. Additionally you can attain cost savings by using the same connection for multiple services. Efficiencies can also be gained through mitigation of outages through a fault resistant architecture, which allows an uptime of up to 99.999%.


Find out more about Cloud Connectivity Providers



Learn how to connect your private network to your cloud




Cloud Connect Benefits


Security

Secure network access is an essential component of cloud computing. Your data may be at risk if it travels over the public Internet network. However, with Cloud Connect, security is guaranteed as it’s a private dedicated connection, meaning that it’s for your data and your data only.


Resilience

If your organisation is reliant on cloud, then it’s no use if your connectivity infrastructure allows you to access it only some of the time. Furthermore, incidents such as a contractor cutting through your fibre could cut off your connectivity for weeks. Thankfully, with Cloud Connect these scenarios are mitigated by resilient failover options. This enables your business to stay online around the clock with up to 99.999% uptime as guaranteed by proactively monitored Service Level Agreements.


Performance

A dedicated and direct private connection that is not shared by anyone else enables consistent, high-level performance. This results in a quality end-user experience on top of a fast, efficient, and reliable service. Additionally, unlike shared connections, your route to cloud is unaffected by contention and demand at peak times.

Cloud Connect Features


Dedicated Bandwidth

The connection is not shared and is dedicated end-to-end.

Predictable Latency

The latency is low and predictable, far better than an Internet VPN.

Range of Bandwidth

A range of bandwidth capacities, from 10Mbps to 10Gbps.

Totally scalable

Scale up or down in bandwidth to suit capacity needs.

Fully redundant

Redundant connections throughout by design.

Reduced Costs

Reduced or no cost of data transfer on Ingress or Egress.


How do you get one?

Serviceteam IT have enterprise solutions for organisations of any size. We offer scalability and flexibility that would otherwise be unavailable from legacy services, and deliver dedicated, secure, uncontended fibre connections for all your voice and data traffic. What Serviceteam IT offer is:

  • Extensibility – Our infrastructure can grow, adapt and scale to your business
  • Continuity – Network designed with contingency options for business continuity
  • Cost Savings – Do away with expensive hardware, switching, and set-up costs
  • Fully managed – Eliminate admin and billing headaches
  • Proactively monitored SLA – with up to 99.999% uptime
  • Maintenance – Hardware maintenance included in standard service
  • 24/7 Support – From a dedicated fault management team


With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Cyber Security: Office 365 as 802.1X RADIUS Password Authentication

Security is paramount for any business, especially given the rise in cyber attacks, data thefts and major network breaches. I won’t list the major names, as that’s been done, but you can read the Cyber Security Breaches Survey 2016. Much of that research was aimed at larger organisations, even though it’s far easier for enterprise-level companies to secure their resources. But what about the rest of us, Startups, Micro-Businesses and Small to Medium sized organisations?


Beat Office 365 Price Increases | 5% Off

If you purchase new, or renew existing Office 365 licences, you can avoid Office 365 price increases. We will offer at least a 5% reduction on the current 2017 prices for 12 months. This offer includes Exchange Online, SharePoint Online, Skype for Business and the entire suite of Office 365.

If you purchase new, or renew existing, Office 365 licences:

SAVE AT LEAST 5%

This includes Exchange Online, SharePoint Online, Skype for Business, OneDrive for Business and the entire suite of Office 365 pricing.

Office 365 price increases 22%

I’m sorry to be the bearer of bad news, but Microsoft have yesterday announced a 22% price increase for their cloud services, including the Office 365 price, from 1st January 2017. If you are considering an Office 365 subscription, I highly recommend you complete your purchase for a 12 month commitment before 31st December 2016 in order to avoid Office 365 & Exchange Online price increases.

It’s obviously an inevitability of Brexit, and thankfully, we were proactive and forward thinking on behalf of our customers and protected their Office 365 price. We took the decision to add or renew all of our customer users with 12 month terms at the end of Q3 2016. We enable almost 5000 users, communicating across 4 continents and 15 time zones, who expect the best possible service with the least possible disruption.

 The bulletin we have received from Microsoft in full:

Office 365 Price: Important changes for customers buying enterprise software and cloud services in British pound.

We wanted to give you advance notification of some important changes to pricing coming in January 2017.

Effective January 1, 2017, we will be increasing British pound pricing to harmonise prices for enterprise software and cloud services within the EU/EFTA region. We periodically assess the impact of local pricing of our products and services to ensure there is reasonable alignment across the region and this change is an outcome of this assessment.  These changes are similar to the recent harmonisation adjustments to pricing in Norwegian krone and Swiss franc we made in April 2016.

From January, British pound prices for on-premises enterprise software will increase by 13% to realign close to euro levels.  Most enterprise cloud prices in British pounds will increase by 22% to realign close to euro levels.  Even after this adjustment, customers across the region buying in British pound will still find our cloud offerings highly competitive. For indirect sales where Microsoft products are sold through resellers, final prices and currency of sale will continue to be determined by them. In the EU/EFTA region, partners will continue to have access to prevailing prices in euro, Norwegian krone, Swiss franc, Swedish krona, and Danish krone, along with revised prices in British pounds.

For business customers, these changes will not affect existing orders under annuity volume licensing agreements for products that are subject to price protection. For example, customers with Enterprise Agreements have price protection on previously ordered enterprise software and cloud services, and will not experience a price change during the term of their agreement. Similarly, business customers with cloud commitment subscriptions such as Office 365 also receive price protection during their subscription term, which is normally twelve months from the start of paid subscription.

Prices for new product additions under existing volume licensing agreements and purchases under new contracts will be as defined by the price list at the time of order.  This pricing change will not apply to consumer software or consumer cloud services.

If you have any questions or would like to speak to someone regarding protecting your Office 365 Price please get in touch.


Restrict Access to Office 365 Exchange Online | HowTo | 2 of 2

Part One | Part Two

In Part One we learnt:

  1. Install and update Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

  2. Set-up AD FS for Office 365 for Single Sign-On.

    To continue . . .

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Use the following procedure to add a set of claim rules that make the new claim types available to the policy engine. In this step, you will have to add five acceptance transform rules for each of the new request context claim types using the following procedure.  On the Active Directory claims provider trust, create a new acceptance transform rule to pass through each of the new request context claim types.

    a. Select Start, go to Programs, then to Administrative Tools. Click on AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule; in Incoming Claim Type, paste the Issued Claim Type URL, and then select Pass through all claim values. Complete this step for all five Issued Claim Type URLs below:

    Rule Name                    Issued Claim Type URL
    EQ-Forwarded-client-ip       http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip
    EQ-client-application        http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application
    EQ-client-user-agent         http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent
    EQ-Proxy                     http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
    EQ-endpoint-absolute-path    http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path


    f. To verify the first rule, EQ-Forwarded-client-ip, select it in the list and click Edit Rule, then click View Rule Language. The claim rule language should appear as follows:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip"] => issue(claim = c);

    g. Click Finish and in the Edit Claim Rules dialog box, click OK to save the rules.

  4. Create a rule to block all external IP address access to Office 365 & Exchange Online

    If you want to simply block access to Office 365 & Exchange Online from the public Internet you need to carry out the following:

    a. Click Start, point to Programs, point to Administrative Tools, and then click AD FS 2.0 Management.

    b. In the console tree, under AD FS 2.0\Trust Relationships, click Claims Provider Trusts, right-click Active Directory, and then click Edit Claim Rules.

    c. In the Edit Claim Rules dialog box, select the Acceptance Transform Rules tab, and then click Add Rule to start the Rule wizard.

    d. On the Select Rule Template page, under Claim Rule Template, select Pass Through or Filter an Incoming Claim from the list, and then click Next.

    e. On the Configure Rule page, under Claim Rule Name, type the display name for this rule, such as Block Office 365 Exchange Online from the Internet. Under Custom Rule, paste the following claim rule language syntax:

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value=~"customer-provided public ip address regex"]) => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

    For the value of customer-provided public ip address regex, see Building the IP address range expression.

  5. Update the Microsoft Office 365 Identity Platform relying party trust

    This step allows you to configure what type of clients to block. Below there is a custom block scenario. Block all external access to Office 365, except Exchange ActiveSync and browser-based applications such as Outlook Web Access or SharePoint Online.

    exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]) &&

    The ‘Type’ x-ms-proxy exists. This means that the claim came through an ADFS Proxy (or other compatible proxy such as Azure).

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.Autodiscover"]) &&

    ClientApplication is RPC or WebServices. The ‘or’ syntax (using the ‘|’ character) can be used to check the value field. The value of this is Microsoft.Exchange.Autodiscover.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"]) &&

    ClientApplication is RPC or WebServices. The ‘or’ syntax (using the ‘|’ character) can be used to check the value field. The value of this is Microsoft.Exchange.ActiveSync.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"]) &&

    The type x-ms-endpoint-absolute-path exists and has a value of /adfs/ls/ for the ls policy. This is the name of the endpoint for _Active_ ADFS Claim.

    NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "\b192\.168\.1\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b|\b255\.255\.255\.255\b"])

    The value for the type x-ms-forwarded-client-ip has a value that DOES NOT MATCH the regular expression above. The only allowed range is 192.168.1.0 to 192.168.1.255 plus a single address 255.255.255.255.

    i. What is the source of “x-ms-forwarded-client-ip” and what are the values we should expect to see?
    ii. What is the format of the expression? See Building the IP address range expression.

    => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
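
The step 5 rule and its IP expression, evaluated over constructed claim sets, as an added example that is not part of the original article. Python's re module stands in for the .NET regular expressions AD FS uses (the constructs involved behave the same); the sample addresses, the proxy name, the usernamemixed endpoint path and TIGHT_IP_REGEX are assumptions. It shows that the expression as written matches last octets 1 to 259, so a request from 192.168.1.0 is denied.

```python
import re

NS = "http://schemas.microsoft.com/2012/01/requestcontext/claims/"

# Expression copied from the step 5 rule on this page.
PAGE_IP_REGEX = (r"\b192\.168\.1\.([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-5][0-9])\b"
                 r"|\b255\.255\.255\.255\b")
# Constructed alternative (assumption, not from the page): last octet 0-255 only.
TIGHT_IP_REGEX = (r"\b192\.168\.1\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"
                  r"|\b255\.255\.255\.255\b")


def exists(claims, name, equals=None, matches=None):
    """Emulate exists([Type == ..., Value == ...]) and Value =~ (partial match)."""
    for ctype, value in claims:
        if ctype != NS + name:
            continue
        if equals is not None and value != equals:
            continue
        if matches is not None and re.search(matches, value) is None:
            continue
        return True
    return False


def denied(claims, ip_regex=PAGE_IP_REGEX):
    """True when the step 5 rule would issue the deny claim for this request."""
    app = "x-ms-client-application"
    return (exists(claims, "x-ms-proxy")
            and not exists(claims, app, equals="Microsoft.Exchange.Autodiscover")
            and not exists(claims, app, equals="Microsoft.Exchange.ActiveSync")
            and not exists(claims, "x-ms-endpoint-absolute-path", equals="/adfs/ls/")
            and not exists(claims, "x-ms-forwarded-client-ip", matches=ip_regex))


def matched_last_octets(ip_regex):
    """Values n in 0..299 for which 192.168.1.n satisfies the expression."""
    return [n for n in range(300) if re.search(ip_regex, f"192.168.1.{n}")]


def request(ip, proxy=True, app=None, path="/adfs/services/trust/2005/usernamemixed"):
    """Build a constructed claim set (list of (type, value) pairs) for one request."""
    claims = [(NS + "x-ms-forwarded-client-ip", ip),
              (NS + "x-ms-endpoint-absolute-path", path)]
    if proxy:
        claims.append((NS + "x-ms-proxy", "proxy01"))  # hypothetical proxy name
    if app:
        claims.append((NS + "x-ms-client-application", app))
    return claims


# Constructed sample requests; 203.0.113.10 is a documentation address.
SAMPLES = {
    "Outlook, external": request("203.0.113.10", app="Microsoft.Exchange.RPC"),
    "ActiveSync, external": request("203.0.113.10", app="Microsoft.Exchange.ActiveSync"),
    "Browser, external": request("203.0.113.10", path="/adfs/ls/"),
    "Outlook, allowed range": request("192.168.1.20", app="Microsoft.Exchange.RPC"),
    "Outlook, no proxy": request("192.168.1.20", proxy=False, app="Microsoft.Exchange.RPC"),
    "Outlook, 192.168.1.0": request("192.168.1.0", app="Microsoft.Exchange.RPC"),
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(f"{label:24} deny={denied(claims)}")
    octets = matched_last_octets(PAGE_IP_REGEX)
    print("page expression matches last octets", octets[0], "to", octets[-1])
```
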



Restrict Access to Office 365 Exchange Online: Limiting by Network, IP, Client, Group or Policy | HowTo | 1 of 2

Active Directory Federation Services (AD FS) 2.0 provides a way to configure access restriction policies. Office 365 & Exchange Online customers using Single Sign-On (SSO) who require these policies can now use Client Access Policy rules to restrict access based on the location of the computer or device that is making the request, and to prevent access from the Internet.

Part One | Part Two

Restricting access to email and communications services in the cloud from the Internet, in Office 365 & Exchange Online, may at first seem a little counter intuitive, however, it is very sensible. Data loss is minimised. Time and working hours restrictions are adhered to. Personal devices and the compromised security they pose are removed. Compliance and regulatory restrictions, for example for finance or health care sectors, are met. Fundamentally, it ensures the control an organisation requires, whilst meeting the needs of flexibility and reduced costs, that the cloud offers.

Perhaps you want to ensure Outlook users can only use corporate laptops to connect as long as they establish a VPN tunnel to the corporate network? Outlook Web App (OWA) can be used from any machine without restrictions within the corporate network or from a named IP or IP address range? ActiveSync can be used from any device, as long as the device or user has been approved by an administrator, and that device is secured according to the policy regarding passcode length, installed OS etc? Restrict or block access based upon Group Policy membership?

The simple scenario options are:

Scenario: Block all external access to Office 365 & Exchange Online
Description: Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.

Scenario: Block all external access to Office 365, except Exchange ActiveSync
Description: Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.

Scenario: Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online
Description: Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online.

Scenario: Block all external access to Office 365 for members of designated Active Directory groups
Description: This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory groups. It can also be used to provide external access only to members of a group.

If you are a little overwhelmed by PowerShell and expressions there is a useful GUI for PowerShell which builds the expressions for the most common scenarios:

Office 365 & Exchange Online Client Access Policy Builder

In order to enable an external access policy for Office 365 & Exchange Online the following steps are required:

  1. Ensure you have a Windows Server with Active Directory Federation Services version 2.0 (AD FS 2.0) with update Rollup 2, KB2681584.

    After the Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 package has been installed on all federation servers and federation server proxies, restart the AD FS Windows service.

  2. Follow the video guide here to Set-up AD FS for Office 365 for Single Sign-On.

    a. If you do not have Active Directory Federation Services installed, add ADFS by using the Add Roles and Features Wizard. If you are using Windows Server 2008, you need to download and install ADFS 2.0: Active Directory Federation Services 2.0 RTW. After the installation, use Windows Update to install all applicable updates and reboot as required.

    b. Request a certificate from a third-party CA for the Federation server name as Office 365 needs a trusted certificate on your ADFS server. You need to obtain a certificate from a third-party certification authority (CA). When you customise the certificate request, ensure you add your Federation Server name in to the Common Name field.

    The video only explains how to generate a certificate signing request (CSR). You need to send the CSR file to a third-party CA. Once the CA has returned a signed certificate, follow these steps to import the certificate to your certificate store:

    i. Run Certlm.msc to open the local computer’s certificate store.
    ii. In the navigation pane, expand Personal, expand Certificate, right-click the Certificate folder, and then click Import.

    The Federation Service name is the Internet-facing domain name of your ADFS server. Your Office 365 users will be directed to this domain for authentication, therefore, make sure that you add a public A record for the domain name in your DNS.

    c. To configure ADFS you cannot manually type a name as the Federation Server name. The name is determined by the subject name (Common name) of a certificate in the local computer’s certificate store.

    In ADFS 2.0, the Federation server name is determined by the certificate that binds to “Default Web Site” in Internet Information Services (IIS). You must bind the new certificate to the Default website before you configure ADFS.

    You can use any account as the service account. If the service account password expires, ADFS will stop working. Therefore, make sure that the password of the account is set to never expire.

    d. Download the Office 365 tools, including Windows Azure Active Directory Module for Windows PowerShell and Azure Active Directory sync appliance. They are available in the Office 365 portal. Go to Active Users, and then click Single sign-on: Set up.

    e. Now you need to add your domain to Office 365, as the first video does not explain how to add and verify your domain to Office 365. For more information about that procedure, see the video below:

    f. You can now connect ADFS to Office 365 by running the following commands in Windows Azure Active Directory Module for Windows PowerShell. In the Set-MsolADFSContext command, specify the FQDN (Fully Qualified Domain Name) of the ADFS server in your internal domain instead of the Federation server name. In the example below I have used adfs.serviceteamit.co.uk.

    Enable-PSRemoting                                                    # enable PowerShell remoting
    Connect-MsolService                                                  # sign in to Office 365 as an administrator
    Set-MsolADFSContext -Computer <the FQDN of the ADFS server>          # internal FQDN, not the Federation server name
    Convert-MsolDomainToFederated -DomainName adfs.serviceteamit.co.uk   # convert the domain to federated sign-in

    If the command ran successfully, you should see the following: A “Microsoft Office 365 Identity Platform” Relying Party Trust is added to your ADFS server.

    g. Once the ADFS domain is added you need to synchronise the local Active Directory user accounts to Office 365. If your internal domain or suffix is different from the external domain, you have to add the external domain as an alternative UPN in the local Active Directory. For example, the internal domain name is “serviceteamit.local” but the external domain name is “serviceteamit.co.uk.” So, serviceteamit.co.uk needs to be added as an alternative UPN suffix. Now you can synchronise the local user accounts to Office 365 by using the Directory Sync Tool.

    If you are using ADFS 2.0, you must change the UPN of the user account from “serviceteamit.local” to “serviceteamit.co.uk” before you synchronise the accounts to Office 365. If not, the user will not be validated on the ADFS server.

    h. Finally, you can now configure the client computer for Single Sign-On. After you add the Federation server name to the local Intranet zone in Internet Explorer, NTLM authentication is used when users try to authenticate on the ADFS server. Therefore, they are not prompted to enter their credentials.

    Administrators can implement Group Policy settings to configure a Single Sign-On solution on client computers that are joined to the domain.

    If you wish to enable additional services, such as Secure ID or Oracle Identity use the AD FS 2.0 Step-by-Step and How To Guides.

  3. Add five claim rules to the Active Directory Claims Provider trust.

    Continue to Part Two in order to add the rules.
