“Managing Office 365 Endpoints” page


Handling Internet Routed Traffic
[Diagram: three paths out of the customer LAN/WAN: via a proxy to the public Internet; direct (NAT/PAT) to the public Internet; via ExpressRoute to the Microsoft Global Network.]
http://aka.ms/tune
• This example sends ExpressRoute (ER) traffic direct and non-ER-routable traffic to a proxy
• Downloadable from the “Managing Office 365 Endpoints” page
// PAC entry point; the deck shows only the body of this function
function FindProxyForURL(url, host) {
    //EXPRESS ROUTE DIRECT
    if (
    dnsDomainIs(host, "lync.com")||
    dnsDomainIs(host, "microsoftonline.com")||
    dnsDomainIs(host, "officeapps.live.com")||
    dnsDomainIs(host, "outlook.office.com")||
    dnsDomainIs(host, "protection.outlook.com")||
    dnsDomainIs(host, "sharepoint.com")||
    dnsDomainIs(host, "adminwebservice.microsoftonline.com")||
    dnsDomainIs(host, "agent.office.net")||
    dnsDomainIs(host, "clientconfig.microsoftonline-p.net")||
    dnsDomainIs(host, "domains.live.com")||
    dnsDomainIs(host, "hip.microsoftonline-p.net")||
    dnsDomainIs(host, "home.office.com")||
    dnsDomainIs(host, "login.microsoftonline.com")||
    dnsDomainIs(host, "login.windows.net")||
    dnsDomainIs(host, "outlook.office365.com")||
    dnsDomainIs(host, "portal.office.com")||
    dnsDomainIs(host, "provisioningapi.microsoftonline.com")||
    dnsDomainIs(host, "smtp.office365.com")||
    dnsDomainIs(host, "www.office.com"))
    {return "DIRECT";}
    //All other traffic to proxy
    else {return "PROXY 10.10.10.10:8080";}
}
ExpressRoute Design Options
[Diagram: routing override at the edge router. Customer Site A and Site B sit on the internal corporate network; a border Internet router (NAT/PAT) carries Internet traffic to the public Internet; the edge router carries ExpressRoute traffic to the Microsoft Global Network, with BGP route propagation from ExpressRoute to the edge router.]
[Diagram: the same design across two regions. Customer North America site: border Internet router/NAT-PAT, NAT/PAT Pool 1, NA edge router, Chicago ExpressRoute to the Microsoft Global Network (Chicago IX). Customer EMEA site: border Internet router/NAT-PAT, NAT/PAT Pool 2, EMEA edge router, London ExpressRoute to the Microsoft Global Network (London IX). Legend: North America corporate network, EMEA corporate network, BGP route propagation, Internet traffic.]
• Client sends connection to the actual Office 365 IP/port
• No need to handle Microsoft BGP routes internally
• Internal routing tables stay small
• Routing override is handled on the edge router via its knowledge of the ExpressRoute BGP information
• Internet traffic is sent via a separate Internet egress
• Lower level of internal implementation requirements
• Have to be able to route public IPs to the edge router
• All traffic can be sent direct; no need for client proxy configuration for Office 365 traffic
• Use BGP routes, not the URL & IP page, for route management
[Diagram: routing via a dedicated Office 365 ExpressRoute proxy. Customer Site A and Site B sit on the internal corporate network behind an internal router; an Internet proxy sends Internet traffic to the public Internet; an Office 365 ExpressRoute proxy sends Office 365 traffic through the edge router over ExpressRoute to the Microsoft Global Network, with BGP route propagation from ExpressRoute to the edge router.]
[Diagram: the same design across two regions. Customer USA site: NAM Internet proxy to the public Internet; NAM Office 365 ExpressRoute proxy via the edge router to ExpressRoute Chicago and the Microsoft Global Network. Customer EMEA site: EMEA Internet proxy to the public Internet; EMEA Office 365 ExpressRoute proxy via the edge router to ExpressRoute London and the Microsoft Global Network. Legend: BGP route propagation, internal corporate network, Internet traffic.]
// PAC entry point; the deck shows only the body of this function
function FindProxyForURL(url, host) {
    //EXPRESS ROUTE PROXY TRAFFIC
    if (
    dnsDomainIs(host, "lync.com")||
    dnsDomainIs(host, "microsoftonline.com")||
    dnsDomainIs(host, "officeapps.live.com")||
    dnsDomainIs(host, "outlook.office.com")||
    dnsDomainIs(host, "protection.outlook.com")||
    dnsDomainIs(host, "sharepoint.com")||
    dnsDomainIs(host, "adminwebservice.microsoftonline.com")||
    dnsDomainIs(host, "agent.office.net")||
    dnsDomainIs(host, "clientconfig.microsoftonline-p.net")||
    dnsDomainIs(host, "domains.live.com")||
    dnsDomainIs(host, "hip.microsoftonline-p.net")||
    dnsDomainIs(host, "home.office.com")||
    dnsDomainIs(host, "login.microsoftonline.com")||
    dnsDomainIs(host, "login.windows.net")||
    dnsDomainIs(host, "outlook.office365.com")||
    dnsDomainIs(host, "portal.office.com")||
    dnsDomainIs(host, "provisioningapi.microsoftonline.com")||
    dnsDomainIs(host, "smtp.office365.com")||
    dnsDomainIs(host, "www.office.com"))
    {return "PROXY 10.10.10.1:80";}
    //All other traffic to internet proxy
    else {return "PROXY 10.10.10.2:8080";}
}
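Added example, not part of the deck or its downloadable PAC file, covering both PAC variants above: it reproduces dnsDomainIs() as the Mozilla and Chromium PAC runtimes implement it (a plain suffix match), runs four of the deck's domains through the rule as written, and contrasts a stricter matcher. Because the suffix match also accepts a host such as the constructed "mysharepoint.com", the rule as written returns DIRECT for it and that traffic bypasses the proxy; ER_DOMAINS, findProxyAsWritten, findProxyStrict and the sample hosts are names and values chosen here.

```javascript
// dnsDomainIs() as the Mozilla and Chromium PAC runtimes define it:
// true when the host ends with the domain string (no label boundary check).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Four of the deck's ExpressRoute domains (abbreviated list, chosen here).
const ER_DOMAINS = ["sharepoint.com", "outlook.office.com",
                    "login.microsoftonline.com", "lync.com"];
const DEFAULT_PROXY = "PROXY 10.10.10.10:8080";  // return string from the deck

// The deck's rule as written: a bare suffix match per domain.
function findProxyAsWritten(host) {
  for (const d of ER_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  return DEFAULT_PROXY;
}

// Stricter matcher: the host must be the domain itself or a subdomain of it
// ("." + domain as the suffix), so a lookalike registration stays on the proxy.
function isDomainOrSubdomain(host, domain) {
  return host === domain || dnsDomainIs(host, "." + domain);
}
function findProxyStrict(host) {
  const h = host.toLowerCase();
  for (const d of ER_DOMAINS) {
    if (isDomainOrSubdomain(h, d)) return "DIRECT";
  }
  return DEFAULT_PROXY;
}

// Evaluate both matchers over a host list; returns one record per host.
function compare(hosts) {
  return hosts.map(h => ({
    host: h, asWritten: findProxyAsWritten(h), strict: findProxyStrict(h)
  }));
}

// Constructed sample hosts: a real subdomain, the apex, a lookalike, an unrelated host.
const SAMPLE_HOSTS = ["contoso.sharepoint.com", "sharepoint.com",
                      "mysharepoint.com", "www.example.com"];
for (const r of compare(SAMPLE_HOSTS)) {
  const flag = r.asWritten === r.strict ? "" : "  <-- matchers differ";
  console.log(`${r.host.padEnd(24)} ${r.asWritten.padEnd(24)} ${r.strict}${flag}`);
}
```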
[Diagram: routing with eBGP and iBGP. Customer Site A and Site B; border Internet router/NAT-PAT to the public Internet; edge router over ExpressRoute to the Microsoft Global Network; eBGP route propagation from ExpressRoute to the edge router, iBGP route propagation from the edge router into the internal network. Legend: eBGP route propagation, iBGP route propagation, Internet traffic.]
[Diagram: the same design across two regions. Customer NAM site: border Internet router/NAT-PAT Pool 1 to the public Internet; NAT/PAT Pool 4 and edge router to Chicago ExpressRoute and the Microsoft Global Network; NAM iBGP route propagation. Customer EMEA site: border Internet router/NAT-PAT Pool 2 to the public Internet; NAT/PAT Pool 3 and edge router to London ExpressRoute and the Microsoft Global Network; EMEA iBGP route propagation. Legend: eBGP route propagation, NAM iBGP route propagation, EMEA iBGP route propagation, Internet traffic.]
• Exchange Server hybrid deployments
• SharePoint federated hybrid search
• SharePoint hybrid BCS
• Skype for Business hybrid
• Skype for Business federation
• Skype for Business Cloud Connector
[Diagram: Outlook client and tenant both in the North America datacenters (Portal, EXO CAS, EXO MBX).
1. The client asks the local DNS servers (client's DNS).
2. The client's DNS asks the Microsoft DNS server.
3. Microsoft's DNS servers return the IP addresses of the regional datacenter.
4. The user accesses the regional datacenter.
5. Exchange Online accesses the datacenter where the tenant resides and proxies the requests.
If the Outlook client is in the same region as the tenant, then we connect direct to it.]
The DNS call returns an IP address of a datacenter local to the user's location. Outlook connects to that, and the data is backhauled over the fibre network between the tenant location and the local datacenter. The result is a much faster connection for the client, and data stays in the tenant location.
[Diagram: the same flow for a user served from the EU datacenters (Portal, EXO CAS) with the tenant in the North America datacenters (EXO MBX). Steps 1 to 3 as above: the client asks the local DNS servers, the client's DNS asks the Microsoft DNS server, and Microsoft's DNS servers return the IP addresses of the regional datacenter. 4. The user accesses the regional (EU) datacenter. 5. Exchange Online accesses the North America datacenter where the tenant resides and proxies the requests.]
Exchange Online uses GEO DNS
• You get a different IP address from the DNS depending on where in the world you request it
• Impacts a multi-country corporate network with multiple Internet connection points
• Commonly DNS is only requested at one point and cached
• You can get DNS from another part of the globe to where you have Internet connectivity
[Diagram legend: Internet egress point, Microsoft datacenter, customer network, DNS call, data transfer.]
MICROSOFT CONFIDENTIAL—NDA ONLY