10.2 Connector Requirements

The connector for Office 365 supports account provisioning for users only in Active Directory, eDirectory, and JDBC identity sources. For more information, see Section 2.4.1, Requirements for Provisioning.

Complete the following steps before you install the connector for Office 365:

  • Identify an existing Office 365 administrative account to use, or create a new administrative account. This administrative user must not belong to the Office 365 domain that CloudAccess will manage.

  • Microsoft does not support subdomains having different federated settings than their parent. To use a subdomain for Office 365, ensure that either you do not use Office 365 with the parent domain, or that both the parent domain and its subdomain have the identical federation settings.

  • Identify the verified Office 365 domain for which CloudAccess will manage authentication.

  • Identify a Windows Management Server on which to install the connector. The Windows Management Server that you use for the connector for Office 365 should be a dedicated server that is not used for other web applications. However, the connector does not need to be installed on a domain controller or even need to be part of the domain where the CloudAccess appliance is installed. The Windows server can be a standalone server, as long as it meets the following requirements:

    • Windows Server 2012 R2 or Windows Server 2008 R2 operating system with all available updates installed.

    • Microsoft IIS. Install the IIS component that comes with the Windows Server operating system on your Windows Management Server. Install the Web Server (IIS) role and verify that the Application Development ASP and .Net features are installed. Enable HTTPS on IIS. The connector uses HTTPS between the CloudAccess appliance and the Office 365 web application in IIS.

    • Microsoft .NET Framework 4.x. You can download .NET from the .NET downloads web page.

    • Microsoft Online Services Sign-In Assistant 7.x. You can download the Microsoft Online Services Sign-In Assistant software from the following location: Microsoft Online Services Sign-In Assistant for IT Professionals BETA. Select the msoidcli_64.msi file.

    • Windows Azure AD Module for Windows Powershell. You can download the module from the following location: Manage Windows Azure AD using Windows PowerShell.

    • Port 443 must be open. This port is used for inbound provisioning information from CloudAccess, and outbound for Office 365 configuration and provisioning.

  • (Conditional) If you do install the connector for Office 365 on a domain-joined server, you must be logged in as a domain administrator rather than a local machine administrator when running the installer.

  • The Microsoft Lync support is available only if you configure the connector with WS-Federation.

  • (Conditional) If you plan to use the Enhanced Client Profile (ECP), also called HTTP proxy authentication, in Microsoft Outlook, or if you plan to use Microsoft Lync, ensure that you configure CloudAccess with the following:

    • A publicly resolvable, publicly accessible IP address. You can use port forwarding to protect your appliance behind your corporate firewall.

      When the user logs in to the Office 365 online portal, the browser handles all of the redirects and name resolution, so you can manually edit entries in the device’s ../etc/hosts files to work around name resolution. However, with ECP and Lync, Office 365 actually sends an authentication request directly to CloudAccess, so its IP address must be publicly accessible.

    • An SSL certificate signed by a trusted certificate authority (CA) such as Verisign, Thawte, Symantec, Digicert, and so on. The certificate common name must match the appliance hostname.

    NOTE:CloudAccess also supports ECP for Microsoft Exchange email on mobile devices running Android or iOS. Users must add an Exchange account on their device and enter their Exchange credentials. For more information, see the following Microsoft web pages:

    If you use WS-Federation for the connector for Office 365, CloudAccess also supports ECP for Microsoft Lync. Users must add a Lync account on their mobile device and enter their Lync credentials. For more information, see the following Microsoft web pages:

  • Verify that you have the minimum attributes populated in the identity source.

    For more information, see Configuring LDAP and JDBC Identity Sources in the CloudAccess Installation and Configuration Guide.