Office 365 Student Advantage end-to-end guide


One of the (many) additions to our IT provision we’ve made over the summer was to enable Office 365 accounts for all our students, having finished migrating all staff over at the end of July.

One of the key drivers was so that they could access the Student Advantage component of the offering i.e. Office 365 ProPlus.

I was going to write a longer, more detailed post but realised James B Marshall has done most of the hard work, although the links can be a bit scattered so thought I’d bring it all together here, along with a couple of real-life screenshots from our activation process.

The first three links you want are James’ guides, read these first to get an overview of the process:

How do I get Student Advantage in Office 365 Education – part 1
How do I get Student Advantage in Office 365 Education – part 2
How do I get Student Advantage in Office 365 Education – part 3
Student Advantage Deployment Guide

Disclaimer: as you can guess I don’t work for Microsoft and anything written below is based on my experiences only.
If in doubt contact your software license reseller or your Microsoft account manager!

Your EES agreement

A key requirement of getting your Office 365 licenses is to have a valid agreement covering all your staff. If you’re new to EES also make sure your reseller uses the Eduserv agreement to get the best pricing.

You need to ask your reseller for the Office 365 licenses to be added to your agreement; both for the free plan A2 (now known as E1) for Faculty \ Students as well as the (additional) Student Advantage licenses.

When renewing \ setting up your agreement make sure you fill in your primary contact details carefully. The activation email for your Office 365 accounts will go to the primary account contact unless you specify a separate licensing contact on the form.

You might need to do this if your agreement is ordered by someone outside of IT and they get put down as the primary contact. This is important as it can be difficult to track down those activation emails later on if they’ve gone to a user who isn’t expecting them.

ees contact info

Contact information page from EES enrolment form

 

Activating your licenses and checking VLSC

Once your EES agreement is processed you should see two things:

  1. your licenses will appear in VLSC in the Agreement Summary
  2. you’ll receive an email (or two) to activate your Office 365 licenses

Sometimes the Office 365 licenses might take a week or two longer to come through compared to when your new EES agreement goes live. If you don’t see anything after 14 days it’s worth checking with your reseller \ Microsoft that everything has gone through OK.

To check VLSC log in with the nominated Microsoft account you use to manage your licenses then head to Licenses > License Summary

VLSC license summary

Then look down the list for the Office 365 licenses as highlighted below:

I’ve snipped this screenshot as we have a lot more licenses in the list.

So now you just need that activation email… although you might have already received it but not realised. You might expect it to be branded as Office 365 but it’s a lot more subtle and could easily be mistaken for a confirmation email for your VLSC access. Watch out for the magic words “Microsoft Online Services Team”. That lack of branding is also exactly what a phishing email looks like, so before you click anything check the sender’s address and hover over the links to confirm they point at a Microsoft domain; a genuine message will also line up with the licenses you can already see in VLSC.

Here’s what the subject line looks like in your inbox:

student advantage subject line

And here’s the message body:

student advantage message body

make sure your browsers aren’t logged into anything before clicking!

As per James’ instructions the email offers you two choices:

1) Use an existing account (if you’ve already set up an Office 365 tenancy and just need to add licenses to it)
2) Create a new account (if you’re new to Office 365)

There are some warnings about making sure you’re signed out from all Microsoft accounts but I’ll mention it again…

*** be 100% sure you’re signed out of all your accounts before clicking any links! ***

Be very paranoid here, especially if you’re already using Office 365 for your work account (even worse if you’ve opened the email in OWA rather than the Outlook client, because the browser you’d click from is already signed in).

If the link finds anything other than your Office 365 admin account signed in when it opens in the browser, those licenses will be claimed by that account instead and effectively disappear into the void, and you’ll need to go the long way round via Microsoft support to get it sorted out. The easiest way to be sure is to copy the link into a fresh InPrivate / private-browsing window (or a separate browser profile) rather than clicking it straight from the mail client.

 

Enabling your licenses

If all goes well you should see this in your Office 365 admin panel under Billing > Licenses

office 365 licenses

Now you could go through all your users in the Office 365 admin site, click each one and assign the licenses by ticking the required boxes but that’s far too much like hard work! Fortunately PowerShell comes to the rescue :)

There’s a useful article that explains how to log into Office 365 remotely, the commands to use and even provides some pre-made scripts for you to work with – nice work!

http://blogs.technet.com/b/educloud/archive/2014/02/05/what-are-my-sku-names-for-office-365-education-and-how-can-i-automate-the-licensing.aspx 

The only thing to note from our experience is that the SKU names have your organisation’s tenancy at the start so if you’re scripting use the Get-MsolAccountSku command first to double-check what yours are listed as.

student advantage powershell
We used this snippet to add the Student Advantage licenses to all existing Office 365 accounts that have the A2 Student license. It checks every license a user holds (not just the first one) and skips anyone who already has Student Advantage, so it can be re-run safely:

Get-MsolUser -All | Select-Object UserPrincipalName,Licenses |
  Where-Object { $skus = $_.Licenses | ForEach-Object { $_.AccountSkuId }; ($skus -contains "YOURORG:STANDARDWOFFPACK_STUDENT") -and ($skus -notcontains "YOURORG:OFFICESUBSCRIPTION_STUDENT") } |
  Set-MsolUserLicense -AddLicenses "YOURORG:OFFICESUBSCRIPTION_STUDENT"

Replace YOURORG with the correct result from the Get-MsolAccountSku command above
Also remember you need to connect to an Office 365 session first using the instructions here
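Pulling the steps above together, here is an added example (not the post’s own script, nor anything from the TechNet article) that goes a little beyond the one-liner: it discovers the tenant prefix from Get-MsolAccountSku instead of hard-coding YOURORG, refuses to start a run that the free seat count cannot finish, skips users who already hold the licence, and supports -WhatIf so you can see who would change before touching the tenant. It assumes the MSOnline module is installed and the account you connect with can manage users; the two SKU part names are the ones the post uses.

```powershell
# Added example: assign the Student Advantage SKU to every A2 Student user.
# Assumes the MSOnline module (Connect-MsolService, Get-MsolAccountSku, ...)
# and an admin account for the tenant. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SourceSkuPart = "STANDARDWOFFPACK_STUDENT",   # A2 for Students (from the post)
    [string]$TargetSkuPart = "OFFICESUBSCRIPTION_STUDENT"  # Student Advantage / Office 365 ProPlus
)

Import-Module MSOnline
Connect-MsolService   # prompts for the tenant admin credentials

# Find the tenant-prefixed SKU ids ("YOURORG:STANDARDWOFFPACK_STUDENT") instead of typing them
$skus      = Get-MsolAccountSku
$sourceSku = $skus | Where-Object { $_.AccountSkuId -like "*:$SourceSkuPart" }
$targetSku = $skus | Where-Object { $_.AccountSkuId -like "*:$TargetSkuPart" }
if (-not $sourceSku -or -not $targetSku) {
    throw "Could not find both SKUs in this tenant; run Get-MsolAccountSku and check the part names."
}

function Get-UserSkuIds($User) { $User.Licenses | ForEach-Object { $_.AccountSkuId } }

# Eligible: holds the A2 Student plan and does not already hold ProPlus (so the script is re-runnable)
$eligible = @(Get-MsolUser -All | Where-Object {
    $ids = Get-UserSkuIds $_
    ($ids -contains $sourceSku.AccountSkuId) -and ($ids -notcontains $targetSku.AccountSkuId)
})

# Refuse to start an assignment run that cannot finish: compare against seats actually free
$free = [math]::Max(0, $targetSku.ActiveUnits - $targetSku.ConsumedUnits)
Write-Host ("{0} eligible users, {1} free seats of {2}" -f $eligible.Count, $free, $targetSku.AccountSkuId)
if ($eligible.Count -gt $free) {
    Write-Warning "Not enough seats for everyone; only the first $free users will be licensed this run."
    $eligible = @($eligible | Select-Object -First $free)
}

$results = foreach ($u in $eligible) {
    # -WhatIf lists who would change without touching the tenant
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Add $($targetSku.AccountSkuId)")) {
        try {
            Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName `
                                -AddLicenses $targetSku.AccountSkuId -ErrorAction Stop
            New-Object PSObject -Property @{ User = $u.UserPrincipalName; Result = "Licensed" }
        } catch {
            # typical causes: UsageLocation not set on the user, or the seat was taken meanwhile
            New-Object PSObject -Property @{ User = $u.UserPrincipalName; Result = $_.Exception.Message }
        }
    }
}
$results | Format-Table User, Result -AutoSize
```

Save it as a .ps1 and run it once with -WhatIf; the seat check uses ActiveUnits minus ConsumedUnits from Get-MsolAccountSku, which is the same figure the Billing > Licenses page shows.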

The students’ view

With the licenses assigned it’s worth trying out a sample account to see what the user experience is like for those accessing their software. Here’s a quick run-through:

When students sign in they can either use the old link to go directly to the software page (we used it in our user guides and looking back at James’ instructions he does the same)

https://portal.microsoftonline.com/OLS/MySoftware.aspx

Alternatively if you’ve set the new Office 365 Start page as the default view when users log on the links to install Office 365 ProPlus will appear (providing you’ve assigned the licenses correctly ;) )

student advantage install 1
The executable is a small Click-to-Run installer that gets users up and running nice and quickly.
There’s a bit of download activity at the start as the installer streams down to the machine.

student advantage install 2
Soon you’ll see a welcome screen (pictured) followed by the usual Use Recommended Settings box (not pictured). Also note the notification tray icon and progress message in the corner:

welcome to Office

Now the important bit: students need to sign in using their Office 365 account to activate the license:

sign in

If the account is valid it’s just a matter of time until the full installation completes, but Office is already usable in the meantime:

student advantage install 7

Installation errors

Although Microsoft say the Click-to-Run installer should behave itself alongside other versions, we’ve sometimes found that isn’t the case. In those situations the safest bet tends to be removing any old versions using the Microsoft Fix It tools http://support.microsoft.com/kb/2827031

Other platforms

On top of the standard Office ProPlus for Windows students can also use their subscription to download apps for Mac, iPad \ iPhone, Android phone (with hopefully an Android tablet version coming soon).

If I can get my hands on a couple of spare devices I’ll add a few screenshots from those as well but the idea is pretty much the same each time; as long as the student knows their Office 365 username and password they’re good to go.

Note: if a user tries to install on more than 5 devices they have to deactivate one of them before installing on another device as per http://blogs.technet.com/b/educloud/archive/2013/11/11/what-are-my-options-to-deploy-office-365-proplus.aspx

 

 

HD videoconferencing kit for Lync and beyond

With our Office 365 migration complete for all users at the college we’ve started to turn our attentions to integrating Lync into our environment. One of our aims was to provide conference calling between the multiple sites the college is based across. These days the consumer world does 1:1 video calling with ease but we also wanted to have a system set up so a full room of users could connect across sites easily, without needing everyone signed into individual devices to do it.

Previously this kind of requirement would have seen 3rd party vendors’ eyes light up with pound signs; however with the software side now covered by Office 365 \ Lync all we needed was some decent hardware.

I remembered an article I read a while back about Google’s Chromebox conferencing system that seemed to be sporting some fairly commodity-level kit. This interested me as we basically wanted the same setup but with the opposite vendor supplying the platform. A glance down the comments suggested a Logitech camera and Jabra conference mic; if it’s good enough for Google to support an HD system under their brand then it’s good enough for us!

Kit list

Both the Logitech camera and Jabra mic are part of Microsoft’s Lync-certified hardware compatibility list.
Interestingly the Logitech camera also appears in quite a few of the “Room Systems” from partner suppliers, which further enhances its credentials.

Logitech C930e conference webcam
http://www.logitech.com/en-gb/product/webcam-c930e-business?crid=1252

Jabra SPEAK 510MS mic http://www.jabra.co.uk/products/pc_headsets/jabra_speak__510_series/jabra_speak_510_ms

D-Link 7 port powered USB hub
http://www.dlink.com/uk/en/home-solutions/connect/usb/dub-h7-7-port-usb-2-0-hub

Hands-on

Although the kit was purchased with Lync as the primary objective the timing worked out well for us; during last week we were asked to set up our conference room for a variety of web demonstrations and video calls. In each case the scenario was exactly as originally planned above; a room full of people all needing to provide input during the call.

With a deadline set the unboxing and setup commenced:

shiny new kit ready to go

shiny new kit ready to go

In terms of hardware the system is basically plug-and-play, although I did install the optional software for both pieces of kit that give some additional status reporting (Jabra) and camera control (Logitech).

The hardest part in our room was running the USB for the mic as the cable run is pretty much on the limit of the 5m USB limit. The powered USB hub will give us a few more options, maybe mounted underneath the conference table in the long-run. Alternatively something like an active USB extension cable can get around the 5m problem.

Logitech c930e

In terms of physical installation the camera sat securely on the top of our SMART E70 screen. The mounting clip has multiple pivot points which help it stay in place at both back and front of the screen you’re placing it on, which is a nice touch. There’s also a lens cap that can be fitted for when you definitely don’t want video being shown, again shows a bit of thought has gone into the design.

Once hooked up, the first thing that struck me about the camera is the wide field of view compared to standard webcams. It’s definitely an advantage in our setup, easily covering the full length and width of our conference table which has ~12 people around it when fully populated.

Video quality was smooth, something you don’t get with some cheaper cameras. With standard lighting colours looked crisp; I did close the blinds at the far end of the room as bright sunlight coming through caused problems.

Initially the auto focus took a bit of time to adjust to the room but it got there after a couple of seconds, at which point all users around the table were clearly visible. The only downside is no optical zoom; you can use the digital zoom via the camera’s control panel but the results weren’t great (as you’d expect). For this reason you’ll need to use the C930e as a fixed camera; if you want something that’s going to move around for close-ups on an individual you might be better served by the ConferenceCam BCC950, but it comes with a heftier price tag.

Audio wise the C930e covered the front half of the room well enough but volume dropped off towards the back. I was expecting that to some extent which was why I preferred a separate conference mic that could be placed at the centre of the audio source. In a smaller room you’ll likely be fine with the C930e’s mic alone.

Jabra Speak 510MS

The Jabra 510MS really impressed me; audio was clear from all areas of the table without fuss. The biggest challenge is running a suitable length USB cable as our conference PC is on the other side of the room, however as mentioned above a mixture of either USB hub or active extension cable should do the trick.

The UFO-esque design is rather unusual but I like it; little LEDs light up around the circumference of the device when you press input buttons and there are also additional indicators for charging and Bluetooth. Sometimes it’s easy to knock the capacitive buttons by accident, but it’s easy enough to get back to where you were before.

Audio-wise the microphone worked perfectly, easily picking up users at both ends of the table. On conferences the user at the other end reported clear audio with GoToMeeting and Skype. My first test with Lync had the desktop client reporting “echo detected” but there does seem to be a fix listed in the latest firmware release notes so will run the update and try again to see if that solves it.

The 510MS does have a built-in speaker, although it did sound a bit on the tinny side. I’d recommend using a more powerful set of speakers for delivering audio (in our case a sound bar) but it’s basically a case of using the best tool for the job.

Conclusion

For both parts of the system you’re looking at around £200 to kit out a room, which for HD video \ audio is a fair deal I think. If you don’t need to cover a room full of people there are more affordable options out there, including a stand for your existing tablet ;)

Office 365 watch – Summer 2014

Over the summer Microsoft have made some handy changes to the Office 365 UI. Some of the new additions are features I’ve wanted to see for a while and have come on board just in time for the start of the new academic year.

Start page

The lack of a coherent start page that allowed users to perform common tasks was something that seemed an odd omission from the product and didn’t make life easy for users. Previously the Office logo went off to a product page that was pretty pointless (and quite annoying). Good to see that the link now goes somewhere useful; the start page now allows users to create documents, access the key features of 365 and install Office ProPlus (if licensed).

Office 365 start screen

the new Office 365 start screen

The quote of the day is also quite amusing, albeit in a David Brent kind-of-way ;)

You can set the preference for whether you see the new start screen as the home page for all users in Office 365 settings; it’s also configurable on a per-user basis. There’s a nicely-made video on YouTube that shows where to do this if you’d like to see how…

Menu improvements for touch

The main navigation bar has doubled in size, which should make working on touch devices much easier. I noticed this rolling out last week, first appearing in OWA but now it seems to be consistent across the whole O365 suite. Microsoft are also allowing branding and some customisation of the menu, which is a nice bonus.

Upload limit increased on OneDrive for Business

When testing out OneDrive for Business I found the 2GB file limit a bit restrictive, particularly if working with video where file sizes can balloon quite quickly. Fortunately Microsoft have upped the limit to what seems to be 10GB (based on what I’ve read elsewhere). Along with the 1TB storage upgrade means OneDrive for Business is right up there again with the competition; granted Google Drive can upload up to 5TB but good luck putting that through your internet connection!

A few more requests…

Now that MS seem to have caught up my previous wish lists here’s a few more I’m hoping for:

  • Easily visible storage meter for OneDrive for Business
    Granted it’s not so important with 1TB storage per user but it should be easier to see how much space you’ve used, either on the Start Page or front screen of OneDrive please.
  • Simpler file management in OneDrive for Business
    It’s still rather clunky to move files between folders using the web UI in OneDrive, probably something that’s due to its SharePoint origins but does require improvement.
  • OneDrive for Business client
    The desktop client is still crying out for a next-generation upgrade. It definitely needs to be more intelligent in how it deals with what could potentially be 1TB of sync data and integrate more smoothly with the operating system as a coherent whole. I’d also like to see the Modern UI and Desktop versions of the app working as one rather than separately, though we might have to hold out until Office 2015 for progress there.

100,000 views and counting!


Hot on the heels of the 100th post I noticed the other day that I’ve also hit over 100,000 views so thought it deserved a little celebration.

When I first started this I wasn’t even expecting 100 views and thought the blog would just serve as a personal memory bank, looks like it’s proved useful to people too which is an unexpected bonus :) Thanks for reading and all your comments, now onto the next milestone of 250,000!

I wasn’t sure if celebrating 0x186a0 views was going to have quite the same headline effect…

Solving PXE boot problems on ZCM 11

During the last week I’ve been having a look at ZCM 11.3 in preparation for when we upgrade our production zone from 11.2.3a. I wanted to check that imaging was still going to work in the same way as before, as well as testing some of our new hardware that doesn’t work with the current PXE drivers.

The test environment makes use of some of our old server and comms kit including some Dell PE2950 servers running ESXi hooked up via Cisco 3750 switches.

The DHCP server was installed on a Windows Server 2012 R2 virtual machine.
I downloaded the ZCM 11.3 appliance, imported it and ran through the setup wizard, all pretty painless so far.

With the zone configured I then tried to PXE boot a client PC but it disappointingly failed with an error

“PXE-E51 No DHCP or DHCP Proxy Offers received”

In the end a series of fixes were required to get PXE working, not all of them present in the official Novell documentation, so I figured it might be useful to pull everything together in one place.

Server services

By default the ZCM server doesn’t have the Proxy DHCP service enabled. Without this you’re going nowhere so log onto the server with Putty \ console and type the following

service novell-pbserv start

check it with

service novell-pbserv status

While you’re there it’s also worth setting it to auto-start using chkconfig otherwise it’s an easy step to forget if you reboot the server at some point in the future.

Firewall

The appliance also ships with the firewall enabled, and as shipped this blocks PXE boot (!)
Solution: the quick fix is to turn it off using the YaST tool (console onto the GUI of the ZCM server for this). If the appliance sits on a network you don’t fully trust, the better option is to leave the firewall on and open only the ports the preboot services use (DHCP / proxy DHCP on UDP 67, 68 and 4011, TFTP on UDP 69, plus the imaging ports listed in the Novell KB below), then re-test PXE.

Ref: https://www.novell.com/support/kb/doc.php?id=7005130

VLAN environment pre-requisites

My dev environment was set up as a series of VLANs; in this scenario make sure you have ip helper-address configured on each client VLAN interface. According to the Novell documentation you need two entries: one for your DHCP server’s address and one for the ZCM server that’s providing the PXE (proxy DHCP) service.

Ref: https://www.novell.com/documentation/zenworks11/zen11_cm_preboot_imaging/data/bve6kpq.html

You also need ip forward-protocol rules set up on your router \ L3 switch (on Cisco IOS, UDP 67 and 68 are among the ports forwarded by default once ip helper-address is configured, so adding them explicitly is mainly belt and braces):

ip forward-protocol udp 67
ip forward-protocol udp 68

Cisco switch port settings

Despite all the fixes above the client device still wouldn’t boot from the network and I was beginning to wonder if it was ever going to work. The missing link was that PortFast needs to be enabled on the client-facing Cisco switch ports (something similar likely applies to other vendors) so the port comes up quickly enough for the PXE ROM’s DHCP requests to get through before they time out.

Ref: https://www.novell.com/support/kb/doc.php?id=3131242

PortFast has been known to have been switched off and this has caused issues on the PXE boot sequence. PXE tends to boot faster and request DHCP faster than the switch can handle.
PortFast has been enabled so that the Switch can start talking to a device without going through the process of waiting for the switch and device to decide what speed they will communicate, by enabling Portfast the switch will open the port and enable packets to flow.
The normal time period for the Switch to open up a port is around 30 seconds, with PortFast enabled the clients can start talking as soon as they are switched on, and in the case of PXE boot services it would not wait for 30 seconds.
 

Troubleshooting tips

The server logs can be useful to help figure out how far along the path the packets are getting (or not), so you know whether the problem is on the networking side or the server. To check if your DHCP requests are getting through have a look in

/var/opt/novell/log/novell-proxydhcp.log

and you should see lines like these, where 192.168.0.X is the server VLAN’s IP address (the second line only appears once the ip helper-address relay is working):

Received packet on 0.0.0.0:68
Received packet on 192.168.0.X:67 from relay agent 192.168.0.X

You should also be able to see workstation information as they check in to the imaging system, this log file is a little further into the folder tree

/var/opt/novell/log/zenworks/preboot/novell-pbserv.log
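The log above tells you what reached the ZCM server; it doesn’t tell you what the client VLAN is actually receiving. As an added diagnostic that is not from the post or from Novell, the PowerShell probe below runs on a Windows admin PC plugged into the client VLAN, sends one PXE-style DHCPDISCOVER and lists every offer that comes back, so you can see which half of “PXE-E51 No DHCP or DHCP Proxy Offers received” is missing: no replies at all points at ip helper-address / PortFast, a DHCP offer with no ProxyDHCP offer points at novell-pbserv or the appliance firewall. It assumes the PC has a static address (the Windows DHCP client otherwise owns UDP 68 and swallows the replies), that Windows Firewall allows the inbound UDP 68 replies, and that it runs elevated; the test MAC address and vendor class string are constructed, and nothing is configured or changed.

```powershell
# Added diagnostic: send a PXE-style DHCPDISCOVER and report every offer received.
# Assumes a static-IP Windows PC on the client VLAN, run elevated. Pure .NET sockets.
param([int]$WaitSeconds = 5)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                            [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
$udp.Client.Bind((New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 68))
$udp.EnableBroadcast = $true
$udp.Client.ReceiveTimeout = $WaitSeconds * 1000

# --- DHCPDISCOVER, RFC 2131 layout: 236-byte fixed header, magic cookie, then options
$xid = [byte[]](Get-Random -Count 4 -InputObject (0..255))    # transaction id, used to match replies
$mac = [byte[]](0x02,0x00,0x5E,0x10,0x20,0x30)                # constructed, locally administered test MAC
$pkt = New-Object System.Collections.Generic.List[byte]
$pkt.AddRange([byte[]](1,1,6,0))                              # op=BOOTREQUEST htype=Ethernet hlen=6 hops=0
$pkt.AddRange($xid)
$pkt.AddRange([byte[]](0,0,0x80,0))                           # secs=0, flags: broadcast the reply to us
$pkt.AddRange((New-Object byte[] 16))                         # ciaddr yiaddr siaddr giaddr all zero
$pkt.AddRange($mac); $pkt.AddRange((New-Object byte[] 10))    # chaddr padded to 16 bytes
$pkt.AddRange((New-Object byte[] 192))                        # sname (64) + file (128) empty
$pkt.AddRange([byte[]](0x63,0x82,0x53,0x63))                  # magic cookie
$pkt.AddRange([byte[]](53,1,1))                               # option 53: DHCPDISCOVER
$pkt.AddRange([byte[]](93,2,0,0))                             # option 93: client arch 0 = x86 BIOS
$vc = [System.Text.Encoding]::ASCII.GetBytes("PXEClient:Arch:00000:UNDI:002001")
$pkt.Add([byte]60); $pkt.Add([byte]$vc.Length); $pkt.AddRange($vc)   # option 60: what ProxyDHCP keys on
$pkt.AddRange([byte[]](55,4,1,3,66,67))                       # option 55: want mask, router, TFTP server, bootfile
$pkt.Add([byte]255)                                           # end of options
[void]$udp.Send($pkt.ToArray(), $pkt.Count, "255.255.255.255", 67)

function Parse-DhcpOptions([byte[]]$Data) {
    # Walk the TLV option area (offset 240 onwards) into a code -> byte[] table
    $opt = @{}; $i = 240
    while ($i -lt $Data.Length -and $Data[$i] -ne 255) {
        if ($Data[$i] -eq 0) { $i++; continue }               # pad byte
        if ($i + 1 -ge $Data.Length) { break }
        $code = [int]$Data[$i]; $len = [int]$Data[$i + 1]
        $opt[$code] = if ($len -gt 0) { [byte[]]$Data[($i + 2)..($i + 1 + $len)] } else { @() }
        $i += 2 + $len
    }
    $opt
}

# --- collect every BOOTREPLY for our transaction until the wait expires
$offers = @()
$from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
$deadline = (Get-Date).AddSeconds($WaitSeconds)
while ((Get-Date) -lt $deadline) {
    try { $data = $udp.Receive([ref]$from) } catch [System.Net.Sockets.SocketException] { break }   # timed out
    if ($data.Length -lt 240 -or $data[0] -ne 2) { continue }                  # BOOTREPLY only
    if (($data[4..7] -join ',') -ne ($xid -join ',')) { continue }             # someone else's transaction
    $opt    = Parse-DhcpOptions $data
    $yiaddr = $data[16..19] -join '.'                                          # offered address
    $siaddr = $data[20..23] -join '.'                                          # next-server (TFTP / boot server)
    $vendor = if ($opt[60]) { [System.Text.Encoding]::ASCII.GetString($opt[60]) } else { '' }
    # A real DHCP offer carries an address; a ProxyDHCP offer has yiaddr 0.0.0.0 and option 60 = PXEClient
    $kind   = if ($yiaddr -ne '0.0.0.0') { 'DHCP offer (address)' }
              elseif ($vendor -like 'PXEClient*') { 'ProxyDHCP offer (boot server)' }
              else { 'other BOOTREPLY' }
    $serverId = if ($opt[54]) { $opt[54] -join '.' } else { '' }
    $bootFile = [System.Text.Encoding]::ASCII.GetString([byte[]]$data[108..235]).TrimEnd([char]0)
    $offers += New-Object PSObject -Property @{
        Kind = $kind; From = $from.Address.ToString(); ServerId = $serverId
        OfferedIP = $yiaddr; NextServer = $siaddr; BootFile = $bootFile
    }
}
$udp.Close()

if ($offers.Count -eq 0) {
    Write-Host "No offers at all: nothing is reaching this VLAN. Check ip helper-address and PortFast first."
} else {
    $offers | Format-Table Kind, From, ServerId, OfferedIP, NextServer, BootFile -AutoSize
    if (-not ($offers | Where-Object { $_.Kind -like 'ProxyDHCP*' })) {
        Write-Host "DHCP answered but ZCM did not: check novell-pbserv, the appliance firewall and the second helper address."
    }
}
```

When both halves are working you get two rows: the Windows DHCP server’s offer with an address in OfferedIP, and the ZCM server’s ProxyDHCP offer with 0.0.0.0 there but its own address in NextServer; the relay agent line in novell-proxydhcp.log should appear at the same moment.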

Cloud stories: Groupwise to Office 365 (part 2)

Having sorted out the initial connectivity issues, the next stage of the process was to decide which version of the Outlook client (and therefore Office) to deploy to users’ machines. Until now the college had been running Office 2007 and there would need to be a strong reason to change staff machines midway through the academic year.

Outlook, Office 365 and cached profiles

In my previous experiences with Exchange I’d always disabled Cached Exchange Mode as it always seemed to cause more trouble than it was worth, especially with users that frequently moved between PCs. However due to the fact the Exchange server is now on a shared platform and more “distant” from the local network it becomes necessary to look at it again. Initially we tried running with Cached Mode disabled but performance wasn’t at an acceptable level; moving between folders caused a noticeable delay, as did searches and listing the contents of a large inbox.

With that in mind we knew Cached Mode was going to be mandatory, and this is where things get interesting. In previous on-premise scenarios mailbox limits were generally an order of magnitude smaller than the standard offering on Office 365; with that standard offering now 50GB per user, the effect on OST files could potentially be rather problematic. If a user moves machine the time taken to build the cache again could lead to a pretty painful user experience too!

All Outlook versions prior to 2013 are pretty much a blunt instrument in terms of how they deal with the cache. Fortunately Outlook 2013 comes to the rescue with its new sync slider (the “Mail to keep offline” setting, often described as a hybrid cache). More information can be found at http://technet.microsoft.com/en-us/library/cc179067(v=office.15).aspx

cached mode
configure this either manually in the Outlook profile or via GPO \ OCT

What it basically does is to cache a smaller amount of email (from 3 months upwards) then offers the user a small “There are more items in this folder on the server” link for anything older, at which point Outlook grabs the required mail seamlessly from the Office 365 servers. It’s a best-of-both-worlds scenario and, in my opinion is a key reason to upgrade if using Office 365 with the desktop Outlook client.

That said even at the 3 months setting a reasonably sized mailbox can still need 1GB+ of data to be downloaded before Outlook is ready to use. As a result we’ve recommended our users to access email via OWA if they’re on a machine they’re not likely to use again any time soon.

Self-service Office upgrade

The cache alone pretty much made up our minds to go with Office 2013, the additional integration with OneDrive for Business \ SharePoint was also another factor that will become more apparent in the coming months once our SharePoint Intranet goes online too.

With the decision made we needed to find the simplest method to deploy the new version of Office to staff. With nearly 1000 staff machines all in use at different times it wasn’t something we could push out overnight. The team-by-team migration plan also meant that we couldn’t switch in a “big bang” method as Outlook and GroupWise don’t play nicely if both are active and fighting for control of MAPI profiles.

The solution was to make a self-service process that users could initiate at a time convenient to them. Generally it tended to be a lunch break on the day of their migration, but equally it could be done at the end of the day etc. We used ZENworks to push out a Bundle named Office 2013 upgrade which contained a customised MSP created with the Office Customisation Tool (OCT).

If you’ve not used it before: you run setup.exe /admin, generate an MSP file, and place it in the Updates folder within the Office 2013 installation media folder structure.

More info available at http://technet.microsoft.com/en-us/library/cc179097(v=office.15).aspx

Tip: remember to include the AUTO_ACTIVATE property (set to 1) while configuring your OCT deployment file, as it avoids users seeing pesky pop-ups asking them to activate Office the first time they run it.

Progress indicator

We also hit a bit of a problem of our own making due to the effects our Novell environment has on Folder Redirection. Our (until now) lack of Active Directory meant we had to use some unofficial local policy ADM templates to achieve a similar effect to the native Windows GPOs. The downside of this was that we had to map to a drive letter rather than the supported method of using UNC path. As a result Office setup bombed out when run as the logged-on user, even if using the Dynamic Local Admin option in ZENWorks.

the HTA loads full-screen and disables CTRL+ALT+DEL so setup doesn’t get interrupted

The workaround was to use the SYSTEM account to run the setup executable, however it meant that we lost any form of progress indicator to let the user know something was actually happening. I knocked up a quick HTA that effectively locks the workstation with a full-screen splash page informing the user to wait for the automatic reboot, along with some quick tips on how to set up Outlook on next logon.

Fixing setup errors

In testing I found that the upgrade would sometimes fail for no apparent reason. In line with some of the gems I’ve had from Windows 8 the error messages were about as much use as a chocolate teapot… “Microsoft Office Professional Plus 2013 encountered an error during setup” doesn’t really help much.

unhelpful error message mandatory, teapot optional…

Digging through temporary files yields a setup log file that gives a more detailed insight into what went wrong, although in this case the failure was listed as a fairly non-specific “1603” error. The workaround listed on the Microsoft forums that recommends deleting a couple of folders from ProgramData seemed to work so I’ve included the folder delete \ rename actions as the first steps in the Bundle to be sure.

delete directory

Bundle requirements

Recently we noticed a few machines were failing the upgrade but initially couldn’t think why as they were all built from the same base Windows 7 image and Office 2007 installation. The error we kept getting was a 1605 which means “out of disk space”… oops! Turns out the affected machines were our 1st-gen SSD PCs that only had 60GB drives. Between the ZCM cache, Office install directory and other detritus on the local drive there wasn’t enough room to install Office.

Disk cleanup was the easy fix, along with a couple of requirements on the Bundle to check for disk space, as well as to only run the installer if Office 2013 wasn’t already installed

Tip: use HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0 to check this. If you deploy 32-bit Office on 64-bit Windows and the check runs as a 64-bit process, that key is redirected to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0, so test for both.

requirements

Outlook profile \ Launch actions

We experienced some issues when GroupWise and newer versions of Outlook were installed on the same machine, basically both programs were fighting for control of the default MAPI profile which made Outlook rather upset.

To get around this I added some additional Launch actions to our Outlook desktop shortcut to check for (and remove) any GroupWise MAPI profiles first. In older versions of Office profile information was stored in a hard-to-find location in the registry, fortunately in 2013 that’s changed for the better and you just need to look in:

HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\[profile name]

We used OCT to define that all new Outlook profiles are called Office365 by default; with that in mind I use the registry location above to check whether a legitimate profile exists. If not we import a PRF file with the accounts section removed to ensure the first-run wizard appears as expected. The command to do this looks like:

Command: ${ProgramFiles32}\Microsoft Office\Office15\OUTLOOK.EXE
Command Line Parameters: /importprf Z:\Office365.prf
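The same launch logic as a stand-alone PowerShell launcher, added here as an example and not the post’s ZENworks launch actions: it checks for the Office365 profile under the 15.0 Profiles key, reports any other profiles it finds (a leftover GroupWise MAPI profile in the post’s case) and only deletes them if you opt in with -RemoveOtherProfiles, then either starts Outlook normally or runs the /importprf step so the first-run wizard appears. The profile name, PRF path and Office15 folder are the post’s; the ${env:ProgramFiles(x86)} fallback stands in for ZENworks’ ${ProgramFiles32} macro and is an assumption.

```powershell
# Added example: Outlook 2013 launcher that creates the Office365 profile from a PRF
# when it is missing. Registry paths are Outlook 2013's; everything else is assumed.
param(
    [string]$ProfileName = "Office365",          # the name the OCT gives new profiles (from the post)
    [string]$PrfPath     = "Z:\Office365.prf",   # the PRF the post imports
    [switch]$RemoveOtherProfiles                 # opt in to the post's "remove GroupWise profiles" step
)

$outlookKey  = "HKCU:\Software\Microsoft\Office\15.0\Outlook"
$profilesKey = Join-Path $outlookKey "Profiles"

# ZENworks' ${ProgramFiles32} equivalent: 32-bit Office lives under Program Files (x86) on x64 Windows
$pf32 = ${env:ProgramFiles(x86)}; if (-not $pf32) { $pf32 = $env:ProgramFiles }
$outlookExe = Join-Path $pf32 "Microsoft Office\Office15\OUTLOOK.EXE"

function Get-OutlookProfileNames {
    if (Test-Path $profilesKey) { Get-ChildItem $profilesKey | ForEach-Object { $_.PSChildName } } else { @() }
}

function Test-OutlookProfile([string]$Name) {
    # An empty profile key can be left behind by an aborted first run; only count one with content
    $key = Join-Path $profilesKey $Name
    (Test-Path $key) -and (@(Get-ChildItem $key -ErrorAction SilentlyContinue).Count -gt 0)
}

$others = @(Get-OutlookProfileNames | Where-Object { $_ -ne $ProfileName })
if ($others.Count -gt 0) {
    if ($RemoveOtherProfiles) {
        # e.g. a GroupWise MAPI profile that would otherwise fight Outlook for the default
        foreach ($p in $others) { Remove-Item (Join-Path $profilesKey $p) -Recurse -Force }
    } else {
        Write-Warning ("Other Outlook profiles present, left alone: " + ($others -join ', '))
    }
}

if (Test-OutlookProfile $ProfileName) {
    Start-Process $outlookExe
} else {
    if (-not (Test-Path $PrfPath)) { throw "PRF file not found at $PrfPath" }
    # /importprf builds the profile from the PRF; with the accounts section removed,
    # Outlook still shows the add-account wizard on first start
    Start-Process $outlookExe -ArgumentList "/importprf `"$PrfPath`""
}
```

Pointing the desktop shortcut at powershell.exe -File with this script gives the same behaviour as the ZENworks launch actions on a machine without the agent, and the warning rather than a silent delete means a user who deliberately keeps a second profile isn’t surprised.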

Next time

Next post in this mini-series will cover how we migrated 400GB+ of mail data from GroupWise to Office 365 with the help of some rather nifty scripting :)

Cloud stories: Groupwise to Office 365 (part 1)


I’ve been meaning to start this series of posts for a while, documenting our journey as we move various legacy on-premise systems to Office 365 and all the fun and games we’ve had along the way. Like many email was the first item on the migration hit-list and indeed was a key driver for investigating moving services into the cloud.

Unlike many organisations we weren’t moving from Exchange, our on-premise system was actually Novell Groupwise. The large increase in storage space was the biggest draw for us to go cloud but mobile access also played a part. Novell were very short sighted in not providing a (free) mobile app for Groupwise as the majority of users weren’t willing to mess around with manual IMAP settings nor were they particularly enamoured with having to pay for a 3rd party app to read email on their phones, which these days is a bread-and-butter feature requirement for any enterprise-grade product (imo).

Although moving to a cloud-based service is often marketed as a click-and-forget experience it’s not entirely accurate unless you’re setting up from scratch. This post covers a few lessons we learnt and some tips to help you avoid them…

Firewall Rules

We use a combination of standard firewall and proxy web filter to direct traffic in and out to the Internet at large, a pretty common setup for an organisation of our size with ~2500 workstations.

However we soon found out that this wasn’t as simple as first thought. Although our firewall can identify traffic based on application, some of the login processes for the Outlook client were only identified as vanilla SSL; I guess some of the Autodiscover processes may be the reason for this.

At first we thought the solution might be fairly simple: at my last place I used Microsoft’s Forefront Online Protection for Exchange (FOPE), which gave a defined list of IP ranges to allow mail from, so I was hoping Office 365 would be similar… we were wrong!

It started well enough, Microsoft gives what looks like a helpful list of addresses to allow here…

http://onlinehelp.microsoft.com/en-gb/office365-enterprises/hh373144.aspx

We dutifully added all of them to the firewall, then watched as Outlook played its own game of Russian roulette with logins: some would work and others would fail miserably with messages like the example below about an encrypted connection being unavailable. Trying to continue with the unencrypted version also failed.

(Screenshot: Outlook warning that an encrypted connection to the mail server is unavailable)
The next logical step was to check the firewall logs and see what was going on. Lo and behold, there was a bunch of blocked traffic from the affected machine, with the type listed as SSL (in addition to the Office 365 traffic that was allowed by our rule). At first glance the listed IPs looked pretty similar to some of the ones on the Microsoft link, so I punched them into the very helpful CentralOps domain dossier to do a bit of detective work into what they really were.

Surprise! The IPs were owned by Microsoft, One Microsoft Way, Redmond. Over the course of a couple of days I collected (and kept adding) these new address ranges, but new ones kept coming. After a while came another surprise: some were listed as being owned by Akamai, the CDN Microsoft use to deliver content for the Office 365 web interface. We expected that for OWA but not for the desktop client, yet there it was, clear as day in the logs.
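The detective work above (pull the blocked destinations out of the deny log, see which ones fall outside the published ranges, then whois the rest) is worth scripting once the list starts drifting daily. The block below is an added example and not code from the original post: it parses a constructed key=value style firewall log, checks each denied destination against a CIDR allowlist, and splits the results into addresses outside the list (candidates for a whois lookup) and addresses inside the list that were denied anyway (which points at the rule not matching, the "vanilla SSL" problem above). The log format and the RFC 5737 documentation ranges in the allowlist are placeholders; Microsoft's real Office 365 ranges must come from Microsoft's own list.

```javascript
// Added example, not from the original post. Parse firewall deny lines and
// classify denied destination IPs against a CIDR allowlist.
// Assumption: the log format and the allowlist ranges below are constructed
// for this example (RFC 5737 documentation ranges, not real Office 365 ranges).

var ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"];

// Constructed sample log lines in a generic "key=value" firewall style.
var SAMPLE_LOG = [
  "2014-06-01 09:12:03 action=allow src=10.20.30.40 dst=203.0.113.25 dport=443 app=office365",
  "2014-06-01 09:12:04 action=deny src=10.20.30.40 dst=198.51.100.200 dport=443 app=ssl",
  "2014-06-01 09:12:05 action=deny src=10.20.30.40 dst=192.0.2.77 dport=443 app=ssl",
  "2014-06-01 09:12:06 action=deny src=10.20.30.40 dst=198.51.100.200 dport=443 app=ssl",
  "2014-06-01 09:12:07 action=deny src=10.20.30.40 dst=203.0.113.9 dport=443 app=ssl"
];

// Convert a dotted IPv4 address to an unsigned integer; null on malformed input.
function ipv4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if ip lies inside the range "a.b.c.d/len".
function inCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var base = ipv4ToInt(pieces[0]);
  var addr = ipv4ToInt(ip);
  var len = Number(pieces[1]);
  if (base === null || addr === null || !(len >= 0 && len <= 32)) return false;
  if (len === 0) return true;
  // Compare the top `len` bits. Division instead of >>> avoids 32-bit sign issues.
  var blockSize = Math.pow(2, 32 - len);
  return Math.floor(base / blockSize) === Math.floor(addr / blockSize);
}

// Turn an {ip: count} map into a list sorted by count (desc) then ip.
function toSortedList(counts) {
  return Object.keys(counts)
    .map(function (ip) { return { ip: ip, denies: counts[ip] }; })
    .sort(function (a, b) { return (b.denies - a.denies) || (a.ip < b.ip ? -1 : 1); });
}

// Walk the log; for every deny line bucket the destination by whether any
// allowed range covers it. Returns both buckets so each can be acted on:
//   unlisted        -> feed to whois, probably new Microsoft/Akamai space
//   listedButDenied -> the allow rule exists but did not match this traffic
function classifyDenies(logLines, allowedRanges) {
  var unlisted = {};
  var listed = {};
  logLines.forEach(function (line) {
    if (!/\baction=deny\b/.test(line)) return;
    var m = /\bdst=(\d+\.\d+\.\d+\.\d+)\b/.exec(line);
    if (!m) return;
    var dst = m[1];
    var covered = allowedRanges.some(function (r) { return inCidr(dst, r); });
    var bucket = covered ? listed : unlisted;
    bucket[dst] = (bucket[dst] || 0) + 1;
  });
  return { unlisted: toSortedList(unlisted), listedButDenied: toSortedList(listed) };
}

// Run against the constructed sample when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyDenies(SAMPLE_LOG, ALLOWED_RANGES), null, 2));
}
```

On the sample above the two denies to 198.51.100.200 and the one to 192.0.2.77 land in `unlisted` (the former is just past the /25 boundary), while 203.0.113.9 shows up as `listedButDenied`. That second bucket is the interesting one in practice: a deny to an address you have already allowed means the rule is keyed on something other than the destination (an application signature, for instance) and the traffic is not being recognised as Office 365.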

In the end we decided that there was no way we were going to be able to keep up with how rapidly the addresses were changing and still give our users a decent experience (our pilot users didn’t have a fun time getting set up with Outlook), so we were forced to push all Office 365 traffic through our proxy server instead. We didn’t want to do this if we could help it, as our firewall is much faster at processing large amounts of traffic than the proxy, but there was no choice for now; thus far it’s stood up to the load pretty well.

A well-written TechNet article explains how Microsoft have built the CDN network for Office 365 and why they’re only supporting wildcard URL rules for filtering…

http://blogs.technet.com/b/exchange/archive/2013/12/02/office-365-url-based-filtering-is-just-better-and-easier-to-sustain.aspx

…which is great, but until the firewall vendors catch up and put URL-based filtering into their core feature sets many network admins won’t be happy. The issue crops up more when using the desktop Outlook client, but that’s a fundamental reason for choosing Microsoft over Google, so a workaround had to be found to give a reliable first-run experience.

Proxy issues with Outlook

Now that we had the basic traffic issues out of the way we thought Outlook would kick into life quite easily, but there was one more sting in the tail. Autodiscover still wasn’t working reliably, despite having proxy authentication disabled for all Office 365 domains (this seems a common recommendation from various proxy suppliers), so we needed to dig a bit deeper.

We ran the Outlook first-run wizard with TCPView running alongside and noticed something odd…

Our proxy settings were pushed out via a GPO setting, along with a manual exceptions list for various IP ranges and internal sites. Because our internal domain is the same as our external one we added autodiscover.havering-college.ac.uk to the list of proxy exceptions (and created an internal DNS record), so we expected to see the remaining connections going out via the proxy server address… except we didn’t.

Bizarrely, it seemed Outlook was ignoring the proxy server completely and trying to connect directly, which on a standard user’s machine won’t work. Cue some furious Googling, which showed that we weren’t the only ones experiencing the problem…

http://social.technet.microsoft.com/Forums/ie/en-US/e696adc8-e05d-42a0-bc95-f3c48b04bef3/bypass-proxy-for-local-addresses-office-365-connection-outlook-2010?forum=ieitprocurrentver

The only solution was to create a proxy auto-configuration (PAC) file that explicitly says to use the proxy for the Office 365 URLs. As soon as we did this and switched the GPO over to Auto-Detect Settings, Outlook kicked into life. I’m not sure if this issue has been sorted in Office 2013 SP1, but it’s not a listed fix and recent posts in the thread above suggest it’s still unresolved.
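As an added example (not the PAC file from the original post), here is a minimal PAC of the shape described above: the Office 365 hostnames are matched first and forced to the proxy so that no "local address" exception can claim them, then the internal hosts go direct, and everything else goes via the proxy. The proxy address proxy.example.ac.uk:8080 and the domain example.ac.uk (standing in for an organisation whose internal and external domains are the same) are placeholders, and the Office 365 pattern list is a small illustrative subset; take the real list from Microsoft’s published Office 365 URLs. The helpers are written in plain ES5 rather than using the PAC built-ins (shExpMatch, dnsDomainIs, isInNet) so the file can be checked in an ordinary JavaScript engine before it is deployed; IP-range exceptions would need isInNet/dnsResolve and are left out here.

```javascript
// Added example, not from the original post: a PAC file that sends Office 365
// hostnames through the proxy explicitly and internal hosts direct.
// Assumptions: proxy.example.ac.uk:8080 and example.ac.uk are placeholders;
// OFFICE365_PATTERNS is an illustrative subset of Microsoft's published list.
// Written in ES5 with var/function only, since PAC engines (WinHTTP/JScript)
// do not support newer syntax.

var PROXY = "PROXY proxy.example.ac.uk:8080";
var DIRECT = "DIRECT";

// Hostname wildcards that must always go via the proxy. Checked first.
var OFFICE365_PATTERNS = [
  "*.office365.com",
  "*.outlook.com",
  "*.microsoftonline.com",
  "*.office.com",
  "*.sharepoint.com"
];

// Hosts with an internal DNS record that must never touch the proxy, plus
// the internal domain suffix (same as the external one in this scenario).
var DIRECT_HOSTS = ["autodiscover.example.ac.uk"];
var INTERNAL_SUFFIX = ".example.ac.uk";

// Convert a shell-style wildcard ("*.office365.com") to an anchored,
// case-insensitive RegExp. Every regex metacharacter except '*' is escaped.
function globToRegExp(pattern) {
  var escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// True if host matches any wildcard in patterns.
function hostMatches(host, patterns) {
  for (var i = 0; i < patterns.length; i++) {
    if (globToRegExp(patterns[i]).test(host)) return true;
  }
  return false;
}

// True if host ends with the internal domain suffix (e.g. intranet.example.ac.uk).
function isInternalDomain(host) {
  return host.length > INTERNAL_SUFFIX.length &&
    host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point called by the PAC engine for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();

  // 1. Office 365 first. This is the fix from the post: name the proxy
  //    explicitly for these hosts before any direct/local rule can apply.
  if (hostMatches(host, OFFICE365_PATTERNS)) return PROXY;

  // 2. Internal targets go direct: explicit hosts, plain (dotless) names,
  //    and anything under the internal domain suffix.
  if (hostMatches(host, DIRECT_HOSTS)) return DIRECT;
  if (host.indexOf(".") === -1) return DIRECT;
  if (isInternalDomain(host)) return DIRECT;

  // 3. Everything else goes through the proxy.
  return PROXY;
}
```

Before deploying, exercise FindProxyForURL from a shell (for example with Node) for a handful of hostnames: an Office 365 host such as outlook.office365.com must return the PROXY string, the autodiscover record and a plain hostname must return DIRECT, and an arbitrary external site must return the PROXY string. Two things to check on the delivery side as well: the file is served with the application/x-ns-proxy-autoconfig content type, and if clients find it through Auto-Detect (WPAD) rather than an explicit script URL, the DHCP option and the wpad DNS name that point at it are under your control, since whoever answers those can hand out their own PAC.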

Next time

Next post in this mini-series will cover some decisions you’ll need to make about what version of Office you use on your machines and how it can affect your 365 experience.
