Tweet and win an Ignite 2016 ticket #itproceed
Delivering traditional File Server Workloads in a secure manner to modern devices
Kenny Buntinx, Tim De Keukelaere
@KennyBuntinx
http://be.linkedin.com/KennyBuntinx
http://scug.be/blogs/sccm
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://scug.be/tim/
What are Work Folders?
System Architecture and server deployment
Client deployment
Behind the scenes
Troubleshooting
Data protection and security
individual data
file server
devices
wherever
remaining in compliance
“Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Citrix ShareFile, OneDrive for Business and Dropbox, but without the cloud and sharing features.”
Comparison columns: Consumer / personal data, Individual work data, Team / group work data, Personal devices, Data location

Data location per solution:
- OneDrive: Public cloud
- OneDrive for Business: SharePoint / Office 365
- Work Folders: File server
- Folder Redirection / Client-Side Caching: File server
USERS can SYNC THEIR WORK DATA to their devices
Users can REGISTER THEIR DEVICES to be able to sync data when IT enforces CONDITIONAL ACCESS
IT can publish access directly through a reverse proxy, or CONDITIONAL ACCESS can be enforced via device registration through the WEB APPLICATION PROXY
IT can configure a file server to provide WORK FOLDER SYNC SHARES for each user to store data that syncs to their devices, including integration with RIGHTS MANAGEMENT
IT can SELECTIVELY WIPE the corporate data from multiple platforms (iOS, WP)
ACTIVE DIRECTORY DISCOVERABILITY provides users Work Folders location
- Windows 8.1 and above
- Windows 7 - http://blogs.technet.com/b/filecab/archive/2014/04/24/work-folders-for-windows-7.aspx
  - Domain join is required
- iOS - iPad / iPhone - http://scug.be/sccm/2015/04/10/work-folders-app-for-iphone-finally-released/
- Android?
Step 1: Install Work Folders Role
Step 2: Configure Work Folders Server with SSL
Step 3: Configure the Work Folders Server for ADFS Authentication
Step 4: Setting the Relying Party settings in ADFS
Step 5: Configure the Web Application Proxy
Step 6: Create the necessary DNS records
netsh http add sslcert ipport=0.0.0.0:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=My
To publish Work Folders with Web Application Proxy, the Work Folders server must use AD FS (OAuth2) authentication instead of Windows Authentication.
You can use PowerShell to configure the Work Folders server for AD FS authentication using the following command: Set-SyncServerSettings -ADFSUrl <AD FS URL>
```powershell
# Relying party identifier and display name used for Work Folders
$ECSIdentifier = "https://Windows-Server-Work-Folders/V1"
$ECSDisplayName = "EnterpriseClientSync"

# Transform rule: look up the user in Active Directory and issue UPN, name, surname and given name
$TransformRuleString = '@RuleTemplate = "LdapClaims"
@RuleName = "Ldap"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types =
("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"),
query = ";userPrincipalName,displayName,sn,givenName;{0}", param = c.Value);'

# Authorization rule: permit every authenticated user
$AuthorizationRuleString = '@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the relying party trust (unencrypted JWT tokens, public clients)
Add-ADFSRelyingPartyTrust -Identifier $ECSIdentifier -Name $ECSDisplayName `
    -IssuanceTransformRules $TransformRuleString `
    -IssuanceAuthorizationRules $AuthorizationRuleString `
    -EncryptClaims:$false -EnableJWT:$true -AllowedClientTypes Public
```
The Relying Party settings must include the UPN in the claims, since Work Folders uses it to impersonate the user. Unfortunately there is no such file, so we used a PowerShell script to create the RP.
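```powershell
$WAPAppName = "EnterpriseClientSync"
$ExternalURL = "https://Workfolders.demolabs.be/"
$BackEndServerURL = "https://Workfolders.demolabs.be/"
# Assumption: the external certificate is in the WAP server's LocalMachine\My store
$cert = Get-Item "Cert:\LocalMachine\My\<Cert thumbprint>"
# Publish Work Folders with AD FS pre-authentication using OAuth.
# BackendServerCertificateValidation None: the backend server certificate is not validated.
Add-WebApplicationProxyApplication -Name $WAPAppName `
    -ExternalURL $ExternalURL `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl $BackEndServerURL `
    -ExternalPreauthentication ADFS `
    -ClientCertificateAuthenticationBindingMode None `
    -BackendServerCertificateValidation None `
    -ADFSRelyingPartyName EnterpriseClientSync `
    -UseOAuthAuthentication
```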
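A review check for the relying party and Web Application Proxy settings shown above, as an added example that is not part of the original slides or of Microsoft's tooling. `Test-WorkFoldersPublishing` is a hypothetical helper; it assumes its inputs have the properties returned by `Get-WebApplicationProxyApplication` and `Get-AdfsRelyingPartyTrust`, and the sample objects are constructed from the slide values.

```powershell
# Added example: review items for a published Work Folders endpoint.
# Test-WorkFoldersPublishing is a hypothetical helper, not a Microsoft cmdlet.
function Test-WorkFoldersPublishing {
    param(
        [Parameter(Mandatory)] $WapApp,        # shape of Get-WebApplicationProxyApplication output
        [Parameter(Mandatory)] $RelyingParty   # shape of Get-AdfsRelyingPartyTrust output
    )
    $findings = @()
    if ("$($WapApp.ExternalUrl)" -notlike 'https://*') {
        $findings += 'WAP: external URL is not HTTPS'
    }
    if ("$($WapApp.ExternalPreauthentication)" -ne 'ADFS') {
        $findings += 'WAP: no AD FS pre-authentication at the proxy'
    }
    if ("$($WapApp.BackendServerCertificateValidation)" -eq 'None') {
        $findings += 'WAP: backend server certificate is not validated'
    }
    if ("$($RelyingParty.IssuanceAuthorizationRules)" -match 'AllowAllAuthzRule') {
        $findings += 'AD FS: authorization rule permits every authenticated user'
    }
    if ("$($RelyingParty.IssuanceTransformRules)" -notmatch 'identity/claims/upn') {
        $findings += 'AD FS: no UPN claim issued, which Work Folders needs to impersonate the user'
    }
    [pscustomobject]@{ Application = $WapApp.Name; Findings = $findings }
}

# Constructed sample objects that mirror the values used on the slides.
$wap = [pscustomobject]@{
    Name = 'EnterpriseClientSync'
    ExternalUrl = 'https://Workfolders.demolabs.be/'
    ExternalPreauthentication = 'ADFS'
    BackendServerCertificateValidation = 'None'
}
$rp = [pscustomobject]@{
    Name = 'EnterpriseClientSync'
    IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
    IssuanceTransformRules = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'
}

(Test-WorkFoldersPublishing -WapApp $wap -RelyingParty $rp).Findings
```

On live servers, replace the sample objects with the output of `Get-WebApplicationProxyApplication -Name EnterpriseClientSync` from the WAP server and `Get-AdfsRelyingPartyTrust -Name EnterpriseClientSync` from the AD FS server.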
Workfolders.demolabs.be
<internalworkfoldersserver>.demolabs.be
Workfolders.demolabs.be
• Manual
• Opt-in
• Mandatory
http://scug.be/nico/2013/09/13/manage-work-folders-with-configuration-manager-2012-r2/
1. Local change detected
2. Initiate sync session with server
3. Upload file to server
4. Server applies change to data dir
5. Sync initiated by second client
6. Download file from server
7. Client applies change to data dir
• Client limited to 1 partnership per user per device
• Client always drives sync
• Device applying the change responsible for conflict resolution
On the Web Application Proxy
Applications and Services Logs\Microsoft\Windows\Web Application Proxy\Admin
On the ADFS Server
Applications and Services Logs\ADFS\Operational
On the client
Applications and Services Logs\Microsoft\Windows\WorkFolders\Operational
For the end user:
Thank you!
Belgium’s biggest IT PRO Conference