
Overview of hybrid SharePoint 2013 for technical decision makers

SharePoint 2013
 

Applies to: SharePoint Server 2013, SharePoint Online

Topic Last Modified: 2014-05-02

Summary: What is SharePoint hybrid? Learn how integrating a SharePoint Server 2013 environment with SharePoint Online in Office 365 can add flexibility and mobility to your company.

This article will help you understand the technical components and architecture of a SharePoint hybrid solution. This article will also help you to decide what hybrid solutions best address your business requirements and goals and which hybrid topology is required to support the solutions you want to deploy.

Warning:
To configure a hybrid SharePoint environment, you need a combination of expert skills and significant hands-on experience with several products, including SharePoint Server 2013, SharePoint Online, and related products and technologies. If these skills and expertise are not available in-house, we recommend that you engage Microsoft Consulting Services to provide technical guidance and support during the design and deployment of your hybrid environment.

Cloud services such as SharePoint Online in Office 365 can be an attractive alternative to on-premises SharePoint business solutions. However, for a variety of reasons, you might want or need to deploy specific solutions in the cloud while maintaining your on-premises SharePoint Server 2013 farm. For example, many enterprises must keep certain data and information systems on-premises or within their geopolitical boundaries to satisfy compliance regulations or legal policies. Some enterprises may plan to gradually move their existing on-premises SharePoint Server 2013 content and services to the cloud, using a staged migration in which SharePoint Server 2013 workloads are moved to SharePoint Online one at a time.

At the architectural level, a SharePoint hybrid environment is created by configuring a mutual trust relationship and common identity management provider between a SharePoint Online tenant and a SharePoint Server 2013 farm. This architecture supports trusted service connections between the on-premises and cloud SharePoint farms, which can exchange data and content when requested by an authorized user. Depending on the topology and services that are configured, content in one environment can be exposed and manipulated in the other through SharePoint apps, lists and libraries, web parts, and Search applications.

Hybrid functionality in SharePoint Server 2013 and SharePoint Online in Office 365 provides several different options to extend your on-premises investment to the cloud by integrating services like search, Business Connectivity Services, and Duet Enterprise Online.

We currently provide guidance for deploying the following SharePoint hybrid solutions: Search, Business Connectivity Services (BCS), and Duet Enterprise Online. Each solution has specific hybrid topology requirements, which are listed in the following tables.

Note:
You will learn more about hybrid topologies in the section "What are the SharePoint hybrid topologies?" later in this article.

Search solutions

| Hybrid topology | Supported functionality |
| --- | --- |
| One-way outbound | SharePoint Server 2013 Search services can query the SharePoint Online search index and return federated results to SharePoint Server 2013 Search. |
| One-way inbound | SharePoint Online Search services can query the SharePoint Server 2013 search index and return federated results to SharePoint Online Search. |
| Two-way | Both SharePoint Server 2013 and SharePoint Online Search services can query the search index in the other environment and return federated results. |

Business Connectivity Services (BCS) solution

| Hybrid topology | Supported functionality |
| --- | --- |
| One-way inbound or Two-way | The SharePoint Online BCS service can connect to an on-premises SharePoint Server 2013 farm by using an app for SharePoint or an external list that is installed on a SharePoint Online site collection. The BCS Service configured on the on-premises farm brokers the connection to on-premises OData Service endpoints and supports both read and write operations. BCS hybrid solutions can be configured to support full CRUDQ (Create, Read, Update, Delete and Query) functionality. |

Duet Enterprise Online solution

| Hybrid topology | Supported functionality |
| --- | --- |
| One-way inbound or Two-way | SharePoint Online users can perform both read and write operations against an on-premises SAP system. You can do this by either using an app for SharePoint that’s installed on a SharePoint Online site collection or by enabling a Duet Enterprise Online feature. |

Note:
Duet Enterprise Online for SharePoint Online is required to support this capability.

The term hybrid topology refers to the direction in which trusted connections can be established in a hybrid environment. Each hybrid solution depends on a secure communications channel and a specific trust relationship between SharePoint Online and SharePoint Server 2013. For each solution, the hybrid infrastructure must be configured with the components and supporting technologies that support the requirements of the connection.

For example, a one-way inbound hybrid topology enables SharePoint Online to request data from a SharePoint Server 2013 web application. In order for inbound data connections to occur, a web application in SharePoint Server 2013 must be published to the Internet with an Internet-routable URL. This requires the deployment of a reverse proxy device that is configured to securely accept the inbound connection and relay the request to SharePoint Server 2013.

Conversely, a one-way outbound hybrid topology supports only trusted connections from SharePoint Server 2013 to a SharePoint Online web application. Because web applications in SharePoint Online are already configured with an Internet-routable URL, SharePoint Server 2013 can connect directly through an existing corporate firewall or forward proxy like any other request to an Internet server.

Microsoft supports three hybrid topologies for hybrid SharePoint solutions.

One-way outbound: An outbound authentication topology lets the on-premises SharePoint Server 2013 farm make authenticated connections to SharePoint Online. Connections to SharePoint Online that originate from SharePoint Server 2013 are referred to as outbound connections.

This diagram illustrates the connections and solutions supported in a one-way outbound authentication topology.

One-way inbound: An inbound authentication topology lets SharePoint Online make authenticated connections to the on-premises SharePoint Server 2013 farm. Connections to SharePoint Server 2013 that originate from SharePoint Online are referred to as inbound connections.

This diagram illustrates the connections and solutions supported in a one-way inbound authentication topology.

Two-way: A two-way authentication topology lets SharePoint Online make authenticated connections to the on-premises SharePoint Server 2013 farm and lets the on-premises SharePoint Server 2013 farm make authenticated connections to SharePoint Online.

This diagram illustrates the connections and solutions supported in a two-way (inbound and outbound) authentication topology.

Each available hybrid solution requires a specific hybrid topology. Your choice of which hybrid topology to use is based on a combination of what you need to do, the solution you need, your on-premises SharePoint architecture, and the desired user experience. For example, if you want users of your on-premises SharePoint Server 2013 farm to see both local and SharePoint Online results, you might only need a one-way outbound hybrid topology. If you want users to see both sets of search results regardless of the location of the search portal, you will need a two-way topology.

Before you make a decision, collect and consider the information that frames your business requirements, such as:

  • Do your users need to be able to search, find, and use on-premises content and data while they’re in the field or at a branch office?

  • Do your remote users need to securely access data from existing on-premises business systems?

  • Is it more cost effective to deploy a hybrid environment or to move your SharePoint content and applications to the cloud entirely?

  • Are there legal or regulatory considerations that could affect your decision on where to store business data?

  • Does your SharePoint Server 2013 farm contain custom code that cannot be easily migrated to SharePoint Online?

As is true for the rollout of any major technology solution, the successful deployment of a hybrid environment is largely dependent on the thoroughness of the design and planning process. You should carefully consider and clearly define your requirements and business goals and review the constraints of your existing SharePoint environment. Also, take time to consider the technical requirements of deploying and managing the different hybrid topologies. Informed by this information, you can decide which SharePoint hybrid solution or solutions are appropriate for you and which topology is required to support them.

The security-enhanced architecture of a SharePoint hybrid environment is built on multiple layers of trust and service integration. The following table describes the trust relationships that you will configure during the deployment process and the solutions and functionality supported by SharePoint hybrid environments.

Layers of trust and service integration

| Layer | Description |
| --- | --- |
| Identity management | Identity management in a hybrid environment is provided by the Azure Active Directory Synchronization Tool (DirSync) and either single sign-on (SSO) or DirSync Password Sync. |
| Server-to-server (S2S) trust | The server-to-server (S2S) trust that helps enable trusted communications and data exchange between SharePoint Server 2013 and SharePoint Online is built on the Open Authorization 2.0 (OAuth 2.0) web authorization protocol, shared Security Token Service (STS) certificates, and Azure AD, which acts as a trusted token signer for user claims. In the one-way inbound and two-way topologies, inbound communications and content requests from SharePoint Online are encrypted with an SSL certificate and pre-authenticated using client certificate authentication. |
| Service integration | Productivity service integration between SharePoint Server 2013 and SharePoint Online services such as Search, Business Connectivity Services (BCS), and Duet Enterprise Online is dependent on new features and integration support included in SharePoint Server 2013. |

Use this table to find the planning and deployment content you need to deploy a specific hybrid solution.

 

| SharePoint hybrid solution | SharePoint hybrid solution content | Prerequisite hybrid topology | Planning and deployment content | Reverse proxy content |
| --- | --- | --- | --- | --- |
| SharePoint Search | Display hybrid search results in SharePoint Server 2013 | One-way outbound | Plan a one-way outbound hybrid topology; Configure a one-way outbound hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013 | Not applicable |
| SharePoint Search | Display hybrid search results in SharePoint Online | One-way inbound | Plan a one-way inbound hybrid topology; Configure a one-way inbound hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013 | Configure a reverse proxy device for SharePoint Server 2013 hybrid |
| SharePoint Search | Display hybrid search results in SharePoint Server 2013 AND Display hybrid search results in SharePoint Online | Two-way | Plan a two-way hybrid topology; Configure a two-way hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013 | Configure a reverse proxy device for SharePoint Server 2013 hybrid |
| Business Connectivity Services | Deploy a Business Connectivity Services hybrid solution in SharePoint 2013 | One-way inbound or Two-way | Plan a one-way inbound hybrid topology; Configure a one-way inbound hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013; or Plan a two-way hybrid topology; Configure a two-way hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013 | Configure a reverse proxy device for SharePoint Server 2013 hybrid |
| Duet Enterprise Online | Configure hybrid Duet Enterprise Online for SharePoint Server 2013 | One-way inbound or Two-way | Plan a one-way inbound hybrid topology; Configure a one-way inbound hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013; or Plan a two-way hybrid topology; Configure a two-way hybrid topology; Configure identity management for a hybrid topology in SharePoint Server 2013 | Configure a reverse proxy device for SharePoint Server 2013 hybrid |

 


Record your topology choice in the Authentication topology row of Table 2 of the worksheet.

© 2014 Microsoft