NHSmail Address Book Synchronisation Deployment Guide

Copyright © 2018 NHS Digital

NHSmail Address Book Synchronisation Deployment Guide November 2018

Version 1

NHSmail Address Book Synchronisation Deployment Guide

Copyright © 2018 NHS Digital 2

Contents

1 Overview 3

1.1 Document Conventions 3

1.2 Intended audience 3

2 Introduction 4

3 Pre-requisites for the TANSync Server 7

3.1 Hardware specification 7

3.2 Account Permissions 7

3.3 Ports and traffic flows 8

3.4 Pre-requisite software installation 8

4 TANSync installation 12

4.1 Installation of MIM Synchronization Service 13

4.2 Configuration of TANSync components 22

5 Post Installation of TANSync 52

5.1 Initial Synchronisation Cycle 52

5.2 Enable Provisioning 53

5.3 Configure Provisioning for Address Book Sync 54

6 Address Book Sync Operations 56

6.1 Running a Profile 56

6.2 Synchronisation of Data from NHSmail to Active Directory 57

6.3 Synchronisation of Data from Active Directory to NHSmail 57

6.4 Cleaning Old Run History 58

7 Schedule Automated Synchronisation 59

8 Appendix 63

8.1 Pre-deployment Consideration Items 63

8.2 Pre-Configuration Questionnaire 64

8.3 Advanced Rule Extensions 65

8.4 Configuration of File Connector 66

8.5 Proxy Configuration 71

8.6 Common Issues 71



1 Overview

1.1 Document Conventions

The following methods are used below to highlight important information within the document:

! Design Decision

This box highlights where we have made a decision on the design. The text above the box will explain the decision.

* Note

This box indicates information not directly related to the design.

! Important note

This box highlights critical information.

1.2 Intended audience

This document is intended for partner organisations who will be federated with the NHSmail platform and describes the configuration process for the TANSync solution, an Identity Manager Solution which enables organisations to synchronise local data with the NHSmail Application Programme Interface (API). This solution has been created based on Microsoft Identity Manager (MIM) 2016.

This document has been produced for a technical audience who have an understanding of the installation of Microsoft products and have experience working with identity products such as Identity Lifecycle Manager (ILM), Forefront Identity Manager (FIM) or MIM.

This document serves as a guide on how to build and configure MIM, which will be independent of all other servers.



2 Introduction

The TANSync Address Book Sync solution is available for organisations wishing to synchronise contact information with the NHSmail platform. TANSync pulls information from the NHSmail Portal into the local Active Directory as well as pushes information from the local Active Directory into the Portal which then synchronises the information into the NHSmail Exchange and Active Directory infrastructure.

The below diagram explains the high-level architectures and synchronisation flows for address book synchronisation.

Figure 1 – Address Book Synchronisation with separate SQL instance

`

Active Directory

Exchange

Service Bus

TANSync v2

Active Directory

NHSmail 2 Portal API Service

Federated Organisation

Accenture

Direction of Synchronisation

User

Contact

Shared Mailbox

SQL Serverr



Figure 2 – Address Book Synchronisation with SQL instance on the same server

* Note

Resource mailboxes are treated as shared mailboxes by TANSync.

! Important note

TANSync only communicates with an organisation’s on-premise Active Directory, hence enabling contact objects created by TANSync for Exchange or Skype For Business (or Lync) will need to be handled by the organisation’s infrastructure administrator.

The table below describes the data fields provided to the federated organisations.

Object Type Data Fields

User Id

Title

JobTitle

FirstName

LastName

DisplayName

OfficePhone

Fax

MobilePhone

`

Active Directory

Exchange

Service Bus

TANSync v2

Active Directory

NHSmail 2 Portal API Service

Federated Organisation

Accenture

Direction of Synchronisation

User

Contact

Shared Mailbox



Pager

EmailAddress

SipAddress

OrganisationName

OrganisationUnitName

SiteName

Country

Shared mailboxes (including resource mailboxes)

Id

DisplayName

EmailAddress

OrganisationName

OrganisationUnitName

Country



3 Pre-requisites for the TANSync Server

This section describes the pre-requisites and installation of the additional software ready for the deployment of TANSync.

* Note

It is not recommended to deploy TANSync on a Domain Controller.

It is recommended to install SQL Server on the same server as TANSync. However, if the organisation has got SQL cluster infrastructure, that can be used for TANSync as well.

3.1 Hardware specification

If SQL instance is installed on the same server.

Site Requirement Operating System Minimum system specification

Quantity

Partner Organisation Premises

TANSync MIM Synchronisation Server

Microsoft Windows 2012 R2

2 Core

16GB RAM

150GB disk

1Gbps network

1

If SQL instance is installed on a separate server.

Site Requirement Operating System Minimum system specification

Quantity

Partner Organisation Premises

TANSync MIM Synchronisation Server

Microsoft Windows 2012 R2

2 Core

16GB RAM

100GB disk

1Gbps network

1

3.2 Account Permissions

There are different permission levels for accounts used to install the TANSync Server.

Partner Organisation to provide

• An account which has Local Administrator privilege (for log-on and installation purposes). If external SQL instance is used the account requires Server Administrator (SA) role on the SQL instance to create Synchronization Service database during installation.

• A service account which has the following permission on Active Directory:

a. Full Control on the target container in Active Directory

(This object and all descendant objects)



b. Replicating Directory Changes on the Domain

(https://support.microsoft.com/en-gb/help/303972/)

NHSmail to provide:

• A service account which has the following roles in the NHSmail Portal (this account

will be provided by a Portal administrator):

a. EXTERNAL_CONNECTOR_USER_READ on address book sync partner

organisations within the Portal.

b. EXTERNAL_CONNECTOR_CONTACTS_READ_DEL_UPDATE on the organisation created for writing back contacts to the Portal

3.3 Ports and traffic flows

TANSync communicates with the NHSmail API over the encrypted TCP port 443 and uses outbound connections only. This is much more secure and does not require an organisation to expose their internal network to the NHSmail Service.

Source Destination Protocol Port Direction

TANSync Server NHSmail API (https://portal.nhs.net/api)

TCP and UDP 443 Outbound Initiated

TANSync Server Active Directory TCP and UDP 389 Outbound Initiated

! Important note

If the organisation requires Proxy for accessing the Internet, please refer to Appendix Section 8.4 for proxy configuration on TANSync server. The following endpoints should be configured in the Proxy whitelist:

http://portal.nhs.net – portal endpoint https://fs.nhs.net – authentication endpoint

3.4 Pre-requisite software installation

! Important note

If SQL Express is not required and a separate SQL instance is to be used, install SQL Native Client (Microsoft® SQL Server® 2012 Native Client) on the TANSync server for connectivity with that SQL instance.

Microsoft .NET 3.5, an installable windows feature, must be installed before the TANSync

server can be installed.

This section describes the TANSync package and how to install the product.

https://support.microsoft.com/en-gb/help/303972/

http://portal.nhs.net/

https://fs.nhs.net/



Steps Description

Launch Server Manager

Navigate to Dashboard

Select Add roles and Features

Select Next



Select Next

Select Next



Select Next

Select .Net Framework 3.5 Features



Select Install to start the installation

4 TANSync installation

The TANSync package can be obtained at the following location:

https://s3-eu-west-1.amazonaws.com/comms-mat/TANSync/TANSyncPackage_AddressBookSync.zip

TANSync is based on Microsoft Identity Manager 2016, which is included as a part of the standard Windows Server 2012 R2 licence.

! Important note

It is highly recommended to use SQL Server 2014 Standard or above instead of the included in the package SQL Express 2014.

SQL Express 2014 should only be used if the number of objects in the synchronisation scope is smaller than 20000 or testing purposes.

The Package contains the following sources:

Component Description

SQLExpress SQL Express 2014

Synchronisation Service Microsoft Identity Manager 2006 Synchronization Service

TANSync Configurations A set of preconfigured Management Agents to be imported into the synchronization service

TANSync Extensions A set of management agent extensions required for TANSync

RunScripts The scripts that runs the synchronization profiles in specific orders

https://s3-eu-west-1.amazonaws.com/comms-mat/TANSync/TANSyncPackage_AddressBookSync.zip



Refer to Appendix Section 8.1 for the summary of the configuration items required for Address Book Synchronisation.

! Important note

Before unzipping the TANSync package, it is highly recommended to unblock it to avoid further complication during deployment due to Windows blocking the execution of the components:

1) Right click on the zip file 2) Select Properties 3) Click on Unblock button at the bottom

4.1 Installation of MIM Synchronization Service

4.1.1 Install SQL Instance

This section describes the installation process for SQL Express 2014.

! Important note

If SQL Express is not required, install the organisation approved full version of SQL Server.

Install SQL Native Client on the TANSync server and skip to the next section.



Steps Description

Launch Setup.exe to start installation process

Select New installation or add features to an existing installation

Accept the license terms and select Next



Select Next

Select Default Instance

Select Next



Select Next

Add users who require Server Administrator access to the SQL instance

Select Next

Select Next



Select Close to complete the installation

4.1.2 Install Microsoft Identity Manager Synchronization Service

This section describes the installation process for Microsoft Identity Manager 2016 Synchronization Service.

Steps Description

Launch Setup.exe to start installation process



Accept the terms in the License Agreement and select Next

Select Next



If SQL server is not installed on the current server, select a remote machine and specify the machine name DNS name.

If SQL instance name is different from the default MSSQLServer, select a named instance and specify the name before selecting Next.

Otherwise leave everything as default.

Select Next

Enter the service account details

Note: enter the NETBIOS name instead of Domain name

Select Next



Enter the Security group’s details and select Next

Note: the security groups will be created locally on the machine.

Select Enable firewall rules for inbound RPC communications

Select Next



Select Install

When asked, select OK

After installation Select OK when asked to backup SQL database key

Select a location and back up the key

Select Finish



4.2 Configuration of TANSync components This section describes configuration of management agents required for the TANSync solution. The order of configuration is vital for maintaining the required precedence for attribute flow. This means that the TANSync Management Agent should be configured last.

Step Description

Copy all files from TANSync Extensions folder to C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions

4.2.1 Default Data Fields Mapping

The following table describes the default pre-configured attribute mapping between NHSmail and Active Directory:

NHSmail Object Type

NHSmail Data Field Active Directory Object

Active Directory Attribute Synchronisation Flow Direction

User Id Contact ExtensionName From NHSmail to Organisation AD

Title personalTitle From NHSmail to Organisation AD

JobTitle title From NHSmail to Organisation AD

FirstName givenName From NHSmail to Organisation AD

LastName sn From NHSmail to Organisation AD

DisplayName displayname From NHSmail to Organisation AD

OfficePhone telephoneNumber From NHSmail to Organisation AD



Fax facsimileTelephoneNumber From NHSmail to Organisation AD

MobilePhone mobile From NHSmail to Organisation AD

Pager pager From NHSmail to Organisation AD

EmailAddress otheMailbox From NHSmail to Organisation AD

SipAddress otherIpPhone From NHSmail to Organisation AD

OrganisationName company From NHSmail to Organisation AD

OrganisationUnitName Department From NHSmail to Organisation AD

SiteName l From NHSmail to Organisation AD

Country co From NHSmail to Organisation AD

Shared Mailbox (including resource mailbox)

Id Contact extensionName From NHSmail to Organisation AD

DisplayName displayName From NHSmail to Organisation AD

EmailAddress otherMailbox From NHSmail to Organisation AD

OrganisationName company From NHSmail to Organisation AD

OrganisationUnitName department From NHSmail to Organisation AD

Country co From NHSmail to Organisation AD

Contact Id User extensionName From NHSmail to Organisation AD

Title personalTitle From Organisation AD to NHSmail

FirstName givenName From Organisation AD to NHSmail

LastName sn From Organisation AD to NHSmail

OfficePhone telephoneNumber From Organisation AD to NHSmail

Fax facsimileTelephoneNumber From Organisation AD to NHSmail

MobilePhone mobile From Organisation AD to NHSmail

Pager pager From Organisation AD to NHSmail

EmailAddress mail From Organisation AD to NHSmail

SipAddress otherIpPhone From Organisation AD to NHSmail

Organisation <constant organisation code> From Organisation AD to NHSmail

4.2.2 Metaverse Schema Configuration

The steps below describe how to remove the default Metaverse schema in order to configure the correct one required for TANSync.



Step Description

Launch Synchronization Service Manager

Select Tools and select Options

Select Enable metaverse rules extension

Select Browse to select Metaverse rule extension



Step Description

Select MVExtension.dll and select OK

Create an empty object type. This will allow deleting all default object types from Metaverse schema

On Metaverse Design tab, select Create Object Type from Actions list



Step Description

Enter “a” and click OK

On Metaverse Design tab, delete all default object types.

Select an object type and select Delete Object Type on the right-hand side.

When ask, select Yes to confirm.

Repeat this for all object types



Step Description

On Metaverse Design Tab

Select Action from the top

Choose Import Metaverse Schema

Find and select file MVSchema.xml from ‘TANSyncPackage/ TANSync Configurations’ and select Open

Select OK



Step Description

Delete the empty object type (“a”) created above

Select each of the object type and select Configure Object Deletion Rule and select Rule Extension



Step Description

Finish

4.2.3 Active Directory Management Agent Configuration

This section describes the steps to deploy Active Directory Management Agent to MIM Synchronization Service and is only applicable to organisations with Active Directory as the data source.

A service account with the security permission detailed below needs to be created in Active Directory to run the Management Agent. (Described in section 3.2)

• Full Control to the Organisational Unit containing the target users (This object and all descendant objects)

• Replicating Directory Changes to the Domain

* Note

TANSync will be configured to access 2 Active Directory containers in this section as an example. These will need to be configured to match the organisation’s Active Directory container structure.

• SyncContacts – the container where Portal contacts will be written to.

• OrganisationUsers – the container containing users whose details will be written to the NHSmail Portal.

! Important note

If Contact write back to Portal is not required, then do not configure the OrganisationUsers equivalent container.



Step Description

Launch MIM Synchronization Service Manager

At Management Agents Tab select Actions and select Import Management Agent

Find and select ADMA.xml file from ‘TANSyncPackage/ TANSync Configurations’ and select Open

Select Next



Enter Forest name (FQDN), Service Account name and password, Domain name (NETBIOS)

Select Next

Select the Domain Distinguished Name from Existing Partitions section to replace DC=partner-org,DC=local with and click on button Match

Select the remaining and click Deselect

Select OK



Click on button Containers to configure the target Container

Expand and select the target Container

Select OK

Note: The illustration is an example and this might be different depending on the Active Directory architecture of the organisation.

OrganisationUsers is the container where user details will be read from. Do not configure this if the user data is not to be shared with NHS.

SyncContacts is the container where NHSmail contacts will be written to.



Select Next

Select Next



Select Next

Select required attributes (tick “show all” to show more)

Select Next



Configure filter for user objects if required and select Next

Select Next

Note: Your rule configuration may look different to the image, this is not an issue and you can continue with your installation



Configure attribute mapping for your organisation

Verify the attributes of connector space and check that metaverse objects are mapped correctly to make sure that the values are written to the right attributes in the Active Directory

Note: change the Organisation code constant to the correct one.

You can also set up “advanced mapping” by checking “Advanced” under “Mapping Type” and clicking “Edit”

Here you can set up a constant value for an attribute



Select Next

Select OK or Finish to complete

4.2.4 TANSync Management Agent Configuration

This section details the configuration of the management agent for TANSync. TANSync Management Agent reads users and shared mailboxes in the Portal using the API service.



Step Description


Select Management Agents

Select Action

Choose Import Management Agent

Find and select file TANSyncMA.xml and select Open



Select Next

Select Refresh interfaces

Select Next



Specify Service Account (will be provided to you) for connecting to the Portal API service

https://portal.nhs.net/api

Make sure Address Book Synchronisation is selected

Specify full path of a log file location

For example: C:\TANSyncLog\ tansynclog.txt

Make sure the MIM Synchronization Service account has full permission to the directory of the file.

Verbose option gives more detailed logging, if not selected only errors will be recorded

Select Next

Leave the configuration blank

Select Next




Select Next

Select Next



Select Next

Select Next



Select Next

Select Next



Select Next

Select Next



Select Finish

4.2.5 TANSyncWriteBack Management Agent Configuration

This section details the configuration of the management agent for TANSyncWriteback. TANSyncWriteback Management Agent creates contacts in the Portal using the API service.

Step Description





Select Action


Find and select file TANSyncMAWriteBack.xml and select Open

Select Next



Select Refresh interfaces

Select Next

Specify Service Account (will be provided to you) for connecting to the Portal API service


Make sure Address Book Synchronisation is selected

Specify full path of a log file location

For example: C:\TANSyncLog\ tansyncwritebacklog.txt

Make sure the MIM Synchronization Service account has full permission to the directory of the file.

Verbose option gives more detailed logging, if not selected only errors will be recorded

Select Next




Leave the configuration blank

Select Next

Select Next



Select Next

Select Next



Select Next

Select Next



Select Next

Select Next



Select Next

Select Finish

5 Post Installation of TANSync

5.1 Initial Synchronisation Cycle Run the profiles listed below in the following order, ensuring there are no errors:

Order Management Agent Run Profile

1 TANSyncMA Full Import

2 ADMA Full Import

3 TANSyncMAWriteBack (If applicable) Full Import

4 TANSyncMA Full Sync



5 ADMA Full Sync

6 TANSyncMAWriteBack (If applicable) Full Sync

5.2 Enable Provisioning

* Note

To start provisioning objects to Active Directory and the NHSmail Portal it is necessary to enable Provisioning Rule Extension in MIM.

This section describes the steps to enable provisioning of MIM Synchronization Service.

Step Description


Select Tools and select Options

Select Enable metaverse rules extension

Select Browse to select Metaverse rule extension



Select MVExtension.dll and select OK

Select Enable Provisioning Rules Extension

Select OK

5.3 Configure Provisioning for Address Book Sync To configure the provisioning please find and edit file:

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\TANSyncMA.cfg



The following table describes the configuration items in the file:

Item Description Default Values

LogFile: The file where the provisioning logs will be written to. Make sure the MIM Synchronization Service account has full permission to the directory of the file.

C:\TANSyncLog\TANSyncExtensionLog.txt

OperationMode: This specify the mode TANSync performs in

AddressBookSync

ProvisionTo: Specifies the names of Management Agents where objects will be provisioned to

TANSyncMAWriteBack,ADMA

OUPath: The Distinguished Name of the container where contact objects will be created in.

OU=SyncContacts,DC=partner-org,DC=local

* Note

To comment out configuration item use ‘#’ in the beginning of the line in the file



6 Address Book Sync Operations

6.1 Running a Profile To run a profile on a Management Agent, perform the following steps:

Step Description


On Management Agents tab, right click a Management Agent and select Run

Select the run profile and press OK to run



This section describes the steps to be performed for successful synchronisation of address book data between federated organisation and NHSmail.

! Important note

TANSync downloads and writes the data to Active Directory. However, enabling contacts in Exchange or Skype For Business will be performed by the organisation infrastructure administrator.

6.2 Synchronisation of Data from NHSmail to Active Directory This section describes the step to synchronise data from NHSmail to the organisation Active Directory.

Run the profiles listed below in the following order, ensuring there are no errors:


1 TANSyncMA Full Import

2 ADMA Delta Import

3 TANSyncMA Full Sync

4 ADMA Full Sync

5 TANSyncMA Export

6 ADMA Export

6.3 Synchronisation of Data from Active Directory to NHSmail

This section describes the step to synchronise data from the organisation Active Directory to NHSmail.

Run the profiles listed below in the following order, ensuring there are no errors:


1 ADMA Delta Import

2 TANSyncMAWriteBack Full Import

3 ADMA Full Sync

4 TANSyncMAWriteBack Full Sync

5 ADMA Export

6 TANSyncMAWriteBack Export



6.4 Cleaning Old Run History MIM Synchronization Service stores the logs of the previous synchronization profile runs in the database. This space can gradually fill up as time passes. It is good practice to clear these logs on a regular basis to reduce the memory footprint.

Also, if no longer required, remove the old synchronization and extension logs files created by TANSync. (These are configured in section 4.2.3, 4.2.4 and 5.2)

The following table describes the steps for clearing the profile runs history:

Step Description

Navigate to Operations in Synchronization Service Manager

Select Action and select Clear Runs



Select Clear runs before and specify the date and time

Deselect Save runs before clearing them if not required

Select OK to start clearing the runs

7 Schedule Automated Synchronisation

This section describes the steps to configure automated synchronization schedules. This schedule executes a script that starts the synchronisation run profiles on the management agents in specific order and will be configured in windows Task Scheduler.

For a successful execution of the schedule, a schedule task service account will be required.

Schedule task Service Account Permissions

• A member of MIMSyncAdmins group

• Permission to log on to the TANSync server

The schedule task will be configured to run script runSyncCycle.cmd provided in the TANSync package.

Step Description

Launch windows Task Scheduler

Select Create Task in Action section



In General Tab

Enter Name: Synchronisation Schedule

Enter Description:

TANSync Synchronisation schedule

Select the schedule service account

Select Run whether user is logged on or not

Select Run with Highest privileges

In Triggers Tab

Select New to create new triggers



Select the trigger settings. For example, Weekly on Saturday at 12:00:00 AM

Select Enabled

Click OK to complete the trigger creation

In Actions Tab

Select New to create a new action



Make sure Action is Start a program

Click Browse… to select the script runSyncCycle.cmd

Click OK to complete

Click OK to complete the schedule creation



8 Appendix

8.1 Pre-deployment Consideration Items

The table below lists the configuration items that need to be clear before the deployment:

Item Description Note

Implementation Actor Account

An account which has Local Administrator privilege (for log-on and installation purposes). If external SQL instance is used the account requires SA role on the SQL instance to create Synchronization Service database during installation.

Provided by the Organisation

Portal Service Account

A service account which has following roles in NHSmail Portal (this account will be provided by a Portal administrator):

• EXTERNAL_CONNECTOR_USER_READ on address book sync partner organisations within the Portal.

• EXTERNAL_CONNECTOR_CONTACTS_READ_DEL_UPDATE on the organisation created for writing back contacts to the Portal

This is a configuration item in TANSyncMA and TANSyncMAWriteBack Management Agents.

Provided by NHS

AD Forest Name Active Directory forest FQDN. This is a configuration item in Active Directory Management Agent (ADMA).


Domain NETBIOS name

Domain name. This is a configuration item in Active Directory Management Agent (ADMA).


AD Service Account

A service account which has the following permission on Active

Directory

• Full Control on the target container in Active Directory (This

object and all descendant objects)

• Replicating Directory Changes on the Domain

This is a configuration item during installation of Microsoft Identity

Manager.

Provided by the

Organisation

AD Container for NHSmail contacts

A container in Active Directory to store NHSmail contacts read from the Portal. This is a configuration item in Active Directory Management Agent (ADMA).


AD Container for reading organisation user details from

A container where the data will be read from to write into the NHS Portal. This is a configuration item in Active Directory Management Agent (ADMA).


Configuration xml files

The configuration xml files provided for importing the configuration to Microsoft Identity Manager to set up TANSync for Address Book Synchronisation

Provided by NHS

Extension Binaries

The binaries provide to extend the Address Book Sync functionalities to Microsoft Identity Manager

Provided by NHS

Portal API Endpoint

The Portal API service connection point. https://portal.nhs.net/api.

This is a configuration item in TANSyncMA and TANSyncMAWriteBack Management Agents.

Provided by NHS

TANSyncMA log file

The log file path with the file name for storing logs form TANSyncMA. The log by default will only contain error messages. However, if verbose option is selected the log will contain more





details on each of the operations performed by the management agent code.

Make sure that the MIM service account has full permissions in the directory and to the children files.

This is a configuration item in TANSyncMA Management Agent.

TANSyncMAWriteBack log file

The log file path with the file name for storing logs form TANSyncMAWriteBack. The log by default will only contain error messages. However, if verbose option is selected the log will contain more details on each of the operations performed by the management agent code.

Make sure that the MIM service account has full permissions in the directory and in the children files.

This is a configuration item in TANSyncMAWriteBack Management Agent.


TANSyncMA.cfg configuration

This configuration file is used for configuring provisioning objects to data sources. The file contains the following configuration items:

LogFile, OperationMode, ProvisionTo, OUPath

More detail is in section 5.3.


Schedule Task service account

An account to run automated synchronisation schedule. Section 7. Provided by the Organisation

RunScripts The set of command line (cmd) and Visual Basic (vbs) scripts to run synchronisation profiles in specific orders. The scripts also delete the run histories that are older than 2 weeks.

This is a configuration item in task scheduler in Section 7.

Provided by the NHS

8.2 Pre-Configuration Questionnaire

The following are questions to gather important information required for the TANsync deployment:

# Question

1 Who is/are performing the deployment?

2 What is the Active Directory Forest Name?

3 What is the Active Directory Domain Name (Fully Qualified Domain Name and NETBIOS)?

4 What is TANSync server IP address?

5 What is TANSync server Fully Qualified Domain Name (FQDN)?

6 What is Remote Desktop Protocol (RDP) port to the TANSync server?

7 What is SQL IP address?

8 What is SQL FQDN?

9 What is the Deployment Actor account details (login and password)?

10 What is the MIM service account details (login and password)?

11 What is the Distinguished Name of the Container to store NHSmail contacts in AD?



12 What is the Distinguished Name of the Container(s) to read organisation user data from to upload to NHSmail?

13 What is the TANSyncMA log file details (path and file name)? (if applicable)

14 What is the TANSyncMAWriteBack log file details (path and file name)? (if applicable)

15 What is the TANSync extension log file details (path and file name)? (if applicable)

16 What are the changes to the default data fields between NHSmail and AD mappings? (if applicable)

8.3 Advanced Rule Extensions

Rule extensions can help modify the attribute values of a data source and this section describes the developed rule extensions and their uses.

* Note

To define the rule in the attribute flow, use the following format:

<Rule Extension Name>:<Datasource Attribute Name>-<Metaverse Attribute Name>

Rule Extension Description Note

nameFormat This rule extension helps changing the data format to the correct Name format. I.E. first letter is in uppercase and the following is in lowercase.

Example

Configurable in Attribute Inbound Flows

ToLowerCase This rule extension transforms data to lowercase

Example


trimSip This rule extension removes the sip: suffix to allow NHS Portal API to process

Example


trimWhiteSpace This rule extension removes white spaces from the data.

Example


reduceLengthTo64 This rule extension truncate data to 64 characters.

Example


sip:



8.4 Configuration of File Connector

In the situation where writing directly to Active Directory is not possible a FileConnector management agent is provided for writing data downloaded from NHSmail into a file for further processing.

This section describes how to setup the FileConnector management agent.

* Note

This management agent will produce file “C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Data\Export.csv” on every Export. The file contains the NHSmail contact data.

The management agent cannot be used to provide TANSync with organisation user’s data to write back to NHSmail.

Step Description



Select Action




Find and select file TANSyncMA.xml and select Open

Select Next

Select Next



Select Next

Select Next



Select Next

Select Next



Select Next

Select Finish to complete

Configure FileConnector for provisioning

• Open file C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions\TANSyncMA.cfg

• add FileConnector to ProvisionTo configuration item.

• Remove ADMA from ProvisionTo configuration item. (if provisioning to Active Directory is no longer required)

For Example:

ProvisionTo: TANSyncMAWriteBack,FileConnector



8.5 Proxy Configuration

If you are using an outbound proxy for connecting to the Internet, add the following configuration to the file:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config

This text must be entered at the bottom of the file. In this code just before </configuration>

<system.net>

<defaultProxy>

<proxy

usesystemdefault="true"

proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"

bypassonlocal="true"

/>

</defaultProxy>

</system.net>

8.6 Common Issues

This section details the common issues which may occur when installing, configuring and running the TANSync solution.

Account permission issues Description: Installation with an account that does not have sufficient permission. Fix: The account needs to have local admin privilege on the local machine to install TANSync. The process needs to be run as Local Administrator. Description: Unable to install TANSync when using an external SQL instance. Fix: If the user wants to use an existing SQL Instance, they need to have an SA privilege on the SQL and use the existing SQL details during installation of MIM Synchronization Service. Schedule task account issues Description: The schedule task cannot run synchronization. Fix: The schedule task account needs to have the correct permissions and a member of MIMSyncAdmins group to run the synchronisation. Installation issues Description: Installation of MIM Synchronisation Service failed due to missing .Net 3.5 framework. Fix: ensure you have installed the prerequisite .Net 3.5. Synchronisation Issues Description: Connection failures during synchronisation. Fix: Ensure the service account password is correct and if expired refresh the password and reconfigure the management agent that failed.

Description: Unable to run any synchronisation run profile on TANSyncMA or TANSyncMAWriteBack.



Fix: Ensure all files in C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions are unblocked.

Description: Exception when running synchronisation profiles on TANSyncMA or TANSyncMAWriteBack. Fix: Ensure the MIM synchronisation service account has got full permission to the log folders (specified during configuration stages) and all the files in them.

NHSmail Address Book Synchronisation Deployment Guide

Documents