skype for business cloud connector edition v1.0


Skype for Business Cloud Connector Edition

Planning and Migration Guide

Version 1.0

© 03.03.2016, Thomas Pött, MVP Office Server (Skype for Business)

contact: via the contact form on http://lyncuc.blogspot.com


Index

- Introduction of Cloud Connector Edition
  - Tenant support in Office 365
- Cloud Connector Active Directory Forest
- Cloud Connector (CCE) Topologies
  - CCE SBA in planning
  - High Availability
  - Multi-Site deployment
- Migration to Cloud PBX with Cloud Connector Edition
  - Greenfield
  - Skype for Business with Enterprise Voice on-premise
    - Target: native Cloud Connector Edition
    - Target: Cloud Connector Edition with Office 365 Calling Plan (Cloud Voice Users)
    - Target: Cloud Connector Edition + Skype for Business partial Enterprise Voice (on-premise)
    - Target: Cloud Connector Edition + Office 365 Calling Plan (Cloud Voice Users) + Skype for Business partial Enterprise Voice (on-premise)
  - Summary
- Infrastructure requirements for Cloud Connector Edition
  - Physical infrastructure
  - Logical infrastructure
    - DNS
    - Certificates externally
    - Certificates internally
    - Firewall Port Configuration


Release Notes:

The technical level of this document is 200. It requires knowledge of Skype for Business Server, Office 365, certificate authorities and general knowledge of Office 365 hybrid configurations.

The newly announced Skype for Business feature called Cloud Connector Edition (CCE) was recently published. This article describes the planning considerations for simple and complex CCE deployments, and it covers Active Directory synchronization for hybrid Office 365 installations.

CCE will be delivered as a downloadable Virtual Machine environment designed only for Microsoft Hyper-V on Windows Server 2012 R2. Microsoft offers no physical PSTN gateways; these have to be integrated from 3rd-party vendors.

Note:

This document is neither a sizing nor a configuration guide. Use it only for environment planning purposes and design considerations. In larger environments you should spend some time evaluating the optimal path for your PSTN deployment.


Introduction of Cloud Connector Edition

Our first look is at the changed setup, or as some may say the common setup, for a hybrid Skype for Business deployment. The hybrid setup is literally nothing different from a regular on-premise deployment connected to the Office 365 tenant.

We have to deploy the on-premise system as we did in the past, including the dedicated DMZ servers, i.e. the Edge and Reverse Proxy servers. The two environments are then combined, meaning federated.

This is still valid if you have the E5 plan and activate Cloud PBX. Cloud PBX enables the Enterprise Voice features in the cloud.

I don't go further into the hybrid configuration, where you have users in the Cloud and On-Premise, nor do I look into the correct licensing, apart from noting that with the E5 plan your users are entitled to Enterprise Voice.

Figure: classic hybrid deployment. On Premise: PSTN, users, SIP PBX or provider gateway, Skype for Business, Edge, Reverse Proxy; Office 365 including Skype for Business Online (E5 Plan): Cloud PBX users.

As we see, we still require the on-premise servers to be set up and configured as usual, which leads us to the question of consultancy and integration services. In other words, here we don't see any changes. The work is still identical to what we had in the past, also with Lync 2013.

Simplifying a deployment, especially while we move towards the cloud, is a defined goal.

The simplification asked for is:

- It does not require a full on-premises Skype for Business Server deployment.
- It is available worldwide.
- Your users are homed online.
- You can keep your current PSTN carrier if required.
- You can purchase PSTN conferencing from Microsoft or from audio conferencing provider (ACP) partners.*

(*) Audio Conferencing is available in two possible methods: either you configure your own PSTN conferencing numbers, or you participate in the new Microsoft Cloud offering, where Microsoft provides a PSTN conferencing dial-in bridge.

How can we achieve this?

Microsoft and some vendors, e.g. SONUS, come with a perfect solution. The Microsoft answer is the Cloud Connector Edition for Skype for Business 2015.

If we identify the required on-premise components, we see the:


- Mediation Server Role (SIP to SIP, codec conversion)
- Edge Server Role (Access Edge, Media Relay, Media Relay Authentication MRAS, Outbound Routing and CMS replica)
- Central Management Store (CMS) (File Transfer and on-premise topology)
- Domain Controller (if an on-premise AD exists, this is still present in parallel) *

(*) IMPORTANT NOTE

The AD for the CCE is independent of the on-premise AD and runs in its own forest. From the point of view of the Cloud Connector there is no connection to the local AD. Next is Azure AD: there is no issue with Azure AD if the CCE AD runs in parallel! The next important requirement is that users running Skype for Business 2015 Online in Office 365 who were moved into the Cloud MUST run EXCHANGE ONLINE!

# Enable the online user for Enterprise Voice and hosted voicemail (Exchange Online UM)
Set-CsUser -Identity $username -EnterpriseVoiceEnabled $true -HostedVoiceMail $true

A good question to ask now is why there is no Reverse Proxy Server. The explanation is that there are no internal Web Services present. This allows us to reduce the number of server roles further.

If those roles can be combined into a simplified deployment, we have reached our goals.

Figure: Cloud Connector combining the Mediation, Edge, Domain Controller and Central Management Store (CMS) roles.

NOTE:

Domain name for the internal components of Cloud Connector: this domain should be different from the production domain. The name can be the same across all instances of Cloud Connector.


Next we look at the simplified on-premise components based on the Cloud Connector Edition (CCE).

Figure: simplified deployment. On Premise: PSTN, users, SIP PBX or provider gateway, Cloud Connector Edition VMs; Office 365 including Skype for Business Online (E5 Plan): Cloud PBX users.

Also recommended for these straightforward deployments is a virtualization technology, e.g. Hyper-V. The "blue" CCE components are Virtual Machines only. We can position those VMs either on dedicated physical hosts, or we might be able to implement them on the SBC if it has an Intel infrastructure board integrated.

NOTE:

The on-premise users are not stored on the Cloud Connector, nor are Online Users replicated to the Cloud Connector. Put simply: there are NO users locally on the CCE. A local CCE user database is not present.


Tenant support in Office 365

Another point, raised mostly by companies offering customized services to their end customers, is whether a multi-tenant setup will be possible.

There is a clear answer on this topic: NO

Figure: two on-premise tenants (Tenant A and Tenant B, each with its own AD and Azure AD Sync/DirSync) sharing one Cloud Connector (CCE AD) towards the PSTN and a multi-tenant Office 365 with Azure AD. WARNING: this scenario is not supported and not possible. The external Access Edge DNS name must be UNIQUE across Office 365 tenants.

With Skype for Business, Microsoft withdrew the multi-tenant pack for hosters. Therefore this environment, which enabled configuration splits, is not available any longer, and there is no way right now to support CCE in those scenarios.

If you need a model where multiple parties are supported, you have to deploy one CCE in parallel for each tenant.


Cloud Connector Active Directory Forest

In any hybrid scenario the users are either one- or two-way synced between On-Premise and Azure AD in Office 365; with two-way sync the affected users MUST be administered from the On-Prem AD only!

Figure: on-premise users in AD synced to Office 365 with Azure AD via Azure AD Sync (DirSync).

Next we look at the scenario where an On-Premise Active Directory is present. The standard method in Office 365 is Azure AD Sync (DirSync) to the cloud. Now, with the Cloud Connector installed, the AD forest created on the CCE is another, totally different forest with no relationship to the On-Premise Active Directory (also NO TRUSTS). This is important.

Figure: on-premise users in AD synced to Office 365 with Azure AD via Azure AD Sync (DirSync), with the Cloud Connector Edition VMs in their own separate CCE AD. All users must be on Exchange Online, incl. UM.


Cloud Connector (CCE) Topologies

In the last chapter we discussed the Active Directory topologies; now we look at the Cloud Connector deployment topologies.

The topology includes high availability and site-based definitions.

First we look at the SIP Signaling and the Media Path.

The Media Path is defined as the client-to-Mediation-Server or client-to-gateway connectivity.

Figure: media path (client to the Cloud Connector Edition VMs and the SIP PBX or provider gateway) and SIP signaling path (client to the Cloud PBX in Office 365) in a single-site deployment. On Premise: PSTN, users, SIP PBX or provider gateway, Cloud Connector Edition VMs; Office 365 including Skype for Business Online (E5 Plan): Cloud PBX users.

Signaling can be seen as a function of the Cloud PBX feature, so we understand that the path must go from the device to the Cloud PBX and from there to the Mediation Server component. This is identical to any other form of deployment. The SIP flow is not fully visualized in detail, but as the Access Edge component must be involved, the signaling flows from the client internally to the Cloud PBX -> back to the Access Edge -> then to the Mediation Server.

Media, in contrast, was defined as going either to the Mediation Server or, with Media Bypass, to the gateway directly. At the time of writing this guide the Media Bypass feature is not available, but it might be implemented in later updates. (This differs from the on-premise deployment.)

Some requirements have to be considered:

- Per PSTN breakout at least one Cloud Connector Edition is required
- A single CCE instance can support up to 500 concurrent calls
- A maximum of 4 (3+1) CCEs can be deployed per PSTN breakout
- 3+1 refers to 3 CCEs for scalability and +1 for high availability

If the maximum number of PSTN calls is higher than 3x500 = 1500, you can deploy another site in parallel to the existing one.


CCE SBA in planning:

Since the hardware specs are tremendous, I asked for other options which would give the solution a better RoI, especially for smaller sites and customers.

As we remember from OCS, Lync and SfB, the on-premise solution offers Survivable Branch Appliances (SBA), a system design with an embedded SfB Server integrating the Mediation Server and a minimalistic Frontend Server, the Registrar only. It enables customers to still make and receive calls if a WAN failure occurs between the SBA location and the central SfB pool.

Authentication for users is handled by the User Communication MTLS certificate.

If we take a deeper look at the CCE, it looks similar, except that we need authentication integrated for servers, which is handled by the integrated Active Directory Domain Controller; a Mediation Server for audio transcoding; a smaller dedicated topology database, the minimalistic CMS; and the component for connections to the Office 365 SfB Online tenant, the Access Edge Server.

As we see, this similarity creates the possibility of an SBA-like CCE.

E.g. Sonus is investigating this setup right now, and I'm proud to announce this first.

Figure: On Premise (SITE LONDON) with PSTN, users and Cloud Connector Edition VMs on a Sonus SBA CCE; Office 365 including Skype for Business Online (E5 Plan) with Cloud PBX users.

Additionally, there is ongoing testing right now to support high concurrent call volumes. Here Sonus has tested a setup with 1000 concurrent calls on a single CCE with their own gateway.

To be fair to other vendors, this will be put into Microsoft's qualification list, and others will be able to develop similar solutions.


High Availability:

In the same way we must calculate the SLA / availability of a single site.

You can achieve 99.9% availability by running a 2+2 setup.

99.8% is achieved by either 1+1 or 3+1, which differ only in the maximum concurrent call volume.
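As an added worked example, not part of the original guide, the sizing rules from the topology requirements (500 concurrent calls per CCE instance, at most 3+1 instances per PSTN breakout, an additional parallel site beyond 1500 calls) and the availability figures of this section can be turned into a small planning function. The numbers are the guide's; the function and constant names, and the assumption that load is spread evenly across parallel sites, are mine.

```python
import math

# Figures as stated in the guide.
CALLS_PER_CCE = 500               # concurrent calls one CCE instance supports
MAX_INSTANCES_PER_BREAKOUT = 4    # "3+1": 3 for scalability, +1 for high availability
MAX_SCALE_INSTANCES = MAX_INSTANCES_PER_BREAKOUT - 1
# Availability per site as stated in the guide, keyed by "scale+spare".
# Layouts the guide gives no figure for are reported as None.
AVAILABILITY = {"1+1": 99.8, "2+2": 99.9, "3+1": 99.8}


def ha_options(scale):
    """All 'scale+spare' layouts that fit the 4-instance cap for a given
    number of scale instances, with the stated availability where known."""
    if not 1 <= scale <= MAX_SCALE_INSTANCES:
        raise ValueError(f"scale must be between 1 and {MAX_SCALE_INSTANCES}")
    options = []
    for spare in range(1, MAX_INSTANCES_PER_BREAKOUT - scale + 1):
        label = f"{scale}+{spare}"
        options.append((label, AVAILABILITY.get(label)))
    return options


def plan_breakout(peak_calls):
    """Plan the CCE deployment for one PSTN breakout.

    Returns the number of parallel sites needed, the calls each site has to
    carry (assumption: load is spread evenly across sites), the scale
    instances per site and the HA layouts available for that scale.
    """
    if peak_calls <= 0:
        raise ValueError("peak_calls must be positive")
    per_site_cap = MAX_SCALE_INSTANCES * CALLS_PER_CCE   # 3 x 500 = 1500 calls
    sites = math.ceil(peak_calls / per_site_cap)          # another site beyond 1500
    calls_per_site = math.ceil(peak_calls / sites)
    scale = math.ceil(calls_per_site / CALLS_PER_CCE)
    return {
        "sites": sites,
        "calls_per_site": calls_per_site,
        "scale_instances": scale,
        "ha_options": ha_options(scale),
    }


if __name__ == "__main__":
    for peak in (400, 1500, 1600, 3001):
        print(peak, "->", plan_breakout(peak))
```

For 1600 peak calls the function returns two sites of 800 calls each, two scale instances per site, and lists 2+1 (no availability figure given in the guide) and 2+2 (99.9%) as the HA layouts; for exactly 1500 calls it stays at one site with 3+1.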

Multi-Site deployment

If we have multiple sites deployed, the signaling stays the same. We only have the Cloud PBX feature in Office 365, so all initial communication has to go into the cloud first.

We will look at the two sites MUNICH and LONDON. The two sites have different breakouts, and here we see the setup.

If the target phone number can't be resolved through internal Reverse Number Lookup (RNL), it is defined as a PSTN call. Therefore the Voice Routes are taken into the loop. The call will be directed to the breakout location for the number, which in the first case is Munich, a German location. The client then establishes the Media Path through the Mediation Server component associated with the Munich site.

Figure: call to +49 89 123456789 from a user at SITE LONDON. SIP signaling goes to the Cloud PBX in Office 365 (Skype for Business Online, E5 Plan); media goes to the Cloud Connector Edition VMs and the SIP PBX or provider gateway at SITE MUNICH, which has the PSTN breakout for the number.


The next example explains the call routing via the second site, London. Assume the client initiates a call to a UK phone number and it is identified as such. Now the signaling has to follow the preferred Access Edge server of the identified CCE site, which is NOT the initial site in Munich but the second site in London. After the session initiation (INVITE), the SDP parameters tell the client the Mediation Server component chosen from the Voice Routes, which is London, and the Media Path will be established from the Client -> London Mediation Server -> London Gateway -> PSTN.

Figure: call to +44 20 87456321 from a user at SITE MUNICH. SIP signaling goes to the Cloud PBX in Office 365 (Skype for Business Online, E5 Plan); media goes to the Cloud Connector Edition VMs and the SIP PBX or provider gateway at SITE LONDON, which has the PSTN breakout for the number.

Note:

With on-premise ACP (Audio Conferencing PSTN) it stays similar, only that the conferencing component in the Cloud connects directly to the on-premise Cloud Connector Mediation Server component.
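The routing decision described for the Munich and London sites (Reverse Number Lookup first, then the Voice Routes choosing the breakout site, then the media path through that site's Mediation Server and gateway) can be modelled as below. This is an added example and not the guide's or Microsoft's code; the directory, the prefix-to-site table and the site names are constructed for illustration, and longest-prefix matching is my assumption about how the most specific route wins.

```python
import re

# Constructed sample data for the two-site scenario in the guide.
INTERNAL_DIRECTORY = {                   # RNL: E.164 number -> online user
    "+498912345600": "alice@contoso.example",
}
VOICE_ROUTES = [                         # E.164 prefix -> site holding the PSTN breakout
    ("+49", "MUNICH"),
    ("+44", "LONDON"),
]


def normalize(dialed):
    """Strip formatting and return an E.164 number ('+' followed by digits).
    A leading '00' international prefix is accepted; anything else raises."""
    digits = re.sub(r"[\s\-().]", "", dialed)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if not re.fullmatch(r"\+[1-9]\d{6,14}", digits):
        raise ValueError(f"not an E.164 number: {dialed!r}")
    return digits


def select_route(dialed, directory=INTERNAL_DIRECTORY, routes=VOICE_ROUTES):
    """Decide where a call goes.

    1. Reverse Number Lookup: a number that belongs to an online user stays
       internal (no PSTN leg at all).
    2. Otherwise the Voice Routes pick the breakout site; the longest
       matching prefix wins.
    3. No matching route: the call is rejected rather than sent anywhere.
    """
    number = normalize(dialed)
    if number in directory:
        return {"kind": "internal", "target": directory[number],
                "media_path": ["client", "peer client"]}
    best = None
    for prefix, site in routes:
        if number.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, site)
    if best is None:
        return {"kind": "rejected", "target": None, "media_path": []}
    site = best[1]
    # Signaling always goes client -> Cloud PBX -> Access Edge -> Mediation;
    # media (no Media Bypass available yet) terminates on the site's Mediation Server.
    return {
        "kind": "pstn",
        "target": site,
        "media_path": ["client", f"{site} Mediation Server", f"{site} gateway", "PSTN"],
    }


if __name__ == "__main__":
    for dialed in ("+49 89 123456789", "+44 20 87456321", "0049 89 12345600", "+1 555 0100"):
        print(dialed, "->", select_route(dialed))
```

The rejection branch matters for planning: a number with no Voice Route should fail closed instead of falling through to some default breakout, which is also where toll-fraud controls on the gateway would otherwise have to catch it.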


Migration to Cloud PBX with Cloud Connector Edition

Migration can be quite tricky. There are multiple scenarios from which we can move towards Cloud PBX with CCE.

I try to describe the common scenarios and discuss possible difficulties, starting with a greenfield setup; the other possible migration scenarios require at least an Office 365 deployment and a Skype for Business setup.

Note:

This section of the CCE guide will be continuously updated, and we hope to see a lot of changes coming.

Greenfield

What does greenfield mean?

Assume you didn't run any LCS, OCS, Lync or Skype for Business software on-premise in the past and want to make use of the current release of Microsoft Unified Communication software.

You simply activate an Office 365 tenant and enable the Cloud users for Skype for Business there. Once you have them enabled, you start rolling out CCEs into the locations where you have the PSTN breakout and/or PBX systems ready for migration.

Most likely in this scenario you will have a PBX system in place. This can be any classic PBX like Avaya, Lucent or others, and you could also operate other UC software, like Cisco CUCM or others.

If you want to migrate, here is the scenario.

First you place a PSTN Gateway in between your PSTN breakout and your PBX. If you do so with e.g. SONUS, since these devices are configured in automatic bypass mode, they will be fully transparent after the insertion. This is helpful, because you do not yet have any Office 365 Skype for Business Online user activated for enterprise voice.

I assume you have the online Dial Plans and Voice Policies ready.

The next step will be the phone number migration.

You configure the identical phone number a user has on the classic PBX now in Office 365.

Three migration steps run in parallel:

- Configuring the GATEWAY to point this dedicated number to the CCE (Cloud PBX)
- Removing the phone number and user from the PBX and defining this number to be directed externally (from here the gateway can pick up the call from the PBX and direct it to the CCE)
- Now activating the Office 365 user for Cloud PBX with the same phone number as was assigned on the classic PBX


Figure: Phone Number Migration to Cloud PBX with CCE. On Premise (SITE LONDON): users, AD with Azure AD Connect / Azure AD Sync (DirSync) syncing on-premise users to Office 365, Cloud Connector Edition VMs, and a Sonus gateway doing destination-based call routing towards the PSTN; Office 365 including Skype for Business Online (E5 Plan) with Cloud PBX users (all users must be on Exchange Online, incl. UM), the PSTN, and an Audio Conferencing Provider / Microsoft Bridge.

Note:

Some PBXs have a head number reservation configuration, meaning a dedicated number range is reserved by the PBX and calls within this range can't be routed outside the PBX. If this is the case, contact your vendor and find a workaround, e.g. shrinking the head number, or defining fake numbers in the PBX which are then masked on the gateway.

Skype for Business with Enterprise Voice on-premise

Simply put, I have to state:

If you need Skype for Business on-premise Voice and can't move to Cloud PBX + CCE yet, you have to consider a classic SfB hybrid solution utilizing pools, sites and SBAs, while still benefiting from Meeting Broadcasts and e.g. Microsoft's upcoming ACP for PSTN conferencing. This increases your RoI, and you might be able to consolidate your on-premise deployment in the near future.

Target: native Cloud Connector Edition

Moving towards native Cloud PBX with CCEs only. Since the setups below are not supported, there is only one possible solution: you have to move all SfB users to SfB Online first.

From there you can deploy the CCE after you have fully decommissioned the SfB on-premise setup.

This is not a scenario you would like to offer to larger customers. But Microsoft is working on a solution, and I will keep you updated on this scenario.

Target: Cloud Connector Edition with Office 365 Calling Plan (Cloud Voice Users)

Not supported!

Target: Cloud Connector Edition + Skype for Business partial Enterprise Voice (on-premise)

Not supported!


Target: Cloud Connector Edition + Office 365 Calling Plan (Cloud Voice Users) + Skype for Business partial Enterprise Voice (on-premise)

Not supported!

Summary:

Writing a summary isn't that easy yet. As a result of the information above, I can highlight that you should dig into the CCE setup as soon as possible.

For greenfield customers, and for those where a "one shot" migration can be considered, the benefit of utilizing CCE deployments is huge.

If a smooth migration is required where on-premise Skype for Business is present, there is right now no way of coping with this task. You have to wait until some later release Microsoft is coming up with.

But again, if an on-premise classic PBX is present, please consider the CCE setup. It is a straightforward migration task, and it is quite simple to move all users into the Cloud, especially if you only utilize the presence, IM and AV p2p and conferencing services. The enhancement with enterprise voice can be seen as the next task in enhancing the services and user experience.


Infrastructure requirements for Cloud Connector Edition

Physical infrastructure

Our first look was at the components involved in the Cloud Connector. It will be delivered in the form of Hyper-V Virtual Machines (VMs) only. Each VM contains the featured server role from Skype for Business.

These are 4 VMs which require a dedicated physical host with a minimum of:

- 64-bit dual CPU, six cores each (12 real cores) at 2.5 GHz or higher
- 64 GB RAM
- 4x 600 GB 10k RPM 128 MB cache SAS 6 Gbps disks in RAID 5
- 3x 1 Gbps network adapter

At least 2 PSTN Gateways are recommended for redundancy.

Azure ExpressRoute between the sites and Office 365 is recommended; personally I would like to see it mandatory, as you need to ensure high-quality and reliable networks. If you run your own ACP, meaning you offer your own conferencing dial-in numbers on your CCE, audio is sent from the Skype for Business Online conferencing MCU down to and back from your CCE. This requires QoS to be integrated in your network, including towards the Office 365 tenant.

Note:

At the time of writing this article, smaller physical servers are under consideration if you will support fewer users; this will be confirmed soon.

Logical infrastructure

DNS

DNS is required externally for the Access Edge Server and the Media Relay (audio); video is not implemented for local breakouts. It must be ensured that the internal CCE servers can resolve internal DNS names, and that the Access Edge component can resolve external DNS names too. Therefore the Access Edge should resolve DNS externally and use a hosts file for internal DNS resolution (C:\Windows\System32\drivers\etc\hosts).

Note:

(An external tenant onmicrosoft.com DNS suffix is not supported!)

External DNS entries (also used for certificates):

- Access Edge: e.g. ACCESS.SIPDOMAIN.COM
- Media Relay: e.g. MEDIA.SIPDOMAIN.COM
- Data Proxy: e.g. DP.SIPDOMAIN.COM (not necessary for certificates)


Certificates externally

In addition to the DNS entries, we require a publicly signed SAN certificate in the form of:

- SN/CN: ACCESS.SIPDOMAIN.COM
- SAN: ACCESS.SIPDOMAIN.COM
- SAN: SIP.SIPDOMAIN.COM

If you have multiple SIP domains registered with Office 365 (not confirmed yet):

- SN/CN: ACCESS.SIPDOMAIN.COM
- SAN: ACCESS.SIPDOMAIN.COM
- SAN: SIP.SIPDOMAIN.COM
- SAN: SIP.SIPDOMAIN-B.COM
- SAN: ACCESS.SIPDOMAIN-B.COM

Note:

A wildcard is supported as SN=SIP.SIPDOMAIN.COM, SAN=SIP.SIPDOMAIN.COM + SAN=*.SIPDOMAIN.COM
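As an added example, not from the guide, the certificate requirements above (ACCESS and SIP names for every SIP domain, the CN repeated as a SAN, single-label wildcard coverage, no onmicrosoft.com suffix as noted in the DNS section) can be checked before a certificate request is submitted. The function names and the findings wording are mine; the name pattern ACCESS.<domain> / SIP.<domain> for each additional SIP domain follows the guide's not-yet-confirmed multi-domain example, so treat that part as an assumption.

```python
def required_edge_names(sip_domains):
    """Names the public Edge certificate has to cover, following the guide:
    ACCESS.<domain> and SIP.<domain> for every SIP domain registered with Office 365."""
    required = set()
    for domain in sip_domains:
        domain = domain.strip().strip(".").lower()
        required.add(f"access.{domain}")
        required.add(f"sip.{domain}")
    return required


def name_covers(cert_name, required):
    """Exact match, or a wildcard that covers exactly one label:
    *.sipdomain.com covers sip.sipdomain.com, but neither a.b.sipdomain.com
    nor the bare sipdomain.com."""
    cert_name = cert_name.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".sipdomain.com"
        if not required.endswith(suffix):
            return False
        first_label = required[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return cert_name == required


def check_edge_certificate(subject_cn, sans, sip_domains):
    """Return a list of findings; an empty list means the certificate fits."""
    findings = []
    san_set = {s.lower() for s in sans}
    for domain in sip_domains:
        if domain.lower().rstrip(".").endswith("onmicrosoft.com"):
            findings.append(f"{domain}: onmicrosoft.com suffix is not supported for the external DNS names")
    # The guide's examples always repeat the CN in the SAN list; flag it if missing.
    if subject_cn.lower() not in san_set:
        findings.append(f"CN {subject_cn} is not repeated in the SAN list")
    for name in sorted(required_edge_names(sip_domains)):
        if not any(name_covers(san, name) for san in san_set):
            findings.append(f"no SAN covers {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a single-domain certificate checked against two SIP domains.
    for finding in check_edge_certificate(
        "ACCESS.SIPDOMAIN.COM",
        ["ACCESS.SIPDOMAIN.COM", "SIP.SIPDOMAIN.COM"],
        ["sipdomain.com", "sipdomain-b.com"],
    ):
        print(finding)
```

Run against the two-domain case, the check reports the two missing SIPDOMAIN-B names; the wildcard layout from the note passes for its own domain but, because a wildcard covers one label of one domain only, still fails for any second SIP domain.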

Certificates internally

As usual, all internal servers except the Domain Controller require certificates, which can be either private certificates or externally signed.

- CMS (Primary or Backup) VM(s) require a default certificate with the server FQDN as the subject name.
- Mediation Server VM(s) require a default certificate with the Mediation Server pool FQDN as the subject name. A single certificate can be used across all Mediation Server VMs, or each VM can use its own certificate as long as all of them have the pool FQDN in the subject name.
- Edge VM(s) require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate as long as all of them have the internal pool FQDN in the subject name.

Note:

Do not forget to import the Root CA certificates if you are going to use internal/private certificates.


Firewall Port Configuration (1)

Internal firewall

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060** |
| SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068 / TLS 5067 |
| Cloud Connector Mediation component | Internal clients | 49 152 – 57 500* | TCP 50,000-50,019 |
| Cloud Connector Mediation component | Internal clients | 49 152 – 57 500* | UDP 50,000-50,019 |
| Internal clients | Cloud Connector Mediation component | TCP 50,000-50,019 | 49 152 – 57 500* |
| Internal clients | Cloud Connector Mediation component | UDP 50,000-50,019 | 49 152 – 57 500* |

* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.

** This port should be configured on the SBC/PSTN gateway; 5060 is an example. You can configure other ports on your SBC/PSTN gateway.
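As an added example that is not from the guide or TechNet, the internal firewall table above can be encoded and audited in code: whether a given flow is permitted, whether every Mediation-to-client media rule has its mirror for the return direction, and how many simultaneous calls the default Mediation port range can carry at the four ports per call the footnote states. The role names (mediation, sbc, clients) and the split of the 5068/5067 row into separate TCP and TLS rules are my encoding choices.

```python
ANY = (0, 65535)

# The internal firewall table from the guide, encoded as
# (source, destination, protocol, source port range, destination port range).
INTERNAL_RULES = [
    ("mediation", "sbc",       "tcp", ANY, (5060, 5060)),            # ** example SBC port
    ("sbc",       "mediation", "tcp", ANY, (5068, 5068)),
    ("sbc",       "mediation", "tls", ANY, (5067, 5067)),
    ("mediation", "clients",   "tcp", (49152, 57500), (50000, 50019)),
    ("mediation", "clients",   "udp", (49152, 57500), (50000, 50019)),
    ("clients",   "mediation", "tcp", (50000, 50019), (49152, 57500)),
    ("clients",   "mediation", "udp", (50000, 50019), (49152, 57500)),
]

MEDIATION_MEDIA_PORTS = (49152, 57500)   # * default range on the Mediation component
PORTS_PER_CALL = 4                       # * per the guide's footnote


def is_allowed(rules, src, dst, proto, sport, dport):
    """True if some rule permits the flow (any-match-allow semantics)."""
    for r_src, r_dst, r_proto, (s_lo, s_hi), (d_lo, d_hi) in rules:
        if (r_src, r_dst, r_proto) == (src, dst, proto) \
                and s_lo <= sport <= s_hi and d_lo <= dport <= d_hi:
            return True
    return False


def max_calls_for_range(port_range=MEDIATION_MEDIA_PORTS, ports_per_call=PORTS_PER_CALL):
    """Calls the Mediation media range can carry at the stated ports per call."""
    lo, hi = port_range
    return (hi - lo + 1) // ports_per_call


def unmirrored_media_rules(rules):
    """Media is bidirectional: every mediation<->clients rule needs a partner
    with source and destination (and their port ranges) swapped. Return the
    rules for which that partner is missing."""
    rule_set = set(rules)
    missing = []
    for src, dst, proto, sports, dports in rules:
        if proto not in ("tcp", "udp") or "clients" not in (src, dst):
            continue
        mirror = (dst, src, proto, dports, sports)
        if mirror not in rule_set:
            missing.append((src, dst, proto, sports, dports))
    return missing


if __name__ == "__main__":
    print("client UDP 50010 -> mediation 50000 allowed:",
          is_allowed(INTERNAL_RULES, "clients", "mediation", "udp", 50010, 50000))
    print("calls supported by default media range:", max_calls_for_range())
    print("rules without a return-direction partner:", unmirrored_media_rules(INTERNAL_RULES))
```

The default range 49 152 to 57 500 gives 2087 calls at four ports each, comfortably above the 500 concurrent calls one CCE instance supports, so the footnote's range does not become the bottleneck; the mirror check is the part worth running after every manual firewall change, since a forgotten return rule shows up as one-way audio rather than as a clean failure.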

External firewall - minimum configuration

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478 |
| Any | Cloud Connector Edge External Interface | TCP 50,000-59,999 | TCP 443 |
| Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478 |
| Cloud Connector Edge External Interface | Any | TCP 50,000-59,999 | TCP 443 |

External firewall - recommended configuration

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | TCP 50,000-59,999 | Any |
| Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000-59,999 | Any |
| Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000-59,999 |
| Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000-59,999 |

(1) Taken from TechNet