Skype for Business
Cloud Connector Edition
Planning and Migration Guide
Version 1.0
© 03.03.2016, Thomas Pött, MVP Office Server (Skype for Business)
contact: via the contact form on http://lyncuc.blogspot.com
Index
Index
Introduction of Cloud Connector Edition
  Tenant support in Office 365
Cloud Connector Active Directory Forest
Cloud Connector (CCE) Topologies
  CCE ABA in planning
  High Availability
  Multi-Site deployment
Migration to Cloud PBX with Cloud Connector Edition
  Greenfield
  Skype for Business with Enterprise Voice on-premise
    Target: native Cloud Connector Edition
    Target: Cloud Connector Edition with Office 365 Calling Plan (Cloud Voice Users)
    Target: Cloud Connector Edition + Skype for Business partial Enterprise Voice (on-premise)
    Target: Cloud Connector Edition + Office 365 Calling Plan (Cloud Voice Users) + Skype for Business partial Enterprise Voice (on-premise)
  Summary
Infrastructure requirements for Cloud Connector Edition
  Physical infrastructure
  Logical infrastructure
    DNS
    Certificates externally
    Certificates internally
    Firewall Port Configuration
Release Notes:
The technical level of this document is 200. It requires knowledge of Skype for Business Server, Office 365, certificate authorities and Office 365 hybrid configurations in general.
The recently announced Skype for Business feature called Cloud Connector Edition (CCE) has now been published. This article describes the planning considerations for simple and complex CCE deployments and discusses Active Directory synchronization for hybrid Office 365 installations.
CCE will be delivered as a downloadable virtual machine environment, designed only for Microsoft Hyper-V on Windows Server 2012 R2. Microsoft offers no physical PSTN gateways; these have to be integrated from 3rd-party vendors.
Note:
This document is neither a sizing nor a configuration guide. Use it only for environment planning purposes and design considerations. In larger environments you should spend some time evaluating the optimal path for your PSTN deployment.
Introduction of Cloud Connector Edition
Our first look is at the changed, or as some may say common, setup for a hybrid Skype for Business deployment. The hybrid setup is literally nothing different from a regular on-premise deployment, connected to the Office 365 tenant.
We have to deploy the on-premise system as we did in the past, including the dedicated DMZ servers, namely the Edge and Reverse Proxy servers. The two environments are then combined, meaning federated.
This is still valid if you have the E5 plan and activate Cloud PBX. Cloud PBX enables the Enterprise Voice features in the cloud.
I don't step further into the hybrid configuration, where you have users in the cloud and on-premise, nor do I look into the correct licensing, beyond noting that with the E5 plan your users are entitled to Enterprise Voice.
Figure: Hybrid deployment. On-premise: users, Skype for Business, Edge, Reverse Proxy, SIP PBX or provider gateway to the PSTN. Office 365 including Skype for Business Online (E5 plan): Cloud PBX users.
As we see, we still require the on-premise servers to be set up and configured as usual, which leads us to the question of consultancy and integration services. In other words, here we don't see any changes: the work is still identical to what we had in the past, also with Lync 2013.
Simplifying a deployment, especially while we are moving towards the cloud, is a defined goal.
The simplification asked for is:
- It does not require a full on-premises Skype for Business Server deployment.
- It is available worldwide.
- Your users are homed online.
- You can keep your current PSTN carrier if required.
- You can purchase PSTN conferencing from Microsoft or from audio conferencing provider (ACP) partners.*
(*) Audio conferencing is available in two possible ways: either you configure your own PSTN conferencing numbers, or you participate in the new Microsoft cloud offering, where Microsoft provides a PSTN conferencing dial-in bridge.
How can we achieve this?
Microsoft and some vendors, e.g. SONUS, come with a perfect solution. The Microsoft answer is the Cloud Connector Edition for Skype for Business 2015.
If we identify the required on-premise components, we see:
- Mediation Server role (SIP to SIP, codec conversion)
- Edge Server role (Access Edge, Media Relay, Media Relay Authentication MRAS, outbound routing and CMS replica)
- Central Management Store (CMS) (file transfer and on-premise topology)
- Domain Controller (if an on-premise AD exists, it is still present in parallel) *
(*) IMPORTANT NOTE
The AD for the CCE is independent of the on-premise AD and runs in its own forest. From the Cloud Connector's point of view there is no connection to the local AD. Next is Azure AD: there is no issue with Azure AD if the CCE AD runs in parallel! The next important requirement is that users running Skype for Business 2015 Online in Office 365, who were moved into the cloud, MUST run EXCHANGE ONLINE!
Set-CsUser $username -EnterpriseVoiceEnabled $true -HostedVoiceMail $true
A good question asked now is why there is no Reverse Proxy server. The explanation is that no internal web services are present, which allows us to reduce the number of server roles further.
If those roles can be combined into a simplified deployment, we have reached our goal.
The Cloud Connector combines the following components:
- Mediation
- Edge
- Domain Controller
- Central Management Store (CMS)
NOTE:
The domain name for the internal components of the Cloud Connector should be different from the production domain. The name can be the same across all Cloud Connector instances.
The next look we take is into the simplified on-premise components based on the Cloud Connector Edition (CCE).
Figure: Simplified deployment. On-premise: users, Cloud Connector Edition VMs, SIP PBX or provider gateway to the PSTN. Office 365 including Skype for Business Online (E5 plan): Cloud PBX users.
Also recommended for this straightforward deployment is a virtualization technology, e.g. Hyper-V. The "blue" CCE components are subject to virtual machines only. We can position those VMs either on dedicated physical hosts, or we might be able to implement them on the SBC, if it has an Intel infrastructure board integrated.
NOTE:
On-premise users are not stored on the Cloud Connector, nor are online users replicated to the Cloud Connector. Put simply: there are NO users locally on the CCE. A local CCE database is not present.
Tenant support in Office 365
As another point, mostly companies offering customized services to their end customers ask whether a multi-tenant setup will be possible.
There is a clear answer on this topic: NO
Figure: Shared Cloud Connector serving two tenants. On-premise tenant A (users, AD, Azure AD Sync/DirSync) and on-premise tenant B (users, AD, Azure AD Sync/DirSync) both connected to one set of Cloud Connector Edition VMs with a CCE AD and one PSTN breakout, against a multi-tenant Office 365 with Azure AD.
WARNING: This scenario is not supported and not possible. The external Access Edge DNS name must be UNIQUE across Office 365 tenants.
With Skype for Business, Microsoft withdrew the multi-tenant pack for hosters. Therefore this environment, which enabled configuration splits, is no longer available, and right now there is no way of supporting CCE in those scenarios.
If you need a model where multiple parties are supported, you have to deploy one CCE in parallel for each tenant.
Cloud Connector Active Directory Forest
In any hybrid scenario, users are either one- or two-way synced between the on-premise AD and Azure AD in Office 365; with two-way sync the affected users MUST be administered from the on-premise AD only!
Figure: On-premise users and AD synced to Office 365 with Azure AD via Azure AD Sync (DirSync).
Next we have a look into the scenario where an on-premise Active Directory is present. The standard method in Office 365 is Azure AD Sync (DirSync) to the cloud. Now, with the Cloud Connector installed, the AD forest created on the CCE is another, totally different forest with no relationship to the on-premise Active Directory (also NO TRUSTS). This is important.
Figure: On-premise users and AD synced to Office 365 with Azure AD via Azure AD Sync (DirSync), with the Cloud Connector Edition VMs and their separate CCE AD alongside. All users must be on Exchange Online, incl. UM.
Cloud Connector (CCE) Topologies
In the last chapter we discussed the Active Directory topologies; now we have a look into the Cloud Connector deployment topologies.
The topology includes high availability and site-based definitions.
First we look at the SIP signaling and the media path.
The media path is defined as the connectivity from the client to the Mediation Server or gateway.
Figure: SIP signaling and media paths. On-premise: users, Cloud Connector Edition VMs, SIP PBX or provider gateway to the PSTN; Office 365 including Skype for Business Online (E5 plan) with Cloud PBX users. SIP signaling runs via the Cloud PBX; media runs between the client and the Cloud Connector.
Signaling can be seen as functionality of the Cloud PBX feature; therefore the path must go from the device to the Cloud PBX and from there to the Mediation Server component. This is identical to any other form of deployment. The SIP flow is not fully visualized in detail, but as the Access Edge component must be involved, the signaling flows from the client internally to the Cloud PBX -> back to the Access Edge -> then to the Mediation Server.
Media instead was defined as going either to the Mediation Server or, with Media Bypass, to the gateway directly. At the point of writing this guide, the Media Bypass feature is not available, but it might be implemented in later updates. (This is different from the on-premise deployment.)
Some requirements need to be considered:
- Per PSTN breakout, at least one Cloud Connector Edition is required
- A single CCE instance can support up to 500 concurrent calls
- A maximum of 4 (3+1) CCEs can be deployed per PSTN breakout
- 3+1 refers to 3 CCEs for scalability and +1 for high availability
If the maximum number of PSTN calls is higher than 3x500 = 1500, you can deploy another site in parallel to the existing one.
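The sizing rules above (500 calls per CCE, at most 3 active plus spare instances per breakout, parallel sites beyond 1500 calls) and the availability figures quoted later in the High Availability section, turned into a small planner. This is an added example, not part of the guide; it assumes that every parallel site gets the same number of spare instances.

```python
import math

CALLS_PER_CCE = 500         # a single CCE instance supports up to 500 concurrent calls
MAX_ACTIVE_PER_SITE = 3     # 3+1: three instances for scale, one for high availability
MAX_INSTANCES_PER_SITE = 4  # hard limit of CCE instances per PSTN breakout

# Availability figures quoted in the guide, keyed by (active, spare) instances per site.
QUOTED_AVAILABILITY = {(1, 1): 99.8, (3, 1): 99.8, (2, 2): 99.9}


def site_availability(active: int, spares: int):
    """Availability in percent for one site, or None if the guide gives no figure."""
    return QUOTED_AVAILABILITY.get((active, spares))


def plan_breakout(peak_concurrent_calls: int, spares_per_site: int = 1) -> dict:
    """Size the CCE deployment behind one PSTN breakout.

    peak_concurrent_calls: expected peak of simultaneous PSTN calls at this breakout.
    spares_per_site: instances per site kept for high availability (assumption:
                     every parallel site gets the same number of spares).
    """
    if peak_concurrent_calls < 0 or spares_per_site < 0:
        raise ValueError("inputs must be >= 0")
    # At least one CCE is required per PSTN breakout, even before there is load.
    active_total = max(1, math.ceil(peak_concurrent_calls / CALLS_PER_CCE))
    # A site carries at most 3 active instances; the rest go to parallel sites.
    sites = []
    remaining = active_total
    while remaining > 0:
        active = min(remaining, MAX_ACTIVE_PER_SITE)
        remaining -= active
        if active + spares_per_site > MAX_INSTANCES_PER_SITE:
            raise ValueError(
                f"{active}+{spares_per_site} exceeds {MAX_INSTANCES_PER_SITE} instances per site")
        sites.append({
            "active": active,
            "spares": spares_per_site,
            "availability_percent": site_availability(active, spares_per_site),
        })
    return {
        "sites": sites,
        "total_instances": sum(s["active"] + s["spares"] for s in sites),
        "capacity_calls": active_total * CALLS_PER_CCE,
    }


if __name__ == "__main__":
    # Constructed input: a breakout that peaks just above one site's 1500 calls.
    print(plan_breakout(1501))
```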
CCE ABA in planning:
Since the hardware specs are tremendous, I asked for other options which give the solution a better RoI, especially for smaller sites and customers.
As we remember from OCS, Lync and SfB, the on-premise solution offers the Survivable Branch Appliance (SBA), a system design with an embedded SfB Server integrating the Mediation Server and a minimalistic Front End Server, the Registrar only. It enables customers to keep making and receiving calls if a WAN failure occurs between the SBA location and the central SfB pool.
Authentication for users is handled by the User Communication MTLS certificate.
If we have a deeper look into the CCE, it looks similar, except that we need authentication integrated for servers, which the integrated Active Directory Domain Controller handles; a Mediation Server for audio transcoding; a smaller dedicated topology database, the minimalistic CMS; and the component for connections to the Office 365 SfB Online tenant, the Access Edge Server.
As we see, this similarity creates the possibility of an SBA-like CCE.
E.g. Sonus is investigating this setup right now, and I'm proud to announce this first.
Figure: Site LONDON with Cloud Connector Edition VMs running on a Sonus SBA CCE, connected to users, the PSTN and Office 365 including Skype for Business Online (E5 plan) with Cloud PBX users.
Additionally, tests supporting high concurrent call volumes are under way right now. Here Sonus has tested a setup with 1000 concurrent calls on a single CCE with their own gateway.
Being fair to other vendors, this will be put into Microsoft's qualification list, and others will be able to develop similar solutions.
High Availability:
In the same way, we must calculate the SLA / availability of a single site.
You can achieve 99.9% availability by running a 2+2 setup.
99.8% is achieved by either 1+1 or 3+1, which differ only in the maximum concurrent call volume.
Multi-Site deployment
If we have multiple sites deployed, the signaling stays the same. We only have the Cloud PBX feature in Office 365, so all initial communication has to go into the cloud first.
We will have a look at the two sites MUNICH and LONDON. Both sites have different breakouts, and here we see the setup.
If the target phone number can't be resolved through internal Reverse Number Lookup (RNL), it is defined as a PSTN call. Therefore the Voice Routes are taken into the loop. The call will be directed to the breakout location for the number, which in the first case is Munich, a German location. The client then establishes the media path through the Mediation Server component associated with the Munich site.
Figure: Call to +49 89 123456789 from a user at site MUNICH. SIP signaling runs via the Cloud PBX in Office 365 including Skype for Business Online (E5 plan); media runs from the user to the Munich Cloud Connector Edition VMs and the SIP PBX or provider gateway to the PSTN. Site LONDON, with its own users, gateway and Cloud Connector Edition VMs, is not involved.
The next example explains call routing via the second site, London. Assume the client initiates a call to a UK phone number and it is identified as such. Now the signaling has to follow the preferred Access Edge server for the identified CCE site, which is NOT the initial site in Munich but the second site in London. After the session initiation (INVITE), the SDP parameters will tell the client the Mediation Server component chosen from the Voice Routes, which is London, and the media path will be established from the client -> London Mediation Server -> London gateway -> PSTN.
Figure: Call to +44 20 87456321 from a user at site MUNICH. SIP signaling runs via the Cloud PBX in Office 365 including Skype for Business Online (E5 plan); media runs from the user to the London Cloud Connector Edition VMs and the London SIP PBX or provider gateway to the PSTN.
Note:
With on-premise ACP (audio conferencing PSTN) it stays similar, except that the conferencing component in the cloud will connect directly to the on-premise Cloud Connector Mediation Server component.
Migration to Cloud PBX with Cloud Connector Edition
Migration can be quite tricky. There are multiple scenarios from which we can move towards Cloud PBX with CCE.
I try to describe the common scenarios and discuss possible difficulties, starting with a greenfield setup; the other possible migration scenarios require at least an Office 365 deployment and Skype for Business setups.
Note:
This section of the CCE guide will be continuously updated, and we hope to see a lot of changes coming.
Greenfield
What does greenfield mean?
Assume you didn't run any LCS, OCS, Lync or Skype for Business software on-premise in the past and want to make use of the current release of Microsoft Unified Communications software.
You simply activate an Office 365 tenant and enable the cloud users for Skype for Business there.
Once you have them enabled, you start rolling out CCEs into the locations where you have the PSTN breakout and/or have PBX systems ready for migration.
Most likely in this scenario you will have a PBX system in place. This can be any classic PBX, like Avaya, Lucent or others, and you could also operate other UC software, like Cisco CUCM or others.
If you want to migrate, here is the scenario:
First you place a PSTN gateway in between your PSTN breakout and your PBX. If you do so with e.g. SONUS, the device is configured in automatic bypass mode, so after the insertion it is fully transparent. This is helpful, because you do not yet have any Office 365 Skype for Business Online user activated for Enterprise Voice.
Well, I assume you have the online Dial Plans and Voice Policies ready.
The next step will be the phone number migration.
You configure the identical phone number a user has on the classic PBX now in Office 365.
Three migration steps run in parallel:
- Configuring the GATEWAY to point this dedicated number to the CCE (Cloud PBX)
- Removing the phone number and user from the PBX and defining this number to be directed externally (from here the gateway can pick up the call from the PBX and direct it to the CCE)
- Activating the Office 365 user for Cloud PBX with the same phone number as was assigned on the classic PBX
Figure: Phone number migration to Cloud PBX with CCE, site LONDON. On-premise users and AD (synced to Office 365 via Azure AD Connect / Azure AD Sync), Cloud Connector Edition VMs and a Sonus gateway in front of the PSTN; Office 365 including Skype for Business Online (E5 plan) with Cloud PBX users (all users must be on Exchange Online, incl. UM). The gateway performs destination-based call routing between the PBX, the CCE and the PSTN; audio conferencing provider: Microsoft bridge.
Note:
Some PBXs have a head number reservation configuration, meaning a dedicated number range is reserved by the PBX and calls within this range can't be routed outside the PBX. If this is the case, contact your vendor and find a workaround, e.g. shrinking the head number, or defining fake numbers in the PBX, which are then masked on the gateway.
Skype for Business with Enterprise Voice on-premise
Simply, I have to state:
If you need Skype for Business on-premise voice and can't move to Cloud PBX + CCE yet, you have to consider a classic SfB hybrid solution utilizing pools, sites and SBAs, still benefiting from Meeting Broadcast and e.g. Microsoft's upcoming ACP for PSTN conferencing. This increases your RoI, and you might be able to consolidate your on-premise deployment in the near future.
Target: native Cloud Connector Edition
Moving towards native Cloud PBX with CCEs only. Since the setups below are not supported, there is only one possible solution: you have to move all SfB users to SfB Online first.
From here you can deploy the CCE after you have fully decommissioned the SfB on-premise setup.
This is not a scenario you would like to offer to larger customers. But Microsoft is working on a solution, and I will keep you updated on this scenario.
Target: Cloud Connector Edition with Office 365 Calling Plan (Cloud Voice Users)
Not supported!
Target: Cloud Connector Edition + Skype for Business partial Enterprise Voice (on-premise)
Not supported!
Target: Cloud Connector Edition + Office 365 Calling Plan (Cloud Voice Users) + Skype for Business partial Enterprise Voice (on-premise)
Not supported!
Summary:
Writing a summary isn't that easy yet. As a result of the information above, I can highlight that you should dig into the CCE setup as soon as possible.
For greenfield customers and for those where a "one shot" migration can be considered, the benefit of utilizing CCE deployments is huge.
If a smooth migration is required where on-premise Skype for Business is present, there is right now no way of coping with this task. You have to wait for the later releases Microsoft will come up with.
But again, if an on-premise classic PBX is present, please consider the CCE setup. Migration is a straightforward task, and moving all users into the cloud is quite simple, especially if you only utilize the presence, IM, A/V peer-to-peer and conferencing services. The enhancement with Enterprise Voice can be seen as the next task in enhancing the services and user experience.
Infrastructure requirements for Cloud Connector Edition
Physical infrastructure
Our first look was into the components involved in the Cloud Connector. It will be delivered in the form of Hyper-V virtual machines (VMs) only. Each VM contains the featured server role from Skype for Business.
These are 4 VMs which require a dedicated physical host with a minimum of:
- 64-bit dual CPU, six cores (12 real cores) at 2.5 GHz or higher
- 64 GB RAM
- 4x 600 GB 10k RPM 128 MB cache SAS 6 Gbps disks in RAID 5
- 3x 1 Gbps network adapter
At least 2 PSTN gateways are recommended for redundancy.
Azure ExpressRoute between the sites and Office 365 is recommended; personally I want to see it as mandatory, as you need to ensure high-quality and reliable networks. If you run your own ACP, meaning you offer your own conferencing dial-in numbers on your CCE, audio is sent back and forth between the Skype for Business Online conferencing MCU and your CCE. This requires QoS to be integrated in your network, including the Office 365 tenant.
Note:
At the point of writing this article, smaller physical servers are under consideration for supporting fewer users; this will be confirmed soon.
Logical infrastructure
DNS
DNS is required externally for the Access Edge Server and the Media Relay (audio; video is not implemented for local breakouts). It must be ensured that the internal CCE servers can resolve internal DNS names and that the Access Edge component can resolve external DNS too. Therefore the Access Edge should resolve DNS externally and have a hosts file for internal DNS resolution (C:\Windows\System32\drivers\etc\hosts).
Note:
(The tenant's onmicrosoft.com DNS suffix is not supported as external name!)
External DNS entries (also used for certificates):
Access Edge: e.g. ACCESS.SIPDOMAIN.COM
Media Relay: e.g. MEDIA.SIPDOMAIN.COM
Data Proxy: e.g. DP.SIPDOMAIN.COM (not necessary for certificates)
Certificates externally
In addition to the DNS entries, we require a publicly signed SAN certificate in the form of:
SN/CN ACCESS.SIPDOMAIN.COM
SAN ACCESS.SIPDOMAIN.COM
SAN SIP.SIPDOMAIN.COM
If you have multiple SIP domains registered with Office 365 (not confirmed yet):
SN/CN ACCESS.SIPDOMAIN.COM
SAN ACCESS.SIPDOMAIN.COM
SAN SIP.SIPDOMAIN.COM
SAN SIP.SIPDOMAIN-B.COM
SAN ACCESS.SIPDOMAIN-B.COM
Note:
A wildcard is supported as SN=SIP.SIPDOMAIN, SAN=SIP.SIPDOMAIN.COM + SAN=*.SIPDOMAIN.COM
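A check for a candidate external Access Edge certificate against the naming rules above (CN plus ACCESS and SIP names for every SIP domain, wildcard covering one label). This is an added example, not from the guide; the domain names used in the self-test are constructed, and the rule that the CN must also appear among the SANs is taken from the listings above.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Certificate-style name match: '*' covers exactly one leftmost DNS label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        # "*.sipdomain.com" matches "sip.sipdomain.com" but not "a.b.sipdomain.com".
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def required_names(sip_domains) -> list:
    """ACCESS.<domain> and SIP.<domain> for every SIP domain registered with Office 365."""
    names = []
    for domain in sip_domains:
        names.append(f"access.{domain}".lower())
        names.append(f"sip.{domain}".lower())
    return names


def check_edge_certificate(subject_cn: str, sans: list, sip_domains: list) -> dict:
    """Check a candidate external Access Edge certificate against the guide's naming.

    subject_cn: the certificate subject's CN.
    sans: the DNS names in the subjectAltName extension (wildcards allowed).
    sip_domains: SIP domains registered with Office 365, the first one being primary.
    """
    if not sip_domains:
        raise ValueError("at least one SIP domain is required")
    primary = sip_domains[0].lower()
    # The guide lists the CN as ACCESS.<primary>, or SIP.<primary> in the wildcard form.
    cn_ok = subject_cn.lower() in (f"access.{primary}", f"sip.{primary}")
    # In every listing the CN is repeated as a SAN; require that too.
    cn_in_san = any(name_matches(s, subject_cn) for s in sans)
    missing = [n for n in required_names(sip_domains)
               if not any(name_matches(s, n) for s in sans)]
    return {
        "ok": cn_ok and cn_in_san and not missing,
        "cn_ok": cn_ok,
        "cn_in_san": cn_in_san,
        "missing_names": missing,
    }


if __name__ == "__main__":
    # Constructed example: a single-domain certificate lacking the second SIP domain.
    print(check_edge_certificate("access.example.test",
                                 ["access.example.test", "sip.example.test"],
                                 ["example.test", "example-b.test"]))
```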
Certificates internally
As usual, all internal servers besides the Domain Controller require certificates, which can be either private certificates or externally signed.
CMS (primary or backup) VM(s) require a default certificate with the server FQDN as the subject name.
Mediation Server VM(s) require a default certificate with the Mediation Server pool FQDN as the subject name. A single certificate can be used across all Mediation Server VMs, or each VM can use its own certificate, as long as all of them have the pool FQDN in the subject name.
Edge VM(s) require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate, as long as all of them have the internal pool FQDN in the subject name.
Note:
Do not forget to import the Root CA certificates if you are going to use internal/private certificates.
Firewall Port Configuration (1)
Internal firewall
Source IP | Destination IP | Source port | Destination port
Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060**
SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068 / TLS 5067
Cloud Connector Mediation component | Internal clients | 49 152 – 57 500* | TCP 50,000-50,019
Cloud Connector Mediation component | Internal clients | 49 152 – 57 500* | UDP 50,000-50,019
Internal clients | Cloud Connector Mediation component | TCP 50,000-50,019 | 49 152 – 57 500*
Internal clients | Cloud Connector Mediation component | UDP 50,000-50,019 | 49 152 – 57 500*
* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.
** This port should be configured on the SBC/PSTN gateway; 5060 is an example. You can configure other ports on your SBC/PSTN gateway.
External firewall - minimum configuration
Source IP | Destination IP | Source port | Destination port
Any | Cloud Connector Edge External Interface | Any | TCP 5061
Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478
Any | Cloud Connector Edge External Interface | TCP 50,000-59,999 | TCP 443
Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478
Cloud Connector Edge External Interface | Any | TCP 50,000-59,999 | TCP 443
External firewall - recommended configuration
Source IP | Destination IP | Source port | Destination port
Any | Cloud Connector Edge External Interface | Any | TCP 5061
Cloud Connector Edge External Interface | Any | TCP 50,000-59,999 | Any
Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000-59,999 | Any
Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000-59,999
Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000-59,999
(1) Taken from TechNet
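The internal table and the recommended external table above as a rule set that flows can be evaluated against, plus the four-ports-per-call arithmetic from the internal footnote. This is an added example, not part of the guide or of any Microsoft tooling; it assumes the configurable SBC/PSTN gateway SIP port is passed in (5060 as in the table) and that "Any" in a rule matches every source or destination.

```python
from dataclasses import dataclass

# Roles named in the guide's firewall tables.
MEDIATION = "Cloud Connector Mediation component"
GATEWAY = "SBC/PSTN Gateway"
CLIENTS = "Internal clients"
EDGE_EXT = "Cloud Connector Edge External Interface"
ANY = "Any"

ANY_PORT = (0, 65535)
MEDIATION_MEDIA = (49152, 57500)  # default media range of the Mediation component (footnote *)
CLIENT_MEDIA = (50000, 50019)     # internal client media range from the table
EDGE_MEDIA = (50000, 59999)       # Edge external media range from the table
PORTS_PER_CALL = 4                # footnote *: four ports per call for optimal call flow


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str        # "TCP" or "UDP"
    src_ports: tuple  # inclusive (low, high)
    dst_ports: tuple


def internal_rules(gateway_sip_port: int = 5060) -> list:
    """Internal firewall table; the gateway SIP port is configurable (5060 is the example)."""
    sip = (gateway_sip_port, gateway_sip_port)
    return [
        Rule(MEDIATION, GATEWAY, "TCP", ANY_PORT, sip),
        Rule(GATEWAY, MEDIATION, "TCP", ANY_PORT, (5068, 5068)),  # SIP over TCP
        Rule(GATEWAY, MEDIATION, "TCP", ANY_PORT, (5067, 5067)),  # SIP over TLS
        Rule(MEDIATION, CLIENTS, "TCP", MEDIATION_MEDIA, CLIENT_MEDIA),
        Rule(MEDIATION, CLIENTS, "UDP", MEDIATION_MEDIA, CLIENT_MEDIA),
        Rule(CLIENTS, MEDIATION, "TCP", CLIENT_MEDIA, MEDIATION_MEDIA),
        Rule(CLIENTS, MEDIATION, "UDP", CLIENT_MEDIA, MEDIATION_MEDIA),
    ]


def external_rules_recommended() -> list:
    """External firewall table, recommended configuration."""
    return [
        Rule(ANY, EDGE_EXT, "TCP", ANY_PORT, (5061, 5061)),
        Rule(EDGE_EXT, ANY, "TCP", EDGE_MEDIA, ANY_PORT),
        Rule(EDGE_EXT, ANY, "UDP", (3478, 3478), ANY_PORT),
        Rule(EDGE_EXT, ANY, "UDP", EDGE_MEDIA, ANY_PORT),
        Rule(ANY, EDGE_EXT, "TCP", ANY_PORT, (443, 443)),
        Rule(ANY, EDGE_EXT, "TCP", ANY_PORT, EDGE_MEDIA),
        Rule(ANY, EDGE_EXT, "UDP", ANY_PORT, (3478, 3478)),
        Rule(ANY, EDGE_EXT, "UDP", ANY_PORT, EDGE_MEDIA),
    ]


def _role_matches(role: str, wanted: str) -> bool:
    return wanted == ANY or role == wanted


def _in_range(port: int, rng: tuple) -> bool:
    return rng[0] <= port <= rng[1]


def is_permitted(rules, src, dst, proto, src_port, dst_port) -> bool:
    """True if any rule allows the flow (source role, destination role, protocol, ports)."""
    return any(_role_matches(src, r.src) and _role_matches(dst, r.dst)
               and r.proto == proto.upper()
               and _in_range(src_port, r.src_ports) and _in_range(dst_port, r.dst_ports)
               for r in rules)


def blocked_flows(rules, flows) -> list:
    """Return the (src, dst, proto, src_port, dst_port) tuples the rule set would not allow."""
    return [f for f in flows if not is_permitted(rules, *f)]


def media_calls_supported(port_range=MEDIATION_MEDIA, ports_per_call=PORTS_PER_CALL) -> int:
    """Concurrent calls a media port range can carry at four ports per call."""
    low, high = port_range
    return (high - low + 1) // ports_per_call
```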