Configuring Edge Server
- Microsoft .Net Framework 3.5, HTTP Activation, Windows Identity foundation, Telnet Client.
Add-WindowsFeature NET-Framework-Core, NET-Framework-45-Core, NET-Framework-45-ASPNET, Web-Net-Ext45, NET-WCF-HTTP-Activation45, Windows-Identity-Foundation, Telnet-Client -Source X:\sources\sxs
In order to configure Skype 4 Business Edge, we’ll have to change the Netbios to give it the name of our Domain but we won’t join it to the domain.
Edge Server must have 2 NICs, one Local NIC will point out to the Front end server but must not have Default gateway so traffic can only flow through the DMZ out to the internet and back in. but still it must be able to ping to the FE from Edge and vice versa.
DMZ network can have 1 DMZ address (Public Address to be NATTED to) or 3 DMZ addresses for public IP addresses with standard HTTPS ports.
Edit the Edge server’s host file to include Lync FE and DC’s IP addresses and Hostname
Now I will go back to Skype for Business FE server, I’ll launch the topology builder and add new Edge server
I will add the first Edge pool which contains of a single Edge server
Next, you will have to choose if you want to enable federation with partners or other service providers …e.g. (Google)
I am intending to use a single Public IP address with a different ports (nonstandard) since this is a lab. For production it’s recommended to use 3 public IP addresses for Access Edge, AV and WebConf services.
Next I will choose the last option which says that the Edge pool is translated by NAT. I will configure my firewall to NAT ports to the Edge’s DMZ IP addresses from the Public so I am choosing this option.
This is the FQDN’s the default configuration .. It’ll only use a single FQDN for all services if you’re going to use a single public IP address with a different ports.
When you use a single IP address with a different ports, the Access Edge port will normally change to 5061 (Not 443 like in the _sip._tls.domain.com) SRV record which will cause failure if you forgot to change this port to match the one in your Topology’s Access Edge settings.
Next I’ll have to enter my Edge server’s Local IP address.
Next I will be asked to enter the DMZ’s IP address which the wizard calls (Private External IP address)
Here I am going to place the NAT IP address which is my Public IP address.
Next I’ll have to choose which Lync FE pool will be used as the next hop to the Edge pool. In this case I’ll be choosing my main pool since the second is only for resilience purpose.
Then I’ll associate the mediation pool for Edge server for external media traffic. I can assign both in this case.
Now I’ll click on Finish and right click on the Site name’s properties to enable the SIP federation and XMPP federation then Publish the topology.
Now I will setup Azure Active Directory Sync on my DC server in order to sync the required users for the test purpose.
My domain is adeo.local so I want to change the UPN for users to match the synced domain. (Adeo-office365.ga) and moh10ly.com
Installing Azure Active Directory Sync
Now I will install the prerequisites which consist of the following
Net framework 4.5.2 is required for AADS but it’s already installed on my server
Next I will install Microsoft Online Service Sign in assistant
Next I will install Azure AD Module
Finally Azure AD Sync
Before moving forward, I’ll have to go to the Office 365 portal and activate DirSync
Then use a global admin credentials from O365.
Adding the forest using an enterprise admin user account
Due to the fact that my domain adeo-office365.ga’s public dns host doesn’t have SRV configuration because it’s hosted by the famous free domain service (Freenom) so I’ll have to add my original domain moh10ly.com as Lync (S4B) requires SRV records to point to the on-premises lync.
I will only sync one OU, so I will untick the Sync now box and click on Finish
I will go to the following path
“C:\Program Files\Microsoft Azure AD Sync\UIShell” and create a shortcut for the GUI application of AADS on the desktop
“C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe”
To get this GUI app to work, you will have to sign out of your account and sign back in as your username will be added to the local administrators and have the authority to open it
Log off, log back in
Next I will go to the connectors tab and double click on the ADDS connector (Adeo.local)
I will go to the Configure Directory Partitions and under Credentials I’ll choose “Alternate credentials for this directory partition” then enter my on-premises AD Enterprise admin credentials
I’ll click on Containers
I’ll untick the DC=Adeo,Dc=Local box and only choose Dirsync OU then click OK and apply
Before I start syncing my AD , I will go to Skype for Business Server and add my domain moh10ly.com as a SIP domain
Next I am going to change the FQDN of the SIP access edge for public domain to moh10ly.com and the default port for the Access Edge to 443 and publish the topology
I needed to finally check if all my FE servers are replicating. So then I can move to Edge server to install Lync components
On the Edge server, I’ll use ISO for Skype 4 business to install the setup
First thing I’ll install the local Configuration Store
I’ll click on Run and then I’ll be asked to import the configuration file which I’ll must export from Lync FE (Skype 4 b FE) server
In this case, I’ll go to Lync FE and open Lync Management shell and enter the following Cmdlet
Export-CsConfiguration -FileName c:\top.zip
This cmdlet will export a file to the root C drive . I’ll copy this file to the edge server.
I’ll click next to continue, this should start installing the local store
Next I’ll request a certificate for Internal NIC For edge server
I’ll take the CSR (Certificate sign request) code and get a certificate from my local CA
I’ll open MMC and add Certificates console and import the PKCS certificate
After importing the certificate I’ll assign it to the internal NIC by clicking on Assign to the Edge Internal
Once we assign the certfiicate to the internal edge. The replication service for Edge and FE will start working
Now I’ll import my Public Certificate to Edge Server’s DMZ NIC
I already imported my public certificate, now I’ll go to the S4B wizard and assign it there
Unlike IN lync 2013 when you Click on Start service in the Wizard all services start on their own but on Skype for business you ‘ll have to start the services manually by yourself.
So Instead I used the service console to start the services.
Now I’ll go back to the FE And enable remote connectivity to Skype for Business from outside and make sure that replication works fine by checking the Topology or from cmdlet
Setting up Hybrid integration with Skype online for Business (O365)
In order for Skype for Business Hybrid configuration to work successfully for users homed on cloud and on-prem .. Users must be created first on-premises, enabled on Skype for Business on-premises and from the Skype for Business on-prem Control panel moved to Office 365 Skype for Business online.
Otherwise users will not be able to see each other’s presence information due to missing attributes if users were to be created directly online or on Active Directory and not enabled on-premises first.
In order to allow Hybrid environment to function properly, we’ll have to federate our Skype for Business on-premises’s Edge server as microsoft says below
Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. To configure federation, run the following cmdlets in the Skype for Business Server Management Shell:
On the front end server, we’ll run the following CMDlet
Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery $true
Next cmdlet will create a new public federated provider for skype for business online.. However it already exists so we must delete it from control panel or the cmdlet will fail with the following message
New-CsHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $True -HostsOCSUsers $True -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/Autodiscoverservice.svc/root
I’ll delete the hosted provider “Skype for Business Online”
I’ll try the cmdlet again after deleting the provider ..
New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root
Since it worked already, I will go back to the control panel and make sure it is enabled
Next is : Configure your Skype for Business Online tenant for a shared SIP address space
To configure a shared SIP address space, establish a remote PowerShell session with Skype for Business Online, and then run the following cmdlet:
We’ll have to download skype for business online powershell
After launching the PowerShell module as an administrator I’ll run the following cmdlet
(Connect to Skype for Business online (Lync Online) Powershell)
Now I’ll connect to my Office 365 tenant
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
Now I’ll configure the shared sip address
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
To double check my configuration I will see if the SharedSipAddresSpace is enabled or not
To double check that the hybrid configuration is setup properly we can use the Skype for business on-premises Hybrid UI wizard from the Home Menu under “Connection to Skype for Business Online”
Using the Skype for Business 2015 User interface to setup Hybrid configuration:
After you sign in it does automatically logs you in and configure the three following options
- Federation for the Edge server
- Federation with Office 365.
- Shared SIP address space.
Now I will configure my DNS Settings as recommended by Microsoft for the Hybrid Integration scenario
When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.
- Update some DNS records to direct all SIP traffic to Skype for Business on-premises:
- Update the lyncdiscover.contoso.com A record to point to the FQDN of the on-premises reverse proxy server.
- Update the _sip._tls.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
- Update the _sipfederationtls._tcp.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
- If your organization uses split DNS (sometimes called “split-brain DNS”), make sure that users resolving names through the internal DNS zone are directed to the Front End Pool.
According to Microsoft’s configuration of the Public DNS, you will have to configure only the SRV records to point to your edge server however, running a simple wireshark on your Skype for business client machine you can notice the following:
Microsoft Lync / Skype client first requires the Lyncdiscover / Lyncdiscoverinternal record in order to see where the user is located… then gets redirected to webdir.online.lync.com which is the Cname value to the Lyncdiscover Cname in the public DNS and tries to login the user through Login.microsoftonline.com then finds no user there and logs in using the SRV eventually in the end as in the below snapshot which I’ve used Wireshark for to monitor the DNS traffic that the Lync Client requests upon login request.
What have me confused here is that Microsoft says only SRV records must be pointing to your On-premises Lync/Skype for Business Edge server.. So you must enter something else other than SIP.domain.com (Which in normal cases might be the common name of your Edge certificate) for the value of the SRV Record since the SIP.domain.com and Lyncdiscover.domain.com must be pointing to Office 365.
I tried using the Public IP address of my Edge server just to check if my on-premises user will connect without any issue however I did have an issue with the Certificate saying “There was a problem verifying the certificate from the server”.
Luckily the Public certificate that I had on my edge server had multiple SANs (Subject Alternative Names) and one of them was WAC.moh10ly.com which I was intending to use for the WAC Server (Office Web Apps Server) and then I created an A record on my public DNS WAC.moh10ly.com that points to my Edge server’s Public IP address…. although the Wac.moh10ly.com is not a common name but it worked and I was able to federate with Office 365 users and was able to move users from on-premises to office 365 and back to on-premises as demonstrated later in the article.
“When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.”
Now I have changed all the SRV records to direct to the new A record
And finally deleted the A sip record and created a new CNAME record that points to sipdir.online.lync.com
I have already a user synced from my local AD to the cloud (office 365) that’s not enabled for Skype for business on-premises .. Once this user is synced and have been assigned a license it should be directly enabled for Skype for Business Online and I should be able to sign in to it without any issue.
In order for both users (homed online and On-premises) to see eachother’s presence the synced user must be enabled on the On-premises Server before moved to the cloud or else the presence and M will fail.
Time to test, I was able to sign in to the Online homed user (admin) and now I’ll be adding the on-premises homed user to the list to check the presence, IM ..etc
Here I added the user admin to my other account Mohammed.hamada and vice versa.
The Presence appears to be working fine for user homed on-premises as it shows when I changed it to “busy, be right back..etc” on the cloud user’s Client however the Office 365 homed user’s presence takes time to change on the on-premises user’s list and the IM doesn’t seem to work properly as messages sometimes doesn’t go through and fail.
Sending a message from the on-premises User (Mohammed Hamada) to (ADMIN)
Now sending an IM from Admin to Mohammed Hamada
To make sure that the issue is not within my on-premises server, I will use a different Skype for Business online account and see if IM work both ways.
This is my other user.. The presence information seems to work properly and now I’ll test the IM
IM between my On-premises and another user on another Office 365 tenant seems to be working fine back and forth as in the below snapshots so the issue might be related to Office 365 tenant which I am using for this test (could be related to trial version)
I am going to open a case with MS and see why this issue happens since my on-premises work fine with other tenants.
Now It’s time to move users from and to cloud and on-premises to check how easy, flexible or hard this process is.
I currently have 2 users, one on cloud and one synced and homed online (Office365)
In order to move users, you can go to Users tab after the hybrid config is finished and find the user you want to move then click on Actions and chose to move the users to the Skype for Business Online as in the below snapshot
Before you move the user to Office 365, you must assign license to the user or else the move will fail.
You can move the user back from Office 365 to your on-premises Skype for Business server with the same process exactly except that you’ll have to choose which pool you need to move the user to.
Checking where the user is hosted from Skype for business Management shell
The Hosting Provider will show you where the user is working from now.
Hope this has been helpful