
• I am Fabrizio Volpe – Microsoft MVP on Skype for Business
• I work for the Iccrea Banking Group
• I am the author of five IT books, including Microsoft Lync Server 2013: Basic Administration and the Lync Server Cookbook
• I tweet from @fabriziovlp
• I blog at http://www.absoluteuc.org/
There is no subject so old that something new cannot be said
about it.
Fyodor Dostoevsky
Mobility is about "experiences spanning a variety of devices"

Cloud provides the infrastructure to keep the devices connected, and to support the services those devices consume
Mobile client comparison tables for Skype for Business
• The Lync 2010 clients are still supported in Skype for Business
• The next version of the product will consider them as deprecated
Reverse Proxy
Required for:
• Skype Web Services
• Mobility

Edge Pool
Required for:
• SIP Clients
• Federation
Reverse Proxy to publish Web Services

Skype for Business Web Service functions include:

• Skype for Business Mobility client
• Simple URLs
  • LyncDiscover – client sign-in and discovery
  • Meet – connect to meetings
  • Dialin – dial-in conference settings information
  • Schedule – schedule meetings
• Skype for Business Web App client
• Expand Distribution Groups
• Address Book download
Skype for Business differentiates services meant to be exposed to the external network from the ones for the internal network by using separate IIS sites.

Using different ports also allows the Skype4B Front Ends to use a single IP address.

The reverse proxy receives calls on the standard ports (80 and 443) and redirects them to the External Skype for Business website (8080 and 4443).
The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy.

Services required to support the Web Application Proxy

Role / feature: Active Directory Domain Services (AD DS)
How it supports this scenario: Active Directory Domain Services is required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.

Role / feature: Active Directory Federation Services (AD FS)
How it supports this scenario: AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.

Role / feature: Remote Access (DirectAccess, Routing and Remote Access)
How it supports this scenario: Remote Access is the role containing the Web Application Proxy role service.
• The Autodiscover Service returns all Web Services URLs for the user's home pool, including the Mobility Service (Mcx and UCWA) URLs
• However, both the internal Mobility Service URL and the external Mobility Service URL are associated with the external Web Services FQDN
• Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Mobility Service externally through the reverse proxy

• DNS requirements for Skype for Business
• https://technet.microsoft.com/en-us/library/dn951397.aspx
Lync Connectivity Analyzer attempts to connect to your server by using the same services and protocols that are used by the apps themselves.

The tool tests the following Lync Server components:

• Autodiscover service
• Authentication Broker (Reach) service
• Mobility (MCX) service
• WebTicket service

Lync Connectivity Analyzer also tests the configuration of the following additional components:

• Publication of DNS records for Autodiscover URLs
• Certificates
• Proxy servers
• The mobile client discovers the internal LYNCDISCOVERINTERNAL URL and will make use of the EXTERNAL MOBILITY URL
• Clients entitled to a direct peer-to-peer setup
• What matters is the network path: it must be non-NATed, a direct route
• The mobile client must rely on the Edge Server and has to tunnel the signaling/media
• The mobile device will connect to, and send its media session to, the external Edge interface
• The internal full client connects media to the Edge Server internal interface
• A call to the external full client is rerouted via the Edge Server and sent to the external side again
• First to the external Edge interface, then back through the Edge Server to the remote client
Authentication: NTLM, TLS-DSK, Passive authentication*
Mobility: Credential storage, Device control
Infrastructure protection: Brute force

*ADFS based authentication

Authentication: Pre-authentication, No domain credentials, 2-factor authentication
Mobility: Credential storage, Device control, Device registration
Infrastructure protection: Brute force, Account lock-out, DoS

[Diagram: Skype for Business external access. External users reach the Reverse Proxy through the External Firewall on HTTPS: 443; the Reverse Proxy forwards through the Internal Firewall to the Front End pool on HTTPS: 4443. External users reach the Edge Pool on Access Edge – SIP/TLS: 443; Skype for Business federation and Public IM reach it on Access Edge – SIP/MTLS: 5061; the Edge Pool connects to the Front End pool on SIP/MTLS: 5061. Active Directory sits on the internal side.]
MobilePreferredAuthType

Set-CsWebServiceConfiguration -UseWsFedPassiveAuth $true

Set-CsWebServiceConfiguration -WsFedPassiveMetadataUri [URL]

Additional config for mobile to use passive authentication:

Set-CsWebServiceConfiguration -MobilePreferredAuthType WsFedPassive
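The three commands above as one checked procedure, written here as an added example (not the deck's own script): it confirms the ADFS metadata endpoint is reachable before changing anything, applies the settings, then reads them back. $metadataUri is an assumed placeholder for your ADFS federation metadata URL.

```powershell
# Added example (not from the deck): move mobile clients to ADFS passive (WS-Fed)
# authentication and verify the result. $metadataUri is a placeholder (assumption).
$metadataUri = 'https://adfs.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml'

function Test-MetadataEndpoint {
    param([string]$Uri)
    # The Front Ends must fetch the ADFS metadata over HTTPS; if they cannot,
    # Set-CsWebServiceConfiguration still succeeds but mobile sign-in fails later.
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200 -and $resp.Content -match 'EntityDescriptor')
    } catch {
        Write-Warning "Metadata fetch failed: $($_.Exception.Message)"
        return $false
    }
}

function Enable-MobilePassiveAuth {
    param([string]$MetadataUri)
    if (-not (Test-MetadataEndpoint -Uri $MetadataUri)) {
        throw "ADFS metadata at $MetadataUri is not reachable; configuration left unchanged."
    }
    # Global scope here; use -Identity site:<name> to scope the change to one site.
    Set-CsWebServiceConfiguration -Identity Global `
        -UseWsFedPassiveAuth $true `
        -WsFedPassiveMetadataUri $MetadataUri `
        -MobilePreferredAuthType WsFedPassive -Verbose
}

function Get-MobileAuthState {
    # Reads back the three settings the deck changes so they can be reviewed together.
    Get-CsWebServiceConfiguration -Identity Global |
        Select-Object Identity, UseWsFedPassiveAuth, WsFedPassiveMetadataUri, MobilePreferredAuthType
}

Enable-MobilePassiveAuth -MetadataUri $metadataUri
Get-MobileAuthState
```

Run it from the Skype for Business Server Management Shell on a Front End; compare the Get-MobileAuthState output before and after the change.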
Previously:

• Conversations on the mobile devices were not synchronized with desktop clients. You had to send the conversation (e-mail it?) from the mobile device to keep it on a different device
• Users had to manually accept messages on mobile devices within a short amount of time

Synchronized conversations allow users to maintain their conversations across all of their devices

Auto-Accept allows the mobile client to accept incoming messages on the user's behalf

Server requirements

• Skype for Business Server 2015 with Exchange 2013 on-premises/Exchange Online
• Skype for Business Online with Exchange 2013 on-premises/Exchange Online
• Users must be homed on Skype for Business Server 2015
• Users must have a mailbox homed on Exchange 2013 (either on-premises or online)
• Skype for Business Server OAuth setup with the Exchange 2013 environment
Skype for Business Server 2015, Microsoft Exchange Server 2013 (and Microsoft SharePoint Server 2013) can create security tokens that can be accepted by one another

• The same certificate must be configured as the OAuthTokenIssuer certificate on all of your Front End Servers
• The certificate must be at least 2048 bits
Office 365 works with Windows Azure Active Directory (WAAD)

Users defined directly on WAAD (Cloud Identity)

Synchronized identity (DirSync with Password Sync)

Federated Identity (DirSync with Single Sign-On)

• The Active Directory Domain Service stores passwords in the form of a hash value representation of the actual user password
• The password hash cannot be used to log in to your on-premises network
• The password is verified by the on-premises identity provider
• This means that the password hash does not need to be synchronized to Azure AD
Enable Server Side Conversation History

Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true -Verbose
Set-CsClientPolicy -Identity "policy_name" -EnableServerConversationHistory $true -Verbose

Verify replication and restart the front end service

Get-CsManagementStoreReplicationStatus
Restart the SfB Services (assuming this is the first time Lync-Exchange auth has been configured)

Required settings

CsMobilityPolicy – AllowSaveIMHistory flag = True
CsClientPolicy – DisableSavingIM = False
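The conversation history procedure above, together with the OAuthTokenIssuer certificate requirement from the earlier slide (same certificate on every Front End, at least 2048 bits), as one added script that is not part of the deck: it checks the certificate key size and the two required policy flags first, applies the settings, waits for CMS replication and only then restarts the Front End service. "policy_name" is the deck's placeholder; RTCSRV as the Front End service name and the LocalMachine\My store path are assumptions.

```powershell
# Added example (not from the deck): server-side conversation history with prerequisite checks.
# 'policy_name' is the deck's placeholder; RTCSRV and the Cert:\LocalMachine\My path are assumptions.
$policyName = 'policy_name'

function Test-OAuthIssuerCertificate {
    # Checks the key size of the OAuthTokenIssuer certificate assigned on this server
    # (the deck requires the same certificate on every Front End, >= 2048 bits).
    $cert = Get-CsCertificate -Type OAuthTokenIssuer
    if (-not $cert) { Write-Warning 'No OAuthTokenIssuer certificate assigned'; return $false }
    $x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    $bits = $x509.PublicKey.Key.KeySize
    Write-Host "OAuthTokenIssuer $($cert.Thumbprint): $bits bits, expires $($cert.NotAfter)"
    return ($bits -ge 2048)
}

function Test-HistoryPrerequisites {
    param([string]$Policy)
    # Both flags are required; check any per-user mobility policies you assign as well.
    $mob = Get-CsMobilityPolicy -Identity Global
    $cli = Get-CsClientPolicy -Identity $Policy
    $ok = $true
    if (-not $mob.AllowSaveIMHistory) { Write-Warning 'AllowSaveIMHistory is False'; $ok = $false }
    if ($cli.DisableSavingIM) { Write-Warning 'DisableSavingIM is True'; $ok = $false }
    return $ok
}

function Wait-CmsReplication {
    param([int]$TimeoutSec = 300)
    # Poll the Central Management Store until every replica reports UpToDate.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $pending = @(Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate })
        if ($pending.Count -eq 0) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    Write-Warning ('Replicas still pending: ' + ($pending.ReplicaFqdn -join ', '))
    return $false
}

if ((Test-OAuthIssuerCertificate) -and (Test-HistoryPrerequisites -Policy $policyName)) {
    Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true -Verbose
    Set-CsClientPolicy -Identity $policyName -EnableServerConversationHistory $true -Verbose
    if (Wait-CmsReplication) {
        # Per the deck, the restart is only needed the first time Lync-Exchange auth is configured.
        Stop-CsWindowsService -Name RTCSRV -Graceful
        Start-CsWindowsService -Name RTCSRV
    }
}
```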
Performance Counters

• LyncUcwa worker process in Internet Information Services (IIS) Manager
• ASP.NET\Requests Queued

For Mobility Service (Mcx)

• CSIntMcxAppPool and CSExtMcxAppPool worker processes in Internet Information Services (IIS) Manager
Settings for Mcx on IIS 7.5

1. maxConcurrentThreadsPerCPU is set to zero (0)
2. maxConcurrentRequestsPerCPU is set to zero (0)
3. ASP.NET process model is set to AutoConfig (for IIS 7.5 only)
4. HTTP.sys queue limit is set to 1,000 (by default)

Note: this applies only to the Skype for Business Server 2015 Mobility Service (Mcx). It does not apply to the Unified Communications Web API (UCWA).
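An added audit script (not from the deck) that reads the four Mcx settings above from a Front End and reports which ones differ from the values the slide expects. The aspnet.config and machine.config paths are the standard 64-bit .NET 4 locations and the HTTP.sys limit is read as the app pool queueLength; which .NET version hosts the Mcx pools on your server is an assumption to verify.

```powershell
# Added example (not from the deck): audit the Mcx ASP.NET / HTTP.sys settings on a Front End.
# Paths assume 64-bit .NET 4; adjust them to the .NET version the Mcx app pools run on.
Import-Module WebAdministration

function Get-McxSettingAudit {
    param(
        [string]$AspNetConfig  = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet.config",
        [string]$MachineConfig = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config",
        [string[]]$Pools = @('CSIntMcxAppPool', 'CSExtMcxAppPool')
    )
    [xml]$aspnet  = Get-Content -Path $AspNetConfig
    [xml]$machine = Get-Content -Path $MachineConfig
    # Settings 1 and 2 live on <system.web><applicationPool> in aspnet.config,
    # setting 3 on <system.web><processModel> in machine.config.
    $pool      = $aspnet.configuration.'system.web'.applicationPool
    $procModel = $machine.configuration.'system.web'.processModel

    $rows = @(
        [pscustomobject]@{ Setting = 'maxConcurrentThreadsPerCPU';  Actual = "$($pool.maxConcurrentThreadsPerCPU)";  Expected = '0' }
        [pscustomobject]@{ Setting = 'maxConcurrentRequestsPerCPU'; Actual = "$($pool.maxConcurrentRequestsPerCPU)"; Expected = '0' }
        [pscustomobject]@{ Setting = 'processModel autoConfig';     Actual = "$($procModel.autoConfig)";            Expected = 'true' }
    )
    foreach ($name in $Pools) {
        # Setting 4: the HTTP.sys queue limit is the application pool's queueLength (default 1000).
        $q = (Get-Item "IIS:\AppPools\$name").queueLength
        $rows += [pscustomobject]@{ Setting = "$name queueLength"; Actual = "$q"; Expected = '1000' }
    }
    # Add an Ok column so mismatches stand out in the table.
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName Ok -NotePropertyValue ($r.Actual -eq $r.Expected) -PassThru
    }
}

Get-McxSettingAudit | Format-Table -AutoSize
```

A missing attribute shows up as an empty Actual value with Ok = False, which is the case to investigate rather than a setting that is merely wrong.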
• Since the Address Book can become quite large, the mobile client makes use of the Address Book Web Services
• This means that all search requests for internal Lync-enabled users are made via a web-based query (ASWQ)
Edge Services include:

• Access Edge: Federation
• Web Conferencing Edge: Conferencing for External Users
• A/V Edge: External A/V communication, Desktop Sharing
