Tuesday, March 21, 2017

Skype for Business Cloud Connector Version 1.4.2 Release

Very important information about the current release of CCE Version 1.4.2


https://blogs.technet.microsoft.com/sfbhybridvoice/2017/03/20/skype-for-business-cloud-connector-version-1-4-2-release/


Important Support Changes:
Starting with CCE 1.4.2 we will be a little more prescriptive on updates and SLAs:
When we release version N (1.4.2 in this case) there is a 60 day window within which version N-1 (the prior released version, 1.4.1) will also be supported against the SLA commitment. After 60 days only version N is supported against the SLA commitment.

Improvements:

A lot of new certificate-based commands are included and all issues are now fixed!

Target: Define the certificate target, either EdgeServer or MediationServer.
  • Set-CcExternalCertificateFilePath -Path <Path to Edge PFX Certificate> -Target EdgeServer
    Set the path to the certificate with its private key, which the script will import and assign to the external interface of the Edge server during deployment.
  • Set-CcExternalCertificateFilePath -Path <Path to PSTN Gateway Certificate> -Target MediationServer
    Set the path to the certificate that has the certificate chain of the issuing CA for the PSTN Gateway, which the script will import to the Mediation server certificate store during deployment.
Import: Import the certificate for the Edge server or Mediation server.
  • Set-CcExternalCertificateFilePath -Path <Path to Edge PFX Certificate> -Target EdgeServer -Import
    Used to both import a new certificate to the Edge server and assign it to the external interface. This action will put the appliance in maintenance mode.
  • Set-CcExternalCertificateFilePath -Path <Path to PSTN Gateway Certificate> -Target MediationServer -Import
    Used to import a new certificate chain of the issuing CA for the PSTN Gateway certificate to the Mediation Server.
Defined certificate paths saved in “C:\ProgramData\CloudConnector\module.ini”:
  • ExternalCertificateFilePath.
  • GatewayCertificateFilePath.

New certificate management cmdlets

  • Backup-CcCertificationAuthority: Backs up the certification authority service to a file and saves it to the CA folder under the site share directory.
  • Export-CcRootCertificate: Exports the root CA certificate to a local file on the Cloud Connector host server.
  • Renew-CcCACertificate: Reinstalls the Certification Authority Service on the AD Server to create a new root CA certificate.
  • Renew-CcServerCertificate: Renews the certificates for Cloud Connector when they are near expiration or already expired.
  • Remove-CcCertificationAuthorityFile: Removes the certification authority service backup file “<SiteRootDirectory>\CA\SfB CCE Root.p12” in the CA folder under the site share directory for Cloud Connector.
  • Remove-CcLegacyServerCertificate: Removes legacy server certificates on the Central Management Store, Mediation Server, and Edge Server after you execute the Renew-CcCACertificate or Renew-CcServerCertificate cmdlets.
  • Reset-CcCACertificate: Resets the certificate authority servers to install a new certificate authority certificate.
Cloud Connector cmdlet reference: https://technet.microsoft.com/EN-US/library/mt740652.aspx

Saturday, March 11, 2017

Rename a Skype for Business Server (Front end or others)



The procedure is explained in simple steps. I have had this a couple of times, and not only because a customer wanted to change the name. It's the same if you made a typo ;)

Today I came across a double task: upgrading an SBS from Lync 2013 to Skype for Business. This has put me into a chicken-and-egg dilemma.
Should I do an in-place upgrade first or a rename or or or?

The answer to me was straightforward. Since the servers had to be reinstalled, I decided to remove the SBA entirely and do a re-deployment with SfB. Since it was an SBS, which is equivalent to a Front End server, please make sure there are no users or anything else hosted on it.

Renaming Process:

  1. Remove Skype for Business server from topology
  2. Publish topology.
  3. Run Skype for Business Server Deployment Wizard local setup on server to remove Lync components (or run the bootstrapper)
  4. Uninstall SQL Server. Front-ends have LyncLocal and RTCLocal instances. Remove both, rebooting between instance removal.  Edge only has RTCLocal instance. 
  5. Remove SQL Server 2012 Management Objects (x64)
  6. Remove SQL Server 2012 Native Client (x64)
  7. Remove Microsoft System CLR Types for SQL Server 2012 (x64)
  8. Remove Microsoft Skype for Business Server 2015, Front End Server
  9. Remove Microsoft Skype for Business Server 2015, Core Components
  10. Delete leftover data:
    Delete C:\Program Files\Microsoft SQL Server
    Delete C:\Program Files\Microsoft Skype for Business Server 2015
    Delete C:\CSData
  11. Rename server and restart
  12. Wait until AD replication completes with new server name.
  13. Open Topology Builder, add a new server to existing pool and publish. (If this is a SBA or Standard Edition Server, the pool and the server FQDN is identical.)
  14. Reinstall Skype for Business Server 2015 components and all cumulative updates
  15. Generate new certificate with updated server name and assign to appropriate services using Skype for Business Server 2015 Deployment Wizard.
  16. Restart all servers in pool at same time (only relevant for front-end servers in an Enterprise pool).



Note and Warnings:
Be careful if this is the pool where the CMS is located. In that case you need to migrate the CMS to another pool first and then start the rename procedure. Then you can move the CMS back.
The same applies to users or other applications: simply move them to a different server and move them back after the rename procedure has finished.

Note:
This procedure applies to Lync server too.

Tuesday, March 7, 2017

Polycom Group 30x, 500 and 700 support Office 365 Skype for Business Online


Polycom Group 30x, 500 and 700 support Office 365 Skype for Business Online.
You need to upgrade the Software Version to V.6.0.1 and you are good to go.



Skype for Business Cumulative Update List (10.03.2017)

It is now the 7th update (some may say it's CU 7, but it is only called the 7th update; the correct name is CU4HF1).


Note:
Windows 2016 Server is not supported for Skype for Business Server 2015 yet.



Version | Cumulative Update | KB Article
--- | --- | ---
6.0.9319.277 | February 2017: CU4 HF1 |
6.0.9319.272 | November 2016: CU4 |
6.0.9319.259 | June 2016: CU3 |
6.0.9319.235 | March 2016: CU2 |
6.0.9319.102 | November 2015: CU1 |
6.0.9319.88 | September 2015: RTM HF2 |
6.0.9319.55 | June 2015: RTM HF1 |
6.0.9319.0 | RTM | NA





Saturday, February 11, 2017

Tenant Update Time Window for Cloud Connector (Location based)


You can define several identities for the Tenant Update Time Window.
Nevertheless, you will not find a dedicated time zone switch.

New-CsTenantUpdateTimeWindow -Identity AlwaysOn -Daily -StartTime 0:00 -Duration 24:00


The time zone (e.g. GMT, UTC, ...) is that of the CsPSTNHybridSite physical location where the CCE is located; it is tied to the local Hyper-V host (CCE appliance).

The process for planning the time window across multiple locations is simple:


  • define all necessary TenantUpdateTimeWindows, including StartTime and max. Duration
  • define all physical locations
  • set the CCE Hyper-V host to the time zone of the physical location and to the correct time
  • make sure the VMs get their time from the physical host (CCE)


If you disable OS auto update or Bits auto update, your host and virtual machines may miss important Windows updates, and your Skype for Business Cloud Connector Edition will not upgrade to new versions automatically. That means you may need to spend time modifying your configuration and applying updates manually during business hours, which may affect the SLA of Skype for Business Cloud Connector Edition. It is highly recommended that you keep auto update enabled.



Monday, January 23, 2017

Cloud Connector Edition set automatic tenant update time windows

A very important task after installing a CCE (Cloud Connector Edition)

You must set a proper update time for your CCE Windows updates and CCE patching.

WARNING 1:
If you don't do this, the CCE might start installing updates at any point in time and will set you offline for the installation for up to 3hrs+.

WARNING 2:
You have to configure the update window before you deploy the CCE!

NOTE:
The time zone is not configurable; it is tied to the Hyper-V host (the CCE location) as defined in the Windows host. Make sure the time zone settings are correct on the CCE!


First log in to your Office 365 tenant

Import-Module skypeonlineconnector
$cred = Get-Credential
$Session = New-CsOnlineSession -Credential $cred -Verbose
Import-PSSession $session


Enable (Updates Windows)

You have to identify (name) and define an update window

New-CsTenantUpdateTimeWindow -Identity AlwaysOn -Daily -StartTime 0:00 -Duration 24:00

You have to identify your CCE site and assign the update window to it.
The update window should be set up for both WindowsUpdates and CCE BitsUpdate.

Set-CsHybridPSTNSite -Identity <SiteName> -OsUpdateTimeWindow @{add="AlwaysOn"} -BitsUpdateTimeWindow @{add="AlwaysOn"}


Disable (Update Windows)

Create a time window in which the update will not be applied:

New-CsTenantUpdateTimeWindow -Identity NeverOn -Monthly -WeeksOfMonth First -DaysOfWeek Sunday -StartTime 3:00 -Duration 0:0

Apply the new time window to your site:

Set-CsHybridPSTNSite -Identity <SiteName> -OsUpdateTimeWindow @{add="NeverOn"} -BitsUpdateTimeWindow @{add="NeverOn"}


Further information:

The -BitsUpdateTimeWindow parameter of the cmdlet can be modified with add, remove and replace.

Other examples:

  • New-CsTenantUpdateTimeWindow -Identity Night -Daily -StartTime 22:00 -Duration 6:00

  • New-CsTenantUpdateTimeWindow -Identity WeekdayNight -Weekly -DaysOfWeek Monday,Tuesday,Wednesday,Thursday,Friday -StartTime 22:00 -Duration 4:00

  • New-CsTenantUpdateTimeWindow -Identity FirstAndLastWeekend -Monthly -WeeksOfMonth First,Last -DaysOfWeek Sunday,Saturday -StartTime 0:00 -Duration 10:00

  • New-CsTenantUpdateTimeWindow -Identity MidDayOfMonth -Monthly -DayOfMonth 15 -StartTime 0:00 -Duration


Sunday, January 15, 2017

Installing Cloud Connector Edition in Office 365

Based on the following PDF, which I have published on TechNet Gallery, I explain how to set up a CCE appliance from Sonus, the SBC 1000 Cloud Link.

Generally, if you use the same CloudConnector.ini as provided in the How-To Guide, you will also be able to install the CCE on a dedicated physical Hyper-V host.

You can download the full 96 pages here:
https://gallery.technet.microsoft.com/Cloud-Connector-Configurati-521b533f

Happy reading ;)



Logical Infrastructure



DNS

DNS access is required externally for the Access Edge Server and the Media Relay (Audio); video is not implemented for local breakouts. The internal CCE servers must resolve internal DNS names and the Access Edge component via external DNS. Therefore, the Access Edge should resolve DNS externally and have a hosts file (C:\Windows\System32\drivers\etc\hosts) for internal DNS resolution.


Note:
The tenant's external onmicrosoft.com DNS suffix is not supported.

SIP.<sipdomain> is not supported for any CCE; it is reserved for the Office 365 Access Edge.



External DNS entries for CCE (also used for certificates):

Access Edge: e.g., access.sipdomain.com (CCE Site (x) Access Edge)

SIP domain: e.g., sip.sipdomain.com (Office 365 Access Edge)



DNS Record for sonusms01.com | Record Type | Setting | Comment
--- | --- | --- | ---
CCE Site A | | |
Accesspool | A | 123.123.123.1 | IP of Access Edge, Single CCE SITE or Site A
mr01 | A | 123.123.123.2 | Not required to be set (mr can be the same IP as Access Edge)
CCE Site B | | |
accesspool02 | A | 12.123.123.1 | IP of Access Edge, Multi CCE SITES, e.g. Site B
mr02 | A | 12.123.123.2 | Not required to be set
Office 365 | | |
sip | CNAME | sipdir.online.lync.com |
lyncdiscover | CNAME | webdir.online.lync.com |
_sip.tls | SRV | 100 1 443 sipdir.online.lync.com |
_sipfederationtls.tcp | SRV | sipfed.online.lync.com |








Note:

Media Relay is not required in the certificate. The MRAS service will issue its own certificate for media encryption. Therefore, a DNS record for it is not required either; it is optional.
The MR can have its own IP address, but this is neither required nor advisable.






DNS Access queries in CCE


All internal VMs will query the CCE AD DNS installed automatically on the DC VM.
The Edge Server VM has a hosts file installed for internal DNS and uses any external “public” DNS server for Internet-related queries, such as those for the Office 365 tenant.







Note:
All other DNS records necessary for the internal and external (Internet) networks remain unchanged for Office 365 deployments.

Note:
During CCE installation it might be required to point the internal DNS (AD) to an external system.
 

External Certificates


Notes: A CN starting with SIP.<domain> is not supported with anything other than a wildcard certificate. SIP is a placeholder for access edge client logins.

It is possible to use a single certificate for all CCE sites, as long as the other sites are listed with their fully qualified domain name (FQDN) in the SAN entries.


Single CCE Site


In addition to the DNS entries, publicly-signed SAN certificates are also required:





SN/CN | accesspool.sonusms01.com | Single CCE SITE
SAN | accesspool.sonusms01.com |
SAN | sip.sonusms01.com |



Note:
Single CCE site deployment is similar to the well-known on-premises deployments for Edge Servers; the principles are identical. That is, if an Edge Pool is used, the external pool name must be addressed with HLB or DNS LB, but if it is a single server, only the server name is needed.



Multi-Site CCE Site with Shared Certificates


Multiple CCE Sites can be registered with Office 365:




SN/CN | accesspool.sonusms01.com |
SAN | accesspool.sonusms01.com | CCE Site 1
SAN | accesspool01.sonusms01.com | CCE Site 2
SAN | sip.sonusms01.com |



Wildcard Certificates


Wildcard certificates are supported.





SN/CN | name.sonusms01.com | It can be sip.* too in this case
SAN | sip.sonusms01.com | 1
SAN | *.sonusms01.com | Wildcard
SAN | xx | Any other SAN

Notes: Wildcards are supported as sn=sip.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Microsoft also supports sn=*.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
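
The naming rules from the DNS and external certificate notes above can be checked before a certificate is ordered or imported. The following is an added example, not part of the original guide or of any Microsoft or Sonus tooling: Test-CceExternalCertNames is a hypothetical helper, and its inputs are constructed to mirror the sonusms01.com tables.

```powershell
# Added example. Test-CceExternalCertNames is a hypothetical helper, not a CCE cmdlet.
# It checks names only; chain, expiry and private key are out of scope.
function Test-CceExternalCertNames {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SubjectCN,      # SN/CN of the certificate
        [Parameter(Mandatory)] [string[]] $San,            # SAN DNS entries
        [Parameter(Mandatory)] [string]   $SipDomain,      # e.g. sonusms01.com
        [Parameter(Mandatory)] [string[]] $AccessEdgeFqdn  # external Edge FQDN of each CCE site
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $cn       = $SubjectCN.Trim().ToLowerInvariant()
    $names    = @($San | ForEach-Object { $_.Trim().ToLowerInvariant() })
    $domain   = $SipDomain.Trim().ToLowerInvariant()
    $sipName  = "sip.$domain"
    $wildcard = "*.$domain"
    $hasWildcard = ($cn -eq $wildcard) -or ($names -contains $wildcard)

    # The onmicrosoft.com suffix cannot be used for CCE.
    if ($domain -eq 'onmicrosoft.com' -or $domain.EndsWith('.onmicrosoft.com')) {
        $findings.Add("SIP domain $domain uses the unsupported onmicrosoft.com suffix")
    }
    # Every certificate layout in the guide lists sip.<sipdomain> as a SAN.
    if ($names -notcontains $sipName) {
        $findings.Add("SAN $sipName is missing")
    }
    # A CN of sip.<sipdomain> is only supported on a wildcard certificate.
    if ($cn -eq $sipName -and -not $hasWildcard) {
        $findings.Add("CN $sipName requires a wildcard SAN $wildcard")
    }
    foreach ($fqdn in $AccessEdgeFqdn) {
        $edge = $fqdn.Trim().ToLowerInvariant()
        # sip.<sipdomain> is reserved for the Office 365 Access Edge.
        if ($edge -eq $sipName) {
            $findings.Add("$edge is reserved for Office 365 and cannot name a CCE Access Edge")
            continue
        }
        # A wildcard covers exactly one label below the SIP domain.
        $label = if ($edge.EndsWith(".$domain")) { $edge.Substring(0, $edge.Length - $domain.Length - 1) } else { '' }
        $coveredByWildcard = $hasWildcard -and $label -ne '' -and $label -notmatch '\.'
        if (($names -notcontains $edge) -and -not $coveredByWildcard) {
            $findings.Add("Access Edge $edge is not covered by any SAN")
        }
    }
    [pscustomobject]@{
        SubjectCN = $SubjectCN
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed inputs that mirror the sonusms01.com tables in the guide.
$cases = @(
    @{ SubjectCN = 'accesspool.sonusms01.com'   # multi-site, shared certificate
       San = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com', 'sip.sonusms01.com'
       AccessEdgeFqdn = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com' },
    @{ SubjectCN = 'sip.sonusms01.com'          # wildcard layout
       San = 'sip.sonusms01.com', '*.sonusms01.com'
       AccessEdgeFqdn = 'accesspool.sonusms01.com' },
    @{ SubjectCN = 'sip.sonusms01.com'          # unsupported: sip CN without a wildcard
       San = 'sip.sonusms01.com', 'accesspool.sonusms01.com'
       AccessEdgeFqdn = 'accesspool.sonusms01.com' }
)
foreach ($case in $cases) {
    Test-CceExternalCertNames @case -SipDomain 'sonusms01.com' | Format-List
}
```

The first two cases report Compliant = True; the third reports the missing wildcard SAN.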



Internal Certificates


All internal servers–including the Domain Controller–require certificates, which can be either private certificates or externally signed.

  • Typically, a CA is installed using the CCE automated setup, and the certificate can be generated automatically based on the CA

  • The “Member Servers” are domain-joined to the CCE Active Directory forest

  • Root certificates are propagated automatically, but with the Edge component, you have to import the root certificate for the internal side of the Edge


CMS VMs (primary or backup) require a default certificate with server FQDN as the subject name.

Mediation Server VMs require a default certificate with the Mediation Server Pool FQDN as the subject name. A single certificate can be used across all mediation server VMs, or each VM can use its own certificate, as long as they all have the pool FQDN in the subject name.

Edge VMs require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate, as long as they all have the internal pool FQDN in the subject name.

Note:
Remember to import the Root CA certificates if internal or private certificates are going to be used. With the Sonus CCE Appliance, this step is handled by the CCE Installation Wizard.
 

Firewall Port Configuration[1]


Internal Firewall


Source IP | Destination IP | Source Port | Destination Port
--- | --- | --- | ---
Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060**
SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068/TLS 5067
Cloud Connector Mediation component | Internal clients | 49 152–57 500* | TCP 50,000–50,019
Cloud Connector Mediation component | Internal clients | 49 152–57 500* | UDP 50,000–50,019
Internal clients | Cloud Connector Mediation component | TCP 50,000–50,019 | 49 152–57 500*
Internal clients | Cloud Connector Mediation component | UDP 50,000–50,019 | 49 152–57 500*

* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.

** This port should be configured on the SBC/PSTN gateway; 5060 is an example. Other ports on the SBC/PSTN gateway can be configured as required.



External Firewall - Minimum Configuration


Source IP | Destination IP | Source Port | Destination Port
--- | --- | --- | ---
Any | Cloud Connector Edge External Interface | Any | TCP 5061
Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478
Any | Cloud Connector Edge External Interface | TCP 50,000–59,999 | TCP 443
Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478
Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | TCP 443



External Firewall - Recommended Configuration


Source IP | Destination IP | Source Port | Destination Port
--- | --- | --- | ---
Any | Cloud Connector Edge External Interface | Any | TCP 5061
Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | Any
Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 | Any
Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000–59,999
Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999




Configuration Guide for Users, Dial-Plans, Voice Routes and PSTN Usage


This section covers the view for Cloud Connector Edition Setup only. Remember to assign an Office 365 license before users are enabled for a Skype for Business online account.


Connect to MSOnline


It is best to connect to MSOnline too.

Import-Module MSOnline
$credential = get-credential
Connect-MsolService -Credential $credential






Connect to Skype for Business Online


The Skype for Business Online Connector (Windows PowerShell module) can be downloaded from the Microsoft download center.

For more information go to Configuring your computer for Skype for Business Online management.

Import-Module skypeonlineconnector
$cred = Get-Credential
$Session = New-CsOnlineSession -Credential $cred -Verbose
Import-PSSession $session



Configuration Data Definition CloudConnector.ini


The LAN site is network address 192.168.210.0/24

Parameter | Value
--- | ---
SIP Domain | sonusms01.com
Virtual Machine Domain | sfbhybridtest.local
Server Name | AD
IP | 192.168.210.115
Online SIP Federation FQDN | sipfed.online.lync.com
Site Name | AEPSITE1
Base VMIP | 192.168.210.119
Management Switch Name | SfB CCE Management Switch
Internet Switch Name | SfB CCE Internet Switch
Corpnet Switch Name | SfB CCE Corpnet Switch
Management IP Address Prefix | 192.168.219.0
Internet Default Gateway | 192.168.211.1
Corpnet Default Gateway | 192.168.210.1
Internet DNS IP Address | 8.8.8.8
Corpnet DNS IP Address | 8.8.8.8


Primary CMS

Server Name | CMS-Server
IP Address | 192.168.210.116
Share Name | CmsFileStore


Mediation Server

Server Name | MediationServer
Pool Name | mspool
IP Address | 192.168.210.117


Edge Server

Internal Server Name | Edge-064913
External MR Public IPs | 12.8.245.86
External SIP IPs | 192.168.211.86
Internal Pool Name | Edgepool
Internal Server IPs | 192.168.210.118
External MR IPs | 192.168.211.86
External SIP Pool Name | AEPSITE2


Gateway

FQDN | Sbc1.sfbhybridtest.local
IP Address | 192.168.210.113
PORT | 5060
Protocol | TCP
Enable Refer Support | true


Sonus Network (specific too)

Network Type | intranet
Deployment Type | standalone




Set the Network Interfaces on CCE
The first step is navigating to the Settings tab –> ASM Configuration in the Node Interfaces section. Here a real IP address is assigned to the physical SBC network interface.
Two Class C networks are defined:
NIC 1 LAN (and CCE VMs): IP: 192.168.100.0/24, IP: 192.168.100.114
NIC 2 Internet (and CCE Edge VMs): IP: 192.168.211.0/24, IP: 192.168.211.85

Set VM and Hyper-V Networks on CCE
Next click the Tasks tab –> Configure CCE, where the CCE deployment information is provided, such as CCE VM IP addresses, internal/external DNS server, and so on. The Deployment Type also needs to be chosen, either Standalone or Corporate Intranet. This defines a single CCE (non-HA) and LAN deployment.
Note:
The internal DNS will be set in the next section.


Adjust or Administer the DNS Server Setting
Under System –> Node-Level Settings, change the Primary Server IP/DNS within Domain Name Service window to the Controller IP address, 192.168.100.115.




Start CCE Deployment on Appliance Configuration (Wizard)


After verifying the settings and parameters, CCE deployment is ready. This can take one to two hours.

Navigate to System and click “Deploy CCE VM” where there is a summary of all the important parameters from the CloudConnector.ini file.


Deploy the CCE Appliance by clicking “Prepare CCE” at the bottom of the page.

 
You will be asked to provide the certificate password, either your password for the imported certificate file or the certificate requires answer file writing the certificate into the CCE appliance, storing the file locally.

The next step is a reminder to proceed with the CCE installation process.


Finalizing CCE Deployment on Appliance using the Hyper-V host PowerShell


The process for installing the CCE VMs and letting them be configured automatically is identical to the process described on TechNet.

Register-CcAppliance
Install-CcAppliance

Next you need to provide the required user accounts and passwords:
local VmAdmin, DomainAdmin, SafeModeAdmin, ExternalCert and
the user name and password of your Office 365 admin account.
Next, start the deployment of the Cloud Connector appliance with the cmdlet Install-CcAppliance.


The VM deployment will start immediately. Connect to the host with the defined IP address and open the Virtual Machine Manager to find:
  • The VM being cloned
  • SysPrep
  • VM started
  • Updated (Windows Update)
  • Finalized


Note:
If you started a redeployment, you must unregister the existing CCE Appliance configuration with your Office 365 tenant, by using:
 
Get-CsHybridPSTNAppliance
(NOTE: mark the IDENTITY)

Unregister-CsHybridPSTNAppliance -identity <MarkedName> -Force




[1] Taken from TechNet