Tuesday, October 20, 2015

Skype for Business and SQL Server 2014 licensing

With Skype for Business Server 2015, the options for using SQL Server have expanded once more.

We now have a couple of possibilities. Today I'm going to discuss all of them and will advise on the current licensing strategy based on SQL Server 2014, in regard to the Skype for Business Server 2015 recommendations.

The general licensing guides are available here: http://www.microsoft.com/en-us/licensing/product-licensing/sql-server-2014.aspx


One generic topic I have to discuss first. In many cases we are using hypervisor technologies, meaning the SQL Servers are virtualized. Here is one important consideration you should keep in mind.
If the SQL Server is virtual AND you use CPU CORE licensing, you can run as many virtual SQL Servers on a single PHYSICAL host as you want. You only need to license the physical CPUs of that host.
This applies to every physical host in use.
Say you have 3 VMware/Hyper-V physical servers, and you run three SQL Servers. If you place them on 2 physical hosts only (never on the third one), you only need to license 2 hosts instead of 3 SQL Servers.

I mention this because you need to understand that the licensing model might need to be adjusted for the described scenarios if you run SQL virtualized. You might save costs if you place SQL Servers optimally within a virtual environment.


IMPORTANT INFORMATION REGARDING CORE LICENSES:

Please consult the current licensing guide if you license per core. There is a difference between physical and virtual CPUs.
Additionally, there is a FACTOR you need to consider in the core license count, based on the CPU type.
The minimum core license is:
physical CPU Core     -> min. 2 CORE Licenses
virtual CPU Core (VM) -> min. 4 CORE Licenses



Licensing general terms based on Microsoft's advanced licensing description:

All SQL Server editions provide high availability features such as clustering (two-node only), backup log shipping and mirroring.
Always On (advanced HA feature) is only available in the Enterprise Edition. Additionally, this includes support for multiple active (readable) secondary servers, as well as for multi-site failover clustering.
In Skype for Business Server 2015, it is important to remember that a Multi-Site Pool Failover is not supported within a single Pool. Only Pool Pairing is supported. Therefore I don't see any multi-site failover scenario for SQL in regard to Skype for Business.

Especially for Always On, but for other scenarios too, for each active SQL Server an equal number of passive SQL Servers is free of charge. You need to name the server and list it in your assessment sheets, but you do not need to pay a licensing fee for those servers.
Passive means in the licensing terms: TRULY PASSIVE.

Truly passive means the server does NOT, for example, run any of the following:
  • Reporting
  • Backup
  • Running procedures

In a setup where you run an Always On configuration with one active and two passive nodes, e.g. in two different physical locations, you need 2x SQL Server licensed and 1x does not require a license.
Even though this is not a scenario you will consider with Skype for Business.


Core license:
You need to count the v-host with the most CPUs in any case. To explain: only the vCPUs (virtual CPUs) are counted.

Explaining a license shift:
In the event of a failure, where the passive (secondary) node becomes active, the assigned license is automatically (dynamically) moved to the secondary node (named: License Mobility with Server Farm SA Benefit).


Remember, at the end, you require an active Software Assurance contract for those setups:
Failover Servers: SA customers are allowed to run passive SQL Server 2014 instances in a separate OSE or server for high availability.



Finally we can have a look into the possible Skype for Business Backend Server recommendations.

1. Scenario - SINGLE SQL Server

Well, this scenario may be suitable for a test lab, but not for production.
For licensing, you only need:

Licensing:
2x SQL Server 2014 Std/Ent per Core or Server

2. Scenario - Clustered SQL Server

Still a common scenario; you should consider the availability of your storage. But assuming your storage is redundant, maybe even mirrored, this could still be a very suitable scenario.
As the best description of a cluster: the failover clustering is not on the database level, it is on the server level, meaning the SQL Servers themselves are clustered.

Licensing:
2x SQL Server 2014 Std/Ent per core or server


3. Scenario - MIRROR SQL Server (without witness)

This is the first setup where we do not have a server cluster itself; we mirror the database. Meaning we log ship the primary database to a secondary (only one secondary) database.
The high availability is based on the database itself!

But in this setup, in the event of a server or database failure on the primary node, the database will NOT switch automatically. We have no witness and we have to initiate the switch manually.

Licensing:
1x SQL Server 2014 Std/Ent per core or server



4. Scenario - MIRROR SQL Server (recommended)

Here it comes with a fully automated failover setup. The principles are still the same as described in scenario 3, but we utilize a third server as witness. Therefore the system can recognize a failure and identify a possible split-brain issue.

Licensing:
1x SQL Server 2014 Std/Ent per core or server
1x SQL Server 2014 Express Edition (free of charge)

5. Scenario - ALWAYS ON SQL Server

Why don't we need a witness (quorum) on SQL?
The Always On configuration relies on WSFC (Windows Server Failover Clustering), and here we must have a File Share Witness configured. So the witness is the share, not a dedicated server anymore.

Licensing:
1x SQL Server 2014 Enterprise per core or server


Monday, October 12, 2015

Wildcard Certificate Support in Skype for Business

Coming back to the most common question about certificates in Skype for Business and Lync Server.

Can we use Wildcard Certificates in Skype for Business or Lync Server?


The simple answer is: YES and NO.

First let's have a look into a certificate:

A certificate has a Common Name (CN) and Subject Alternative Names (SAN).
A classic wildcard certificate is a certificate where the CN looks like: CN=*.domain.com



In Skype for Business the main reason for certificate use is TLS/MTLS data encryption, and the other point is server authentication/validation.
Skype for Business uses the Common Name (CN) for authentication/validation trusts.

Only if a server within the topology, or for federation purposes, presents a valid certificate with its matching Common Name (CN) can the entire traffic be protected with TLS/MTLS.

Therefore we understand that a CN identifier equal to the FQDN of the server or the pool is RECOMMENDED!





A valid SAN wildcard certificate could look like this:

CN  = POOL01.DOMAIN.COM
+
SAN = POOL01.DOMAIN.COM
SAN = SIP.DOMAIN.COM
SAN = *.DOMAIN.COM
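To make the distinction between a CN wildcard and a SAN wildcard concrete, here is an added Python check (my own example, not Microsoft's validation code and not part of the original post). It applies the rule described above: the CN must be the exact FQDN of the server or pool, and a wildcard may only do its work from the SAN list. The certificate names are the ones from the post; "extra.domain.com" is a constructed example of a further name that the wildcard SAN would cover, and the `evaluate` helper and its result keys are my own.

```python
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The name fields of an X.509 certificate that matter for this check."""
    cn: str
    sans: list = field(default_factory=list)


def name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive DNS name match.

    A wildcard is honoured only as the whole leftmost label ("*.domain.com")
    and matches exactly one label, so it never covers "a.b.domain.com",
    and a bare "*.com" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels = pattern.split(".")
    f_labels = fqdn.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(f_labels):
        return False
    return p_labels[1:] == f_labels[1:]


def evaluate(cert: CertNames, pool_fqdn: str, required: list) -> dict:
    """Apply the post's rule (hypothetical helper, not a Microsoft API):
    - the CN must be the exact pool/server FQDN (a wildcard CN is unsupported),
    - every required name must be covered by the CN or a SAN,
    - a wildcard may only provide coverage from the SAN list."""
    cn_is_wildcard = "*" in cert.cn
    cn_matches_pool = (not cn_is_wildcard) and name_matches(cert.cn, pool_fqdn)
    # Good practice: the CN is repeated as a SAN, as in the post's example.
    cn_in_san = cert.cn.lower() in (s.lower() for s in cert.sans)
    exact_sans = [s for s in cert.sans if "*" not in s]
    wildcard_sans = [s for s in cert.sans if "*" in s]
    missing, covered_by_wildcard = [], []
    for fqdn in required:
        if (not cn_is_wildcard and name_matches(cert.cn, fqdn)) or any(
            name_matches(s, fqdn) for s in exact_sans
        ):
            continue  # exact CN or exact SAN match
        if any(name_matches(s, fqdn) for s in wildcard_sans):
            covered_by_wildcard.append(fqdn)
            continue
        missing.append(fqdn)
    return {
        "cn_is_wildcard": cn_is_wildcard,
        "cn_matches_pool": cn_matches_pool,
        "cn_in_san": cn_in_san,
        "missing": missing,
        "covered_by_wildcard": covered_by_wildcard,
        "supported": (not cn_is_wildcard) and cn_matches_pool and not missing,
    }


# The SAN wildcard certificate from the post, and a classic CN wildcard
# certificate for comparison (both constructed from the post's names).
SAN_WILDCARD_CERT = CertNames(
    cn="POOL01.DOMAIN.COM",
    sans=["POOL01.DOMAIN.COM", "SIP.DOMAIN.COM", "*.DOMAIN.COM"],
)
CN_WILDCARD_CERT = CertNames(cn="*.DOMAIN.COM", sans=["*.DOMAIN.COM"])
# Constructed list of names the pool must present; "extra.domain.com" is made up.
REQUIRED = ["pool01.domain.com", "sip.domain.com", "extra.domain.com"]

if __name__ == "__main__":
    for label, cert in (("SAN wildcard", SAN_WILDCARD_CERT),
                        ("CN wildcard", CN_WILDCARD_CERT)):
        print(label, evaluate(cert, "pool01.domain.com", REQUIRED))
```

Running it shows the point of the post: both certificates cover every required name, but only the one with the exact pool FQDN in the CN is reported as supported; the CN wildcard certificate fails on the CN check alone, even though its wildcard SAN matches everything.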





A dedicated article for Skype for Business does not exist yet; you have to refer to: Environmental requirements for Skype for Business Server 2015.
Still, an internal deployment guide exists here: https://technet.microsoft.com/en-us/library/dn933910.aspx
It addresses the same issue in the same way as it was with Lync 2010 and Lync 2013.


SUMMARY:

Please carefully consider the use of a wildcard certificate. Even if you find that a CN wildcard certificate appears to work, due to the feature requirements named above it is NOT supported. Therefore make use of SAN wildcards only. Some other interfaces, like the internal Edge NIC for example, never support a wildcard, not even if it is defined as optional.

If you follow one simple piece of advice: use wildcard certificates ONLY on the Reverse Proxy and NOT on the internal / Edge servers at any time.





As reference:
Lync 2010:
https://technet.microsoft.com/en-us/library/hh202161(v=ocs.14).aspx
Lync 2013:
https://technet.microsoft.com/en-us/library/hh202161(v=ocs.15).aspx

Skype for Business Server 2015:
https://technet.microsoft.com/EN-US/library/dn933910.aspx#Certs




NOTE:
Exchange UM and UC integration is not covered in this article yet. Please check with your Exchange department first whether they support wildcards.