Sunday, January 15, 2017

Installing Cloud Connector Edition in Office 365

In the following PDF, which I have published on the TechNet Gallery, I explain how to set up a CCE appliance from Sonus, the SBC 1000 Cloud Link.

Generally, if you use the same CloudConnector.ini as provided in the how-to guide, you will also be able to install the CCE on a dedicated physical Hyper-V host.

The full 96-page guide can be downloaded here:
https://gallery.technet.microsoft.com/Cloud-Connector-Configurati-521b533f

Happy reading ;)



Logical Infrastructure



DNS

DNS access is required externally for the Access Edge Server and the Media Relay (audio only; video is not implemented for local breakouts). The internal CCE servers must resolve internal DNS names, and the Access Edge component must be resolvable via external DNS. Therefore, the Access Edge should resolve DNS externally and use a hosts file (C:\Windows\System32\drivers\etc\hosts) for internal name resolution.


Note:
The tenant's onmicrosoft.com DNS suffix is not supported externally.

SIP.<sipdomain> is not supported as a name for any CCE; it is reserved for the Office 365 Access Edge.



External DNS entries for CCE (also used for certificates):

Access Edge: e.g., access.sipdomain.com (CCE site (x) Access Edge)
SIP domain:  e.g., sip.sipdomain.com (Office 365 Access Edge)



| DNS record for sonusms01.com | Record type | Setting | Comment |
| --- | --- | --- | --- |
| CCE Site A | | | |
| accesspool | A | 123.123.123.1 | IP of Access Edge, single CCE site or Site A |
| mr01 | A | 123.123.123.2 | Not required to be set (MR can use the same IP as the Access Edge) |
| CCE Site B | | | |
| accesspool02 | A | 12.123.123.1 | IP of Access Edge, multiple CCE sites, e.g. Site B |
| mr02 | A | 12.123.123.2 | Not required to be set |
| Office 365 | | | |
| sip | CNAME | sipdir.online.lync.com | |
| lyncdiscover | CNAME | webdir.online.lync.com | |
| _sip._tls | SRV | 100 1 443 sipdir.online.lync.com | |
| _sipfederationtls._tcp | SRV | sipfed.online.lync.com | |








Note:
Media Relay does not need to be included in the certificate; the MRAS service issues its own certificate for media encryption. Therefore a DNS record for it is optional as well.
The MR can have its own IP address, but this is neither required nor advisable.
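To check an external zone against the record set above before registering the appliance, here is an added example (not code from the post or from Sonus) that encodes the rules just described: the four Office 365 records are mandatory, every CCE site needs an A record for its Access Edge, the name "sip" may not be used for a CCE site, and a Media Relay record is optional. The zone dictionary is constructed from the table above; in practice you would fill it from your resolver's answers.

```python
"""Verify that a SIP domain's external DNS zone carries the records a CCE
deployment needs. Added example, not from the original post; the zone data
below is constructed from the table above."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Office 365 records every SIP domain needs; names are relative to the zone.
O365_REQUIRED = {
    ("sip", "CNAME"): "sipdir.online.lync.com",
    ("lyncdiscover", "CNAME"): "webdir.online.lync.com",
    ("_sip._tls", "SRV"): "sipdir.online.lync.com",
    ("_sipfederationtls._tcp", "SRV"): "sipfed.online.lync.com",
}


@dataclass
class CceSite:
    name: str                          # e.g. "Site A"
    access_edge: str                   # relative A record of the Access Edge
    media_relay: Optional[str] = None  # relative A record of the MR, if any


def check_external_dns(zone: Dict[Tuple[str, str], str], sites: List[CceSite]) -> List[str]:
    """zone maps (relative name, record type) -> value; SRV values keep the
    'priority weight port target' form. Returns findings; [] means complete."""
    findings = []
    for (name, rtype), expected in O365_REQUIRED.items():
        value = zone.get((name, rtype))
        if value is None:
            findings.append(f"ERROR missing {rtype} record {name}")
        elif not value.endswith(expected):
            findings.append(f"ERROR {rtype} {name} points to {value!r}, expected {expected}")
    for site in sites:
        # sip.<sipdomain> belongs to the Office 365 Access Edge, never to a CCE.
        if site.access_edge.lower() == "sip":
            findings.append(f"ERROR {site.name}: 'sip' is reserved for the Office 365 Access Edge")
            continue
        if (site.access_edge, "A") not in zone:
            findings.append(f"ERROR {site.name}: no A record for Access Edge {site.access_edge}")
        # The MRAS service brings its own certificate, so the MR record is optional.
        if site.media_relay and (site.media_relay, "A") not in zone:
            findings.append(f"WARN {site.name}: media relay {site.media_relay} has no A record (optional)")
    return findings


# Constructed zone for sonusms01.com, transcribed from the table above.
SONUSMS01_ZONE = {
    ("accesspool", "A"): "123.123.123.1",
    ("mr01", "A"): "123.123.123.2",
    ("accesspool02", "A"): "12.123.123.1",
    ("mr02", "A"): "12.123.123.2",
    ("sip", "CNAME"): "sipdir.online.lync.com",
    ("lyncdiscover", "CNAME"): "webdir.online.lync.com",
    ("_sip._tls", "SRV"): "100 1 443 sipdir.online.lync.com",
    ("_sipfederationtls._tcp", "SRV"): "sipfed.online.lync.com",
}

SITES = [CceSite("Site A", "accesspool", "mr01"), CceSite("Site B", "accesspool02", "mr02")]

if __name__ == "__main__":
    for line in check_external_dns(SONUSMS01_ZONE, SITES) or ["zone complete"]:
        print(line)
```

Run it after the zone has propagated; any line starting with ERROR has to be fixed before the Edge can be reached from Office 365, while WARN lines only matter if you chose a separate Media Relay name.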






DNS Queries in CCE

All internal VMs query the CCE AD DNS that is installed automatically on the DC VM.
The Edge Server VM has a hosts file installed for internal DNS and uses an external "public" DNS server for Internet-related queries, such as those for the Office 365 tenant.







Note:
All other DNS records required for the internal and external (Internet) networks remain unchanged for Office 365 deployments.

Note:
During CCE installation, it might be necessary to point the internal DNS (AD) at an external system.
 

External Certificates


Note: A CN starting with SIP.<domain> is only supported on a wildcard certificate. SIP is the placeholder name used for Access Edge client logins.

It is possible to use a single certificate for all CCE sites, as long as the other sites are listed with their fully qualified domain names (FQDNs) in the SAN entries.


Single CCE Site


In addition to the DNS entries, publicly signed SAN certificates are also required:

| Field | Value | Comment |
| --- | --- | --- |
| SN/CN | accesspool.sonusms01.com | Single CCE site |
| SAN | accesspool.sonusms01.com | |
| SAN | sip.sonusms01.com | |



Note:
Single CCE site deployment is similar to the well-known on-premises deployment of Edge Servers; the principles are identical. That is, if an Edge pool is used, the external pool name must be addressed via HLB or DNS LB, but if it is a single server, only the server name is needed.



Multi-Site CCE Site with Shared Certificates


Multiple CCE sites can be registered with Office 365:

| Field | Value | Comment |
| --- | --- | --- |
| SN/CN | accesspool.sonusms01.com | |
| SAN | accesspool.sonusms01.com | CCE Site 1 |
| SAN | accesspool01.sonusms01.com | CCE Site 2 |
| SAN | sip.sonusms01.com | |



Wildcard Certificates


Wildcard certificates are supported.

| Field | Value | Comment |
| --- | --- | --- |
| SN/CN | name.sonusms01.com | It can be sip.* too in this case |
| SAN | sip.sonusms01.com | |
| SAN | *.sonusms01.com | Wildcard |
| SAN | xx | Any other SAN |

Note: Wildcards are supported as sn=sip.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Microsoft also supports sn=*.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
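The three certificate layouts above (single site, shared multi-site, wildcard) follow the same rules: every site's Access Edge FQDN must be covered by the CN or a SAN, sip.<sipdomain> is always listed explicitly in the SAN, a CN of sip.<domain> is only acceptable together with a wildcard SAN, and a wildcard covers exactly one DNS label. The following checker is an added example, not code from the post or from Sonus; the certificates in it are constructed from the tables above, and it goes slightly beyond the text by warning when the CN is not repeated in the SAN, which matters because current TLS clients ignore the CN once a SAN is present.

```python
"""Check that a public certificate covers every external name a CCE
deployment needs. Added example, not from the original post; the certificate
definitions are constructed from the tables above."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Certificate:
    subject_cn: str
    sans: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.subject_cn.lower()] + [s.lower() for s in self.sans]

    def has_wildcard(self) -> bool:
        return any(n.startswith("*.") for n in self.names())


def name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a '*.example.com' wildcard matching exactly one label
    (so *.sonusms01.com covers accesspool.sonusms01.com but not a.b.sonusms01.com)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        labels = fqdn.split(".")
        return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return False


def check_cce_certificate(cert: Certificate, sip_domain: str, access_edge_fqdns: List[str]) -> List[str]:
    """Returns findings for the certificate; [] means it covers the deployment."""
    findings = []
    sip_name = f"sip.{sip_domain}".lower()
    sans = [s.lower() for s in cert.sans]
    # Rule 1: a CN of sip.<domain> is only supported on a wildcard certificate.
    if cert.subject_cn.lower().startswith("sip.") and not cert.has_wildcard():
        findings.append("ERROR CN sip.<domain> is only supported on a wildcard certificate")
    # Rule 2: sip.<sipdomain> is always an explicit SAN entry.
    if sip_name not in sans:
        findings.append(f"ERROR SAN entry {sip_name} is missing")
    # Rule 3: each site's Access Edge FQDN must be covered by the CN or a SAN.
    for fqdn in access_edge_fqdns:
        if not any(name_matches(n, fqdn) for n in cert.names()):
            findings.append(f"ERROR Access Edge {fqdn} is not covered by the certificate")
    # Current TLS clients evaluate only the SAN when one is present, so the
    # CN should be repeated there, as every table above does.
    if cert.subject_cn.lower() not in sans:
        findings.append(f"WARN CN {cert.subject_cn} is not repeated in the SAN list")
    return findings


# Constructed certificates matching the three tables above.
SINGLE = Certificate("accesspool.sonusms01.com",
                     ["accesspool.sonusms01.com", "sip.sonusms01.com"])
SHARED = Certificate("accesspool.sonusms01.com",
                     ["accesspool.sonusms01.com", "accesspool01.sonusms01.com", "sip.sonusms01.com"])
WILDCARD = Certificate("sip.sonusms01.com", ["sip.sonusms01.com", "*.sonusms01.com"])

if __name__ == "__main__":
    print(check_cce_certificate(SINGLE, "sonusms01.com", ["accesspool.sonusms01.com"]))
    print(check_cce_certificate(SHARED, "sonusms01.com",
                                ["accesspool.sonusms01.com", "accesspool01.sonusms01.com"]))
    print(check_cce_certificate(WILDCARD, "sonusms01.com",
                                ["accesspool.sonusms01.com", "accesspool02.sonusms01.com"]))
```

Feed it the subject and SAN list of the certificate you are about to import; a single-site certificate reused for a second site fails rule 3, which is exactly the case the shared-certificate table is meant to cover.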



Internal Certificates


All internal servers, including the Domain Controller, require certificates, which can be either private certificates or externally signed.

·        Typically, a CA is installed by the CCE automated setup, and the certificates can be generated automatically from that CA.

·        The "member servers" are joined to the domain of the CCE Active Directory forest.

·        Root certificates are propagated automatically, but for the Edge component you have to import the root certificate for the internal side of the Edge.


CMS VMs (primary or backup) require a default certificate with server FQDN as the subject name.

Mediation Server VMs require a default certificate with the Mediation Server Pool FQDN as the subject name. A single certificate can be used across all mediation server VMs, or each VM can use its own certificate, as long as they all have the pool FQDN in the subject name.

Edge VMs require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate, as long as they all have the internal pool FQDN in the subject name.

Note:
Remember to import the Root CA certificates if internal or private certificates are going to be used. With the Sonus CCE Appliance, this step is handled by the CCE Installation Wizard.
 

Firewall Port Configuration[1]


Internal Firewall

| Source IP | Destination IP | Source Port | Destination Port |
| --- | --- | --- | --- |
| Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060** |
| SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068/TLS 5067 |
| Cloud Connector Mediation component | Internal clients | 49,152–57,500* | TCP 50,000–50,019 |
| Cloud Connector Mediation component | Internal clients | 49,152–57,500* | UDP 50,000–50,019 |
| Internal clients | Cloud Connector Mediation component | TCP 50,000–50,019 | 49,152–57,500* |
| Internal clients | Cloud Connector Mediation component | UDP 50,000–50,019 | 49,152–57,500* |

* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.

** This port should be configured on the SBC/PSTN gateway; 5060 is an example. Other ports on the SBC/PSTN gateway can be configured as required.



External Firewall - Minimum Configuration

| Source IP | Destination IP | Source Port | Destination Port |
| --- | --- | --- | --- |
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478 |
| Any | Cloud Connector Edge External Interface | TCP 50,000–59,999 | TCP 443 |
| Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478 |
| Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | TCP 443 |



External Firewall - Recommended Configuration

| Source IP | Destination IP | Source Port | Destination Port |
| --- | --- | --- | --- |
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | Any |
| Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 | Any |
| Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000–59,999 |
| Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 |




Configuration Guide for Users, Dial-Plans, Voice Routes and PSTN Usage


This section covers the view for Cloud Connector Edition Setup only. Remember to assign an Office 365 license before users are enabled for a Skype for Business online account.


Connect to MSOnline


It is best to connect to MSOnline as well:

Import-Module MSOnline
$credential = Get-Credential
Connect-MsolService -Credential $credential






Connect to Skype for Business Online


The Skype for Business Online Connector (Windows PowerShell module) can be downloaded from the Microsoft Download Center.

For more information, see "Configuring your computer for Skype for Business Online management".

Import-Module SkypeOnlineConnector
$cred = Get-Credential
$session = New-CsOnlineSession -Credential $cred -Verbose
Import-PSSession $session



Configuration Data Definition CloudConnector.ini


The LAN site uses the network address 192.168.210.0/24.

| Parameter | Value |
| --- | --- |
| SIP Domain | sonusms01.com |
| Virtual Machine Domain | sfbhybridtest.local |
| Server Name | AD |
| IP | 192.168.210.115 |
| Online SIP Federation FQDN | sipfed.online.lync.com |
| Site Name | AEPSITE1 |
| Base VMIP | 192.168.210.119 |
| Management Switch Name | SfB CCE Management Switch |
| Internet Switch Name | SfB CCE Internet Switch |
| Corpnet Switch Name | SfB CCE Corpnet Switch |
| Management IP Address Prefix | 192.168.219.0 |
| Internet Default Gateway | 192.168.211.1 |
| Corpnet Default Gateway | 192.168.210.1 |
| Internet DNS IP Address | 8.8.8.8 |
| Corpnet DNS IP Address | 8.8.8.8 |

Primary CMS

| Parameter | Value |
| --- | --- |
| Server Name | CMS-Server |
| IP Address | 192.168.210.116 |
| Share Name | CmsFileStore |

Mediation Server

| Parameter | Value |
| --- | --- |
| Server Name | MediationServer |
| Pool Name | mspool |
| IP Address | 192.168.210.117 |

Edge Server

| Parameter | Value |
| --- | --- |
| Internal Server Name | Edge-064913 |
| External MR Public IPs | 12.8.245.86 |
| External SIP IPs | 192.168.211.86 |
| Internal Pool Name | Edgepool |
| Internal Server IPs | 192.168.210.118 |
| External MR IPs | 192.168.211.86 |
| External SIP Pool Name | AEPSITE2 |

Gateway

| Parameter | Value |
| --- | --- |
| FQDN | Sbc1.sfbhybridtest.local |
| IP Address | 192.168.210.113 |
| PORT | 5060 |
| Protocol | TCP |
| Enable Refer Support | true |

Sonus Network (Sonus-specific)

| Parameter | Value |
| --- | --- |
| Network Type | intranet |
| Deployment Type | standalone |
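Most failed CCE deployments I have seen trace back to one address in CloudConnector.ini sitting on the wrong network, so it pays to sanity-check the file against the stated LAN before running the wizard. The following is an added example, not code from the post, from Sonus or from Microsoft: it parses an INI text constructed from the parameter tables above and checks that every corpnet address is inside 192.168.210.0/24, that the Edge's external SIP and MR addresses share the Internet gateway's subnet (a /24 is assumed), that the published MR address is publicly routable, and it warns when the corpnet DNS points outside the LAN, which the DNS notes above allow only temporarily during installation. The section and key names are an assumption modelled on the tables; compare them with the keys in your own CloudConnector.ini before use.

```python
"""Consistency checks on a CloudConnector.ini. Added example, not from the
post; the INI text is constructed from the parameter tables above and the
section/key names are an assumption modelled on those tables."""
import configparser
import ipaddress
from typing import List

SAMPLE_INI = """
[Common]
SiteName=AEPSITE1
SipDomains=sonusms01.com
VirtualMachineDomain=sfbhybridtest.local
OnlineSipFederationFqdn=sipfed.online.lync.com
BaseVMIP=192.168.210.119
ManagementSwitchName=SfB CCE Management Switch
InternetSwitchName=SfB CCE Internet Switch
CorpnetSwitchName=SfB CCE Corpnet Switch
ManagementIPPrefix=192.168.219.0
InternetDefaultGateway=192.168.211.1
CorpnetDefaultGateway=192.168.210.1
InternetDNSIPAddress=8.8.8.8
CorpnetDNSIPAddress=8.8.8.8

[ActiveDirectory]
ServerName=AD
IP=192.168.210.115

[PrimaryCMS]
ServerName=CMS-Server
IP=192.168.210.116
ShareName=CmsFileStore

[MediationServer]
ServerName=MediationServer
PoolName=mspool
IP=192.168.210.117

[Edge]
InternalServerName=Edge-064913
InternalPoolName=Edgepool
InternalServerIPs=192.168.210.118
ExternalSIPPoolName=AEPSITE2
ExternalSIPIPs=192.168.211.86
ExternalMRIPs=192.168.211.86
ExternalMRPublicIPs=12.8.245.86

[Gateway]
FQDN=Sbc1.sfbhybridtest.local
IPAddress=192.168.210.113
Port=5060
Protocol=TCP
EnableReferSupport=true
"""

CORPNET = ipaddress.ip_network("192.168.210.0/24")  # LAN site network stated above

# (section, key, description) of every address that must live on the corpnet.
CORPNET_ADDRESSES = [
    ("Common", "BaseVMIP", "base VM IP"),
    ("Common", "CorpnetDefaultGateway", "corpnet default gateway"),
    ("ActiveDirectory", "IP", "AD/DNS VM"),
    ("PrimaryCMS", "IP", "primary CMS VM"),
    ("MediationServer", "IP", "mediation VM"),
    ("Edge", "InternalServerIPs", "edge internal interface"),
    ("Gateway", "IPAddress", "SBC/PSTN gateway"),
]


def check_cloudconnector_ini(text: str, corpnet=CORPNET) -> List[str]:
    """Return findings ('ERROR ...' or 'WARN ...'); [] means consistent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section, key, what in CORPNET_ADDRESSES:
        addr = ipaddress.ip_address(cfg[section][key])
        if addr not in corpnet:
            findings.append(f"ERROR {what} {addr} is outside the corpnet {corpnet}")
    # Edge external interfaces must share the Internet gateway's subnet (/24 assumed).
    inet = ipaddress.ip_network(cfg["Common"]["InternetDefaultGateway"] + "/24", strict=False)
    for key in ("ExternalSIPIPs", "ExternalMRIPs"):
        addr = ipaddress.ip_address(cfg["Edge"][key])
        if addr not in inet:
            findings.append(f"ERROR Edge {key} {addr} is not in the Internet subnet {inet}")
    # The NAT'd media relay address published in DNS must be publicly routable.
    public_mr = ipaddress.ip_address(cfg["Edge"]["ExternalMRPublicIPs"])
    if not public_mr.is_global:
        findings.append(f"ERROR ExternalMRPublicIPs {public_mr} is not a public address")
    # Corpnet DNS normally points at the CCE AD; an external resolver is only
    # the temporary setting the DNS notes above mention.
    corp_dns = ipaddress.ip_address(cfg["Common"]["CorpnetDNSIPAddress"])
    if corp_dns not in corpnet:
        findings.append(f"WARN CorpnetDNSIPAddress {corp_dns} is outside the corpnet; "
                        "point it at the AD VM once installation completes")
    if cfg["Gateway"]["Protocol"].upper() not in ("TCP", "TLS"):
        findings.append(f"ERROR gateway protocol {cfg['Gateway']['Protocol']!r} must be TCP or TLS")
    return findings


if __name__ == "__main__":
    for line in check_cloudconnector_ini(SAMPLE_INI) or ["consistent"]:
        print(line)
```

On the values from the tables the only finding is the corpnet DNS warning (8.8.8.8 is outside 192.168.210.0/24), which matches the note above that the internal DNS may have to point externally during installation; change one VM address to the 192.168.100.x range used for the SBC node interface and the checker reports it as an error.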




Set the Network Interfaces on CCE

The first step is to navigate to the Settings tab –> ASM Configuration, Node Interfaces section. Here a real IP address is assigned to the physical SBC network interface.
Two Class C networks are defined:
NIC 1 LAN (and CCE VMs):           network 192.168.100.0/24, IP 192.168.100.114
NIC 2 Internet (and CCE Edge VMs): network 192.168.211.0/24, IP 192.168.211.85

Set VM and Hyper-V Networks on CCE
Next click the Tasks tab –> Configure CCE, where the CCE deployment information is provided, such as CCE VM IP addresses, internal/external DNS server, and so on. The Deployment Type also needs to be chosen, either Standalone or Corporate Intranet. This defines a single CCE (non-HA) and LAN deployment.
Note:
The internal DNS will be set in the next section.


Adjust or Administer the DNS Server Setting
Under System –> Node-Level Settings, change the Primary Server IP/DNS in the Domain Name Service window to the controller IP address, 192.168.100.115.




Start CCE Deployment on Appliance Configuration (Wizard)


After verifying the settings and parameters, the CCE deployment is ready to start. It can take one to two hours.

Navigate to System and click "Deploy CCE VM", where there is a summary of all the important parameters from the CloudConnector.ini file.


Deploy the CCE appliance by clicking "Prepare CCE" at the bottom of the page.

 
You will be asked to provide the certificate password: either the password of the imported certificate file or, if the certificate was requested via an answer file, the password used when the certificate was written into the CCE appliance and stored locally.

The next step is a reminder to proceed with the CCE installation process.


Finalizing CCE Deployment on the Appliance Using the Hyper-V Host PowerShell


The process of installing the CCE VMs and letting them be configured automatically is identical to the process described on TechNet:

Register-CcAppliance
Install-CcAppliance

Next you need to provide the required user accounts and passwords:
local VmAdmin, DomainAdmin, SafeModeAdmin, the external certificate's password, and
the user name and password of your Office 365 admin account.
Then start the deployment of the Cloud Connector appliance with the cmdlet Install-CcAppliance.


The VM deployment will start immediately. Connect to the HOST with the defined IP address and open the Virtual Machine Manager to find:
·        The VM being cloned
·        SysPrep
·        VM started
·        Updated (Windows Update)
·        Finalized


Note:
If you started a redeployment, you must first unregister the existing CCE appliance configuration from your Office 365 tenant:
 
Get-CsHybridPSTNAppliance
(Note the Identity value of the appliance.)

Unregister-CsHybridPSTNAppliance -Identity <MarkedName> -Force




[1] Taken from TechNet
