Skype for Business Hybrid Deployment, Part 1
A Skype for Business hybrid deployment is a mixed environment that combines Skype for Business Online with an on-premises configuration. In a hybrid environment, an existing on-premises deployment, with users that were created in your on-premises Active Directory, is paired with Skype for Business Online. A hybrid deployment lets you keep your users on your on-premises Skype for Business or Lync Server and on Skype for Business Online, using Active Directory synchronization to keep your on-premises and online users synchronized.
I will be posting a series of articles on Skype for Business hybrid deployment with Cloud PBX.
1. The first article will cover preparation of the on-premises Skype for Business / Lync Server and Skype for Business Online environments.
2. The second article will cover the actual user migration from on-premises Skype for Business / Lync Server to Skype for Business Online.
3. The third article covers user migration to Skype for Business Online with on-premises PSTN using Cloud PBX.
4. The fourth article covers Autodiscover configuration for a Skype for Business hybrid deployment.
5. The fifth article covers lessons learned from the Skype for Business hybrid deployment.
You must have the following configured in your environment in order to implement and deploy a hybrid deployment:
· A Microsoft Office 365 tenant with Skype for Business Online enabled. Note that you can use only a single tenant for a hybrid configuration with your on-premises deployment.
· A single on-premises deployment (infrastructure) of Skype for Business Server 2015, Lync Server 2013, or Lync Server 2010 that is deployed in a supported topology.
· Skype for Business Server 2015 administrative tools. If you are using Lync Server 2013 or Lync Server 2010, you can use the Lync Server 2013 administrative tools.
· To support Single Sign-on with Office 365 so that users can use the same login credentials for signing in to Office as they do on-premises, you can use the password sync features of Azure Active Directory (AAD) Connect. You can also use Active Directory Federation Services (AD FS) for single sign-on with Office 365.
· A single directory synchronization solution to keep your on-premises and online Active Directory objects synchronized. For details about Directory Synchronization, see Directory Integration Tools.
· For the purpose of this document, I have used ADFS and DirSync.
This assumes that you have already set up ADFS for Office 365 and single sign-on, and that your on-premises AD DS accounts are synced with Office 365. If not, refer to the Microsoft article Set up ADFS for Office 365 for Single Sign-On.
Skype for Business client supportability:
There are some differences in the features supported in clients, as well as the features available in on-premises and online environments. Before you decide where you want to home users in your organization, you should review the Client comparison tables for Skype for Business Server 2015 to determine the client support for the various configurations of Skype for Business Server. The following clients are supported with Skype for Business Online in a hybrid deployment:
· Skype for Business 2015
· Skype for Business 2016
· Lync 2013
· Lync 2010
· Lync Windows Store app
· Lync Web App
· Lync Mobile
· Lync for Mac 2011
· Lync Room System and Skype for Business Room System
· Lync Basic 2013
Here are the steps:
1. Install the Skype for Business Online PowerShell module (connector) to configure the hybrid environment.
a. My OS is Windows 7 with Service Pack 1, 64-bit.
b. Install PowerShell 3.0 or higher. If you have PowerShell 2.0, install “Windows Management Framework 3.0” (https://www.microsoft.com/en-us/download/details.aspx?id=34595)
c. Now install Skype for Business Online, Windows PowerShell Module (https://www.microsoft.com/en-us/download/details.aspx?id=39366)
d. Then install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version), and click Run to run the installer package.
e. Check which version of PowerShell you have by running Get-Host | Select-Object Version
f. Now it is time to connect PowerShell to Skype for Business Online.
Open Windows PowerShell as administrator on the computer where you installed the above prerequisites.
$cred = Get-Credential
$session = New-CsOnlineSession -Credential $cred -OverrideAdminDomain "brcd.onmicrosoft.com"
# Load the Skype for Business Online cmdlets from the remote session
Import-PSSession $session
Below is the Result:
2. You must have a hosting provider set up. Run this command in the Skype for Business Online PowerShell connector session to see the hosting provider details:
If the hosting provider is not set up, you have to set up a new hosting provider.
I used a hosting provider with the Identity "OCO", and the VerificationLevel property is set to UseSourceVerification for my environment.
New-CsHostingProvider -Identity OCO -ProxyFqdn "sipfed.online.lync.com" -Enabled $True -HostsOCSUsers $True -EnabledSharedAddressSpace $True -VerificationLevel "UseSourceVerification"
You can set AutodiscoverUrl later.
3. Enable your Office 365 tenant for Skype Meeting Broadcast. [This is optional; it is required only if you are going to use Skype Meeting Broadcast.] Make sure EnableBroadcastMeeting is True. Run this command in the Skype for Business Online PowerShell connector session.
Set-CsBroadcastMeetingConfiguration -EnableBroadcastMeeting $True
4. Now run Get-CsTenantFederationConfiguration in the Skype for Business Online PowerShell connector session.
Run the command Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
Run Get-CsTenantFederationConfiguration again to confirm that SharedSipAddressSpace is True.
5. Currently the presence policy and meeting configuration are not set. Everything is at its default.
6. Configure Skype for Business / Lync Server on-premises for Hybrid mode:
a. On the Front End Server, open the Skype for Business / Lync Server PowerShell console and run:
Check if the following parameters are enabled:
AllowFederatedUsers : True
EnablePartnerDiscovery : True
AllowOutsideUsers : True
RoutingMethod : UseDnsSrvRouting
EnableSharedAddressSpace : True
HostsOcsUsers : True
If not, then run the following command:
Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true -EnablePartnerDiscovery $true -UseDnsSrvRouting -AllowOutsideUsers $True
Note: To check that these values were changed to the correct values, you can run Get-CsAccessEdgeConfiguration again.
b. Check whether you already have a hosting provider on the on-premises Skype for Business / Lync Server.
Open the Skype for Business / Lync Management Shell and run
If the hosting provider does not exist, create one by typing the following command:
New-CsHostingProvider -Identity "LyncOnline" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $True -ProxyFqdn "sipfed.online.lync.com" -IsLocal $False -VerificationLevel UseSourceVerification
If your environment has Exchange Hybrid, then run this command as well:
New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification
If you set up a hosting provider, you need to initiate replication. Run the below command to invoke replication.
Note: To check the creation of your hosting provider you can type
Get-CsHostingProvider -LocalStore again to see the hosting provider information.
7. Federation policy: your on-premises and Skype for Business Online federation policies must be identical.
a. Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant. If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant.
b. The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.
c. The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.
d. Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel.
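One way to check rules 7a to 7c before migrating users, as an added example that is not part of the original article: the function names Get-NormalizedDomain and Test-FederationParity are hypothetical, and every value passed in is constructed sample data that you would replace with what you read from each side.

```powershell
# Added example: compares federation settings captured from both sides.
# Function names are hypothetical; sample values below are constructed.
function Get-NormalizedDomain {
    param([string[]]$Domain)
    # Trim, drop a trailing dot and lower-case so "Contoso.com " equals "contoso.com".
    @($Domain | Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
        Sort-Object -Unique)
}

function Test-FederationParity {
    param(
        [bool]$OnPremPartnerDiscovery,   # EnablePartnerDiscovery on-premises
        [bool]$OnlineOpenFederation,     # $true = open, $false = closed federation
        [string[]]$OnPremAllowed, [string[]]$OnlineAllowed,
        [string[]]$OnPremBlocked, [string[]]$OnlineBlocked
    )
    $findings = @()
    # Rule 7a: partner discovery on-premises must go with open federation online.
    if ($OnPremPartnerDiscovery -ne $OnlineOpenFederation) {
        $findings += "Domain matching differs: on-premises partner discovery is $OnPremPartnerDiscovery, online open federation is $OnlineOpenFederation"
    }
    # Rules 7b and 7c: each list must match exactly, in both directions.
    $lists = @(
        @{ Name = 'Blocked'; OnPrem = $OnPremBlocked; Online = $OnlineBlocked },
        @{ Name = 'Allowed'; OnPrem = $OnPremAllowed; Online = $OnlineAllowed }
    )
    foreach ($l in $lists) {
        $op = @(Get-NormalizedDomain $l.OnPrem)
        $ol = @(Get-NormalizedDomain $l.Online)
        foreach ($d in $op) {
            if ($ol -notcontains $d) { $findings += "$($l.Name) domain '$d' is on-premises only" }
        }
        foreach ($d in $ol) {
            if ($op -notcontains $d) { $findings += "$($l.Name) domain '$d' is online only" }
        }
    }
    return $findings
}

# Constructed sample input: the blocked lists differ by one entry.
$result = Test-FederationParity -OnPremPartnerDiscovery $true -OnlineOpenFederation $true `
    -OnPremAllowed 'partner.example' -OnlineAllowed 'Partner.example ' `
    -OnPremBlocked 'bad.example', 'spam.example' -OnlineBlocked 'bad.example'
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Federation settings match.' }
```

A domain that is blocked on only one side means the two halves of the shared SIP address space enforce different federation policy, so treat any finding as a blocker for migration.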
8. What is the DNS requirement for hybrid?
When creating DNS records for hybrid deployments, all Skype for Business external DNS records should point to the on-premises infrastructure.
DNS SRV record for _sipfederationtls._tcp.
Enable federated communication in a hybrid configuration. The Edge Server needs to know where to route federated traffic for the SIP domain that is split between on premises and online.
DNS A record(s) for Edge Web Conferencing Service FQDN, e.g. webcon.contoso.com resolving to Web Conferencing Edge external IP(s)
Internal corporate network connected users’ computers
Enable online users to present or view content in on-premises hosted meetings. Content includes PowerPoint files, whiteboards, polls, and shared notes.
Both of the above are available in my environment.
9. Firewall requirement for Hybrid deployment:
For the complete firewall port requirements for Skype for Business Online, refer to: complete firewall requirement
In addition to the port requirements for internal communication, you must also configure the following ports.
Protocol / Port
· Active Directory Federation Services (federation server role)
For more information, see Directory Integration Tools.
· Active Directory Federation Services (proxy server role) either on-premises or in Azure.
· Microsoft Online Services Portal
· My Company Portal
· Outlook Web App
· Client (communication between Skype for Business Online and your on-premises deployment)
TCP 80 and 443
· Microsoft Online Services Directory Synchronization Tool
Open inbound/outbound on the
Open inbound/outbound for data
Open inbound/outbound for
audio, video, application sharing sessions
Open inbound/outbound for audio
and video sessions
Open outbound for audio and
Verified for my deployment.
Now your environment is ready for user migration, assuming that the above steps are completed.
The next article will show user migration from on-premises Skype for Business / Lync Server to Skype for Business Online (cloud tenant).