© Nikolas Charlebois-Laprade et al. 2017

Nikolas Charlebois-Laprade, Evgueni Zabourdaev, Daniel Brunet, Bruce Wilson, Mike Farran, Kip Ng, Andrew Stobart, Roger Cormier, Colin Hughes-Jones, Rhoderick Milne and Shawn Cathcart, Expert Office 365, https://doi.org/10.1007/978-1-4842-2991-0_2

2. Skype for Business Online

Nikolas Charlebois-Laprade, Evgueni Zabourdaev (2), Daniel Brunet (3), Bruce Wilson (4), Mike Farran (5), Kip Ng (6), Andrew Stobart (4), Roger Cormier (6), Colin Hughes-Jones (6), Rhoderick Milne (6) and Shawn Cathcart (7)

(1)Gatineau, Québec, Canada

(2)Ottawa, Ontario, Canada

(3)Laval, Québec, Canada

(4)Winnipeg, Manitoba, Canada

(5)Strathmore, Alberta, Canada

(6)Mississauga, Ontario, Canada

(7)Edmonton, Alberta, Canada

BY SHAWN CATHCART

The last few years have been a very exciting time for the universal communications (UC) space. Not only have the feature sets continued to expand, but the ubiquity of the end-user experience across many different platforms and types of end points has driven a much richer collaborative environment within Skype for Business. This period has also seen the feature-parity gap close between the traditional on-premises product and what is offered in the cloud with Skype for Business Online. This chapter will explore that feature parity, as well as practical guidance around deployment of hybrid configurations, which allow the richest experience for customers moving from on-premises to the cloud.

Overview

The proliferation of cloud services has been transformational to the technology industry. It has challenged the way we think about the normal life cycle of IT services, from design, implementation, operational consumption, and maintenance through feature expansion, updates and upgrades, and implementation refresh of the service. What typically existed as a two-to-three-year life cycle for an IT service is now tracked in terms of months. There is a constant onslaught of feature set updates and improvements that are as much a huge benefit to end users as they are a challenge to IT service administrators.

The traditional focus on the underlying infrastructure supporting an IT service is now being transitioned to a focus on staying abreast of feature set updates, the integration of those features into other applications, and user consumption of the service as a whole. That being said, many of the hybrid configurations that are the cornerstone of most companies’ cloud journey are a challenging mix of on-premises configuration, network connectivity, and migration planning. They also require a strong understanding of the cloud service features for users migrated to the cloud. The feature parity and coexistence state between on-premises users and cloud users is yet another layer of complexity.

I’m a strong advocate of cloud services—and not merely because of who I work for and what I do for a living. The cloud offers companies the opportunity to focus on the feature sets of an IT service that translate to operational efficiency and collaboration, without the additional effort of maintaining the underlying infrastructure for that service. But I’m also a very pragmatic and practical person. I have no desire to sugarcoat the challenges in deploying the hybrid configurations that are common for most companies. My goal is to provide guidance in this chapter that is direct and technically applicable to the widest audience possible. My overviews are here to serve the purpose of clarifying what components of the Skype for Business service we are dealing with. While that seems an obvious statement, I’ve found that many customers get confused with the wide breadth of different modalities or components that make up the Skype for Business service. This confusion only increases when they attempt to understand how those components factor into a hybrid configuration. Figure 2-1 helps to summarize those components and will be key to drilling deeper into the specifics of hybrid configuration.

Figure 2-1. Office 365 architecture components for hybrid configurations

The other key focus will be on Hybrid Voice configurations. While there are plenty of strong feature sets in Skype for Business Online that justify the move to the cloud, such as conferencing, instant messaging, and federation, those are quite simple to understand and deploy when compared to the complexity of Hybrid Voice configurations. The user migration experience is also more complex, when you factor in the aspects of voice configurations such as dial plans, call flow, Public Switched Telephone Network (PSTN) connectivity, and the often-overlooked feature of voice mail.

You won’t find me spending much time on the topic of PSTN Calling within Skype for Business Online, and let me start by saying that my lack of covering the topic is not because I think it unimportant. On the contrary, it is my strong feeling that PSTN Calling and cloud-based Voice over Internet Protocol (VoIP) are absolutely the future for universal communications. It transforms voice back into the technology service model where it belongs. And not just for the end users, but, more important, for the technology teams responsible for implementing and maintaining that service. However, the surprising ease with which PSTN Calling can be deployed via Office 365 means that it’s something my customers, with their strong experience and knowledge of technology, tend not to require much assistance with. Also, PSTN Calling is not currently available in every country and region1 for customers using Office 365. The service is expanding rapidly, but by focusing on that topic, I’m limiting my audience quite significantly. Case in point: I’m based in Canada, as are all the customers I typically do work with, and as of the writing of this book, PSTN Calling is not yet available for Office 365 tenants hosted in the Canadian data centers. Last, I have seen that most customers end up in either a permanent or very long-term Skype hybrid configuration, so it makes sense to focus most of our time on the technical challenges with implementing Hybrid Voice.

With that said, let me clarify more fully what will be covered in this chapter and what knowledge you, the reader, should take away in the end.

What will be covered is

  • Overview of the Skype for Business Online service

  • Overview of Skype for Business hybrid configuration and topology considerations

  • A comparison of the differences between Cloud Voice versus Hybrid Voice

  • Deep technical dive on Hybrid Voice configuration and user-migration considerations and challenges

  • Service Administration tips pertinent to the Hybrid Voice configuration

  • Network performance and connectivity considerations

What will not be covered is

  • Non-Skype for Business Online–specific configurations in Office 365, such as identity management, directory synchronization, and Single Sign-On

  • General feature set descriptions for the Skype for Business Online service, such as Web and Dial-in conferencing features, etc.

What you will learn is

  • Deep technical configuration considerations for deploying Skype for Business hybrid

  • The supported topology and design considerations for deploying Hybrid Voice with on-premises PSTN connectivity

  • Guidance on provisioning and migrating Enterprise Voice users in a Hybrid Voice deployment

Skype for Business Online Overview

As a universal communications platform, Skype for Business Online provides many different types of communication features or modalities. While you may be familiar with these core components from a Lync or Skype for Business server deployment on-premises, it’s worthwhile to clarify how those components relate to the online service in Office 365.

Skype for Business Core Modalities: On-Premises vs. Office 365

Most of the core modalities between on-premises Lync Server 2013 or Skype for Business Server 2015 and Skype for Business Online are the same. However, there are several that are specific to either on-premises deployments or Skype for Business Online.

Figure 2-2 shows all the core components of the Skype for Business Online service.

Figure 2-2. Skype for Business Online core modalities

I’ll describe each in turn and discuss how they may differ from their on-premises equivalent. Microsoft has also recently released Microsoft Teams. Teams doesn’t specifically fit into a single workload within Office 365 but instead pulls in various features from the entire Office 365 suite.

Instant Messaging and Presence (IM&P)

This is the core of the Skype for Business product suite. Most customers and users are very familiar with the functionality provided within IM&P. Although understanding the feature set differences between the various client versions is often a little more difficult, they are well-documented here: https://technet.microsoft.com/en-us/library/dn933896.aspx .

Key feature set differences follow:

  • Features unavailable in Skype for Business Online

    • My Picture: URL Photo Experience: The option to point the Skype for Business client to pull your photo from a public Internet site. This is only available with on-premises deployments.

    • Address book synchronization between Skype for Business Server 2015 on-premises and Skype for Business Online is not supported.

    • Persistent Chat: While there is no direct equivalent to the Persistent Chat role in Skype for Business Online, Microsoft Teams accounts for most of this functionality plus even further integrations with SharePoint Online and Office 365 Groups.

  • Feature similar to on-premises deployments

    • Unified Contact Store: This behaves as it does with on-premises deployments of UCS with Exchange Server 2013 or newer versions. However, it only integrates with mailboxes hosted within Exchange Online.

Audio, Video, and Media

Before diving into this topic, let’s make an important clarification in terminology, specifically the difference between the Skype for Business product (the successor to Lync Server) and the Skype consumer product. While most people reading this book will be clear on the differences between those two, I want to ensure that the shorthand usage of “Skype” is always clear. Unless I specifically make reference to “Skype consumer,” assume that any references to Skype or SfB are in relation to the Skype for Business product suite.

So, with that out of the way, let’s discuss the core of Skype for Business audio and video, which are Skype-to-Skype audio and video calls. There is no specific difference in functionality here between on-premises and Skype for Business Online.

Features include

  • One-to-one audio and video calls to users

    • Within your Office 365 tenant

    • Homed on-premises as part of a hybrid configuration

    • Federated users running Lync or Skype for Business

  • High-definition video (1920 × 1080) for peer-to-peer calls

Media also includes

  • File Transfer

  • Skype-to-Skype desktop and application sharing

These also do not differ in any significant way from the Skype for Business Server 2015 feature set.

Federation and Public IM

Federation allows for external connectivity to other organizations running Skype for Business or previous Microsoft universal communications platforms. Those supported with Skype for Business Online are

  • Skype for Business Server 2015

  • Lync Server 2013

  • Lync Server 2010

  • Office Communications Server 2007 R2

Federation is also used to facilitate the hybrid configuration for Skype for Business Online. Through a Federation connection between your on-premises deployment and Skype for Business Online, along with the configuration of a Shared SIP Namespace, you can split users between both environments.

Online Meetings

Skype for Business Online provides a rich multipart meeting experience, but it’s important to break down the unique components that make up Skype online meetings. I typically break these into two main categories.

  • Meeting modalities

  • Accessibility options (the different client options for connecting to online meetings)

While the accessibility options are essentially the same as the on-premises options, the Meeting modalities vary slightly.

I break them down as follows:

  • Web conferencing

    • Group Instant Messaging & Presence

    • Content sharing

      • Desktop sharing

      • Application sharing

      • Enhanced PowerPoint presentation

    • Collaborative tools

      • Whiteboarding

      • Polls

      • Q&A

    • Audio Conference Bridge

      • Refers to the audio bridge for PC audio for client application access (Skype for Business client, Skype for Business Web App, Skype for Business Mobile app)

    • Dial-in Conference Bridge

      • A dial-in conference bridge that is integrated with the audio conference bridge

      • Provides dial-in access numbers for PSTN dial-in

      • Allows for dial-out capabilities to bring other PSTN attendees into the meeting

  • Video conferencing

    • Soft client-based video end points (Skype for Business client, Web App, and Mobile app)

    • Skype Room System (SRS) end points

    • Interoperability with non-SRS end points

So, what are some of the differences in these conferencing modalities between on-premises deployments and Skype for Business Online?

  • Dial-in conferencing is easy to deploy via Office 365, with appropriate licensing.

  • Dial-in conferencing can only be provided by the infrastructure that homes the user.

    • On-premises users must use dial-in conferencing provided by Skype for Business Server 2015 with PSTN connectivity for dial-in access numbers.

    • Skype for Business Online users must use Microsoft PSTN conferencing or one of the Audio Conferencing Providers (ACPs) that integrate with Office 365.

    • No cross-functionality. An on-premises user cannot be enabled for PSTN conferencing in Skype for Business Online.

  • Non-SRS interoperability currently has more flexibility with on-premises Skype for Business Server 2015, but this gap is being closed quickly.

  • SRS support is equal across on-premises and Skype for Business Online configurations.

Security and Archiving

In both the on-premises and Skype for Business Online scenarios, IM and media encryption is facilitated by use of the Transport Layer Security (TLS) protocol. However, with an on-premises deployment, administrators can control which client versions are allowed to connect to the back-end servers. This ability for client version control or filtering is not currently available in Office 365.

From an archiving perspective, this is not controlled explicitly from within Skype for Business Online but, rather, by the user’s associated Exchange mailbox, via In-Place Hold. For an on-premises deployment of Skype for Business, archiving is possible, whether the mailbox is homed on-premises or in Exchange Online.

However, for Skype for Business Online users, archiving is only possible currently if the mailbox is homed in Exchange Online.

Admin Center and PowerShell

Historically, the on-premises functionality within the Skype for Business Control Panel and Management Shell was deeper than what was found in the Skype for Business Online Admin Center and PowerShell module. This was mainly due to the on-premises product having functionality that wasn’t available within Skype for Business Online:

  • Persistent Chat

  • Enterprise Voice

  • Response Groups

  • Skype for Business Monitoring Reports

  • Skype for Business Call Quality Dashboard

The gap in feature parity between on-premises and Office 365 continues to close, and with it comes an ever-increasing amount of functionality within Skype for Business Online.

Examples of functionality that has already been added include the following:

  • Skype for Business usage reports (covers the appropriate functionality provided by on-premises Monitoring reports)

  • Skype for Business Call Quality Dashboard in Office 365

  • Cloud PBX, PSTN Calling, and PSTN Conferencing (provides much of the functionality found within Enterprise Voice in Skype for Business Server 2015)

Features that are in preview or on the roadmap are

  • Microsoft Teams (provides similar functionality to Persistent Chat)

  • Cloud PBX Call Queues (provides Response Group functionality)

  • Cloud PBX Auto Attendants (provides AA functionality previously provided by Exchange Unified Messaging)

These are all configured and managed through the Skype for Business Online Admin Center and PowerShell module.

PSTN Conferencing

This is an easy win for most customers. One of the biggest conferencing experience issues is when the web conferencing and PC audio bridge is not integrated with the dial-in or PSTN conferencing bridge. It’s a confusing and poor end-user experience, connecting to the web conference via the PC and dialing into the audio bridge on the phone. This is easily solved, deployed, and managed by using PSTN Conferencing within Skype for Business Online.

PSTN Conferencing is easily managed via the Skype for Business Online Admin Center, and it integrates the dial-in conferencing details into the Skype Meeting invite via integration with Outlook. Microsoft has also added functionality to PSTN Conferencing, which now allows users to customize the dial-in access numbers, as follows:

  • Use a toll-free number.

  • Assign a service number.

  • Port a DID and use it for the dial-in access number.

  • PSTN Calling is required to facilitate this.

The configuration literally takes minutes for a huge improvement in conferencing experience and, frankly, ease of management.

Skype Meeting Broadcast (SMB)

Skype Meeting Broadcast provides capabilities for large meetings…very large meetings! This has long been a challenge on-premises, with the normal attendee limit for a Skype for Business Server 2015 being 250 attendees. While you could deploy a dedicated Enterprise Pool to facilitate very large meetings, it was still limited by the resources that could be made available within a single Enterprise Edition pool and the network connectivity on-premises.

The reality is that very large meetings, or town hall–style meetings, don’t tend to be highly interactive. This is just a logistical constraint. You can’t have 10,000 attendees IM’ing or presenting video and audio streams or content and have that be at all manageable. They are handled more like events, with presenters and event admin staff providing the content for the meeting, with a much larger audience consuming that content and usually providing feedback via polls or Q&As.

Skype Meeting Broadcast is designed specifically for this type of scenario and leverages the Office 365 data centers to provide the streaming of that content to up to 10,000 users! This requires having to deploy on-premises infrastructure with enough resources to host the meeting and network connectivity to stream out that content.

Cloud PBX, PSTN Calling, and Hybrid Voice

This is where we will spend most of our time. Understanding the differences between these and the supported topologies that can be deployed with them is critical to planning the voice capabilities you intend to use with Skype for Business Online. Much of this chapter is dedicated to this topic alone, so I won’t try to tackle it here.

What I will say is that we continue to close the gap in feature parity between on-premises Enterprise Voice and the voice capabilities available with Skype for Business Online. The end goal is to have feature sets available that will allow most customers to use Cloud PBX in combination with PSTN Calling and remove their reliance on on-premises voice infrastructure and PSTN connectivity. But for most, Hybrid Voice will be the intermediate step to providing that functionality today.

Skype for Business Hybrid

Skype for Business hybrid allows you to maintain a set of users with the same SIP domain between your on-premises deployment and Office 365 tenant. It is strictly a one-to-one relationship of an on-premises Skype for Business topology with a single Office 365 tenant.

Before I go further, I’d like to recommend that readers look at the Microsoft Cloud IT architecture resources. These are excellent materials that are kept up to date with visual representations of all the important IT architecture considerations with Microsoft’s cloud services ( https://aka.ms/clouditarch ).

Most pertinent to a discussion about Skype for Business Online are

  • Microsoft Cloud Networking for Enterprise Architects

  • Microsoft Hybrid Cloud for Enterprise Architects

I’d also recommend becoming deeply familiar with the architectural model diagrams for the Office 365 workloads that can be found at https://technet.microsoft.com/en-us/library/dn782272.aspx .

As with all hybrid configurations for Office 365 workloads, the key component is identity. Where are the user and group objects managed, or, in other words, what is the source of authority for those objects: on-premises Active Directory or Azure Active Directory? In the case of hybrid configurations, the source of authority sits with the on-premises Active Directory objects, hence the requirement for directory synchronization to Azure AD (see Figure 2-3).

Figure 2-3. Skype for Business Hybrid and Identity integration

Hybrid configuration also allows for on-premises PSTN connectivity for Enterprise Voice (Cloud PBX) enabled users within Skype for Business Online (Figure 2-4 and Figure 2-5). I’ll be expanding on this in more detail later in the chapter.

Figure 2-4. On-premises PSTN connectivity via Skype for Business Server 2015
Figure 2-5. On-premises PSTN connectivity via Cloud Connector Edition (CCE)

Hybrid configuration also allows you deeper integrations with the other Office 365 workloads, Exchange Online and SharePoint Online in particular (Figure 2-6).

Figure 2-6. Skype for Business hybrid integration with Exchange and SharePoint Online

Topology Considerations

Following are the key topology considerations when looking at Skype for Business hybrid:

  • On-premises infrastructure: This relates to the required on-premises infrastructure to establish Skype for Business hybrid configuration. It consists, at minimum, of

    • Skype for Business Edge: This is a single Skype for Business Edge server, although an Edge pool is recommended for high availability.

    • Skype for Business Front End: This can be a standard edition server or an enterprise pool. A three-server enterprise pool is the recommended minimum configuration to provide high availability.

    • Reverse Proxy: The existing reverse proxy solution used on-premises. Again, the recommendation is that this solution has high availability factored in.

    • Active Directory Forest: A supported Active Directory Forest topology. I will discuss this in more detail following.

    • Directory Synchronization: The recommended tool is Azure AD Connect.

    • Authentication: Synchronized or Federated authentication

      • Synchronized: Requires configuration of Password Synchronization within Azure AD Connect

      • Federated: Requires the deployment of a supported federated identity provider, such as Active Directory Federation Services (AD FS)

    • Client End Points: This covers the desktop and mobile clients, along with supported video end points, such as Skype Room Systems.

  • Office 365 Tenant: This concerns the single tenant used to establish Skype for Business hybrid configuration with the on-premises deployment. The key point here is that this is a one-to-one ratio. You cannot have multiple on-premises deployments of Skype for Business or Lync Server 2013 federated with a single Office 365 tenant using hybrid configuration.

    • Custom Domains: You must add and verify all the appropriate SIP domains on-premises that will be used for shared SIP address configuration. You must also determine what authentication method those domains are going to use: Managed or Federated.

      • Managed: Office 365 is the source of authority for authentication, and so, typically, password synchronization is used via Azure AD Connect.

      • Federated: Office 365 custom domains are configured to redirect authentication to a supported identity provider, such as AD FS.

Supported Topologies

Supported topologies for Skype for Business fall into two categories:

  • Supported on-premises topologies

  • Supported on-premises topologies that are also supported for hybrid configurations

The biggest impact on the on-premises topology is the design or layout of the Active Directory forests. A single forest with a single Skype for Business topology is the easiest topology to support. But most enterprise customers have complex Active Directory forest designs, and these can become a blocker for hybrid configurations.

The supported Active Directory topologies for Skype for Business Server 2015 are

  • Single forest with single domain

  • Single forest with a single tree and multiple domains

  • Single forest with multiple trees and disjoint namespaces

  • Multiple forests in a central forest topology

  • Multiple forests in a resource forest topology

  • Multiple forests in a Skype for Business resource forest topology with Exchange Online

  • Multiple forests in a resource forest topology with Skype for Business Online and Azure Active Directory Connect

Reference URL: https://technet.microsoft.com/en-us/library/dn933910.aspx .

All the single-forest topologies are supported for hybrid configurations. However, when multiple forests are introduced, there is only a single, very specific topology that is supported for hybrid configuration (see Figure 2-7). It is detailed in the “Configure a Multi-Forest Environment for Hybrid Skype for Business” TechNet article found here: https://technet.microsoft.com/en-us/library/mt603995.aspx .

Figure 2-7. Multi-forest environment for Skype for Business hybrid

Even though the validation points for the forest topology are covered in the TechNet article, I want to reiterate them here. Multiple user forests are supported. Keep the following in mind:

  • For either a single-user forest or multiple-user forest deployment, there must be a single deployment of Skype for Business Server. You cannot have multiple deployments of Skype for Business Server using hybrid configurations to a single Office 365 tenant.

  • Exchange Server can be deployed in the same resource forest as Skype for Business Server or in a different forest. You can also utilize Exchange Online.

Configuring Skype for Business Server in a central forest topology is not supported when hybrid mode is enabled. The main differentiator between a central and resource forest topology is the type of object used.

  • Central forest topology utilizes contact objects.

  • Resource forest topology utilizes disabled user objects.

While not explicitly stated, enabling users for Cloud PBX in this topology is supported. The article also discusses the issues of AD FS authentication and single-sign-on behavior in this type of resource forest topology. Its recommendations often get lost in the deep technical guidance on how to configure AD FS to support this topology, so I want to highlight it here, as it’s critically important.

To avoid having a broken single-sign-on experience or AD FS authentication failures in a multi-forest topology with hybrid, the SIP/SMTP/UPN attributes for users from each forest must be unique, and not synchronized between forests (Figure 2-8).

Figure 2-8. Sample configuration for user attribute synchronization to support multi-forest hybrid for Skype for Business

The key points are as follows:

  • Have a unique SIP/SMTP/UPN domain for each forest.

  • Do not synchronize the UPN between forests, as this breaks the single-sign-on via AD FS.

  • Deploy AD FS in each user forest, to facilitate federated authentication and single-sign-on for the SIP/SMTP/UPN domains hosted by that user forest.

  • FIM can be used to synchronize the required attributes between forests.

  • Azure AD Connect will be used to create a merged user account, made up of attributes from the user and resource forests, that will then be synchronized to Azure AD.

  • Custom domains added to the Office 365 tenant should be configured for Federated authentication, with references to the AD FS proxy in the user forest hosting that domain. AD FS is optional in this scenario. Managed authentication via password synchronization can also be used.

On-Premises Edge Considerations

A common scenario with many customers is to have only a single Skype for Business Edge server deployed. This is often the result of a phased rollout approach for Skype for Business, whereby, initially, high availability and capacity for external users are not a critical driver, and so a single Edge is deployed in an Edge Pool. This is essentially a pool with one Edge server.

While this technically fits the bill, it doesn’t provide any high availability or proper capacity for the increased traffic that deploying Skype for Business hybrid puts on the Edge server. The recommendation is to deploy one of the scaled consolidated Edge pool configurations. Those are highlighted here: https://technet.microsoft.com/en-us/library/mt346416.aspx .

One of the more common scenarios is the “Scaled consolidated Edge pool with DNS load balancing and private IP addresses and NAT.” This particular scenario has a requirement that is not explicitly called out in the TechNet documentation. That is, in this scenario, with private IPs and NAT, you are required to enable hairpinning on the network edge firewalls, to facilitate Edge-to-Edge media relay within an Edge pool.

Unlike Front End pools, which utilize Windows Fabric to communicate and be aware of other nodes in the pool, Edge servers within an Edge pool really aren’t “aware” of each other. So, when they are required to do media relay between Edge servers (picture a user connected to each Edge server, trying to establish a media session; the Edge servers essentially must proxy this between themselves), the only reference the Edge servers have to each other is the NAT’d public IP defined for the A/V Edge service (see Figure 2-9). When using private IPs with NAT, this traffic is blocked unless hairpinning is enabled on the firewalls. If you are using Public IPs, this isn’t an issue.

Figure 2-9. Network hairpinning requirement for Edge Server communication within an Edge Pool with NAT’d IPs

This is the main reason why you must state the Public IP for the A/V Edge service, if you configure your topology to not use Public IPs (Figure 2-10 and Figure 2-11).

Figure 2-10. Enabling NAT’d IP for the A/V Edge service
Figure 2-11. Sample configuration showing the Public IP for a NAT-enabled A/V Edge configuration

The other consideration is regarding what version of Lync Server/Skype for Business Server to deploy for the Edge role to support hybrid configurations. Microsoft does support Lync Server 2010/2013 and Skype for Business Server 2015 topologies for hybrid. Details are documented at this URL (specifically the Topology requirements): https://technet.microsoft.com/en-us/library/jj205403.aspx .

However, what functionality is supported, specifically Cloud PBX and Hybrid Voice, differs, based on the on-premises topology. This is discussed further in the section about Hybrid Voice configuration, but the key point is that the supported scenario for having Cloud PBX with Hybrid Voice requires the following:

  • Skype for Business Server Edge

  • Skype for Business Front End next hop (Enterprise Pool or Standard Edition)

That is listed in the article accessible from the following URL, under the prerequisites section: https://technet.microsoft.com/en-us/library/mt455212.aspx .

Configuration Tips and Best Practices

Through this next section, I’ll detail some sample configurations and common issues with the on-premises Edge configuration in relation to Skype for Business hybrid deployments.

Edge Configuration

There are several key pieces of the on-premises Skype for Business Edge configuration that must be validated to implement Skype for Business hybrid. This is also tied to some resulting configurations that must take place in the Office 365 tenant configuration.

Let’s start with on-premises federation configuration. This requires two main components.

  • Enabling Federation via your on-premises Access Edge configuration

  • Enabling Federation with Office 365 via Hosting Provider configuration with shared SIP address space

The article accessible from the following URL covers this process in detail: https://technet.microsoft.com/en-us/library/jj205126.aspx .

But here are the key PowerShell cmdlets (Figure 2-12, Figure 2-13, and Figure 2-14) for configuring each of the preceding items:

Figure 2-12. Setting the Access Edge configuration for hybrid deployment
Figure 2-13. Creating the Hosting Provider for Skype for Business hybrid configurations, including the Autodiscover URL
Figure 2-14. Error presented when multiple Hosting Provider configurations reference the same ProxyFqdn

You may receive an error regarding a “duplicate key sequence” (Figure 2-14).

This is typically related to a hosting provider with the -ProxyFqdn already specified. Using Get-CsHostingProvider will list all existing hosting provider configurations. You can either

  • Remove the existing hosting provider (often referenced as Lync Online, if you’ve upgraded from Lync Server 2010 or 2013), or

  • Set the existing hosting provider configuration with the new configuration

I typically recommend just removing the existing hosting provider and rerunning the preceding New-CsHostingProvider cmdlet again, as advised in the support article available from the following URL: https://support.microsoft.com/en-us/help/3108403/-there-is-a-duplicate-key-sequence-error-in-lync-or-skype-for-business-after-you-run-the-new-cshostingprovider-powershell-cmdlet .

Remove-CSHostingProvider -Identity LyncOnline

The identity may also be listed as SkypeforBusinessOnline, as follows: Remove-CSHostingProvider -Identity "Skype for Business Online".

Either way, the desired output from the cmdlet should be the same as what is shown in Figure 2-15.

Figure 2-15. Removing CSHostingProvider with PowerShell

Do not confuse the Access Edge configuration for Federation with the external access policy. This is viewed by running Get-CsExternalAccessPolicy. This controls if and to whom external Skype for Business users can communicate when outside an on-premises network. This is not required for hybrid configuration to be implemented, but it is often confused with the Access Edge configuration policy. The only parameter that would have an impact on hybrid usability would be the -EnableFederationAccess parameter defined by Set-CsExternalAccessPolicy. This dictates whether external users can communicate with federated users. All hybrid users homed in Skype for Business Online would be considered federated users in this instance. So, this would have to be enabled to allow external on-premises users to communicate with hybrid users in Skype for Business Online.

All the preceding can also be leveraged via the Skype for Business Control Panel. This will evaluate your existing hybrid configuration, both on-premises and in Office 365, and then apply the appropriate configurations I’ve highlighted in the preceding paragraph. Figure 2-16 shows the hybrid Configuration Wizard screens that list configuration errors, whereas Figure 2-17 shows the same Wizard without any errors identified.

Figure 2-16. Set up hybrid wizard “current” configuration
Figure 2-17. Set up hybrid “wizard” remediation configuration

Before you can complete this wizard, however, you must sign in to Office 365 with a global administrator account. Most customers keep a cloud-only account in their tenant space with the global administrator role. This ensures that if you are using federated authentication, say, via AD FS, and AD FS becomes unavailable, you still have a cloud-only account that can be used to administer the Office 365 tenant.

In regard to the Skype for Business hybrid setup in Control Panel, you must use a cloud-only account tied to the <tenant>.onmicrosoft.com default domain. If you attempt to use a synchronized account that has been given the global administrator role in your tenant, and which is using a custom domain, the logon will fail. This is due to the login here leveraging Autodiscover (lyncdiscover.contoso.com) to find its way to Office 365 to log on.

For Office 365 <tenant>.onmicrosoft.com domains, this record exists and will point to Office 365 and allow the sign-in to work as expected (Figure 2-18).

Figure 2-18. Authenticating to Office 365 to manage hybrid configuration via the Skype for Business Control Panel

If you use a synchronized account, you’ll typically see an error similar to that shown in Figure 2-19.

Figure 2-19. Error presented when authenticating with a synchronized account within the Skype for Business Control Panel

It fails to discover lyncdiscover.contoso.com (in this example, contosotest.com). This is expected. In a hybrid configuration, all external DNS records must point to the on-premises deployment (Edge and reverse proxy). This includes Lyncdiscover.contoso.com. By design, we don’t include Lyncdiscover.contoso.com on the internal DNS zones for the SIP domain. Instead, Lyncdiscoverinternal.contoso.com is used. So, when the front end server goes to look up Lyncdiscover.contoso.com in this instance, it does not find it in the internal DNS zone and gives the preceding error.

Office 365 Tenant Configuration

While configuring the Office 365 tenant is simplest via the Control Panel wizard, you can also do it manually. This is detailed in the TechNet article accessible from the following URL: https://technet.microsoft.com/en-us/library/jj205126.aspx#Anchor_1 .

It requires the Skype for Business Online connector module for Windows PowerShell, which can be downloaded here: https://go.microsoft.com/fwlink/p/?LinkId=391911 .

The following screenshot shows the cmdlets required to connect to Skype for Business Online PowerShell and the cmdlet for enabling shared SIP address space for your tenant (Figure 2-20).

Figure 2-20. Connecting to Skype for Business Online via remote PowerShell and enabling Shared SIP Address Space

Multiple Edge Pools and Federation Route

The last Edge configuration consideration I’ll discuss involves the Federation Route. You must configure all your Central Sites in the Skype for Business Topology to use a single Federation Route. Again, this isn’t very clearly stated, but it is implied. Under Topology requirements, it doesn’t state it explicitly for Skype for Business Server 2015; however, it does make the point when a mixed environment is listed. This is likely because an assumption is made that in a mixed environment, there may be multiple sites with multiple Edge pools.

The clarification is made that the Edge Pool is associated with SIP federation ( https://technet.microsoft.com/en-us/library/jj205403.aspx#Anchor_5 ).

The key points are

  • A single Edge Pool is assigned the Federation Route for all Central Sites in the topology.

  • The Edge servers in that pool must be able to resolve _sipfederationtls._tcp.<SIP domain> for each SIP domain that is split between on-premises and online ( https://technet.microsoft.com/en-us/library/jj205403.aspx#Anchor_7 ).

  • Hybrid configuration is a one-to-one relationship between a single on-premises Edge Pool and an Office 365 tenant.

This is easily configured in the Skype for Business Topology Builder by configuring the site federation route assignment. Edit the properties of any Central Site and configure as displayed in Figure 2-21.

Figure 2-21. Configuring a global federation route across all Skype for Business Central Sites

Firewall Port and URL Configuration

The IPs and URLs for Office 365 workloads are clearly documented in information available at the following URL: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 .

Read the list carefully, paying attention to FQDNs that are listed as required vs. optional. For full functionality, ensure that there are no content filters blocking the FQDNs or IP ranges. If you selectively start blocking or disabling these, you will impact individual feature sets within Skype for Business Online, and it can be very tricky to troubleshoot.

Outside of those requirements, there are port requirements that are specific to Skype for Business Online hybrid configurations (Table 2-1). They are detailed in a document accessible from the following URL: https://technet.microsoft.com/en-us/library/jj205403.aspx#Anchor_9 .

Table 2-1. Port Requirements for Skype for Business Online Hybrid Configuration

| Protocol | TCP or UDP | Source IP | Destination IP | Source Port | Destination Port | Notes |
|---|---|---|---|---|---|---|
| SIP (MTLS) | TCP | Access Edge | Office 365 | Any | 5061 | Signaling |
| SIP (MTLS) | TCP | Office 365 | Access Edge | Any | 5061 | Signaling |
| STUN | TCP | A/V Edge | Office 365 | 50000-59999 | 443, 50000-59999 | Open for audio, video, application sharing sessions |
| STUN | TCP | Office 365 | A/V Edge | 443 | 50000-59999 | Open for audio, video, application sharing sessions |
| STUN | UDP | A/V Edge | Office 365 | 3478 | 3478 | Open for audio, video sessions |
| STUN | UDP | Office 365 | A/V Edge | 3478 | 3478 | Open for audio, video sessions |

Overview of Cloud Voice vs. Hybrid Voice

In the following section, I will cover the difference between Cloud Voice and Hybrid Voice.

Topology Considerations and PSTN Connectivity

The architecture models clearly lay out the options for PSTN connectivity with Skype for Business Online. There are three options (see Figure 2-22, Figure 2-23, and Figure 2-24).

  • Cloud Voice via Cloud PBX and PSTN Calling

  • Hybrid Voice via Cloud PBX and on-premises PSTN connectivity via Skype for Business Server

  • Hybrid Voice via Cloud PBX and on-premises PSTN connectivity via Cloud Connector Edition

Figure 2-22. Cloud PBX with PSTN Calling
Figure 2-23. Cloud PBX with on-premises PSTN connectivity via Skype for Business Server
Figure 2-24. Cloud PBX with on-premises PSTN connectivity via Cloud Connector Edition

Laid out in the diagrams, it’s much easier to understand the different topologies. Customers often confuse the functionality of Cloud PBX with PSTN connectivity. This leads to a lot of confusion about the topologies for deploying Hybrid Voice.

Cloud Connector Edition is for those environments that do not already have Skype for Business Server deployed on-premises and have no specific requirements for an on-premises deployment. Such requirements for an on-premises deployment, at the time this is being written, might be the following:

  • Persistent Chat

  • Response Groups

  • VTC end-point interoperability for video conferencing

However, all the following features are on the roadmap and in preview at this time:

  • Microsoft Teams as an answer to Persistent Chat

  • Call Queues and Cloud PBX Auto Attendants as a replacement for Response Groups

  • Polycom RealConnect Service for registering on-premises VTCs to Skype for Business Online

I won’t be discussing Cloud Connector Edition here, but there are excellent resources and training materials for CCE found in the Skype Operations Framework (SOF) and the Skype Academy. The following resources are available to anyone who signs up with a Microsoft account and are highly recommended for hybrid configurations of Skype for Business Online:

My focus is on Hybrid Voice with Cloud PBX via Skype for Business Server. The planning considerations and prerequisites are clearly defined in documentation accessible from the following URL: https://technet.microsoft.com/en-us/library/mt455212.aspx .

But one key clarification is needed regarding the supported on-premises server versions, which are discussed in detail in the next section.

On-Premises Server Versions

The article lists the following table (Table 2-2) of supported server versions for Cloud PBX with on-premises PSTN connectivity.

Table 2-2. Supported Server Versions for Cloud PBX with On-Premises PSTN Connectivity

| Server Role | Supported Versions |
|---|---|
| Front End Server | Skype for Business Server 2015; Lync Server 2013 |
| Edge Server | Skype for Business Server 2015 |
| Mediation Server | Skype for Business Server 2015; Lync Server 2013 |

It’s important to clarify that Skype for Business Server 2015 Edge, Front End, and Mediation server roles are required. You cannot mix Skype for Business 2015 and Lync Server 2013 server roles in a supported configuration.

Essentially, you must have a fully deployed Skype for Business topology. You may then have a Lync Server 2013 Front End and Mediation server deployment alongside it. But the Edge server and its associated next hop must be Skype for Business Server 2015.

There are several other key on-premises configurations that must be in place to facilitate Hybrid Voice.

  • Skype for Business Edge server must be able to resolve _sipfederationtls._tcp.<SIP domain> for every SIP domain split between on-premises and Office 365.

  • Strict DNS match for _sipfederationtls._tcp.<SIP domain> is required.

    • Valid: _sipfederationtls._tcp.contoso.com points to sip.contoso.com

    • Invalid: _sipfederationtls._tcp.fabrikam.com points to sip.contoso.com

  • Sip.<sipdomain> must be in the SAN of the external Edge certificate for all supported SIP domains.

  • Lync Phone Edition (LPE) must be updated to minimum required firmware before moving to SfB Online.

  • Enterprise voice is configured and tested for on-premises users.

  • Cloud PBX license and Exchange Plan 2 are assigned to the users in Office 365.
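One way to check the strict DNS match and SAN requirements from the list above for every split SIP domain. This is an added example, not code from the book or from Microsoft; the function name Test-SipFederationRecord, the suffix-based reading of "strict match", the port 5061 check (the signaling port in Table 2-1), and all sample records are assumptions.

```powershell
# Added example. Validates, per SIP domain, that the federation SRV record
# strictly matches the domain and that sip.<domain> is in the Edge cert SAN.
function Test-SipFederationRecord {
    [CmdletBinding()]
    param(
        # SIP domain split between on-premises and Office 365, e.g. contoso.com
        [Parameter(Mandatory)] [string] $SipDomain,
        # SRV answers for _sipfederationtls._tcp.<SipDomain>: objects exposing
        # NameTarget and Port, the shape Resolve-DnsName -Type SRV returns
        [AllowEmptyCollection()] [object[]] $SrvRecord = @(),
        # DNS names taken from the SAN of the external Edge certificate
        [AllowEmptyCollection()] [string[]] $CertificateSan = @()
    )

    $domain   = $SipDomain.Trim().TrimEnd('.').ToLowerInvariant()
    $expected = "sip.$domain"
    $findings = New-Object System.Collections.Generic.List[string]

    if ($SrvRecord.Count -eq 0) {
        $findings.Add("No SRV record for _sipfederationtls._tcp.$domain")
    }
    foreach ($rec in $SrvRecord) {
        $target = ([string]$rec.NameTarget).TrimEnd('.').ToLowerInvariant()
        # Assumption: "strict match" means the SRV target is a host inside
        # the SIP domain itself (sip.contoso.com for contoso.com).
        if (-not $target.EndsWith(".$domain")) {
            $findings.Add("SRV target '$target' is outside '$domain' (strict match fails)")
        }
        # Assumption: any port other than 5061 is reported as a finding.
        if ($rec.Port -ne 5061) {
            $findings.Add("SRV target '$target' uses port $($rec.Port), expected 5061")
        }
    }

    $san = @($CertificateSan | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })
    if ($san -notcontains $expected) {
        $findings.Add("'$expected' is missing from the Edge certificate SAN")
    }

    [pscustomobject]@{
        SipDomain = $domain
        Passed    = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample data mirroring the valid and invalid cases in the text.
# Live SRV input could come from:
#   Resolve-DnsName -Name "_sipfederationtls._tcp.$d" -Type SRV |
#       Where-Object { $_.Type -eq 'SRV' }
$sampleSrv = @{
    'contoso.com'  = @([pscustomobject]@{ NameTarget = 'sip.contoso.com'; Port = 5061 })
    'fabrikam.com' = @([pscustomobject]@{ NameTarget = 'sip.contoso.com'; Port = 5061 })
}
$sampleSan = @('sip.contoso.com', 'webconf.contoso.com')

$results = foreach ($d in ($sampleSrv.Keys | Sort-Object)) {
    Test-SipFederationRecord -SipDomain $d -SrvRecord $sampleSrv[$d] -CertificateSan $sampleSan
}
$results | Format-List
```

With the sample data, contoso.com passes, while fabrikam.com is reported twice: once for the SRV target outside its own domain and once for the missing sip.fabrikam.com SAN entry.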

Cloud Voice Mail and Unified Messaging

Another topic that causes a lot of confusion is how voice mail is provided to Skype for Business Online users. In the on-premises world, there are two options:

  • Voice mail provided by on-premises Exchange Unified Messaging (UM)

  • Voice mail provided by hosted voice mail in Exchange Online

Either way, the voice mail functionality is provided exclusively by Exchange UM. In Skype for Business Online, this is slightly different. For any user hosted in Skype for Business Online

  • Voice mail functionality is provided by Cloud PBX voice mail (also referred to as Azure Voicemail).

  • The voice mail is deposited into the user’s mailbox (on-premises or in Exchange Online).

  • Voice mail deposit does not utilize the Exchange UM role either in Exchange Online or on-premises. Instead, it is deposited via Exchange EWS with SMTP as a failback.

  • Exchange UM is still required to be enabled for the user to provide certain client-side UM features.

The main consideration here is the order of operations of a customer’s move to Office 365. Where is the user’s mailbox hosted at the time of their migration to Skype for Business Online with Hybrid Voice?

It is recommended that the mailbox be moved first. One of the main reasons for this regards the Meeting Migration Service. This service updates users’ web and dial-in conferencing ID’s for any scheduled Skype Meetings automatically, on the condition the mailbox is hosted in Exchange Online. If the mailbox is on-premises, the Skype Meeting Migration tool must be used instead.

With all the combinations of Skype for Business and Exchange both on-premises and in Office 365, a table (Table 2-3) is worth a thousand words!

Table 2-3. Comparison of Exchange On-Premises and Exchange Online
 

|  | Exchange On-Premises | Exchange Online |
|---|---|---|
| Skype for Business Server | On-prem OAuth config; Integration to on-prem OWA; Voice mail integration with Exchange UM; Subscriber Access and Auto Attendants via Exchange UM; Voice mail policy defined via the Exchange UM dial plan and mailbox policy | OAuth configuration to Exchange Online; Integration to Exchange Online OWA; Voice mail policy defined by hosted voice mail policy in Skype for Business, which points to Exchange Online UM; Subscriber Access and Auto Attendants via Exchange Online UM |
| Skype for Business Online | OAuth configuration to on-premises Exchange; Integration to on-prem OWA; Voice mail service via Cloud PBX voice mail; Voice mail deposit to on-prem Exchange mailbox; User not licensed for Exchange Online | No on-prem OAuth required in this scenario; Full online integration to OWA; Subscriber Access and Auto Attendants via Exchange Online UM; User licensed for Exchange Online |

So, what does this look like in PowerShell for the various user scenarios? Again, pictures speak louder than words. Figures 2-25 to 2-28 show the PowerShell output of the various Skype for Business configurations.

Figure 2-25. Skype for Business on-premises with Exchange UM on-premises
Figure 2-26. Skype for Business on-premises with Exchange UM online
Figure 2-27. Skype for Business Online & PSTN Calling with Exchange UM on-premises
Figure 2-28. Skype for Business Online and PSTN Calling with Exchange UM online

The key attributes here are

  • HostedVoiceMail: Enables or disables the user for hosted voice mail service, both on-premises and in Office 365

  • HostedVoiceMailPolicy: Defines the configuration for hosted voice mail

    • On-premises: An example of what an on-premises hosted voice mail policy looks like follows. The key configuration is the destination and organization parameters, which tell the policy where to redirect voice mail and for what domains (organizations).

    • Online: All users are labeled as BusinessVoice. There is no option to create custom HostedVoiceMailPolicy in Office 365. The configuration of this policy essentially redirects voice mail to Exchange Online mailboxes.

You’ll also notice that Figures 2-27 and 2-28 look identical. It’s important to point out that the HostedVoiceMail and HostedVoiceMailPolicy parameters have no impact on the call flow of Azure Voicemail to depositing into an Exchange mailbox.

The main reason for this is that Skype for Business Online users have voice mail service and processing supplied exclusively via Cloud PBX voice mail. Cloud PBX voice mail does not leverage any Exchange UM roles to deposit voice mail into users’ mailboxes.

Here’s a clear breakdown of voice mail scenarios, including those that leverage Exchange UM for voice mail depositing:

  • On-Premises SfB to EXO mailbox

    • Utilizes Exchange UM in EXO as the destination in the HostedMailboxPolicy that points to exap.um.outlook.com

  • SfBO to EXO mailbox

    • Processing handled completely by Azure Voicemail

    • Utilizes the default BusinessVoice HostedMailboxPolicy that points to sipedgeXXXX.infra.sfb.com to deposit into the mailbox

    • EXO UM isn’t utilized for depositing of voice mail, but it is for client-side features

  • SfBO to on-premises mailbox

    • Processing handled completely by Azure VoiceMail

    • Looks for EXO licensed/enabled mailbox. If one isn’t found, it uses Exchange hybrid and autodiscover/EWS/SMTP to deposit into the mailbox.

    • Only leverages UM Dial Plan for client-side features

Assume that we are discussing environments with Skype for Business or Lync Server 2013 on-premises, in which Enterprise Voice is deployed and Exchange UM is also leveraged for voice mail services. This is quite typical. It’s also very typical for Exchange mailboxes to be migrated to Office 365 prior to Skype for Business users. To that end, knowing how to set up the hosted voice mail policy on-premises is an important configuration for that migration period between moving users’ mailboxes and sending them over to Skype for Business Online.

Essentially, you must ensure the Enterprise Voice users are properly reconfigured to use the new hosted voice mail policy, once their mailboxes are migrated to Exchange Online. The prerequisites for configuring the hosted voice mail policy for on-premises Enterprise Voice users prior to migrating them to Skype for Business Online are covered here: https://technet.microsoft.com/en-us/library/gg425807(v=ocs.15).aspx .

But following is a high-level summary:

  • Create a DNS SRV record for integration with hosted Exchange UM.

    • Create a _sipfederationtls._tcp.<SIP domain> DNS SRV record. This should already exist as part of your Skype for Business hybrid configuration.

  • Configure Edge Server integration with hosted Exchange UM.

    • Configure Federation via Set-CsAccessEdgeConfiguration. This should already exist as part of your Skype for Business hybrid configuration.

  • Create a hosting provider for hosted Exchange UM:

    New-CsHostingProvider -Identity "Hosted UM" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification

  • Create a hosted voice mail policy via one of the following methods:

    • Modify the global hosted voice mail policy.

    • Create a site or user level hosted voice mail policy, as follows:

      New-CsHostedVoicemailPolicy -Identity EXOUM -Destination exap.um.outlook.com -Description "Hosted voice mail policy for Exchange Online users." -Organization contoso.onmicrosoft.com

  • Assign the hosted voice mail policy.

    • For global or site level policies, this happens automatically.

    • For user level policies, it must be assigned per user, as follows:

      Grant-CsHostedVoicemailPolicy -Identity "Ken Myer" -PolicyName EXOUM

  • Create contact objects for hosted Exchange UM: Contact objects for both Subscriber Access and Auto Attendants are required.

    • Subscriber Access contact:

      New-CsExUmContact -SipAddress "sip:[email protected]" -RegistrarPool "RedmondPool.contoso.com" -OU "HostedExUM Integration" -DisplayNumber "+14255550101"

    • Auto Attendant contact:

      New-CsExUmContact -SipAddress "sip:[email protected]" -RegistrarPool "RedmondPool.contoso.com" -OU "HostedExUM Integration" -DisplayNumber "+14255550101" -AutoAttendant $True

  • Enable users for hosted voice mail, as follows:

    Set-CsUser -HostedVoiceMail $True -Identity "contosokenmyer"

  • Ensure that users are licensed for Exchange Online and enabled for Exchange UM in Office 365.

  • Test and validate voice mail services against Exchange Online UM.

Migrating Enterprise Voice Users

I’ve just covered the voice mail impacts of users in various scenarios split between on-premises and Office 365. As mentioned, this was covered first, as users’ mailboxes are often moved to Office 365 prior to users being migrated to Skype for Business Online.

Next, we must look at what is involved in migrating on-premises Skype for Business users, Enterprise Voice users in particular, to Office 365. I’m going to focus specifically on Enterprise Voice users. The process for moving Enterprise Voice and Non-Enterprise Voice users is the same. There are simply a few extra considerations with moving Enterprise Voice users, so I’ll focus on that process.

Here are the high-level considerations for moving Enterprise Voice (EV) users:

  • Ensure users are correctly enabled for EV on-premises.

  • Document which users are enabled for dial-in conferencing on-premises.

  • Document, as has been discussed, which users are enabled for voice mail services via Exchange UM.

  • Understand all syntax involved with the Move-CsUser PowerShell cmdlet.

  • Review web conferencing and dial-in conferencing ID changes and Skype Meeting invite updating.

  • Review post-move commands (enabling user for EV in SfBO).

  • Review Voice Policy vs. Voice Routing Policy considerations.

Enable Users for Enterprise Voice On-Premises

I won’t spend any time on this. Configuration of Enterprise Voice on-premises is a complex topic and has been covered extensively elsewhere. For the purposes of our discussion about hybrid configurations, we must simply ensure that

  • The on-premises user is enabled for Enterprise Voice

  • The Enterprise Voice user has a valid Line URI

  • A Voice Routing Policy is assigned.

    • This is only used by Skype for Business Online.

    • It can be scoped via the Global policy or via a user-level policy.

I’ll discuss details of the Voice Routing Policy further in a following section.

Dial-in Conferencing Considerations

The main consideration here is that Skype for Business Online users cannot leverage on-premises dial-in conferencing services. When a user is migrated to Skype for Business Online, they must be enabled for PSTN Conferencing within Office 365 or one of the other Audio Conferencing Providers supported by Office 365.

Because of this, their dial-in conferencing numbers and ID will change. This also means that any future scheduled Skype Meetings in Exchange must also be updated with their new PSTN Conferencing details. How this updating is done will be covered when I discuss web conferencing.

Voice Mail Considerations

These were covered extensively in the previous section. Suffice to say, it is strongly recommended to document the various voice mail configurations and how they apply to where users’ mailboxes are homed, or will be homed, in relation to the timing around migrating them to Skype for Business Online.

The Move-CsUser cmdlet

While users can be moved via the Skype for Business Control Panel, there are certain topology scenarios and reasons why you may be unable to use the Control Panel to move users. You may also want a scripted way of doing mass user migrations. As such, it is important to understand the syntax of the Move-CsUser PowerShell cmdlet.

Before we get into the syntax, though, what are the prerequisites for the workstation or server that you run the move cmdlet from? Ask and you shall receive!

The key reason for this is that the Move-CsUser cmdlet modifies numerous attributes on the Skype for Business user, both on-premises and in Office 365. The PowerShell session you are in must have access to both Skype for Business Server on-premises and Skype for Business Online.

The recommendation is to open the Skype for Business Management Shell and then connect to Skype for Business Online, via a PowerShell session (see Figure 2-29). The latter process was shown before when I discussed implementing the hybrid configuration, but here it is again, for reference.

Figure 2-29. Connecting to Skype for Business Online via remote PowerShell

When prompted for credentials, you must enter the UPN of an Office 365 account that has Global Administrator privileges.

If you are using the default <tenant>.onmicrosoft.com domain for the user, there are no additional considerations. However, if you are using a synchronized account using a custom domain (i.e., [email protected]), you must specify the -OverrideAdminDomain parameter with the New-CsOnlineSession cmdlet, for example: $CSSession = New-CsOnlineSession -Credential $cred -OverrideAdminDomain "contoso.onmicrosoft.com".

With your PowerShell session now in place, you are ready to run the Move-CsUser cmdlet. Here is an example of a typical user move being executed via Move-CsUser.

Move-CsUser -Identity [email protected] -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl https://admin0a.online.lync.com/HostedMigration/hostedmigrationService.svc -ProxyPool fepool.contoso.com

Let’s break down the key pieces here.

  • -Identity: The identity of the user being moved. Typically referenced by the user’s UPN or SIP address value

  • -Target: Where the user is to be moved. In this instance, Skype for Business Online (sipfed.online.lync.com)

  • -Credential: The credentials required for the move. In this instance, the credentials for the admin user in Office 365

  • -HostedMigrationOverrideUrl: This is a reference to the URL of your tenant’s Skype for Business Online Admin Center. This URL shouldn’t change once your tenant is provisioned. However, there are numerous URLs representing many different Office 365 data centers. So, where your tenant is located will impact what URL it is using. The easiest way to determine your URL is to simply open the Skype for Business Online Admin Center and look at the URL. The key piece of the URL is at the start. In the preceding example, it is admin0a.

  • -ProxyPool: This parameter is optional. It is required when you have multiple Central Sites, with multiple Edge Pools on-premises. This tells the Move-CsUser cmdlet explicitly which pool you’d like to proxy the move against. This would be the FQDN of the pool, associated with the Edge Pool that is identified as the Federation Route, which I discussed earlier. If you have configured all your Central Sites to use a single Edge Pool for the Federation Route, then you shouldn’t require this parameter.

Web Conferencing and Dial-in Conferencing ID Changes

When a user is moved from on-premises to Skype for Business Online, their contact list is moved with them (there is a limitation of 200 contacts in Skype for Business Online, so take that into consideration as well). However, as when you move users between pools on-premises, moving users online causes them to receive a new web conferencing ID and, if enabled for PSTN Conferencing, a new dial-in conferencing ID and numbers.

This is done automatically. However, references to these IDs inside a user’s Exchange calendar may not be updated automatically, depending on where the user’s mailbox is homed, as has been discussed.

If the user’s mailbox is homed in Exchange Online, the Meeting Migration Service will do the following:

  • Find all old references to Skype Meeting ID occurrences in the user’s mailbox

  • Replace them with the user’s new web conferencing and PSTN conferencing IDs

  • Send out meeting updates to all attendees with the updated IDs

If the user’s mailbox is homed on-premises, the user must either

  • Manually update their Skype Meeting invites

  • Use the Skype Meeting Update Tool to update them automatically

To use the tool, users must have Outlook, the Skype for Business or Lync Server 2013 client, and the tool itself open in order to update their Skype Meeting invites.

Post-Move Commands and Configuration

When you move an Enterprise Voice user, you might assume that the user is going to be automatically enabled for Enterprise Voice in Skype for Business Online. This is not the case. There is likely a good reason for this, but I’ve not found a scenario in which you wouldn’t want the user enabled automatically after being moved.

It’s just a simple PowerShell cmdlet that is required to enable the user appropriately for Enterprise Voice and Hosted Voicemail in Skype for Business Online. With your PowerShell session still connected to Skype for Business Online, the following cmdlet must be run to finish enabling the user:

Set-CsUser -Identity "<User ID>" -EnterpriseVoiceEnabled $True -HostedVoiceMail $True

There also used to be a requirement to enable the user’s mailbox for Exchange UM, if that hadn’t been done explicitly as part of the mailbox migration to Exchange Online. This was facilitated by use of the Enable-CsOnlineUMMailbox cmdlet. However, this is no longer required, as it is now done automatically. The first time Cloud PBX voice mail processes a voice mail for a Skype for Business Online user, it checks to see if they are enabled for Exchange Online, and have an active mailbox present. If they do, it will automatically enable the mailbox for UM. Again, this isn’t required for depositing of the voice mail into the mailbox. But it is required for certain UM features to be available client-side.
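The on-premises prerequisites, the Move-CsUser parameters, and the post-move Set-CsUser step from the preceding sections can be combined into a migration plan that is reviewed before anything is moved. This is an added example, not code from the book or from Microsoft; the function name New-HybridMovePlan, the Line URI pattern, and the sample users are assumptions, and the input objects only mimic the Get-CsUser properties they use.

```powershell
# Added example. Builds a per-user plan: readiness findings plus the parameter
# sets for Move-CsUser and the post-move Set-CsUser. It changes nothing itself.
function New-HybridMovePlan {
    [CmdletBinding()]
    param(
        # Object with SipAddress, EnterpriseVoiceEnabled, LineURI,
        # VoiceRoutingPolicy and HostedVoiceMail (as on Get-CsUser output)
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        # Tenant-specific URL, as described for -HostedMigrationOverrideUrl
        [Parameter(Mandatory)] [string] $HostedMigrationOverrideUrl,
        # Only needed with multiple Central Sites and multiple Edge Pools
        [string] $ProxyPool
    )
    process {
        $issues = New-Object System.Collections.Generic.List[string]

        if (-not $User.EnterpriseVoiceEnabled) {
            $issues.Add('Not enabled for Enterprise Voice on-premises')
        }
        # Assumption: a valid Line URI is tel:+<E.164 digits>, optional ;ext=
        if ([string]$User.LineURI -notmatch '^tel:\+[1-9]\d{1,14}(;ext=\d+)?$') {
            $issues.Add("Line URI '$($User.LineURI)' is missing or malformed")
        }

        # No user-level policy means the Global voice routing policy applies.
        $routing = if ($User.VoiceRoutingPolicy) { [string]$User.VoiceRoutingPolicy } else { 'Global' }

        $move = @{
            Identity                   = $User.SipAddress
            Target                     = 'sipfed.online.lync.com'
            HostedMigrationOverrideUrl = $HostedMigrationOverrideUrl
        }
        if ($ProxyPool) { $move.ProxyPool = $ProxyPool }

        # The move does not enable Enterprise Voice online; this set is for
        # Set-CsUser in the Skype for Business Online session afterwards.
        $postMove = @{
            Identity               = $User.SipAddress
            EnterpriseVoiceEnabled = $true
            HostedVoiceMail        = $true
        }

        [pscustomobject]@{
            Identity              = $User.SipAddress
            Ready                 = ($issues.Count -eq 0)
            Issues                = $issues.ToArray()
            VoiceRoutingPolicy    = $routing
            HostedVoiceMailOnPrem = [bool]$User.HostedVoiceMail   # documented before the move
            MoveCsUser            = $move
            SetCsUser             = $postMove
        }
    }
}

# Constructed sample users (not from a real deployment).
$sampleUsers = @(
    [pscustomobject]@{ SipAddress = 'sip:user1@contoso.com'; EnterpriseVoiceEnabled = $true
                       LineURI = 'tel:+14255550101'; VoiceRoutingPolicy = 'HybridVoice'; HostedVoiceMail = $true }
    [pscustomobject]@{ SipAddress = 'sip:user2@contoso.com'; EnterpriseVoiceEnabled = $true
                       LineURI = '4255550102'; VoiceRoutingPolicy = $null; HostedVoiceMail = $false }
    [pscustomobject]@{ SipAddress = 'sip:user3@contoso.com'; EnterpriseVoiceEnabled = $false
                       LineURI = ''; VoiceRoutingPolicy = $null; HostedVoiceMail = $false }
)

$plan = $sampleUsers | New-HybridMovePlan `
    -HostedMigrationOverrideUrl 'https://admin0a.online.lync.com/HostedMigration/hostedmigrationService.svc' `
    -ProxyPool 'fepool.contoso.com'

$plan | Format-Table Identity, Ready, VoiceRoutingPolicy, Issues -AutoSize -Wrap

# For a ready user, the stored hashtables are splatted onto the real cmdlets:
#   $m = $row.MoveCsUser; Move-CsUser @m -Credential $cred
#   $s = $row.SetCsUser;  Set-CsUser @s     # in the online session
```

With the sample data, only user1 is marked ready; user2 is held back for a Line URI without the tel:+ form, and user3 for not being enabled for Enterprise Voice and having no Line URI.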

Voice Policy vs. Voice Routing Policy

Voice policies in Skype for Business control the features that are available to Enterprise Voice users. While voice policies exist both on-premises and in Skype for Business Online, only on-premises voice policies can be customized. This is an important consideration when moving users online. Users migrated to Skype for Business Online who are enabled for Cloud PBX will all be assigned a predefined voice policy called HybridVoice. Again, this defines the voice features available to Skype for Business Online users. What it does not define, however, is what routes for PSTN connectivity are available to those users. For Hybrid Voice users, this PSTN connectivity is provided by on-premises infrastructure. As such, there must be on-premises policies within Skype for Business Server that define the routes and PSTN usages for Hybrid Voice users. This is where voice routing policies come into play.

Voice routing policies define the PSTN usages for Hybrid Voice users. This dictates the voice routes and trunks on-premises for PSTN connectivity. It is used exclusively for Hybrid Voice users and does not impact on-premises users. There are two scope levels for defining the voice routing policy: modifying the global policy or creating a user-level policy.

Typically, a user-level policy is used, so that users can be assigned the policy as they are moved over in migration groups. Following is an example of creating a user-level voice routing policy in PowerShell (Figure 2-30):

Figure 2-30. Creating an on-premises voice routing policy as part of a Hybrid Voice configuration
New-CSVoiceRoutingPolicy -Identity HybridVoice -Name Hybrid -PSTNUsages "Local", "Long Distance"

You then need to grant the policy to users. I’ll take you on a complete walk-through of how to migrate a user over to Skype for Business Online in the “User Provisioning and Migration Tips” section of this chapter.

Service Administration

Now that we’ve gone through configuring hybrid, looking at all the prerequisites for Hybrid Voice and understanding the supported topologies that we can deploy hybrid within, let us step through the process and order of operations of moving a user to Skype for Business Online.

User Provisioning and Migration Tips

When we talk about user provisioning, there are two scenarios that we will encounter:

  • Moving of an existing Skype for Business on-premises user

  • Provisioning of a brand-new user account on-premises

The biggest consideration is understanding which object is the source of authority for modifying attributes. In a hybrid configuration, the source of authority is the on-premises user object. As such, even after the hybrid configuration is in place, Active Directory user objects and initial Skype for Business enablement still have to be handled on-premises, to populate the appropriate attribute values that we want to synchronize to Office 365.

Let’s break down the order of operations for each of the scenarios.

  • Move existing user order of operations.

    • Validate Enterprise Voice functionality.

    • Assign user the Voice Routing Policy.

    • Ensure user object is synchronized to Office 365.

    • Apply appropriate license to user in Office 365.

    • Confirm license provisioning status.

    • Use Move-CsUser PowerShell cmdlet to migrate user online.

    • Enable user for HybridVoice and HostedVoiceMail in Skype for Business Online.

  • Validate user functionality

    • Instant Messaging and Presence

    • Web conferencing

    • Dial-in conferencing

    • Inbound/outbound PSTN calls

  • New user order of operations

    • Create user object in Active Directory with the appropriate UPN suffix, or alternate ID attribute, to synchronize to Office 365.

    • Enable user for Skype for Business and Enterprise Voice on-premises.

    • Complete all the same steps listed previously for an existing user.

So, here is an example of moving an on-premises user to Office 365.

On-premises user enabled for Enterprise Voice with hosted voice mail in Exchange Online (Figure 2-31):

Figure 2-31. Output of Get-CsUser for an on-premises user enabled for Enterprise Voice with hosted voice mail

Take note of the HostingProvider and RegistrarPool indicating that the user is still homed on-premises. We then assign it the newly created voice routing policy (Figure 2-32).

Figure 2-32. Granting the voice routing policy for Hybrid Voice to the on-premises user

The user object is synchronized to Office 365 (Figure 2-33).

Figure 2-33. Output of the Get-CsOnlineUser cmdlet for an on-premises Enterprise Voice user synchronized to Skype for Business Online

Notice that the hosting providers are set to SRV, indicating that it should be doing an SRV lookup for the on-premises Skype for Business Edge server to contact this user. The RegistrarPool is also blank, as the user is not homed in Skype for Business Online. We then license the user for Skype for Business Online, in this instance, as part of the E5 license SKU (see Figure 2-34).

Figure 2-34. Service included as part of the E5 license SKU in Office 365

License provisioning typically happens quickly, within a few minutes, but it can take as long as 10–15 minutes. On occasion, there may be issues with a synchronized object that prevent the provisioning from completing successfully. You can either look in the Skype for Business Online Admin Center, refreshing it until the user displays in the enabled users list, or you can use a PowerShell cmdlet to check the provisioning status.

(Get-MsolUser -UserPrincipalName "<user's UPN>").Licenses[0].ServiceStatus

You’ll be looking for the MCOSTANDARD SKU in this instance for Skype for Business Online Plan 2. The user has now been synchronized, and licensed, and we can now move them to Skype for Business Online (Figure 2-35).

Figure 2-35. Sample Move-CsUser cmdlet for moving an on-premises user to Skype for Business Online

If we then look at the on-premises attributes for our user, we see the following (Figure 2-36).

Figure 2-36. Output from Get-CsUser for an on-premises user moved to Skype for Business Online

Notice the HostingProvider is now listed as sipfed.online.lync.com and the RegistrarPool is blank, as they are no longer homed on the on-premises pool.

Now, let’s see what our user object looks like in Skype for Business Online after the move. We can see this by using the Get-CsOnlineUser cmdlet (Figure 2-37).

Figure 2-37. Output of Get-CsOnlineUser cmdlet for an online user after running Move-CsUser

You now see the HostingProvider attributes show sipfed.online.lync.com. But EnterpriseVoiceEnabled and HostedVoicemail by default are still set to False. As I discussed earlier, you must still enable the user for Enterprise Voice in Skype for Business Online after you move them. That is done with the following PowerShell cmdlet.

Set-CsUser -Identity <user's SIP address> -EnterpriseVoiceEnabled $True -HostedVoicemail $True

Once that is done, our user is fully enabled for Hybrid Voice and will be able to make calls via the on-premises PSTN connectivity, using the PSTN usages and trunks defined in Skype for Business Server on-premises (Figure 2-38).

Figure 2-38. Output of Get-CsOnlineUser for Hybrid Voice user migrated from on-premises and enabled for Enterprise Voice in Skype for Business Online
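
The order of operations walked through above can be expressed as a gate that reports the next step for a given user. The following is an added example, not code from the book: the function and step names are hypothetical, the sample objects are constructed, and it assumes the Get-MsolUser ServiceStatus and Get-CsOnlineUser property shapes described in this section.

```powershell
# Added example (not from the book): choose the next migration step from objects
# shaped like Get-MsolUser and Get-CsOnlineUser output. Names are hypothetical.
function Get-HybridVoiceNextStep {
    param(
        [Parameter(Mandatory)] $MsolUser,       # Get-MsolUser -UserPrincipalName <UPN>
        [Parameter(Mandatory)] $OnlineUser,     # Get-CsOnlineUser -Identity <SIP address>
        [string] $ServicePlan = 'MCOSTANDARD'   # Skype for Business Online Plan 2
    )
    # Search every assigned license, not only Licenses[0], for the service plan.
    $status = @($MsolUser.Licenses | ForEach-Object { $_.ServiceStatus } |
        Where-Object { $_.ServicePlan.ServiceName -eq $ServicePlan })
    if ($status.Count -eq 0) { return 'AssignLicense' }
    if (-not ($status | Where-Object { $_.ProvisioningStatus -eq 'Success' })) {
        return 'WaitForProvisioning'
    }
    # Synchronized but still homed on-premises: HostingProvider shows SRV.
    if ($OnlineUser.HostingProvider -like 'SRV*') { return 'RunMoveCsUser' }
    if ($OnlineUser.HostingProvider -eq 'sipfed.online.lync.com') {
        # After Move-CsUser both voice flags are False until Set-CsUser is run.
        if ($OnlineUser.EnterpriseVoiceEnabled -and $OnlineUser.HostedVoiceMail) {
            return 'ValidateFunctionality'
        }
        return 'RunSetCsUser'
    }
    return 'Investigate'   # unexpected HostingProvider value
}

# Constructed sample objects, not real tenant output.
function New-SampleMsolUser([string] $Provisioning) {
    $svc = [pscustomobject]@{
        ServicePlan        = [pscustomobject]@{ ServiceName = 'MCOSTANDARD' }
        ProvisioningStatus = $Provisioning
    }
    [pscustomobject]@{ Licenses = @([pscustomobject]@{ ServiceStatus = @($svc) }) }
}
$synced = [pscustomobject]@{ HostingProvider = 'SRV:'; EnterpriseVoiceEnabled = $false; HostedVoiceMail = $false }
$moved  = [pscustomobject]@{ HostingProvider = 'sipfed.online.lync.com'; EnterpriseVoiceEnabled = $false; HostedVoiceMail = $false }

# License still provisioning, user not yet moved.
Get-HybridVoiceNextStep -MsolUser (New-SampleMsolUser 'PendingInput') -OnlineUser $synced
# License provisioned, user not yet moved.
Get-HybridVoiceNextStep -MsolUser (New-SampleMsolUser 'Success') -OnlineUser $synced
# User moved, voice not yet enabled.
Get-HybridVoiceNextStep -MsolUser (New-SampleMsolUser 'Success') -OnlineUser $moved
```

In a connected session, the two sample objects would be replaced by the live output of Get-MsolUser and Get-CsOnlineUser for the user being migrated.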

Summary

In this chapter, I covered the core components and modalities of the Skype for Business UC platform and how they differ between the on-premises product and that in Office 365. I clarified common misconceptions about how Cloud PBX, in combination with the type of PSTN Connectivity, defines the types of deployments that can be supported by hybrid configurations. I also discussed infrastructure and configuration considerations in deploying hybrid configurations and various scenarios and examples of how to migrate users from on-premises Skype for Business to Skype for Business Online.

I hope it was enlightening for you, reader, and gave you a stronger sense of how to practically approach deploying Skype for Business Online and hybrid configurations within your environments.
