Skype for business mobility

Skype for Business Mobility Fabrizio Volpe Skype for Business MVP

Transcript of Skype for business mobility

Page 1: Skype for business mobility

Skype for Business Mobility

Fabrizio Volpe – Skype for Business MVP

Page 2: Skype for business mobility

Who Am I?

• I am Fabrizio Volpe – Microsoft MVP on Skype for Business

• I work for the Iccrea Banking Group

• I am the author of five IT books, including Microsoft Lync Server 2013: Basic Administration and the Lync Server Cookbook

• I tweet from @fabriziovlp

• I blog at http://www.absoluteuc.org/

Page 3: Skype for business mobility

Quote

"There is no subject so old that something new cannot be said about it." – Fyodor Dostoevsky

Page 4: Skype for business mobility

Why Mobility is Important

Mobility is about "experiences spanning a variety of devices"

The cloud provides the infrastructure that keeps the devices connected and supports the services those devices consume

Page 5: Skype for business mobility

Comparing the Mobile Client with the Desktop Client

[Figure: mobile client comparison tables for Skype for Business]

Page 6: Skype for business mobility

Clients and Servers Version Matrix

• The Lync 2010 clients are still supported in Skype for Business

• The next version of the product will consider them deprecated

Page 7: Skype for business mobility

Typical Scenario

Reverse Proxy – required for:

• Skype Web Services

• Mobility

Edge Pool – required for:

• SIP Clients

• Federation

Page 8: Skype for business mobility

Skype for Business and Reverse Proxy

The reverse proxy publishes the Web Services to the Internet

Skype for Business Web Service functions include:

• Skype for Business Mobility client

• Simple URLs

• LyncDiscover – client sign-in and discovery

• Meet – connect to meetings

• Dialin – dial-in conference settings information

• Schedule – schedule meetings

• Skype for Business Web App client

• Expand Distribution Groups

• Address Book download

Page 9: Skype for business mobility

Skype for Business Sites in IIS

Skype for Business separates the services meant to be exposed to the external network from the ones for the internal network by using two IIS sites (internal and external), each listening on its own ports.

Using different ports also allows the Skype4B Front Ends to serve both sites from a single IP address.

Page 10: Skype for business mobility

Reverse Proxy Ports Redirection

The reverse proxy receives requests on the standard ports (80 and 443) and redirects them to the External Skype for Business web site (8080 and 4443)

Page 11: Skype for business mobility

Certified Reverse Proxy

Page 12: Skype for business mobility

Web Application Proxy

The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy.

Role / feature – how it supports this scenario

Active Directory Domain Services (AD DS)

Active Directory® Domain Services is required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.

Active Directory Federation Services (AD FS)

AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.

Remote Access (DirectAccess, Routing and Remote Access)

Remote Access is the role containing the Web Application Proxy role service.

Table: services required to support the Web Application Proxy

Page 13: Skype for business mobility

Mobile Clients on the Internal Network

Page 14: Skype for business mobility

Mobile Clients on the Internal Network

• The Autodiscover Service returns all Web Services URLs for the user's home pool, including the Mobility Service (Mcx and UCWA) URLs

• However, both the internal Mobility Service URL and the external Mobility Service URL are associated with the external Web Services FQDN

• Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Mobility Service externally through the reverse proxy

• DNS requirements for Skype for Business: https://technet.microsoft.com/en-us/library/dn951397.aspx
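Because the mobile client always reaches the Mobility Service through the reverse proxy, the DNS records and the 443/4443 redirection described on the earlier slide are the first things to check when sign-in fails. The script below is an added example, not part of the deck: it assumes a placeholder SIP domain (contoso.example) and Front End external web FQDN (lyncweb.contoso.example), resolves the two Autodiscover names, tests the ports involved, and fetches the anonymous Autodiscover root so the returned Mcx/UCWA links can be inspected.

```powershell
# Added example (not from the deck). Run once from the internal network and once
# from outside; lyncdiscoverinternal is expected to resolve only internally.
$SipDomain       = 'contoso.example'          # placeholder SIP domain
$ExternalWebFqdn = 'lyncweb.contoso.example'  # placeholder Front End external web FQDN

$Checks = @(
    @{ Name = "lyncdiscover.$SipDomain";         Ports = 80, 443 },  # published by the reverse proxy
    @{ Name = "lyncdiscoverinternal.$SipDomain"; Ports = 443 },      # internal DNS only
    @{ Name = $ExternalWebFqdn;                  Ports = 4443 }      # FE external web site
)

foreach ($Check in $Checks) {
    # Resolve-DnsName follows a CNAME; keep only the A records that carry an address
    $Addresses = Resolve-DnsName -Name $Check.Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
    if (-not $Addresses) {
        Write-Warning "$($Check.Name): no A record (normal for lyncdiscoverinternal when run from outside)"
        continue
    }
    foreach ($Port in $Check.Ports) {
        $Open = (Test-NetConnection -ComputerName $Check.Name -Port $Port `
                 -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-42} {1,-18} {2,5} {3}' -f $Check.Name, ($Addresses -join ','), $Port,
            $(if ($Open) { 'open' } else { 'CLOSED' })
    }
}

# The Autodiscover root does not require credentials. Inspect the Mcx/UCWA links in
# the response: per the deck they must point at the external Web Services FQDN from
# both networks, so an internal-only FQDN here means the client will not sign in.
try {
    $Resp = Invoke-WebRequest -Uri "https://lyncdiscover.$SipDomain/" `
            -Headers @{ Accept = 'application/json' } -UseBasicParsing
    "Autodiscover root: HTTP $($Resp.StatusCode)"
    $Resp.Content
} catch {
    Write-Warning "Autodiscover request failed: $($_.Exception.Message)"
}
```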

Page 15: Skype for business mobility

Debugging Mobility Issues: Lync Connectivity Analyzer

Lync Connectivity Analyzer attempts to connect to your server by using the same services and protocols that the apps themselves use.

The tool tests the following Lync Server components:

• Autodiscover service

• Authentication Broker (Reach) service

• Mobility (MCX) service

• WebTicket service

Lync Connectivity Analyzer tests the configuration of the following additional components:

• Publication of DNS records for Autodiscover URLs

• Certificates

• Proxy servers

Page 16: Skype for business mobility

Scenario: Internal Mobile Client Establishes a Connection to an Internal Client

• The mobile client discovers the internal LYNCDISCOVERINTERNAL URL but will make use of the EXTERNAL MOBILITY URL

• The clients are entitled to a direct peer-to-peer setup

• The network path is what matters: it must be a direct, non-NATed route

Page 17: Skype for business mobility

Scenario: Internal Mobile Client Establishes a Connection to an Internal Client Behind a Firewall

• The mobile client must rely on the Edge Server and has to tunnel the signaling/media

• The mobile device will connect to, and send its media session to, the external Edge interface

• The internal full client connects its media to the Edge Server internal interface

Page 18: Skype for business mobility

Scenario: Internal Mobile Client Establishes a Connection to an External Client

• The call to the external full client is rerouted via the Edge Server and sent to the external side again

• First to the external Edge interface, then back through the Edge Server to the remote client

Page 19: Skype for business mobility

Voice and Video Flow with Mobile Clients

Page 20: Skype for business mobility

What Happens if VoIP is Not Available?

Page 21: Skype for business mobility

External User Access: Skype Built-in Security

Authentication: NTLM, TLS-DSK, Passive authentication*

*ADFS-based authentication

Mobility: Credential storage, Device control

Infrastructure protection: Brute force

Page 22: Skype for business mobility

External User Access: Security Requirements

Authentication: Pre-authentication, No domain credentials, 2-factor authentication

Mobility: Credential storage, Device control, Device registration

Infrastructure protection: Brute force, Account lock-out, DoS

[Diagram: external network on the left, internal network on the right]

• Skype for Business external users, and Skype for Business federation and Public IM, reach the Edge Pool through the External Firewall

• Edge Pool, external side: Access Edge – SIP/MTLS: 5061; Access Edge – SIP/TLS: 443

• Edge Pool to the Front End pool through the Internal Firewall: SIP/MTLS: 5061

• Reverse Proxy: HTTPS: 443 from the external users, HTTPS: 4443 to the Front End pool

• Front End pool and Active Directory sit on the internal network

Page 23: Skype for business mobility

Pool-level WebServiceConfiguration: Authentication Options – new in SfB Server

[Table; the cell values are not recoverable from the transcript. Columns: WindowsAuth, UseCertAuth, UsePinAuth, UseWsFedPassiveAuth, MobilePreferredAuthType. Rows: Lync desktop, Lync Mac, WP, IP-Phones, Mobile.]

Page 24: Skype for business mobility

Mobile Authentication Options – Configuration

Set-CsWebServiceConfiguration -UseWsFedPassiveAuth $true

Set-CsWebServiceConfiguration -WsFedPassiveMetadataUri [URL]

Additional configuration for mobile clients to use passive authentication:

Set-CsWebServiceConfiguration -MobilePreferredAuthType WsFedPassive
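Putting the three settings together, and reproducing the per-scope authentication matrix from the previous slide so the result can be checked: the script below is an added example, not the deck's own code. It assumes a placeholder pool identity (service:WebServer:pool01.contoso.example) and a placeholder AD FS metadata URL; the UseWindowsAuth, UseCertificateAuth and UsePinAuth properties are the cmdlet's names for the WindowsAuth, UseCertAuth and UsePinAuth columns.

```powershell
# Added example (not from the deck): enable WS-Federation passive authentication on one
# pool, make it the preferred method for mobile clients, then list every scope's options.
$PoolIdentity = 'service:WebServer:pool01.contoso.example'   # placeholder pool scope
$MetadataUri  = 'https://adfs.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder

# Set-* on a scope that does not exist would fall back to editing the global settings,
# so create the pool-level configuration first when it is missing.
if (-not (Get-CsWebServiceConfiguration -Identity $PoolIdentity -ErrorAction SilentlyContinue)) {
    New-CsWebServiceConfiguration -Identity $PoolIdentity | Out-Null
}

# The deck's three settings, applied to the pool rather than globally
Set-CsWebServiceConfiguration -Identity $PoolIdentity `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri $MetadataUri `
    -MobilePreferredAuthType WsFedPassive

# Authentication matrix for every scope (global, site and pool level).
# Passive auth without a metadata URI is flagged: clients cannot be redirected to AD FS.
Get-CsWebServiceConfiguration | ForEach-Object {
    $Note = if ($_.UseWsFedPassiveAuth -and -not $_.WsFedPassiveMetadataUri) { 'missing metadata URI' } else { '' }
    [pscustomobject]@{
        Scope        = $_.Identity
        WindowsAuth  = $_.UseWindowsAuth
        CertAuth     = $_.UseCertificateAuth
        PinAuth      = $_.UsePinAuth
        WsFedPassive = $_.UseWsFedPassiveAuth
        MobilePref   = $_.MobilePreferredAuthType
        Note         = $Note
    }
} | Format-Table -AutoSize
```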

Page 25: Skype for business mobility

Synchronized Conversations & Auto-Accept

Previously:

• Conversations on the mobile devices were not synchronized with desktop clients. You had to send the conversation (e-mail it?) from the mobile device to keep it on a different device

• Users had to manually accept messages on mobile devices in a short amount of time

Synchronized conversations allow users to maintain their conversations across all of their devices

Auto-Accept allows the mobile client to accept incoming messages on the user's behalf

Server requirements

• Skype for Business Server 2015 with Exchange 2013 on-premises /Exchange Online

• Skype for Business Online with Exchange 2013 on-premises/Exchange Online

Page 26: Skype for business mobility

Synchronized Conversations & Auto-Accept Requirements

• Users must be homed on Skype for Business Server 2015

• Users must have a mailbox homed on Exchange 2013 (either on-premises or online)

• Skype for Business Server OAuth setup with the Exchange 2013 environment

Page 27: Skype for business mobility

Skype for Business and OAuth2

Skype for Business Server 2015, Microsoft Exchange Server 2013 (and Microsoft SharePoint Server 2013) can create security tokens that can be accepted by one another

• The same certificate must be configured as the OAuthTokenIssuer certificate on all of your Front End Servers

• The certificate must be at least 2048 bits

Page 28: Skype for business mobility

Integrating With Office 365 - Identities

Office 365 works with Windows Azure Active Directory (WAAD)

Users defined directly on WAAD (Cloud Identity)

Synchronized identity (DirSync with Password Sync)

Federated Identity (DirSync with Single Sign-On)

Page 29: Skype for business mobility

DirSync with Password Sync

• Active Directory Domain Services stores passwords in the form of a hash value representation of the actual user password

• The password hash cannot be used to log in to your on-premises network

Page 30: Skype for business mobility

DirSync with Single Sign-On

• Password is verified by the on-premises identity provider

• This means that the password hash does not need to be synchronized to Azure AD

Page 31: Skype for business mobility

Synchronized Conversations Configuration

Enable Server Side Conversation History

Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true -Verbose

Set-CsClientPolicy -Identity "policy_name" -EnableServerConversationHistory $true -Verbose

Verify replication and restart the front end service

Get-CsManagementStoreReplicationStatus

Restart the SfB services (assuming this is the first time Lync-Exchange auth has been configured)

Required settings

CsMobilityPolicy – AllowSaveIMHistory flag = True

CsClientPolicy – DisableSavingIM = False
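The settings above live on four different objects, and a single client or mobility policy that still disables IM saving silently breaks synchronization for the users assigned to it. The script below is an added example, not from the deck: it checks every prerequisite listed on this slide across all policies and reports what still needs a Set-* before the Front End services are restarted.

```powershell
# Added example (not from the deck): verify the synchronized-conversations prerequisites.
$Problems = @()

# 1. Server-side conversation history at the configuration level
$Hist = Get-CsConversationHistoryConfiguration
if (-not $Hist.EnableServerConversationHistory) {
    $Problems += 'CsConversationHistoryConfiguration: EnableServerConversationHistory is $false'
}

# 2. Client policies: history must be enabled and saving IMs must not be disabled
foreach ($P in Get-CsClientPolicy) {
    if (-not $P.EnableServerConversationHistory) {
        $Problems += "CsClientPolicy $($P.Identity): EnableServerConversationHistory is not `$true"
    }
    if ($P.DisableSavingIM) {
        $Problems += "CsClientPolicy $($P.Identity): DisableSavingIM is `$true"
    }
}

# 3. Mobility policies: mobile clients must be allowed to save IM history
foreach ($M in Get-CsMobilityPolicy) {
    if (-not $M.AllowSaveIMHistory) {
        $Problems += "CsMobilityPolicy $($M.Identity): AllowSaveIMHistory is not `$true"
    }
}

# 4. CMS replication: every replica must be up to date, otherwise a restart
#    would start the services with the old settings
$Stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
foreach ($R in $Stale) { $Problems += "Replication: $($R.ReplicaFqdn) is not up to date" }

if ($Problems) {
    Write-Warning 'Synchronized conversations are not fully configured:'
    $Problems | ForEach-Object { "  - $_" }
} else {
    'All prerequisites met; restart the SfB services if this is the first Lync-Exchange auth setup.'
}
```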

Page 32: Skype for business mobility

Monitor Mobility Service

For Unified Communications Web API (UCWA):

• LyncUcwa worker process in Internet Information Services (IIS) Manager

Performance Counters:

• ASP.NET\Requests Queued

For Mobility Service (Mcx):

• CSIntMcxAppPool and CSExtMcxAppPool worker processes in Internet Information Services (IIS) Manager

Page 33: Skype for business mobility

High Performance for Mobility Service (Mcx)

Settings for Mcx on IIS 7.5

1. maxConcurrentThreadsPerCPU is set to zero (0)

2. maxConcurrentRequestsPerCPU is set to zero (0)

3. ASP.NET process model is set to AutoConfig (for IIS 7.5 only)

4. HTTP.sys queue limit is set to 1,000 (by default)

Note: these settings apply only to the Skype for Business Server 2015 Mobility Service (Mcx). They do not apply to the Unified Communications Web API (UCWA)

Page 34: Skype for business mobility

Address Book Web Services for Mobile Devices

• Since the Address Book can become quite large, the mobile client makes use of the Address Book Web Services

• This requires that all search requests for internal Lync-enabled users are made via a web-based query (ABWQ)

Page 35: Skype for business mobility

Edge Servers

Edge Services Include:

• Access Edge: Federation

• Web Conferencing Edge: Conferencing for External Users

• A/V Edge: External A/V communication, Desktop Sharing

Page 36: Skype for business mobility

Edge Servers – Load Balancing