Skype for business mobility
Skype for Business Mobility
Fabrizio Volpe, Skype for Business MVP
Who Am I?
• I am Fabrizio Volpe – Microsoft MVP on Skype for Business
• I work for the Iccrea Banking Group
• I am the author of five IT books including Microsoft Lync Server 2013: Basic Administration and the Lync Server Cookbook
• I tweet from @fabriziovlp
• I blog at http://www.absoluteuc.org/
Quote
"There is no subject so old that something new cannot be said about it." (Fyodor Dostoevsky)
Why Mobility is Important
Mobility is about "experiences spanning a variety of devices"
Cloud provides the infrastructure to keep the devices connected, and to support the services those devices consume
Comparing the Mobile Client with the Desktop Client
Mobile client comparison tables for Skype for Business
Clients and Servers Version Matrix
• The Lync 2010 clients are still supported in Skype for Business
• The next version of the product will consider them deprecated
Typical Scenario
Reverse Proxy, required for:
• Skype Web Services
• Mobility
Edge Pool, required for:
• SIP Clients
• Federation
Skype for Business and Reverse Proxy
The reverse proxy publishes the Web Services to the Internet
Skype for Business Web Service functions include:
• Skype for Business Mobility client
• Simple URLs
• LyncDiscover – client sign-in and discovery
• Meet – connect to meetings
• Dialin – dial-in conference settings information
• Schedule – schedule meetings
• Skype for Business Web App client
• Expand distribution groups
• Address Book download
Skype for Business Sites in IIS
Skype for Business separates the services meant to be exposed to the external network from those meant for the internal network by using two IIS sites (internal and external)
Because the two sites listen on different ports, the Skype4B Front Ends can serve both with a single IP address.
Reverse Proxy Ports Redirection
The reverse proxy receives requests on the standard ports (80 and 443) and forwards them to the external Skype for Business web site, which listens on 8080 and 4443
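As an added check (not part of the deck), the following PowerShell lists the bindings of the two IIS sites on a Front End and probes the ports the reverse proxy has to translate. It assumes Windows PowerShell with the WebAdministration module on a Skype for Business Server 2015 Front End; the site names are the installer defaults and the external web FQDN is a placeholder.

```powershell
# Added example (not from the deck): list the bindings of the internal and
# external IIS sites and probe the ports the reverse proxy must translate
# (80 -> 8080, 443 -> 4443). Assumes the WebAdministration module on a
# Skype for Business Server 2015 Front End; the site names are the installer
# defaults and $ExternalWebFqdn is a placeholder.
Import-Module WebAdministration

$InternalSite    = 'Skype for Business Server Internal Web Site'
$ExternalSite    = 'Skype for Business Server External Web Site'
$ExternalWebFqdn = 'lyncweb.contoso.com'   # placeholder: FQDN published by the reverse proxy

function Get-SfbWebSiteBindings {
    # bindingInformation is "ip:port:hostheader", e.g. "*:4443:"
    foreach ($site in $InternalSite, $ExternalSite) {
        foreach ($b in Get-WebBinding -Name $site) {
            [pscustomobject]@{
                Site     = $site
                Protocol = $b.protocol
                Port     = [int](($b.bindingInformation -split ':')[1])
            }
        }
    }
}

function Test-SfbReverseProxyPath {
    param([string]$Fqdn = $ExternalWebFqdn, [string]$FrontEnd = $env:COMPUTERNAME)
    # Inside the network the external site must answer directly on 8080/4443.
    $rows = foreach ($p in 8080, 4443) {
        $r = Test-NetConnection -ComputerName $FrontEnd -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "${FrontEnd}:${p}"; Role = 'external site on Front End'; Open = $r.TcpTestSucceeded }
    }
    # The published name should only expose 80/443 (the reverse proxy listener).
    $rows += foreach ($p in 80, 443) {
        $r = Test-NetConnection -ComputerName $Fqdn -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = "${Fqdn}:${p}"; Role = 'published by reverse proxy'; Open = $r.TcpTestSucceeded }
    }
    $rows
}

Get-SfbWebSiteBindings | Sort-Object Site, Port | Format-Table -AutoSize
Test-SfbReverseProxyPath | Format-Table -AutoSize
```

On a healthy Front End the internal site binds 80 and 443 and the external site 8080 and 4443. Run the second function from an Internet-facing host as well: only 80 and 443 on the published FQDN should be open there, and 8080/4443 on the Front End itself must never be reachable from outside, otherwise the reverse proxy (and any pre-authentication it does) can be bypassed.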
Certified Reverse Proxy
Web Application Proxy
The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy
Services required to support the Web Application Proxy:
Role / feature: Active Directory Domain Services (AD DS)
How it supports this scenario: AD DS is required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.
Role / feature: Active Directory Federation Services (AD FS)
How it supports this scenario: AD FS is required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.
Role / feature: Remote Access (DirectAccess, Routing and Remote Access)
How it supports this scenario: Remote Access is the role containing the Web Application Proxy role service.
Mobile Clients on the Internal Network
• Autodiscover Service returns all Web Services URLs for the user's home pool, including the Mobility Service (Mcx and UCWA) URLs
• However, both the internal Mobility Service URL and the external Mobility Service URL are associated with the external Web Services FQDN
• Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Mobility Service externally through the reverse proxy
• DNS requirements for Skype for Business: https://technet.microsoft.com/en-us/library/dn951397.aspx
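As an added example (not from the deck), the PowerShell below checks the two points above: that both lyncdiscover records resolve, and that the Mcx/UCWA links Autodiscover hands out point at the external web services FQDN even for an internal client. The SIP domain and external FQDN are placeholders, and the JSON sample is constructed to match the shape of a Lync/Skype for Business Autodiscover user response (tokens such as Internal/Mcx), not captured from a real pool.

```powershell
# Added example (not from the deck): verify that Autodiscover sends mobile
# clients to the external web services FQDN for Mcx/UCWA regardless of where
# they are. $SipDomain and $ExternalWebFqdn are placeholders; the sample
# response below is constructed, not captured from a live pool.
$SipDomain       = 'contoso.com'         # placeholder
$ExternalWebFqdn = 'lyncweb.contoso.com' # placeholder: external web services FQDN

function Resolve-SfbDiscoverRecords {
    # Internal DNS must carry lyncdiscoverinternal; public DNS must carry
    # lyncdiscover (normally pointing at the reverse proxy).
    foreach ($name in "lyncdiscoverinternal.$SipDomain", "lyncdiscover.$SipDomain") {
        $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{ Record = $name; Resolves = [bool]$answer; Address = ($answer.IPAddress -join ',') }
    }
}

function Get-SfbAutodiscoverRoot {
    # The root resource needs no credentials; it tells the client where the
    # user resource (which requires a web ticket) lives.
    Invoke-RestMethod -Uri "https://lyncdiscoverinternal.$SipDomain/Autodiscover/AutodiscoverService.svc/root" -Method Get
}

function Test-SfbMobilityUrls {
    param([Parameter(Mandatory)][string]$UserResponseJson)
    # Pick the Mcx and UCWA links out of the user response and flag whether
    # each host is the external FQDN, i.e. whether the client will go through
    # the reverse proxy.
    $resp = $UserResponseJson | ConvertFrom-Json
    foreach ($link in ($resp.User.Links | Where-Object { $_.token -match '^(Internal|External)/(Mcx|Ucwa)$' })) {
        $hostName = ([uri]$link.href).Host
        [pscustomobject]@{
            Token           = $link.token
            Host            = $hostName
            ViaReverseProxy = ($hostName -ieq $ExternalWebFqdn)
        }
    }
}

# Constructed sample of a user response (shape only; not from a real deployment).
$Sample = @'
{ "AccessLocation": "Internal",
  "User": { "Links": [
    { "token": "Internal/Autodiscover", "href": "https://sfbpool.contoso.local/Autodiscover/AutodiscoverService.svc/root" },
    { "token": "Internal/Mcx",  "href": "https://lyncweb.contoso.com/Mcx/McxService.svc" },
    { "token": "External/Mcx",  "href": "https://lyncweb.contoso.com/Mcx/McxService.svc" },
    { "token": "Internal/Ucwa", "href": "https://lyncweb.contoso.com/ucwa/v1/applications" },
    { "token": "External/Ucwa", "href": "https://lyncweb.contoso.com/ucwa/v1/applications" } ] } }
'@

Resolve-SfbDiscoverRecords | Format-Table -AutoSize
Test-SfbMobilityUrls -UserResponseJson $Sample | Format-Table -AutoSize
```

With the sample, all four Mcx/UCWA rows show ViaReverseProxy = True, which is the behaviour the deck describes. To run it against a live pool, feed Test-SfbMobilityUrls the body of the user resource obtained with a web ticket; the root call above is only there to confirm the internal Autodiscover site answers.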
Debugging Mobility Issues: Lync Connectivity Analyzer
Lync Connectivity Analyzer attempts to connect to your server by using the same services and protocols that are used by the apps themselves.
The tool tests the following Lync Server components:
• Autodiscover service
• Authentication Broker (Reach) service
• Mobility (MCX) service
• WebTicket service
Lync Connectivity Analyzer tests the configuration of the following additional components:
• Publication of DNS records for Autodiscover URLs
• Certificates
• Proxy servers
Scenario: Internal Mobile Client Establishes a Connection to an Internal Client
• The mobile client discovers the pool through the internal LYNCDISCOVERINTERNAL URL but then uses the EXTERNAL MOBILITY URL
• Both clients are entitled to a direct peer-to-peer media setup
• What matters is the network path: it must be a direct route with no NAT in between
Scenario: Internal Mobile Client Establishes a Connection to an Internal Client Behind a Firewall
• The mobile client must rely on the Edge Server and tunnel signaling and media through it
• The mobile device connects to the external Edge interface and sends its media session there
• The internal full client connects its media to the internal Edge interface
Scenario: Internal Mobile Client Establishes a Connection to an External Client
• The call to the external full client is rerouted via the Edge Server and sent out to the external side again
• Media goes first to the external Edge interface, then back through the Edge Server to the remote client
Voice and Video Flow with Mobile Clients
What Happens if VOIP is Not Available?
External User Access: Skype Built-in Security
Authentication: NTLM, TLS-DSK, passive authentication* (*AD FS based authentication)
Mobility: credential storage, device control
Infrastructure protection: brute force
External User Access: Security Requirements
Authentication: pre-authentication, no domain credentials, 2-factor authentication
Mobility: credential storage, device control, device registration
Diagram: Skype for Business external users and federation/Public IM partners reach the Edge Pool and the Reverse Proxy through the external firewall; the Edge Pool and Reverse Proxy reach the Front End pool and Active Directory through the internal firewall. Ports shown:
• External side, Reverse Proxy: HTTPS 443
• External side, Edge Pool: HTTPS 443
• External side, Access Edge: SIP/MTLS 5061 and SIP/TLS 443
• Internal side, Reverse Proxy to Front End pool: HTTPS 4443
• Internal side, Edge Pool to Front End pool: SIP/MTLS 5061
Infrastructure protection: brute force, account lock-out, DoS
Authentication Options – new in SfB Server
Pool-level WebServiceConfiguration table: the parameters UseWindowsAuth, UseCertAuth, UsePinAuth, UseWsFedPassiveAuth and MobilePreferredAuthType, shown per client type (Lync desktop, Lync Mac, WP, IP-Phones, Mobile)
Mobile Authentication Options – Configuration
Set-CsWebServiceConfiguration -UseWsFedPassiveAuth $true
Set-CsWebServiceConfiguration -WsFedPassiveMetadataUri [URL]
Additional configuration for mobile clients to use passive authentication:
Set-CsWebServiceConfiguration -MobilePreferredAuthType WsFedPassive
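As an added example (not from the deck), this PowerShell shows the pool-level authentication options in one view, validates the AD FS federation metadata the passive flow depends on, and previews the change with -WhatIf before committing it. It assumes the Skype for Business Server Management Shell; the metadata URI is a placeholder for your own AD FS farm.

```powershell
# Added example (not from the deck): inspect the pool-level web service
# authentication options, check the AD FS metadata endpoint used by passive
# authentication, and apply the change only on request. Assumes the Skype for
# Business Server Management Shell; $MetadataUri is a placeholder.
$MetadataUri = 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder

function Get-SfbWebAuthOptions {
    Get-CsWebServiceConfiguration |
        Select-Object Identity, UseWindowsAuth, UseCertificateAuth, UsePinAuth,
                      UseWsFedPassiveAuth, WsFedPassiveMetadataUri, MobilePreferredAuthType
}

function Test-SfbWsFedMetadata {
    param([string]$Uri = $MetadataUri)
    # Passive auth only works if the metadata is served over HTTPS from a host
    # the mobile client can reach from the Internet and the document actually
    # advertises a WS-Federation passive requestor endpoint.
    if (([uri]$Uri).Scheme -ne 'https') { throw "Metadata URI must use HTTPS: $Uri" }
    $xml     = [xml](Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
    $passive = $xml.EntityDescriptor.RoleDescriptor |
               Where-Object { $_.PassiveRequestorEndpoint } |
               ForEach-Object { $_.PassiveRequestorEndpoint.EndpointReference.Address }
    [pscustomobject]@{
        EntityId        = $xml.EntityDescriptor.entityID
        PassiveEndpoint = ($passive | Select-Object -First 1)
    }
}

function Enable-SfbMobilePassiveAuth {
    param([string]$Uri = $MetadataUri, [switch]$Apply)
    # Without -Apply the cmdlets run with -WhatIf, so the change can be
    # reviewed before it touches a production pool.
    $preview = -not $Apply
    Set-CsWebServiceConfiguration -UseWsFedPassiveAuth $true -WsFedPassiveMetadataUri $Uri -WhatIf:$preview
    Set-CsWebServiceConfiguration -MobilePreferredAuthType WsFedPassive -WhatIf:$preview
}

Get-SfbWebAuthOptions | Format-List
Test-SfbWsFedMetadata
Enable-SfbMobilePassiveAuth           # preview only
# Enable-SfbMobilePassiveAuth -Apply  # commit, then re-run Get-SfbWebAuthOptions
```

The HTTPS check matters because the metadata URI is what the clients trust to locate the identity provider; pointing it at an endpoint that is not reachable (or not TLS protected) from the Internet silently breaks, or weakens, mobile sign-in.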
Synchronized Conversations & Auto-Accept
Previously:
• Conversations on mobile devices were not synchronized with desktop clients: you had to send the conversation from the mobile device (e-mail it?) to keep it on a different device
• Users had to manually accept messages on mobile devices within a short time
Synchronized conversations allow users to maintain their conversations across all of their devices
Auto-Accept allows the mobile client to accept incoming messages on the user's behalf
Server requirements
• Skype for Business Server 2015 with Exchange 2013 on-premises /Exchange Online
• Skype for Business Online with Exchange 2013 on-premises/Exchange Online
Synchronized Conversations & Auto-Accept Requirements
• Users must be homed on Skype for Business Server 2015
• Users must have a mailbox homed on Exchange 2013 (either on-premises or online)
• Skype for Business Server OAuth setup with the Exchange 2013 environment
Skype for Business and OAuth2
Skype for Business Server 2015, Microsoft Exchange Server 2013 (and Microsoft SharePoint Server 2013) can create security tokens that can be accepted by one another
• The same certificate must be configured as the OAuthTokenIssuer certificate on all of your Front End Servers
• The certificate must be at least 2048 bits
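As an added example (not from the deck), the PowerShell below verifies the two OAuth certificate requirements above across the Front Ends (one shared OAuthTokenIssuer certificate, RSA key of 2048 bits or more), lists the partner application Exchange registered, and runs the end-to-end storage test the synchronized-conversation feature relies on. It assumes the Skype for Business Server Management Shell on each Front End and uses a placeholder SIP URI.

```powershell
# Added example (not from the deck): check the OAuthTokenIssuer certificate on
# every Front End and probe the Exchange OAuth partnership. Assumes the Skype
# for Business Server Management Shell on the Front Ends (so Get-CsCertificate
# is available remotely); $TestSipUri is a placeholder.
$TestSipUri = 'sip:user@contoso.com'   # placeholder: a user homed on this pool

function Get-SfbOAuthCertInfo {
    param([string]$Computer = $env:COMPUTERNAME)
    $cert = Get-CsCertificate -Type OAuthTokenIssuer
    # The Cs cmdlet does not expose the key size; read it from the machine store.
    $x509 = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    [pscustomobject]@{
        Computer   = $Computer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        KeyBits    = if ($x509) { $x509.PublicKey.Key.KeySize } else { $null }
    }
}

function Test-SfbOAuthSetup {
    param([string[]]$FrontEnds = @($env:COMPUTERNAME))
    $infos = foreach ($fe in $FrontEnds) {
        if ($fe -ieq $env:COMPUTERNAME) { Get-SfbOAuthCertInfo }
        else { Invoke-Command -ComputerName $fe -ScriptBlock ${function:Get-SfbOAuthCertInfo} -ArgumentList $fe }
    }
    $infos | Format-Table -AutoSize

    # Requirement 1: one and the same certificate on all Front Ends.
    $thumbs = @($infos.Thumbprint | Sort-Object -Unique)
    if ($thumbs.Count -ne 1) {
        Write-Warning "Front Ends do not share one OAuthTokenIssuer certificate: $($thumbs -join ', ')"
    }
    # Requirement 2: at least a 2048-bit key.
    foreach ($i in ($infos | Where-Object { $null -eq $_.KeyBits -or $_.KeyBits -lt 2048 })) {
        Write-Warning "$($i.Computer): OAuthTokenIssuer key size is '$($i.KeyBits)'; 2048 bits or more is required"
    }

    # The partner application created when OAuth with Exchange was configured.
    Get-CsPartnerApplication | Select-Object Identity, ApplicationIdentifier, ApplicationTrustLevel, Enabled
    # End to end: can this pool write an item into the user's Exchange mailbox?
    Test-CsExStorageConnectivity -SipUri $TestSipUri
}

Test-SfbOAuthSetup -FrontEnds 'fe01.contoso.local', 'fe02.contoso.local'   # placeholders
```

A mismatch in thumbprints is the usual reason OAuth works on one Front End and fails on another; Test-CsExStorageConnectivity is the quickest way to prove the Skype-to-Exchange trust before enabling synchronized conversations for users.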
Integrating With Office 365 - Identities
Office 365 works with Windows Azure Active Directory (WAAD)
Users defined directly on WAAD (Cloud Identity)
Synchronized identity (DirSync with Password Sync)
Federated Identity (DirSync with Single Sign-On)
DirSync with Password Sync
• Active Directory Domain Services stores passwords as a hash of the actual user password, not the password itself
• The synchronized password hash cannot be used to log in to your on-premises network
DirSync with Single Sign-On
• Password is verified by the on-premises identity provider
• This means that the password hash does not need to be synchronized to Azure AD
Synchronized Conversations Configuration
Enable Server Side Conversation History
Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true -Verbose
Set-CsClientPolicy -Identity "policy_name" -EnableServerConversationHistory $true -Verbose
Verify replication and restart the front end service
Get-CsManagementStoreReplicationStatus
Restart the SfB services (assuming this is the first time Lync-Exchange auth has been configured)
Required settings
CsMobilityPolicy: AllowSaveIMHistory flag = True
CsClientPolicy: DisableSavingIM = False
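As an added example (not from the deck), the following PowerShell applies the settings above, then checks every mobility and client policy for the two flags that silently disable history sync, and waits for Central Management Store replication before you restart anything. It assumes the Skype for Business Server Management Shell; the client policy name is a placeholder.

```powershell
# Added example (not from the deck): enable server-side conversation history,
# validate the policy flags the feature depends on, and wait for CMS replication.
# Assumes the Skype for Business Server Management Shell; $ClientPolicyName is
# a placeholder for the policy assigned to mobile users.
$ClientPolicyName = 'Global'   # placeholder

function Enable-SfbServerConversationHistory {
    param([string]$Policy = $ClientPolicyName)
    Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true
    Set-CsClientPolicy -Identity $Policy -EnableServerConversationHistory $true
}

function Test-SfbConversationHistoryPrereqs {
    # Returns one line per misconfiguration; an empty result means all good.
    $problems = @()
    foreach ($p in Get-CsMobilityPolicy) {
        if (-not $p.AllowSaveIMHistory) { $problems += "CsMobilityPolicy $($p.Identity): AllowSaveIMHistory is False" }
    }
    foreach ($p in Get-CsClientPolicy) {
        if ($p.DisableSavingIM) { $problems += "CsClientPolicy $($p.Identity): DisableSavingIM is True" }
        if (-not $p.EnableServerConversationHistory) { $problems += "CsClientPolicy $($p.Identity): EnableServerConversationHistory is not True" }
    }
    if (-not (Get-CsConversationHistoryConfiguration).EnableServerConversationHistory) {
        $problems += 'ConversationHistoryConfiguration: EnableServerConversationHistory is False'
    }
    $problems
}

function Wait-SfbCmsReplication {
    param([int]$TimeoutSeconds = 300)
    # Poll until every replica reports UpToDate, or give up after the timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $pending = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("Replication still pending on: " + ($pending.ReplicaFqdn -join ', '))
    $false
}

Enable-SfbServerConversationHistory
$issues = Test-SfbConversationHistoryPrereqs
if ($issues) { $issues | Write-Warning } else { 'Policy flags OK' }
if (Wait-SfbCmsReplication) {
    'Replication complete; if this is the first Skype-Exchange OAuth configuration, restart the Front End services now (Stop-CsWindowsService; Start-CsWindowsService)'
}
```

Checking every policy rather than only the one you just edited matters because a user-level CsMobilityPolicy or CsClientPolicy with the wrong flag overrides the global setting for the users it is assigned to.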
Monitor Mobility Service
Performance counters
For Unified Communications Web API (UCWA):
• LyncUcwa worker process in Internet Information Services (IIS) Manager
• ASP.NET\Requests Queued
For Mobility Service (Mcx):
• CSIntMcxAppPool and CSExtMcxAppPool worker processes in Internet Information Services (IIS) Manager
High Performance for Mobility Service (Mcx)
Settings for Mcx on IIS 7.5
1. maxConcurrentThreadsPerCPU is set to zero (0)
2. maxConcurrentRequestsPerCPU is set to zero (0)
3. ASP.NET process model is set to AutoConfig (for IIS 7.5 only)
4. HTTP.sys queue limit is set to 1,000 (by default)
Note: these settings apply only to the Skype for Business Server 2015 Mobility Service (Mcx). They do not apply to the Unified Communications Web API (UCWA)
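As an added example (not from the deck), the PowerShell below is a one-shot health check that covers the monitoring items and the Mcx tuning values above: state and worker count of the UCWA and Mcx application pools, their HTTP.sys queue limit, the ASP.NET request queue, and the two per-CPU limits plus the processModel autoConfig setting. It assumes the WebAdministration module on a Front End; the two .NET 4 configuration file paths are the standard 64-bit locations and are an assumption of this script, not something the deck states.

```powershell
# Added example (not from the deck): health check for the UCWA and Mcx worker
# processes and the IIS 7.5 / .NET 4 tuning values. Assumes the WebAdministration
# module on a Front End; $AspNetConfig and $MachineConfig are the standard
# 64-bit .NET 4 paths and are an assumption of this script.
Import-Module WebAdministration

$AppPools      = 'LyncUcwa', 'CSIntMcxAppPool', 'CSExtMcxAppPool'
$Net4Dir       = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319'
$AspNetConfig  = Join-Path $Net4Dir 'aspnet.config'
$MachineConfig = Join-Path $Net4Dir 'Config\machine.config'

function Get-SfbMobilityAppPoolStatus {
    # w3wp.exe is started with '-ap "<pool name>"', which lets us count workers per pool.
    $w3wp = Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'"
    foreach ($name in $AppPools) {
        $pool = Get-Item "IIS:\AppPools\$name" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            AppPool     = $name
            State       = if ($pool) { $pool.state } else { 'missing' }
            Workers     = @($w3wp | Where-Object { $_.CommandLine -match "-ap `"$name`"" }).Count
            QueueLength = if ($pool) { $pool.queueLength } else { $null }   # HTTP.sys queue limit, 1000 by default
        }
    }
}

function Get-SfbAspNetQueueDepth {
    # Requests waiting for a worker thread; a sustained non-zero value means
    # Mcx/UCWA are starved and the limits below are worth checking.
    (Get-Counter '\ASP.NET\Requests Queued').CounterSamples[0].CookedValue
}

function Test-SfbMcxTuning {
    $pool = ([xml](Get-Content $AspNetConfig)).configuration.'system.web'.applicationPool
    $pm   = ([xml](Get-Content $MachineConfig)).configuration.'system.web'.processModel
    [pscustomobject]@{
        maxConcurrentThreadsPerCPU  = $pool.maxConcurrentThreadsPerCPU
        maxConcurrentRequestsPerCPU = $pool.maxConcurrentRequestsPerCPU
        processModelAutoConfig      = $pm.autoConfig
        MatchesMcxGuidance          = ($pool.maxConcurrentThreadsPerCPU -eq '0' -and
                                       $pool.maxConcurrentRequestsPerCPU -eq '0' -and
                                       $pm.autoConfig -eq 'true')
    }
}

Get-SfbMobilityAppPoolStatus | Format-Table -AutoSize
"ASP.NET requests queued: $(Get-SfbAspNetQueueDepth)"
Test-SfbMcxTuning | Format-List
```

A pool that shows State = Started with zero workers is normal when it is idle; a pool that is Stopped, or a request queue that keeps growing while the per-CPU limits are not 0, is what you want to catch before mobile users start reporting sign-in timeouts.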
Address Book Web Services for Mobile Devices
• Since the Address Book can become quite large, the mobile client makes use of the Address Book Web Services
• This requires that all search requests for internal Lync-enabled users are made via a web-based query (ASWQ)
Edge Servers
Edge Services include:
• Access Edge: federation
• Web Conferencing Edge: conferencing for external users
• A/V Edge: external A/V communication, desktop sharing
Edge Servers: Load Balancing