There are a lot of blogs out there explaining how to configure the hybrid relationship between on-premises Skype for Business Server and O365 Skype for Business Online. But most of them do not contain all the information required to complete the configuration. For this reason, I decided to write a post covering the end-to-end configuration without holding anything back.
At a high level, hybrid configuration requires:
- Edge server with Federation enabled
- Hosting Provider configured for Skype for Business online
- DNS SRV record (_sipfederationtls._tcp.domain.com) resolving to the on-premises Access Edge
- Port 5061 allowed from/to the internet on the corporate firewall for the Access Edge interface
- Enable SharedAddressSpace in O365
- Skype for Business Hybrid setup in the Skype for Business Control Panel
Edge Server with Federation
Before even thinking about configuring Hybrid, the Skype for Business Edge server role must be deployed within the organization. The Edge server is the component that acts as a gateway between the on-premises servers and O365 Skype for Business Online.
If the Edge server exists, federation needs to be enabled in the Topology. Once federation is enabled, running the script below will prepare the external services to support Skype for Business Hybrid:
Set-CsAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -EnablePartnerDiscovery 1 -UseDnsSrvRouting
Hosting Provider Configuration
O365 is a hosted platform and Skype for Business Online is deployed on that platform. So, Skype for Business Online needs to be added as a Hosting Provider for the on-premises server. The command below can be run as-is in the Skype for Business Management Shell to configure the Hosting Provider:
New-CsHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root
Once configured, running Get-CsHostingProvider will show the current configuration.
DNS SRV configuration
In the Edge server federation configuration above, routing was set to DNS SRV routing. This is where the SRV part comes in. The system uses the DNS SRV record to route traffic destined for O365 Skype for Business Online. The SRV record in question is _sipfederationtls._tcp.domain.com. This record must be configured in public DNS and must resolve to the Access Edge FQDN.
It is also mandatory that the Edge server resolves this DNS record externally. This means the external interface of the Edge server must have public DNS configured. Usually, when the Edge server is deployed, the internal server names it needs to resolve are added to the local hosts file, and DNS is left blank on the internal interface. The external interface has public DNS configured so that it can properly resolve external DNS entries and route traffic to the relevant destination.
Firewall Rules
When enabling federation on Skype for Business servers, TCP port 5061 must be opened both ways on the perimeter firewall for the Access Edge DMZ IP address. The same port is used for Hybrid communication, as it leverages the federation services of the Skype for Business platform.
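The four on-premises prerequisites covered so far (federation settings, hosting provider, public SRV record, TCP 5061) can be checked in one pass. This is an added example and not part of the original post; $SipDomain and $AccessEdgeFqdn are placeholders for your own values, and it assumes the Skype for Business Management Shell plus the DnsClient and NetTCPIP modules are available.

```powershell
# Added example (not from the original post): verify the on-premises hybrid prerequisites.
# Run from the Skype for Business Management Shell on a machine that uses public DNS.
param(
    [string]$SipDomain      = 'domain.com',      # placeholder: your SIP domain
    [string]$AccessEdgeFqdn = 'sip.domain.com'   # placeholder: public Access Edge FQDN
)

$checks = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:checks += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Federation settings applied with Set-CsAccessEdgeConfiguration
$edge = Get-CsAccessEdgeConfiguration
Add-Check 'Federation enabled' ([bool]$edge.AllowFederatedUsers)    "AllowFederatedUsers=$($edge.AllowFederatedUsers)"
Add-Check 'Partner discovery'  ([bool]$edge.EnablePartnerDiscovery) "EnablePartnerDiscovery=$($edge.EnablePartnerDiscovery)"
Add-Check 'DNS SRV routing'    ($edge.RoutingMethod -eq 'UseDnsSrvRouting') "RoutingMethod=$($edge.RoutingMethod)"

# 2. Hosting provider for Skype for Business Online (New-CsHostingProvider)
$hp = Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq 'sipfed.online.lync.com' }
Add-Check 'Hosting provider' ([bool]($hp -and $hp.Enabled -and $hp.EnabledSharedAddressSpace)) "Found=$([bool]$hp)"

# 3. Public SRV record must point at the Access Edge FQDN on port 5061
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$SipDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
$srvOk = [bool]($srv | Where-Object { $_.NameTarget -eq $AccessEdgeFqdn -and $_.Port -eq 5061 })
$targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
Add-Check 'SRV -> Access Edge:5061' $srvOk "Targets=$targets"

# 4. TCP 5061 reachability through the perimeter firewall
$tcp = Test-NetConnection -ComputerName $AccessEdgeFqdn -Port 5061 -WarningAction SilentlyContinue
Add-Check 'TCP 5061 reachable' ([bool]$tcp.TcpTestSucceeded) "RemoteAddress=$($tcp.RemoteAddress)"

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more hybrid prerequisites are not met; fix them before running the Control Panel wizard.'
}
```

Run the SRV and port checks from outside the corporate network (or from the Edge external interface) as well, since internal DNS and the firewall path seen from the LAN can differ from what the Edge and O365 see.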
O365 Side Configuration
Specifically, Shared Address Space needs to be enabled within O365. This attribute was already enabled on the on-premises side above. Once enabled, both Skype for Business Online and the on-premises servers will use the same domain name space as the SIP domain.
To log in to O365 Skype for Business Online, use the commands below in Windows PowerShell. Note that the Skype for Business Online Connector module must be installed before running them. Replace the proper domain name in OverrideAdminDomain. Use a global tenant administrator account when prompted for credentials (user@domain.onmicrosoft.com).
$credential = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $credential
Import-Module SkypeOnlineConnector
$lyncSession = New-CsOnlineSession -Credential $credential -OverrideAdminDomain domain.onmicrosoft.com
Import-PSSession $lyncSession -AllowClobber
Once connected, run the command below to enable SharedAddressSpace in Skype for Business Online:
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
Hybrid Setup in Skype for Business Control Panel
We are almost there. To complete the Hybrid setup, the configuration needs to be finished in the Skype for Business Control Panel. This bit is often missed in most of the blogs out there.
Open the Skype for Business Control Panel and click "Setup Hybrid with Skype for Business Online".
Notice that it lists the prerequisites that need to be completed before setting up Hybrid. Confirm the first 3 points are addressed before moving forward; otherwise, it will raise an error at each stage of the configuration.
Click "Sign in to O365" and type the user name and password at the prompt. Note that the user name must be a tenant admin user (user@domain.onmicrosoft.com).
A couple of "Next"s later, confirm that all components are checked green. If everything above in this article was configured, the checks will come up green.
Now the Skype for Business hybrid configuration with O365 Skype for Business Online is done. However, users enabled in O365 Skype for Business Online will see the presence of on-premises users, while on-premises users will not be able to see the presence of online users.
To fix this, online users need to be configured as "Hybrid" users. The command below sets the user's msRTCSIP-DeploymentLocator attribute to the Skype for Business Online value, so that when an on-premises user searches for an online user, the presence subscription is forwarded to O365 instead of looking for that user on the on-premises server.
Enable-CsUser -Identity <SIP Address> -SipAddressType <EmailAddress | UserPrincipalName> -HostingProviderProxyFqdn "sipfed.online.lync.com"
Once the command completes, the user will be shown in the Skype for Business Control Panel as an "Online" user.
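The Enable-CsUser step above is usually repeated for many users, and it is worth confirming afterwards that both Skype for Business and AD show the expected hosting value (the msRTCSIP-DeploymentLocator attribute that AAD Connect must sync). The script below is an added example, not part of the original post; the user list is a constructed sample, and it assumes the users' UPNs match their SIP addresses and that the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): mark Online users as hybrid users and verify.
Import-Module ActiveDirectory

$onlineUsers = @('alice@domain.com', 'bob@domain.com')   # constructed sample list of UPNs
$proxyFqdn   = 'sipfed.online.lync.com'

foreach ($upn in $onlineUsers) {
    $current = Get-CsUser -Identity $upn -ErrorAction SilentlyContinue

    # Already pointing at the online hosting provider: nothing to do
    if ($current -and $current.HostingProvider -eq $proxyFqdn) {
        Write-Host "$upn is already a hybrid (Online) user, skipping"
        continue
    }
    # Homed on-premises: do not silently re-point an on-premises user
    if ($current) {
        Write-Warning "$upn is homed on-premises (HostingProvider=$($current.HostingProvider)); not changing"
        continue
    }

    # Same command as in the post, with the SIP address derived from the UPN
    Enable-CsUser -Identity $upn -SipAddressType UserPrincipalName -HostingProviderProxyFqdn $proxyFqdn

    # Verify what the Control Panel will show and what AAD Connect will sync to O365
    $after = Get-CsUser -Identity $upn
    $ad    = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties 'msRTCSIP-DeploymentLocator'
    [pscustomobject]@{
        User              = $upn
        SipAddress        = $after.SipAddress
        HostingProvider   = $after.HostingProvider
        DeploymentLocator = $ad.'msRTCSIP-DeploymentLocator'
    }
}
```

A HostingProvider of "sipfed.online.lync.com" in the output is what makes the user appear as "Online" in the Control Panel; if DeploymentLocator comes back empty, check that the attribute is in the AAD Connect\MIM schema as described in the note below.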
Note: There can be a scenario where AD prep for Lync\Skype for Business was done after AAD Connect or MIM was deployed. In that case, a schema refresh is needed in AAD Connect\MIM to replicate the attributes to O365. Once the schema has been refreshed in AAD Connect\MIM, the required attributes must be mapped and synced to O365. It is always a must to have the attributes (specifically the msRTCSIP-DeploymentLocator attribute) properly synced between on-premises AD and O365.
Go through this article to get an overall idea of which attributes need to sync for a Lync\Skype for Business Hybrid deployment.
Give it a go and post any questions on this one, if there are any.