Wednesday, October 25, 2017

Microsoft Techdays 2017 in Stockholm

Today I joined some 2000 computer nerds at Microsoft Techdays, the largest IT conference in Sweden. Besides meeting a lot of old and new friends I attended the following sessions which I have summarized here.

"The best road to a complete communications solution in the cloud."
(Bästa vägen till en komplett kommunikationslösning i molnet - this session was held in Swedish and auto translated by Office 36... me.)

Presented by Peter Klein - Tele2, Level 100

Start by analyzing your organization's communication needs.

According to Microsoft / Tele2 some common needs are:
  • Empower employees / Always connected with data in the cloud
  • Engage customers / Customer focus in everything we do
  • Optimize operations   
  • Transform products     
  • Embrace Collaboration / Collaboration culture
  • Encourage Mobility / Activity based office

63% of Swedish organizations with more than 200 employees are using SFB
85% of these are using SFB primarily for meetings. (IT-bussen 2016)

Skype for business - good to use during a meeting.
Microsoft Teams - to be used before, during and after a meeting.
(Scheduling, recording, transcription, translation, AI)
In the future AI will probably be used during meetings to ensure that people follow the agenda, collect action items and remind participants about them later on.

3% of Swedish organizations with more than 200 employees are using SFB as their primary telephone system. We are still using multiple systems and multiple devices, but the presence state and call logs are seldom unified across these systems. We want to show the same single number (which can be used for SMS as well) when calling out, no matter which system we use.

The SOF - Skype Operations Framework is changing into "Fast track for cloud voice".

The envisioning and design workshops remain in this program.
Map your colleagues to "roles" depending on how they communicate.
User adoption (get the users to use the solution!)

Why should you put your communications in the cloud?
  • Evergreen telephony
  • Focus on the core business
  • Ease of administration
  • Ease of support
  • International deployment
  • Integration with cloud applications

Why should you NOT put your communications in the cloud?
  • Missing functionality
  • Legal requirements
  • Cost of migration
  • Integrations that cannot be made

Announcing "Tele2 Connect 365" a cloud-to-cloud solution, that builds on the existing "Tele2 switch" cloud service.

Everything you need to know about Microsoft Teams and how Office 365 Groups are used.

Presented by Ståle Hansen -, Level 400
(This session was held in Scandinavian "Skavlan" English.)

With Teams we can finally go email free - at least for selected projects. The persistent Teams chat can be an effective replacement for email.

Office 365 groups - a single identity across services - is both an Exchange group and an Azure AD group. The group used in Teams is an Office 365 group, but the group used for SharePoint is an Azure AD group. The SharePoint site is created when needed (when you store the first file) and not at the initial creation of the Team.

File sharing in the Channel chat and in the private chat is not the same, OneDrive for the private chat and SharePoint for the channel chat.

Where stuff is stored - note that there is no "Teams storage".

Teams does not introduce new ways of storing stuff, "only" a new way of consuming the data stored in Office 365.

Skype for business Online plan 2 is needed for interoperability with Teams.

Maximums (as of today):
  • 500,000 teams in a single tenant
  • 2,500 users in a team
  • 250 teams per user
  • 80 users in a meeting
  • 20 users in a private chat
Office 365 for IT pros - an online book with lots of good information around Office 365 groups.

There are no PowerShell commands to control the behavior of the "Teams service" right now, but New-UnifiedGroup, Remove-UnifiedGroup and Get-UnifiedGroupLinks -LinkType Members can be used to create, delete and check groups / teams.

It is possible to limit the creation of Teams to a specific group (like "helpdesk") in case you would like to limit the number of groups created.

There's a new App in town - Microsoft Teams Apps

Presented by Wictor Wilen

A Teams App is a service available in Microsoft Teams, in the right context, which could be made available through the Office Store.

A Teams App can be Tabs / Bots / Connectors / Compose Extensions.
  • Tab is essentially an iframe.
  • Bots are built using the bot framework
  • Connectors push information or "interactive cards" into a channel
  • Compose Extensions can augment data into the Teams Compose box.
A Teams app can be sideloaded (added) in the development version of a Teams client.

Skype for business becomes Teams - What does it mean to me?
Skype for business blir Teams - Vad betyder det för mig?

Presented by Martin Lidholm

Unified Communication might be renamed Intelligent Communication

Teams is the first real front-end application for all Office 365 services.
Looking at Cisco Spark as well as Teams we see a strong trend to use a single application to consume several cloud services.

Two reasons for using Skype for business on-premises are Legal requirements or that you started early with Skype for business and have done custom integrations.
Is Skype for business 2019 going to be "the last" version of Skype for business?
No, this has not been communicated.
What will come in the 2019 version?
Support for new OS / SQL and cloud innovations that can be easily ported to the on-premises version.
Is Teams "based on" Skype consumer?
No, but it shares a new backend service with Skype consumer.

  • Cloud PBX is being replaced by a new "Bring your own SIP Trunk" where customers could connect a SIP trunk straight to Office 365.
  • The UCMA API or something similar is missing in Microsoft Teams, and it is not even in the roadmap at this time.
  • Skype Room Systems will be adapted and work with Microsoft Teams to protect investments already done.
  • Pexip and BlueJeans will develop solutions similar to Polycom's Real Connect for Office 365.
  • Headsets and other devices that work well with Skype for business will work well with Teams as well.

The recently published public roadmap contains a lot of new things that are coming in the next 9 months.

Tuesday, October 10, 2017

Skype for business Server 2015 prerequisites on Windows 2016

In June of 2017 the article "Server requirements for Skype for Business Server 2015" was updated to list Windows Server 2016 as an operating system "that will allow you to install and successfully use Skype for Business Server 2015."

This support requires Cumulative Update number 5 to be downloaded by the Skype for business Deployment tool as described in the article "How to install Skype for Business Server 2015 on Windows Server 2016". This article does not specify how to prepare the Windows 2016 Server before running setup.exe and downloading CU5. So, besides installing all available updates for Windows 2016, I used the following PowerShell command to add the required components:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Windows-Identity-Foundation

After running the command above my "Add Roles and Features Wizard" looked like this:

And before running the Skype for business Control Panel I had to download and install Silverlight just as described in my article about "Skype for business Server 2015 prerequisites on Windows 2012 R2".

How to add twitter to your Microsoft Teams channel

I am a fan of twitter and I am really happy that I can now add twitter feeds to my channels in Microsoft Teams. Would you like to do that too? This is how.

1. Open the "Connectors" window from the channel properties (not the Team properties)

2. Find Twitter in the list of connectors and click "Add" (twice.)

3. Enter a twitter account to be used by the connector, and specify which twitter accounts and hashtags you would like to follow. Also specify the frequency at which you would like to receive new tweets, click "Save" and close the Connectors window.

4. Now you should see a post confirming that new tweets will be posted to the channel.

5. Sit back and wait for the tweets to roll in!

Hope you will enjoy looking at tweets and discussing them in your team! Please follow me on twitter at @mkressmark

Saturday, September 30, 2017

Ignite 2017 An overview of Microsoft Teams architecture

On demand recording available here.

Microsoft Teams is designed for the cloud to be agile at massive scale to amplify the value of Office 365.

Teams consists of clients that use Teams services, Office 365 services, the Skype infrastructure and Azure. A "Team" in Microsoft Teams consists of a modern group (Office 365 group), a SharePoint site and a set of "Channels".

If you get a message and have not used Teams in the last 60 to 90 minutes you will get an email about it. If you paste a URL into a Teams channel the URL preview service will display a preview so that people will see what it is before clicking it.

Data at rest resides in your region based on your tenant affinity, and this will shift to even more local, in-country storage in the future.

The conversations are stored in memory when sent - for speed, but also in Azure (blob, tables, queues) and in Exchange. Files used in a team/channel conversation are stored in SharePoint. Teams utilizes O365 Information Protection tools so that features like eDiscovery, Legal hold and Retention policies can be used on the stored data.

You can invite guests, and revoke access to guests through the AD token in the tenant that represents the guest. If you need to block the option of creating a Team in Teams, you can block the option of creating groups in AD.

Questions and Answers

Giving someone guest access - will this not give access to all the underlying infrastructure, what about access rights and licensing?
Yes, the guest is a guest in the "Azure AD" tenant, not only in Teams (licensing not answered.)

Is the meeting scheduling process quicker than in Skype for Business if we try to create like 1000s of meetings?
Yes/No, the scheduling is done using the Exchange Online calendar.

Will Teams work with Skype for Business on-premises?
Yes, they can run side-by-side.

What about Teams "replacing" Skype for business?
A lot of the core capabilities are already there. Certain things like data residency, broadcast meetings and non-persistent chat are not in Teams yet; however, we will see a lot of activity during next year to bring feature parity (and better) between the products. A gradual move of users to Teams will take place and has already started.

Files stored in OneDrive for business - in whose OneDrive?
In 1-on-1 chats files will be stored in OneDrive for business and permissions automatically assigned to the peer you are chatting with.

Will it be possible to programmatically create teams?
Yes, the ability to create teams, add members etc, is on the roadmap. (coming this year.)

How about delegation?

It is not available now, but is coming.

Can we configure the set of connectors available to the users?

Can we support naming conventions when creating teams?
Teams will honor the naming conventions used for groups (available, but not in all tenants just yet.)

Will the Teams calendaring feature work with Exchange Online vNext?

Are there plans to replace the Onedrive storage with something else?
No, not at this point.

What happens if we move a mailbox from on-premises to online?
The data will merge.

Can we have individual permissions per Channel?

This is a big ask from customers and is "in process", so soon yes.

Can we migrate a Team from one tenant to another?
No, not at this point.

Can we define retention policies for chats and for team conversations?
Yes, this is being worked on right now and released soon.

Will Teams have to be changed in order for customers to adhere to the new EU GDPR rules?
Teams will support GDPR requirements when it must be enforced in May 2018 (as well as all of Office 365.)

Can we use the conferencing hardware for Skype room systems in Teams?
Yes, this is coming during next year.

How does authentication in the desktop client work?
Standard Azure authentication is used.

Is the number of people allowed in a team going to be increased?
Yes, the current limit of 999 persons per team will be increased very soon.

In a 1-to-1 chat, are messages from both participants stored in both users' mailboxes?
Yes, and for guests in the cloud storage.

Will it be possible to integrate an existing SharePoint site with a team?
Yes, a tab can be added and point to a specific SharePoint site.

Is voicemail available in Teams?

Can we verify that different Data residency requirements for a Team with people from 5 different countries are met?
Data residency is done per tenant.

Can Teams use on-premises or a hybrid SharePoint for the Teams site?
No, Teams work with SharePoint Online only.

Will I be able to sign-in to two different tenants from the Teams client?
No, not right now, but the guest access concept will change over time, and something similar to the current Skype for business federation will come.

Can we audit failed access attempts to a team, or private channels?
Not now, good feedback.

Will media flow peer-to-peer in a Teams call?
Yes, if not blocked by firewalls.

In a Teams meeting will one or several MCUs be used?
A single "Home MCU" will run/mix the meeting.

Will there be APIs or ways to programmatically control a Teams MCU/meeting?
There are "hooks" available, and more of this is on the roadmap.

Are there plans for an on-premises version of Teams?

What are the plans for CCE-like functionality for Teams?
The plans are to certify SBCs to connect directly to the cloud voice solution, so an on-premises SIP Trunk could be connected to the cloud. CCE will not be needed in the future.

Thursday, September 28, 2017

Ignite 2017 Collaborate in a chat-based workspace with Microsoft Teams

We see a shift from individual productivity towards team based productivity. The presentation featured a long demo of Microsoft Teams. The following features were presented:

The customer Dentsu Aegis Network talked about their journey with Microsoft Teams.


Teams Roadmap   
Product help  
Known issues   
Product Ideas   
Teams Dev Hub

Questions and Answers

How about Channels with different membership than the parent team?
This "shared channel" concept is being worked on.

How can we control the provisioning / creation of Teams?
There are Office 365 policies on who can create groups, a group = a team behind the scenes.

What happens when a user that created a team is terminated?
Policies for archiving and in place hold will still apply, and there is an option to promote another user to become the new owner of a team.

Can we track how many teams and channels are created?
Yes, this will be exposed in the Admin center later on.

Can we re-brand the Teams client?
No, but there is the concept of themes.

How about clientless meeting join?
It is coming in teams, but not there yet.

Which browsers are supported?
Most of them except for Safari.

Can we allow non-Azure AD accounts as guests in teams?
No, this is being worked on, but no time plan can be given at this time.

Ignite 2017 Demystifying internet connectivity to Skype for Business Online and Microsoft Teams

On demand recording available here.

Microsoft runs a high-quality network around the globe to provide services to customers. This network is closer than you might think, which means that only a little of the traffic actually uses the public Internet.

This article describes the network in greater detail:
How Microsoft builds its fast and reliable global network

And recently Microsoft announced a new nice addition to this network:
A cable stretching 4,000 miles between the US and Spain is the key to a high-speed future

Audio & video is realtime traffic and must be handled differently from email / web browser traffic. The connectionless UDP protocol is used for realtime traffic; if a packet is lost there is no point in resending it.

Most networks were designed when we had all services on-premises. Now that we have moved many services online, we need to reconsider how we do networking.

The network has peering with more than 2500 ISPs around the world in more than 130 locations.

The ideal scenario is a local internet breakout in every office, and not a central breakout point. The analogy used is, "the faster you can get on the freeway the faster you will reach your destination." Identify Office 365 traffic, use local DNS resolution and egress as close to the user as possible.

What kind of performance measures do we need to get a good experience?
In short:

To make a short story long:
Media Quality and Network Connectivity Performance in Skype for Business Online

How can we check these metrics?
Use the Skype for Business Network Assessment Tool. This tool has been a part of the Skype Operations Framework and I have covered it earlier in this blog.

QoS is always a good idea even if our servers now are online, it will have a good impact on peer-to-peer traffic.

Questions and Answers

What about VPNs?
Use split tunneling.

The proxy pac file must contain all Office 365 URLs / FQDNs, but the firewall is allowing/blocking locations based on IP addresses.
How do we match URLs / FQDNs to IP address automatically, to update both pac file and firewall?
This is a challenge.

What ports are Teams using for realtime audio / video?
Teams is using the same destination ports as Skype for business online.

Tuesday, September 26, 2017

Ignite 2017 Plan your UC refresh correctly: Skype for Business on-premises vNext

We will not forget our existing customers - we are investing in another refresh of Skype for business. We imagine organizations running Teams and Skype for business side-by-side, and we want ALL to be piloting Teams now.

Next Skype for business Server 2019 release Preview mid 2018 / Release late 2018
(I took the liberty of adding an "s" on this slide...)

The new client will be released as a click-to-run application on Windows 10, not .msi,
and the new client will work with Skype for Business Server 2015 as well.

Upgrade paths

Support for SQL Server 2016, no in-place upgrade and no Standard edition server will be available. (However, Front End pools with a single server will be supported.) The Director role will be removed (and a small applause erupted in the room) as well as the Persistent Chat role.

New features
  • A new Hybrid Aware Office 365 Portal will be available (CSCP and Silverlight will finally vanish from the product.)
  • Certain "Exchange dependent functionalities", like voice mail, auto attendant and call queues, will now be delivered straight from the cloud.
  • Modern Authentication (currently in public preview.)
  • A Meeting Migration Service is available in the cloud already.

The new server and other new things will be available at - sign up today!

Questions and Answers (with special guest - Matt Landis)

How does Cloud Connector Edition CCE fit in with the new server and Teams?
It can co-exist with S4B Server 2019. In the future it might be possible to point an SBC straight to the cloud for calls to Microsoft Teams.

Calling plans with Teams - will there be opportunities for partners to resell and make money off this?
Look at what we have today in Skype for business.

Upgrade story for Skype for business 2015 Multi tenant installations? 
Multi tenant (hosting pack) will not be available in S4B Server 2019.

How about CQD, Statsman, Reporting server?

CQD - will come in new versions online, and an updated Statsman will come.

Will we still need TLS 1.0, 1.1 and 1.2?
It will be possible to disable TLS 1.0 and 1.1 even for Skype for business 2015 (possibly Cumulative Update 7)

Will there be a migration path from Skype consumer?
Not at release time.

If I move my users to Teams, can I still use my on-premises SIP trunk?
Yes, with Cloud Connector Edition today, and the vision is to remove any on-premises components and direct the SIP trunk straight to Office 365.

Roles (standard and director goes away) what about persistent chat? (from Get-CsJosh)
Persistent chat will not be a part of S4B Server 2019.

Will we get "plug-in less meeting joins" in the meeting web app?

Plans for Response groups?
Nothing new, RGS and Call queues (if hybrid.)

How about SBA / SBS?
They will still be supported, but stay as they are today, nothing new.

Will there be a new Office Online Server version?
Unknown to us right now...

Will SDN be developed further?
No, but there might come new solutions from partners.

Are there changes to how quorum and Windows fabric works?
Yes, a new version of Windows fabric will be used which is better. Enterprise Pools with one Front End will be supported, or three to 16 Front Ends will be supported, but not a pool with 2 Front Ends only.

What are you doing on stage Matt? (Ken)
Matt is invited as MVP and guest blogger and he seems to like to be on stage :-)

Monday, September 25, 2017

Ignite 2017 General Session - Microsoft 365: Transform your communications with Microsoft Teams and Skype for Business

The session started out with some thoughtful quotes like: "Gone are the days of hierarchy - People want to work in Teams!". "Microsoft Teams is the enabler for Artificial Intelligence in communications." "We are moving beyond Unified Communications... to Intelligent Communications." (Hmm, time to rename this blog already?)

Microsoft Teams is the hub for intelligent communications, before, during, and after your meeting.
  • Before the meeting, Microsoft Teams will surface relevant documents and participant information.
  • During the meeting, for closed captioning and voice recognition.
  • After the meeting, the conversation, documents, notes & action items are shared with the entire team.
We all want to remove the barriers when it comes to hearing (audio) understanding (translation) or seeing (video) each other.

After 10 minutes the first demo came with Gifs in a conversation, guest access, the SurveyMonkey app, files, webpages in the client. The following demo showed:
  • The contact list and presence (a presence unified with the presence in Skype for business).
  • The "Calls app" - a telephone - with call logs, voice mail (with transcript), a dialer (so that everyone can understand it really is a phone) and Call transfer.
  • Scheduling meetings in Teams or Outlook with Dial-in conferencing available in some 90 countries.
  • Joining a meeting with a presentation and video gallery.
  • Showing a Contact card with a built-in organization chart.
  • The demo / meeting continued in the mobile client.
  • Reviewing a meeting that already took place, right from the conversation view, with subtitles and search.
All the above features are already in the product or in preview.

30 minutes in, an interview with two customers followed, Accenture and Cerner. They have rolled out and are using Teams already.

The 3 main questions / concerns around Skype for business / Microsoft Teams:

What does this mean for Skype for business Server?
Skype for business vNext is coming next year, both a Server and Client, with fixes, support and improved Teams interoperability.

Is Microsoft Teams ready?
Yes. Teams is already used by large organizations. Auditing and call analytics are in Teams and existing phones, Rooms systems and video interop will work with Teams.

How is Microsoft going to help us in the transition?
  • A Microsoft Teams & Skype for business Admin Center is coming, with the capability to report on the "Teams upgrade status" for users.
  • The Teams client will download in the background and the Skype for business client will display an "Upgrade button" when ready.
  • Presence will be unified and calls with transfer and hold will work across platforms.
  • All users do not need to move to Teams at the same time.

The Microsoft Teams & Skype for business Admin Center.
"One click upgrade"
You will see if your friends are on Skype for business or Teams.

For more info and help:

Related Microsoft Teams articles:

MsIgnite 2017 TK01 Technology Keynote: Create a modern workplace with Microsoft 365

It would be nice with a single app for everything we need to do, but that is not possible or practical just yet. However, Microsoft Teams is a step in that direction, a hub for teamwork. Teams collects conversations, files and apps (150+ of them) into a single frame. Microsoft Teams is part of a new strategy or "vision for intelligent communications in Office 365", which will bring technologies such as Artificial Intelligence, speech recognition and cognitive services to our communication.

This new "Core communications client" runs on a new backend built for the Skype infrastructure, and it will replace Skype for business "over time", not immediately. Just to be clear "We still plan to fully support Skype for business during this transition".

Next a long demo session followed showing among other things:

  • Mobile Outlook running on iOS is smart, it understands emails about flights, deliveries and reservations, and can summarize and simplify these kinds of mail.
  • The Cortana scheduling service can schedule a meeting for you automatically
  • A new whiteboard application for the Surface Hub with an intelligent canvas which understands shapes and freehand text.

Then the Microsoft Teams information and demo (at about 20 and 30 minutes into the recording) showing:

  • Guest access (for any Azure AD account (with MFA))
  • Files / OneNote / Power BI dashboard tabs
  • Threaded persistent conversations (with emojis and Gif's)
  • Meeting with Dialin conferencing
  • Recorded meeting, using Stream (showing transcript and facial recognition of speaker for searches)

Looking at a recorded meeting in style.

Other Microsoft 365 features in demo:
  • Offline access to files in SharePoint
  • Files on-demand (handle cloud and local files the same way)
  • Yammer "Employee townhall meeting" 
Finally, a demo on how easy it is to install and configure a new PC using Intune provisioning over the Internet, answer 5 questions and log in - done! 

Some interesting new Analytics in Microsoft 365 were shown as well:

Notice the "Skype: Enabled vs active users" dial.

Microsoft Ignite 2017 - first links

I have just watched the awesome keynote from Microsoft Ignite 2017, unfortunately I am not in Orlando but rather following Ignite from home. Some of the main themes were:


But for me, the news around Microsoft Teams were most interesting:

Now I do not agree with the headlines of the articles below, I like to use the quote "The Rumors of My Death Have Been Greatly Exaggerated." The way I see it Microsoft is not "killing", "retiring", "ending" or "replacing" anything, Microsoft is simply adding cool tools to the toolbox of Unified Communications.


Monday, August 7, 2017

Two Skype for business client fixes explained

The Skype for Business 2016 client is continuously being updated. This blog post will highlight two of these fixes with some graphics to show both the issues and solutions.

If you were using the initial client release and clicked the red exclamation mark ("Set high importance for this message") you would get a small little visual indicator like this.

In a peer-to-peer chat this might be enough to highlight that this message is extra important, but when chatting in a persistent chat room this red mark could easily pass you by.

In the April 4, 2017, update for Skype for Business 2016 (KB3178717)

The following fix was included:

Make the high importance icon more prominent when messages are marked as important in Skype for Business 2016

After installing the April update, the important messages will stand out much better.

The initial client release had a bug in that it was hiding the search button used to execute a search as found in the search dialog of a persistent chat room.

In the Security update for Skype for Business 2016: May 9, 2017

The following fix was included:

"Search Chat Room History" window pushes OK/Cancel buttons off the visible bottom in Skype for Business 2016

And after applying, the button is fully visible again.

Have fun sending important messages and searching in your persistent chat rooms!

Thursday, February 2, 2017

MsIgnite BRK3061 - Ready Your Network for Skype for Business Online

Presented by Hao Yan

What impacts Call Quality & Reliability?
Environment – noisy environment (the Skype for Business media stack provides noise reduction and echo cancellation, but that is not enough to solve all acoustic disturbances.)
Devices – 50% of the problem and easy to fix!
Use high quality devices (certified devices) instead of laptop built-in devices, please do not be penny wise and pound foolish considering the investment you already made.
Network – 50% of the problem and hard(er) to fix, yet most organizations are looking into this without addressing the device issue. Use the Skype for Business Online Call Quality Dashboard to verify device and network impact on call quality.

The Microsoft network has more than 100 Points of Presence worldwide and every 5 minutes performance is monitored from any point to any point; Skype for business as a part of Office 365 lives in this network.

Office 365 networking

1. A user from the internet must reach Office 365.
2. Authentication / Directory Sync must go between your network and Office 365.
3. DNS and certificate services must be reached from your network.
4. ExpressRoute (optional) is a dedicated private connection with predictable bandwidth that can replace number 2. It is not a security solution, but can improve network performance and allow for end-to-end Quality of Service.

Networking is teamwork between you, your ISP and Microsoft. If there are issues we must break them down and find out where we can improve. See Tune Skype for Business Online performance for more information.

How can we measure network performance?

Use the tools recommended in the "Determine Network Readiness" section of the Skype Operations Framework. Target Skype’s world wide Anycast IP – this will find the closest peering point between your network and the Microsoft network. Measure the network before, during and after the Skype for business implementation.

Routing and firewall configuration

Allow outbound UDP/TCP traffic to all Office 365 URLs and IP address ranges. URLs and IP address ranges are updated monthly, subscribe to the RSS feed to get change notifications.

Outbound destination port openings

  • Minimum: TCP 443
  • Better: TCP 443 + UDP/TCP 3478
  • Best: TCP 443 + UDP/TCP 3478 + UDP/TCP 50,000 - 59,999
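A check for the three port tiers above, as an added example that is not from the session or the original post: it reads a list of outbound allow rules and reports which tier the rule set reaches and what the next tier still needs. The `allow <proto> <port>` rule syntax and the sample rule set are constructed for illustration; map your own firewall export to it.

```python
import re

# Outbound destination-port tiers exactly as listed above (cumulative).
TIERS = (
    ("Minimum", (("tcp", 443, 443),)),
    ("Better", (("tcp", 3478, 3478), ("udp", 3478, 3478))),
    ("Best", (("tcp", 50000, 59999), ("udp", 50000, 59999))),
)

# Hypothetical rule syntax: "allow tcp 443", "allow udp/tcp 3478",
# "allow udp 50000-59999". Anything after '#' is a comment.
RULE_RE = re.compile(r"^allow\s+(tcp|udp|udp/tcp)\s+(\d+)(?:-(\d+))?$", re.I)


def merge(ranges):
    """Merge overlapping or adjacent (lo, hi) port ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_rules(text):
    """Return {'tcp': [(lo, hi), ...], 'udp': [...]} from allow-rule lines."""
    allowed = {"tcp": [], "udp": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised rule: {line!r}")
        lo = int(match.group(2))
        hi = int(match.group(3) or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range in rule: {line!r}")
        for proto in match.group(1).lower().split("/"):
            allowed[proto].append((lo, hi))
    return {proto: merge(ranges) for proto, ranges in allowed.items()}


def covers(merged, lo, hi):
    """True if one merged range contains the whole required range."""
    return any(a <= lo and hi <= b for a, b in merged)


def assess(text):
    """Return (tier_reached, next_tier, missing_openings_for_next_tier)."""
    allowed = parse_rules(text)
    reached = None
    for name, needs in TIERS:
        gaps = [
            f"{proto.upper()} {lo}" + ("" if lo == hi else f"-{hi}")
            for proto, lo, hi in needs
            if not covers(allowed[proto], lo, hi)
        ]
        if gaps:
            return reached, name, gaps
        reached = name
    return reached, None, []


# Constructed sample: the media range is open for UDP (split over two
# rules) but was never opened for TCP.
SAMPLE_RULES = """
allow tcp 443            # signalling
allow udp/tcp 3478       # STUN/TURN
allow udp 50000-54999
allow udp 55000-59999
"""

if __name__ == "__main__":
    reached, next_tier, gaps = assess(SAMPLE_RULES)
    print(f"reached: {reached}; next: {next_tier}; missing: {gaps}")
```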

The use of an HTTP proxy is supported, but direct IP routing is better since the proxy does not add anything for Skype for business traffic - all content is encrypted anyway. If a proxy must be used, make sure to turn off deep packet inspection for Skype for business media traffic and update the PAC file to allow all Office 365 URLs and IP address ranges.

Virtual Private Networks

Skype for business over VPN is not supported. A VPN will encrypt the already encrypted Skype for business media traffic, which is of no use and will only add latency. A call over a VPN is 2 times more likely to drop and has a 0.1 to 0.4 lower MOS score than a non-VPN call. The solution to this is to bypass the VPN for Skype for business traffic by implementing split-tunnel.

Quality of Service (QoS)

QoS can be seen as insurance. First plan so that you never get network congestion, but if you do get congestion it is important to prioritize the important traffic (real-time Skype for business media) over non-essential emailing and web browsing. Bandwidth planning and QoS go hand-in-hand. Therefore, enable QoS in all your internal networks, Wifi, LAN and WAN.

Tuesday, January 31, 2017

MsIgnite BRK4007 - Troubleshoot media flows in Skype for Business across online, server and hybrid

One of the better sessions from Ignite 2016 if you ask me. A recording of the session can be found on YouTube.
Presented by Thomas Binder
  • Candidate - A combination of an IP address and port to be used for a media channel.
  • ICE - Interactive Connectivity Establishment, a technique (and RFC 2545) to combine client-side techniques with server support to find the most appropriate way of sending media to another end-point; uses STUN and TURN. The Skype for business A/V edge server is a STUN/TURN server.
  • STUN - Simple Traversal of UDP through NAT or Session Traversal Utilities for NAT
  • TURN - Traversal Using Relay NAT
  • MRAS - Media Relay Authentication Service, a service on the Edge Server that is responsible for providing credentials to clients so that they can request ports and establish media sessions through the Edge Server. Without credentials, clients cannot include Edge Server candidates in their candidate list when trying to establish a media session.
  • SDP - Session Description Protocol (aka Self-Description Protocol)
  • RTP - Real-time Transport Protocol - sending the media
  • RTCP - Real-time Control Protocol - controlling the media during transfer and used for reporting.
  • NAT - Network address translation - a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
Problem / Solution
The problem: sending media over NAT devices and through firewalls.
The solution: ICE, STUN, TURN
There are five phases of ICE: one that happens more seldom, and four that are processed every time a call is made.

1. Sign-in - MRAS Request
When a client signs in, it requests a token from MRAS. This is done once at sign-in and again after 8 hours by default. This is how the client learns that an edge server exists and how it can be used, e.g. which addresses to use. The MRAS request and response can be seen in the SIP traces.

2. Candidate Discovery - a gathering of local, proxy and reflexive addresses (nothing is sent in this phase)

3. Candidate Exchange - the caller sends a list of candidates (SIP package) to the callee, and the callee initiates a candidate discovery and sends back a list of candidates.

4. Connectivity Checks - a run-through of "all" candidates, trying to connect to the other side's list of candidates to find the optimal media path. (These connectivity checks use STUN packets; they are not seen in a SIP trace but are visible using Wireshark.)

5. Candidate Promotion - When checks are done the optimal media path and/or optimal candidate media pairs are selected. The final candidate promotion can take up to 10 seconds to happen, so if you are tracing on a test call and want to make sure you get the complete picture, make sure your test call lasts at least 10 seconds. A second invite (re-invite) and OK with only the final candidates will come eventually.

Candidates can be of different types such as
host - local IP of a client computer
srflx - server reflexive
relay - external IP and port on the A/V edge

In SDP we will also find TCP-PASS / TCP-ACT which means TCP passive or active. This is because even if we can send from a candidate (IP:port) we are not 100% sure that we can receive on that same IP:port, and that is why we list both active and passive candidates for TCP.

Candidates traditionally come in pairs, where one candidate is used for RTP and the other for RTCP. If both clients can use multiplexing for RTCP (a=rtcp-mux in SDP; newer clients can do this), a single candidate can be used for both RTP and RTCP.
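To make the candidate list easier to read in a SIP trace, here is an added example (not from the session or from Microsoft) that parses the `a=candidate` lines of one SDP media section and flags two things discussed above: missing relay candidates and RTP candidates without an RTCP partner. The SDP fragment is constructed with documentation addresses, and `parse_candidates` and `triage` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed SDP fragment using documentation addresses; not from a real trace.
SAMPLE_SDP = """\
m=audio 50010 RTP/AVP 0
a=rtcp-mux
a=candidate:1 1 UDP 2130706431 192.0.2.10 50010 typ host
a=candidate:1 2 UDP 2130705918 192.0.2.10 50011 typ host
a=candidate:2 1 UDP 1694234623 198.51.100.7 50014 typ srflx raddr 192.0.2.10 rport 50014
a=candidate:3 1 UDP 184547839 203.0.113.5 52000 typ relay raddr 198.51.100.7 rport 50014
a=candidate:4 1 TCP-PASS 174455807 203.0.113.5 55001 typ relay raddr 192.0.2.10 rport 50020
a=candidate:5 1 TCP-ACT 174846975 203.0.113.5 55001 typ relay raddr 192.0.2.10 rport 50020
"""

# foundation, component (1 = RTP, 2 = RTCP), transport, priority, address, port, type
CANDIDATE = re.compile(
    r"a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?")
COMPONENT = {"1": "RTP", "2": "RTCP"}

def parse_candidates(sdp):
    """Return (list of candidate dicts, rtcp_mux flag) for one media section."""
    candidates, mux = [], False
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line == "a=rtcp-mux":
            mux = True
        match = CANDIDATE.match(line)
        if match:
            cand = match.groupdict()
            cand["component"] = COMPONENT.get(cand["component"], "other")
            cand["port"] = int(cand["port"])
            candidates.append(cand)
    return candidates, mux

def triage(sdp):
    """Return (count per candidate type, list of findings worth following up)."""
    candidates, mux = parse_candidates(sdp)
    types = Counter(c["type"] for c in candidates)
    findings = []
    if not types["relay"]:
        findings.append("no relay candidates: check the MRAS request/response at sign-in")
    if not mux:
        # Without rtcp-mux every RTP candidate needs an RTCP partner (same foundation).
        rtcp = {(c["foundation"], c["transport"]) for c in candidates if c["component"] == "RTCP"}
        for c in candidates:
            if c["component"] == "RTP" and (c["foundation"], c["transport"]) not in rtcp:
                findings.append(f"{c['type']} {c['transport']} {c['addr']}:{c['port']} has no RTCP partner")
    return dict(types), findings

if __name__ == "__main__":
    print(triage(SAMPLE_SDP))
```

Run it against the SDP body of both the initial INVITE and the re-invite to see how the candidate list shrinks to the promoted pair.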

High ports in the external firewall
Do we need to open the high 50,000 - 59,999 TCP ports outbound?
This has been in the documentation for a long time, and it has confused a lot of people.
If two edge servers talk to each other, the high ports are not used as destination ports. For UDP the traffic will flow from port 3478 to port 3478, and multiple sessions can be handled. TCP is not stateless, so it can have only one connection from one IP address and port to another IP address and port. The edge will therefore use different source ports, but the destination port will always be 443.

If your firewall is only filtering on the destination port - then forget about the 50,000 - 59,000 port range, but if your firewall requires you to configure source ports, use the "source port" column below.

However, if we have two external users connected to two different edge servers, and they cannot establish a media path client to client, we will again benefit if the 50,000 - 59,999 port range is open, since we can then establish media using only a single edge server. If the high ports are blocked we can still connect edge to edge and the call will go through, but this consumes more resources and uses more hops (latency).

The final scenario is an edge pool with DNS load balancing. In this scenario, an external user connected to one edge server tries to set up media to an internal user connected to another edge server. In this case the external firewall must allow public-to-public IP hairpinning or the call will fail (or the 50,000 - 59,999 port range could be opened to avoid this).

Changes to ports for Skype for business Online
If we look at the documentation found at Office 365 URLs and IP address ranges, we will see that UDP ports 3478, 3479, 3480 and 3481 should be opened, but 3479 - 3481 are not used yet in Skype for business Online. Further on, firewall openings for Skype for business Online will be simplified and UDP 3479 - 3481 will be used, but it has not happened just yet.

Understanding how Lync establishes audio/video paths using ICE
Microsoft Lync Server 2010 Resource Kit (Chapter 9)