SfB Voice Lab Part 3 – SfB 2015 On-Prem Deployment
To read other parts in this series, please click the links below:
Part 1: Overview and Architecture
Part 2: Azure Prep Work
Part 3: Skype for Business 2015 On-Prem Deployment
Part 4: AudioCodes Mediant Virtual Edition (VE) Deployment
Part 5: SIP Trunk Setup (IntelePeer – AudioCodes – Skype for Business)
Part 6: Office 365 and Skype for Business Online Deployment (Hybrid)
Part 7: On-Prem PSTN Connectivity with Hybrid (OPCH) setup and Tenant Dial Plans
Part 8: Cloud Connector Edition (CCE) Deployment
Part 9: Legacy PBX Deployment and SfB Integration
Hi there! Thanks for coming back and continuing along on this epic voice journey. In Part 1, we highlighted the architecture and goals of this series. In Part 2, we created the virtual machines in Azure.
In Part 3, we will step through the deployment of our Skype for Business 2015 topology.
Install and Configure: Active Directory
We won’t be able to do anything without a working Active Directory environment. So, first things first, let’s install Active Directory Domain Services on DC01.
Here is an excellent step-by-step article on how to deploy Active Directory on Windows Server 2016.
Good, AD DS is now installed and we have a working domain to play with.
Now might be a good time to remind you that we are building this in Azure, and Azure does some funky things with DHCP and DNS. For starters, we’re going to let Azure assign IP addresses to our machines. This is why we set up the VNet. Something you may notice is that although we are using “Dynamic” IP addresses for our Virtual Machines, the DHCP lease duration is actually quite long: 136 years according to my VM. So I’m pretty sure I don’t have to worry about the lease expiring.
What we’ll have to be concerned with however, is DNS. This is an Active Directory Domain after all. DNS is critical to its health. While we can continue to use the DHCP to obtain the IP address automatically, we will need to statically assign the DNS server on any server that will be joined to the domain.
DNS services are installed on DC01. There are a couple of options here: 1) we can assign DNS manually on each server, or 2) we can set a custom DNS server at the Virtual Network layer in Azure. I like automation and I’ll likely forget to manually set each server, so I opted to set this via the Virtual Network configuration on VNet01. Just remember that we will need to ensure that the SfB Edge server uses public DNS servers, and not the internal DNS server, because the SfB Edge server needs to be able to resolve its own public IP address.
Install and Configure: Active Directory Certificate Services
Skype for Business uses TLS and MTLS to encrypt communication. To accomplish this, we use certificates. There are generally three (3) approaches to using certificates in Skype for Business. 1) Use internally signed certificates. 2) Use 3rd Party Publicly trusted certificates. 3) Use a combination of both.
How you choose to deploy really depends on your goals and requirements. For example, if you use SfB as an internal IM tool only and don’t deploy an Edge infrastructure, you may get away with only using an internal CA. If, however, you deploy an Edge server and will host meetings with external entities or enable federation, you will need a 3rd Party Publicly trusted CA. Typically, an internal Enterprise CA is used for issuing the certificates to the Front End servers, and a 3rd Party Publicly trusted CA is used to issue certs to the Edge servers. There are, however, exceptions to this rule. For example, if you have a lot of Macs deployed and don’t have a management system for distributing the internal Root CA to the keychain of every machine, it may be easier to use a 3rd Party CA for all Front End services. A little costlier up front, but a lot easier for administrative purposes in the long run.
There are a lot of resources available for deploying a PKI Infrastructure. I won’t go through this step-by-step, but here is a reference article for deploying a single-tier Microsoft Enterprise CA. I also won’t go into the setup of a two-tier or three-tier PKI infrastructure, but it’s worth understanding for a production environment.
For my lab, I will use a combination of an Internal CA and a 3rd Party Publicly Trusted CA.
Deploy: Skype for Business Front End
Just to review our deployment.
- Single Standard Edition Server
- Single Edge Server
- Single Office Online Server
Deploying Skype for Business in Azure really isn’t any different than deploying On-Prem. We start out by extending the Schema and preparing AD. Then we create our topology, publish it, and install our services.
Here is an excellent step-by-step article from MVP Christophe Boucetta. The only difference is Christophe is deploying an Enterprise Edition Pool, whereas we are deploying a Standard Edition Pool.
Christophe Boucetta: Step-By-Step: Installation of Skype For Business Server 2015
Here’s a snippet from the original Topology Builder.
As you can see, at this point we have a single Standard Edition server with a collocated Mediation Server role, and a single Edge Server deployed.
Deploy: Skype for Business Edge Server
We have a single Edge server defined in the topology. Once the Topology is published we are ready to begin building our Edge server. The Edge server OS Virtual Machine and VM Network Interfaces were deployed and configured in Part 2: Azure Prep Work. Here are two articles from MVPs that can be followed for Edge server deployment.
Jeff Schertz: Skype for Business Edge Server Deployment
NOTE: There is one unique thing we need to do since our Edge server is running in Azure.
When multiple IP addresses are assigned to an Azure Network Interface, the NIC within the OS must be manually configured. Meaning we cannot allow the NIC to acquire its IP addresses dynamically from Azure, as we have done with the other servers.
- From a command prompt, type ipconfig /all. You will only see the Primary private IP address (assigned through DHCP).
- Type ncpa.cpl in the command prompt to open the Network Connections window.
- Open the properties for the appropriate adapter: Local Area Connection.
- Double-click Internet Protocol version 4 (IPv4).
- Select Use the following IP address and enter the following values:
  - IP address: Enter the Primary private IP address.
  - Subnet mask: Set based on your subnet. For example, if the subnet is a /24 subnet then the subnet mask is 255.255.255.0.
  - Default gateway: The first IP address in the subnet. If your subnet is 10.0.0.0/24, then the gateway IP address is 10.0.0.1.
- Click Use the following DNS server addresses and enter the following values:
  - Preferred DNS server: If you are not using your own DNS server, enter 18.104.22.168. If you are using your own DNS server, enter the IP address for your server.
- Click the Advanced button and add additional IP addresses. Add each of the secondary private IP addresses listed in step 8 to the NIC with the same subnet specified for the primary IP address.
  If you do not follow the steps above correctly, you may lose connectivity to your VM. Ensure the information entered for step 5 is accurate before proceeding.
- Click OK to close out the TCP/IP settings and then OK again to close the adapter settings. Your RDP connection is re-established.
- From a command prompt, type ipconfig /all. All IP addresses you added are shown and DHCP is turned off.
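The same NIC change as a PowerShell script, added here as an example (it is not from the original post or the Azure documentation the steps follow): it checks that the primary IP you typed is the one Azure actually leased, applies all addresses in a single run so the connectivity gap is as short as possible, and verifies the end state. The adapter name, addresses, prefix length, gateway and DNS server are assumed placeholders; the DNS value reflects the earlier note that the Edge server should use public resolvers rather than DC01.

```powershell
# Added example, not from the original post. Configures the Azure Edge server NIC
# statically with its primary and secondary private IPs in one run, so the gap
# between dropping the DHCP lease and having usable addresses is minimal.
# All values below are ASSUMED for illustration; substitute the ones Azure shows
# for your NIC (ipconfig /all and the NIC's IP configurations in the portal).
$AdapterName  = "Local Area Connection"        # confirm with Get-NetAdapter
$PrimaryIp    = "10.0.2.10"                    # primary private IP (currently via DHCP)
$SecondaryIps = @("10.0.2.11", "10.0.2.12")    # secondary private IPs on the Azure NIC
$PrefixLength = 24                             # /24 = 255.255.255.0
$Gateway      = "10.0.2.1"                     # first address in the subnet
$DnsServers   = @("203.0.113.53")              # Edge: public resolvers, not DC01

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$idx     = $adapter.ifIndex

# Guard against the lock-out the post warns about: the primary IP you type must
# be the one Azure actually leased to this NIC, otherwise the platform drops traffic.
$leased = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction Stop).IPAddress
if ($leased -notcontains $PrimaryIp) {
    throw "Primary IP $PrimaryIp is not the leased address ($($leased -join ', ')); aborting."
}

# From here the RDP session will stall until the static addresses are applied.
Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
Get-NetRoute -InterfaceIndex $idx -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false -ErrorAction SilentlyContinue

# Primary address carries the default gateway; secondaries share the subnet only.
New-NetIPAddress -InterfaceIndex $idx -IPAddress $PrimaryIp -PrefixLength $PrefixLength `
    -DefaultGateway $Gateway | Out-Null
foreach ($ip in $SecondaryIps) {
    New-NetIPAddress -InterfaceIndex $idx -IPAddress $ip -PrefixLength $PrefixLength | Out-Null
}
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $DnsServers

# Verify the end state the post describes: DHCP off and every address present.
$dhcp    = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4).Dhcp
$present = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4).IPAddress
$missing = @($PrimaryIp) + $SecondaryIps | Where-Object { $present -notcontains $_ }
if ($dhcp -ne "Disabled" -or $missing) {
    throw "Verification failed: DHCP=$dhcp, missing=$($missing -join ', ')"
}
"NIC $AdapterName configured: $($present -join ', ') (DHCP $dhcp)"
```

Run it from an elevated PowerShell session on the Edge VM; the RDP session drops briefly when DHCP is disabled and reconnects once the static primary address is in place.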
Deploy: Office Online Server (Office Web Apps)
To support the presentation of PowerPoint documents in our lab, we have to deploy an Office Online Server, previously known as the Office Web Apps server. Again, here are two articles from MVPs that can be referenced.
Jeff Schertz: Office Web Apps and Skype for Business Integration
Christophe Boucetta: Step by Step: Configuring Office Online Server with Skype for Business 2015
Deploy: Reverse Proxy
Still in progress…
That’s it for Part 3. In this part we set up our Skype for Business infrastructure.
Continue the series, where next we will set up our AudioCodes SBC. Part 4: AudioCodes Mediant Virtual Edition (VE) Deployment
As always, feel free to post any questions or comments.