The Skype for Business (Lync) apps are one of the ubiquitous aspects of the product. Mobility is cross-platform (Android, iOS and Windows are supported), has specific requirements and (in Skype for Business) adds some specific limits for clients on authentication, security and features. As part of the default server features, mobility is now both easier and more critical to understand. In this session, we will see what has been made available for the mobile users and what will be released. Configurations, requirements and deployment suggestions will be explained for on-premises, Cloud and hybrid deployments.
2. • I am Fabrizio Volpe – Microsoft MVP on Skype for Business
• I work for the Iccrea Banking Group
• I am the author of five IT books including Microsoft Lync Server
2013: Basic Administration and the Lync Server Cookbook
• I tweet from @fabriziovlp
• I blog at http://www.absoluteuc.org/
3. There is no subject so old that something new cannot be said
about it.
Fyodor Dostoevsky
4. Mobility is about "experiences spanning a variety of devices"
Cloud provides the infrastructure to keep the devices
connected, and to support the services those devices
consume
8. Reverse Proxy to publish Web Services to the Internet
Skype for Business Web Service functions include:
• Skype for Business Mobility client
• Simple URLs
• LyncDiscover – client sign-in and discovery
• Meet – Connect to meetings
• Dialin – Dial-In Conference settings information
• Schedule – Schedule Meetings
• Skype for Business Web App client
• Expand Distribution Groups
• Address Book download
9. Skype for Business differentiates services meant to be exposed to the external
network from the ones for the internal network using IIS sites
Using different ports also allows the Skype4B Front Ends to use a single IP
address.
10. Reverse proxy receives calls on standard ports (80 and 443) and redirects
them to the External Skype for Business website (8080 and 4443)
12. The Web Application Proxy service functions as both a reverse proxy and an Active Directory Federation Services (AD FS) proxy
Services required to support the Web Application Proxy (role / feature, and how it supports this scenario):
• Active Directory Domain Services (AD DS): required as a prerequisite before you can deploy AD FS. It is also required for Web Application Proxy deployments that use Kerberos constrained delegation.
• Active Directory Federation Services (AD FS): required to provide authentication and authorization services to Web Application Proxy and to store the Web Application Proxy configuration.
• Remote Access (DirectAccess, Routing and Remote Access): the role containing the Web Application Proxy role service.
14. • Autodiscover Service returns all Web Services URLs
for the user's home pool, including the Mobility
Service (Mcx and UCWA) URLs
• However, both the internal Mobility Service URL and
the external Mobility Service URL are associated with
the external Web Services FQDN
• Therefore, regardless of whether a mobile device is
internal or external to the network, the device
always connects to the Mobility Service externally
through the reverse proxy
• DNS requirements for Skype for Business
• https://technet.microsoft.com/en-us/library/dn951397.aspx
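The discovery chain described above, as an added example that is not part of the deck: it resolves the internal and external lyncdiscover records and fetches the Autodiscover root document the way a mobile client does, following any redirect link, and reports which Web Services FQDN the client is handed. "contoso.com" is a placeholder SIP domain; the script stops before the authenticated user request, which is the step that returns the Mcx/UCWA URLs.

```powershell
# Added example (not from the deck): walk Skype for Business Autodiscover
# from both DNS records and show which Web Services FQDN each one leads to.
# "contoso.com" is a placeholder; replace with your SIP domain.
param([string]$SipDomain = "contoso.com")

$candidates = @(
    "https://lyncdiscoverinternal.$SipDomain",   # should only resolve on the internal network
    "https://lyncdiscover.$SipDomain",           # published through the reverse proxy
    "http://lyncdiscover.$SipDomain"             # port 80 variant, normally answers with a redirect link
)

foreach ($url in $candidates) {
    $hostName = ([uri]$url).Host
    if (-not (Resolve-DnsName -Name $hostName -ErrorAction SilentlyContinue)) {
        Write-Host "$hostName does not resolve from this network"
        continue
    }
    try {
        # The root document is JSON; a 'redirect' link means "use the other site"
        $root = Invoke-RestMethod -Uri $url -Headers @{ Accept = 'application/json' }
        $hops = 0
        while ($root._links.redirect -and $hops -lt 5) {
            Write-Host "  redirected to $($root._links.redirect.href)"
            $root = Invoke-RestMethod -Uri $root._links.redirect.href -Headers @{ Accept = 'application/json' }
            $hops++
        }
        $userUrl = $root._links.user.href
        Write-Host "$url -> user resource: $userUrl"
        Write-Host "  Web Services FQDN handed to the client: $(([uri]$userUrl).Host)"
    } catch {
        Write-Host "$url failed: $($_.Exception.Message)"
    }
}
```

Run it once from inside the network and once from outside: if the internal record resolves externally, or the external record hands out an internal FQDN, the DNS or reverse proxy publication is wrong.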
15. Lync Connectivity Analyzer attempts to connect to your server
by using the same services and protocols that are used by the
apps themselves.
The tool tests the following Lync Server components:
• Autodiscover service
• Authentication Broker (Reach) service
• Mobility (MCX) service
• WebTicket service
Lync Connectivity Analyzer tests the configuration of the
following additional components:
• Publication of DNS records for Autodiscover URLs
• Certificates
• Proxy servers
16. • The mobile client discovers the internal LYNCDISCOVERINTERNAL
URL and will make use of the EXTERNAL MOBILITY URL
• Clients entitled for a direct peer-to-peer setup
• The network path is important: it must be a direct, non-NATed route
17. • The mobile client must rely on the Edge Server and has to tunnel the
signaling/media
• The mobile device will connect to and send its media session to the
external Edge interface
• The internal full client connects its media to the Edge Server internal interface
18. • A call to the external full client is rerouted via the Edge Server and sent to the
external side again
• First to the external Edge interface, then back through the Edge Server to
the remote client
22. Authentication
• Pre-authentication
• No domain credentials
• 2-factor authentication
Mobility
• Credential storage
• Device control
• Device registration
Infrastructure protection
• Brute force
• Account lock-out
• DoS
[Diagram: External / Internal network, separated by the External Firewall and Internal Firewall. Skype for Business external users and Skype for Business federation and Public IM reach the Edge Pool (Access Edge SIP/MTLS: 5061, Access Edge SIP/TLS: 443, HTTPS: 443) and the Reverse Proxy (HTTPS: 443). The Reverse Proxy forwards HTTPS: 4443 to the Front End pool; Edge Pool to Front End pool uses SIP/MTLS: 5061; the Front End pool talks to Active Directory.]
25. Previously:
• Conversations on the mobile devices were not synchronized with desktop
clients. You had to send the conversation (e-mail it?) from the mobile
device to keep it on a different device
• Users had to manually accept messages on mobile devices within a short
amount of time
Synchronized conversations allow users to maintain their conversations
across all of their devices
Auto-Accept allows the mobile client to accept incoming messages on the
user's behalf
Server requirements
• Skype for Business Server 2015 with Exchange 2013 on-premises
/Exchange Online
• Skype for Business Online with Exchange 2013 on-premises/Exchange
Online
26. • Users must be homed on Skype for
Business Server 2015
• Users must have a mailbox homed on
Exchange 2013 (either on-premises or online)
• Skype for Business Server OAuth setup with
the Exchange 2013 environment
27. Skype for Business Server 2015, Microsoft Exchange Server 2013 (and
Microsoft SharePoint Server 2013) can create security tokens that can
be accepted by one another
• Same certificate must be configured as the OAuthTokenIssuer
certificate on all of your Front End Servers
• Certificate must be at least 2048 bits
28. Office 365 works with Windows Azure Active Directory
(WAAD)
Users defined directly on WAAD (Cloud Identity)
Synchronized identity (DirSync with Password Sync)
Federated Identity (DirSync with Single Sign-On)
29. • Active Directory Domain Services stores passwords
in the form of a hash of the actual user password
• The password hash cannot be used to log in to your
on-premises network
30. • Password is verified by the on-premises identity
provider
• This means that the password hash does not need
to be synchronized to Azure AD
31. Enable Server Side Conversation History
Set-CsConversationHistoryConfiguration -EnableServerConversationHistory $true -Verbose
Set-CsClientPolicy -Identity "policy_name" -EnableServerConversationHistory $true -Verbose
Verify replication and restart the front end service
Get-CsManagementStoreReplicationStatus
Restart the SfB services (assuming this is the first time Lync-Exchange auth has been
configured)
Required settings
CsMobilityPolicy: AllowSaveIMHistory = True
CsClientPolicy: DisableSavingIM = False
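A check for the procedure above, as an added example that is not part of the deck: it reads the conversation history configuration, the client policy, the mobility policy and the CMS replication status with the cmdlets the slide uses and reports every setting that does not match the required values. "policy_name" is a placeholder client policy and the mobility policy defaults to Global.

```powershell
# Added example (not from the deck): verify server-side conversation history
# prerequisites before restarting the Front End services.
# "policy_name" is a placeholder; pass the real client policy identity.
param([string]$ClientPolicy = "policy_name", [string]$MobilityPolicy = "Global")

$problems = @()

# 1. Global conversation history configuration
$convHist = Get-CsConversationHistoryConfiguration
if (-not $convHist.EnableServerConversationHistory) {
    $problems += "ConversationHistoryConfiguration: EnableServerConversationHistory is False"
}

# 2. Client policy: history enabled and saving IMs not disabled
$client = Get-CsClientPolicy -Identity $ClientPolicy
if (-not $client.EnableServerConversationHistory) {
    $problems += "ClientPolicy '$ClientPolicy': EnableServerConversationHistory is False"
}
if ($client.DisableSavingIM) {
    $problems += "ClientPolicy '$ClientPolicy': DisableSavingIM must be False"
}

# 3. Mobility policy: mobile clients allowed to save IM history
$mobility = Get-CsMobilityPolicy -Identity $MobilityPolicy
if (-not $mobility.AllowSaveIMHistory) {
    $problems += "MobilityPolicy '$MobilityPolicy': AllowSaveIMHistory must be True"
}

# 4. Every CMS replica must be up to date before the change is live on the Front Ends
$stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
foreach ($replica in $stale) {
    $problems += "CMS replication not up to date on $($replica.ReplicaFqdn)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All required conversation history settings are in place; restart the Front End services to apply."
}
```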
32. • LyncUcwa worker process in Internet Information Services
(IIS) Manager
Performance Counters
• ASP.NET\Requests Queued
For Mobility Service (Mcx)
• CSIntMcxAppPool and CSExtMcxAppPool worker
processes in Internet Information Services (IIS) Manager
33. Settings for Mcx on IIS 7.5
1. maxConcurrentThreadsPerCPU is set to zero (0)
2. maxConcurrentRequestsPerCPU is set to zero (0)
3. ASP.NET process model is set to AutoConfig (for IIS 7.5 only)
4. HTTP.sys queue limit is set to 1,000 (by default)
Note: these settings apply only to the Skype for Business Server 2015 Mobility Service (Mcx). They do
not apply to the Unified Communications Web API (UCWA)
34. • Since the Address Book can become quite large, the
mobile client makes use of the Address Book Web
Services
• This requires that all search requests for internal
Lync-enabled users are made via a web-based query
(ASWQ)