Planning for hybrid deployment
Consider the following requirements for users and your network infrastructure while planning for a hybrid deployment.
Infrastructure requirements
You must have the following available in your environment in order to implement and configure a Skype for Business Server 2015 hybrid deployment.
- An Active Directory Federation Services (AD FS) Server running Windows 2008 R2 SP1 or the latest service pack. For additional system requirements for AD FS, see Active Directory Federation Services 2.0.
- An on-premises deployment of Skype for Business Server 2015 or Lync Server 2010 with Cumulative Updates for Lync Server 2010: March 2013.
- Skype for Business Server 2015 administrative tools.
- A Directory Synchronization server. For details about Directory Synchronization, see the Directory Synchronization Tool.
Skype for Business client support
There are some differences in the features supported in Skype for Business clients, as well as the features available in on-premises and online environments. Before you decide where you want to home users in your organization, you can view the client support for the various configurations of Skype for Business Server. The following clients are supported with Skype for Business Online in a Skype for Business hybrid deployment:
- Lync 2010
- Skype for Business
- Skype for Business Microsoft Store app
- Skype for Business Web App
- Lync Mobile
- Lync for Mac 2011
- Lync Basic 2013
Topology Requirements
To configure your Skype for Business Server 2015 deployment for hybrid with Skype for Business Online, you need to have one of the following supported topologies:
- Microsoft Office Communications Server 2007 R2 with Skype for Business Server 2015 on-premises. The Skype for Business Server 2015 federation Edge Server and the next hop server from the federation Edge Server must be running Skype for Business Server 2015, and there must be a Central Management Store deployed. The Edge Server and pool must be deployed on-premises.
- Microsoft Lync Server 2010 with Cumulative Updates for Lync Server 2010: February 2013 applied, and the Skype for Business Server 2015 administrative tools installed on-premises. The federation Edge Server and next hop server from the federation Edge Server must be running either Microsoft Lync Server 2010 with the latest cumulative updates.
Important: The Skype for Business Server 2015 administrative tools should be installed on a separate server that has access to connect to the existing Lync Server 2010 deployment. The Move-CsUser cmdlet to move users from your on-premises deployment to Skype for Business Online must be run from the Skype for Business Server 2015 administrative tools connected to your on-premises deployment.
- A Skype for Business Server 2015 deployment with all servers running Skype for Business Server 2015.
Requirements for Federation Allowed/Blocked Lists
The Allowed domains list includes domains that have a partner Edge fully qualified domain name (FQDN) configured. These are sometimes referred to as allowed partner servers or direct federation partners. You should be familiar with the difference between Open Federation and Closed Federation, referred to as partner discovery and allowed partner domain list, respectively, in on-premises deployments. The following requirements must be met to successfully configure a hybrid deployment:
- Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant. If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant.
- The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.
- The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.
- Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel.
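The matching requirements above are easy to get wrong by hand, so here is an added example (not from the original page) that compares the on-premises partner discovery setting and domain lists with the online tenant's. It assumes a Skype for Business Server Management Shell into which a Skype for Business Online remote session has been imported, and that Get-CsTenantFederationConfiguration exposes AllowedDomains either as an AllowAllKnownDomains object (open federation) or as an allow list whose AllowedDomain entries have a Domain property, with BlockedDomains as a list of entries with a Domain property.

```powershell
# Added example, not from the original page: compares on-premises federation
# settings with the Office 365 tenant's. Run in a Skype for Business Server
# Management Shell that has an imported Skype for Business Online session.
# Assumption: AllowedDomains online is an AllowAllKnownDomains object (open
# federation) or an allow list with .AllowedDomain[].Domain; BlockedDomains
# online is a list of entries with a .Domain property.
function Compare-DomainList {
    param([string]$Label, [string[]]$OnPrem, [string[]]$Online)
    foreach ($d in $OnPrem) { if ($Online -notcontains $d) { "$Label domain '$d' is configured on-premises only" } }
    foreach ($d in $Online) { if ($OnPrem -notcontains $d) { "$Label domain '$d' is configured online only" } }
}

# On-premises side: partner discovery (open federation) plus both domain lists.
# The Identity of an allowed/blocked domain object is the domain name itself.
$edge          = Get-CsAccessEdgeConfiguration
$onPremOpen    = [bool]$edge.EnablePartnerDiscovery
$onPremAllowed = @(Get-CsAllowedDomain | ForEach-Object { $_.Identity.ToLowerInvariant() })
$onPremBlocked = @(Get-CsBlockedDomain | ForEach-Object { $_.Identity.ToLowerInvariant() })

# Online side
$tenant        = Get-CsTenantFederationConfiguration
$tenantOpen    = $tenant.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains'
$tenantAllowed = @()
if (-not $tenantOpen) {
    $tenantAllowed = @($tenant.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLowerInvariant() })
}
$tenantBlocked = @($tenant.BlockedDomains | ForEach-Object { $_.Domain.ToLowerInvariant() })

$problems = @()
if ($onPremOpen -ne $tenantOpen) {
    $problems += "Partner discovery on-premises is $onPremOpen but open federation online is $tenantOpen"
}
# Wrap in @() so a function that returns nothing adds no element
$problems += @(Compare-DomainList -Label 'Allowed' -OnPrem $onPremAllowed -Online $tenantAllowed)
$problems += @(Compare-DomainList -Label 'Blocked' -OnPrem $onPremBlocked -Online $tenantBlocked)

if ($problems.Count -eq 0) {
    'Federation configuration matches between on-premises and the online tenant.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```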
DNS Settings
When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.
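The following is an added example, not from the original page, that checks both SRV records resolve to the on-premises Access Edge (port 5061 for federation, 443 for client sign-in) and, optionally, that lyncdiscover.&lt;domain&gt; resolves to the reverse proxy as required by the DNS update step in the online-to-on-premises migration later in this topic. It requires the DnsClient module (Resolve-DnsName); the domain, Access Edge and reverse proxy host names are parameters supplied by the operator.

```powershell
# Added example, not from the original page. Verifies the hybrid SIP DNS records
# point at the on-premises Access Edge (and lyncdiscover at the reverse proxy).
# Requires Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012+).
function Test-HybridSipDns {
    param(
        [Parameter(Mandatory)][string]$Domain,          # e.g. contoso.com (assumed)
        [Parameter(Mandatory)][string]$AccessEdgeFqdn,  # public name of the Access Edge service
        [string]$ReverseProxyFqdn,                      # optional, for lyncdiscover
        [string]$Server                                 # optional resolver to query
    )
    $resolveArgs = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $resolveArgs.Server = $Server }

    # The two SRV records from the DNS Settings section and their expected ports
    $checks = @(
        @{ Name = "_sipfederationtls._tcp.$Domain"; Port = 5061 },
        @{ Name = "_sip._tls.$Domain";              Port = 443 }
    )
    foreach ($c in $checks) {
        $srv = @(Resolve-DnsName -Name $c.Name -Type SRV @resolveArgs | Where-Object { $_.Type -eq 'SRV' })
        $ok = $false; $detail = 'no SRV record'
        if ($srv.Count -gt 0) {
            $detail = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            # Every target must be the on-premises Access Edge on the expected port
            $wrong = @($srv | Where-Object { $_.NameTarget -ne $AccessEdgeFqdn -or $_.Port -ne $c.Port })
            $ok = $wrong.Count -eq 0
        }
        [pscustomobject]@{ Record = $c.Name; Ok = $ok; Detail = $detail }
    }

    if ($ReverseProxyFqdn) {
        # lyncdiscover must resolve to the same address(es) as the reverse proxy
        $name     = "lyncdiscover.$Domain"
        $expected = @(Resolve-DnsName -Name $ReverseProxyFqdn -Type A @resolveArgs | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $actual   = @(Resolve-DnsName -Name $name -Type A @resolveArgs | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        $stray    = @($actual | Where-Object { $expected -notcontains $_ })
        $ok = $actual.Count -gt 0 -and $stray.Count -eq 0
        [pscustomobject]@{ Record = $name; Ok = $ok; Detail = ($actual -join ', ') }
    }
}

# Example call with constructed names; query a public resolver to see what external clients see
Test-HybridSipDns -Domain 'contoso.com' -AccessEdgeFqdn 'sip.contoso.com' -ReverseProxyFqdn 'lyncweb.contoso.com' -Server '8.8.8.8' | Format-Table
```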
Firewall Considerations
Computers on your network must be able to perform standard Internet DNS lookups. If these computers can reach standard Internet sites, your network meets this requirement.
Depending on the location of your data center, you must also configure your network firewall devices to accept connections based on wildcard domain names (for example, all traffic from *.partner.outlook.cn). If your organization’s firewalls do not support wildcard name configurations, you will have to manually determine the IP address ranges that you would like to allow and the specified ports.
Refer to the Help topic URLs and IP address ranges for Office 365.
Port and Protocol Requirements
In addition to the port requirements for internal Skype for Business Server 2015 communication, you must also configure the following ports for your on-premises network.
Protocol / Port | Applications
TCP 443 | Open inbound
TCP 80 and 443 | Open inbound
TCP 5061 | Open inbound/outbound on the Edge Server
PSOM/TLS 443 | Open inbound/outbound for data sharing sessions
STUN/TCP 443 | Open inbound/outbound for audio, video, application sharing sessions
STUN/UDP 3478 | Open inbound/outbound for audio and video sessions
RTP/TCP 50000-59999 | Open outbound for audio and video sessions
User Accounts and Data
In a Skype for Business Server 2015 hybrid deployment, any user that you want to home in Skype for Business Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online, which will move the user’s contact list.
When you synchronize user accounts between your Skype for Business on-premises and Skype for Business Online deployments with AD FS and Dirsync, you need to synchronize the AD accounts for all Skype for Business users in your organization between your on-premises and online Skype for Business deployments, even if users are not moved to Skype for Business Online. If you do not synchronize all users, communication between on-premises and online users in your organization may not work as expected.
Note: If the user is created by using the online portal for Office 365, the user account will not be synchronized with on-premises Active Directory, and the user will not exist in the on-premises Active Directory. If you have already created users in Skype for Business Online, and want to configure hybrid with an on-premises Skype for Business Server, see Moving users from Skype for Business Online to Skype for Business on-premises in Skype for Business Server 2015.
You should also consider the following user-related issues when planning for a hybrid deployment.
- User contacts – The limit for contacts for Skype for Business Online users is 250. Any contacts beyond that number will be removed from the user’s contact list when the account is moved to Skype for Business Online.
- Instant Messaging and Presence – User contact lists, groups, and access control lists (ACLs) are migrated with the user account.
- Conferencing data, meeting content, and scheduled meetings – This content is not migrated with the user account. Users must reschedule meetings after their accounts are migrated to Skype for Business Online.
User Policies and Features
- In a Skype for Business Server 2015 hybrid environment, users can be enabled for Instant Messaging, voice, and meetings either on-premises or online, but not both simultaneously.
- Lync Client – Some users may require a new client version when they are moved to Skype for Business Online.
- On-premises policies and configuration (non-user) – Online and on-premises policies require separate configuration. You cannot set global policies that apply to both.
Configuring hybrid deployments for Skype for Business Server 2015
This section describes the steps necessary for configuring hybrid Skype for Business Server 2015 deployments. If you have users enabled for Skype for Business in Skype for Business Online, but that have not been enabled in an on-premises deployment, see Moving users from Skype for Business Online to Skype for Business on-premises in Skype for Business Server 2015.
Administrator Credentials
When you are asked to provide your administrator credentials, use the username and password for the administrator account for your Office 365 tenant. You will also use these credentials when you configure Active Directory Federation Services (AD FS) 2.0, Directory Synchronization, Single sign-on, federation, and moving users to Lync Online.
Connecting to Skype for Business Online PowerShell
Administrators now have the ability to use Windows PowerShell to manage Skype for Business Online and their Skype for Business Online user accounts. To do this, you must first download and install the Lync Online Connector Module from the Microsoft Download Center. For more information on downloading, installing, and using the Skype for Business Online Connector Module, and for detailed information about using the module, see Using Windows PowerShell to manage Lync Online.
Steps to prepare and configure Skype for Business Server 2015 on-premises for hybrid with Skype for Business Online
The following table lists the steps required to prepare your environment for a hybrid deployment with Microsoft Skype for Business Online and Microsoft Office 365.
Step | Description
Create a tenant account for Office 365 and enable Skype for Business Online | Set up Skype for Business Online.
Add your domain and verify ownership | Your domain is sometimes also referred to as your vanity domain. You must add your domain to your Office 365 tenant, and then follow the steps to validate the domain with Office 365. This is to confirm that you are the owner of the domain. To add your domain to your Office 365 tenant, follow the steps described at Add a domain to Office 365. Complete all of the steps in each section in the topic, including "Edit DNS records for your Office 365 services."
Prepare for Active Directory synchronization | Active Directory synchronization keeps your on-premises Active Directory continuously synchronized with Office 365. This lets you create synchronized versions of each user account and group, and also enables global address list (GAL) synchronization from your local Microsoft Exchange Server environment to Microsoft Exchange Online. You need to synchronize the AD accounts for all Skype for Business users in your organization between your on-premises and online Skype for Business deployments, even if users are not moved to Skype for Business Online. If you do not synchronize all users, communication between on-premises and online users in your organization may not work as expected.
Create certificates for Active Directory Federation Services (AD FS) | After you create the certificates that are used for identity federation with Office 365, you must install and assign them.
Move pilot users to Skype for Business Online | After you have completed the steps to prepare and configure your environment for Skype for Business Online, you can start moving pilot users to Skype for Business Online. See Move users to Skype for Business Online in Skype for Business Server 2015.
Administering users in a hybrid deployment | For details about how to administer users in a hybrid deployment, see Administering users in a hybrid Skype for Business Server 2015 deployment.
Configure federation of Skype for Business Server 2015 with Skype for Business Online
Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. To configure federation, run the following cmdlets:
New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.partner.lync.cn" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.partner.lync.cn/Autodiscover/AutodiscoverService.svc/root
Configure Your Skype for Business Online Tenant for a Shared SIP Address Space
A Session Initiation Protocol (SIP) address is a unique identifier for each user on a network, similar to a phone number or an email address. Before you try to move Skype for Business users from on-premises to Skype for Business Online, you’ll need to configure your Office 365 tenant to share the SIP address space with your on-premises deployment. If this is not configured, you may see the following error message:
Move-CsUser : HostedMigration fault: Error=(510), Description=(This user’s tenant is not enabled for shared sip address space.)
To configure a shared SIP address space, establish a remote PowerShell session with Skype for Business Online, and then run the following cmdlet:
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true
To establish a remote PowerShell session with Skype for Business Online, you first need to install the Skype for Business Online module for Windows PowerShell, which you can get here: Windows PowerShell Module for Lync Online.
After you install the module, you can establish a remote session with the following cmdlets:
Import-Module LyncOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
For more information about how to establish a remote PowerShell session with Skype for Business Online, see Connecting to Lync Online by using Windows PowerShell.
For more information about using the Skype for Business Online PowerShell module, see Using Windows PowerShell to manage Lync Online.
Move users to Skype for Business Online in Skype for Business Server 2015
Before you start migrating users to Skype for Business Online, you should backup the user data associated with the accounts to be moved. Not all user data is moved with the user account. For information, see Backup and restoration requirements in Lync Server 2013: data.
Migrate User Settings to Skype for Business Online
User settings are moved with the user account. Some on-premises settings are not moved with the user account.
Moving Pilot Users to Skype for Business Online
Before you begin to move users to Skype for Business Online, you may want to move a few pilot users to confirm that your environment is correctly configured. You can then verify that Skype for Business features and services function as expected before attempting to move additional users.
To move an on-premises user to your Skype for Business Online tenant, run the following cmdlets in the Skype for Business Server Management Shell, using the administrator credentials for your Microsoft Office 365 tenant. Replace “[email protected]” with the information for the user that you want to move.
$creds=Get-Credential
Move-CsUser -Identity [email protected] -Target sipfed.online.partner.lync.cn -Credential $creds -HostedMigrationOverrideUrl <URL>
The format of the URL specified for the HostedMigrationOverrideUrl parameter must be the URL to the pool where the Hosted Migration service is running, in the following format: https://<Pool FQDN>/HostedMigration/hostedmigrationService.svc.
You can determine the URL to the Hosted Migration Service by viewing the URL for the Skype for Business Online Control Panel for your Office 365 tenant account.
To determine the Hosted Migration Service URL for your Office 365 tenant
- Login to your Office 365 tenant as an administrator.
- Open the Skype for Business admin center.
- With the Skype for Business admin center displayed, select and copy the URL in the address bar up to partner.lync.cn. An example URL looks similar to the following:
https://webdir0a.online.partner.lync.cn/lscp/?language=zh-cn&tenantID=
- Replace webdir in the URL with admin, resulting in the following:
https://admin0a.online.partner.lync.cn
- Append the following string to the URL: /HostedMigration/hostedmigrationservice.svc. The resulting URL, which is the value of the HostedMigrationOverrideUrl, should look like the following:
https://admin0a.online.partner.lync.cn/HostedMigration/hostedmigrationservice.svc
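As an added example (not from the original page), the following function carries out the steps above programmatically and refuses any input that is not an https webdir*.online.partner.lync.cn address, so that a mistyped or pasted URL cannot silently turn into a migration endpoint on some other host.

```powershell
# Added example, not from the original page: derives the HostedMigrationOverrideUrl
# value from the Skype for Business admin center URL, with host validation.
function Get-HostedMigrationOverrideUrl {
    param([Parameter(Mandatory)][string]$AdminCenterUrl)
    $uri = [System.Uri]$AdminCenterUrl
    if ($uri.Scheme -ne 'https') {
        throw "Expected an https URL, got scheme '$($uri.Scheme)'"
    }
    # Only the host is used; the /lscp/?language=...&tenantID= part is discarded.
    # Refuse anything that is not a webdir host in the partner.lync.cn namespace.
    if ($uri.Host -notmatch '^webdir[0-9a-z]*\.online\.partner\.lync\.cn$') {
        throw "Host '$($uri.Host)' is not a webdir*.online.partner.lync.cn address"
    }
    # Step 4: webdir -> admin; step 5: append the Hosted Migration service path
    $adminHost = $uri.Host -replace '^webdir', 'admin'
    return "https://$adminHost/HostedMigration/hostedmigrationservice.svc"
}

# The example URL from the procedure above
$url = Get-HostedMigrationOverrideUrl 'https://webdir0a.online.partner.lync.cn/lscp/?language=zh-cn&tenantID='
$url
```

The returned value is what you pass as -HostedMigrationOverrideUrl to Move-CsUser.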
Moving Users to Lync Online
You can move multiple users by using the Get-CsUser cmdlet with the –Filter parameter to select the users with a specific property assigned to the user accounts, such as RegistrarPool. You can then pipe the returned users to the Move-CsUser cmdlet, as shown in the following example.
Get-CsUser -Filter {UserProperty -eq "UserPropertyValue"} | Move-CsUser -Target sipfed.online.partner.lync.cn -Credential $creds -HostedMigrationOverrideUrl <URL>
You can also use the –OU parameter to retrieve all users in the specified OU, as shown in the following example.
Get-CsUser -OU "cn=hybridusers,cn=contoso.." | Move-CsUser -Target sipfed.online.partner.lync.cn -Credential $creds -HostedMigrationOverrideUrl <URL>
Verify Skype for Business Online User Settings and Features
You can verify that the user was moved successfully in the following ways:
- View the status of the user in the Skype for Business Online Control Panel. The visual indicator for on-premises users and online users is different.
- Run the following cmdlet:
Get-CsUser -Identity <username>
Administering users in a hybrid Skype for Business Server 2015 deployment
You can manage user settings and policies for users migrated to Skype for Business Online by using the User Management features available in the Microsoft Office 365 online portal. You must sign in by using your tenant administrator account to perform administration tasks.
Moving Users Back to On-premises
This section applies only to users that were created and enabled for Skype for Business on-premises and then moved from an on-premises deployment to Skype for Business Online. If you want to move users that were created in Skype for Business Online (and not ever enabled for Skype for Business in an on-premises deployment), see Moving users from Skype for Business Online to Skype for Business on-premises in Skype for Business Server 2015.
Run the following cmdlets to move a user from Skype for Business Online back to Skype for Business on-premises:
$cred=Get-Credential
Move-CsUser -Identity [email protected] -Target localpool.contoso.com -Credential $cred -HostedMigrationOverrideUrl <URL>
To determine the URL for the Hosted Migration service, see “To determine the Hosted Migration Service URL for your Office 365 tenant” in the preceding section.
Migrating Skype for Business Online users to Skype for Business on-premises in Skype for Business Server 2015
These steps are necessary only for migrating user accounts that were originally enabled for Skype for Business in Skype for Business Online, before you deployed Skype for Business on-premises. To move users who were originally enabled for Skype for Business on-premises, then later moved to Skype for Business Online, see “Administering users in a hybrid Skype for Business Server 2015 deployment” in this topic. Additionally, all users being moved must have accounts in the on-premises Active Directory.
Migrating User Accounts Originally Enabled in Skype for Business Online to Skype for Business On-Premises
- First, make sure that your organization is configured for hybrid.
- Install the Windows Azure Active Directory Sync Tool.
- To enable your users to use single sign-on for Skype for Business Online, install Active Directory Federation Services
- On your on-premises deployment, in Skype for Business Management Shell, type the following cmdlets to create the hosting provider for Skype for Business Online:
Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery $true
New-CSHostingProvider -Identity LyncOnline -Name LyncOnline -ProxyFqdn "sipfed.online.partner.lync.cn" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.partner.lync.cn/Autodiscover/AutodiscoverService.svc/root
- Confirm that on your on-premises Edge Servers, you have the certificate chain that enables connection to Skype for Business Online. For more information, see Lync Online Service SSL certificate changes for client connectivity.
- In your on-premises Active Directory, enable the affected user accounts for Skype for Business on-premises. You can do this for an individual user by typing the following cmdlet:
Enable-CsUser -Identity "username" -SipAddress "sip:[email protected]" -HostingProviderProxyFqdn "sipfed.online.partner.lync.cn"
Or you can create a script that reads user names from a file and provides them as input to the Enable-CsUser cmdlet:
Enable-CsUser -Identity $Identity -SipAddress $SipAddress -HostingProviderProxyFqdn "sipfed.online.partner.lync.cn"
- Run DirSync to sync the Skype for Business Online users with the updated Skype for Business on-premises users.
- Update some DNS records to direct all SIP traffic to Skype for Business on-premises:
- Update the lyncdiscover.contoso.com A record to point to the FQDN of the on-premises reverse proxy server.
- Update the _sip._tls.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
- Update the _sipfederationtls._tcp.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
- If your organization uses split DNS (sometimes called “split-brain DNS”), make sure that users resolving names through the internal DNS zone are directed to the Front End Pool.
- Run the Get-CsUser cmdlet to check some properties about the users you'll be moving. You want to make sure that the HostingProviderProxyFQDN is set to "sipfed.online.partner.lync.cn" and that the SIP addresses are set correctly.
- Move Skype for Business Online users to Skype for Business on-premises. To move a single user, run the following cmdlets:
$cred = Get-Credential
Move-CsUser -Identity <username>@contoso.com -Target "<fe-pool>.contoso.com" -Credential $cred -HostedMigrationOverrideURL <URL>
You can move multiple users by using the Get-CsUser cmdlet with the -Filter parameter to select the users with a specific property. For example, you could select all Skype for Business Online users by filtering for {HostingProvider -eq "sipfed.online.partner.lync.cn"}. You can then pipe the returned users to the Move-CsUser cmdlet, as shown in the following example.
Get-CsUser -Filter {HostingProvider -eq "sipfed.online.partner.lync.cn"} | Move-CsUser -Target "<fe-pool>.contoso.com" -Credential $cred -HostedMigrationOverrideURL <URL>
The format of the URL specified for the HostedMigrationOverrideUrl parameter must be the URL to the pool where the Hosted Migration service is running, in the following format: https://<Pool FQDN>/HostedMigration/hostedmigrationService.svc. You can determine the URL to the Hosted Migration Service by viewing the URL for the Skype for Business Online Control Panel for your Office 365 tenant account.
Note: The default maximum size for transaction log files of the rtcxds database is 16 GB. This might not be big enough if you’re moving a large number of users at once, especially if you have mirroring enabled. To get around this you can increase the file size or back up the log files regularly. For more information, see https://support.microsoft.com/kb/2756725.
- This is an optional step. If you need to integrate with Exchange 2013 Online, you need to use an additional hosting provider. For details, see Configuring on-premises Lync Server 2013 integration with Exchange Online.
- The users are now moved. To check that a user has correct values for the attributes shown in the following table, type this cmdlet:
Get-CsUser | fl DisplayName,HostingProvider,SipAddress,Enabled
AD attribute | Attribute name | Value for Skype for Business Online user | Value for Skype for Business on-premises user
msRTCSIP-DeploymentLocator | HostingProvider | sipfed.online.partner.lync.cn | SRV:
msRTCSIP-PrimaryUserAddress | SIPAddress | sip:[email protected] | sip:[email protected]
msRTCSIP-UserEnabled | Enabled | True | True
- Each user who has been moved will need to log out of Skype for Business, then log back in. When they log in they should verify their contact lists, and add contacts if needed. Note that scheduled meetings are not migrated from Skype for Business Online to Skype for Business on-premises. Users will need to reschedule these meetings after being moved.
After the DNS records are updated and all users are directed to on-premises, the HostingProvider attribute directs the Skype for Business user either to use SRV records or to the Online provider "sipfed.online.partner.lync.cn".
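Two helpers for the procedure above, added here as an example and not part of the original page: Enable-HybridUserFromCsv is one way to write the "script that reads user names from a file" mentioned in the enable step (the CSV columns Identity and SipAddress are assumed), and Test-CsUserHomeLocation checks the HostingProvider, SipAddress and Enabled values from the table for a list of users, whether they are expected on-premises (as here) or online (the verification step in "Move users to Skype for Business Online" earlier in this topic). Both run in the Skype for Business Server Management Shell.

```powershell
# Added example, not from the original page. Run in the Skype for Business Server
# Management Shell. CSV columns Identity,SipAddress are an assumption.
$OnlineProvider = 'sipfed.online.partner.lync.cn'

function Enable-HybridUserFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)
    foreach ($row in Import-Csv -Path $CsvPath) {
        $sip = $row.SipAddress.Trim()
        # Enable-CsUser needs "sip:user@domain" with no whitespace after the prefix
        if ($sip -notmatch '^sip:[^\s@]+@[^\s@]+$') {
            Write-Warning "Skipping '$($row.Identity)': malformed SIP address '$sip'"
            continue
        }
        # Idempotent: accounts that are already enabled are left alone
        $existing = Get-CsUser -Identity $row.Identity -ErrorAction SilentlyContinue
        if ($existing -and $existing.Enabled) {
            Write-Verbose "Already enabled: $($row.Identity)"
            continue
        }
        # -WhatIf on the function call turns this into a dry run
        if ($PSCmdlet.ShouldProcess($row.Identity, "Enable-CsUser as $sip")) {
            Enable-CsUser -Identity $row.Identity -SipAddress $sip `
                -HostingProviderProxyFqdn $OnlineProvider
        }
    }
}

function Test-CsUserHomeLocation {
    param(
        [Parameter(Mandatory)][string[]]$Users,
        [switch]$ExpectOnPremises   # otherwise the user is expected to be homed online
    )
    # Values from the attribute table: "SRV:" on-premises, the proxy FQDN online
    $expected = if ($ExpectOnPremises) { 'SRV:' } else { $OnlineProvider }
    foreach ($id in $Users) {
        $u = Get-CsUser -Identity $id -ErrorAction SilentlyContinue
        $reasons = @()
        if (-not $u) {
            $reasons += 'not found or not enabled for Skype for Business'
        } else {
            if ($u.HostingProvider -ne $expected) {
                $reasons += "HostingProvider is '$($u.HostingProvider)', expected '$expected'"
            }
            if (-not $u.Enabled) { $reasons += 'Enabled is False' }
            if ($u.SipAddress -notmatch '^sip:[^\s@]+@[^\s@]+$') {
                $reasons += "SipAddress '$($u.SipAddress)' is malformed"
            }
        }
        [pscustomobject]@{ User = $id; Ok = ($reasons.Count -eq 0); Reason = ($reasons -join '; ') }
    }
}

# Dry run of the enable step, then verify a list of moved users (file names assumed)
# Enable-HybridUserFromCsv -CsvPath .\users.csv -WhatIf
# Test-CsUserHomeLocation -Users (Get-Content .\moved-users.txt) -ExpectOnPremises | Format-Table
```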