Monday, August 7, 2017

Two Skype for Business client fixes explained

The Skype for Business 2016 client is continuously being updated. This blog post will highlight two of these fixes with some graphics to show both the issues and solutions.

If you were using the initial client release and clicked the red exclamation mark ("Set high importance for this message"), you would get a small visual indicator like this.

In a peer-to-peer chat this might be enough to highlight that this message is extra important, but when chatting in a persistent chat room this red mark could easily pass you by.

In the April 4, 2017, update for Skype for Business 2016 (KB3178717), the following fix was included:

Make the high importance icon more prominent when messages are marked as important in Skype for Business 2016

After installing the April update, important messages stand out much better.

The initial client release had a bug in that it was hiding the search button used to execute a search as found in the search dialog of a persistent chat room.

In the Security update for Skype for Business 2016: May 9, 2017, the following fix was included:

"Search Chat Room History" window pushes OK/Cancel buttons off the visible bottom in Skype for Business 2016

And after applying, the button is fully visible again.

Have fun sending important messages and searching in your persistent chat rooms!

Thursday, February 2, 2017

MsIgnite BRK3061 - Ready Your Network for Skype for Business Online

Presented by Hao Yan

What impacts Call Quality & Reliability?
Environment – noisy environment (the Skype for Business media stack provides noise reduction and echo cancellation, but that is not enough to solve all acoustic disturbances.)
Devices – 50% of the problem and easy to fix!
Use high-quality (certified) devices instead of laptop built-in devices; please do not be penny wise and pound foolish considering the investment you have already made.
Network – 50% of the problem and hard(er) to fix; still, most organizations are looking into this without addressing the device issue. Use the Skype for Business Online Call Quality Dashboard to verify device and network impact on call quality.

The Microsoft network has more than 100 Points of Presence worldwide, and every 5 minutes performance is monitored from any point to any point; Skype for Business, as a part of Office 365, lives in this network.

Office 365 networking

1. A user from the internet must reach Office 365.
2. Authentication / Directory Sync must go between your network and Office 365.
3. DNS and certificate services must be reached from your network.
4. ExpressRoute (optional) is a dedicated private connection with predictable bandwidth that can replace number 2. It is not a security solution, but it can improve network performance and allow for end-to-end Quality of Service.

Networking is teamwork between you, your ISP and Microsoft. If there are issues, we must break them down and find out where we can improve. See Tune Skype for Business Online performance for more information.

How can we measure network performance?

Use the tools recommended in the "Determine Network Readiness" section of the Skype Operations Framework. Target Skype's worldwide Anycast IP; this will find the closest peering point between your network and the Microsoft network. Measure the network before, during and after the Skype for Business implementation.

Routing and firewall configuration

Allow outbound UDP/TCP traffic to all Office 365 URLs and IP address ranges. URLs and IP address ranges are updated monthly; subscribe to the RSS feed to get change notifications.

Outbound destination port openings

  • Minimum: TCP 443
  • Better: TCP 443 + UDP/TCP 3478
  • Best: TCP 443 + UDP/TCP 3478 + UDP/TCP 50,000 - 59,999
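As an added example (not part of the original session or post), the following Python check grades a set of outbound allow rules against the three tiers above and reports which openings are still missing for the next tier. It assumes the rules have already been filtered to Office 365 destinations and are given as hypothetical (protocol, first port, last port) tuples.

```python
# Tiers as listed above; each requirement is (protocol, first port, last port).
TIERS = [
    ("Minimum", [("tcp", 443, 443)]),
    ("Better", [("tcp", 3478, 3478), ("udp", 3478, 3478)]),
    ("Best", [("tcp", 50000, 59999), ("udp", 50000, 59999)]),
]

def covered(rules, proto, first, last):
    """True if the allow rules for proto cover every port in first..last."""
    spans = sorted((lo, hi) for p, lo, hi in rules if p == proto)
    need = first                      # lowest port not yet known to be allowed
    for lo, hi in spans:
        if lo > need:
            break                     # gap before the next allowed span
        need = max(need, hi + 1)
        if need > last:
            return True
    return False

def egress_tier(rules):
    """Return (highest tier fully allowed, openings missing for the next tier)."""
    reached = "None"
    for name, required in TIERS:
        missing = [r for r in required if not covered(rules, *r)]
        if missing:
            return reached, missing
        reached = name
    return reached, []

# Constructed rule set: the high TCP range is split across two adjacent rules.
SAMPLE_RULES = [
    ("tcp", 443, 443), ("tcp", 3478, 3478), ("udp", 3478, 3478),
    ("tcp", 50000, 54999), ("tcp", 55000, 59999), ("udp", 50000, 59999),
]
```

Calling egress_tier(SAMPLE_RULES) returns the tier name and an empty list when nothing is missing; a partially opened high range is reported as a missing opening rather than counted as "Best".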

The use of an HTTP proxy is supported, but direct IP routing is better since the proxy does not add anything for Skype for Business traffic; all content is encrypted anyway. If a proxy must be used, make sure to turn off deep packet inspection for Skype for Business media traffic and update the PAC file to allow all Office 365 URLs and IP address ranges.

Virtual Private Networks

Skype for Business over VPN is not supported. A VPN will encrypt the already encrypted Skype for Business media traffic; this is of no use and will only add latency. A call over a VPN is 2 times more likely to drop and has a 0.1 to 0.4 lower MOS score than a non-VPN call. The solution is to bypass the VPN for Skype for Business traffic by implementing split-tunnel.

Quality of Service (QoS)

QoS can be seen as insurance. First, plan so that you never get network congestion, but if you do get congestion it is important to prioritize the important traffic (real-time Skype for Business media) over non-essential emailing and web browsing. Bandwidth planning and QoS go hand in hand. Therefore, enable QoS in all your internal networks: Wi-Fi, LAN and WAN.

Tuesday, January 31, 2017

MsIgnite BRK4007 - Troubleshoot media flows in Skype for Business across online, server and hybrid

One of the better sessions from Ignite 2016 if you ask me. A recording of the session can be found on YouTube.
Presented by Thomas Binder
  • Candidate - A combination of an IP address and port to be used for a media channel.
  • ICE - Interactive Connectivity Establishment, a technique (and RFC 5245) to combine client-side techniques with server support to find the most appropriate way of sending media to another end-point; uses STUN and TURN. The Skype for Business A/V edge server is a STUN/TURN server.
  • STUN - Simple Traversal of UDP through NAT or Session Traversal Utilities for NAT
  • TURN - Traversal Using Relay NAT
  • MRAS - Media Relay Authentication Service, a service on the Edge Server that is responsible for providing credentials to clients so that they can request ports and establish media sessions through the Edge Server. Without credentials, clients cannot include Edge Server candidates in their candidate list when trying to establish a media session.
  • SDP - Session Description Protocol (aka Self-Description Protocol)
  • RTP - Real-time Transport Protocol - sending the media
  • RTCP - Real-time Control Protocol - controlling the media during transfer and used for reporting.
  • NAT - Network address translation - a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.
Problem / Solution
The problem: sending media over NAT devices and through firewalls.
The solution: ICE, STUN, TURN
There are five phases of ICE: one that happens more seldom, and four that are processed every time a call is made.

1. Sign-in - MRAS Request
When a client signs in, it requests a token from MRAS; this is done once at sign-in and after 8 hours by default. This is how the client learns that an edge server exists and how it can be used, e.g. which addresses to use. The MRAS request and response can be seen in the SIP traces.

2. Candidate Discovery - a gathering of local, proxy and reflexive addresses (nothing is sent in this phase)

3. Candidate Exchange - the caller sends a list of candidates (SIP package) to the callee, and the callee initiates a candidate discovery and sends back a list of candidates.

4. Connectivity Checks - a run-through of "all" candidates, trying to connect to the other side's list of candidates to find the optimal media path. (These connectivity checks use STUN packets and are not seen in a SIP trace, but they are visible using Wireshark.)

5. Candidate Promotion - When checks are done the optimal media path and/or optimal candidate media pairs are selected. The final candidate promotion can take up to 10 seconds to happen, so if you are tracing on a test call and want to make sure you get the complete picture, make sure your test call lasts at least 10 seconds. A second invite (re-invite) and OK with only the final candidates will come eventually.

Candidates can be of different types such as
host - local IP of a client computer
srflx - server reflexive
relay - external IP and port on the A/V edge

In SDP we will also find TCP-PASS / TCP-ACT which means TCP passive or active. This is because even if we can send from a candidate (IP:port) we are not 100% sure that we can receive on that same IP:port, and that is why we list both active and passive candidates for TCP.

Candidates traditionally come in pairs, where one candidate is used for RTP and the other for RTCP. If both clients can use multiplexing for RTCP (a=rtcp-mux in SDP, which newer clients can do), a single candidate can be used for both RTP and RTCP.
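The candidate types, the TCP-PASS / TCP-ACT listing, the RTP/RTCP pairing and the MRAS dependency described above can all be checked from the SDP body of an INVITE. The following Python sketch is an added example, not code from the session or the original post; it assumes the standard ICE `a=candidate` attribute layout and runs on a constructed SDP fragment.

```python
import re
from collections import defaultdict

# Constructed SDP audio section (documentation-range addresses, made-up ports).
SAMPLE_SDP = """\
m=audio 52000 RTP/AVP 104 0 8 101
a=candidate:1 1 UDP 2130706431 192.0.2.10 52000 typ host
a=candidate:1 2 UDP 2130705918 192.0.2.10 52001 typ host
a=candidate:2 1 UDP 1694234623 198.51.100.7 61000 typ srflx raddr 192.0.2.10 rport 52000
a=candidate:2 2 UDP 1694234110 198.51.100.7 61001 typ srflx raddr 192.0.2.10 rport 52001
a=candidate:3 1 TCP-PASS 6556159 203.0.113.20 55010 typ relay raddr 192.0.2.10 rport 52002
a=candidate:3 2 TCP-PASS 6556158 203.0.113.20 55010 typ relay raddr 192.0.2.10 rport 52002
a=candidate:4 1 TCP-ACT 7076863 203.0.113.20 55010 typ relay raddr 192.0.2.10 rport 52002
a=candidate:4 2 TCP-ACT 7076350 203.0.113.20 55010 typ relay raddr 192.0.2.10 rport 52002
"""

# Assumed standard ICE candidate attribute; raddr/rport are optional.
CANDIDATE = re.compile(
    r"a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

def parse_candidates(sdp):
    """Return one dict per a=candidate line; other SDP lines are ignored."""
    out = []
    for line in sdp.splitlines():
        m = CANDIDATE.match(line.strip())
        if m:
            c = m.groupdict()
            c["component"], c["port"] = int(c["component"]), int(c["port"])
            out.append(c)
    return out

def review_offer(sdp):
    """Summarise candidate types and flag gaps that can explain failed media."""
    cands = parse_candidates(sdp)
    rtcp_mux = any(l.strip() == "a=rtcp-mux" for l in sdp.splitlines())
    groups = defaultdict(set)      # (foundation, transport) -> component ids
    for c in cands:
        groups[(c["foundation"], c["transport"])].add(c["component"])
    types = sorted({c["type"] for c in cands})
    findings = []
    if "relay" not in types:       # no Edge candidates: MRAS credentials missing?
        findings.append("no relay candidate: check MRAS token and Edge reachability")
    for (foundation, transport), comps in sorted(groups.items()):
        if 1 not in comps:
            findings.append(f"{foundation}/{transport}: no RTP candidate (component 1)")
        elif 2 not in comps and not rtcp_mux:
            findings.append(f"{foundation}/{transport}: no RTCP candidate and no rtcp-mux")
    tcp = {c["transport"] for c in cands if c["transport"].startswith("TCP")}
    if tcp and tcp != {"TCP-ACT", "TCP-PASS"}:
        findings.append("TCP candidates listed in only one direction")
    return {"types": types, "rtcp_mux": rtcp_mux, "findings": findings}
```

Call review_offer() on the SDP body taken from a SIP trace; an empty findings list means host, reflexive and relay candidates were all offered with complete RTP/RTCP coverage.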

High ports in the external firewall
Do we need to open the high 50,000 - 59,999 TCP ports outbound?
This has been in the documentation for a long time, and it has confused a lot of people.
If two edge servers talk to each other, we will not use the high ports as destination ports. For UDP the traffic will flow from port 3478 to port 3478, and multiple sessions can be handled. TCP is not stateless, so it can have only one connection from one IP address and port to another IP address and port. So the edge will use different source ports, but the destination port will always be 443.

If your firewall is only filtering on the destination port, then forget about the 50,000 - 59,999 port range, but if your firewall requires you to configure source ports, use the "source port" column below.

However, if we have two external users connected to two different edge servers, and they cannot establish a media path client to client, we will again benefit if the 50,000 - 59,999 port range is open, since we can then establish media using only a single edge server. If the high ports are blocked we can still connect edge to edge and the call will go through, but this consumes more resources and uses more hops (latency).

And the final scenario is when using an edge pool with DNS load balancing. In this scenario, an external user connected to one edge server tries to set up media to an internal user connected to another edge server. In this case the external firewall must allow public-to-public IP hairpinning or the call will fail (or the 50,000 - 59,999 port range could be opened to avoid this).

Changes to ports for Skype for Business Online
If we look at the documentation found at Office 365 URLs and IP address ranges, we will see that UDP ports 3478, 3479, 3480 and 3481 should be opened, but they are not used yet in Skype for Business Online. Further on, firewall openings for Skype for Business Online will be simplified, and UDP 3479 - 3481 will be used, but it has not happened just yet.

Understanding how Lync establishes audio/video paths using ICE
Microsoft Lync Server 2010 Resource Kit (Chapter 9)

Friday, November 11, 2016

MsIgnite BRK3079 - Configure Skype for Business Cloud Connector Edition with your SBC

Presented by Lasse Nordvik Wedø (@lawedo)
Skype for Business Cloud Connector Edition (CCE) is a set of 4 virtual machines delivered as an appliance.

  • Active directory domain controller
    Holds service pointers, the internal DNS used by CCE, and internal certificates. This Active Directory does not share a schema with your internal domains; it is separate and used by CCE only.
  • Skype for Business Edge Server
    The Edge server is a multihomed virtual machine that talks to the Internet on "the outside" and it must be able to use external public DNS from the Internet.
  • Skype for Business Mediation Server
    Terminates SIP trunks to/from the outside world (the SBC) and transcodes media.
  • Skype for Business Central Management Store
    Holds information on the Topology used by Mediation and Edge.
CCE can be seen as a gateway between Office 365 and your own PSTN connection. Please note that CCE does not contain a Skype for Business Registrar, i.e. it is not possible to home users in CCE.

The presentation continued with PowerShell demos on how to configure Office 365 for CCE, how to configure a user for PSTN access, how to configure a Sonus SBC with integrated CCE, number manipulation and multisite configuration.
Key commands:
Why should we use a Session Border Controller (SBC) together with CCE?
With an SBC we can connect multiple trunks to a single instance of CCE, and we can also handle analog devices such as fax machines. Additional transcoding, SIP message manipulation, TLS connections, DTMF, reduced latency and DDoS protection are just a few more of the advantages. An SBC will also allow us to use an existing infrastructure (trunks) so that we can migrate smoothly and retain a carrier contract.

It takes about 75 minutes to get up and running with CCE on a Sonus appliance, compared to several hours if you choose to download the CCE software and install it manually.

Plan for Skype for Business Cloud Connector Edition

Thursday, November 3, 2016

MsIgnite BRK2087 - Build native cloud apps for Skype for Business: Skype Developer platform overview

Presented by Andrew Bybee

The bots are coming...

The presentation started with a demo of the Smartsheet integration with presence, conversations and meetings.

Next was Skype for Salesforce, where Skype is built into the Salesforce GUI / web page, featuring video calling in Edge without a plugin, with the call and editing in Salesforce happening in the same window.

Embedded video calling in Google Chrome using the WebRTC implementation in Chrome was demoed, using a "media provider" built into the Chrome browser, just as in Edge.

Web and Chat is cool, but voice still accounts for more than 60% of the traffic for most customer service organizations. Hence, "Trusted applications" in the cloud will be supported by a coming "Trusted applications API", which was demoed together with the WebSDK in the session. A demo featured an anonymous user in a web chat session with an agent who could bring in a second agent / expert and a consumer Skype healthcare bot via the Bot Framework. The demo also featured a PSTN call into a trusted application via Office 365 PSTN calling with DTMF signalling, basic IVR and agent routing.   

UCMA will probably not be ported to the cloud, but WebRTC is on the roadmap for Skype for Business (starting with Online).

Lots of opportunities if you like to code!


Skype Developer Platform
Skype for Business Apps

Wednesday, November 2, 2016

Welcome Microsoft Teams!

At an event in New York and online, Microsoft announced Microsoft Teams today. Microsoft Teams builds on Office 365 and adds a chat-based workspace to it.

Microsoft Teams - a part of the Office 365 ecosystem

Microsoft Teams is threaded persistent chats or conversations, where the Activity view can be seen as the "inbox" in Teams. A Team "channel" can be seen as the digital equivalent of an ad-hoc meeting in a normal office environment. Moving images, emojis, stickers, or GIFs can easily be pasted into team conversations. Microsoft Teams builds on Office 365 groups, and has built-in access to Power BI, Graph, SharePoint, OneNote, and Skype for Business. A "team" is simply a group of people organized around a common goal, and a SharePoint site is automatically created for each new team that is created in Microsoft Teams.

Bots are included in Microsoft Teams from the start. T-bot can answer questions about the Microsoft Teams product, like: How do I create a channel? Who-bot can answer questions about people. Polly is a poll / voting bot that can be used in conversations. Currently some 85 bots are available.

In general, a web browser is all you need to access Microsoft Teams and mobile clients are available as well.

Preview now, General Availability next year.


MsIgnite BRK3059 - Deploy Cloud Connector Edition with Microsoft Office 365

Presented by Korneel Bullens   

Options for voice in Office 365
  • Cloud PBX with PSTN Calling service
    Available in United States, United Kingdom, Puerto Rico, Preview starting for France and Spain
  • Cloud PBX with on-premises PSTN connectivity
    Hosts users online, connects via on premises
  • Skype for Business Cloud Connector Edition (CCE)
    Hybrid offering that contains a set of virtualized machines

Cloud Connector Overview

CCE was first released in April of 2016 and there have been 3 minor updates or versions so far. The next major version (2.0) is probably coming early next year.

CCE should be seen as a "black box", i.e. do not change the topology, scripts, software or anything really. CCE deploys in approximately 7 hours (or 45 min if you get it as an appliance.)

CCE is scaled for 70 percent internal traffic, that is media not going through edge component of CCE, and 30 percent external traffic. It is not designed to be used in hosting scenarios.

CCE does not support media bypass, custom dial plans or co-existence with on-prem S4B pools.

The presentation continued with technical details around the installation of CCE.

Interesting to see new "cc-commands" like Install-CcAppliance, rather than the good old "cs-commands".

Questions and Answers

Is it possible to use VLAN tagging for the two different networks CCE is connected to?

Is it possible to use a public certificate on the inside?
No, import the internal CA root certificate.

Is it possible to let CCE share hardware with something else?
No, the cloud connector is an appliance.