Tuesday, October 18, 2016

Understanding Cloud Connector Edition (CCE) Network Design

Understanding Cloud Connector Edition (CCE) Network

CCE virtual machines

First, I would like to introduce the internal VM structure of CCE again. From there, we will better understand the requirement for virtual networks.

We require network connection to the internet, the SBC and the virtual machines themselves.

PICTURE: CCE Network 00.png

The Cloud Connector Edition is built with 4 virtual machines, a subset of a typical on-premise deployment.

Domain Controller:
Supports the internal CCE PKI and the authentication for “CCE domain-joined” machines.
Single NIC (internal VM only)

Contains the minimal subset of the topology relevant to Skype for Business.
Single NIC (internal VM only)

Mediation Server:
Codec transcoding unit for the Session Border Controller, sitting between the RTP data stream from Office 365 and Skype for Business clients and the SBC.
Single NIC (internal VM and SBC on same subnet only)
As in the on-premise setup, the Mediation Server doesn’t allow a dual-NIC setup. Moreover, the SBC can either be on the same vNET or be routed into the LAN.

Edge Server:
The Edge connects the rest of the CCE VMs with the Office 365 tenant over the Internet.
Dual NIC (internal VM and Internet)

CCE Network Switches in Hyper-V

Core to the CCE image installation is the ISO -> VHDX conversion. This process generates the VMs, including their own disks. The Windows Server ISO image is taken from local storage (HDD). Additionally, a Windows Update run is required before the generalization occurs. This is done via a temporary IP address, taken from the BaseVMIP parameter and assigned on the SfB CCE Corpnet Switch; it must be able to reach the Internet for Windows Updates.

In total we need to provide three (3) virtual switches in Hyper-V:
  • SfB CCE Corpnet Switch
The Corpnet switch lets the VMs reach each other (all VMs on this host), allows RDP into the VMs, allows Skype for Business clients to connect to the Mediation Server and connects the Mediation Server to the PSTN gateway. It is also used for Windows and SfB updates and requires an Internet connection.

  • SfB CCE Management Switch
The management switch provides temporary network connectivity between the host and the VMs during VM deployment and is disconnected after provisioning. ManagementIPPrefix MUST be configured as a different subnet from the other internal IPs.

  • SfB CCE Internet Switch
Only used for the Edge Server's external access to DMZ1, which is Internet facing.

The parameters in the CCE CloudConnector.ini file represent the virtual switch names (vSwitch). They are not subject to change and should be kept.

Those parameters are used during the setup scripting for VM installation.

SfB CCE Management Switch
SfB CCE Internet Switch
SfB CCE Corpnet Switch


PICTURE: CCE Network 01.png

CCE typical Network setup in Hyper-V

CCE usage is defined by two possible access points: the Skype for Business client is either in the internal LAN or outside the corporate network (Internet or any other LAN, e.g. home office).

Next, we discuss where the CCE and its SBC should be located. Since the CCE has its own Edge Server, we shouldn’t place the CCE in the internal LAN. The best approach is a dedicated DMZ segment.

It plays a minor role whether the SBC (or IP-PBX) is within the same DMZ or located on the internal LAN. This media stream can be handled through a firewall without NAT. The same applies to the internal Skype for Business client.

As general security advice, the illustration below is the best approach and will isolate the CCE within its own DMZ.

PICTURE: CCE Network 03.png


If we look at the more detailed setup approach, where we want the SBC placed inside the CCE's own DMZ, the firewalls are located at the external, Internet-facing and the internal, LAN-facing connectivity points.
The internal firewall must NOT have NAT enabled. Straight routing is required.

This illustration doesn’t reflect the entire routing, with neither gateways nor static routes shown. In general, though, the Internet-facing vNET requires a default route in the direction of the Internet ( -> GW INET), while the internal, LAN-directed vNET requires a static route in the form of e.g. -> GW-LAN

PICTURE: CCE Network 02.png


The last thing I wish to highlight again is:

You shouldn’t change the generic CCE vSwitch structure manually. The CCE deployment will fail if you do so. The same applies to the vSwitch naming. The setup is case sensitive, so please keep an eye on your typing.

If you deploy the CCE on a dedicated physical host (server) or you are choosing an Appliance, the network design is identical.
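
A check for the vSwitch naming point above, as an added example that is not part of the original post or of the CCE setup scripts: it compares the Hyper-V switches on the host, case-sensitively, with the three names listed in this article. It assumes the Hyper-V PowerShell module on the host; the function name Test-CceSwitchName is hypothetical.

```powershell
# Added example, not part of the CCE setup scripts.
# Test-CceSwitchName is a hypothetical helper name.
function Test-CceSwitchName {
    param(
        # Switch names exactly as listed in this article.
        [string[]]$Expected = @(
            'SfB CCE Corpnet Switch',
            'SfB CCE Management Switch',
            'SfB CCE Internet Switch'
        ),
        # Names found on the host; defaults to the live Hyper-V switches.
        [string[]]$Present = @(Get-VMSwitch | Select-Object -ExpandProperty Name)
    )

    foreach ($name in $Expected) {
        if ($Present -ccontains $name) {
            # Exact, case-sensitive match.
            $status = 'OK'
            $found  = $name
        }
        else {
            # Case-insensitive, whitespace-tolerant lookup to spot typing errors.
            $found  = $Present | Where-Object { $_.Trim() -ieq $name } | Select-Object -First 1
            $status = if ($found) { 'NAME MISMATCH (case or whitespace)' } else { 'MISSING' }
        }
        [pscustomobject]@{ Expected = $name; Found = $found; Status = $status }
    }
}

# Live check on the Hyper-V host:
#   Test-CceSwitchName | Format-Table -AutoSize

# Offline demonstration with constructed names: the second one has a
# lower-case "s" and the Internet switch is absent.
Test-CceSwitchName -Present @(
    'SfB CCE Corpnet Switch',
    'SfB CCE Management switch'
) | Format-Table -AutoSize
```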

Friday, October 14, 2016

Skype for Business Network Assessment (Requirement for Office 365)

The network assessment is very crucial with Office 365 voice implementations.

This is valid if you run:
- PSTN Calling
- Cloud Connector Edition
- or any hybrid scenario

I also recommend choosing a partner who has the appropriate knowledge and can analyze your network entirely.

Several tools and services are available for measuring the network performance in the direction of the Office 365 datacenters, either with or without an ExpressRoute setup.
This should be part of the Microsoft Skype Operations Framework.

The most optimal tool is the IR Prognosis UC Assessor:

The Assessor is the right tool for professional analysis and reports.


A free tool is also available from Microsoft; it was released in September 2016.


Even though this tool provides rudimentary information, it is not simple to set up, nor is it capable of providing end-2-end monitoring.

You need an XML configuration file for your environment:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
    </startup>
    <appSettings>
      <!-- Relay.IP is left empty in this post; set it for your environment -->
      <add key="Relay.IP" value=""/>

      <!-- At least one of the following two protocols must be configured   -->
      <!-- Configure only one if testing only one protocol                  -->
      <!-- If both are configured, UDP will be preferred if it is available -->
      <add key="Relay.UDPPort" value="3478"/>
      <add key="Relay.TCPPort" value="443"/>

      <!-- WMAFilePath configures the WMA file to be streamed -->
      <!-- WMAOutputFilePath contains the received audio -->
      <!-- If WMAOutputFilePath already exists, the existing file will be overwritten -->
      <add key="WMAFilePath" value="Tone.wma"/>
      <add key="WMAOutputFilePath" value="ReceivedAudioFile.wma"/>

      <add key="NumIterations" value="3"/>
      <add key="ResultsFilePath" value="results.tsv"/>
      <add key="Delimiter" value="  "/>
      <add key="IntervalInSeconds" value="5"/>
    </appSettings>
</configuration>

The analyzer, run as ResultsAnalyzer.exe results.tsv, provides you with an output of the test results.
As you can see, it is not made for permanent analysis and can only be seen as an indicator.

Result Output:

Skype for Business - Network Assessment Tool - Results Analyzer
Input file:           results.tsv
Total rows read:      10
Total rows skipped:   0
Total rows processed: 10

90th percentile values per metric:
Packet loss rate:     0.50 %
RTT latency:          70.5 ms
Jitter:               10.0 ms
Packet reorder ratio: 0.00 %

If this is a Skype for Business Client machine connecting to the Microsoft network Edge:
Packet loss rate:     PASSED
RTT latency:          PASSED
Jitter:               PASSED
Packet reorder ratio: PASSED

If this is a network Edge connecting to the Microsoft network Edge:
Packet loss rate:     PASSED
RTT latency:          FAILED
Jitter:               PASSED
Packet reorder ratio: PASSED

Other solutions available:
EventZero and Nectar, which aren't yet available in Europe

Friday, October 7, 2016

Cloud Connector Edition with Skype for Business from Ignite, Atlanta US

Have fun watching it ;)


Busy on Busy guide for Skype for Business

Some general statements to Busy on Busy:
  • It is only available for users homed on a Skype for Business pool (SE or EE)
  • CU3 must be installed on all pool members
  • Not working for users homed on Lync 2013 or an SBA.
  • Using Busy on Busy requires a Voice Policy in Skype for Business (Global, Sites or User)

Busy on Busy supports only three different types:

- BusyOnBusy:
If the user is on an active call, the busy signal will be played to the caller.
- VoiceMailOnBusy:
If the user is on an active call, the call will be forwarded to the user's Voice Mail.
- Off:
If the user is on an active call, all other features work as expected: either no answer, or the user's local Voice Mail or Team Delegate settings are active.

The BusyOnBusy feature has a timeout of 12 min.
If the user gets disconnected from a call, e.g. by dropping off the network, which can happen with a mobile phone or on Wi-Fi, the busy signal stays active for 12 min before it is reset.

Also remember that the Busy Options cannot be configured by users themselves. This is an administrative task only.



1. Identify the Pool in your topology


2. Define the Server Application on the Pool which should host BusyOnBusy

New-CsServerApplication -Identity 'Service:Registrar:%FQDN%/BusyOptions' -Uri http://www.microsoft.com/LCS/BusyOptions -Critical $False -Enabled $True -Priority (Get-CsServerApplication -Identity 'Service:Registrar:%FQDN%/UserServices').Priority

where %FQDN% is the pool's FQDN (SfB 2015 only), e.g. SfBFEPool01.domain.local

3. Verify the CsServerApplication

Get-CsServerApplication | Where-Object { $_.Name -eq "BusyOptions" }

4. Update the Admin Role
This command adds the three new commandlets to the Admin Role.
Which are:
  • Get-CsBusyOptions
  • Set-CsBusyOptions
  • Remove-CsBusyOptions
Updating by using:


5. Configure Users

Configure a user, provided the Voice Policy for BusyOnBusy is generally assigned:

for user with Busy on Busy:

Set-CsBusyOptions -Identity "Thomas Poett" -ActionType BusyOnBusy

for user with VoiceMail on Busy:

Set-CsBusyOptions -Identity "Thomas Poett" -ActionType VoiceMailOnBusy

If you want to remove the BusyOnBusy setting from a user, use:



With the current CU3, BusyOnBusy has a false positive error.
What does this mean?

If you query a user for their Busy Options and the user has no setting configured, the cmdlet Get-CsBusyOptions shows you a "red" error.
This is not an error, however; it mainly tells you that BusyOnBusy is NOT configured for this user.

Tuesday, August 9, 2016

Multiple Phone Numbers for Skype for Business Users

As we know, Skype for Business only supports a maximum of 2 phone numbers per user:
the LineURI and the PrivateLineURI.

At the time of writing this article, this option is only available for On-Premise users

(09. Aug. 2016)

The PrivateLineURI, however, is not aware of the current user status.
If someone calls the private number while you are set to "do not disturb", the phone call will still ring at your endpoint.

How do we work around this typical PBX feature with Skype for Business?

The proposed solution is a bit of a hassle to configure, but works perfectly.

Skype for Business has two services/ features:

Unassigned Number

If we combine those services in a manner that supports a multi-number concept for users, we have the same feature available as every traditional PBX.

The process workflow explains what we need to configure.
You can create multiple Unassigned Numbers with the same Announcement. This gives you the option to have, besides the LineURI, multiple other numbers assigned to this user.

Create the announcement:

New-CsAnnouncement -Parent service:ApplicationServer:SfBFrontEnd.domain.local -Name "Forwarding to USER" -TargetURI "sip:user@domain.com"


Create the Unassigned Number:

We can create unassigned numbers via the CSCP or via PowerShell. I have provided both methods.

The second option via PowerShell:

New-CsUnassignedNumber -Identity "Second Number for USER" -AnnouncementService "ApplicationServer:FEPOOL.domain.local" -NumberRangeStart "tel:+498912345678" -NumberRangeEnd "tel:+498912345678" -AnnouncementName "Forwarding to USER"
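
The multi-number setup described above, as an added example that is not part of the original post: one announcement is created once and several single-number ranges point at it by name. The pool FQDN, SIP URI and phone numbers are placeholders or constructed values; run it in the Skype for Business Management Shell.

```powershell
# Added example, not from the original post. All values below are placeholders.
$poolFqdn         = 'SfBFrontEnd.domain.local'
$targetUri        = 'sip:user@domain.com'
$announcementName = 'Forwarding to USER'
$extraNumbers     = @('tel:+498912345678', 'tel:+498912345679')   # constructed

# Create the announcement only once; every range below refers to it by name,
# so -Name here and -AnnouncementName below must be identical.
$announcement = Get-CsAnnouncement -Identity "ApplicationServer:$poolFqdn" |
    Where-Object { $_.Name -eq $announcementName }
if (-not $announcement) {
    New-CsAnnouncement -Parent "service:ApplicationServer:$poolFqdn" -Name $announcementName -TargetUri $targetUri
}

# Range starts that already exist, normalized without the "tel:" prefix.
$existingStarts = @(Get-CsUnassignedNumber |
    ForEach-Object { $_.NumberRangeStart -replace '^tel:', '' })

foreach ($number in $extraNumbers) {
    if ($number -notmatch '^tel:\+[1-9]\d{6,14}$') {
        Write-Warning "Skipping '$number': not in tel:+E.164 form"
        continue
    }
    $plain = $number -replace '^tel:', ''
    if ($existingStarts -contains $plain) {
        Write-Warning "Skipping '$number': an unassigned number range already starts here"
        continue
    }

    # One range per extra number: start and end are the same value.
    $range = @{
        Identity            = "USER extra number $plain"
        AnnouncementService = "ApplicationServer:$poolFqdn"
        AnnouncementName    = $announcementName
        NumberRangeStart    = $number
        NumberRangeEnd      = $number
    }
    New-CsUnassignedNumber @range
}
```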


Remove Server from Topology Error EventID 1034

Once more I ran into the issue with EventID 1034.

LS File Transfer Agent Service


Skype for Business Server 2015, File Transfer Agent service encountered an error while accessing a file share and will continuously attempt to access this file share until this issue is resolved. While this condition persists, replication to replica machines might not occur.
Can't watch SfBFrontEnd.domain.local
Cause: Possible issues with file share permission.


This issue while removing a server from the topology is not related to any permission issue; rather, it is related to DeletedReplicas.
This occurs if anything in the server removal did not work as expected, even if the removal and the bootstrapper process ran well.

You should verify first the:

As you see, the replication is working fine and we only have a Polycom RMX, which has the do-not-replicate option set in the topology.

Next step is the verification of the
Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus

Here we can see the DeletedReplicas, and the "old" Lync Server lingers around in the XDS database.


If you didn't delete the removed server, go and manually uninstall all Lync or Skype for Business Server components.
It might be the Core Components that help solve this issue.




This is the "hardcore" removal within the XDS Topology Database.

Best you do a database backup before you touch and modify the SQL database.

Prepare the following script in SQL:

USE [xds]


SELECT TOP 1000 [ReplicaId]


  FROM [xds].[dbo].[Replica]


Sorry for having this screenshot in German:

As you can see, the old Lync Server is allocated in row 2.
This is causing the issue.

We need to delete this row with another script:

USE [xds]


DELETE FROM [dbo].[Replica]

      WHERE ReplicaId IN (2)


Now the problem is solved after you run the command:


Monday, August 8, 2016

Skype for Business Cloud Connector with Sonus @MicrosoftDE and @Westcon

Hello everyone,

together with Microsoft, Westcon and Sonus we are hosting a great event on Office 365 E5, Skype for Business Online and Cloud Connector.

Please do register.


When? Where?
13.09.2016 Microsoft Hamburg, Gassstraße 6a, Gebäude M, 22761 Hamburg
14.09.2016 Microsoft Berlin, Unter den Linden 17, 10117 Berlin
20.09.2016 Microsoft Köln, Holzmarkt 2a, 50676 Köln
21.09.2016 Microsoft München, Walter-Gropius-Straße 1-3, 80807 München


11:30 – 12:15 Registration and lunch
12:15 – 12:25 Welcome by Sonus
12:25 – 12:55 Microsoft: Office 365 E5, CloudPBX
12:55 – 13:10 Sonus: SBC and Cloud Link solutions
13:10 – 13:30 Westcon: MVP on Cloud Connector Edition with Sonus appliance
13:30 – 13:45 Break
13:45 – 14:15 Sonus: Migrating PBX to CloudPBX
14:15 – 14:45 Westcon: End-2-End Sales Motion (with the Skype for Business ecosystem) and Sonus Partner Program
14:45 – 15:30 Questions & answers, networking

Please note that the number of places is limited!

Saturday, August 6, 2016

500 - Internal Server Error - Skype for Business Mobility


This is a very common error, which can be related to some of the following issues:
  • wrong internal/external certificate
  • firewall ports 4443-443 not assigned correctly
  • firewall does packet inspection and changes the traffic (reverse proxy)
  • load balancer issue, wrong persistence, wrong ticket validity period,...
  • Direct Server Return (DSR) issue on load balancer

I could continue with this list.

But there is one issue not discussed on the blog side yet.
If you see an Error 500 in the IIS log file showing the /AUTH module, IIS possibly has a wrong configuration and the error is not related to any of the other common causes.

/webticket/webticketservice.svc/auth - 4443 - COP 500 0 0 3037

As we know, the client first receives the JSON web service link information.
It then tries to access the WebTicketService and receives an ERROR 401, because authentication hasn't been done yet.
It now connects to the WebTicketService and attempts authentication, which is NTLM!

If the Negotiate option comes first, this will fail and generate the ERROR 500.


On all Skype for Business Frontend Servers, you should manually check, on both the Internal and the External Website, that NTLM is the first choice for authentication and NEGOTIATE the second option.

Use the appcmd command to query the settings:
C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<windowsAuthentication enabled="true" useKernelMode="false">  
<add value="Negotiate" />   --> Must NOT be first!
<add value="NTLM" />  

If you need to change this setup, please use this method:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM,Negotiate"


appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

appcmd set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
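
A check for the provider order discussed in this post, as an added example that is not part of the original: it parses the XML printed by appcmd list config /section:windowsAuthentication and reports whether NTLM precedes Negotiate. The function name Test-NtlmBeforeNegotiate is hypothetical and the sample XML is constructed.

```powershell
# Added example, not from the original post.
# Test-NtlmBeforeNegotiate is a hypothetical helper name.
function Test-NtlmBeforeNegotiate {
    param(
        # Text printed by: appcmd list config /section:windowsAuthentication
        [Parameter(Mandatory)][string]$ConfigXml
    )

    $doc  = [xml]$ConfigXml
    $node = $doc.SelectSingleNode('//windowsAuthentication')
    if (-not $node) { throw 'No <windowsAuthentication> element found in the input.' }

    # Providers are the <add value="..."/> elements, in evaluation order.
    $providers = @($node.SelectNodes('.//add') | ForEach-Object { $_.GetAttribute('value') })
    $upper     = @($providers | ForEach-Object { $_.ToUpperInvariant() })
    $ntlm      = [array]::IndexOf($upper, 'NTLM')
    $negotiate = [array]::IndexOf($upper, 'NEGOTIATE')

    $ok = $false
    if ($node.GetAttribute('enabled') -ne 'true') {
        $finding = 'Windows authentication is disabled'
    }
    elseif ($ntlm -lt 0) {
        $finding = 'NTLM provider is missing'
    }
    elseif ($negotiate -ge 0 -and $negotiate -lt $ntlm) {
        $finding = 'Negotiate is listed before NTLM'
    }
    else {
        $finding = 'NTLM precedes Negotiate'
        $ok = $true
    }

    [pscustomobject]@{
        Providers = $providers -join ', '
        Compliant = $ok
        Finding   = $finding
    }
}

# Constructed sample in the shape appcmd prints; Negotiate is first here.
$sample = @'
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
'@
Test-NtlmBeforeNegotiate -ConfigXml $sample

# Live use on a Front End server (elevated prompt):
#   $live = (& "$env:windir\System32\inetsrv\appcmd.exe" list config /section:windowsAuthentication) -join [Environment]::NewLine
#   Test-NtlmBeforeNegotiate -ConfigXml $live
```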

Monday, July 4, 2016

Cloud Connector Edition Hybrid Voice Guide Version 2

Hi to all excited CloudPBX fans.

I finalized the Cloud Connector Edition Hybrid Voice Guide Version 2.
All important changes are covered, and it contains the full explanation of the CCE Multi-Site Design, as well as how users must be configured.


Have fun reading it.


This guide is for Microsoft customers and partners, and is just as useful for vendors (I promise ;) ).
It explains the entire technology and all related commands and cmdlets.
Important is the Multi-Site CCE Design, which is the most complex part, but is fully explored and laid open for your understanding.

A huge thanks to Westcon UCC, who allowed me to spend a lot of time finishing this.
Therefore I'm very pleased to support the readers and will try my best to answer all questions. You can contact me via my blog http://lyncuc.blogspot.com


Introduction of Cloud Connector Edition
Generic terms of Office 365 PSTN connectivity
Topology support in Office 365 with Skype for Business
On-Premise without any Office 365 connectivity
On-Premise Skype for Business with Office 365 Cloud PBX connectivity (Federation to Office 365 and Cloud PBX and PSTN CALLING SERVICE)
Office 365 with CCE (Cloud PBX)
Office 365 with PSTN Calling Service (native Calling Plan)
Typical Skype for Business federated On-Premise Installation
Tenant support in Office 365
Cloud Connector Active Directory Forest
Cloud Connector (CCE) Topologies
Outbound Call Flow
Inbound Call Flow
CCE “SBA” in planning:
High Availability:
Multi-Site deployment
CCE Voice Routing with multi-site (generics)
CCE Voice Routing on gateways (optional) – not yet supported by Microsoft
Migration to Cloud PBX with Cloud Connector Edition
Greenfield
Skype for Business with Enterprise Voice on-premise
Target: native Cloud Connector Edition
Target: Cloud Connector Edition with Office 365 Calling Plan (Cloud Voice Users)
Target: Cloud Connector Edition + Skype for Business partial Enterprise Voice (on-premise)
Target: Cloud Connector Edition + Office 365 Calling Plan (Cloud Voice Users) + Skype for Business partial Enterprise Voice (on-premise)
Summary:
Infrastructure requirements for Cloud Connector Edition
Physical infrastructure
Logical infrastructure
DNS
Certificates externally
Certificates internally
Firewall Port Configuration
Configuration Guide for Users, Dial-Plans, Voice Routes and PSTN Usage
Connect to Skype for Business Online
CCE Site generation and assignment
Management Guide for Users
Moving a User to Skype for Business Online
CCE User to Site assignment
Configuration Guide for Dial-Plans
Configuration Guide for Voice Routes
Appendix
Commandlets for Online configuration
Dial-in conferencing cmdlets
E911 and Location Information Service (LIS) cmdlets
Skype Meeting Broadcast cmdlets
PSTN calling cmdlets
Hybrid PSTN site and user cmdlets
Internet Protocol (IP) phone cmdlets
Reporting cmdlets
Online User cmdlets
Reading/ Writing Users Information and Settings

Tuesday, June 21, 2016

Activate Office 365 for Internal User Rights (IUR)

Microsoft Partners are entitled to Office 365 E3 internal use:

If you wish to activate your license, please follow the short introduction below and click the respective links:

How to earn Office 365 (E3) internal-use rights benefits through Microsoft Partner Network programs

How to activate and assign Office 365 (E3) internal-use rights licenses

New partners:
Please begin by signing up for a Microsoft Action Pack subscription or earning either a silver or gold competency. (You may also learn how to earn Office 365 (E3) internal-use rights benefits from the Microsoft Partner Network programs here.)
Existing partners:
Use the following directions to help you get started:
A. Activate Office 365 (E3) IUR on an online tenant:
  1. Go to the Microsoft Partner Digital Download Portal (http://aka.ms/ActivateIUR).
  2. Sign in with the Microsoft Account (formerly Windows Live account) currently assigned administrator rights.
  3. Select the Microsoft Online Services section.


Sunday, June 19, 2016

OneDrive Bulk Data Upload

Hi all,

just an aside from Skype for Business.
I upgraded my Office 365 Home account, getting the 1TB HDD storage.
Wow, what a nice opportunity to have a valued backup in the cloud.

Now I had the question in mind:
Damn, how should I get approx. 400GB into the cloud?

Microsoft gives you two options if you run Windows 10, assuming we all do so.
1a. Open the EDGE browser, navigate to OneDrive and drag&drop files and folders.
1b. Choose the upload feature in EDGE once you open OneDrive and choose the folder you would like to sync
2.  Copy all your data onto your local hard drive and let it sync

Super idea, 400GB didn't fit on any of my laptops anymore. So, a bad and stupid option.
Second, I tried to use drag&drop. Perfect, it failed; simply not working.
Ok, then let's choose the Folder Upload option.
And see, here it goes: it took 1hr to screen the files on my external disk. Then the upload started with approx. 35.000 files.

After two days, how wonders, it failed.

No intelligent option in the EDGE browser giving me a way of restarting the upload. -> Result: totally useless

Even breaking it into smaller pieces resulted in a failure.

As an aside, I don't know why there is no proper tool for upload, why IE is not working and why the Win8.1 option for online folders was removed. Also, if you use EDGE, your RAM is utilized at 100%, making the laptop unusable for multiple days.
Yes, I'm totally frustrated with Microsoft here.


Thanks to some intelligent ideas, I decided to split the folders into smaller pieces and copy them into OneDrive.
What a hassle, but using BITS is the best idea for syncing.

Once finished, I use OneDrive online and move the folder to its dedicated backup location.

This deletes the local HDD copy on my Laptop and I can proceed further.

I know this is not a very user friendly solution and I really hope Microsoft is developing some better tools and solutions.