Skype for Business Cloud Connector Edition Public DNS, IP and Certificates requirements


Skype for Business Cloud Connector Edition (CCE) deploys multiple VMs that allow users to connect to the on-premises PSTN infrastructure. Because it contains the Edge Server role, it requires public DNS records, IP addresses and certificates to function properly.

Let’s discuss internal things first.

Internal IP Addresses: Each CCE VM requires one internal IP address, which means you need four internal IP addresses for every CCE deployment. Make sure these IPs come from a dedicated subnet; do not use existing subnets.

Internal DNS records: Each CCE deploys its own AD DS, so all internal DNS records point to the internal DNS deployed with CCE.

Internal Certificates: Each CCE domain controller deploys certificate services alongside directory services, so all internal certificates are issued by the internal certificate server.

The internal requirements look simple, but there are many more things you need to plan well in advance to make the deployment successful.

Now let’s focus on the external requirements, which are essential for CCE to work correctly.

External IP Addresses: One public IP address is required for the external interface of the Edge server. This IP is used by Access Edge and Media Relay Edge. You can use either a direct public IP address or a NAT IP address. If it is a NAT IP address, specify both addresses: the public IP address of the NAT device is given for Media Relay Edge in one more parameter, “ExternalMRPublicIPs”.

External DNS Records: External DNS records are mandatory for a CCE deployment. The onmicrosoft.com suffix is not supported for external DNS entries. You need to create an external DNS record for Access Edge. In a single-site HA deployment you need one DNS record with multiple IP addresses, and in a multisite deployment you need multiple DNS records with multiple IP addresses.

Public Certificates: A public certificate is required for each Edge component in a CCE deployment. The certificates must have an exportable private key so that they can be copied between Edge components. Plan the certificate properly before you request it.

You can have two different scenarios:

  1. Single SIP Domain
  2. Multiple SIP Domains

When choosing the certificate, you can choose either a SAN certificate with multiple entries or a wildcard certificate.

Therefore, you now have four different options:

First option: Single SIP domain with multiple SAN entries.

SN = <site1-accessedgepool>.sipdomain.com, SAN = sip.sipdomain.com, <site1-accessedgepool>.sipdomain.com, <site2-accessedgepool>.sipdomain.com

Second option: Single SIP domain with wildcard entry.

SN = sip.sipdomain.com, SAN = sip.sipdomain.com, *.sipdomain.com

(Note: With the above configuration, you must not create any sip.sipdomain.com entry in external DNS because this name belongs to the Office 365 deployment)

Third option: Multiple SIP domains with multiple SAN entries.

SN = <site1-accessedgepool>.sipdomain1.com, SAN = sip.sipdomain1.com, sip.sipdomain2.com, <site1-accessedgepool>.sipdomain1.com, <site2-accessedgepool>.sipdomain1.com, <site1-accessedgepool>.sipdomain2.com, <site2-accessedgepool>.sipdomain2.com

Fourth option: Multiple SIP domains with wildcard entries.

SN = sip.sipdomain1.com, SAN = sip.sipdomain1.com, sip.sipdomain2.com, *.sipdomain1.com, *.sipdomain2.com
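A planning check for the four options above, added here as an example; it is not from the original post or from any Microsoft tooling. It verifies that a proposed SN/SAN list covers every SIP domain and every site's Access Edge pool name before the request goes to a public CA. The pool host labels `site1-edge` and `site2-edge` are hypothetical, and two rules are assumptions: `sip.<domain>` must be listed explicitly (as it is in all four options), and a wildcard covers exactly one leftmost label (standard hostname matching).

```python
def wildcard_covers(san: str, name: str) -> bool:
    """True if one SAN entry covers name; '*' stands for exactly one leftmost label."""
    san_labels, name_labels = san.lower().split("."), name.lower().split(".")
    if san_labels[0] != "*":
        return san_labels == name_labels
    return len(san_labels) == len(name_labels) and san_labels[1:] == name_labels[1:]


def audit_edge_certificate(subject, sans, sip_domains, pool_hosts):
    """Return findings for a planned CCE Edge certificate (empty list = plan is consistent)."""
    findings = []
    listed = {s.lower() for s in sans}
    # In all four options on the page the SN is repeated in the SAN list.
    if subject.lower() not in listed:
        findings.append(f"subject name {subject} is missing from the SAN list")
    for domain in sip_domains:
        domain = domain.lower()
        # The page's external DNS rule, applied here to the planned names.
        if domain.endswith(".onmicrosoft.com"):
            findings.append(f"{domain}: onmicrosoft.com names cannot be published in external DNS")
        # Assumption: sip.<domain> must be an explicit entry, as in all four options.
        if f"sip.{domain}" not in listed:
            findings.append(f"sip.{domain} is not an explicit SAN entry")
        for host in pool_hosts:
            fqdn = f"{host}.{domain}".lower()
            if not any(wildcard_covers(s, fqdn) for s in sans):
                findings.append(f"{fqdn} is not covered by any SAN entry")
    return findings


# Constructed sample plan: two SIP domains, two sites (hypothetical pool host labels).
DOMAINS = ["sipdomain1.com", "sipdomain2.com"]
POOLS = ["site1-edge", "site2-edge"]

# Fourth option from the page: multiple SIP domains with wildcard entries.
OPTION4 = ["sip.sipdomain1.com", "sip.sipdomain2.com", "*.sipdomain1.com", "*.sipdomain2.com"]
# Constructed mistake: the second SIP domain was forgotten in the request.
INCOMPLETE = ["sip.sipdomain1.com", "*.sipdomain1.com"]

if __name__ == "__main__":
    for label, sans in (("option 4", OPTION4), ("incomplete", INCOMPLETE)):
        problems = audit_edge_certificate("sip.sipdomain1.com", sans, DOMAINS, POOLS)
        print(label, "->", problems or "OK")
```
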

I hope this blog post helps you plan IP addressing, subnets, DNS records and certificates for a CCE deployment.

2 thoughts on “Skype for Business Cloud Connector Edition Public DNS, IP and Certificates requirements”

  1. Marc

    Hi, Nice info but what is the configuration certificate when you have an OnPrem SfB infrastructure and On-line SfB with CCE? Thanks for your lights. Marc