Skype for Business Cloud Connector Edition (CCE) deploys multiple VMs that allow users to connect to on-premises PSTN infrastructure. Because it contains the Edge Server role, it requires public DNS records, IP addresses and certificates to function properly.
Let’s discuss internal things first.
Internal IP Addresses: Each CCE VM requires one internal IP address, which means you need four internal IP addresses for every CCE deployment. Make sure these IPs come from a dedicated subnet; do not use existing subnets.
Internal DNS records: Each CCE deploys its own AD DS, so all internal DNS records point to the internal DNS deployed with CCE.
Internal Certificates: Each CCE domain controller deploys certificate services alongside directory services, so all internal certificates are issued by the internal certificate server.
The internal requirements look simple, but there are many more things you need to plan well in advance to make the deployment successful.
Now let’s focus on the external requirements, which are very important for CCE to work correctly.
External IP Addresses: One public IP address is required for the external interface of the Edge server. This IP is used by Access Edge and Media Relay Edge. You can use either a direct public IP address or a NAT IP address; if it is a NAT IP address, specify both addresses, giving the public IP address of the NAT device for Media Relay Edge in one more parameter, “ExternalMRPublicIPs”.
External DNS Records: External DNS records are mandatory for CCE deployment. The onmicrosoft.com suffix is not supported for external DNS entries. You need to create an external DNS record for Access Edge. In a single-site HA deployment you need one DNS record with multiple IP addresses; in a multisite deployment you need multiple DNS records with multiple IP addresses.
Public Certificates: A public certificate is required for each Edge component in a CCE deployment. Certificates must have an exportable private key so they can be copied between Edge components. Plan the certificate properly before you request it.
You can have two different scenarios:
- Single SIP Domain
- Multiple SIP Domain
When choosing a certificate, you can choose either a SAN certificate with multiple entries or a wildcard certificate.
Therefore, you have four different options:
First option: Single SIP domain with multiple SAN entries.
SN = <site1-accessedgepool>.sipdomain.com, SAN = sip.sipdomain.com, <site1-accessedgepool>.sipdomain.com, <site2-accessedgepool>.sipdomain.com
Second option: Single SIP domain with wildcard entry.
SN = sip.sipdomain.com, SAN = sip.sipdomain.com, *.sipdomain.com
(Note: With the above configuration, you must not create any sip.sipdomain.com entry in external DNS because this name belongs to the Office 365 deployment)
Third Option: Multiple SIP domain with multiple SAN entries.
SN = <site1-accessedgepool>.sipdomain1.com, SAN = sip.sipdomain1.com, sip.sipdomain2.com, <site1-accessedgepool>.sipdomain1.com, <site2-accessedgepool>.sipdomain1.com, <site1-accessedgepool>.sipdomain2.com, <site2-accessedgepool>.sipdomain2.com
Fourth option: Multiple SIP domain with wildcard entry.
SN = sip.sipdomain1.com, SAN = sip.sipdomain1.com, sip.sipdomain2.com, *.sipdomain1.com, *.sipdomain2.com
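A planned SN/SAN list can be checked against the names these four options call for before the certificate is requested. The following is an added example, not part of the original post: the function names, the `site1-ap`/`site2-ap` pool labels and the `.example` domains are constructed placeholders, and the wildcard rule used is the standard one where `*` matches exactly one left-most label.

```python
# Added example: pool labels and domains below are constructed placeholders.
def san_covers(entry: str, name: str) -> bool:
    """True if one SAN entry covers a DNS name; '*' matches exactly one left-most label."""
    entry, name = entry.lower(), name.lower()
    if entry.startswith("*."):
        label, _, parent = name.partition(".")
        return bool(label) and parent == entry[2:]
    return entry == name


def required_names(sip_domains, edge_pools):
    """Names used in the options above: sip.<domain> plus <pool>.<domain> per site."""
    names = []
    for domain in sip_domains:
        names.append(f"sip.{domain}")
        names.extend(f"{pool}.{domain}" for pool in edge_pools)
    return names


def check_plan(subject, sans, sip_domains, edge_pools):
    """Return a list of planning problems; an empty list means the plan is consistent."""
    problems = []
    for domain in sip_domains:
        d = domain.lower()
        if d == "onmicrosoft.com" or d.endswith(".onmicrosoft.com"):
            problems.append(f"{domain}: onmicrosoft.com suffix is not supported externally")
    # Assumption: all four options above repeat the SN in the SAN list, so require it.
    if not any(s.lower() == subject.lower() for s in sans):
        problems.append(f"{subject}: subject name is missing from the SAN list")
    for name in required_names(sip_domains, edge_pools):
        if not any(san_covers(s, name) for s in sans):
            problems.append(f"{name}: not covered by any SAN entry")
    return problems


if __name__ == "__main__":
    domains = ["sipdomain1.example", "sipdomain2.example"]
    pools = ["site1-ap", "site2-ap"]
    # Fourth option (wildcards): prints [] because every name is covered.
    wildcard_sans = ["sip.sipdomain1.example", "sip.sipdomain2.example",
                     "*.sipdomain1.example", "*.sipdomain2.example"]
    print(check_plan("sip.sipdomain1.example", wildcard_sans, domains, pools))
    # Third option with one site entry forgotten: reports the missing name.
    san_list = ["sip.sipdomain1.example", "sip.sipdomain2.example",
                "site1-ap.sipdomain1.example", "site2-ap.sipdomain1.example",
                "site1-ap.sipdomain2.example"]
    print(check_plan("site1-ap.sipdomain1.example", san_list, domains, pools))
```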
I hope this blog post will help you to plan IP addressing, subnets, dns records and certificates for CCE deployment.
Hi, nice info, but what is the certificate configuration when you have an on-prem SfB infrastructure and online SfB with CCE? Thanks for your lights. Marc
Certificate requirements have been covered in this article; see the last section of the article, which describes the public certificate.
And for on-premises SfB deployments, please go through https://technet.microsoft.com/en-in/library/dn933910.aspx#Certs and https://insidemstech.com/2015/06/30/step-by-step-skype-for-business-server-standard-edition-deployment/