Deployment Guide



Yüklə 138,83 Kb.
Pdf görüntüsü
tarix14.10.2017
ölçüsü138,83 Kb.
#5072


Deployment Guide

1

citrix.com



This guide focuses on defining the deployment process for Microsoft Skype for Business 

with Citrix NetScaler 

Deploying Skype for  

Business Server 2015  

with NetScaler

Deployment Guide




2

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Table of Contents

Introduction  

3

Overview of Microsoft Skype for Business  



3

Recommended Topology  

6

Load balancing Microsoft Skype for Business 2015 with NetScaler  



9

Conclusion  

24

Appendix  



25


3

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

This guide defines the process for deploying Microsoft Skype for Business Server 2015 with NetScaler. 

Microsoft Skype for Business Server 2015 is an enterprise collaboration, messaging and telephony 

platform and is the successor to Lync 2013.



Overview of Microsoft Skype for Business

Skype for Business Server Roles

•  There are two server topologies that can be used for Skype for Business. The Standard Editiontopology is 

designed for small organizations, and pilot projects in large organizations. It enables many Skype for Business 

Server features such as instant messaging (IM), presence, confer- encing, and Enterprise Voice, including the 

necessary databases to run on a single server. This enables Skype for Business Server functionality at a lower 

cost, but does not provide a truly highly available solution.

•  Enterprise Edition topologies allow features such as pooling of servers with multiple roles; which allow for high 

availability.

•  The primary difference between these editions is support for high-availability features that are only included 

in the Enterprise Edition. To implement high-availability, multiple Front-End servers must be deployed to a pool 

and SQL Servers need to be mirrored. Standard Edition servers cannot be pooled.

•  An Enterprise Edition deployment enables the creation of multiple servers with different roles.

The primary roles are –

•  Front end servers

•  Edge servers

•  Director servers

•  Database (SQL) servers

Citrix NetScaler is a world-class product with the proven ability to load balance, 

accelerate, optimize, and secure enterprise applications. It provides availability, 

scalability, optimization and security for Microsoft Skype for Business deployments. 

Citrix is strongly committed to its partnership with Microsoft. For several years, Citrix 

has completed certifications and provided deployment guides for key Microsoft 

applications including Lync, Exchange, SharePoint and Dynamics CRM. NetScaler’s rich 

application delivery capabilities significantly enhance the performance of these 

enterprise applications.



4

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Front End Servers

The front end server runs most basic functions, and plays a critical role in the deployment. This server role must 

be deployed in an Enterprise Edition deployment, in addition to the Database server that hosts the SQL Server 

instance that holds the Skype for Business database.

A front end pool includes identically configured front end servers that work together to provide services for a 

common group of users. This type of configuration provides improved scalability and failover.

The front end server performs the following functions:

•  User authentication and registration

•  Presence information and contact card exchange

•  Address book services and distribution list expansion

•  IM functionality, including multi-party IM conferences

•  Web conferencing, PSTN Dial-in conferencing and A/V conferencing (if deployed)

•  Application hosting for applications included with Skype for Business Server (for example, Conferencing 

Attendant and Response Group application) and third-party applications

•  Option: monitoring-collection of usage information in the form of call detail records (CDRs) and call error 

records (CERs). This information provides metrics about the quality of the media (audio and video) traversing 

the network for both Enterprise voice calls and A/V conferences.

•  Web components of supported web-based tasks such as Web Scheduler and Join Launcher.

•  Optional: Archiving - archival of IM communications and meeting content for compliance.

•  Optional: Persistent Chat Web Services for Chat Room management and Persistent Chat Web Services for File 

Upload/Download [if persistent chat is enabled]

•  Front end pools are the primary store for user and conference data. Information about each user is replicated 

amongst the servers in the pool, and backed up on the database servers.

•  Additionally, one front end server in the deployment serves as the Central Management Server, which manages 

and deploys basic configuration data to all servers running Skype for Business services. The central 

management server also provides server management shell and file trans- fer capabilities for Skype for 

Business. During the implementation, management tools such as the Skype for Business topology builder 

should be installed on this server.

•  The database servers run Microsoft SQL Server and provide the database services for the front end pool. They 

serve as backup stores for user and conference data, and are the primary stores for other databases such as 

the response group database. A deployment with a single data- base server is possible but a solution that uses 

SQL Server mirroring is recommended for failover. Skype for Business is not installed on database servers.



5

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Edge Servers

•  Edge servers enable users to communicate with external users outside of the organization’s core network. 

These users might include employees working offsite, business partners, and users that were invited to join 

hosted Skype for Business meeting conferences. The edge server is also responsible for enabling connectivity 

to public IM services, such as Windows Live, Skype, and Google Talk.

•  Edge servers enable mobile support for Skype for Business. Users on supported mobile devices (Apple iOS, 

Android, Windows Phone or Nokia) can perform activities such as sending and receiving instant messages, 

viewing contacts, and viewing presence. In addition, some enter- prise voice features, such as click to join a 

conference, call via work, single number reach, voice mail, and missed calls are also supported. Push 

notifications are supported for mobile devices that don’t support applications running in the background.

•  Edge servers include a fully-integrated Extensible Messaging and Presence Protocol (XMPP) proxy, with an 

XMPP gateway included on front end servers. Configuring the XMPP compo- nents enables Skype for 

Business Server 2015 users to add contacts from XMPP-based partners (such as Google Talk) for instant 

messaging and presence.

Mediation Server

•  The Mediation Server is a necessary component for implementing Enterprise Voice and dial-in conferencing. 

It translates signalling, and, in some configurations, media. It can mediate traffic between your internal 

Skype for Business server and public switched telephone network (PSTN) gateways, IP-PBX, or a Session 

Initiation Protocol (SIP) trunk. The mediation server can be located on the same server as the front end 

server, or separated in a stand-alone mediation server pool.

Director Servers

•  Director servers can authenticate Skype for Business user requests but they do not store user account 

information, provide presence, or conferencing services. They are most useful for enhanced security in 

deployments that require external user access. The director servers authenticate requests before sending 

them to internal servers. In the event of a denial-of-ser- vice attack, the attack ends with the Director and 

does not reach the Front End Servers.

Persistent Chat Front End Servers

•  Persistent chat enables users to participate in multiparty, topic-based conversations that persist over time. 

The persistent chat front end server runs this service, while the persistent chat database server stores the 

chat history data, and information about categories and chat rooms. The optional persistent chat compliance 

back end server can store chat content and events for compliance purposes.

•  Deployments running Skype for Business Server Standard Edition can run persistent chat on the same server. You 

cannot configure a persistent chat front-end server and Enterprise Edition front- end server on the same server.



Workload Types

Instant Messaging and Presence

•  Instant messaging (IM) enables users to communicate with each other in real time on their com- puters using 

text-based messages. Both two-party and multiparty IM sessions are supported. A participant in a two-party 

IM conversation can add a third participant to the conversation at any time. When this happens, the 

cConversation window changes to support conferencing features.




6

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

•  Presence provides information to users about the status of other users on the network. A user’s presence 

status provides information to help others decide whether they should try to contact the user and whether to 

use instant messaging, phone, or email. Presence encourages instant com- munication when possible, but it 

also provides information about whether a user is in a meeting or out of the office, indicating that instant 

communication is not possible. This presence status is dis- played as a presence icon in Skype for Business and 

other presence-aware applications, including Microsoft Outlook, SharePoint, Word, and Excel. The presence 

icon represents the user’s current availability and willingness to communicate.

Audio/Video & Web Conferencing

•  With web conferencing, users can share and collaborate on documentsduring meetings and conference 

sessions. Additionally, users can share all or part of their desktop with each other in real time.

•  A/V conferencing enables real-time audio and video communications between users.

Enterprise Voice

•  Skype for Business Server 2015 supports multiple trunks between mediation servers and gate- ways. A trunk is 

a logical association between a port number and mediation server with a port number and gateway. This 

means that a mediation server can have multiple trunks to different gateways, and a gateway can have 

multiple trunks to different mediation servers. Inter-trunk routing makes it possible for Skype for Business to 

interconnect an IP-PBX to a public switched telephone network (PSTN) gateway or to interconnect multiple 

IP-PBX systems.

•  Skype for Business serves as the glue (that is, the interconnection) between different telephony systems. 

Microsoft Skype for Business Server 2015 makes improvements in the areas of call forwarding, simultaneous 

ringing, voice mail handling, and caller ID presentation.



Recommended topology for Hardware Load Balancers and Reverse Proxy


7

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Front End Pool internal interface load balancer setting

The configuration mentioned in the later sections of this guide will need to be duplicated for all of the individual 

servers/services mentioned here.

Server

NetScaler  

VServer Port

Node Port/  

Forward to

Port Type

NetScaler  

Persistence Profile

Description

Front End 443

443

TCP


Source IP

Used for internal ports for SIP/ TLS 

communication for remote user access, 

accessing internal Web conferences, and 

STUN/TCP inbound and outbound media 

communications for accessing internal 

media and A/V sessions.

Front End 135

135

TCP


Source IP

RPC


Front End 444

444


TCP

Source IP

HTTPS – Intra and Interpool 

communication

Front End 5061

5061


TCP

Source IP

SIP/MTLS

Front End 443

4443

TCP


Source IP

HTTPS


Front End 80

8080


TCP

Source IP

HTTP

Front End 5065



5065

TCP


Source IP

Used for incoming SIP listening

requests for application sharing.

Front End 5071

5071

TCP


Source IP

Used for incoming SIP requests for

the Response Group application.

Front End 5072

5072

TCP


Source IP

Used for incoming SIP requests for 

Attendant (dial in conferencing).

Front End 5073

5073

TCP


Source IP

Used for incoming SIP requests

for the Skype for Business Server 

Conferencing Announcement service  

(that is, for dial-in conferencing).

Front End 5075

5075

TCP


Source IP

Used for incoming SIP requests for

the Call Park application.

Front End 5076

5076

TCP


Source IP

Used for incoming SIP requests for

the Audio Test service.

Front End 5080

5080

TCP


Source IP

Used for call admission control by the 

Bandwidth Policy service for A/V Edge 

TURN traffic.

Front End 448

448


TCP

Source IP

Used for call admission control by the 

Skype for Business Server Bandwidth 

Policy Service.



8

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Front End Pool external interface load balancer setting

Server

NetScaler  

VServer Port

Node Port/  

Forward to

Port Type

NetScaler  

Persistence Profile

Description

Front End 443

443

TCP


Source IP

Used for internal ports for SIP/ TLS 

communication for remote user access, 

accessing internal Web conferences, and 

STUN/TCP inbound and outbound media 

communications for accessing internal 

media and A/V sessions.

Front End 443

4443

TCP


Source IP

RPC


Front End 80

8080


TCP

No Persistence

HTTPS – Intra and Interpool 

communication



Director Pool Load balancer settings

Server

NetScaler  

VServer Port

Node Port/  

Forward to

Port Type

NetScaler  

Persistence Profile

Description

Director


443

443


TCP

None


Used for internal ports for SIP/ TLS 

communication for remote user access, 

accessing internal Web conferences, and 

STUN/TCP inbound and outbound media 

communications for accessing internal 

media and A/V sessions.

Director

443


4443

TCP


None

HTTPS


Director

80

8080



TCP

None


HTTP

Director


5061

5061


TCP

None


Used for internal communications 

between servers and for client 

connections.

Edge internal interface load balancer setting

Server

NetScaler  

VServer Port

Node Port/  

Forward to

Port Type

NetScaler  

Persistence Profile

Description

A/V


443

443


TCP

Source IP

Used for internal ports for SIP/ TLS 

communication for remote user access, 

accessing internal Web conferences, and 

STUN/TCP inbound and outbound media 

communications for accessing internal 

media and A/V sessions.

Access

5061


5061

TCP


Source IP

Used for internal ports for SIP/MTLS 

communication for remote user access or 

federation.

A/V

5062


5062

TCP


Source IP

Used for internal ports for SIP/MTLS 

authentication of IM communications 

flowing outbound through the internal 

firewall. (MRAS authentication)

A/V


3478

3478


UDP

Source IP

Used for internal ports for STUN/ 

UDP inbound and outbound media 

communications.



9

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Edge External Load Balancer Settings

Server

NetScaler  

VServer Port

Node Port/  

Forward to

Port Type

NetScaler  

Persistence Profile

Description

A/V, Ac-


cess, Web 

Conf


443

443


TCP

Source Address

Affinity

Used for external ports for SIP/ TLS 

communication for remote user access, 

accessing internal Web conferences, and 

STUN/TCP inbound and outbound media 

communications for accessing internal 

media and A/V sessions.

Access


5061

5061


TCP

Source Address

Affinity

Used for external ports for SIP/MTLS 

communication for remote user access or 

federation.

A/V

3478


3478

UDP


Source Address

Affinity


Used for external ports for STUN/ 

UDP inbound and outbound media 

communications.

Note: For the vi rtual servers that are created for the A/V Edge Ext ernal services (on port 443 and 3478 as described above), USIP mode 

(Use Source IP) should be enabled for the backend services. Also, the useproxyport setting on the virtual servers should be disabled. These 

settings can be found in the Basic settings screen for the virtual server and services.



Port information for Reverse Proxy External interface

Description

Port

Destination IP

Source IP

Address book downloads, Address Book Web Query service, Auto-

Discover, client updates, meeting content, device updates, Group 

expansion, Office Web Apps for conferencing, dial-in conferencing, 

and meetings.

443


Reverse proxy listener 

(Virtual Server IP on 

NetScaler)

Any


Port information for Reverse Proxy Internal interface

Description

Port

Destination IP

Source IP

Traffic sent to port 443 on the reverse proxy external interface is 

redirected to a pool on port 4443 from the reverse proxy internal 

interface so that the pool web services can distinguish it from 

internal web traffic.

4443


Front End Server, Front 

End pool, Director, 

Director pool

Internal reverse 

proxy interface

Load Balancing Microsoft Skype for Business 2015 with NetScaler

Recommended Topology for load balancinginternal traffic

For this scenario, NetScaler acts as the HLB for Skype for Business, load balancing various enter- prise server 

roles. To assist in understanding the required network setup, we will use the following convention –

•  Network A: Internal Network (such as 192.168.1.x)

•  Network B: External/Perimeter Network (such as 10.10.1.x) with Internet connectivity




10

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Lab  Setup  

 

Role

FQDN

IP Network Interfaces

Additional Information

Active Directory

dc.yourdomain.com

192.168.1.x

Domain Controller & DNS

SQL Server 2014

sqlsfb.yourdomain.com

192.168.1.x

Default Instance for 

Skype for Business 2015

Skype for Business 2015 Front-End 1 sfbfe1.yourdomain.com

192.168.1.x

Pool Name: pool.  

yourdomain.com

Skype for Business 2015 Front-End 2 sfbfe2.yourdomain.com

192.168.1.x

Pool Name: pool.  

yourdomain.com

Skype for Business 2015 Director 1

sfbdir1.yourdomain.com

192.168.1.x

Pool Name: dirpool.  

yourdomain.com

Skype for Business 2015 Director 2

sfbdir2.yourdomain.com

192.168.1.x

Pool Name: dirpool.  

yourdomain.com

Outlook Web App server

owa.yourdomain.com

192.168.1.x

NetScaler

10.10.1.x

Front End Pool

pool.Yourdomain.com

192.168.1.61

NS VIP 1

Director Pool

dirpool.yourdomain.com

192.168.1.62

NS VIP 2

OWA Pool


owa.yourdomain.com

192.168.1.63

NS VIP 3

Configuring NetScaler for enabling Skype for Business internal traffic

To enable Skype for Business usage over the internal network on a NetScaler load balanced envi- ronment, 

perform the following steps –

Note: Of the services listed in the tables earlier, you may choose to deploy some or all of the ser- vices in your 

Skype for Business deployment. Perform the steps mentioned below only for the Skype for Business services 

deployed in your environment; when services that are not deployed in your Skype for Business environment are 

provisioned on NetScaler, theywill be shown as Down.

Step 1: Add Custom Monitors

Configure custom monitors for all applicable ports in the deployment. To determine the list of monitors to be 

configured, refer to the list of internal server ports listed in the Recommended Topology section presented earlier.

These monitors need to be enabled for each port to ensure that Skype for Business services are up and running. 

A generic monitor may determine that the server is up (since itresponds to ping requests) and continue to 

forward requests to servers, even though the actual Skype for Business service may be down.

To create monitors, navigate to Traffic Management>Load Balancing>Monitors. Then, click Add as shown below -




11

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Add an individual monitor for each service as shown below (the example port used is 5061)

 

Use the following template for settings in the Create Monitor window for each monitor –



Setting

Value

Name


MON_SFB_

Type


TCP

Standard Parameters>Interval

5 Seconds

Standard Parameters> Response Time-out

2 Seconds

Standard Parameters> Destination Port


(Here,
refers to the port number for the particular service that you are configuring the 


monitor for)

Step 2: Add Skype for Business application servers

Next, add the Skype for Business application servers to the NetScaler appliance by navigating to Traffic 

Management>Load Balancing>Servers and clicking the Add button, as shown below -

 

 



12

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

This will show the Create Server prompt, shown below. Provide a meaningful server name (or retain the IP 

address as shown below) and the IP Address of the server. All the servers that are being load balanced (Front 

End, Edge, Director or Database) should be added in this manner.

 

 

After adding the servers, verify that they are enabled by looking at the list of servers in the Servers list at Traffic 



Management>Load Balancing>Servers

 

 



Step 3: Create Skype for Business Services

Now, add services corresponding to the various Skype for Business services (listed in the tables pre- sented 

earlier) to the NetScaler appliance by navigating to Traffic Management>Load Balancing>Services and clicking 

the Add button, as shown below -

 

 

In the Load Balancing Service section, add an appropriate service name (as shown below) and port number as 



detailed in the tables for each of the services that are to be deployed over NetScaler.


13

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

 

 



After completing this configuration, click OK. Other additional features such as AppFlow logging can be enabled 

by clicking the More option, however this is not required for this configuration.

After completing the configuration as stated above, you should see the following list of services in your NetScaler 

device (or a subset, depending upon the services you have chosen to deploy).




14

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Step 4: Create NetScaler Virtual Servers

After creating the relevant servers and services as described above, you should create virtual serv- ers that will 

load balance these services. Navigate to Traffic Management>Load Balancing>Virtual Servers, then click Add as 

shown in the next screenshot.

 

 



The Load Balancing Virtual Server screen will be displayed. As stated earlier, this configuration should be 

repeated for all services that are deployed in your Skype for Business environment.

As an example, the virtual server configured below is for the incoming Response Group SIP request handling on 

port 5071 on the front end server.

 

 

After creating the virtual servers, bind the appropriate services to them by selecting Load Balancer Virtual Server 



Service Bindings under the Service header as shown below -

 

 




15

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

To bind these services, click Add Binding.

 

 

Then, select the appropriate services (created earlier) using the Select Service option.



Once services have been successfully bound, return to the Virtual Servers listing screen and verify that the virtual 

server is shown as Up, as illustrated below.




16

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

After adding the required virtual servers, the listing should include the following entries-

Note: With older NetScaler releases (<10.5.e), the SIP_SSL protocol for the v_director_5061 and v_ front_

end_5061 may not be available. In that case, these virtual servers should be configured with TCP and Source  

IP persistency.

In the list above, the following IP information is used –



IP Address

Details

192.168.1.61

NetScaler Virtual Server for Front End Servers

192.168.1.62

NetScaler Virtual Server for Director Servers

192.168.1.63

NetScaler Virtual Server for Office Web App Server

192.168.1.66

NetScaler Virtual Server for CAS (Exchange)

Step 5: Internal DNS Considerations

Below is an example of internal DNS Configuration used while testing in the lab: (please refer to the IP 

information table in the last section to understand which IP links to which NetScaler virtual server)



FQDN

IP Address

dialin.yourdomain.com

192.168.1.62

meet.yourdomain.com

192.168.1.62

Lyncdiscover.yourdomain.com

192.168.1.62

Owa.yourdomain.com

192.168.1.63

LyncWeb.yourdomain.com

192.168.1.61

LyncWebDir.yourdomain.com

192.168.1.62



17

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Step 6: SSL Certificate Considerations

Create the following server certificates, and then bind them to the appropriate NetScaler virtual servers using the 

commands shown. You can also do this by navigating to the Certificates section at Traffic Management>SSL using 

the NetScaler GUI.

Note: These certificates must be created when setting up Skype For Business. You can select these certificates 

from the Skype for Business Front End and Director Servers and apply them as shown below.

Certificate Attributes: 

Subject: CN=Dirpool.yourdomain.com 

X509v3 Subject Alternative Name: 

 

DNS:sip.Yourdomain.com, DNS:dir2.yourdomain.com, DNS:Dirpool.yourdomain.com, DNS:Dir1.



Yourdomain.com, DNS:dialin.yourdomain.com, DNS:meet.yourdomain.com, DNS:admin. yourdomain.com, 

DNS:lyncdiscoverInternal.Yourdomain.com, DNS:lyncdiscover.Yourdomain.com Commands to be executed  

on the NetScaler: 

add sslcertKeysfb_cert -cert dirpool.pem -key dirpool.pem  

bind sslvserver v_director_443 –certkeyNamesfb_cert 

bind sslvserver v_director_444 –certkeyNamesfb_cert  

bind sslvserver v_director_5061 –certkeyNamesfb_cert 

(These three virtual servers correspond to Director pool ports 443, 444 and 5061)

Certificate Attributes: 

Subject: CN=LyncwebDir.yourdomain.com 

X509v3 Subject Alternative Name: 

 

DNS:Dirpool.yourdomain.com, DNS:dialin.yourdomain.com, DNS:meet.yourdomain.com, DNS:admin.



yourdomain.com, DNS:Skype for BusinessdiscoverInternal.Yourdomain.com, DNS:Skype for Businessdiscover.

Yourdomain.com 

Commands to be executed on the NetScaler: 

addsslcertKeydirwebcert -cert dirweb.pem -key dirwebkey.pem  

bind sslvserverv_director_4443 -certkeyNamedirwebcert 

(This virtual server corresponds to Director pool port 4443)




18

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Certificate Attributes: 

X509v3 Subject Alternative Name: 

 

DNS:sip.Yourdomain.com, DNS:UCUpdates-r2.yourdomain.com, DNS:UCupdates-r2, DNS:Skype for 



Businessfe01.Yourdomain.com, DNS:Skype for Businessfe02.Yourdomain.com, DNS:Skype for Businessfe03.

Yourdomain.com, DNS:Skype for Businessfe04.Yourdomain.com, DNS:Pool.Yourdomain.com, DNS:dialin.

yourdomain.com, DNS:meet.yourdomain.com, DNS:admin. yourdomain.com, DNS:Skype for 

BusinessdiscoverInternal.Yourdomain.com, DNS:Skype for BusinessWeb.Yourdomain.com, DNS:Skype for 

Businessdiscover.Yourdomain.com 

Commands to be executed on the NetScaler: 

add sslcertKeypoolupdate_cert -cert pool-update-r2.pem -key pool-update- r2.ky 

bind sslvserver v_front_end_443 –certkeyNamepoolupdate_cert  

bind sslvserver v_front_end_444 –certkeyNamepoolupdate_cert  

bind sslvserver v_front_end_4443 –certkeyNamepoolupdate_cert  

bind sslvserver v_front_end_5061 –certkeyNamepoolupdate_cert 

(These four virtual servers correspond to front end pool ports 443, 444, 4443 and 5061)



Optional: Monitoring Resources

The front-end pool SIP Traffic on port 5061 is encrypted. However, you can optionally enable the unencrypted 

port 5060 for health monitoring (Note: SIP communication only occurs on the encrypted port, you can choose 

toenableport 5060 for health monitoring purposes only). This is achieved with the Skype for Business Topology 

Builder as shown below.

Once this change has been made, publish the topology to enable this port and create the custom NetScaler 

monitor. When creating this monitor, use SIP_TCP as the protocol for the monitor as the NetScaler appliance 

supports Extended Content Verification using SIP_TCP. For versions of NetScaler older than 10.5.e, you may use 

SIP_UDP as the protocol. Optionally, you can create cus- tom monitors for the internal SIP virtual servers.

 



19

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Load Balancing and Reverse Proxy for External traffic

Load Balancing Edge Pool

For the Edge pool, the NetScaler will serve as the connectivity point to both the internal and exter- nal NICs for 

multiple edge servers in an array.

•  Access Edge: The Access Edge service provides a single, trusted connection point for both out-bound and 

inbound Session Initiation Protocol (SIP) traffic.

•  Web Conferencing Edge: The Web Conferencing Edge service enables external users to join meetings that are 

hosted on an internal Skype for Business Server 2015 deployment.

•  A/V Edge service: The A/V Edge service makes audio, video, application sharing, and file transfer available to 

external users. Users can add audio and video to meetings that include external participants, and they can 

communicate using audio and/or video directly with an external user in point-to-point sessions. The A/V Edge 

service also provides support for desktop sharing and file transfer.

•  XMPP Proxy: The XMPP Proxy service accepts and sends extensible messaging and presence pro- tocol (XMPP) 

messages to and from configured XMPP Federated partners.

HTTPS Reverse Proxy

For Microsoft Skype for Business Server 2015 Edge Server deployments, an HTTPS reverse proxy (i.e. NetScaler) 

in the perimeter network is required for external clients to access the Skype for Business Server 2015 Web 

Services (called Web Components in Office Communications Server) on the Director and the user’s home pool. A 

reverse proxy is required because web services are located in the internal Skype for Business Pool; the Skype for 

Business Edge does not provide these features.

Some of the features that require external access through a reverse proxy include the following:

•  Enabling external users to download meeting content for your meetings.

•  Enabling external users to expand distribution groups.

•  Enabling remote users to download files from the Address Book service.

•  Accessing the Skype for Business Web App client.

•  Accessing the Dial-in Conferencing Settings webpage.

•  Accessing the Location Information service.

•  Enabling external devices to connect to Device Update web service and obtain updates.

•  Enabling mobile applications to automatically discover and use the mobility (Mcx) URLs from the Internet.

•  Enabling the Skype for Business 2015 client, Skype for Business Windows Store app and Skype for Business 

2015 Mobile client to locate the Skype for Business Discover (autodiscover) URLs and use the Unified 

Communications Web API (UCWA).




20

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Mobility

All mobility service traffic goes through the reverse proxy, regardless of the origination point—internal or 

external. In the case of a single reverse proxy, farm of reverse proxies, or a device acting as a reverse proxy, an 

issue can arise when the internal traffic is egressing through an interface and attempting to immediately ingress 

on the same interface. This often leads to a security rule viola- tion known as spoofing, or TCP packet spoofing. 

Hair pinning (the egress and immediate ingress of a packet or series of packets) must be allowed in order for 

mobility to function. One way to resolve this issue is to use a reverse proxy separate from the firewall (the 

spoofing prevention rule should always be enforced at the firewall). The hairpin can occur at the external 

interface of the reverse proxy instead of the firewall external interface. Spoofing is detected at the firewall, and 

rules are relaxed at the reverse proxy, thereby allowing the hairpin required by mobile traffic.



Federations & XMPP Partners

Federation, public instant messaging connectivity and Extensible Messaging and Presence Protocol (XMPP) 

define a different class of external users – Federated users. Users of a federated Skype for Business Server 

deployment or XMPP deployment have access to a limited set of services and are authenticated by the external 

deployment. Remote users are members of your Skype for Business Server deployment and have access to all 

services offered.

Public instant messaging connectivity is a special type of federation that allows a Skype for Business Server 

client to access configured public Instant Messaging partners using Skype for Business. Instant messaging 

connectivity is supported between Skype for Business and Skype users. (More details are provided at https://

technet.microsoft.com/en-us/library/dn705313.aspx in the Clients and Interoperability Matrix)

A public instant messaging connectivity configuration allows Skype for Business user’s access to public instant 

messaging connectivity users by:

•  IM and Presence

•  Visibility of public instant messaging connectivity contacts in Skype for Business client

•  Person to person IM conversations with contacts

•  Audio and video calls with Windows Live users

Skype for Business Server federation defines an agreement between your Skype for Business Server deployment 

and other Office Communications Server 2007 R2 or Lync deployments. A Skype for Business Server federated 

configuration provides Skype for Business users with access to federated users by:

•  IM and Presence

•  Creation of federated contacts in the Skype for Business client

XMPP federation defines an external deployment based on the eXtensible Messaging and Presence Protocol. An 

XMPP configuration provides Skype for Business users with access to allowed XMPP domain users by:

•  IM and Presence – person to person only

•  Creation of XMPP federated contacts in the Skype for Business client



21

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Load balancing external traffic

Lab Setup - External

Role

FQDN

IP Network  

Interfaces

Additional Information

Skype for Business Edge Internal Server

Edge1.yourdomain.com

192.168.1.x

Skype for Business Edge External Server 1 sfbEdge01.yourdomain. com

192.168.1.x

Skype for Business Edge External Server 1 sfbEdge02.yourdomain. com

192.168.1.x

NetScaler

10.105.157.x

Step 1: Create Services

The steps for configuration here are similar to the steps used for the internal deployment. Refer to the 

configuration tables provided earlier and configure the external deployment services using the same process. 

You should see the following virtual servers in your deployment.




22

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Step 2: Configure Virtual Servers

As configured for the internal deployment, configure virtual servers corresponding to the services created in the 

last step. You should have the following virtual servers (or a subset, depending on the Skype for Business services 

setup in your environment)

External DNS Considerations

Below is an example of external DNS Configuration used while testing in the lab:

FQDN

IP Address

Owa.yourdomain.com

10.105.157.154:443

Lyncdiscover.yourdomain.com

10.105.157.155:443

Lyncweb.yourdomain.com

10.105.157.156:443

LyncWebDir.yourdomain.com

10.105.157.155:443

Dialin.yourdomain.com

10.105.157.155:443

Meet.yourdomain.com

10.105.157.155:443

Mail.yourdomain.com

10.105.157.157:443

Sip.yourdomain.com

10.105.157.151:5061

webconf.yourdomain.com

10.105.157.152:443

av.yourdomain.com

10.105.157.153:443

(Refer to the last screenshot for details on which IP corresponds to which virtual server)




23

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

SSL Certificate Considerations

Create the below Server Certificate using a Public Trusted CA with Subject name and Subject alter- native names 

as shown below. This is necessary as an Internal CA would not be trusted by external clients. 

Certificate Attributes: 

Subject: CN=*.yourdomain.com  

Subject Alternative Name: 

 DNS:dialin.yourdomain.com, 

 

DNS:meet.yourdomain.com, 



DNS:Skype for Businessdiscover.yourdomain.com,  

DNS:Skype for Businesswebdir.yourdomain.com,  

DNS:admin.yourdomain.com,  

DNS:sip.yourdomain.com,  

DNS:webconf.yourdomain.com,  

DNS:av.yourdomain.com,  

DNS:owa.yourdomain.com, 

DNS:Skype for Businessweb.yourdomain.com, 

DNS:*.yourdomain.com 

(Example: The above cert is generated with rp.pem and its corresponding private key rpkey.pem) 

Commands to be executed on the NetScaler: 

Add this cert inside the NS and bind it with the External VIPs as shown below -

add sslcertKeyrpcert -cert rp.pem -key rpkey.pem  

bind sslvserverv_rproxy_443_owa –certkeyNamerpcert 

bind sslvserver v_rproxy_director_443 –certkeyNamerpcert  

bind sslvserver v_rproxy_frontend_443 –certkeyNamerpcert



Benefits of using a hardware load balancer

Skype for Business 2015 allows load balancing of network traffic that is unique to Skype for Business such as SIP 

and media traffic. Basic DNS load balancing can also support Front End, Edge Server, Director, and stand-alone 

Mediation Server pools. While DNS load balancing is lean and easy to maintain, this simplicity comes at the cost 

of availability, security and quality of service for end users.

The benefits of using a hardware load balancer in your Skype for Business 2015 deployment are -

1. Persistency of HTTP traffic

Though IM traffic is SIP based, data such as Address books,Shared content, Web based meeting connectivity, 

Group expansion and Device updates is HTTP-based. HTTP traffic is session oriented and therefore needs 

persistence. DNS load balancing does not support persistency and deploying a single server creates a single point 

of failure.

a. Hardware load balancers can support load balancing HTTP traffic with persistence

b. NetScaler provides industry leading HTTP load balancing, monitoring and persistence capabilities

c. Leverage connection multiplexing for optimal server utilization

d. Improve performance by enabling advanced compression and caching features



24

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

2. Quick automatic failure

DNS load balancing relies on the client or endpoint to determine the availability of servers in each pool, which is 

more reactive than preventative. A query for an FQDN provides a list of IPs for all pool members. If a client 

connects to a failed node, only then will it will resort to the next node in the list, which can lead to delays. Failed 

nodes must be manually removed from list.

a. A hardware load balancers provide monitors to check availability. This provides a proactive failure management 

and detection

b. Leverage application aware monitors of NetScaler for intelligent monitoring

c. NetScaler GSLB provides a disaster recovery solution across multiple data centers distributed across 

geographical locations.

3. Seamless integration for federation cases

OCS 2007 does not support DNS load balancing. Public IM services such as Skype, Google Talk etc., generally do 

not support DNS load balancing. DNS load balancing on your Edge Servers causes an interruptionin failover 

capabilitiesand increases the difficulty involved in interenterprise integration. These scenarios will work as long 

as all Edge Servers in the pool are up and running, but if one Edge Server is unavailable, any requests for these 

scenarios that are sent to it will fail, instead of routing to another Edge Server.

a. Hardware load balancers provide seamless integration and provide transparent load balancing and monitoring.

4. Seamless integration for Exchange Server Unified Management – Microsoft recommends hard- ware load 

balancing for Exchange.

5. Support for telephony equipment

Call failure rates are high when using DNS load balancing for the mediation server role with an IPBX that does not 

understand DNS LB.

Conclusion

A leading application delivery solution, Citrix NetScaler exceeds Microsoft’s external load balancer 

recommendations for Skype for Business deployments. Working closely with Microsoft’s engineer- ing and test 

teams, Citrix has designed NetScaler to optimize the delivery of traffic, achieving significant TCO savings while 

providing increased availability, capacity, performance, security and manageability.

To learn more about how NetScaler can bring these benefits to Skype for Business installations or address other 

application delivery requirements, please visit http://www.citrix.com.



25

citrix.com



Deploying Skype for Business with NetScaler

Deployment Guide

Appendix

Product versions used during testing



Product

Version

Microsoft Skype for Business

Skype For Business Server

SQL Server (SQL Server 2012)

SQL Server 2014

Citrix NetScaler

NetScaler 11.0

Skype for Business PowerShell Commands



Product

Version

Export Configuration for Edge Servers

Export-CsConfiguration –FileName

Update Address Book

Update-CsAddressBook

Verify Status of Replication

Get-CsManagementStoreReplicationStatus

Display Access Edge Configuration

Get-CsAccessEdgeConfiguration

Corporate Headquarters

Fort Lauderdale, FL, USA



Silicon Valley Headquarters

Santa Clara, CA, USA



EMEA Headquarters

Schaffhausen, Switzerland



India Development Center

Bangalore, India



Online Division Headquarters

Santa Barbara, CA, USA



Pacific Headquarters

Hong Kong, China



Latin America Headquarters

Coral Gables, FL, USA



UK Development Center

Chalfont, United Kingdom



About Citrix  

Citrix (NASDAQ:CTXS) is leading the transition to software-defining the workplace, uniting virtualization, mobility management, networking and 

SaaS solutions to enable new ways for businesses and people to work better. Citrix solutions power business mobility through secure, mobile 

workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. 

With annual revenue in 2014 of $3.14 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. 

Learn more at www.citrix.com.

Copyright © 2016 Citrix Systems, Inc. All rights reserved. Citrix and NetScaler are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, 

and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their 

respective companies..

0616/PDF 



Yüklə 138,83 Kb.

Dostları ilə paylaş:




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©genderi.org 2024
rəhbərliyinə müraciət

    Ana səhifə