Forum Discussion
Hybrid SIP domain
- Oct 22, 2017
Hi John,
I wrote a detailed response that keeps being posted as an answer then mysteriously disappearing... Let me try just posting the summary, then the full post:
Summary
- SIP Domains only on Skype for Business Online: point all records to cloud
- SIP Domains on-prem and online (hybrid), point to on-premises Edge server(s) & Reverse Proxy
- Edge server certificate will always require an additional SAN entry
- Reverse Proxy certificate won't if you are happy to allow lyncdiscover over http (port 80)
For any SIP domains that only exist in Office 365, all DNS records can point to Office 365. There are 4 records per domain that you need to configure:
SRV Records
Type | Service | Protocol | Port | Weight | Priority | TTL | Name | Target
SRV | _sip | _tls | 443 | 1 | 100 | 1 hour | <DomainName> | sipdir.online.lync.com
SRV | _sipfederationtls | _tcp | 5061 | 1 | 100 | 1 hour | <DomainName> | sipfed.online.lync.com
CNAME Records
Type | Host name | Destination | TTL
CNAME | sip.<DomainName> | sipdir.online.lync.com | 1 hour
CNAME | lyncdiscover.<DomainName> | webdir.online.lync.com | 1 hour
For any hybrid SIP Domains, domains that exist in both Skype for Business On-Premises and Skype for Business Online, all DNS records need to point to your on-premises Edge Server(s) and Reverse Proxy.
This does of course impact the number of SANs required on your public certificates. However, if you follow the below guidance you can limit the number of SANs required on your Reverse Proxy certificate
- Damien Margaritis, Oct 22, 2017, Iron Contributor
DNS Records for Remote User/Federation (Edge Server Certificate)
For each hybrid domain in your environment, you will need to create the following records. These will hit the public certificate on your Edge server/pool. It's important that the domains are consistent between A Records and SRV Records. For example:
SRV _sip._tls.domain.com > A Record sip.domain.com:443
This means that, on your edge servers, you will need an additional SAN entry for each hybrid SIP Domain you want to support.
A Records
Type | FQDN | IP Address
A | sip.domain.com | <edge server access public IP address>
SRV Records
Type | Service | Protocol | Port | Weight | Priority | TTL | Name | Target
SRV | _sip | _tls | 443 | 1 | 100 | 1 hour | domain.com | sip.domain.com
SRV | _sipfederationtls | _tcp | 5061 | 1 | 100 | 1 hour | domain.com | sip.domain.com
- Damien Margaritis, Oct 22, 2017, Iron Contributor
DNS Records for web services (Reverse Proxy certificate)
For most URLs in a hybrid Skype for Business environment, you can negate the need to add additional entries to the public certificate by only using the same main domain for all URLs. For example:
Meet URLs
The meet simple URL, when supporting multiple domains, can be constructed like the following example, which uses the same base domain for all supported hybrid SIP Domains:
https://skype.domain.com/sipdomain1/Meet
https://skype.domain.com/sipdomain2/Meet
https://skype.domain.com/sipdomain3/Meet
Dialin URL
An on-premises/hybrid Skype for Business environment only requires a single Dialin URL, no need for multiple:
https://dialin.domain.com/
- Damien Margaritis, Oct 22, 2017, Iron Contributor
However, as the lyncdiscover record is constructed using the SIP Domain entered when a user signs into the Skype for Business mobility client, you cannot use the same logic used in the meet URL example.
If you want to avoid updating the Reverse Proxy's public certificate SAN list, it can be done, but you will need to open port 80 (http) and allow for lyncdiscover to resolve and return the Skype for Business Front End pool's web services url unsecured. This works the following way:
- Client enters the SIP Domain in the Mobility client (e.g. john.doe@domain.com)
- Client tries to connect to secure web services (HTTPS) at https://lyncdiscover.domain.com/ - fails
- Client tries to connect to unsecure web services (HTTP) at http://lyncdiscover.domain.com/ - successful
- XML is returned to the client which contains the Skype for Business pool web services URL, which uses the primary pool SIP Domain.
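The rules in the posts above (cloud targets for online-only domains, same-base-domain SRV targets plus an extra Edge SAN for every hybrid domain, and a reverse proxy SAN for lyncdiscover unless the port 80 fallback is accepted) can be turned into a small planning and certificate check. The following is an added example, not code from the thread or from Microsoft; the cloud hostnames, ports, weights and priorities are the values from the posts, while the domain names, IP addresses and SAN lists are constructed sample data, and the hybrid lyncdiscover record being an A record to the reverse proxy is an assumption.

```python
"""Plan public DNS records and certificate SAN entries for Skype for Business
SIP domains that are online-only or hybrid (on-premises plus online).

Added example; not code from the forum thread or from Microsoft. Cloud targets,
ports, weights and priorities are the post's values; all domain names, IP
addresses and SAN lists are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    rtype: str           # "SRV", "CNAME" or "A"
    name: str            # owner name, e.g. _sip._tls.contoso.example
    target: str          # target FQDN (SRV/CNAME) or IP address (A)
    port: int = 0        # SRV only
    weight: int = 1      # SRV only
    priority: int = 100  # SRV only
    ttl: str = "1 hour"


def plan_records(sip_domain: str, hybrid: bool,
                 edge_ip: str, reverse_proxy_ip: str) -> list[Record]:
    """Return the four public records the posts list for one SIP domain."""
    if not hybrid:
        # Online-only domain: every record points at Office 365.
        return [
            Record("SRV", f"_sip._tls.{sip_domain}", "sipdir.online.lync.com", 443),
            Record("SRV", f"_sipfederationtls._tcp.{sip_domain}", "sipfed.online.lync.com", 5061),
            Record("CNAME", f"sip.{sip_domain}", "sipdir.online.lync.com"),
            Record("CNAME", f"lyncdiscover.{sip_domain}", "webdir.online.lync.com"),
        ]
    # Hybrid domain: SRV targets stay inside the same SIP domain so the name the
    # client connects to matches both the A record and the Edge certificate SAN.
    sip_host = f"sip.{sip_domain}"
    return [
        Record("SRV", f"_sip._tls.{sip_domain}", sip_host, 443),
        Record("SRV", f"_sipfederationtls._tcp.{sip_domain}", sip_host, 5061),
        Record("A", sip_host, edge_ip),
        # Assumption: lyncdiscover for a hybrid domain is an A record pointing at
        # the reverse proxy; the post only says it must reach the reverse proxy.
        Record("A", f"lyncdiscover.{sip_domain}", reverse_proxy_ip),
    ]


def srv_targets_consistent(records: list[Record]) -> list[str]:
    """Apply the post's rule that _sip._tls.domain.com must target sip.domain.com
    and that this host must exist as an A/CNAME record. Returns the owner names
    of SRV records that break the rule (empty list means consistent)."""
    hosts = {r.name for r in records if r.rtype in ("A", "CNAME")}
    problems = []
    for r in records:
        if r.rtype != "SRV":
            continue
        if r.target.endswith(".online.lync.com"):
            continue  # cloud target: nothing on-premises to match against
        base = r.name.split(".", 2)[2]  # strip the _service._proto labels
        if r.target != f"sip.{base}" or r.target not in hosts:
            problems.append(r.name)
    return problems


def required_sans(hybrid_domains: list[str],
                  allow_lyncdiscover_http: bool) -> tuple[set[str], set[str]]:
    """Extra SAN entries per hybrid domain. The Edge certificate always needs
    sip.<domain>; the reverse proxy needs lyncdiscover.<domain> unless the
    unsecured HTTP (port 80) lyncdiscover fallback is acceptable."""
    edge = {f"sip.{d}" for d in hybrid_domains}
    proxy = set() if allow_lyncdiscover_http else {f"lyncdiscover.{d}" for d in hybrid_domains}
    return edge, proxy


def missing_sans(required: set[str], present: list[str]) -> list[str]:
    """Names the certificate would have to be reissued for."""
    return sorted(required - {p.lower() for p in present})


if __name__ == "__main__":
    hybrid = ["fabrikam.example", "tailspin.example"]  # constructed sample domains
    for d in hybrid:
        for rec in plan_records(d, True, "203.0.113.10", "203.0.113.20"):
            print(rec)
    edge, proxy = required_sans(hybrid, allow_lyncdiscover_http=False)
    print("Edge SANs to add:", missing_sans(edge, ["sip.domain.com", "webconf.domain.com"]))
    print("Reverse proxy SANs to add:", missing_sans(proxy, ["skype.domain.com", "dialin.domain.com"]))
```

Running it with `allow_lyncdiscover_http=True` empties the reverse proxy list, which is exactly the trade-off the last post describes: no certificate change, at the cost of the discovery response travelling over plain HTTP.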