SOLVED

Hybird SIP domain

Deleted
Not applicable

If we plan to hybrid a sip domain on the tenant,  but they have five sip domains.

I know if we plan to hybrid one sip domain and we need to hybrid four domains on a same tenant.

For the DNS, can we still point four hybrid domains to lyncdiscover to lynconline?

All sip domains Sip federation SRV records will point to on-premise edge server.

 

 

Thanks.

 

23 Replies

Possible to simplify your question as I am not getting what you wanted to achieve? 

 

You have 5 sip domains, and you plan to use 1 sip domain as a Hybrid? And? 

We can’t only hybrid one sip domain.
We want to minimize the impact for another domains , can we still point lyncdiscover to online for another SIP domains login?
But the SIP federation can still work because we will add sip.adomain.com sip.bdomain.com... on on-premise edge server.

Assumed the followings;

 

Hybrid domains

1.domain.com

2.domain.com

3.domain.com

4.domain.com

 

1 online domain

5.domain.com

 

In this case, Yes, you can point 5.domain.com to SFB Online, while 1-4.domain.com points to Hybrid Edge.

Hybrid domains

1.domain.com

 

 

1 online domain

2.domain.com

3.domain.com

4.domain.com

5.domain.com

 

For federation. I need point all to the on-premise edge?

Yes. 

Can we put lyncdiscover to online webdir.online.lync.com ?

1 online domain

2.domain.com

3.domain.com

4.domain.com

5.domain.com

 

Hybrid and Online SIP domains , SIP and SIP federation update to on-premise edge server.

Sip.2.domain.com 

Sip.3.domain.com 

Sip.4.domain.com 

Sip.5.domain.com 

 

Then we can minimize the impact login process to another on-line sip domains users. 

 

Make it simple, for Online SIP domain, use the DNS records given by Microsoft in the portal. For Hybrid-domains, point to On-prem Edge and Reverse Proxy, if you have one.  

And yes, you can point lyncdiscover to online webdir.online.lync.com

Currently all SIP domains pointed to online webdir.online.lync.com. 

Go to first question if we  hybrid one sip domain, I need to hybrid all sip domains right? 

But online SIP domains  lyncdiscover can still point to webdir.online.lync.com.

 

hybrid domain can't see online sip domains , if we didn't point all online SIP domains SRV to on-premise edge server? Because it require additional SANs certificate for edge server.

 

We can't save cost for the SAN certificate for another online SIP domains?

 

Thanks.

I see, in this case;

 

Only 1 Hybrid domain, let's say for example, "hybrid.abc.com".

 

DNS record for Hybrid domain.

- Point to on-prem Edge for only "hybrid.abc.com" domain.  

 

Certificate for Hybrid domain.

- Get only one certificate for "hybrid.abc.com"

- No need to consider Certificate and DSN records for Online domains. 

- No need to include all other ONLINE DOMAINS. 

 

DNS record for Online Domains.

- Don't change DNS records for Online domains. 

No additional certificates required for Online domain.

 

 

 

Hi John,

 

For any SIP domains that only exist in Office 365, all DNS records can point to Office 365. There are 4 records per domain that you need to configure:

 

SRV Records

 

TypeServiceProtocolPortWeightPriorityTTLNameTarget

SRV_sip_tls44311001 hour<DomainName>sipdir.online.lync.com
SRV_sipfederationtls_tcp506111001 hour<DomainName>sipfed.online.lync.com

 

CNAME Records

 

TypeHost nameDestinationTTL

CNAMEsip.<DomainName>sipdir.online.lync.com1 hour
CNAMElyncdiscover.<DomainName>webdir.online.lync.com1 hour

 

For any hybrid SIP Domains, domains that exist in both Skype for Business On-Premises and Skype for Business Online, all DNS records need to point to your on-premises Edge Server(s) and Reverse Proxy.

 

This does of course impact the number of SANs required on your public certificates. However, if you follow the below guidance you can limit the number of SANs required on your Reverse Proxy certificate

 

DNS Records for Remote User/Federation (Edge Server Certificate)

 

For each hybrid domain in your environment, you will need to create the following records. These will hit the public certificate on your Edge server/pool. It's important that the domains are consistent between A Records and SRV Records. For example:

 

SRV _sip._tls.domain.com > A Record sip.domain.com:443

 

This means that, on your edge servers, you will need an additional SAN entry for each hybrid SIP Domain you want to support.

 

A Records

 

Type FQDN IP Address

Asip.domain.com<edge server access public IP address>

 

 

SRV Records

 

TypeServiceProtocolPortWeightPriorityTTLNameTarget

SRV_sip_tls44311001 hourdomain.comsip.domain.com
SRV_sipfederationtls_tcp506111001 hourdomain.comsip.domain.com

 

DNS Records for web services (Reverse Proxy certificate)

 

For most URLs in a hybrid Skype for Business environment, you can negate the need to add additional entries to the public certificate by only using the same main domain for all URLs. For example:

 

Meet URLs

 

The meet simple URL, when supporting multiple domains, can be constructed like the following example, which uses the same base domain for all supported hybrid SIP Domains:

 

https://skype.domain.com/sipdomain1/Meet

https://skype.domain.com/sipdomain2/Meet

https://skype.domain.com/sipdomain3/Meet

 

Dialin URL

 

An on-premises/hybrid Skype for Business environment only requires a single Dialin URL, no need for multiple:

 

https://dialin.domain.com

 

However, as the lyncdiscover record is constructed using the SIP Domain entered when a user signs into the Skype for Business mobility client, you cannot use the same logic used in the meet URL example.

 

If you want to avoid updating the Reverse Proxy's public certificate SAN list, it can be done, but you will need to open port 80 (http) and allow for lyncdiscover to resolve and return the Skype for Business Front End pool's web services url unsecured. This works the following way:

 

  1. Client enters in SIP Domain in Mobility client (eg john.doe@domain.com)
  2. Client tries to connect to secure web services (HTTPS) at https://lyncdiscover.domain.com - fails
  3. Client tries to connect to unsecure web services (HTTP) at http://lyncdiscover.domain.com - successful
  4. XML is returned to client which contains Skype for Busienss pool web services URL, which uses the primary pool SIP Domain. Here's an example of a domain in my environment that uses lyncdiscover over port 80, and shows web services in the primary SIP Doamin - this matches the domain on the Reverse Proxy certificate:

22.jpg

 

 

 

Summary

 

  • SIP Domains only on Skype for Business Online: point all records to cloud
  • SIP Domains on-prem and online (hybrid), point to on-premises Edge server(s) & Reverse Proxy
    • Edge server certificate will always require an additional SAN entry
    • Reverse Proxy certificate won't if you are happy to allow lyncdiscover over http (port 80)

 

I hope this helps.

 

Damien

 

best response confirmed by VI_Migration (Silver Contributor)
Solution

Hi John,

 

I wrote a detailed response that keeps being posted as an answer then mysteriously disappearing... Let me try just posting the summary, then the full post:

 

Summary

 

  • SIP Domains only on Skype for Business Online: point all records to cloud
  • SIP Domains on-prem and online (hybrid), point to on-premises Edge server(s) & Reverse Proxy
    • Edge server certificate will always require an additional SAN entry
    • Reverse Proxy certificate won't if you are happy to allow lyncdiscover over http (port 80)

 

For any SIP domains that only exist in Office 365, all DNS records can point to Office 365. There are 4 records per domain that you need to configure:

 

SRV Records

 

TypeServiceProtocolPortWeightPriorityTTLNameTarget

SRV_sip_tls44311001 hour<DomainName>sipdir.online.lync.com
SRV_sipfederationtls_tcp506111001 hour<DomainName>sipfed.online.lync.com

 

CNAME Records

 

TypeHost nameDestinationTTL

CNAMEsip.<DomainName>sipdir.online.lync.com1 hour
CNAMElyncdiscover.<DomainName>webdir.online.lync.com1 hour

 

For any hybrid SIP Domains, domains that exist in both Skype for Business On-Premises and Skype for Business Online, all DNS records need to point to your on-premises Edge Server(s) and Reverse Proxy.

 

This does of course impact the number of SANs required on your public certificates. However, if you follow the below guidance you can limit the number of SANs required on your Reverse Proxy certificate

DNS Records for Remote User/Federation (Edge Server Certificate)

 

For each hybrid domain in your environment, you will need to create the following records. These will hit the public certificate on your Edge server/pool. It's important that the domains are consistent between A Records and SRV Records. For example:

 

SRV _sip._tls.domain.com > A Record sip.domain.com:443

 

This means that, on your edge servers, you will need an additional SAN entry for each hybrid SIP Domain you want to support.

 

A Records

 

Type FQDN IP Address

Asip.domain.com<edge server access public IP address>

 

 

SRV Records

 

TypeServiceProtocolPortWeightPriorityTTLNameTarget

SRV_sip_tls44311001 hourdomain.comsip.domain.com
SRV_sipfederationtls_tcp506111001 hourdomain.comsip.domain.com

 

DNS Records for web services (Reverse Proxy certificate)

 

For most URLs in a hybrid Skype for Business environment, you can negate the need to add additional entries to the public certificate by only using the same main domain for all URLs. For example:

 

Meet URLs

 

The meet simple URL, when supporting multiple domains, can be constructed like the following example, which uses the same base domain for all supported hybrid SIP Domains:

 

https://skype.domain.com/sipdomain1/Meet

https://skype.domain.com/sipdomain2/Meet

https://skype.domain.com/sipdomain3/Meet

 

Dialin URL

 

An on-premises/hybrid Skype for Business environment only requires a single Dialin URL, no need for multiple:

 

https://dialin.domain.com

However, as the lyncdiscover record is constructed using the SIP Domain entered when a user signs into the Skype for Business mobility client, you cannot use the same logic used in the meet URL example.

 

If you want to avoid updating the Reverse Proxy's public certificate SAN list, it can be done, but you will need to open port 80 (http) and allow for lyncdiscover to resolve and return the Skype for Business Front End pool's web services url unsecured. This works the following way:

 

- Client enters in SIP Domain in Mobility client (eg john.doe@domain.com

- Client tries to connect to secure web services (HTTPS) at https://lyncdiscover.domain.com - fails

- Client tries to connect to unsecure web services (HTTP) at http://lyncdiscover.domain.com - successful

- XML is returned to client which contains Skype for Busienss pool web services URL, which uses the primary pool SIP Domain.

Here's an example of a domain in my environment that uses lyncdiscover over port 80, and shows web services in the primary SIP Doamin - this matches the domain on the Reverse Proxy certificate:

22.jpg

 

Summary

 

SIP Domains only on Skype for Business Online: point all records to cloud
SIP Domains on-prem and online (hybrid), point to on-premises Edge server(s) & Reverse Proxy
Edge server certificate will always require an additional SAN entry
Reverse Proxy certificate won't if you are happy to allow lyncdiscover over http (port 80)

Hi Damien,

Thank you for your detail explain.

We didn't plan to reduce SANs for RP lyncdiscover for all sip domains.

Conclusion ,  We better point all sip domains to On-prem RP lyncdiscover, for all hybrid & online domains.

Hi John,

 

It would be incorrect to point online only domains to on-premises Reverse Proxy. These should point directly to Skype for Business Online.

 

Damien

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

Hi John,

 

I wrote a detailed response that keeps being posted as an answer then mysteriously disappearing... Let me try just posting the summary, then the full post:

 

Summary

 

  • SIP Domains only on Skype for Business Online: point all records to cloud
  • SIP Domains on-prem and online (hybrid), point to on-premises Edge server(s) & Reverse Proxy
    • Edge server certificate will always require an additional SAN entry
    • Reverse Proxy certificate won't if you are happy to allow lyncdiscover over http (port 80)

 

View solution in original post