Based on the following PDF, which I have published on the TechNet Gallery, I explain how to set up a CCE appliance from Sonus, the SBC 1000 Cloud Link.
Generally, if you use the same CloudConnector.ini as provided in the How-To Guide, you will also be able to install the CCE on a dedicated physical Hyper-V host.
You can download the full 96 pages here:
https://gallery.technet.microsoft.com/Cloud-Connector-Configurati-521b533f
Happy reading ;)
Logical Infrastructure
DNS access is required externally for the Access Edge Server and the Media Relay (audio); video is not implemented for local breakouts. The internal CCE servers must resolve internal DNS names, while the Access Edge component resolves via external DNS. Therefore, the Access Edge should resolve DNS externally and have a hosts file (C:\Windows\System32\drivers\etc\hosts) for internal DNS resolution.
Note:
The onmicrosoft.com DNS suffix external tenant is not supported.
SIP.<sipdomain> is not supported for any CCE; it is reserved for the Office 365 Access Edge.
External DNS entries for CCE (also used for certificates):
Access Edge: e.g., access.sipdomain.com CCE Site (x) Access Edge
SIP domain: e.g., sip.sipdomain.com Office 365 Access Edge
DNS Record for sonusms01.com | Record Type | Setting | Comment |
CCE Site A | |||
Accesspool | A | 123.123.123.1 | IP of Access Edge, Single CCE SITE or Site A |
mr01 | A | 123.123.123.2 | Not required to be set (mr can be the same IP as Access Edge) |
CCE Site B | |||
accesspool02 | A | 12.123.123.1 | IP of Access Edge, Multi CCE SITES, e.g. Site B |
mr02 | A | 12.123.123.2 | Not required to be set |
Office 365 | |||
sip | CNAME | sipdir.online.lync.com | |
lyncdiscover | CNAME | webdir.online.lync.com | |
_sip._tls | SRV | 100 1 443 sipdir.online.lync.com | |
_sipfederationtls._tcp | SRV | sipfed.online.lync.com | |
Note:
Media Relay is not required in the certificate. The MRAS service will issue its own certificate for media encryption. Therefore, a DNS record for it is not required either; it is optional.
The MR can have its own IP address, but this is neither required nor advisable.
DNS Access queries in CCE
All internal VMs will query the CCE AD DNS installed automatically on the DC VM.
The Edge Server VM has a hosts file installed for internal DNS and uses any external “public” DNS server for Internet-related queries, such as those for the Office 365 tenant.
Note:
All other DNS records necessary for the internal and external (Internet) networks remain unchanged for Office 365 deployments.
Note:
During CCE installation it might be required to point the internal DNS (AD) to an external system.
External Certificates
Notes:
A CN starting with SIP.<domain> is not supported with anything other than a wildcard certificate. SIP is a placeholder for access edge client logins.
It is possible to use a single certificate for all CCE sites, as long as the other sites are listed with their fully qualified domain name (FQDN) in the SAN entries.
Single CCE Site
In addition to the DNS entries, publicly-signed SAN certificates are also required:
SN/CN | accesspool.sonusms01.com | Single CCE SITE |
SAN | accesspool.sonusms01.com | |
SAN | sip.sonusms01.com |
Note:
Single CCE site deployment is similar to the well-known on-premises deployments for Edge Servers; the principles are identical. That is, if an Edge Pool is used, the external Pool Name must be addressed with HLB or DNS LB, but if it is a single server, only the server name is needed.
Multi-Site CCE Site with Shared Certificates
Multiple CCE Sites can be registered with Office 365:
SN/CN | accesspool.sonusms01.com | |
SAN | accesspool.sonusms01.com | CCE Site 1 |
SAN | accesspool01.sonusms01.com | CCE Site 2 |
SAN | sip.sonusms01.com |
Wildcard Certificates
Wildcard certificates are supported.
SN/CN | name.sonusms01.com | It can be sip.* too in this case |
SAN | sip.sonusms01.com | 1 |
SAN | *.sonusms01.com | Wildcard |
SAN | xx | Any other SAN |
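The naming rules from the DNS notes and the certificate tables in this section can be checked before a certificate is ordered. The following is an added example, not part of the original guide or of the CCE tooling; the function name Test-CceCertificateNames and its parameters are hypothetical, and the second plan is constructed to fail.

```powershell
# Added example (not from the original guide): lint a planned external certificate
# against the DNS and certificate naming rules stated on this page.
function Test-CceCertificateNames {
    param(
        [Parameter(Mandatory)] [string]   $SipDomain,       # e.g. sonusms01.com
        [Parameter(Mandatory)] [string[]] $AccessEdgeFqdn,  # external Access Edge FQDN of each CCE site
        [Parameter(Mandatory)] [string]   $SubjectName,     # certificate SN/CN
        [Parameter(Mandatory)] [string[]] $San              # certificate SAN entries
    )
    $findings    = @()
    $sipFqdn     = "sip.$SipDomain"
    $hasWildcard = $San -contains "*.$SipDomain"   # literal, case-insensitive comparison
    # A wildcard SAN covers exactly one label directly below the SIP domain.
    $oneLabel    = '^[^.]+\.' + [regex]::Escape($SipDomain) + '$'

    if ($SipDomain -like '*.onmicrosoft.com') {
        $findings += "SIP domain '$SipDomain' uses the unsupported onmicrosoft.com suffix"
    }
    foreach ($fqdn in $AccessEdgeFqdn) {
        if ($fqdn -eq $sipFqdn) {
            $findings += "'$fqdn' is reserved for the Office 365 Access Edge, not for a CCE site"
        }
        $covered = ($San -contains $fqdn) -or ($hasWildcard -and ($fqdn -match $oneLabel))
        if (-not $covered) { $findings += "SAN list does not cover Access Edge FQDN '$fqdn'" }
    }
    if ($San -notcontains $sipFqdn) { $findings += "SAN list is missing '$sipFqdn'" }
    if (($SubjectName -eq $sipFqdn) -and (-not $hasWildcard)) {
        $findings += "CN '$SubjectName' is only supported on a wildcard certificate"
    }
    $findings
}

# Multi-site plan taken from the shared-certificate table on this page.
$shared = @{
    SipDomain      = 'sonusms01.com'
    AccessEdgeFqdn = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com'
    SubjectName    = 'accesspool.sonusms01.com'
    San            = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com', 'sip.sonusms01.com'
}
@(Test-CceCertificateNames @shared)

# Constructed faulty plan: second site missing from the SANs, sip CN without a wildcard SAN.
$faulty = @{
    SipDomain      = 'sonusms01.com'
    AccessEdgeFqdn = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com'
    SubjectName    = 'sip.sonusms01.com'
    San            = 'sip.sonusms01.com', 'accesspool.sonusms01.com'
}
@(Test-CceCertificateNames @faulty)
```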
Notes:
Wildcards are supported as sn=sip.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Microsoft also supports sn=*.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Internal Certificates
All internal servers–including the Domain Controller–require certificates, which can be either private certificates or externally signed.
· Typically, a CA is installed using the CCE automated setup, and the certificate can be generated automatically based on the CA
· The “Member Servers” are domain-joined to the CCE Active Directory Forest
· Root Certificates are propagated automatically, but with the Edge component, you have to import the Root Certificate for the internal side of the Edge
CMS VMs (primary or backup) require a default certificate with server FQDN as the subject name.
Mediation Server VMs require a default certificate with the Mediation Server Pool FQDN as the subject name. A single certificate can be used across all mediation server VMs, or each VM can use its own certificate, as long as they all have the pool FQDN in the subject name.
Edge VMs require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate, as long as they all have the internal pool FQDN in the subject name.
Note:
Remember to import the Root CA certificates if internal or private certificates are going to be used. With the Sonus CCE Appliance, this step is handled by the CCE Installation Wizard.
Firewall Port Configuration[1]
Internal Firewall
Source IP | Destination IP | Source Port | Destination Port |
Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060** |
SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068/TLS 5067 |
Cloud Connector Mediation component | Internal clients | 49 152–57 500* | TCP 50,000–50,019 |
Cloud Connector Mediation component | Internal clients | 49 152–57 500* | UDP 50,000–50,019 |
Internal clients | Cloud Connector Mediation component | TCP 50,000–50,019 | 49 152–57 500* |
Internal clients | Cloud Connector Mediation component | UDP 50,000–50,019 | 49 152–57 500* |
* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.
** This port should be configured on the SBC/PSTN gateway; 5060 is an example. Other ports on the SBC/PSTN gateway can be configured as required.
External Firewall - Minimum Configuration
Source IP | Destination IP | Source Port | Destination Port |
Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478 |
Any | Cloud Connector Edge External Interface | TCP 50,000–59,999 | TCP 443 |
Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478 |
Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | TCP 443 |
External Firewall - Recommended Configuration
Source IP | Destination IP | Source Port | Destination Port |
Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | Any |
Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 | Any |
Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000–59,999 |
Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 |
Configuration Guide for Users, Dial-Plans, Voice Routes and PSTN Usage
This section covers the view for Cloud Connector Edition Setup only. Remember to assign an Office 365 license before users are enabled for a Skype for Business online account.
Connect to MSOnline
It is best to connect to MSOnline as well:
Import-Module MSOnline
$credential = Get-Credential
Connect-MsolService -Credential $credential
Connect to Skype for Business Online
The Skype for Business Online Connector (Windows PowerShell module) can be downloaded from the Microsoft Download Center.
For more information go to Configuring your computer for Skype for Business Online management.
Import-Module skypeonlineconnector
$cred = Get-Credential
$Session = New-CsOnlineSession -Credential $cred -Verbose
Import-PSSession $session
Configuration Data Definition CloudConnector.ini
The LAN site is network address 192.168.210.0/24
Parameter | Value |
SIP Domain | sonusms01.com |
Virtual Machine Domain | sfbhybridtest.local |
Server Name | AD |
IP | 192.168.210.115 |
Online SIP Federation FQDN | sipfed.online.lync.com |
Site Name | AEPSITE1 |
Base VMIP | 192.168.210.119 |
Management Switch Name | SfB CCE Management Switch |
Internet Switch Name | SfB CCE Internet Switch |
Corpnet Switch Name | SfB CCE Corpnet Switch |
Management IP Address Prefix | 192.168.219.0 |
Internet Default Gateway | 192.168.211.1 |
Corpnet Default Gateway | 192.168.210.1 |
Internet DNS IP Address | 8.8.8.8 |
Corpnet DNS IP Address | 8.8.8.8 |
Primary CMS | |
Server Name | CMS-Server |
IP Address | 192.168.210.116 |
Share Name | CmsFileStore |
Mediation Server | |
Server Name | MediationServer |
Pool Name | mspool |
IP Address | 192.168.210.117 |
Edge Server | |
Internal Server Name | Edge-064913 |
External MR Public IPs | 12.8.245.86 |
External SIP IPs | 192.168.211.86 |
Internal Pool Name | Edgepool |
Internal Server IPs | 192.168.210.118 |
External MR IPs | 192.168.211.86 |
External SIP Pool Name | AEPSITE2 |
Gateway | |
FQDN | Sbc1.sfbhybridtest.local |
IP Address | 192.168.210.113 |
PORT | 5060 |
Protocol | TCP |
Enable Refer Support | true |
Sonus Network (specific too) | |
Network Type | intranet |
Deployment Type | standalone |
Set the Network Interfaces on CCE
The first step is navigating to the Settings tab–> ASM Configuration in the Node Interfaces section. Here a real IP address is assigned to the physical SBC network interface.
Two Class C networks are defined:
NIC 1 LAN (and CCE VMs): IP: 192.168.100.0/24, IP: 192.168.100.114
NIC 2 Internet (and CCE Edge VMs): IP: 192.168.211.0/24, IP: 192.168.211.85
Set VM and Hyper-V Networks on CCE
Next click the Tasks tab–>Configure CCE, where the CCE deployment information is provided, such as CCE VM IP addresses, internal/external DNS server, and so on. The Deployment Type also needs to be chosen, either Standalone or Corporate Intranet. This defines a single CCE (non-HA) and LAN deployment.
Note:
The internal DNS will be set in the next section.
Adjust or Administer the DNS Server Setting
Under System –> Node-Level Settings, change the Primary Server IP/DNS within the Domain Name Service window to the Controller IP address, 192.168.100.115.
Start CCE Deployment on Appliance Configuration (Wizard)
Once the settings and parameters have been verified, the CCE deployment is ready to start. It can take one to two hours.
Navigate to System and click “Deploy CCE VM” where there is a summary of all the important parameters from the CloudConnector.ini file.
Deploy the CCE Appliance by clicking “Prepare CCE” at the bottom of the page.
You will be asked to provide the certificate password: either your password for the imported certificate file or the one for the certificate request answer file, which writes the certificate into the CCE appliance and stores the file locally.
The next step is a reminder to proceed with the CCE installation process.
Finalizing CCE Deployment on Appliance using the Hyper-V host PowerShell
The process for installing the CCE VMs and having them configured automatically is identical to the process described on TechNet.
Register-CcAppliance
Install-CcAppliance
Next you need to provide the required user accounts and passwords:
Local VmAdmin, DomainAdmin, SafeModeAdmin, ExternalCert’s and
user name and password of your Office 365 admin account
Next, start the deployment of the Cloud Connector Appliance with the cmdlet Install-CcAppliance.
The VM deployment will start immediately. Connect to the HOST with the defined IP address and open the Virtual Machine Manager to find:
· The VM being cloned
· SysPrep
· VM started
· Updated (Windows Update)
· Finalized
Note:
If you started a redeployment, you must unregister the existing CCE Appliance configuration with your Office 365 tenant, by using:
Get-CsHybridPSTNAppliance
(NOTE: mark the IDENTITY)
Unregister-CsHybridPSTNAppliance -identity <MarkedName> -Force