Installing Cloud Connector Edition in Office 365
Based on the following PDF, which I have published on the TechNet Gallery, I explain how to set up a CCE appliance from Sonus, the SBC 1000 Cloud Link.
Generally, if you use the same CloudConnector.ini as provided in the How-To Guide, you will also be able to install the CCE on a dedicated physical Hyper-V host.
You can download the full 96 pages here:
https://gallery.technet.microsoft.com/Cloud-Connector-Configurati-521b533f
Happy reading ;)
Logical Infrastructure
DNS access is required externally for the Access Edge Server and the Media Relay (audio); video is not implemented for local breakouts. The internal CCE servers must resolve internal DNS names, while the Access Edge component resolves via external DNS. Therefore, the Access Edge should resolve DNS externally and have a hosts file (C:\Windows\System32\drivers\hosts) for internal DNS resolution.
Note:
The onmicrosoft.com DNS suffix (external tenant) is not supported.
SIP.<sipdomain> for any CCE is not supported; it is reserved for the Office 365 Access Edge.
External DNS entries for CCE (also used for certificates):
Access Edge: e.g., access.sipdomain.com (CCE Site (x) Access Edge)
SIP domain: e.g., sip.sipdomain.com (Office 365 Access Edge)
| DNS Record for sonusms01.com | Record Type | Setting | Comment |
|---|---|---|---|
| CCE Site A | | | |
| Accesspool | A | 123.123.123.1 | IP of Access Edge, Single CCE SITE or Site A |
| mr01 | A | 123.123.123.2 | Not required to be set (mr can be the same IP as Access Edge) |
| CCE Site B | | | |
| accesspool02 | A | 12.123.123.1 | IP of Access Edge, Multi CCE SITES, e.g. Site B |
| mr02 | A | 12.123.123.2 | Not required to be set |
| Office 365 | | | |
| sip | CNAME | sipdir.online.lync.com | |
| lyncdiscover | CNAME | webdir.online.lync.com | |
| _sip.tls | SRV | 100 1 443 sipdir.online.lync.com | |
| _sipfederationtls.tcp | SRV | sipfed.online.lync.com | |
Note:
Media Relay is not required in the certificate. The MRAS service will issue its own certificate for media encryption. Therefore, a DNS record is not required either; it is optional.
The MR can have its own IP address, but this is neither required nor advisable.
DNS Access queries in CCE
All internal VMs will query the CCE AD DNS, which is installed automatically on the DC VM.
The Edge Server VM has a hosts file installed for internal DNS and uses any external “public” DNS server for Internet-related queries, such as for the Office 365 tenant.
Note:
All other DNS records necessary for the internal and external (Internet) networks remain unchanged for Office 365 deployments.
Note:
During CCE installation it might be required to set the internal DNS (AD) to point to an external system.
External Certificates
Notes:
A CN starting with SIP.<domain> is not supported with anything other than a wildcard certificate. SIP is a placeholder for Access Edge client logins.
It is possible to use a single certificate for all CCE sites, as long as the other sites are listed with their fully qualified domain name (FQDN) in the SAN entries.
Single CCE Site
In addition to the DNS entries, publicly signed SAN certificates are also required:
| Field | Value | Comment |
|---|---|---|
| SN/CN | accesspool.sonusms01.com | Single CCE SITE |
| SAN | accesspool.sonusms01.com | |
| SAN | sip.sonusms01.com | |
Note:
Single CCE site deployment is similar to the well-known on-premises deployments for Edge Servers; the principles are identical. That is, if an Edge Pool is used, the external pool name must be addressed with HLB or DNS LB, but if it is a single server, only the server name is needed.
Multi-Site CCE Site with Shared Certificates
Multiple CCE Sites can be registered with Office 365:
| Field | Value | Comment |
|---|---|---|
| SN/CN | accesspool.sonusms01.com | |
| SAN | accesspool.sonusms01.com | CCE Site 1 |
| SAN | accesspool01.sonusms01.com | CCE Site 2 |
| SAN | sip.sonusms01.com | |
Wildcard Certificates
Wildcard certificates are supported.
| Field | Value | Comment |
|---|---|---|
| SN/CN | name.sonusms01.com | It can be sip.* too in this case |
| SAN | sip.sonusms01.com | 1 |
| SAN | *.sonusms01.com | Wildcard |
| SAN | xx | Any other SAN |
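The naming rules from the DNS and certificate notes above can be checked against a planned name set before a certificate request is submitted. This is an added example, not code from the original guide; the function name Test-CceCertificateNames and its parameters are hypothetical, and treating a wildcard SAN as covering a site FQDN one label below the SIP domain is an assumption.

```powershell
# Added example: returns one message per violated naming rule, nothing if the plan is clean.
function Test-CceCertificateNames {
    param(
        [Parameter(Mandatory)][string]   $SipDomain,       # e.g. sonusms01.com
        [Parameter(Mandatory)][string]   $SubjectName,     # planned SN/CN
        [Parameter(Mandatory)][string[]] $San,             # planned SAN entries
        [Parameter(Mandatory)][string[]] $AccessEdgeFqdn   # external Access Edge FQDN of each CCE site
    )
    $sipName     = "sip.$SipDomain"
    $hasWildcard = $San -contains "*.$SipDomain"           # -contains ignores case
    $labels      = $SipDomain.Split('.').Count

    # onmicrosoft.com names are not supported anywhere in the plan.
    foreach ($name in (@($SubjectName) + $San + $AccessEdgeFqdn | Select-Object -Unique)) {
        if ($name -like '*.onmicrosoft.com') { "Unsupported onmicrosoft.com name: $name" }
    }
    foreach ($edge in $AccessEdgeFqdn) {
        # sip.<sipdomain> is reserved for the Office 365 Access Edge.
        if ($edge -eq $sipName) {
            "$edge is reserved for the Office 365 Access Edge and cannot name a CCE site"
            continue
        }
        # Assumption: a wildcard SAN covers names exactly one label below the SIP domain.
        $oneLabelBelow = ($edge -like "*.$SipDomain") -and ($edge.Split('.').Count -eq ($labels + 1))
        if (-not (($San -contains $edge) -or ($hasWildcard -and $oneLabelBelow))) {
            "Access Edge FQDN not covered by any SAN entry: $edge"
        }
    }
    if ($San -notcontains $sipName) { "SAN entry $sipName is missing" }
    if (($SubjectName -eq $sipName) -and (-not $hasWildcard)) {
        "Subject name $sipName is only supported on a wildcard certificate"
    }
}

# Names from the multi-site table above: produces no findings.
$multiSite = @{
    SipDomain      = 'sonusms01.com'
    SubjectName    = 'accesspool.sonusms01.com'
    San            = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com', 'sip.sonusms01.com'
    AccessEdgeFqdn = 'accesspool.sonusms01.com', 'accesspool01.sonusms01.com'
}
Test-CceCertificateNames @multiSite

# Constructed faulty plan: reserved site name, uncovered second site, sip CN without wildcard.
$faulty = @{
    SipDomain      = 'sonusms01.com'
    SubjectName    = 'sip.sonusms01.com'
    San            = @('sip.sonusms01.com')
    AccessEdgeFqdn = 'sip.sonusms01.com', 'accesspool02.sonusms01.com'
}
Test-CceCertificateNames @faulty
```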
Notes:
Wildcards are supported as sn=sip.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Microsoft also supports sn=*.sipdomain.com, san=sip.sipdomain.com + san=*.sipdomain.com.
Internal Certificates
All internal servers, including the Domain Controller, require certificates, which can be either private certificates or externally signed.
· Typically, a CA is installed using the CCE automated setup, and the certificate can be generated automatically based on the CA.
· The “Member Servers” are domain-joined to the CCE Active Directory forest.
· Root certificates are propagated automatically, but with the Edge component, you have to import the root certificate for the internal side of the Edge.
CMS VMs (primary or backup) require a default certificate with the server FQDN as the subject name.
Mediation Server VMs require a default certificate with the Mediation Server pool FQDN as the subject name. A single certificate can be used across all Mediation Server VMs, or each VM can use its own certificate, as long as they all have the pool FQDN in the subject name.
Edge VMs require an internal certificate with the Edge Server internal pool FQDN as the subject name. A single certificate can be used across all Edge Server VMs, or each VM can use its own certificate, as long as they all have the internal pool FQDN in the subject name.
Note:
Remember to import the Root CA certificates if internal or private certificates are going to be used. With the Sonus CCE Appliance, this step is handled by the CCE Installation Wizard.
Firewall Port Configuration[1]
Internal Firewall
| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060** |
| SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068/TLS 5067 |
| Cloud Connector Mediation component | Internal clients | 49 152–57 500* | TCP 50,000–50,019 |
| Cloud Connector Mediation component | Internal clients | 49 152–57 500* | UDP 50,000–50,019 |
| Internal clients | Cloud Connector Mediation component | TCP 50,000–50,019 | 49 152–57 500* |
| Internal clients | Cloud Connector Mediation component | UDP 50,000–50,019 | 49 152–57 500* |

* This is the default port range on the Mediation component. For optimal call flow, four ports per call are required.
** This port should be configured on the SBC/PSTN gateway; 5060 is an example. Other ports on the SBC/PSTN gateway can be configured as required.
External Firewall - Minimum Configuration
| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478 |
| Any | Cloud Connector Edge External Interface | TCP 50,000–59,999 | TCP 443 |
| Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478 |
| Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | TCP 443 |
External Firewall - Recommended Configuration
| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | TCP 50,000–59,999 | Any |
| Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 | Any |
| Any | Cloud Connector Edge External Interface | Any | TCP 443; TCP 50,000–59,999 |
| Any | Cloud Connector Edge External Interface | Any | UDP 3478; UDP 50,000–59,999 |
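An exported inbound rule set for the Edge external interface can be compared against the two external firewall tables above, to find ports opened beyond what they list and minimum ports that are absent. This is an added example, not part of the original guide; the function name, the rule object shape (Proto, From, To) and the sample rules are constructed for illustration.

```powershell
# Added example. Inbound destination ports on the Cloud Connector Edge external
# interface, taken from the minimum and recommended tables above.
$DocumentedInbound = @(
    [pscustomobject]@{ Proto = 'TCP'; From = 5061;  To = 5061;  Tier = 'Minimum' }
    [pscustomobject]@{ Proto = 'TCP'; From = 443;   To = 443;   Tier = 'Minimum' }
    [pscustomobject]@{ Proto = 'UDP'; From = 3478;  To = 3478;  Tier = 'Minimum' }
    [pscustomobject]@{ Proto = 'TCP'; From = 50000; To = 59999; Tier = 'Recommended' }
    [pscustomobject]@{ Proto = 'UDP'; From = 50000; To = 59999; Tier = 'Recommended' }
)

function Test-CceEdgeInboundRules {
    param([Parameter(Mandatory)][object[]] $Rules)   # objects with Proto, From, To

    # A rule is acceptable only if its whole port range sits inside a documented entry.
    foreach ($r in $Rules) {
        $inside = $DocumentedInbound | Where-Object {
            $_.Proto -eq $r.Proto -and $r.From -ge $_.From -and $r.To -le $_.To
        }
        if (-not $inside) {
            [pscustomobject]@{ Finding = 'Undocumented'; Proto = $r.Proto; Ports = "$($r.From)-$($r.To)" }
        }
    }
    # Every entry of the minimum table must be covered by at least one rule.
    foreach ($d in ($DocumentedInbound | Where-Object { $_.Tier -eq 'Minimum' })) {
        $covered = $Rules | Where-Object {
            $_.Proto -eq $d.Proto -and $_.From -le $d.From -and $_.To -ge $d.To
        }
        if (-not $covered) {
            [pscustomobject]@{ Finding = 'Missing'; Proto = $d.Proto; Ports = "$($d.From)-$($d.To)" }
        }
    }
}

# Constructed sample export of inbound allow rules toward the Edge external interface.
$sample = @(
    [pscustomobject]@{ Proto = 'TCP'; From = 5061;  To = 5061 }
    [pscustomobject]@{ Proto = 'TCP'; From = 443;   To = 443 }
    [pscustomobject]@{ Proto = 'TCP'; From = 3389;  To = 3389 }    # not in either table
    [pscustomobject]@{ Proto = 'UDP'; From = 50000; To = 65535 }   # wider than documented
)
Test-CceEdgeInboundRules -Rules $sample | Format-Table -AutoSize
```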
Configuration Guide for Users, Dial-Plans, Voice Routes and PSTN Usage
This section covers the view for Cloud Connector Edition setup only. Remember to assign an Office 365 license before users are enabled for a Skype for Business Online account.
Connect to MSOnline
It is best to connect to MSOnline as well:
Import-Module MSOnline
$credential = Get-Credential
Connect-MsolService -Credential $credential
Connect to Skype for Business Online
The Business Online Connector (Windows PowerShell module) can be downloaded from the Microsoft download center.
For more information go to Configuring your computer for Skype for Business Online management.
Import-Module skypeonlineconnector
$cred = Get-Credential
$Session = New-CsOnlineSession -Credential $cred -Verbose
Import-PSSession $session
Configuration Data Definition CloudConnector.ini
The LAN site uses the network address 192.168.210.0/24.
| Parameter | Value |
|---|---|
| SIP Domain | sonusms01.com |
| Virtual Machine Domain | sfbhybridtest.local |
| Server Name | AD |
| IP | 192.168.210.115 |
| Online SIP Federation FQDN | sipfed.online.lync.com |
| Site Name | AEPSITE1 |
| Base VMIP | 192.168.210.119 |
| Management Switch Name | SfB CCE Management Switch |
| Internet Switch Name | SfB CCE Internet Switch |
| Corpnet Switch Name | SfB CCE Corpnet Switch |
| Management IP Address Prefix | 192.168.219.0 |
| Internet Default Gateway | 192.168.211.1 |
| Corpnet Default Gateway | 192.168.210.1 |
| Internet DNS IP Address | 8.8.8.8 |
| Corpnet DNS IP Address | 8.8.8.8 |
| Primary CMS | |
| Server Name | CMS-Server |
| IP Address | 192.168.210.116 |
| Share Name | CmsFileStore |
| Mediation Server | |
| Server Name | MediationServer |
| Pool Name | mspool |
| IP Address | 192.168.210.117 |
| Edge Server | |
| Internal Server Name | Edge-064913 |
| External MR Public IPs | 12.8.245.86 |
| External SIP IPs | 192.168.211.86 |
| Internal Pool Name | Edgepool |
| Internal Server IPs | 192.168.210.118 |
| External MR IPs | 192.168.211.86 |
| External SIP Pool Name | AEPSITE2 |
| Gateway | |
| FQDN | Sbc1.sfbhybridtest.local |
| IP Address | 192.168.210.113 |
| PORT | 5060 |
| Protocol | TCP |
| Enable Refer Support | true |
| Sonus Network (specific too) | |
| Network Type | intranet |
| Deployment Type | standalone |
Set the Network Interfaces on CCE
The first step is navigating to the Settings tab –> ASM Configuration in the Node Interfaces section. Here a real IP address is assigned to the physical SBC network interface.
Two Class C networks are defined:
NIC 1 LAN (and CCE VMs): network 192.168.100.0/24, IP 192.168.100.114
NIC 2 Internet (and CCE Edge VMs): network 192.168.211.0/24, IP 192.168.211.85
Set VM and Hyper-V Networks on CCE
Next, click the Tasks tab –> Configure CCE, where the CCE deployment information is provided, such as CCE VM IP addresses, internal/external DNS server, and so on. The Deployment Type also needs to be chosen, either Standalone or Corporate Intranet. This defines a single CCE (non-HA) and LAN deployment.
Note:
The internal DNS will be set in the next section.
Adjust or Administer the DNS Server Setting
Under System –> Node-Level Settings, change the Primary Server IP/DNS within the Domain Name Service window to the Controller IP address, 192.168.100.115.
Start CCE Deployment on Appliance Configuration (Wizard)
After verifying the settings and parameters, the CCE is ready for deployment. This can take one to two hours.
Navigate to System and click “Deploy CCE VM”, where there is a summary of all the important parameters from the CloudConnector.ini file.
Deploy the CCE Appliance by clicking “Prepare CCE” at the bottom of the page.
You will be asked to provide the certificate password: either your password for the imported certificate file, or the password the certificate answer file requires for writing the certificate into the CCE appliance and storing the file locally.
The next step is a reminder to proceed with the CCE installation process.
Finalizing CCE Deployment on Appliance using the Hyper-V host PowerShell
The process for installing the CCE VMs and letting them be configured automatically is identical to the process described on TechNet.
Register-CcAppliance
Install-CcAppliance
Next, you need to provide the required user accounts and passwords:
Local VmAdmin, DomainAdmin, SafeModeAdmin, ExternalCert’s, and the user name and password of your Office 365 admin account
Next, start the deployment of the Cloud Connector Appliance with the cmdlet Install-CcAppliance.
The VM deployment will start immediately. Connect to the HOST with the defined IP address and open the Virtual Machine Manager to find:
· The VM being cloned
· SysPrep
· VM started
· Updated (Windows Update)
· Finalized
Note:
If you started a redeployment, you must unregister the existing CCE Appliance configuration from your Office 365 tenant by using:
Get-CsHybridPSTNAppliance
(NOTE: mark the IDENTITY)
Unregister-CsHybridPSTNAppliance -Identity <MarkedName> -Force
Deploying Cloud Connector Edition (CCE) on two sites (multi-sites) using Sound Cloud Link
The first site was deployed successfully without any problems
The second site was deployed also
But when a user makes a call from the second site, the call goes through the voice gateway of the first site
Although the HybridPSTN site of the user is pointing to the second new site
Hi Jehad, this is a common mistake made with the user configuration in O365. You must assign the user the correct CCE site, else you experience this issue. Once re-assigned it will work correctly.
Create Germany site:
New-CsHybridPSTNSite -Identity Germany -EdgeFQDN aesite1.sonusms01.com
Set-CsUserPstnSettings -Identity USer01 -HybridPSTNSite Germany -AllowInternationalCalls $true
Hope this helps