Understanding Cloud Connector Edition (CCE) Network Design

-
Understanding Cloud Connector Edition (CCE) Network

CCE virtual machines

First I like to introduce the internal VM structure to CCE again. We will from here understand better the requirement for virtual networks.

We require network connection to the internet, the SBC and the virtual machines themselves.


PICTURE: CCE Network 00.png

 
The Cloud Connector Edition is built with 4 virtual machines, a subset from a typical on-premise deployment.

Domain Controller:
supporting the internal CCE PKI and the authentication for “CCE domain joint” machines.
Single NIC (internal VM only)

CMS:
contains the subset for the Skype for Business relevant minimalistic Topology
Single NIC (internal VM only)

Mediation Server:
Codec transcoding unit for the Session Boarder Controller, between the RTP data stream from Office 365 and Skype for Business Clients to the SBC.
Single NIC (internal VM and SBC on same subnet only)
NOTE:
The Mediation likewise the on-premise setup doesn’t allow a dual NIC setup. More over the SBC can be with on the same vNET or routed into the LAN.

Edge Server:
The Edge connects the rest of the CCE VMs with Office 365 tenant over the internet.
Dual NIC (internal VM and Internet)
 

CCE Network Switches in Hyper-V


Core to the CCE image installation is the ISO -> VHDX conversion. This process is generating the VM including their owned disks. The Windows Server ISO image is taken from a local storage (HDD) . Additionally, it requires a Windows Update process before the generalization occurs. This is done via temporary IP address assigned to the SfB CCE Corpnet Switch and uses a temporary IP from the BaseVMIP parameter, it must reach out to the Internet for Windows Updates.

In total we need to provide three (3) virtual switches in Hyper-V:
 
§  SfB CCE Corpnet Switch
The Corpnet enabled the VMs accessing each other (all VMs on this HOST), allows RDP into the VM, allows Skype for Business Clients to connect to the Mediation Server and connects the Mediation Server to the PSTN Gateway. It is also used for Windows and SfB Updates and required an Internet connection.

§  SfB CCE Management Switch
The management switch to provides temporary network connectivity of host and VMs during the VM deployment and will be disconnected after provisioning. ManagementIPPrefix in MUST be configured as different subnet from other internal IPs.

§  SfB CCE Internet Switch
Only used for Edge external access to the DMZ1 which is internet facing.


The parameter in the CCE CloudConnector.ini file represent the virtual switch names (vSwitch). They are not subject to chance and should be kept.

Those parameters are used during the setup scripting for VM installation.

PARAMETER
VALUE
ManagementSwitchName
SfB CCE Management Switch
InternetSwitchName
SfB CCE Internet Switch
CorpnetSwitchName
SfB CCE Corpnet Switch

 

PICTURE: CCE Network 01.png


CCE typical Network setup in Hyper-V


The CCE usability is defined with two possible access point, where the Skype for Business is either in the internal LAN or it outside the corporate network (Internet or any other LAN, e.g. Home Office).

Next we are discussing the position where the CCE and it SBC should be located. Since the CCE has it Edge Server, we shouldn’t place the CCE into the internal LAN. Best approach is the dedicated DMZ segment.

It plays a minor role if the SBC (ox IP-PBX) is within the sale DMZ or located on the internal LAN. This Media stream can be handled through a firewall without NAT. Same applies to the internal Skype for Business client.

As general security advice, the illustration below is the best approach and will isolate the CCE within its own DMZ.

 
PICTURE: CCE Network 03.png

 

If we have a look into the more detailed setup approach, where we wish the SBC is placed inside the CCE own DMZ, the firewalls are located on the external, Internet facing and the internal LAN facing connectivity paint.
 
NOTE:
The internal firewall must NOT have NAT enabled. A straight routing is required.

This illustration doesn’t reflect the entire routing, with either gateways nor static routes. But in general the Internet facing vNET required a default route in the direction of the Internet (0.0.0.0 -> GW INET). While the internal, LAN directed vNET, require a static route in the form of e.g. 10.0.0.0/8 -> GW-LAN
 

PICTURE: CCE Network 02.png

 

The last I wish highlighting again is:

You shouldn’t change the generic CCE vSwitch structure manually. The CCE deployment will fail if you do so. Same applies to the vSwitch naming. The setup is case sensitive, so please keep an eye on your typing’s.

If you deploy the CCE on a dedicated physical host (server) or you are choosing an Appliance, the network design is identical.


Comments

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modif...
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, uniqu...
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more