Chapter 15. Skype for Business Online Concepts and Planning

This chapter looks at the basic concepts of Skype for Business Online, including the features it supports, the fundamental requirements to implement it, the protocols involved, and the clients you can deploy to your users for them to get online.

What is Skype for Business Online?

Skype for Business Online (SBO) is one of the key services in Office 365. It offers secure instant messaging, peer-to-peer audio and video conferencing, and presentation-sharing capabilities and enables you to provide your users secure communications and collaboration capabilities on any computer, tablet, or mobile phone. Whether you are at your desk or on the road, SBO enables you to communicate with your colleagues, attend meetings, share your entire desktop or just one application, or present Microsoft PowerPoint decks to one or many people quickly and easily. As an administrator, you can control which services you want your users to have and extend your connectivity to partners or even to your customers over the Skype consumer platform.

Features

SBO has several built-in features and capabilities that work across all client software applications. These include the following.

  • Instant messaging
  • Presence information incorporated across the Office 365 platform
  • Peer-to-peer Voice over IP (VoIP) audio communications
  • Peer-to-peer video communications
  • Peer-to-peer file transfers
  • Web conferencing, including text, audio, video, and presentation sharing
  • Federated connectivity with other Session Initiation Protocol (SIP)–based systems and the consumer Skype network
  • Software development kits (SDKs) for developing client applications
  • Optional integration with PSTN for dial-in conferencing and full telephony features
  • Clients available for Windows and Mac, Android, iOS, Windows Phone, and web clients

Here are more details about each of these features.

Instant messaging

SBO clients can use text, emoticons, and GIFs to communicate over instant messaging. The full Windows and Mac clients give users full control over fonts and formatting. Instant messaging provides real-time communication and is an excellent choice when you are multitasking or need to ask a question that is either less formal in nature or more time-sensitive than an email. Instant messaging is also very tolerant of latency and poor network connectivity, and SBO works well over in-flight Internet connectivity, EDGE cellular networks, and satellite links.

Presence

SBO provides presence indications within the application and integrates with both Exchange Online and SharePoint Online. Presence uses colored icons, commonly called jelly beans, to indicate whether another user is available, away, busy, or offline. With presence, you can see at a glance whether a colleague is available to chat, and you can launch chats right out of email or from Microsoft SharePoint sites. See Figure 15-1 for a list of the default presence indicators.

Image

Figure 15-1 Skype for Business Online presence indicators

Peer-to-peer Voice over IP audio communications

Because it uses VoIP, SBO gives you the ability to conduct voice calls with others, using either your computer’s built-in microphone and speakers or external hardware. Voice chats can be one to one or involve multiple participants and, if policy permits, be recorded by a participant for later playback.

Peer-to-peer video communications

As long as you have a webcam, SBO can take voice chats to the next level with video. Again, whether one to one or many, you can conduct video calls with others over the network to provide more interaction or to show someone something specific, and video calls can also be recorded for later playback if policy permits.

Peer-to-peer file transfers

Users can also use SBO to transfer files to one another. This can be disabled by policy if compliance needs require it, but when enabled, it provides a very fast and easy way for users to perform ad hoc file transfers without having to set up any infrastructure or send links to their OneDrive for Business. These can be small text files or multi-gigabyte virtual hard drive images or anything in between. The sender can either drag and drop a file to the chat window or browse their file system, and the receiver will find the file transfer in their My Received Files folder in their profile.

Web conferencing including text, audio, video, and presentation sharing

SBO also enables you to share content with others. Whether it’s a user sharing their desktop with the help desk, a manager sharing the latest Microsoft Excel workbook with their team, or a presenter sharing a PowerPoint deck with their audience, content sharing enables users to engage by using a live presentation of whatever content you need to share. Presenters can share an entire desktop or only a single window and can pause or stop sharing at any time. This is an excellent way to deliver presentations or training or simply to demonstrate something to a remote user. Any client can join web conferences, and users without an installed SBO client can participate using only a web browser.

Federated connectivity with other SIP-based systems and the consumer Skype network

One of the most useful features of SBO is that it can interoperate with other systems. Although you can control this as the admin, if your corporate policy permits it, you can establish federation with other Skype for Business and Skype for Business Online organizations and the consumer Skype network. That way, your users can easily communicate with customers, partners, and vendors to provide a fully interactive experience with them. You can configure your SBO organization to be fully open or to federate only with the specific organizations that you choose, and you can grant or deny permission to communicate with external parties on a per-user basis if need be. As an example, you might want to permit connectivity to the consumer Skype system, but only for customer service and human resources users to interact with customers and job candidates. You can easily configure this or any other mix of capabilities to meet your company’s needs.

SDKs for developing client applications

SDKs are designed to help developers extend Skype for Business and Skype for Business Online capabilities across both desktop and mobile apps. There are Web SDKs that support instant messaging and presence (IM&P), audio and video, a user representational state transfer (REST) application programming interface (API) that provides IM&P, Desktop APIs for developers to build their own clients, and the Unified Communications Managed API that developers can use to incorporate both hardware and software into SBO. You can learn more about these at https://dev.office.com/skype/sdks.

Optional integration with PSTN for dial-in conferencing and full telephony features

With the right licenses, Skype for Business Online offers PSTN conferencing and telephony capabilities, enabling customers to use SBO for their full telephone solution. Cloud PBX lets you provide direct-dial telephone numbers, call groups, call parking and forwarding, voicemail, and more. Calling plans are available that can include toll-free dial-in numbers for conferencing, enabling you to provide your users with a complete telephone solution that works with both soft phones and VoIP hardware phones.

Clients available for Windows and Mac, Android, iOS, Windows Phone, and web clients

There are Skype for Business clients for both the Windows and Mac platforms as well as all three major mobile platforms. Users can also take advantage of many of the SBO features by using only a web browser, and third-party and open-source options are also available.

Differences with on-premises

Skype for Business Online is powered by Office 365. Although almost all the features and capabilities of on-premises functions are available online, the online version does require you to have the latest version of the client software, whereas on-premises can support older client versions. On-premises also supports persistent chat rooms, which are not available in SBO. Finally, there is more integration and compatibility with various conference-room systems when using on-premises than there is with online.

Skype for Business Online only works with other SIP products at this time, although a number of gateways are available that can enable Skype on-premises to integrate with other messaging systems, such as those based on the Extensible Messaging and Presence Protocol (XMPP) or Sametime protocol.

If your business does not have an existing SIP-based conferencing and instant messaging solution, SBO is the obvious choice. If you have an existing investment in conferencing hardware such as speaker phones and telepresence systems, you might find that older hardware works with on-premises Skype for Business but that you need to upgrade it to move to online.

Both Skype for Business and Skype for Business Online evolved from a long line of Microsoft products, including Windows Messenger, Live Communications Server, Office Communications Server, and then Microsoft Lync and, finally, Skype for Business.

Differences from consumer Skype

Although both Skype for Business Online and the consumer Skype product are from Microsoft and can interoperate, they are completely different solutions. They do not share any infrastructure, use separate code bases, and should not be confused with one another. The consumer Skype platform was acquired by Microsoft in 2011 and is free to use for many features, with additional ones available at a cost. Users create and manage their own accounts and can interact with any other Skype user they wish to, with the full set of features in the consumer product. Skype for Business Online is available as part of an Office 365 subscription, is managed by a company's administrators, and can be configured to remove features or lock down aspects that a company wishes to control. As the administrator, you control access to SBO by assigning your users licenses for the features you want them to use.

Understanding the protocols

SBO uses several protocols, depending on the workload and on network conditions. It also uses several ports over both TCP and UDP, depending on what the client is trying to do. Do not assume that everything will work if you only open outbound connections to TCP 443. SBO clients can fall back to that port when the others are blocked, but doing so degrades performance severely. As an administrator, you do not configure any of these protocols, but it helps to understand them, especially when you need to troubleshoot connections. The following sections look at the protocols the SBO service and its clients use.

Session Initiation Protocol

SIP is probably the hardest-working protocol in the Skype for Business Online service. It is responsible for signaling, for establishing multimedia communication sessions, and for instant messaging. It does not work alone, but because it is the most important protocol within SBO, it is the one to pay the most attention to.

SIP is an Internet Engineering Task Force (IETF) standard, first defined in RFC 2543 and currently defined by RFC 3261 (https://tools.ietf.org/html/rfc3261) together with numerous updates and extensions. Many other systems that support the same kinds of services as SBO also use it, with varying degrees of compatibility between them.

Although SIP carries some traffic itself, it mainly helps the other protocols by establishing the sessions they need in order to operate. It sets up and tears down every session between endpoints, negotiates the media streams for voice and video, and carries instant messaging and presence traffic directly.

The most important aspect of SIP, as far as administering SBO is concerned, has to do with addressing. A SIP namespace is a DNS zone associated with an organization using a SIP-based messaging platform. Within that namespace are some DNS records to help clients identify the network address of endpoints and to help other organizations’ systems establish federation so that users in both organizations can all communicate with one another. Users have SIP addresses, or Uniform Resource Identifiers (URIs), that define their address within a SIP system. These SIP addresses take the form of username@SIPdomain and most closely resemble an SMTP address. More about that follows in this chapter.

Interactive Connectivity Establishment

Another IETF protocol, Interactive Connectivity Establishment (ICE), is defined in RFC 5245 (https://tools.ietf.org/html/rfc5245). Its purpose is to help two endpoints find the best path for communicating with one another. If two clients are on the same network, have no firewall or other network access control list (ACL) between them to block communications, and have no device performing network address translation (NAT) between them, they can establish a direct, peer-to-peer connection for the media they exchange. SBO uses ICE to determine whether peer-to-peer communication is possible for voice, video, and file transfer; instant messaging and presence traffic, on the other hand, always passes between client and server in SBO and never goes peer to peer. ICE uses both STUN and TURN, described next, to find the best path for communications.

Session Traversal Utilities for NAT

The protocol formerly known as Simple Traversal of UDP through NAT provides a standard set of approaches that enable applications to discover and work around NAT devices. It is defined by RFC 5389 (https://tools.ietf.org/html/rfc5389). When SBO clients can make direct connections with one another, they will, but they first have to find one another. While ICE gathers candidate addresses for a call, the client sends a Session Traversal Utilities for NAT (STUN) Binding request to a STUN server in the service, which replies with the public address and port that the client's traffic is translated to as it leaves the client network. The client offers that server-reflexive address, along with its local addresses, to the other party as candidates for the media session.

Traversal Using Relays around NAT

Traversal Using Relays around NAT (TURN) defines several extensions to STUN and enables communication when two hosts cannot reach one another directly, by using a relay system that both can reach independently. In SBO, audio, video, presentation sharing, and file transfer all travel directly from one client to another over the network when possible, but when they cannot, TURN enables the communication by relaying it through the SBO service. TURN is defined in RFC 5766 (https://tools.ietf.org/html/rfc5766).
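The STUN Binding exchange that ICE uses to learn a client's post-NAT address, shown as an added example (this is not code from the chapter or from the Skype for Business client). The request is the bare 20-byte RFC 5389 header; the response carries an XOR-MAPPED-ADDRESS attribute, which the client un-XORs with the magic cookie to recover its server-reflexive address. The response bytes are constructed here so the parser runs offline; a real one would come from a STUN server such as the service's media relays on UDP 3478.

```python
"""STUN Binding request/response (RFC 5389) as used during ICE candidate gathering.

Added example, not from the original chapter. Only IPv4 XOR-MAPPED-ADDRESS is
handled; the response used in demo() is constructed, not captured from a server.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """20-byte STUN header: type, length (0, no attributes), magic cookie, 96-bit ID."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(transaction_id, ip, port):
    """What a STUN server sends back: Binding Success with XOR-MAPPED-ADDRESS (IPv4).

    Included so the parser can be exercised offline; a real server builds this.
    """
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    # reserved byte, family 0x01 (IPv4), X-Port, X-Address
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS; raise ValueError on anything suspect."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    tid = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie (not RFC 5389 STUN)")
    if tid != expected_tid:
        # A response must echo our transaction ID; anything else is stale or spoofed.
        raise ValueError("transaction id mismatch")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % msg_type)
    body = data[20:20 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated STUN body")
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            family, xport, xaddr = struct.unpack("!xBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        # Attribute values are padded to a 4-byte boundary (RFC 5389 section 15).
        offset += 4 + ((attr_len + 3) & ~3)
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def demo():
    """Round trip with a constructed response: the NAT maps this client to 203.0.113.7:40123."""
    tid = bytes(range(12))
    request = build_binding_request(tid)
    response = build_binding_response(tid, "203.0.113.7", 40123)  # constructed, not from a real server
    return len(request), parse_binding_response(response, tid)


if __name__ == "__main__":
    print(demo())
```

The transaction-ID check matters in practice: ICE candidate gathering runs over plain UDP, and a response that does not echo the request's ID should be discarded rather than trusted as the client's public address.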

SIP addresses

Every user of Skype for Business Online must have a SIP address. This address is the unique identifier that enables one user to contact another. SIP addresses are in the format of username@SIPdomain, where the SIPdomain is a unique, registered DNS namespace with the appropriate DNS records. When clients start the SBO client, it uses that SIP address to find the appropriate endpoints for the service and register the client connection with the service. Users can inform their clients, customers, colleagues, and others of their SIP address to facilitate communications over SBO if desired. Every user of SBO has one, and only one, SIP address. Unlike email, there are no SIP aliases.

proxyAddresses

A user’s SIP address is stored in the proxyAddresses attribute in Azure Active Directory, as an entry with a sip: prefix (for example, sip:user@contoso.com) alongside the SMTP: and smtp: entries that Exchange uses. If you have synchronized your on-premises Active Directory with your Office 365 tenant and have extended your on-premises schema for Exchange, the user’s SIP address is mastered in your Active Directory. If not, you can set it directly in Office 365. If your Active Directory has been extended for Exchange and is synchronizing to Azure Active Directory, but a user has no sip: entry in their proxyAddresses attribute, Skype for Business Online sets the user’s SIP address to match the User Principal Name in Azure AD. See Figure 15-2 for an example of the proxyAddresses attribute for a user.

Image

Figure 15-2 The proxyAddresses attribute in Active Directory

Ideally, you extend your on-premises Active Directory schema for Exchange, even if you are not using Exchange on-premises, and you control the SIP address locally in Active Directory.

msRTCSIP-* attributes

If you had one of the older communications systems in your environment, such as Office Communications Server, you have several attributes in your Active Directory whose names start with msRTCSIP-. If they are blank, they can be ignored, but if some of them are populated, they can have surprising effects on your users’ SBO experience. The first is msRTCSIP-PrimaryUserAddress. This attribute in your on-premises Active Directory stores a user’s SIP address for the older platforms and is synchronized to Azure AD. If it is blank, nothing is synchronized and no harm is done, but if it is populated, it must match the SIP address in the proxyAddresses attribute, or it prevents the user from successfully using SBO.

The second is msRTCSIP-UserEnabled. If blank or set to True, a user can use SBO if they have a license, but if set to False, it prevents a user from using SBO even if you have given them a license.

The third is msRTCSIP-OptionFlags. These values are also synchronized from on-premises Active Directory to Azure AD and can prevent certain SBO features from being available to users. It is not the intended way to permit or deny users’ access to SBO features, so it should be blanked if any data exists.

There are others, but these three are the ones you should check when using SBO. Check your users to see whether these attributes, and the others, are populated. If they are, and you no longer have any on-premises SIP system that might be using them, consider blanking them out for all users before you start to deploy SBO. You should test this for several users to ensure that there are no unforeseen consequences. Otherwise, compare the msRTCSIP-PrimaryUserAddress to the SIP address in proxyAddresses for every user to ensure that they match, and make sure no user has msRTCSIP-UserEnabled set to False.

SMTP, UPN, and SIP

Although a user object in Azure AD usually has a one-to-one relationship with an actual person, three attributes on it all identify the user. The User Principal Name (UPN), the primary SMTP address, and the SIP address work together to enable users to access Office 365 services and to let those services interoperate. Although there is no technical reason for all three to match for the service to work, you absolutely want them to match to ensure ease of use and the best user experience and to reduce calls to the help desk from users.

If at all possible, ensure that your SIP namespace is the same as your SMTP namespace and that users’ primary SMTP address matches their SIP address. This both makes it simple for your users to communicate with others on different systems and enables presence within Microsoft Outlook and SharePoint Online to work automatically. Users should know what their email address is, and when both UPN and SIP match, it is easier for users to know what to enter in a specific client or prompt because the values are the same no matter which attribute is actually required. The answer to the question, “What do I put in here,” is always “Your email address.”

Authentication always requires the UPN. Exchange Online Autodiscover requires the user to authenticate and uses the primary SMTP address to discover the user’s mailbox and configure the email client. Skype for Business Online also requires users to authenticate but then uses the SIP address to discover the appropriate SIP endpoint to connect to. However, Outlook and Outlook Web App, SharePoint Online, the Office apps, and Skype for Business clients all need to talk to the other services to provide users with the best experience.

Presence relies on Skype for Business Online. When Outlook wants to display presence for someone, such as the sender of an email or a person copied on it, it relies on the SBO client to query presence using that recipient’s SMTP address, on the assumption that it is also the user’s SIP address. If it is, presence works. If it is not, presence works only if the client has a contact object that maps the primary SMTP address to the SIP address. The same thing happens in SharePoint Online. Users who have uploaded or modified documents in SharePoint Online, or who have a document open, appear by their displayName but are identified in the service by their SMTP address. When your SBO client queries for presence, it uses the SMTP address as if it were also the SIP address.

The Skype for Business client can also pull your Exchange calendar information to update your presence automatically for meetings and to enable you to launch Skype meetings without having to log on to your email or even switch to Outlook. It uses your SIP address to connect to your Exchange or Exchange Online mailbox. If they match, this rich presence capability works.

Finally, because the clients require authentication, they might prompt users both to authenticate and to enter the address of whatever the client is trying to connect to. Because the various prompts do not clearly indicate which value they need, UPN, SIP, or SMTP, users can easily become confused about what to type in a specific prompt. When all three values match, there is no confusion, and the number of prompts might also be reduced.

If you have multiple DNS names to support different business units or brands, that is fine. You can have up to 900 in a single Office 365 tenant. If users move from one brand to another and need to start using a new primary SMTP address, update their UPN and SIP to keep them consistent.
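An added example that puts the checks from the preceding two sections (the msRTCSIP-* leftovers and UPN/SMTP/SIP consistency) into one audit. It is not code from the chapter; it works over rows shaped like an export of on-premises AD user objects (for instance Get-ADUser with -Properties proxyAddresses, msRTCSIP-PrimaryUserAddress, msRTCSIP-UserEnabled, msRTCSIP-OptionFlags piped to Export-Csv). The sample rows and the contoso.com/fabrikam.com names are constructed for illustration.

```python
"""Audit UPN / primary SMTP / SIP consistency and the msRTCSIP-* attributes.

Added example, not from the original chapter. SAMPLE_USERS is constructed
data in the shape of an AD export; feed real exported rows the same way.
"""


def primary_smtp(proxy_addresses):
    """The primary SMTP address is the entry with an upper-case 'SMTP:' prefix."""
    for entry in proxy_addresses:
        if entry.startswith("SMTP:"):
            return entry[5:]
    return None


def sip_address(proxy_addresses):
    """The SIP address is the entry with a 'sip:' prefix (prefix case does not matter)."""
    for entry in proxy_addresses:
        if entry[:4].lower() == "sip:":
            return entry[4:]
    return None


def same(a, b):
    """Addresses are compared case-insensitively; a missing value never matches."""
    return a is not None and b is not None and a.lower() == b.lower()


def audit_user(user):
    """Return a list of (severity, message) findings for one directory row."""
    findings = []
    proxies = user.get("proxyAddresses", [])
    upn = user.get("userPrincipalName")
    smtp = primary_smtp(proxies)
    sip = sip_address(proxies)
    legacy_sip = user.get("msRTCSIP-PrimaryUserAddress") or None
    enabled = user.get("msRTCSIP-UserEnabled")
    flags = user.get("msRTCSIP-OptionFlags")

    if sip is None:
        # No sip: entry: SBO falls back to the UPN, so that is what we compare against.
        findings.append(("info", "no sip: entry in proxyAddresses; SBO will use the UPN %s" % upn))
        sip_effective = upn
    else:
        sip_effective = sip
    if not same(upn, smtp):
        findings.append(("warn", "UPN %s differs from primary SMTP %s" % (upn, smtp)))
    if not same(smtp, sip_effective):
        findings.append(("warn", "primary SMTP %s differs from SIP %s; Outlook and SharePoint "
                                 "presence lookups will miss" % (smtp, sip_effective)))
    if legacy_sip is not None:
        legacy = legacy_sip[4:] if legacy_sip[:4].lower() == "sip:" else legacy_sip
        if not same(legacy, sip_effective):
            findings.append(("error", "msRTCSIP-PrimaryUserAddress %s does not match SIP %s; "
                                      "user cannot sign in to SBO" % (legacy_sip, sip_effective)))
    if enabled is not None and str(enabled).lower() == "false":
        findings.append(("error", "msRTCSIP-UserEnabled is False; blocks SBO even with a license"))
    if flags not in (None, ""):
        findings.append(("warn", "msRTCSIP-OptionFlags=%s is populated; clear it before deploying SBO" % flags))
    return findings


def audit_directory(users):
    """Map each UPN to its findings; users with an empty list are clean."""
    return {u["userPrincipalName"]: audit_user(u) for u in users}


SAMPLE_USERS = [  # constructed rows, not real directory data
    {"userPrincipalName": "alice@contoso.com",
     "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice@contoso.onmicrosoft.com", "sip:alice@contoso.com"],
     "msRTCSIP-PrimaryUserAddress": "sip:alice@contoso.com", "msRTCSIP-UserEnabled": "True",
     "msRTCSIP-OptionFlags": ""},
    {"userPrincipalName": "bob@contoso.com",
     "proxyAddresses": ["SMTP:bob@contoso.com", "sip:bob@contoso.com"],
     "msRTCSIP-PrimaryUserAddress": "sip:bob@contoso.local", "msRTCSIP-UserEnabled": "False",
     "msRTCSIP-OptionFlags": "257"},
    {"userPrincipalName": "carol@fabrikam.com",
     "proxyAddresses": ["SMTP:carol@contoso.com"],
     "msRTCSIP-PrimaryUserAddress": "", "msRTCSIP-UserEnabled": "", "msRTCSIP-OptionFlags": ""},
]

if __name__ == "__main__":
    for upn, findings in audit_directory(SAMPLE_USERS).items():
        print(upn, "OK" if not findings else "")
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

Run it before you license users: "error" findings are sign-in blockers and must be fixed first, "warn" findings are the mismatches that generate help-desk calls and broken presence, and the "info" line tells you which address SBO will pick when no sip: entry exists.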

Network requirements

Skype for Business Online has more exacting requirements on the network than either Exchange Online or SharePoint Online. In addition to the various DNS records you have to create, the multiple protocols you need to permit, and the latency thresholds you need to monitor, you will find that SBO is a first indicator of any network issues. Do not underestimate the importance of ensuring that your network meets all the requirements for SBO so that your users enjoy the optimum SBO experience.

DNS records

It shouldn’t surprise you that Skype for Business Online depends heavily on DNS for it to function. You must set up two CNAME and two SRV records for each DNS namespace you plan to use. No matter what domain(s) you are using, the same four records are required, and you should add them to both internal and external DNS.

The two CNAME records, sip.<yourdomain> and lyncdiscover.<yourdomain>, help clients find the SIP and discovery endpoints for the service. Of the two SRV records, _sip._tls identifies the SIP endpoint and _sipfederationtls._tcp is used for federation. Whether you plan to use federation or not, deploy all four records if you want all Skype for Business Online clients, including the web client, to work properly.

To confirm what you should add to your DNS, follow these steps.

  1. Using a global admin account, log on to the administrative portal.
  2. On the left side, navigate to Setup | Domains.
  3. Select the domain you want to use.

    If you have not verified the domain yet, you must do so before displaying the DNS records, but if you completed the domain verification and set the domain purpose for Skype for Business Online, you should see something like Figure 15-3 about half-way down the domain management page.

    Image

    Figure 15-3 Skype for Business DNS records

When it’s time to deploy Skype for Business Online for your domain, ensure that these records are in both internal and external DNS before you attempt to use SBO. Chapter 16, “Deploying Skype for Business Online,” goes into more detail on this.
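An added example, not code from the chapter or from Microsoft, that encodes the four records as a checklist and compares them against what a resolver returns. The expected names and targets (sipdir.online.lync.com, webdir.online.lync.com, sipfed.online.lync.com, ports 443 and 5061) are the values the Office 365 portal issued for Skype for Business Online; always confirm them against what your own domain page shows. The OBSERVED snapshot is constructed to show a failed check; for a live check, gather the records with Resolve-DnsName or dig from both an internal and an external vantage point and pass them in the same shape.

```python
"""Validate the Skype for Business Online DNS records for a domain.

Added example, not from the original chapter. OBSERVED is a constructed
snapshot, not a real DNS lookup.
"""


def expected_sbo_records(domain):
    """The two CNAMEs (sign-in and discovery) and two SRVs (SIP and federation).

    SRV values are (port, target); priority and weight are not checked because
    they only matter when more than one SRV record exists for the same name.
    """
    d = domain.rstrip(".").lower()
    return {
        ("sip." + d, "CNAME"): "sipdir.online.lync.com",
        ("lyncdiscover." + d, "CNAME"): "webdir.online.lync.com",
        ("_sip._tls." + d, "SRV"): (443, "sipdir.online.lync.com"),
        ("_sipfederationtls._tcp." + d, "SRV"): (5061, "sipfed.online.lync.com"),
    }


def _norm(value):
    """Compare targets case-insensitively and ignore a trailing dot."""
    if isinstance(value, tuple):
        port, target = value
        return (int(port), target.rstrip(".").lower())
    return value.rstrip(".").lower()


def check_sbo_dns(domain, observed):
    """Return a list of problem strings; an empty list means all four records are right.

    observed maps (name, record type) to a CNAME target or an SRV (port, target) pair.
    """
    seen = {(name.rstrip(".").lower(), rtype.upper()): value
            for (name, rtype), value in observed.items()}
    problems = []
    for (name, rtype), want in expected_sbo_records(domain).items():
        got = seen.get((name, rtype))
        if got is None:
            problems.append("missing %s record for %s" % (rtype, name))
        elif _norm(got) != _norm(want):
            problems.append("%s %s is %r, expected %r" % (rtype, name, got, want))
    return problems


OBSERVED = {  # constructed snapshot of an internal zone, not real DNS data
    ("sip.contoso.com", "CNAME"): "sipdir.online.lync.com.",
    ("lyncdiscover.contoso.com", "CNAME"): "webdir.online.lync.com",
    ("_sip._tls.contoso.com", "SRV"): (443, "sipdir.online.lync.com"),
    # _sipfederationtls._tcp.contoso.com deliberately left out: a common omission
}

if __name__ == "__main__":
    for problem in check_sbo_dns("contoso.com", OBSERVED) or ["all four records present and correct"]:
        print(problem)
```

Run the check once against your internal resolvers and once against a public one; the chapter's requirement is that all four records exist in both, and a split-brain zone where only the external copy is correct is the usual reason internal clients fail to sign in while home users succeed.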

Ports and protocols

Microsoft maintains a list of the Office 365 URLs and IP address ranges at https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US, which you can also reach at http://aka.ms/ipaddrs. Bookmark this page and subscribe to its RSS feed so you are aware of any changes. It documents all the network addresses and FQDNs Office 365 uses, along with the specific ports and protocols required. For all the services other than Skype for Business Online, that is TCP 80 and TCP 443. With SBO, there are many more; permit them all if you want the best experience. Fortunately, SBO only requires your clients to initiate outbound connections to the service. Nothing connects inbound, so your security team and firewall admins should not object too strenuously. All connectivity to the SBO service itself is encrypted with TLS; the only plain HTTP traffic you should see is the certificate revocation (CRL/OCSP) checking that TLS certificate validation triggers. Always check the documentation at http://aka.ms/ipaddrs for the most current requirements. Table 15-1 lists the SBO requirements at the time of writing.

Table 15-1 Skype for Business ports and protocols

Protocol      Port          Reason
TCP           80            CRL/OCSP checks and CDN content
TCP           443           SIP, PSOM, HTTPS downloads, Call Quality Dashboard, Outlook Web App integration, Quick Tips, federation with consumer Skype, and contact picture retrieval; also the fallback when other ports are blocked
UDP           3478–3481     Audio, video, and desktop sharing
TCP           5223          Only required for push notifications to the older Lync 2010 Mobile client for iOS
TCP and UDP   50000–59999   Audio, video, and desktop sharing (optional)

TCP versus UDP

It’s very important for you to ensure that all the required connectivity is permitted in your environment. If any of the required outbound connectivity is blocked, you will drastically reduce the overall performance of SBO for your users and be in an unsupported configuration. The single most common cause of complaints about SBO performance is blocked outbound UDP traffic.

TCP is a reliable, session-oriented transport protocol that ensures data delivery. It’s meant for applications that require all of the data to be delivered and when reliability is more important than both speed and efficiency. Sessions are established, packets are acknowledged, lost packets are retransmitted, out-of-order packets are held until they can be reassembled in order, and, when done, sessions are torn down. Use TCP for messages that you need to ensure are received, or for file transfers.

UDP is a connectionless transport protocol. It focuses on speed and low overhead; lost packets can be ignored and delivery order is not as important. You use UDP for queries that generate answers or when you are streaming data and any individual lost packets won’t matter.

Instant messaging and presence (IM&P), signaling, and data downloads all use TCP to ensure reliable message delivery. Those messages are both very small and very tolerant of latency. It’s very common to use Skype for Business Online on an airplane to communicate with colleagues. Even when the Gogo in-flight service is satellite-based and latency is measured in seconds, IM&P works well over TCP 443.

However, audio, video, and desktop sharing all use streaming protocols to convey data. These are all more concerned with ensuring that the stream of data is delivered consistently without delay than with complete reliability. If a UDP datagram is lost or delivered out of order, it’s simply dropped. Most people won’t even notice this when listening to audio or viewing video, because the amount of data in that one lost datagram is insignificant. Audio, video, and desktop sharing are all very latency-sensitive. Anything that slows down the connection from client to service reduces performance, but because any single datagram is just a small sample of the audio or video stream, its loss will probably not even be noticed as long as the stream is uninterrupted.

When you force Skype for Business clients to use TCP 443 for everything, such as when your firewall admin doesn’t want to open those ports or your security team wants to put everything through the proxy, any packet that is lost requires the entire stream to stop and wait for retransmission. That can take seconds and results in many audio and video problems. You have probably been on a VoIP call when you heard buzzing or chirps, or someone on the call sounded like a bad text-to-speech engine. You have probably also been viewing a shared screen when it froze, or the slides stopped advancing, or you lost the presentation entirely and had to rejoin. All these issues and more can occur when a client cannot make connections over the UDP port ranges. Make sure that the firewall permits clients to make connections over the UDP ranges before you deploy Skype for Business Online to your users. In a pilot, you might not notice as many issues because fewer users are online, but after you deploy to production, it quickly becomes apparent if UDP is blocked.

The bottom line is simple. You must permit all the documented connectivity required to deliver proper performance.
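An added example of finding the TCP 443 fallback in your own logs rather than waiting for complaints. It is not code from the chapter: it parses firewall log lines in the W3C format Windows Firewall writes to pfirewall.log (adapt the field names for a perimeter firewall) and reports hosts whose outbound UDP to the SBO media ports is dropped while their TCP 443 is allowed, which is exactly the degraded-audio condition described above. The log lines are constructed, and the 13.107.64.x destinations are stand-ins for the service's media relays, not a statement of its current address ranges (check http://aka.ms/ipaddrs).

```python
"""Spot blocked Skype for Business Online media traffic in firewall logs.

Added example, not from the original chapter. SAMPLE_LOG is constructed in
the Windows Firewall (pfirewall.log) W3C format; the IP addresses are not real.
"""

SBO_UDP_REQUIRED = (3478, 3481)     # must be open: STUN/TURN and media
SBO_UDP_OPTIONAL = (50000, 59999)   # optional media range from Table 15-1
SIP_FALLBACK = 443                  # where everything lands when UDP is blocked
COUNTERS = ("udp_required_dropped", "udp_optional_dropped", "udp_allowed", "tcp443_allowed")

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-03-10 09:12:01 DROP UDP 10.1.2.3 13.107.64.10 50123 3478 0 - - - - - - - SEND
2018-03-10 09:12:01 DROP UDP 10.1.2.3 13.107.64.10 50123 3479 0 - - - - - - - SEND
2018-03-10 09:12:02 ALLOW TCP 10.1.2.3 13.107.64.10 50124 443 0 - 0 0 0 - - - SEND
2018-03-10 09:12:05 ALLOW UDP 10.1.2.9 13.107.64.22 50130 3478 0 - - - - - - - SEND
2018-03-10 09:12:06 ALLOW UDP 10.1.2.9 13.107.64.22 50130 3479 0 - - - - - - - SEND
2018-03-10 09:12:07 DROP UDP 10.1.2.3 13.107.64.10 50140 55012 0 - - - - - - - SEND
2018-03-10 09:13:00 DROP TCP 10.1.2.3 203.0.113.50 50150 445 0 S 1 0 8192 - - - SEND
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the whole log
        yield dict(zip(fields, parts))


def analyze(text):
    """Per source host, count blocked/allowed SBO media UDP and allowed TCP 443."""
    report = {}
    for rec in parse_w3c(text):
        if rec.get("path", "SEND") != "SEND":
            continue  # only outbound flows matter: SBO never needs inbound
        try:
            dport = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue
        proto, action = rec["protocol"].upper(), rec["action"].upper()
        if proto == "UDP" and SBO_UDP_REQUIRED[0] <= dport <= SBO_UDP_REQUIRED[1]:
            key = "udp_required_dropped" if action == "DROP" else "udp_allowed"
        elif proto == "UDP" and SBO_UDP_OPTIONAL[0] <= dport <= SBO_UDP_OPTIONAL[1]:
            key = "udp_optional_dropped" if action == "DROP" else "udp_allowed"
        elif proto == "TCP" and dport == SIP_FALLBACK and action == "ALLOW":
            key = "tcp443_allowed"
        else:
            continue  # unrelated traffic (the TCP 445 drop in the sample, for instance)
        counts = report.setdefault(rec["src-ip"], dict.fromkeys(COUNTERS, 0))
        counts[key] += 1
    return report


def hosts_falling_back(report):
    """Hosts whose required UDP media is dropped while TCP 443 succeeds: they are on the slow path."""
    return sorted(host for host, c in report.items()
                  if c["udp_required_dropped"] and c["tcp443_allowed"])


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, counts in sorted(result.items()):
        print(host, counts)
    print("falling back to TCP 443:", hosts_falling_back(result))
```

In the constructed sample, 10.1.2.3 is the host whose calls will sound bad: its UDP 3478/3479 attempts are dropped and only TCP 443 gets through, while 10.1.2.9 behind a correctly configured rule uses UDP normally. Drops in the optional 50000–59999 range are reported separately because, per Table 15-1, that range is not mandatory.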

Latency

Latency refers to any delay on a network. Low-latency networks usually have only small delays between a client requesting something and the server responding. High-latency networks have larger delays. Many things can contribute to high latency. Some are within your control; others might fall to your ISP. Although all applications benefit from the lowest latency possible, Skype for Business Online is one of the most latency-sensitive applications you have to support. For IM&P, latency is not really a problem, as mentioned, but for voice and video, you want to do everything you can to reduce latency. You want the latency between your clients and the service to be under 100 milliseconds. Under 50 is better and the target to shoot for. Although you cannot increase the speed of light, there are several things you can do to minimize latency.

  • Keep DNS services local to the clients.
  • Make sure those DNS servers can resolve Internet names directly rather than having to forward queries to remote DNS servers for resolution.
  • Provide local Internet egress for your users in each key location.
  • Do not proxy SBO traffic.
  • Make sure your ISP peers with Microsoft to provide the optimum network path from your egress point to the service. See http://www.microsoft.com/peering for more information and ask your ISP to request peering with Microsoft if it is not already doing so.
  • Do not force Skype traffic for virtual private network (VPN) users to route over the VPN. Use split-tunneling to ensure the fastest connection to the service.

Planning connectivity

Skype for Business Online depends more on network connectivity than any other Office 365 service. SBO can provide you and your users with an excellent experience for audio and video when the network is good, but any problems with the network can lead to a very poor experience. SBO is often the first indicator of network issues because it is the first application to suffer if the network is not healthy.

SBO clients can provide great performance over wireless networks when those networks are configured properly, but will suffer from terrible performance when they are not. If you just bought and connected several access points, set a Service Set Identifier (SSID), and called it done, expect to have Skype audio and video problems related to your Wi-Fi network, but if you had a site survey performed, scaled your Wi-Fi network for both user and bandwidth demands, and made sure your access points are optimized for real-time communications needs, your users should see just as good performance on Wi-Fi as on wired.

SBO can also be bandwidth intensive when using it for audio, video, and presentation sharing. Although peer-to-peer communications only use your LAN or WAN bandwidth, any session that involves three or more participants requires client–server communications. Audio uses between 64 and 80 kbps per channel, so a three-way audio call uses between 192 and 240 kbps. A larger meeting, with 20 users, consumes between 1.2 and 1.6 Mbps. Now consider the same meetings with video. If each user has HD-capable hardware, the three-person call could peak at 12 Mbps, whereas the 20-user video call could use 80 Mbps. You will want to use the Skype for Business Online Client Bandwidth calculator, available at https://www.microsoft.com/en-us/download/details.aspx?id=19011.

Considerations with proxies

As a general rule, you should not use a proxy server with Skype for Business at all. Proxies add latency to all traffic, even when they are configured with whitelists to permit traffic to connect without inspection. Those that attempt to do any kind of inspection introduce even more latency. Because all SBO traffic is encrypted, a proxy can do little unless you enable Transport Layer Security (TLS) inspection so that the proxy terminates the TLS connection, inspects the traffic, and then re-encrypts the connection. As you can imagine, that adds even more latency to your SBO traffic and might cause so much latency that you are over the 50-millisecond target before your traffic has even left your network. Unless your proxy is a Socket Secure (SOCKS) proxy, to put Skype traffic through a proxy requires it all to go over TCP 443, which, as mentioned, can make client performance much worse. Add to all of those considerations that most proxy solutions don’t have parsers that do anything with SIP, and you wind up with a very expensive latency engine.

If you really must proxy all traffic, and you are willing to accept that doing so might degrade audio and video performance, be aware that the Skype for Business client attempts direct connections for all SIP traffic first and falls back to any configured proxy only when the direct attempt fails or times out. If your firewall answers blocked connections with TCP resets (RST/ACK), the client realizes very quickly that it cannot connect directly, but because most firewalls are configured to drop traffic silently, this can add several seconds to the establishment of any SIP session. You really want to permit that traffic to go directly.

If you cannot, visit https://support.microsoft.com/en-us/help/3207112/skype-for-business-should-use-proxy-server-to-sign-in-instead-of-tryin to deploy the registry key that tells Skype for Business not to bother trying direct and, instead, go straight to using the proxy. Here is what you need to do.

  1. Ensure that the client is fully updated.
  2. Exit the Skype for Business client by choosing File | Exit.
  3. Launch the Registry Editor.
  4. Find the key HKEY_CURRENT_USER\Software\Microsoft\UCCPlatform\Lync.
  5. Create a new DWORD in this key named EnableDetectProxyForAllConnections.
  6. Set the value to 1.
  7. Restart the Skype for Business client.
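The same change expressed in Windows PowerShell, so you can deploy it with a logon script or your endpoint management tooling and verify that it took effect. This is an added example rather than code from the book or from Microsoft; it uses only the key and value named in the steps above and assumes the client process is lync.exe.

```powershell
# Added example: set (or remove) EnableDetectProxyForAllConnections for the
# current user. Assumes the Skype for Business client runs as lync.exe.
$KeyPath   = 'HKCU:\Software\Microsoft\UCCPlatform\Lync'
$ValueName = 'EnableDetectProxyForAllConnections'

function Set-SkypeProxyFirst {
    [CmdletBinding()]
    param(
        # Use -Revert to remove the value and return to direct-first behaviour.
        [switch]$Revert
    )

    # The client reads this value at start-up, so it must not be running.
    if (Get-Process -Name 'lync' -ErrorAction SilentlyContinue) {
        throw 'Exit the Skype for Business client (File | Exit) before changing this setting.'
    }

    if ($Revert) {
        if (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName
        }
        return
    }

    # Create the key if this user has never signed in to the client.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # -Force overwrites an existing value, so re-running the script is harmless.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null

    # Read the value back and fail loudly if the write did not take.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($current -ne 1) {
        throw "Expected $ValueName = 1 under $KeyPath, found '$current'."
    }
    Write-Verbose "$ValueName set to 1; restart the Skype for Business client."
}

Set-SkypeProxyFirst -Verbose
# Set-SkypeProxyFirst -Revert   # remove the value again
```

Because the value lives under HKCU, run the script in the user's own context (a logon script, not an elevated admin session), or the setting lands in the wrong profile.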

Optimizing connectivity

Microsoft offers an entire deliverable called the Network Performance Assessment, which you can use to confirm that your network is sufficient for consuming SBO or to identify where it isn’t. Consider carefully whether you want to take advantage of that or perform your own assessment before deploying SBO to your users. The key things to assess include the following.

Table 15-2 Skype for Business Online target values for network tolerances

  Metric                              Target value
  Latency between client and service  < 50 milliseconds
  Round-trip time                     < 100 milliseconds
  Burst packet loss                   < 10% measured during any 200-millisecond interval
  Packet loss                         < 1% during any 15-second interval
  Packet inter-arrival jitter         < 30 milliseconds during any 15-second interval
  Packet reorder                      < 0.05% out-of-order packet arrival

Work with your network team, your security team, and your ISP together to ensure that you have the best connectivity to Office 365.

Troubleshooting connectivity

The end-to-end path ultimately determines whether SBO performs well or poorly. There are several tools you can use to assess your network and the quality of your connection to Office 365 for SBO before you deploy your first user.

Skype for Business Network Assessment Tool

The Skype for Business Network Assessment Tool can evaluate the path between your client and the SBO service. It’s a command-line tool you can download from https://www.microsoft.com/en-us/download/details.aspx?id=53885 and run on various workstations to assess the network conditions between client and service. It uses an audio file to place an audio call from the client to the closest SBO edge point and measures latency, round-trip time (RTT), jitter, loss, and packet reorder. You can edit the configuration file to run multiple consecutive tests over time and aggregate the results. To check your network, do the following.

  1. Download the tool from https://www.microsoft.com/en-us/download/details.aspx?id=53885.
  2. Expand the zip file to your directory of choice.
  3. To run multiple tests over time, use Notepad or another text editor to edit the NetworkAssessmentTool.exe.config file.
  4. Edit line 21 to set the number of tests you wish to run and edit line 24 to set the delay between each test you wish to run. In the following example, the test will run 36 times, pausing 5 minutes (300 seconds) between each test. This equates to a three-hour span with a 5-minute sample.
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <startup>
            <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
        </startup>
        <appSettings>
          <add key="Relay.IP" value="13.107.8.2"/>

          <!-- At least one of the following two protocols must be configured   -->
          <!-- Configure only one if testing only one protocol                  -->
          <!-- If both are configured, UDP will be preferred if it is available -->
          <add key="Relay.UDPPort" value="3478"/>
          <add key="Relay.TCPPort" value="443"/>

          <!-- WMAFilePath configures the WMA file to be streamed                            -->
          <!-- WMAOutputFilePath contains the received audio (for the duration of the call). -->
          <!-- If WMAOutputFilePath already exists, the existing file will be overwritten.   -->
          <add key="WMAFilePath" value="Tone.wma"/>
          <add key="WMAOutputFilePath" value="ReceivedAudioFile.wma"/>

          <add key="NumIterations" value="36"/>
          <add key="ResultsFilePath" value="results.tsv"/>
          <add key="Delimiter" value=" "/>
          <add key="IntervalInSeconds" value="300"/>
        </appSettings>
    </configuration>
  5. Save the file.
  6. Open a .cmd prompt in the working directory where you extracted the zip file and run the NetworkAssessmentTool.exe [enter] command.
  7. When the tool completes, run the ResultsAnalyzer.exe results.tsv [enter] command. You should see results like those shown in Figure 15-4.
    Image

    Figure 15-4 An example analysis of the Network Assessment Tool, showing that all tests passed

Figure 15-4 shows that all tests passed, with an average packet loss rate of 0%, an RTT latency of 22.15 milliseconds, jitter of ~9.67 milliseconds, and a packet reorder ratio of 0%. Note that it provides these results for both client to edge and edge to edge. If you try this from a client and it fails, move your test machine to the edge and test again. If it succeeds there, you have issues to address within your network. If it still fails, you need to engage your ISP to determine where the problem is.
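To tie the tool to the targets in Table 15-2, here is an added Windows PowerShell example (not part of the original page or of Microsoft's tool) that sets NumIterations and IntervalInSeconds in the .exe.config by key rather than by line number, then grades a set of measurements against the table. The metric names in the $Measured hashtable and the sample values are constructed; transfer the real numbers from the ResultsAnalyzer.exe output.

```powershell
# Added example: schedule a multi-hour Network Assessment Tool run and grade
# the averaged results against the Table 15-2 targets.

function Set-NetworkAssessmentSchedule {
    param(
        [string]$ConfigPath = '.\NetworkAssessmentTool.exe.config',
        [int]$Iterations = 36,          # 36 x 300 s = 3 hours, as in the walkthrough
        [int]$IntervalInSeconds = 300
    )
    # Edit the appSettings entries by key so the script survives layout changes.
    $xml = [xml](Get-Content -Path $ConfigPath -Raw)
    $settings = @{ NumIterations = $Iterations; IntervalInSeconds = $IntervalInSeconds }
    foreach ($name in $settings.Keys) {
        $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$name']")
        if (-not $node) { throw "appSettings key '$name' not found in $ConfigPath" }
        $node.SetAttribute('value', [string]$settings[$name])
    }
    $xml.Save((Resolve-Path $ConfigPath).Path)
}

# Table 15-2 targets for the client-to-service path. Metric names are this
# script's own; they are not the tool's column headers.
$SboTargets = @(
    @{ Metric = 'LatencyMs';        Max = 50;   Note = 'one-way latency' }
    @{ Metric = 'RoundTripMs';      Max = 100;  Note = 'RTT' }
    @{ Metric = 'BurstLossPercent'; Max = 10;   Note = 'loss in any 200 ms window' }
    @{ Metric = 'LossPercent';      Max = 1;    Note = 'loss in any 15 s window' }
    @{ Metric = 'JitterMs';         Max = 30;   Note = 'inter-arrival jitter' }
    @{ Metric = 'ReorderPercent';   Max = 0.05; Note = 'out-of-order packets' }
)

function Test-SboNetworkTargets {
    param([Parameter(Mandatory)][hashtable]$Measured)
    # One row per metric; a missing measurement is reported as a failure.
    foreach ($t in $SboTargets) {
        $value = $Measured[$t.Metric]
        [pscustomobject]@{
            Metric   = $t.Metric
            Measured = $value
            Target   = "< $($t.Max)"
            Pass     = ($null -ne $value) -and ($value -lt $t.Max)
            Note     = $t.Note
        }
    }
}

# Constructed sample, not real tool output: the RTT, jitter, loss and reorder
# figures from Figure 15-4 plus a burst-loss value that a client on a congested
# Wi-Fi segment might show.
$sample = @{
    LatencyMs = 11; RoundTripMs = 22.15; JitterMs = 9.67
    LossPercent = 0; ReorderPercent = 0; BurstLossPercent = 12.5
}
$report = Test-SboNetworkTargets -Measured $sample
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more metrics exceed the Table 15-2 targets; repeat the test from the network edge.'
}
```

Run Set-NetworkAssessmentSchedule before starting NetworkAssessmentTool.exe; with the sample above, every row passes except BurstLossPercent, which is the pattern the Wi-Fi discussion earlier in this section predicts.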

Fast Track Network Analysis

You can perform more detailed testing with the Fast Track Network Analysis tool. This is an online test you can use with a web browser as long as you have Java installed. It does require you to have a tenant already set up, but you do not have to have the SBO client installed or use a licensed user account. This tool tests your connectivity to confirm that outbound TCP and UDP ports are permitted; that the route and bandwidth are available; and that you have the quality of the connection to support VoIP, the capacity, the round-trip time, and the packet loss. Results are provided in a graphical view. Here’s how to use it.

  1. Open a web browser and go to http://na1-fasttrack.cloudapp.net/o365nwtest.
  2. Run the Java app when prompted to.
  3. Type the name of your Office 365 tenant and click OK.

    That is, the tenantname.onmicrosoft.com name, not your SIP namespace or company domain.

    Several tests run, including some for both Exchange Online and SharePoint Online.

  4. Check each to confirm that all tests pass. If any show a fail, investigate and resolve the issues before you deploy the service to any users. See Figure 15-5.
    Image

    Figure 15-5 The Fast Track Network Analysis tool showing all SBO ports open

There are more tools you can use to troubleshoot Skype for Business Online performance; Chapter 16 discusses those.

Network flows

Skype for Business Online uses both client–server and peer-to-peer connections, depending on the number of users and the scenario. Understanding the differences and when which is used can help you plan for sufficient capacity and troubleshoot issues if they arise.

Client–server

Most of the network traffic you see when using Skype for Business Online is client–server. Clients on your network initiate outbound connections to the Skype for Business servers in Office 365, using your Internet connection to reach the service. This includes registration, session setup, instant messaging, and presence and often includes audio, video, and desktop sharing. Whenever more than two clients are involved in audio/video/desktop sharing, or when two cannot make a direct IP connection to one another, that traffic goes client–server. When sizing your Internet connection and setting up your firewall for network address translation, keep this in mind.

Peer-to-peer

When two (and only two) clients can make a direct IP connection to one another, are not blocked by any network filter or host-based firewall, and no NAT between them prevents a direct path, audio, video, and desktop sharing occur over a peer-to-peer connection across your LAN or WAN. Session setup and presence updates are still performed client–server, but one-on-one media won't use your Internet connection unless it has to, which conserves bandwidth and reduces outbound connections. Make sure any firewalls between locations permit the same UDP port ranges internally and that any client firewall is configured to permit the Skype client to make and receive connections from the internal network.
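An added Windows PowerShell example, not from the original page, of host firewall rules that satisfy the last point above without exposing the client's listening media ports to every network a laptop joins: inbound traffic is allowed only for the client executable, only from internal address space, and only on the Domain and Private profiles. The client path, the media port range, and the RFC 1918 subnets are assumptions; substitute your own client location and the ranges from your port table. Run it from an elevated shell.

```powershell
# Added example: tightly scoped Windows Firewall rules for peer-to-peer media.
# Program path, port range and subnets are assumptions for this illustration.

function New-SkypeP2PFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Click-to-Run Office 2016 default; adjust for MSI or 32-bit installs.
        [string]$ClientPath = "$env:ProgramFiles\Microsoft Office\root\Office16\lync.exe",
        # Media port range the client is configured to use (assumed here).
        [string]$MediaPorts = '50000-50059',
        # Internal address space allowed to reach the client directly.
        [string[]]$InternalSubnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )

    if (-not (Test-Path $ClientPath)) {
        throw "Skype for Business client not found at $ClientPath"
    }

    foreach ($proto in 'UDP', 'TCP') {
        $name = "Skype for Business P2P media ($proto, internal only)"
        # Replace any earlier copy so re-running converges on exactly one rule.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        if ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
            New-NetFirewallRule -DisplayName $name `
                -Direction Inbound -Action Allow `
                -Program $ClientPath `
                -Protocol $proto -LocalPort $MediaPorts `
                -RemoteAddress $InternalSubnets `
                -Profile Domain, Private | Out-Null
        }
    }
}

function Get-SkypeP2PFirewallRule {
    # Show the effective scope so you can confirm no rule is wider than intended.
    Get-NetFirewallRule -DisplayName 'Skype for Business P2P media*' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }
}

New-SkypeP2PFirewallRule -WhatIf   # drop -WhatIf to create the rules
Get-SkypeP2PFirewallRule | Format-Table -AutoSize
```

Leaving the Public profile out means a user on hotel or airport Wi-Fi still gets media, but through the client–server path described above rather than by accepting inbound connections from strangers on the same segment.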

Licensing and client types

Skype for Business Online users have a number of options for connecting to and using the service. There are full-featured rich clients for their computers, mobile clients for their phones/tablets, and even some capabilities accessible through a web browser. As an admin, you have a number of options for licensing your users, based on what features and capabilities you want to provide. Because you must assign licenses before clients can use SBO no matter what client software is involved, the license and feature mix is discussed next.

Licenses and features

You can purchase several licenses to use Skype for Business Online. You want to make sure the license you choose includes the features you need to support for your users, including the client software you will deploy.

Skype for Business Online in E1, E3, and E5

Many customers obtain Skype for Business Online as part of a larger suite purchase of Office 365 services. In both the E1 and E3 suites, SBO includes the following features.

  • Instant messaging
  • Presence
  • Audio, video, and desktop sharing
  • Host meetings for up to 250 users
  • Host meetings for up to 10,000 users with Skype Meeting Broadcast

Compatible hardware and client software are required for all functions to work completely.

In the E5 suite, SBO also provides for the following.

  • Make, receive, and transfer calls across a wide range of devices with Cloud PBX.
  • Make domestic or international calls from current or new phone numbers with add-on PSTN calling.
  • Create meetings with a dial-in number that attendees can join by telephone with PSTN conferencing.

Skype for Business Online for smaller businesses

Both the Office 365 Business Essentials and Business Premium licenses come with Skype for Business Online, with almost all of the same features as in the E1 and E3 enterprise suites.

  • Instant messaging
  • Presence
  • Audio, video, and desktop sharing
  • Host meetings for up to 250 users

The only thing missing is the 10,000 attendee Skype Meeting Broadcast feature.

Stand-alone Skype for Business Online

Skype for Business Online can also be purchased separately. Two plans are available. Plan 1 includes IM&P and PC-to-PC audio and video calling. Plan 2 includes online meetings of up to 250 attendees in Skype for Business Online and up to 10,000 attendees, using Skype Meeting Broadcast.

Client software

To use Skype for Business Online, users must have client software of some type. The SBO clients for mobile devices and tablets can be downloaded for free from the various app stores such as the Apple App Store, Google Play, and the Windows Store. The Outlook Web App capabilities for IM&P are available to any user on a supported web browser with the appropriate license. The full rich client, which has to be installed on PCs, is included only with the E3 and E5 plans. E1 and SBO Plan 1 and Plan 2 users can download the free basic client, but it is not full-featured.

Skype for Business full client

The full version of the Skype for Business client is included with the various Office perpetual suites and with Office ProPlus. You can download it from the Office 365 portal or install it with the Office or Office ProPlus suite. The full Skype client supports all the features and capabilities of Skype for Business Online as long as you have licensed the user appropriately.

Skype for Business basic client

The Skype for Business basic client can be downloaded from the Office 365 portal or separately from https://products.office.com/en-us/skype-for-business/download-app?tab=tabs-3. Although almost all features of SBO work with this client, the following features are not available when using the basic client, even when a user is properly licensed for them.

  • Manage team call settings
  • Manage delegates
  • Make calls on behalf of another contact (manager/delegate scenario)
  • Handle another’s calls if configured as a delegate
  • Manage a high volume of calls
  • Initiate a call to a Response Group
  • Call park
  • Group call pickup

Lync

If you have users with older versions of the Lync client installed, they will work with Skype for Business Online. However, not all features work, and you should expect the overall experience to be less than when using the current Skype client. You definitely want your users to be on the latest, current, and fully supported client software when using Office 365, whether older versions could work or not. See https://technet.microsoft.com/en-us/library/dn933896.aspx for a comparison.

Outlook Web App client

Users can access Skype for Business Online in Outlook Web App. Skype for Business Online IM&P is integrated right into the Outlook Web App client. To use it, in addition to being properly licensed, your users must have mailboxes in Exchange Online already. Then, they can just click the Skype for Business Online icon in the top toolbar, as Figure 15-6 shows.

Image

Figure 15-6 Skype for Business Online in Outlook Web App

Skype Meetings app

Users can attend Skype for Business Online meetings by using only their web browser. After installing a browser plug-in, they can view content and participate in audio discussions over their Internet connection from a supported browser. When users who do not have the Skype for Business client installed click the hyperlink to join an online meeting, they are prompted to install the plug-in, as Figure 15-7 shows. As long as they have administrative rights on their workstation, they can install the app and join meetings.

Image

Figure 15-7 Prompt to install the Skype Meetings app after clicking the Join Now link in a meeting invite

Mobile clients

Skype for Business clients are available for iOS, Android, and Windows Mobile, available for download from their respective app stores. These apps provide significant functionality in Skype for Business Online, including IM&P, audio and video over Wi-Fi or cellular networks, and integration with Exchange Online to see upcoming meetings, view your contact list, and even place VoIP calls. You can also attend meetings and view presentations while on your mobile device or start up ad hoc meetings.

Users must download and install the Skype for Business mobile app themselves. Microsoft does not make the installers available separately, so if you use Mobile Device Management (MDM) to push software to your users' mobile devices, you will have to allow them to install this app from the public app stores instead.

Third-party clients

Although unsupported, open-source instant messaging clients can be used with Skype for Business Online for IM&P. They might require additional third-party plug-ins to work with SBO, and you won't get voice or video, but they do work well for IM&P. Be aware that future changes to the service might require updates to the plug-in, and that an unsupported client sits outside the patching and policy controls you apply to the Microsoft clients, so decide with your security team whether to permit it. If you use Linux regularly and still want to be online when needed, it's a workable solution even if it's not officially supported.

Skype policies

Policies enable administrators to configure certain settings for their users within the service. These can include disabling actions such as saving Conversation History, limiting the maximum bandwidth available for video calls, or blocking file transfers. Many of these same things can be controlled by using Group Policy objects (GPOs), and if all your Skype for Business Online clients are using domain-joined Windows machines, you can certainly use GPOs to manage their experience. However, with mobile devices and BYODs, you might find that using Skype Policies is the more effective way to ensure that all clients are covered consistently. Take a look at the types of policies that are available to you.

Types of policies

Skype for Business Online offers several types of policies. There are four main types that you will want to focus on, which include:

  • Client policies
  • Conferencing policies
  • External access policies
  • Voice policies

As you can imagine, each of these four policy types controls a specific set of settings. Skype for Business Online includes several preconfigured policies, and as an administrator you can create your own custom policies if one of the included ones does not meet your needs.

Use client policies to enable or disable specific client features, such as file transfer, whether a user can be signed in but appear offline, or saving instant messages (IMs) to their Conversation History. Many of these settings come into play with human resources, regulatory, or compliance concerns.

Use conferencing policies to set limits or features in online conferences, such as the maximum number of attendees, maximum bandwidth for each audio or video stream, or allowing recording. You can use these policies to control or restrict conferences, reduce the overall impact on the network, or ensure that highly confidential meetings are not recorded.

External access policies control what a user can or cannot do with external parties. You might enable external federation but not allow certain users to communicate with external users, or disable certain people’s ability to communicate with consumer Skype users. Perhaps you want to permit IM&P but not audio and video. You use these policies when you have to permit external federation for some users but not others or otherwise restrict external communications.

Finally, customers use voice policies with Cloud PBX connectivity to the public telephone system and voicemail to control features such as call forwarding, call transfers, and simultaneous ringing.

The easiest way to work with Skype for Business Online policies is with Windows PowerShell. Here are the additional steps to take to start using Windows PowerShell to work with SBO after you have already set up your computer to work with Office 365, using remote PowerShell.

  1. Download and install the Skype for Business Online PowerShell module from http://go.microsoft.com/fwlink/?LinkId=294688.
  2. Run the SkypeOnlinePowershell.exe file to install the module.
  3. Accept the license agreement and complete the installation.
  4. Open a Windows PowerShell session on your computer. It does not need to be an administrative shell.
  5. Run the following commands, in order, providing your administrative credentials where appropriate.
    Import-Module SkypeOnlineConnector
    
    $credential = Get-Credential
    
    $session = New-CsOnlineSession -Credential $credential -Verbose
    
    Import-PSSession $session

If all goes well, you will be connected to your Skype for Business Online tenant. See Figure 15-9. If your administrative account requires multifactor authentication, use a current version of the connector and run New-CsOnlineSession without the -Credential parameter so that it can prompt you interactively through Modern Authentication.

Image

Figure 15-9 Skype for Business Online remote PowerShell session

Finding the settings that work for your organization

As an admin, you might want to determine what policies are available to you and which settings you can change. Take a moment to confirm what your company needs. Work with management, human resources, legal, and the business to identify what might need to be turned off or disabled.

By default, Skype for Business Online provides full functionality to all users for everything you as an admin enable in the tenant. External federation is not on, but if you turn it on, then all users can take advantage of it. The same holds true for Public Internet Connectivity with Skype Consumer. Turn things off only if you must or if you want to control the deployment by rolling things out slowly.

You can list all the policies that are available or review the settings in the portal with the team members who will be involved in deciding which settings are required. Consider what user impact or business functionality might be lost by disabling something and make sure that it’s really necessary to do that. One very common thing some customers want to do is disable saving Instant Messaging history. By default, when users have both Outlook and Skype for Business installed, instant messages are saved to the Conversation History folder. This is an incredibly useful feature, because often links to URLs, names of people to contact, or other information is shared over IM. Being able to go back to that keeps you from having to ask the same question again and again, but because it is in email, it could be subject to discovery, and many companies are concerned that the more informal communications within instant messaging might present a risk if they become the subject of a discovery motion. You could spend more time on training your users to treat IM the same as email from that perspective rather than disabling saving IM history, but each business will approach this according to its needs.

Before you set policies for users, consider whether the graphical user interface (GUI) can be used to apply all the settings you require. By using Windows PowerShell, you can set a policy that matches what you can set through the GUI, but you can also control many more of the settings. If you can apply policy consistently to users with Windows PowerShell, this is not an issue, but if some of your administrative users use only the GUI, but others use Windows PowerShell, you might have users with different experiences, depending on whether they were configured through web browser or script. After you start to configure users with Windows PowerShell, it is best to use only Windows PowerShell from that point forward if any setting you need to apply is not available in the GUI. Either help those graphically inclined admins learn how to run basic Windows PowerShell commands, or take care of applying policy yourself.

Finally, refer to Zoran Cvetkovic’s blog post at https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Custom-Policies-in-Skype-for-Business-Online/ba-p/60096 before you spend too much time either applying existing policies or creating your own. He has some great tips for ensuring that policy setting remains manageable.
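An added Windows PowerShell example (not the page's own code) of the common request discussed above: assigning a built-in client policy that disables saving IM history to a set of users and verifying the assignment. It assumes you have already imported the remote session as shown earlier, that a built-in policy with DisableSavingIM set exists in your tenant, and that the user list is constructed. Policy names are discovered rather than hard-coded because the built-in set can differ between tenants.

```powershell
# Added example: grant a built-in client policy to several users and confirm
# the effective assignment. Requires an imported Skype for Business Online
# remote session (New-CsOnlineSession / Import-PSSession).

function Find-CsClientPolicyByIntent {
    # Return the first built-in policy whose DisableSavingIM flag matches.
    param([bool]$DisableSavingIM = $true)
    Get-CsClientPolicy |
        Where-Object { $_.DisableSavingIM -eq $DisableSavingIM } |
        Select-Object -First 1
}

function Grant-PolicyToUsers {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [Parameter(Mandatory)][string]$PolicyName
    )
    # Grant-Cs* fails on a bad name, so confirm the policy exists up front.
    if (-not (Get-CsClientPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        throw "Client policy '$PolicyName' does not exist in this tenant."
    }
    foreach ($upn in $UserPrincipalName) {
        Grant-CsClientPolicy -Identity $upn -PolicyName $PolicyName
    }
    # Read back the effective assignment rather than trusting the grant.
    foreach ($upn in $UserPrincipalName) {
        $u = Get-CsOnlineUser -Identity $upn
        [pscustomobject]@{
            User         = $u.UserPrincipalName
            ClientPolicy = $u.ClientPolicy
            Applied      = ($u.ClientPolicy -like "*$PolicyName")
        }
    }
}

# Constructed input: in practice, export this list from HR or a security group.
$users = @('alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com')

$policy = Find-CsClientPolicyByIntent -DisableSavingIM $true
if (-not $policy) { throw 'No built-in client policy disables saving IM history.' }

# Policy identities come back as "Tag:<name>"; Grant-Cs* wants the bare name.
$policyName = $policy.Identity -replace '^Tag:', ''
$result = Grant-PolicyToUsers -UserPrincipalName $users -PolicyName $policyName
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.Applied } |
    ForEach-Object { Write-Warning "Policy not applied to $($_.User)" }
```

Keeping the assignment in a script like this is what makes the consistency point above achievable: the same cmdlets run for every user, and the read-back step catches anyone a GUI-only administrator configured differently.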

Authentication

It’s very important to understand how authentication in Skype for Business Online works, especially if you plan to restrict access based on network location. Skype for Business Online does not work the same way as the other services do when it comes to using tokens for authentication, access, and refresh.

The initial authentication method you choose for your users (federated authentication to your on-premises IdP, password hash sync, cloud accounts) will be the same as for Exchange Online, SharePoint Online, and so on, with the same requirements for multifactor authentication, conditional access, and so on. Skype for Business Online supports Modern Authentication, just as modern versions of Outlook, the other Office apps, and current browsers do. Assume that you are using Active Directory, have implemented Azure AD Connect, and set up federation between Office 365 and your on-premises Active Directory Federation Services (AD FS) farm. When a user wants to connect to SBO for the first time, here is what happens.

  1. The client gets an authentication token from the on-premises identity provider.
  2. The client exchanges the authentication token (after verification) for an access token from the Microsoft Federation gateway and is directed to the Skype for Business Online service.

The client presents the access token and is given a Client Access Certificate (CAC). This certificate, which has an eight-hour lifetime, is then used to connect to the Skype for Business Online service. That certificate looks like the one in Figure 15-10.

Image

Figure 15-10 A client authentication certificate for Skype for Business Online

That is where things become very different from the other services. There is no concept of a refresh token. If the user's session ends and they reconnect before the certificate expires, they reconnect without any additional authentication. That means any network restrictions that limit where the initial authentication token can be obtained do not come into play once the certificate has been issued. If a user authenticates to Skype for Business Online on their laptop while on the corporate network, and then goes home and launches Skype again, they can reconnect to SBO even if you have set up Client Access Policies on AD FS that would prevent them from authenticating unless they were on the corporate network.

For the same reason, disabling a user, resetting their password, or removing their license does not immediately disconnect them from SBO; the user authenticated to your AD FS once, and the certificate remains valid until it expires. The eight-hour lifetime for the CAC is not configurable, so plan offboarding and incident response on the assumption that an existing session can persist for up to eight hours after you act, and hope that window does not present too great a problem.

Skype clients also need to authenticate to Exchange or Exchange Online to obtain your calendar information. The Skype client might prompt you for a username and password, because this goes through Exchange Web Services (EWS), which might still use the older active (username and password) authentication rather than Modern Authentication. This is one more reason to ensure that your users' User Principal Name, primary SMTP address, and SIP address all match. When they do not, the prompts can become very confusing to users, and they can easily enter the wrong value when prompted.
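An added Windows PowerShell check, not from the original page, that reports users whose UPN, primary SMTP address, and SIP address do not match. It relies on the UserPrincipalName, SipAddress, WindowsEmailAddress, and Enabled properties that Get-CsOnlineUser returns; the sample records are constructed so the function can be tried without a tenant connection.

```powershell
# Added example: flag identity mismatches that cause confusing EWS prompts.
# Accepts Get-CsOnlineUser output (or any object with the same properties).

function Test-SboIdentityConsistency {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$User
    )
    process {
        if (-not $User.Enabled) { return }   # skip accounts not enabled for SBO

        # Compare case-insensitively; the SIP address carries a "sip:" prefix.
        $upn  = [string]$User.UserPrincipalName
        $sip  = ([string]$User.SipAddress) -replace '^sip:', ''
        $smtp = [string]$User.WindowsEmailAddress

        $problems = @()
        if ($sip  -ne $upn) { $problems += 'SIP address differs from UPN' }
        if ($smtp -ne $upn) { $problems += 'primary SMTP differs from UPN' }

        if ($problems) {
            [pscustomobject]@{
                UserPrincipalName = $upn
                SipAddress        = $sip
                PrimarySmtp       = $smtp
                Problems          = $problems -join '; '
            }
        }
    }
}

# Constructed sample records (not real users) to show the output shape.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'
                       SipAddress = 'sip:alice@contoso.com'
                       WindowsEmailAddress = 'alice@contoso.com'; Enabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com'
                       SipAddress = 'sip:robert.b@contoso.com'
                       WindowsEmailAddress = 'bob@contoso.com'; Enabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'
                       SipAddress = 'sip:carol@contoso.com'
                       WindowsEmailAddress = 'carol@contoso.onmicrosoft.com'; Enabled = $true }
)
$sample | Test-SboIdentityConsistency | Format-Table -AutoSize

# Against a connected tenant (see the PowerShell setup earlier in this chapter):
# Get-CsOnlineUser | Test-SboIdentityConsistency | Export-Csv .\sbo-identity-mismatches.csv -NoTypeInformation
```

With the sample data, bob and carol are reported and alice is not; PowerShell's -ne is case-insensitive for strings, so differences in letter case alone are not flagged.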

What about Teams?

Microsoft Teams is the latest addition to the suite of products in Office 365 and is included with E1 and E3 licenses. It is a hub for teamwork, providing a single application through which teams can work together on projects; share information; collaborate; and conference using IM, audio, and video. It combines the best features of Skype for Business Online, SharePoint Online, and Microsoft OneNote, and it might be the future of collaboration and teamwork. Although there is a lot going on with Teams, this section focuses only on the potential overlap between Teams and SBO.

Comparing Skype for Business Online and Teams

There is some overlap between Skype for Business Online and Microsoft Teams. Some of your users might use only one or the other, but most will use both as appropriate. Each has its own features that the other lacks, and the good news is that you can run both on the same machine at the same time with minimal CPU or RAM usage.

How they are the same

The audio, video, and presentation sharing that Microsoft Teams provides is built on the next generation of Skype for Business technology. The ports and protocols are the same, the endpoints share many of the same namespaces and IP address ranges, and your users can interact directly with one another, whether they are using the Skype for Business Online client or the Microsoft Teams client. Much like SBO, there are mobile clients for all three major platforms as well as a web browser–based client for IM&P. You can schedule meetings in both and work collaboratively with others.

How they are different

Skype for Business Online offers full administration with policies, saves conversation history if desired, can federate with external SIP systems or with consumer Skype, and provides more mature reporting and troubleshooting capabilities. Teams lacks these things, although conversations within Teams are saved in the channel where they took place. Authorized users gain access to that history in Teams, but not through Outlook, and at the time of this writing, that content was not accessible through compliance searches.

However, Teams also offers the long-sought persistent chat room capabilities, which Skype for Business has but Skype for Business Online does not; it also integrates SharePoint Online and Office 365 Groups directly. Teams also has a rich and growing set of add-ins that you can add to a Team channel, including Office web apps, bots, surveys, and third-party apps. See Figure 15-11.

Image

Figure 15-11 Some of the available add-ins for Teams

A growing list of Microsoft and third-party connectors also enables you to use Teams with your other key business applications and processes, some of which appear in Figure 15-12.

Image

Figure 15-12 Some of the most popular Teams connectors

When should you use which?

That’s an easy question to ask but a more difficult question to answer. Skype for Business Online and Microsoft Teams are complementary in the enterprise and might even be so with individual users. You and your users can use one or the other or both as your work needs dictate. You might choose to use Teams for working with internal projects but use SBO for communications with others in the organization as well as with external customers or partners. The beauty of this approach is that you can work the way that works for you.

Summary

In this chapter, you learned the basic concepts of Skype for Business Online, including the features it supports, the fundamental requirements to implement it, the protocols involved, and the clients you can deploy to your users for them to get online. You learned about the options you can set for your users, how to connect to and manage the service through Windows PowerShell, and the importance of ensuring that your network is ready to support SBO. In the next chapter, you put this knowledge to use to deploy and manage the service for your users.
