Skype® for Business 2015 (Lync® 2013) Servers, Roles and their Functions

Microsoft Lync is an evolutionary product for Unified Communications (UC). The initial product; Live Communications Server 2003, was only an Instant Messaging (IM) server. This then evolved through several interactions of Live Communications Server to Office Communications Server and then to Lync Server 2010; when a PBX replacement function was added. It then evolved even further to Lync Server 2013 which added much more including video conferencing, web and audio conferencing, softphone and PBX replacement and/or integration. Now, Microsoft have renamed Lync to Skype for Business.

SfB can be deployed On-Premise as part of the company’s overall IT infrastructure. The advantage being that everything is located, managed and controlled in-house. This makes it much easier to integrate into the companies IT infrastructure including ‘Office’ applications, ‘Contacts’ and Security Policies. But you then have to maintain and support the Lync deployment.

The above diagram shows the servers in a typical On-Premise Skype for Business 2015 deployment that supports video conferencing, web and audio conferencing, VIS, instant messaging (IM), application sharing and PBX replacement and/or integration.

The diagram also provides an indication of the external traffic and protocols through the Edge Pool, Reverse Proxy and ADFS Proxy into the Skype for Business environment. It intentionally does not show the traffic and protocols within the SfB On-Premise environment between the various Servers and their roles. However, we will specifically look at traffic and protocols used in A/V Conferencing and Application Sharing in a separate the paper in this series.
Please see: Part 3: Networks & Protocols used by Skype for Business 2015 – (Lync 2013).

SfB Server 2015 relies on a number of external components in order to function. These consist of various systems such as servers and their operating systems, databases, authentication and authorising systems, networking systems and infrastructure as well as telephone PBX systems.

Skype for Business Server 2015 is available in two versions, Standard Edition and Enterprise Edition. These two versions allow a variety of deployment options depending on the organisations requirements and budget. Whilst features between the two versions are similar, Enterprise Edition provides options for more scalability along with high-availability and disaster recovery that are not supported in Standard Edition. Hence, Enterprise Edition requires more investment and higher specification components compared to Standard Edition.

SfB Server 2015 is modular and made-up of several specific roles. Some of these roles can be combined on multiple servers to provide fault tolerance and high-availability. When combined across multiple servers they are called a Pool. For example, a large organisation requiring high-availability might use SfB Server 2015 Enterprise Edition and deploy the Front End role across multiple servers in a Front End Pool along with several mirrored Back End SQL Servers for the database in a Back End SQL Pool. SfB Server 2015 Enterprise Edition requires full SQL on a dedicated Back End SQL Server or Pool.

Alternatively, SME’s who want to introduce unified communications to their organisation might use SfB Server 2015 Standard Edition that can combine several roles onto one server. For example, the Standard Edition automatically installs SQL Server Express with the Front End Server and uses this database to store Skype information.

SfB Server 2015 Standard Edition offers a relatively low cost entry point based on that all components can be hosted on a single server; with the addition of an Edge Server if external connectivity is required. SfB Server 2015 Standard Edition also supports Front End Pool pairing, which adds some resiliency across multiple servers and sites.

Hence, an SME could typically deploy SfB Server 2015 Standard Edition on a single server that acts as a Front End Server, with additional collocated roles such as Mediation Server, Persistent Chat Server, Monitoring and Archiving Server. To this they could add an Edge Server for external connectivity and a SIP-PSTN Gateway to enable Enterprise Voice. Together, these would be enough to provide the SME with A/V & Web Conferencing, IM & Presence, Application Sharing and Enterprise Voice.

Now let’s take a closer look at each specific SfB Server 2015 role and their functions. We will look at the protocols and IP ports they use later in this paper.

As you can see, the Front End Server is at the core of any SfB Server 2015 deployment. It provides the links and services for user Authentication, Registration, Presence, Address Book, A/V Conferencing, Application Sharing, Instant Messaging, Web Conferencing and Dial-in over PSTN.

With SfB Server 2015, the Front End role has four significantly changed from previous versions. With regards to video conferencing and this paper, the main changes are:

• 1) The A/V Conferencing function can no longer be split out as a separate role and hence with SfB Server 2015, the A/V Conferencing function always exists on the Front End Server.

• 2) Under SfB Server 2015 Standard Edition, the Persistent Chat role can now be collocated on the Front End Server, but must be on a separate server under Enterprise Edition.

• 3) The XMPP Gateway role in now in the Front End Server and the Edge Server includes an XMPP Gateway Proxy service that helps communicate with remote XMPP applications. Furthermore, the previous restriction has been removed and an XMPP Gateway can now handle XMPP connections to multiple SIP domains.

4) If required, the Monitoring and Archiving roles will also now always be collocated on the Front End Server.

If you are deploying SfB Server 2015 Standard Edition, the Front End Server will also have automatically installed SQL Server Express as the database and there will be no need for a separate Back End SQL Server.

If you are deploying SfB Server 2015 Enterprise Edition, then it would typically consist of at least two Front End Servers load balanced in a Front End Pool with at least one separate and dedicated Back End SQL Server. Whilst the Front End Pool could also include several other Skype Server roles including the Mediation Server role, if needed, the Mediation Server can also be installed on a separate server to increase performance.

SfB Server 2015 Enterprise Edition uses dedicated Back End SQL Server(s) running full instances of SQL Server Enterprise for the Skype database. These may also be mirrored to improve resiliency and increase availability and data protection. As mentioned above, SfB Server 2015 Standard Edition will have the SQL Server Express database collocated on the Front End Server.

The Edge Server (or Edge Pool) sits on the perimeter of your organisation and its role is to enable secure remote access to the internal (On-Premise) Skype infrastructure. The Edge Server also enables ‘Federation’ with external organisations, thus providing secure communications with these organisations across the Internet.

As an analogy with the H.323 and SIP videoconferencing world, you could liken the function of the Edge Server to that of a Firewall Traversal solution or Session Border Controller (SBC) specifically for Skype environments.

In SfB Server 2015, the Edge Server consists of the following four separate services:

• 1) Access Edge Server

• 2) Web Conferencing Edge Server

• 3) A/V Edge Server

4) XMPP Gateway Proxy.

Each of the above services provide slightly different functions, hence depending on your organisations requirements, you might not need to use them all. SfB Server 2015 deploys all services together on each Edge Server within the Edge Pool.

The Edge Server, unlike many of the other internal server roles, does not require a database or file share services as it does not store data apart from the Local Configuration Store copy from the Central Management Store. Hence, the Edge Server runs a minimum set of services to make it as secure as possible.

Access Edge Server roles:

The Access Edge service provides a secure proxy for all remote Skype signalling traffic. Within SfB Server 2015, these services includes Remote Access, Federation and Public Provider connectivity. Remote Access capabilities enable ‘users’ to sign-in and use their devices across the Internet. As long as the appropriate configuration has been made, users can travel in and out of their office without ever making changes to their devices. This allows them to have full access to their internal features and functions no matter where they may be.

The Access Edge Server uses https on IP port 443 for Remote Access.

The Access Edge Server provides the capability to ‘Federate’ with other organisations who are also running Skype for Business or Lync so that they can communicate with each other as if they had just one Skype for Business deployment. Obviously, it’s better if all organisations deploy the latest SfB Server 2015. But if not, the limitations of Federating between organisations is that they will only get the lowest common feature set available between the different versions of SfB or Lync across that specific Federated connection.

The Access Edge Server uses certificates and Mutual Transport Layer Security (MTLS) to secure the SIP signalling between sites across the Internet. This ensures that Instant Messages (IM) and Presence are secure and not sent as plain text.

Public Provider Connectivity is a derivative of Federation that provides the capability for Skype users to communicate with contacts on public IM networks. These are typically called Public IM Connectivity (PIC) networks. Hence, Skype for Business users can see Presence and can instant message with Skype, MSN and other contacts on public IM networks simply by adding them their contact list. However, PIC sessions are limited to point-to-point calls and cannot be multipoint calls between three or more participants that are available within organisations or between federated contacts.

Web Conferencing Server roles:

The Web Conferencing Edge Server allows remote users to participate in web conferencing sessions. These sessions include internal SfB 2015 participants as well as other remote users. Web conferences can also involve data collaboration such as whiteboards and polling. Known web conference users must first be authenticated by the Access Edge Server.

Anonymous or unauthenticated users can also join an organisations web conferencing sessions if allowed. SfB Server 2015 Web Conferencing uses Microsoft’s Proprietary Shared Object Model (PSOM) protocol as well as https on IP port 443.

A/V Edge Server roles:

This is where it gets more interesting, especially when we are concerned about video conferencing. First of all, we must make a clear distinction and understand that Skype Web Conferencing is NOT the same as SfB A/V Conferencing and that when we talk about SfB integration with video conferencing, we really mean Skype for Business Server A/V Conferencing with H.323 and SIP standards compliant Video Conferencing.

Second, there is an A/V Edge Server that resides on the SfB Server 2015 Edge Server and an A/V Conferencing function, including the AVMCU, which resides on the SfB Server 2015 Front End Server.

The A/V Edge Server role is to provide a secure means of sending audio and video media streams between all the internal, external and federated Skype users. To enable devices to communicate from virtually any network connection to the Internet, the A/V Edge Server uses various methods including Interactive Connectivity Establishment (ICE), Simple Traversal Utilities for NAT (STUN) and Traversal Using Relay NAT (TURN).

In a vast majority of usage, devices would connect internally on a simple point-to-point basis and exchange media streams. However, when a device uses NAT (typically an external device behind a Firewall/Router), the A/V Edge Server acts as a relay between the internal and external devices. The A/V Edge Authentication Service is an additional service on the A/V Edge Server that supports media streams between internal and external users by authenticating media requests from internal users to external users. It does this by providing a temporary media token to the user to authenticate with the service before media streams are allowed to pass.

The A/V Edge Server uses a combination of both https on IP port 443 and UDP on IP port 3478 to initiate and allow the media streams.

XMPP Gateway Proxy:

XMPP (Extensible Messaging and Presence Protocol) is a message oriented protocol based on XML (Extensible Markup Language). It was originally called Jabber and developed by the Jabber open source community in 1999 for near real-time instant messaging, presence and contact list. XMPP is an open standards protocol and in 2002, the Internet Engineering Task Force (IETF) setup an XMPP working group to formalise the core protocols as an IETF instant messaging and presence technology.

XMPP based software is now widely deployed across the Internet, with derivatives being implemented in applications such as Google Talk (GTalk), AOL Instant Messaging (AIM) and Skype.

SfB Server 2015 has an XMPP Gateway proxy service in the Edge Server that works with the XMPP Gateway in the Front End Server. XMPP Federation allows users to have instant messaging with external contacts who are using XMPP based applications such as GTalk, AIM or older versions of what was Skype. Time will tell how Microsoft handles and integrates future versions of Skype with Skype for Business.

The XMPP Gateway proxy uses XMPP on TCP IP port 5269.

Federation is the term given to the feature that enables organisations that have deployed Skype for Business to communicate easily and securely with each other across the Internet. Federation uses the SfB Access Edge Server and XMPP Federation allows SfB users to view presence as well as instant messages. Organisations can also use Skype Federation to allow users to participate in Web Conferences or A/V Conferences with remote sites. Federation is quickly emerging as the chosen method in which organisations can have secure UC collaboration between each other.

The Reverse Proxy is a secure way to publish and provide access to SfB Server 2015 services to remote users on the Internet. By controlling specify IP ports that can pass traffic and restricting destination addresses (URL), you can safely control what passes between the Internet and the SfB Server. The Reverse Proxy is simply an extra hop between the remote user and SfB services. It intercepts all inbound and outbound messages. This way, packets never going directly between the ‘unprotected’ remote user and the ‘protected’ SfB services. The Reverse proxy provides the capability to inspect the remote users inbound traffic for any malicious content before it reaches the internal SfB service.

The following are just a few of the Skype for Business features that require the Reverse Proxy:

• Skype for Business Mobile clients
• Web Services
• Address Book download
• Web Conferencing content such as whiteboards, presentations and document sharing
• Device updates
• Dial-In conferencing pages

For example, Skype for Business Mobile clients encapsulate the SIP signalling in TCP packets and send them via the Reserve Proxy using https over IP port 443. So if you want to enable SfB Mobile clients, you need to deploy a Reverse Proxy.

Using a Reverse Proxy is essential if you want to provide Web Services to external users. Whilst the Reverse Proxy listens for external connections on TCP port 443, it uses SSL Bridging to forward theses connections to the Front End Server on TCP port 4443. This is because, for security purposes, the SfB Web Services contains separate virtual web directories. The external SfB Web Services directory listens on TCP port 4443 and hence this port should be used when publishing to the Internet.

The Directors role is optional in SfB Server 2015 (and Lync Server 2013) and is no longer ‘recommended’. Its main function is to authenticate endpoints and ‘direct’ users to the pool where their account is housed. In SfB Server 2015, like Lync Server 2013, the Director is a completely dedicated and specific role on a standalone server. This makes it easier to deploy (or remove) and increases the security.

Directors are most useful where multiple pools exist because they provide a single point of contact for authenticating endpoints. Furthermore, with regards to remote user access, a Director also serves as an extra hop between the Edge Pool and Front End Pool, hence adding an extra layer of protection against attacks.

Skype for Business Server 2015 relies heavily on Active Directory which ensures close integration with other Microsoft products such as Exchange and SharePoint. SfB Server 2015 relies on Active Directory Domain Services (ADDS) to maintain groups, users and other topology information. Lync also relies on Active Directory Certificate Services to provide a Certificate Authority for secure encrypted data traffic.

Prior to installing SfB Server 2015, organisations must update their Active Directory deployment to a function level of at least Windows Server 2003 SP2. They must also ensure that their Active Directory schema supports SfB Server 2015.

Skype for Business Online includes a Microsoft Azure Active Directory tenant for the online account. Hence, Directory Synchronisation is an important feature because it enables Active Directory user and group accounts to be synchronised between the On-Premise Active Directory Domain Services (ADDS) environment and the Microsoft Azure Directory tenants. For most organisations, it makes sense to use directory synchronisation with Single Sign-On (SSO) as together these create a seamless experience for Lync Online users. Active Directory Federation Servers (ADFS) must be implemented to use Single Sign-On.

In fact, a strict requirement for organisations that want to use the Skype Online/Server Hybrid model is that they must first deploy ADFS for SSO with Office 365 as they cannot use the Office 365 federated identity.

SfB Server 2015 uses a file share for each ‘pool’ for many tasks including Address Book, Configuration, Conferencing and other critical functions. SfB Server 2015 assigns strict permissions to these file shares which are validated when your topology is published. If, for any reason, file permissions get changed, then simply recreate the permissions by republishing your topology.

Similar to how the SQL Server and File Share Server are used with SfB Server 2015, the Office Web Applications Server role is treated as an external dependency for the Front End Server Pool. Its purpose is to provide integration with Office 2013 and is exclusively used to render PowerPoint slides for SfB Web and Mobile (an Lync) clients. Previously, Lync Server 2010 used Microsoft Silverlight for PowerPoint slide rendering, but this has been removed in Lync Server 2013 and SfB Server 2015.

The Office Web Applications Server (or Pool) can be used to support SfB Server 2015, Exchange Server 2013 and SharePoint 2013 as they all can use the service for viewing and editing. The advantage over Silverlight is that Office Web Application Server has better support for PowerPoint animations. The disadvantage is that it requires an extra Server in the Front End Pool.

Formerly known as Group Chat, in Lync Server 2013 (and SfB Server 2015) this has be rebranded to Persistent Chat and integrated with the rest of Lync. Persistent Chat should not be confused with Instant Messaging (IM) as they are not the same. Persistent Chat allows SfB Users to create chat rooms for persistent conservations about specific topics and subjects. With Persistent Chat, these chat rooms remain open even after all participants involved in the conversation have left. This then allows SfB Users to go back and view ongoing conversations, or search for content within the chat rooms. Hence, many organisations find that Persistent Chat provides a valuable method for collaboration between groups and users.

By contrast, with Instant Messaging, when all the participants leave the conversation, the session stops and cannot then be retrieved.

With SfB Server 2015 Standard Edition, the Persistent Chat role can be collocated on the Front End Server. Also, the Persistent Chat databases can be collocated with the rest of the SfB databases on the SQL Server. With SfB Server 2015 Enterprise Edition, whilst Persistent Chat must be installed on a dedicated server, the databases can still be collocated on the SQL Server.

With SfB Server 2015, the Monitoring and Archiving roles are collocated on the Front End Server or Pool as an option within the Skype for Business Topology Builder. The data is stored within the SQL Server, which maybe the same SQL instance used by the Front End Pool or a separate SQL instance. With SfB Server 2015 (and Lync Server 2013), the Monitoring role is really an agent that resides on each Front End Server. It then collects and manages information from all the SfB servers and stores it in a separate SQL database. It takes advantage of the SQL Server Reporting Services to create various reports about usage and call quality.

Whilst the Archiving role is mainly for legal compliance, it can archive Peer-to-Peer (P2P) Instant Messages, Web Conferences (including uploaded content and events), A/V used in P2P Instant Messages and Web Conferences, and Web Conference annotations and polls.

With SfB Server 2015, Skype data can be archived in a central store along with archived emails from Exchange 2013.

One obvious and major advantage that SfB Server 2015 (and Lync Server 2013) has over other Unified Communications products is its close integration with other Microsoft applications. This enables information stored in one application to be easily accessed by SfB, or vice versa. SfB Server 2015 integrates with Exchange 2013; specifically, the Exchanges Unified Messaging (UM) role allows SfB Server to use Exchange for voice mail, email and fax messages. Hence, voice messages stored in Exchange can be retrieved by SfB clients. Also, SfB clients can answer calls and receive messages through email in Outlook.

SfB Server 2015 also integrates with Exchange Outlook Web App (OWA) which then allows Instant Messages (IM) and Presence within an OWA session.

VIS is a new role within Skype for Business 2015 that allows you to integrate with specific third-party Video Teleconferencing Systems (VTC). VIS is currently a standalone role on a dedicated server within an On-Premise SfB deployment. The VIS acts as an intermediary between the third-party video conferencing endpoints (VTC) and Skype for Business Server 2015. The initial VIS release is specifically focussed on interoperability with Cisco/Tandberg video endpoints.

We will take a closer look at VIS, its advantages and limitations in a separate paper within this series.

Public Switched Telephone Network (PSTN) is the common network used for telephone systems around the world. The PSTN consists of a collection of circuit-switched analogue telephone lines, digital trunks (T1 & E1), 2G/3G/4G mobile cell connections and satellites that can all call each other via their interconnected switches.

Private Branch Exchange (PBX) is a device that enables organisations to create their own private exchange (network) to connect their internal telephones and fax machines and then call each other without going out to the PSTN. The PBX will usually also connect to the PSTN so that external telephone calls can be made and received.

There are essentially three types of PBX:

• Traditional PBX which is entirely based on analogue or digital handsets and has no IP capabilities.
• IP-PBX that is entirely based on Voice over IP (VoIP) with IP devices (does not support analogue devices).
• Hybrid-PBX are the most flexible and combine the capabilities of both traditional PBX and IP PBX.

The Mediation Server (or Pool) is a critical component in SfB Server 2015 for users who want Enterprise Voice and Dial-In services. The Mediation Server can be collocated in the Front End Pool. However, for capacity purposes, it maybe better on a dedicated server. The Mediation Server role is required for any connections to a legacy PBX or PSTN. There are various ways to connect, including via a Media Gateway, IP-PBX, SIP Session Border Controller (SBC) or SIP Trunk.

In SfB Server 2015, the Mediation Server is responsible for:

• Encrypting and de-encrypting media streams between SfB users and the PSTN or PBX
• SIP signalling over TCP or TLS between SfB users and the PSTN or PBX
• Transcoding media streams between SfB users and the PSTN or PBX

Basically, the Mediation Server acts as a Back-to-Back User Agent (B2BUA) between the two endpoints in a SIP call to help establish communications. With SfB Server 2015, when the Mediation Server receives a PSTN call request directly from the SfB client, it divides the call into two separate streams; SIP signalling and media. The Mediation Server then initiates the call through the connected Media Gateway or IP-PBX. Throughout the PSTN call, all SIP signalling is routed through the Mediation Server. However, SfB Server 2015 (and Lync Server 2013) supports a Media Bypass feature that is designed to improve call quality and increased the Mediation Server capacity.

In this scenario, when a remote user makes a PSTN call, they are connected through the Edge Server to the Mediation Server and onward to the Media Gateway or IP-PBX. Both the SIP signalling and media streams will be handled as if the user was on the LAN with the Media Bypass feature disabled (the Edge Server does not support Media Bypass).

Basically, the Media Gateway is a device that connects your internal SfB phone system to the external PSTN, usually via your PBX. However, depending on the capabilities of your PBX, you may not actually need a Media Gateway