Skype for Business – Cloud Connector Edition – Is it right for you?

As Microsoft push towards a cloud-first / cloud-only model for Skype for Business enterprise voice, a new server role has come about: Cloud Connector Edition. What is it? What hardware do I need? What are the requirements? What is it used for? Do I need it? What if I already have Skype for Business on-premises? How does it integrate with my legacy PBX? All these questions are very pertinent and, critically, misunderstanding the technology can lead to large-scale business impacts. Let’s take a look by answering these questions below.

What is it?

Cloud Connector Edition (CCE) is a lightweight, on-premises Skype for Business deployment. CCE consists of 3 virtual machines that contain the roles required to establish PSTN voice connectivity from your on-premises PBX to Skype for Business Online users using hybrid connectivity. The virtual machines are split as follows:

  1. Central Management Store
  2. Mediation Server
  3. Edge Server

These virtual machines are pre-packaged and downloadable from your EA subscriptions (soon). They are only supported on Hyper-V and only as virtual machines; there are no physical alternatives (yet). The CMS and Mediation virtual machines should be installed on the same hypervisor, on fast network storage or physical storage that adheres to the Microsoft virtualization whitepaper released for Lync 2013, while the Edge server must be installed on a separate hypervisor that is within your DMZ.

Each CCE is capable of supporting up to 500 simultaneous PSTN calls. If your requirement is 501+ then you should install multiple CCEs. It is important to note that the CCE is only provided to support PSTN connectivity to Skype for Business Online users. You cannot deploy this in replacement of a full Skype for Business On-premises solution as it does not contain the IM, Conferencing or media rich content modalities typically found on an on-premises solution. The CCE does not act as a registrar so all users / devices must register with Skype for Business Online and Skype for Business Online must also support these devices and users.

What Hardware do I need?

The hardware requirements for a CCE are as follows.

CMS & Mediation Hypervisor

  • 2 x 6-core 2.26GHz CPUs
  • 64GB RAM
  • 2 x 146GB 10K SAS Hard Drives in RAID 1 Config – for OS
  • 6 x 146GB 15K SAS Hard Drives in RAID 10 Config – For virtual Machines
  • Quad-port Gigabit network card – Teaming to single MAC address per team support only

Edge Hypervisor

  • 2 x 6-core 2.26GHz CPUs
  • 24GB RAM
  • 2 x 146GB 10K SAS Hard Drives in RAID 1 Config – for OS
  • 4 x 146GB 15K SAS Hard Drives in RAID 10 Config – For virtual Machines
  • Quad-port Gigabit network card – Teaming to single MAC address per team support only

CMS & Mediation Virtual Machine Hardware

  • 2 x vCPUs
  • 32GB RAM
  • 72GB Hard Drive
  • 1 x Network Adapter

Edge Server Virtual Machine Hardware

  • 2 x vCPUs
  • 16GB RAM
  • 72GB Hard Drive
  • 2 x Network Adapters (1 for internal DMZ and the other for External)

The CCE is configured using Microsoft’s own supplied PowerShell scripts. It is recommended that these virtual machines be installed on their own hypervisors because these scripts will automatically reconfigure the hypervisor’s network configuration to meet the virtual machines’ needs. Collocating other production systems on these hypervisors is discouraged because of the risk to uptime during this reconfiguration.

What are the pre-requisites?

In order to deploy a CCE, obviously you first must have the required licencing subscription with Microsoft, and the hardware that meets the above specification already. In addition to this you will need the following:

  • Office 365 tenant with E5 licence plans
  • 1 x SSL UCC SAN certificate to cover the required external FQDNs of your CCE – these are ap.domain.com, dp.domain.com and mr.domain.com
  • Internal AD Certificate Authority for internal certificates for the CMS, Mediation server and also the internal interface of the edge server
  • Your legacy PBX system must be on the Skype for Business supported / certified program. If not, you will need a SBC between your PBX and CCE.
  • 3 x unused Public IP addresses
  • AADConnect with directory synchronisation

Also, your AD forest, domain and schema will need updating, but this is performed as part of the installation.
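A pre-flight check for the external certificate prerequisite above, as an added example that is not part of the original post or of Microsoft's CCE scripts. The function names, the 30-day threshold and the sample SAN list are assumptions made for illustration; matching is exact, so a wildcard entry is reported as missing, in line with the post asking for a SAN certificate.

```powershell
# Added example: checks that a certificate's SAN list covers the ap/dp/mr names
# the post lists for a CCE. Function names are hypothetical.

function Get-CertificateSanDnsName {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Assumption: English-language Windows renders entries as "DNS Name=host";
    # the "DNS:host" form is accepted as well.
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CceExternalCertificate {
    param(
        [Parameter(Mandatory)][string[]]$DnsName,    # SAN DNS entries from the certificate
        [Parameter(Mandatory)][string]$Domain,       # e.g. domain.com
        [datetime]$NotAfter = [datetime]::MaxValue,  # certificate expiry, if known
        [int]$MinDaysValid = 30                      # constructed threshold
    )
    $required = 'ap', 'dp', 'mr' |
        ForEach-Object { ('{0}.{1}' -f $_, $Domain).ToLowerInvariant() }
    $present  = @($DnsName | ForEach-Object { $_.Trim().ToLowerInvariant() })
    # Exact, case-insensitive match only; wildcard entries do not count.
    $missing  = @($required | Where-Object { $present -notcontains $_ })
    $daysLeft = [math]::Floor(($NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Missing  = $missing
        DaysLeft = $daysLeft
        Ready    = ($missing.Count -eq 0) -and ($daysLeft -ge $MinDaysValid)
    }
}

# Constructed sample: a SAN list that lacks the mr name.
$sampleSan = 'ap.domain.com', 'DP.domain.com', 'sip.domain.com'
Test-CceExternalCertificate -DnsName $sampleSan -Domain 'domain.com'

# Against an installed certificate (thumbprint is a placeholder):
# $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
# Test-CceExternalCertificate -DnsName (Get-CertificateSanDnsName $cert) `
#     -Domain 'domain.com' -NotAfter $cert.NotAfter
```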

What is it used for?

CCE is used when businesses have no on-premises Lync 2013 or Skype for Business deployment, but consume Skype for Business Online and have the required E5 licence for Cloud PBX. They also have an existing relationship with their telephony carrier that offers them cheaper calling rates than Microsoft E5, or Cloud PBX does not have a presence in the country and cannot be used.

In these instances, Cloud PBX with On-Premises PSTN calling is the solution. Users would be registered in Skype for Business Online, but assigned an on-premises PSTN voice policy. The CCE is used to create hybrid voice between Skype for Business Online and the business office. The CCE is then used to bridge the connectivity between the on-premises PSTN gateway and Skype for Business by creating a SIP trunk between the CCE’s mediation server and the on premises legacy PBX.

Do I need it?

If you would like to use Cloud PBX with PSTN calling, then no. All your call control will be within the Office 365 cloud. There is no need for any on-premises infrastructure. If you already have a Skype for Business deployment, then you also do not need a CCE. Instead, you would configure your on-premises deployment for hybrid with Cloud PBX (Office 365).

If you have no on-premises Skype for Business and want to use Cloud PBX with on-premises PSTN calling then yes you will need a CCE, or a Skype for Business on-premises deployment.

How does it integrate with my legacy PBX?

In simple terms, it doesn’t. The primary use of a CCE is to give your Skype for Business Online users the ability to use your existing telephony connectivity to the PSTN to make and receive phone calls. Integration is only for SIP trunking, in that a CCE will use your legacy PBX for a SIP connection to the PSTN.

If you want users from your legacy telephony world to dial a Skype for Business Online user or vice versa, you will need to create your own dial plans, normalizations and routes on your PBX to redirect the calls inwards to the required destination, or alternatively force the call out to the PSTN and back in. At the moment you are unable to create your own dial plans, normalization rules and routes within Skype for Business Online; you must use Microsoft’s pre-defined ones.

Is it right for you?

This is the million-dollar question. Only you can decide on that one. Hopefully the above answers will give you some food for thought, and help you understand the direction Microsoft are taking as well as the placement of services. However, there are a few technical limitations of a CCE that could make the decision clearer for you. These are:

  • No media bypass
  • No Call via Work, or remote call control
  • No response groups
  • No integration with on-premises contact centres
  • No integration with on-premises VTCs
  • No Private Line
  • No integration with trusted applications, SefaUtil etc
  • No voice resiliency (if the internet connection goes down on-premises, no voice for your online users)
  • No Address Book synchronisation between legacy PBX and Skype for Business Online (Use AD instead)
  • No Common Area Phone support
  • Supported handsets are Polycom VVX family only (at present)

If any of these limitations prevent your business requirements from being met, then a CCE is not the right solution for you. Instead, you would need a Skype for Business on-premises deployment configured for hybrid voice.

In my opinion, I see little benefit in choosing a CCE over a Standard Edition Skype for Business on-premises deployment. The effort to deploy is almost the same, but the Standard Edition gives you the flexibility of being able to support the above limitations, whether you need them day one or not. Some people think the future is cloud voice; that may be so in around 15 years’ time, but at least for the next 10 years the immediate future is hybrid.

22 thoughts on “Skype for Business – Cloud Connector Edition – Is it right for you?”

  1. What about mobile outside voice or call park, for CCE? Does MS have plans to enable as much feature parity with sfb on premise? In other words will features like cma phones, analog devices, rsgs, or private lines etc be supported at some point as part of the roadmap for CCE?


    1. Hi Shawn, mobile voice should be delivered via Office 365. Call park, CAP, RGS, Analog, Private Lines are not features yet. Microsoft pitching 2017 as feature parity with On-Prem so 2016 will be a year of fixes, trials and issues. Though I doubt Analog will come, probably still require SfB on prem rather than CCE, as CCE does not include the registrar service 😉


    1. All I know is that it has been pushed back to at least April. If I hear anything I’ll let you know. There is a security issue in that deploying the edge VM to DMZ you are essentially deploying an unmanaged machine which obviously is not good.


      1. Edge in DMZ is no different to a normal Lync/SfB Edge in DMZ. New design for Jan has a DC added so that the CMS & Mediation Servers are in the Cloud Connector local domain rather than customer on prem domain. No trust is needed between the Cloud Connector domain and customer AD.


      2. Yeah this was the original plan, then they removed it (DC that is). probably back and we have to synch identities anyway, if not directly to that AD to O365 AD or SSO would never work.
        Also Edge server in CCE is unmanaged, a normal edge is managed😉 on the preview I had anyway.


  2. Thanks for your helpful breakdown of CCE deployment pros and cons Mark. We are looking for the ability to integrate with a trusted application server in addition to PSTN connectivity via our softswitch so it looks like CCE won’t work and we’ll need to go with a Standard Edition Skype for Business on-premises deployment.

    What CAL’s are required?
    From what I read, the Enterprise and Plus CAL’s are required for normal PSTN in/out connectivity on a SfB server and they’re a bit pricey, especially compared to CCE being free with a SfB Cloud PBX license. We don’t need any of UC features of SfB server since they’re provided via Cloud PBX. We only need PSTN connectivity and ability to integrate with a proprietary application running on a trusted app server.

    You also mentioned that an E5 license is required for CCE; are you sure that’s the case?
    According to Microsoft on their SfB Online licensing overview page, E1, E3, and SfB Online Plan 2 users can purchase a SfB Cloud PBX add-on license to access PSTN calling.


    1. Hi Ken
      Thanks for taking the time to read the post. To answer the CALs for enterprise voice you need to ensure that each user enabled for EV has the standard + enterprise + plus CALs (they need all 3). If the user has an E5 licence assigned in the cloud, then this covers the users for EV even if you are using on-prem only.

      When the article was written the information I had was that CloudPBX would be for E5 only. As you have quite rightly said Microsoft released it with lesser qualifying plans as an additional subscription.

      thanks


    1. Post was written 5 months ago when it was just an infant. Since then it has changed several times.

      From what I am reading in TechNet, media bypass is still not a feature, as cloud accounts cannot bypass the CCE mediation server and connect directly to the on-prem SBC / PBX gateway.

      Not sure I mention anything about media route in this post though…


      1. According to their last PDF, only the signalling is handled through the cloud, then the media stream for cloud connector is directed to user. This is a huge advantage compared to Cloud PBX.


      2. Ahh I see where you are going with this. Media Bypass I am referencing is specifically bypassing the CCE mediation server and getting the clients to connect to the SBC directly on-prem. This is not supported still I believe. The media bypass you are talking about is about bypassing Office 365 mediation services if I understand correctly?


  3. Hi,
    Great Article.
    Actually the CCE is now 4 VMs.
    A domain controller for Cloud connector is now included in the package.


    1. Yeah, they had that in there originally, then removed it, now put back in. Just hard to keep hold of all posts I do 🙂. The other recommendation made now is that the CCE be hosted on a single hypervisor that is located inside a two-legged DMZ network. Though I don’t necessarily agree with that deployment model due to the amount of ports required to be open both ways to all inside networks for mediation (49000-65535) so will be interesting what the final recommendation is. Not long to wait now, just a few more days 😉


  4. Hi Mark

    Great article, just a question regarding the Edge role, loads of guys don’t actually have a DMZ deployed within their network, can the Edge role be installed within their internal network?? or is DMZ a must?


    1. Hi

      Thank you for the feedback. I must start by stating that this article was written before the general release of CCE. Since this article it now is best practice to collocate all CCE virtual machines on a single hypervisor. The hypervisor should sit in a DMZ for your protection. This is recommended practice.

      I do see this a lot where customers do not have the infrastructure ready for a DMZ. The choice is down to each customer really whether they take and act on the advice and recommended topology or not. The biggest thing to remember is that deploying an Edge server in a production network is not a supported topology from a Microsoft stand point. That said if configured on a production network and you NAT through from the outside to the required interface / IP then fundamentally the application will work. It doesn’t care or check that it is in a DMZ network (how can it) as long as the routing is configured properly, then that’s all that matters from that aspect.

      However, I urge caution with this approach and strongly recommend a DMZ for both internal and external interfaces of the hypervisor VM network adapters for CCE because it provides the best form of protection to your network. Don’t forget these servers are internet facing (Edge) and therefore the most prone to external attack. Consider a vulnerability in some protocol, like the SSL one a while back, these servers would be prime targets. Should there be a successful attack that somehow enables an attacker to gain access to the Edge server (or any other internet facing server), perhaps to deploy a trojan or some other malware that can scan the network for peers to discover potential victims, deploying to a production network would give them access to your entire corpnet devices. Whereas in a DMZ you have two levels of protection. 1 the external DMZ is the most restrictive and hardest to penetrate. If they managed to get through that and the built-in SfB security, then you have the internal DMZ to fall back on. The process works the same way if the attack came from inside corpnet (from infected workstation etc).

      In my opinion, failing to deploy in DMZ is an immediate red flag and one that both myself or the company I work for (any company) cannot warranty and therefore it is a refusal from me to complete the work. If there was an attack and the customer lost data then who are they going to point the finger at? It won’t be themselves for ignoring the advice that’s for sure!

      Hope this helps

      Mark


      1. Thanks for your great insight into this matter, my concern was regarding security, and it should be paramount. At the end of the day, rather safe than sorry is the best approach.

        Johnson

