Edge Server system requirements in Skype for Business Server 2015

Skype for Business Server 2015
 

Last modified: 2016-03-22

Summary: Learn about the system requirements for Edge Servers in Skype for Business Server.

When it comes to your Skype for Business Server Edge Server deployment, these are the things you'll need to do for the server or servers in the environment itself, as well as for planning the environment structure. For more information on topology, DNS, certificates, and other infrastructure concerns, check out the environmental requirements documentation.

When discussing the Edge Server environment, we're referencing components that are, for the most part, deployed in a perimeter network (that is, either in a workgroup or in a domain that's outside your Skype for Business Server domain structure).

Keeping that in mind, these are the components you'll need for a successful Edge deployment:

  • Edge Servers

  • Reverse proxies

  • Firewalls

  • Directors (optional; if they're included, they'll be located on your internal network)

  • Load balancers (you can use DNS load balancing or a hardware load balancer (HLB), but for a single Edge Server neither is needed)

We have more detail on each of these below:

These are the Skype for Business Server servers deployed in your perimeter network. Their role is to send and receive network traffic to external users for the services offered by your internal Skype for Business Server deployment. To do this successfully, each Edge Server runs:

  • Access Edge service: Provides a single, trusted connection point for both outbound and inbound Session Initiation Protocol (SIP) traffic.

  • Web Conferencing Edge service: Enables external users to join meetings that are hosted on your internal Skype for Business Server environment.

  • A/V Edge service: Makes audio, video, application sharing, and file transfer available to external users.

  • XMPP Proxy service: Accepts and sends Extensible Messaging and Presence Protocol (XMPP) messages to and from configured XMPP federated partners.

Authorized external users can use your Edge Servers to connect to your internal Skype for Business Server deployment, but otherwise the Edge Servers provide no other access to your internal network for anyone.

Note:
Edge Servers are deployed to provide connections for enabled Skype for Business clients and other Edge Servers (in federation scenarios). You can't connect from other endpoint client or server types. The XMPP Gateway server can allow connections with configured XMPP partners, but again, those are the only client and federation types that will work.

A reverse proxy (RP) server has no Skype for Business Server role, but it is an essential component of an Edge Server deployment. A reverse proxy allows external users to:

  • connect to meetings or dial-in conferences using simple URLs.

  • download meeting content.

  • expand distribution groups.

  • get user-based certificates for client certificate-based authentication.

  • download files from the Address Book Server, or submit queries to the Address Book Web Query service.

  • obtain updates to client and device software.

And for mobile devices:

  • it lets them automatically discover Front End Servers offering mobility services.

  • it enables push notifications from Office 365 to mobile devices.

Our current reverse proxy recommendations can be found on the Telephony Infrastructure for Skype for Business page. So your reverse proxy:

  • should be able to use transport layer security (TLS) that's introduced to your environment via public certificates to connect to the published external Web services of:

    • Director or Director pool

    • Front End Server or Front End pool

  • needs to be able to publish internal Web sites using certificates for encryption, or publish them over an unencrypted means, if needed.

  • should be able to publish an internally hosted web site externally by using a fully qualified domain name (FQDN).

  • needs to be able to publish all the contents of your hosted web site. By default, you can use the /* directive, which is recognized by most web servers to mean "Publish all content on the web server." You can also narrow the directive: for example, /Ucwa/* means "Publish all content under the virtual directory Ucwa."

  • must require TLS connections with clients that request content from your published website.

  • has to accept certificates with subject alternative name (SAN) entries.

  • needs to be able to allow the binding of a certificate to a listener or interface through which the external web services FQDN will resolve. Listener configurations are preferable to interfaces. Many listeners can be configured on a single interface.

  • must allow for the configuration of host header handling. Often, the original host header sent by the requesting client must be passed through transparently, instead of being modified by the reverse proxy.

  • should allow bridging of TLS traffic from one externally defined port (for example, TCP 443) to another defined port (for example, TCP 4443). Your reverse proxy may decrypt the packet on receipt and then re-encrypt the packet on sending.

  • should allow bridging of unencrypted TCP traffic from one port (for example, TCP 80) to another (for example, TCP 8080).

  • needs to allow configuration of, or accept, NTLM authentication, no authentication, and pass-through authentication.

If your reverse proxy can address all the needs in this list, you should be good to go, but please keep in mind our recommendations at the link provided above.
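To make the publishing-rule requirements above concrete, here is a small model of what a reverse proxy has to decide for each external request: which listener was hit, whether TLS is required on it, whether the path is covered by the publishing directive, which internal port the connection is bridged to, and whether the client's Host header is passed through unchanged. This is an added example written for this page, not Microsoft's code or any proxy vendor's configuration. The port pairs (443 to 4443, 80 to 8080) and the /* and /Ucwa/* directives come from the text; the hostname lyncweb.contoso.com, the PublishingRule fields and the request dicts are constructed for illustration.

```python
"""Reverse proxy publishing-rule model (added example, not Microsoft's code).

Ports and directives follow the page; hostnames and rule objects are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PublishingRule:
    external_port: int          # listener port the external client connects to
    internal_port: int          # port on the Front End / Director the proxy bridges to
    path_directive: str         # "/*" publishes everything; "/Ucwa/*" one virtual directory
    require_tls: bool           # refuse clients that did not connect over TLS
    forward_host_header: bool   # pass the client's Host header through unchanged


# Constructed rule set matching the page: TLS bridge 443 -> 4443, plain 80 -> 8080.
RULES = [
    PublishingRule(443, 4443, "/*", require_tls=True, forward_host_header=True),
    PublishingRule(80, 8080, "/*", require_tls=False, forward_host_header=True),
]


def path_published(directive: str, path: str) -> bool:
    """IIS-style directive: '*' is a wildcard (it also crosses '/') and the
    comparison is case-insensitive, so '/Ucwa/*' covers '/ucwa/v1/applications'
    but not '/Abs/Handler'."""
    return fnmatchcase(path.lower(), directive.lower())


def apply_rules(request: dict, rules=RULES) -> dict:
    """Decide what the proxy does with one external request.

    request keys: port (listener hit), tls (bool), host (Host header), path.
    Returns {"action": "forward", ...} describing the bridged request, or
    {"action": "reject", "reason": ...}."""
    listener_seen = False
    for rule in rules:
        if rule.external_port != request["port"]:
            continue
        listener_seen = True
        if not path_published(rule.path_directive, request["path"]):
            continue  # another rule on the same listener may publish this path
        if rule.require_tls and not request["tls"]:
            return {"action": "reject", "reason": "tls_required"}
        return {
            "action": "forward",
            "internal_port": rule.internal_port,
            "path": request["path"],
            # The web services expect the original external FQDN in Host;
            # None stands for "rewritten by the proxy" when forwarding is off.
            "host": request["host"] if rule.forward_host_header else None,
        }
    reason = "path_not_published" if listener_seen else "no_listener"
    return {"action": "reject", "reason": reason}


if __name__ == "__main__":
    req = {"port": 443, "tls": True, "host": "lyncweb.contoso.com",
           "path": "/Ucwa/v1/applications"}
    print(apply_rules(req))
    print(apply_rules(dict(req, tls=False)))
```

The model makes the two properties the list insists on visible: a non-TLS client on the 443 listener is rejected before any bridging happens, and a forwarded request keeps the external Host header rather than the internal server name.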

You need to put your Edge deployment behind an external firewall, but we recommend having two firewalls: one external, and one internal between the Edge environment and your internal environment. All the documentation in our Scenarios assumes two firewalls. We recommend two firewalls because it ensures strict routing from one network edge to the other, and doubles the firewall protection for your internal network.

This is an optional role. It can be a single server or a pool of servers running the Director role. It's a role found in the internal Skype for Business Server environment.

The Director is an internal next-hop server that receives inbound SIP traffic from the Edge Servers destined for internal Skype for Business Server servers. It preauthenticates inbound requests and redirects them to a user's home pool or server. This preauthentication allows you to drop requests for unidentified user accounts.

Why does that matter? An important function of a Director is to protect Standard Edition servers and Front End Servers or Front End pools from malicious traffic, such as denial-of-service (DoS) attacks. If your network is flooded with invalid external traffic, the traffic stops at the Director.

The Skype for Business Server 2015 scaled consolidated Edge topology is optimized for DNS load balancing for new deployments, and we recommend this. If you need high availability, we recommend using an HLB for one specific situation:

  • Exchange UM for remote users using Exchange UM prior to Exchange 2013.

Important:
It's vital to note that you can't mix load balancers. In your Skype for Business Server environment, all interfaces must use either DNS load balancing or HLB.
Note:
Direct server return (DSR) NAT isn't supported for Skype for Business Server 2015.

For any Edge Server running the A/V Edge service, these are the requirements:

  • Turn off TCP nagling for both the internal and external port 443 (nagling is the process of combining several small packets into a single, larger packet for more efficient transmission).

  • Turn off TCP nagling for the external port range 50000 - 59999.

  • Don't use NAT on your internal or external firewalls.

  • Your Edge Server internal interface must be on a different network than your Edge Server external interface, and routing between them must be disabled.

  • The external interface of any Edge Server running the A/V Edge service must use publicly routable IP addresses, with no NAT or port translation on any of the Edge external IP addresses.

As with Lync Server 2013, Skype for Business Server 2015 doesn't have many cookie-based affinity requirements. So you don't need cookie-based persistence unless you're going to have Lync Server 2010 Front End Servers or Front End pools in your Skype for Business Server environment; those would need cookie-based affinity, configured as recommended for Lync Server 2010.

Note:
If you decide to turn cookie-based affinity on for your HLB, there won't be a problem doing so, even if your environment doesn't need it.

If your environment doesn't need cookie-based affinity:

  • On the reverse proxy publishing rule for port 443, set Forward host header to True. This ensures the original URL is forwarded.

For deployments that do need cookie-based affinity:

  • On the reverse proxy publishing rule for port 443, set Forward host header to True. This ensures the original URL is forwarded.

  • The HLB cookie must not be marked httpOnly.

  • The HLB cookie must not have an expiration time.

  • The HLB cookie must be named MS-WSMAN (this is the value that the web services expect, and it can't be changed).

  • The HLB cookie must be set in every HTTP response for which the incoming HTTP request didn't have a cookie, regardless of whether a previous HTTP response on that same TCP connection already got a cookie. If your HLB optimizes cookie insertion to occur only once per TCP connection, that optimization must not be used.
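The four cookie rules above are easy to verify from a packet capture or proxy log of one TCP connection, so here is a checker that walks the request/response pairs and reports each violation. This is an added example for this page, not Microsoft's or any load balancer vendor's code. The cookie name MS-WSMAN and the rules (no HttpOnly, no expiry, a cookie set on every cookie-less request even on a reused connection) come from the list above; the header dicts and the hostname lyncweb.contoso.com are constructed sample data, and the "fe01" cookie value is a made-up node marker.

```python
"""Cookie-based affinity checker (added example, not Microsoft's code).

Walks ordered (request_headers, response_headers) pairs captured on one TCP
connection and reports departures from the HLB cookie rules on this page."""

COOKIE_NAME = "MS-WSMAN"   # fixed name the web services expect (from the page)


def parse_set_cookie(header: str):
    """Return (name, value, attrs) for one Set-Cookie header value.
    Attribute names are lowercased so HttpOnly/httponly compare equal."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def request_has_affinity_cookie(request_headers: dict) -> bool:
    raw = request_headers.get("Cookie", "")
    return any(c.strip().startswith(COOKIE_NAME + "=")
               for c in raw.split(";") if c.strip())


def check_affinity_cookies(exchanges):
    """exchanges: list of (request_headers, response_headers) in wire order on
    one TCP connection; a response's 'Set-Cookie' entry is a list of header
    values. Returns a list of violation strings (empty means compliant)."""
    violations = []
    for n, (req, resp) in enumerate(exchanges, start=1):
        cookies = [parse_set_cookie(h) for h in resp.get("Set-Cookie", [])]
        affinity = [c for c in cookies if c[0] == COOKIE_NAME]
        # Rule: every cookie-less request gets a cookie, even if an earlier
        # response on this same connection already set one.
        if not request_has_affinity_cookie(req) and not affinity:
            violations.append(f"exchange {n}: request carried no {COOKIE_NAME} "
                              "cookie but the response did not set one")
        for _, _, attrs in affinity:
            if "httponly" in attrs:
                violations.append(f"exchange {n}: {COOKIE_NAME} is marked HttpOnly")
            if "expires" in attrs or "max-age" in attrs:
                violations.append(f"exchange {n}: {COOKIE_NAME} has an expiration")
    return violations


# Constructed capture of four requests on one connection. Exchange 2 shows an
# HLB that inserts the cookie only once per connection; exchange 3 shows a
# cookie with forbidden attributes; exchange 4 already carries the cookie.
SAMPLE_EXCHANGES = [
    ({"Host": "lyncweb.contoso.com"},
     {"Set-Cookie": ["MS-WSMAN=fe01; Path=/"]}),
    ({"Host": "lyncweb.contoso.com"},
     {"Set-Cookie": []}),
    ({"Host": "lyncweb.contoso.com"},
     {"Set-Cookie": ["MS-WSMAN=fe01; Path=/; HttpOnly; "
                     "Expires=Wed, 23 Mar 2016 00:00:00 GMT"]}),
    ({"Host": "lyncweb.contoso.com", "Cookie": "MS-WSMAN=fe01"},
     {"Set-Cookie": []}),
]

if __name__ == "__main__":
    for line in check_affinity_cookies(SAMPLE_EXCHANGES):
        print(line)
```

Feed it pairs taken from a capture between the reverse proxy and the HLB; an empty result for a connection that carried several cookie-less requests is the evidence that the once-per-connection insert optimization is really off.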

Note:
It's typical for HLB configurations to use source affinity and a 20-minute TCP session lifetime, which is fine for Skype for Business Server 2015 and its clients, because session state is maintained through client usage and/or application interaction.

If you're deploying mobile devices, your HLB must be able to load balance individual requests within a TCP session (in effect, you need to be able to load balance an individual request based on the target IP address).

Important:
F5 HLBs have a feature called OneConnect. It ensures that each request within a TCP connection is individually load balanced. If you're deploying mobile devices, ensure your HLB vendor supports the same functionality. The latest iOS mobile apps require TLS version 1.2. If you need to know more, F5 provides specific settings for this.

Here are the HLB requirements for the (optional) Director and (required) Front End pool web services:

  • For your internal web services VIPs, set Source_addr persistence (internal ports 80 and 443) on your HLB. For Skype for Business Server 2015, Source_addr persistence means that multiple connections coming from a single IP address are always sent to one server, to maintain session state.

  • Use a TCP idle timeout of 1800 seconds.

  • On the firewall between your reverse proxy and your next hop pool's HLB, create a rule to allow HTTPS traffic on port 4443 from your reverse proxy to your HLB. Your HLB needs to be configured to listen on ports 80, 443, and 4443.

 

Client/user location | External web services FQDN affinity requirements | Internal web services FQDN affinity requirements
Skype for Business Web App (internal and external users); Mobile device (internal and external users) | No affinity | Source address affinity
Skype for Business Web App (external users only); Mobile device (internal and external users) | No affinity | Source address affinity
Skype for Business Web App (internal users only); Mobile device (not deployed) | No affinity | Source address affinity

You define port monitoring on your hardware load balancers to determine when specific services are no longer available due to hardware or communications failure. For example, if the Front End service (RTCSRV) stops because the Front End Server or Front End pool fails, the HLB should also stop forwarding traffic to the web services. You should implement port monitoring on the HLB to monitor the following for your HLB external interface:

 

Virtual IP/Port | Node Port | Node Machine/Monitor | Persistence Profile | Notes
<pool>web_mco_443_vs 443 | 4443 | Front End 5061 | None | HTTPS
<pool>web_mco_80_vs 80 | 8080 | Front End 5061 | None | HTTP
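The table pairs each virtual server with a node port and a separate monitor port (5061, the Front End service), and the point of that pairing is easy to get wrong: a node whose IIS still answers on 4443 must nevertheless be pulled when RTCSRV on 5061 stops. The following is an added example written for this page, not F5's or Microsoft's monitor implementation; it models that decision with a plain TCP connect probe. The VIP, node and monitor ports come from the table; the node names fe1 and fe2 and the fake probe used in the demo are constructed so the pool check can be run without a real deployment.

```python
"""HLB port-monitoring model (added example, not Microsoft's or F5's code).

Ports come from the monitoring table on this page; node names are constructed."""
import socket
from contextlib import closing

# Virtual server -> node port plus the Front End service (RTCSRV) port that
# acts as the health monitor for that node.
MONITORS = {
    "web_mco_443_vs": {"vip_port": 443, "node_port": 4443, "monitor_port": 5061},
    "web_mco_80_vs":  {"vip_port": 80,  "node_port": 8080, "monitor_port": 5061},
}


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe: True when the port accepts a connection."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def node_health(host, node_port, monitor_port, probe=port_open):
    """A node stays in the pool only if both the web services node port and
    the RTCSRV monitor port answer. If RTCSRV is down, the node is pulled even
    though IIS may still accept connections on 4443/8080; that is why the
    table monitors 5061 rather than the node port alone."""
    monitor_up = probe(host, monitor_port)
    node_up = probe(host, node_port)
    return {"monitor_up": monitor_up, "node_up": node_up,
            "in_service": monitor_up and node_up}


def pool_status(nodes, virtual_server, probe=port_open):
    """Evaluate every node behind one virtual server from the MONITORS table."""
    cfg = MONITORS[virtual_server]
    return {host: node_health(host, cfg["node_port"], cfg["monitor_port"], probe)
            for host in nodes}


def probe_self_test():
    """Exercise port_open against a throwaway local listener on an ephemeral
    port: returns (result while listening, result after the listener closes)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = port_open("127.0.0.1", port)
    after_close = port_open("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed view of two Front End nodes: fe2 has IIS up but RTCSRV stopped.
    reachable = {("fe1", 4443), ("fe1", 5061), ("fe2", 4443)}
    fake_probe = lambda host, port: (host, port) in reachable
    for host, state in pool_status(["fe1", "fe2"], "web_mco_443_vs", fake_probe).items():
        print(host, state)
```

Against real nodes, call pool_status with the default probe from a host that can reach the Front End pool; the fake probe exists only so the logic can be exercised offline.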

We've covered Edge Server hardware and software requirements in our overall Server requirements for Skype for Business Server 2015 documentation.

We've covered Edge Server collocation in our Topology basics for Skype for Business Server 2015 documentation.

 