Tuesday, February 21, 2017

Office 365- Hybrid Configuration with Skype for Business Online-Lync 2013

Recently, one of my customers want to do the pilot for the hybrid deployment of the Skype for Business online, currently, a customer running on Lync 2013 on premises. So just want to share my experience & process to deploy the hybrid environment for Skype for Business.

Hybrid connectivity between Lync 2013 server and Skype for Business online means users of a domain are split between using Lync 2013 server and Skype for Business online. Some of the domain users are homed on-premises, and some users are homed online.

Before moving forward we have to make sure our on-premises is matching requirement, following are:

Skype for Business client support

Before you decide to deploy hybrid deployment you have to check which client support for Skype for Business online. There are some differences in the features supported in Skype for Business clients, as well as the features available in on-premises and online environments. The following clients are supported with Skype for Business Online in a Skype for Business hybrid deployment:

Lync 2010
Lync 2013
Lync Windows Store app
Lync Web App
Lync Mobile
Lync for Mac 2011
Lync Room System
Lync Basic 2013

for more details click here Clients for Skype for Business Online

Topology Requirements

To configure your deployment for the hybrid with Skype for Business Online, you need to have the  Lync Server 2013 deployment with all servers running Lync Server 2013. For more details Lync Server 2013 Reference Topologies for Enterprise Hybrid Deployments

Requirements for Federation Allowed/Blocked Lists

The allowed domains list includes domains that have a partner Edge fully qualified domain name (FQDN) configured, following are the requirement to successfully configure a hybrid deployment:
Domain matching must be the same configuration on on-premises and Office 365 tenant.
The blocked domain list in the on-premises deployment must exactly match the blocked domain list on an online tenant.
The Allowed domains list in the on-premises deployment must exactly match the allowed domains list for your online tenant.
Federation must be enabled for the external communications for the online tenant, which is configured by using the Lync Online Control Panel.
If the partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant if the partner discovery is not enabled, then closed federation must be configured for your online tenant.

DNS Requirement

We have to make sure when we are creating the DNS records for hybrid deployments, all Lync external DNS records should point to the on-premises infrastructure, additionally, we have to ensure the DNS resolution described with following records in on-premises:
_sipfederationtls._tcp.     Edge Server (for all supported SIP domains resolving to Access Edge external IPs)
DNS A records               Internal corporate Network (for Edge Web Conferencing Service FQDN)

Firewall Considerations

Client on corporate network must be able to perform standard Internet DNS lookups, for more Office 365 URLs and IP address ranges

Port and protocol 

TCP 443
TCP 80 and 443
TCP 5061
RTP/TCP 50000-59999

Preparing the Network for a Lync Hybrid Deployment

The network requirements for a Lync hybrid deployment are similar to the requirements for a cloud-only deployment. However, there are several additional firewall port requirements compared to a cloud-only deployment, and there is at least one additional DNS requirement for the hybrid deployment, depending on the configuration. We need to do the Network Assessment before start any configuration, we can use Skype for Business Network Assessment tool. The Skype for Business Network Assessment Tool provides the ability to perform a simple test of network performance to determine how well the network would perform for a Skype for Business Online call.


We have to make sure we have following utilities installed and working smoothly to complete the tasks for configuring the Hybrid.
1. Active Directory Synchronization (AAD Connect).
2. Office 365 tenant with Skype for Business online enabled.
3. ADFS for single sign on.
4. Windows Power Shell for single sign on.
5. Microsoft online Services Sign-in Assistant.
6. Up to date CU for Lync Server on premises.

Following are steps involve

Add your domain and verify ownership
Install and Configure Active Directory synchronization
Install and Configure Active Directory Federation Services (AD FS)
Install and Configure Active Directory Federation Services Proxy (AD FS Proxy)
Configure Single Sign-on (SSO) with ADFS
Configure federation of Lync Server 2013 with Lync Online
Move user to Lync Online and test calls between Lync Online and Lync Onprem

Add your domain and verify ownership

Once you signed up Office 365, you will get the Office 365 Tenant account. From this account, you will add your domain. This will allow Microsoft to host the desired Office 365 services for you and will allow you to use you own domain, rather than the tenant domain account (@domain.onmicrosoft.com) default account.

The process should be quite easy and painless as long as you have access to the Microsoft Online Portal, with a Global Admin account, and access to your public facing DNS.

for step by steps you follow Adding and Verifying a Domain for the NEW Office 365

Install and Configure Active Directory synchronization
Install and Configure Active Directory Federation Services (AD FS)
Install and Configure Active Directory Federation Services Proxy (AD FS Proxy)

Office 365 uses the cloud-based user identity management service Azure Active Directory to manage users. You can also integrate your on-premises Active Directory with Azure AD by synchronizing your on-premises environment with Office 365. Once you set up synchronization you can decide to have their user authentication take place within Azure AD or within your on-premises directory.
For Step-by-Step Guide for AAD Connect Custom installation + Federation with AD FS click here.

Configure Single Sign-on (SSO) with ADFS

Once we complete the ADFS and ADFS Proxy setup, we can now configure SSO between the Onprem AD and O365's Azure AD. First, we have to download and install the Microsoft Azure Active Directory Module for Windows PowerShell on the ADFS computer. Once installed, open the module and run the following PowerShell commands to setup a trusted federation domain:

First, give the credential

$cred = get-Credential

connect online service

Connect-MsolService -Credential $cred

Now time to convert your domain to federated domain

Convert-MsolDomainToFederated -DomainName

time to verify the configuration

Get-MsolFederationProperty -DomainName

Now it's time to test single sign-on connectivity, we can use the Microsoft Connectivity Analyzer Click the Office 365 tab, click Microsoft Single Sign-On, and then click Next. Follow the screen prompts to perform the test.

Configure federation of Lync Server 2013

We must enable the federation to allow communications with Office 365, we can use Power Shell for performing all the steps:

Set-CSAccessEdgeConfiguration -AllowOutsideUser1 -UseDnsSrvRouting -AllowFederatedUses

Confirm the settings with the following command


Nest configure the provider Skype for Business online, first, we have to identify the existing suppliers


Remove the existing provider

Remove-CsHostingprovider -Identity "Skype for Business Online"

Verify again with the command


Now time to add the Skype for Business Online supplier with the following parameters:

New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn "fed.online.tech.com" -Enable $true -EnableSharedAddressSpace $true -hostOCSUsers $true -Verification level UseSourceVerification -Is local $false -AutodiscoverUrl https://webdir.online.tech.com/Autodiscover/AutodiscoverService.svc/root

Configuration of Office365

In the Skype Online Administration Center into your Office 365, validate that the federation is enabled in "Organization" – "External Communications".

Configure SharedSipAddressSpace

Before moving users from Lync Onprem to Lync Online, we need to configure the O365 tenant to share the SIP address space with the on-premises deployment. If this is not configured, we may see the following error message

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

Move user to Skype for Business and Lync Onprem

Now we can proceed to use the Move-CsUser cmdlet in the Onprem Lync Management Shell: to move the user from Onprem to Online.

Move-CsUser -Identity -Target sipfed.online.tech.com -Credential $cred -HostedMigrationOverrideUrl

After the Move-CsUser command completes successfully with no errors, we can log into O365 Lync admin center to see the user is now homed online.

On the Onprem Lync Control Panel we can see the same user is specified as homed online

Happy Learning!

Thank you!