3. SfB with PSTN/EV Deployment Options
• Online: “Cloud PBX” in Office 365, PSTN services provided by Microsoft
• Hybrid: User homed on ‘Cloud PBX’ in Office 365, PSTN via On Prem CCE & SBC
• On Premises: Skype for Business Server and PSTN services 100% on-premises
4. Hybrid Benefit - Integration & Migration
• “Drop in” installation: Painless interconnect to PBX and Skype for Business O365, enabling co-existence and simple migration using AD
• Legacy Support: Analogue and FAX tightly integrated
• SBC Functionality: Security & Demark; Protocol and transcoding support
• SIP Registrar: Standard SIP devices can register and interconnect
[Diagram labels: TDM PBX/IP-PBX & Voicemail; Analog phones; Analog fax machine; Local SIP Carrier; PSTN; SIP Trunk to ITSP #2; CCE; Office 365 (Microsoft Office and Exchange)]
5. Multi-Site, Multi-Country, Mixed Deployments
Multi-Site Deployments using Hybrid
• Meet local regulatory requirements
• Provide integration to each site’s needs
• Maintain or choose provider country by country
[Diagram labels: ITSP UK; CCE; Office 365 (Microsoft Office and Exchange); London; ITSP Japan; CCE; Tokyo; PSTN; New York]
6. What is Microsoft Cloud Connector Edition (CCE)?
Confidential and Proprietary – NDA use only
Microsoft Cloud Connector Edition (CCE) is software that provides PSTN and PBX connectivity through Office 365
• Set of 4 VMs (Domain Controller, Central Management Store, Mediation and Edge server) installed on customer hardware
• Enables Cloud PBX users to use on-premises PSTN / PBX resources
• Supports up to 50 or 500 concurrent calls
General Requirements
• Windows Server 2012 R2 ISO image (Standard or Datacenter edition)
• Local server administrator account with permissions to install / configure Hyper-V on host servers
• Qualified SBC/Gateway (minimum of two recommended)
• Internet / ExpressRoute connection for deployment
7. CCE Architecture
• User and call control in O365
• Mediation server and SBC/GW on premise
• Placed in DMZ
• 2 NICs: one DMZ, other internal for media
• One CCE per Tenant
• Media is kept local provided the recommended firewall rules are used
8. CCE Virtual Machine Details
A Minimal Topology (minTop)
– The minimum components required to run a Mediation server
  No SBA
  No local users / registrar
  Could change in future releases
– Fixed set of 4 VMs
– Automatically updates
– 100% managed through O365
  No local administration other than deployment
– Independent from Company AD etc.
  Separate dedicated forest and DNS zone
9. High Availability
CCE is stateless
– Calls are load balanced across multiple CCEs in a site
– If the CCE goes down the calls are re-built on the remaining devices
– SBC/GWs work in Active / Active to CCE
10. Multiple Sites
Each user is configured with “Gateway Affinity”
All calls will be made and received through the user's home site, even when traveling
11. Firewall Considerations

Internal Firewall Rules

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Cloud Connector Mediation component | SBC/PSTN Gateway | Any | TCP 5060** |
| SBC/PSTN Gateway | Cloud Connector Mediation component | Any | TCP 5068 / TLS 5067 |
| Cloud Connector Mediation component | SBC/PSTN Gateway | UDP 49,152 – 57,500 | Any*** |
| SBC/PSTN Gateway | Cloud Connector Mediation component | Any*** | UDP 49,152 – 57,500 |
| Cloud Connector Mediation component | Internal clients | TCP 49,152 – 57,500* | TCP 50,000-50,019 (Optional) |
| Cloud Connector Mediation component | Internal clients | UDP 49,152 – 57,500* | UDP 50,000-50,019 |
| Internal clients | Cloud Connector Mediation component | TCP 50,000-50,019 | TCP 49,152 – 57,500* |
| Internal clients | Cloud Connector Mediation component | UDP 50,000-50,019 | UDP 49,152 – 57,500* |

External Firewall Rules

| Source IP | Destination IP | Source Port | Destination Port |
|---|---|---|---|
| Any | Cloud Connector Edge External Interface | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | Any | TCP 5061 |
| Cloud Connector Edge External Interface | Any | Any | TCP 80 |
| Cloud Connector Edge External Interface | Any | Any | UDP 53 |
| Cloud Connector Edge External Interface | Any | Any | TCP 53 |
| Cloud Connector Edge External Interface | Any | UDP 3478 | UDP 3478 |
| Any | Cloud Connector Edge External Interface | TCP 50,000-59,999 | TCP 443 |
| Any | Cloud Connector Edge External Interface | UDP 3478 | UDP 3478 |
| Cloud Connector Edge External Interface | Any | TCP 50,000-59,999 | TCP 443 |
12. From Skype for Business On Premise
to Cloud PBX with CCE
13. Skype for Business On Premise
Confidential and Proprietary
[Diagram labels: Skype for Business User; Front-End role; PSTN; PSTN GW; Sonus EDGE; Mediation role; Domain Controller; Central Management Store (CMS); EDGE role; External Firewall]
14. From OnPrem to Cloud Connector Edition
[Diagram labels: Skype for Business User; Front-End role; PSTN; PSTN GW; Sonus EDGE; Mediation role; Domain Controller; Central Management Store (CMS); EDGE role; Skype for Business Online user in internal network; Skype for Business Online user in internet; Skype for Business Online infrastructure; External Firewall; Internal Firewall; Cloud PBX]
16. Sonus Cloud Link Appliance
SBC 1000 & SBC 2000
Independently tested, award winning low to mid-range capacity Session Border Controllers for enterprise premise deployments
CCE Offering
Up to 500 CCE sessions on a single appliance
– COM Express module (“ASM”) with state of the art server class CPU, memory, SSD
– SBC capacity up to 600 sessions
Unparalleled TDM and analog port options
– 16 PRI, 48 FXS in single appliance
– Rich PRI, FXS, FXO, BRI port mix
Easy configuration wizard to speed CCE deployment
Secure architecture to minimize service disruption
17. How Does Sonus Cloud Link Work?
UX Comms runs on the base OS
– Deploys and manages the VMs
– Provides information back to the SBC UI for operational status
[Diagram labels: Sonus SBC 1000/2000; CCE ASM; SBC; Ethernet; Private protocol over internal Ethernet; Web Server; WS2012 R2 Base OS; FXS, FXO, BRI, PRI; UX Comms]
18. Auto Update - Sonus Cloud Link CCE
– 4 VMs are running on the previous release
– Host CCE process downloads new VMs
– New VMs are brought up – grace license. Old VMs are shut down
– V-Switch is moved to the new VMs
– UX Comms is notified about the update – UI is updated
[Diagram labels: Sonus SBC 1000/2000; CCE ASM; SBC; Ethernet; Private protocol over internal Ethernet; Web Server; WS2012 R2 Base OS; FXS, FXO, BRI, PRI; UX Comms]
19. Application Solution Module (ASM) for Cloud Link Cloud Connector Edition Deployments
ASM CPU:
– 8 Cores, 16 thread “Broadwell” Xeon® CPU for embedded platforms
– SSD 512GB HDD
• ASM Server blade CPU is LATEST Technology
• We offer 16 threads within the Broadwell CPU
• We can allocate enough vCPU threads to the Mediation server (Media Transcode for CCE)
• We allocate 1 x vCPU thread for the other 3 VMs
• + 1vCPU x 4VM during Auto-Update = 16 vCPU threads
• Therefore we can SCALE correctly to the 500 sessions (vCPU threads to Mediation VM determines this) even during auto-update – no performance impact during auto-update.
• No sharing of vCPU threads (thread sharing between VMs can have serious performance impact)
23. Non-Sonus Cloud Connector Edition Installation is Lengthy
* Source: https://blogs.technet.microsoft.com/nexthop/2016/05/11/cloud-connector-edition-smaller-hardware
Installation process follows Microsoft® Cloud Connector Edition installation instructions
– Get CCE bits (Hyper-V, CloudConnector.msi, Windows Server ISO) on Host Server (~40 min)
– Create virtual switch adapter (5 min)
– Create VHD using CloudConnector.msi and WS2012R2 ISO (4 hours)
– Complete an answer file (.ini) with customer information (45 fields, 20 min)
– Create file share to host certificate and configuration exchange between Host/VM and HostHA1/HostHA2 (10 min)
– Import certificate for CCE EDGE (~45 min)
– Deploy the CCE VM on the host (2 hours)
– Configure gateway
– Activate your O365 tenant for hybrid capability
– Create a PSTN site to assign the user
Install procedure may take 7+ hours at every site (Increased OPEX)
24. Sonus Cloud Link – CCE solution 6.1
Faster deployment
CCE Setup Wizard
End User oriented
Partner oriented
HA support
Pre-loaded Package
Easy configuration template
More secure and reliable
Preconfigured firewall
Environment validator
Logs helper
25. Sonus Cloud Link – CCE Setup Wizard
5 straightforward tabs to click through
Key configuration settings
– ASM Configuration
– Generate CSR or Import Signed CSR Easily
– Configure CCE
  Assign external IP addresses for Mediation and Edge servers
  Configure number of concurrent calls
  Configure CCE High Availability (HA)
  HA Master
  HA Slave
Deploy CCE VM!
Sonus Cloud Link may reduce CCE install time by 5+ hours, with no additional software downloads
26. Enhanced SBC Config Wizards
New SBC Cloud Connector Edition template
Inherits information from CCE
– Minimizes time and errors
Customized for your CCE deployment
Optimized for CCE performance
Optimized for CCE security
28. CCE – Network Architecture
Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
[Diagram labels: External Firewall; Internal Firewall]
29. CCE – Network Architecture
[Diagram labels: External Firewall; Internal Firewall]
30. Cloud Tenant, Public Domain and DNS
An Office 365 Tenant with E5, or E3 + Cloud PBX option Licenses
– Microsoft subscription
A Global or Skype Online Administrator Account on your Office 365 Tenant
– Can be configured when creating your Office 365 account
A public Domain Name associated with your Office 365 Tenant.
– From any vendor and associated on Office 365 portal
A public IP for the CCE (Edge External Side).
– Delivered by customer IT or Internet Provider
A DNS Record on the Public Domain forwarding to this public IP.
31. CCE Firewall
Internal firewall
– From internal user to CCE: UDP/TCP 49,152 – 57,500
– From CCE to internal user: TCP 50,000-50,019; UDP 50,000-50,019
External firewall
– From Public to CCE: TCP 5061; TCP 443; UDP 3478
– From CCE to Public: TCP 5061; TCP 80; UDP/TCP 53; UDP 3478
[Diagram labels: External Firewall; Internal Firewall]
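The port matrix from the Firewall Considerations and CCE Firewall slides, expressed as an allowlist that flow records can be audited against. This is an added example, not part of the original deck or of any Sonus or Microsoft tooling; the zone labels (mediation, sbc, client, edge, internet) and the sample flows are constructed assumptions.

```python
ANY = range(0, 65536)
MEDIA = range(49152, 57501)    # Mediation component ports 49,152-57,500
CLIENT = range(50000, 50020)   # internal client ports 50,000-50,019
EDGE = range(50000, 60000)     # Edge external interface ports 50,000-59,999

# (source zone, destination zone, protocol, source ports, destination ports)
# Port sets are ranges or tuples; both support the "in" test used below.
ALLOWED = [
    # internal firewall table
    ("mediation", "sbc", "tcp", ANY, (5060,)),
    ("sbc", "mediation", "tcp", ANY, (5067, 5068)),   # TLS 5067, TCP 5068
    ("mediation", "sbc", "udp", MEDIA, ANY),
    ("sbc", "mediation", "udp", ANY, MEDIA),
    ("mediation", "client", "tcp", MEDIA, CLIENT),
    ("mediation", "client", "udp", MEDIA, CLIENT),
    ("client", "mediation", "tcp", CLIENT, MEDIA),
    ("client", "mediation", "udp", CLIENT, MEDIA),
    # external firewall table
    ("internet", "edge", "tcp", ANY, (5061,)),
    ("edge", "internet", "tcp", ANY, (5061,)),
    ("edge", "internet", "tcp", ANY, (80,)),
    ("edge", "internet", "udp", ANY, (53,)),
    ("edge", "internet", "tcp", ANY, (53,)),
    ("edge", "internet", "udp", (3478,), (3478,)),
    ("internet", "edge", "tcp", EDGE, (443,)),
    ("internet", "edge", "udp", (3478,), (3478,)),
    ("edge", "internet", "tcp", EDGE, (443,)),
]

def is_allowed(flow):
    """True if (src zone, dst zone, proto, sport, dport) matches a table row."""
    src, dst, proto, sport, dport = flow
    return any((src, dst, proto) == (s, d, pr) and sport in sp and dport in dp
               for s, d, pr, sp, dp in ALLOWED)

def audit(flows):
    """Return the flows that match no row, in input order."""
    return [f for f in flows if not is_allowed(f)]

# Constructed sample flows; zones are assumed to be resolved from IPs beforehand.
SAMPLE = [
    ("internet", "edge", "tcp", 51234, 5061),       # listed
    ("client", "mediation", "udp", 50005, 49200),   # listed
    ("internet", "edge", "tcp", 51234, 5060),       # 5060 is not listed at the Edge
    ("internet", "mediation", "tcp", 51234, 3389),  # no row reaches Mediation from outside
    ("edge", "internet", "udp", 40000, 3478),       # source port is not 3478
]

if __name__ == "__main__":
    print("outside the CCE matrix:", audit(SAMPLE))
```

Flows reported by `audit` are candidates for a deny rule or an alert, since the slides list no CCE function that needs them.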
32. Certificate
A certificate (X.509) is:
– An electronic “passport” signed by an Authority
– A means of exchanging information securely over a network
– Backed by a Trusted Chain (PKI)
– A way to link a Public Key to an FQDN (or an email)
A certificate contains:
– The Name (FQDN) of the Authority that signed it
– A validity period
  Not Before
  Not After
– The Name (FQDN or email) of the computer or user
– The public Key of the computer or user
41. O365 Tenant organization
[Diagram labels: Tenant; HybridPSTNSite; HybridPSTNAppliance; SiteName; FQDN EDGE; Update Management; CCE Hostname; Deployment state; Update state; User 1; User 2]
42. O365 Tenant organization
HybridPSTNSite and HybridPSTNAppliance are created automatically when registering CCE during deployment
They can be displayed and managed from Office 365 Tenant PowerShell:
All the HybridPSTNAppliances on a site are in High Availability
– Users will use a HybridPSTNAppliance at random
All the HybridPSTNSites are independent
– If all the Appliances on a HybridPSTNSite are down, users assigned to this HybridPSTNSite lose service
43. Auto-Update – IMPORTANT!!
User configures the tenant HybridSite with time window
Can NOT be stopped – Default is ANYTIME!
Will be executed one by one on HA deployment
Windows Update
– Apply update VM
– Drain Call
– Reboot VM
– Apply Update Host
– Reboot Host
CCE Update
– Build a new set of 4 VMs from scratch
– Once new set is ready, retire the previous version pack of VMs
https://support.sonus.net/display/UXDOC61/Managing+Your+Office+365+Tenant
UPDATE! Manual Windows OS Updates now supported: https://technet.microsoft.com/EN-US/library/mt740658.aspx
44. O365 Tenant Portal – Checking Update Status
Basic information about Site and Appliance:
Basic User management: