RealConnect Service for Skype and Teams

October 31, 2018

This article is one in a series of articles covering Polycom’s Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.  This Microsoft partner-provided service, commonly referred to as Cloud Video Interop (CVI), allows various standards-based Video Teleconferencing (VTC) endpoints to join scheduled Skype for Business and Teams meetings.  While an earlier article outlined all of the different RealConnect models available, this series will focus solely on the cloud-based service model of RealConnect.

Existing and future articles in this series will be organized into three different topics:

RealConnect Service for Skype and Teams – an introductory article explaining the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  Another article covers the additional configuration required to support Skype for Business Server or Hybrid deployments with the service.

Polycom One Touch Dial Service – separate articles which explain this supplementary service for easily joining meetings on supported Polycom and Cisco VTCs.  This service enables the ability to simply select a ‘Join’ button on the endpoint to connect directly to a scheduled Skype for Business or Teams meeting.

Polycom Cloud Relay – a separate article that walks through the steps to install the Cloud Relay virtual server.  This on-premises server is only needed when configuring the One Touch Dial service to support Cisco standards-based video conferencing systems or when using the RealConnect service with Skype for Business Server deployments.


The original service offering is referred to as RealConnect for Office 365, but supports Skype for Business Online, Skype for Business Server, and Skype for Business Hybrid environments.  The recently released offering entitled RealConnect for Microsoft Teams added support for Microsoft Teams meetings.  Access to both services is provided together using the same consumption license, meaning that RealConnect can be used with any Skype and Teams meeting scheduled by any user in the organization.  A free 60-day trial license is available today for most Microsoft Office 365 tenants worldwide.  Availability can depend on the tenant type (public multitenancy versus various government clouds) and the region (some countries are not currently able to leverage this service).

The licensing consumption model is simply based on concurrent usage.  While the trial comes with 5 concurrent licenses, nearly any number of licenses can be purchased as needed.  Regardless of the number of Skype and/or Teams meetings occurring at the same time, and regardless of the number of Skype or Teams participants, guests, or PSTN callers, only a VTC connecting into any of these meetings would consume a license and only while the call is active.  So, with a trial license as many as five different VTCs can use the service at one given time to join any number of scheduled Skype or Teams meetings.

Background

The heart of a Cloud Video Interop meeting that allows RealConnect to function is a scheduled Skype for Business or Microsoft Teams invitation.  In an organization which has enrolled and provisioned the service an enabled user’s scheduled meetings will natively include additional instructions (seen in the image below) for joining the meeting from any standards-based endpoint.  At minimum the provided calling option can be manually dialed from a VTC, but additional configuration like local speed dials, infrastructure dialing rules, or ideally the Polycom One Touch Dial service can be leveraged to provide a single ‘Join’ button on supported endpoints to place the call.

image

The RealConnect service is comprised of a number of Polycom-managed, Microsoft Azure-hosted virtual servers.  These globally deployed services can receive video calls over standards-based SIP or H.323 protocols and then connect that call into a Skype for Business or Teams meeting.  (This service does not connect Skype for Business meetings to Teams meetings.  Those are two completely separate Microsoft meeting platforms.)

This basic diagram shows two VTCs joining the same scheduled Microsoft Teams meeting.  (RealConnect for Skype for Business functions in the exact same manner.)

image

  • Each VTC which calls into the service will be routed to the logically closest Azure datacenter where Polycom services are deployed and the call will land on a dedicated transcoding MCU (B). 

  • The RealConnect service will then locate the target meeting, as identified by the Tenant ID, Conference ID and Domain provided in the call string (e.g. 123456.987654321@t.plcm.vc).

The Tenant ID is a globally unique string assigned to the tenant during service enrollment and is the same on every meeting scheduled by any user in the tenant; it never changes.  The Conference ID is dynamically created by the Microsoft scheduling services and is different for every scheduled meeting.  The Domain name in the call string will be one of three options denoting which of the three flavors of the service the call will be directed to: t.plcm.vc for Microsoft Teams meetings, v.plcm.vc for Skype for Business Online meetings, and h.plcm.vc for Skype for Business Server meetings.  (The original instance of the service was launched for Skype for Business and ‘v’ was used to denote ‘video’.  When support for Skype for Business Server/Hybrid deployments was later added then ‘h’ was used for ‘hybrid’.  As one can guess the ‘t’ refers to Teams in the latest iteration of the service.)

  • Now that the service has located the Microsoft meeting, the Polycom MCU (B) will connect to the Microsoft MCU (A), transcoding all video, audio, and content sharing sessions between standards-based codecs (e.g. H.264 AVC, H.239, BFCP, etc.) into Microsoft codecs (e.g. SVC, RDP, VBSS, etc.).

  • When another VTC joins the same call, using the same call string, it will land on a different, dedicated Polycom MCU (C).  That MCU may reside in the same Azure datacenter or a completely different datacenter, depending on the geographical location of that VTC.  Either way, all the cascaded traffic will be routed within Microsoft’s global network to locate the same Teams (or Skype for Business) meeting.
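The call string format described in the steps above can be checked mechanically, for example when reviewing dial strings found in VTC call logs or dialing rules. The PowerShell function below is an added example, not part of the original article or of any Polycom tooling; the function name, the all-digit ID pattern, and the Tenant ID before Conference ID order (inferred from the article's example string) are assumptions.

```powershell
# Added example: split a RealConnect call string into its parts and reject
# anything that does not end in one of the three service domains.
# Assumptions: both IDs are all digits and the Tenant ID comes first,
# as in the article's example 123456.987654321@t.plcm.vc.

$ServiceByDomain = @{
    't.plcm.vc' = 'Microsoft Teams'
    'v.plcm.vc' = 'Skype for Business Online'
    'h.plcm.vc' = 'Skype for Business Server'
}

function ConvertFrom-RealConnectCallString {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CallString
    )
    process {
        $text   = $CallString.Trim()
        $result = [ordered]@{
            CallString   = $text
            Valid        = $false
            TenantId     = $null
            ConferenceId = $null
            Service      = $null
            Reason       = $null
        }

        if ($text -notmatch '^(?<tenant>\d+)\.(?<conf>\d+)@(?<domain>[^@\s]+)$') {
            $result.Reason = 'Not in TenantID.ConferenceID@domain form'
        }
        elseif (-not $ServiceByDomain.ContainsKey($Matches.domain.ToLowerInvariant())) {
            # Exact match only, so look-alike or suffixed domains are rejected.
            $result.Reason = "Unknown service domain '$($Matches.domain)'"
        }
        else {
            $result.Valid        = $true
            $result.TenantId     = $Matches.tenant
            $result.ConferenceId = $Matches.conf
            $result.Service      = $ServiceByDomain[$Matches.domain.ToLowerInvariant()]
        }
        [pscustomobject]$result
    }
}

# Sample input: the first string is the article's example, the rest are constructed.
$samples = @(
    '123456.987654321@t.plcm.vc'
    '123456.555000111@v.plcm.vc'
    '123456@t.plcm.vc'                          # Conference ID missing
    '123456.987654321@t.plcm.vc.example.net'    # look-alike domain
)
$samples | ConvertFrom-RealConnectCallString | Format-Table -AutoSize
```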

The remainder of this article details the steps required to enable the service after purchase or enrollment in a trial, and should only be performed once calls into the service have been successfully tested and any optional components like the Cloud Relay have been deployed, or additional configuration like One Touch Dial has been completed.  This is especially important when working with a trial license as the 60-day period can disappear rather quickly when potentially dealing with firewall configuration changes or anything else which may take time to address in a production network.

So while this is the first article in the series it may very well be the last article used in the actual configuration, depending on the timing of events and desired capabilities.  For example, supporting Polycom VTCs can be 100% cloud-based and thus the recommended route is to simply activate the service and then set up the endpoints for One Touch Dial, after validating connectivity to the services.

But if there are Cisco VTCs which need to leverage One Touch Dial then that service and the Cloud Relay should be dealt with first, before activating the service.  The same guidance goes for supporting Skype for Business Server or Hybrid deployments.  Essentially, any feature or topology which requires the Cloud Relay server means that one should always get that deployed and functioning before activating the service.  Understand that there is no requirement to activate the service first or last; this guidance is simply related to maximizing usability during the trial period.  If this is not a concern then performing the steps in this article to activate and configure the service is typically done first.


Activate Service

When service licenses are purchased (or a trial is issued) an automated email will be sent to the primary contact email address provided during the original order.  This email is sent from "licenseadmin@polycom.com" with the title "Polycom License notification email for Polycom for Order No. 0000000/domain.com" and includes a pair of attachments.  Both the .PDF and .TXT attachments include the 16 character license activation key which is tied specifically to the tenant domain for which it was ordered. (Meaning, for example, that if the exact license key shown in this article were to be used by another Office 365 tenant it would fail to apply.)

  • Open the mailbox for the account provided as part of the service order (e.g. jeff@msteams.net) and look for the email described above.  (If this email is not found then the order may not have been processed yet, which could take 1-2 days.)

image

  • Download the attached text file (e.g. 1607678.txt) or simply open the attachment and copy the license key to the clipboard. (The numeric order number is the name of the attachment.)

image

image

  • Enter the credentials of a Global Administrator account and then click Yes on the Stay Signed in prompt, which will simplify the configuration as different portals are accessed. (Any account with Global Administrator permissions in the Office 365 tenant can access this portal for service activation.)

image

  • Click each down arrow to expand the individual permission requests to review the additional details. Leave the Consent on behalf of your organization setting unchecked and then click Accept.

image

    This step is simply allowing the RealConnect service the rights required to insert service-related information into the tenant during the configuration process managed by the portal.

    Also, Microsoft has recently changed these permission request prompts to include a new option to accept the change on behalf of the entire organization, meaning that other users accessing the portal will not receive this prompt.  As only the Global Administrator can access this portal then there is typically no added value in preemptively accepting these permissions for all other Global Administrator accounts which may potentially also decide to sign in to this portal for some reason.  And if another authorized account did sign in it would still be presented with this same prompt.

    • Once successfully signed in to the portal then the current status should indicate that the account is inactive and no licenses are applied.  Click the Activate New License link.

    image

    • Enter the License Activation Key (e.g. C1937-5846-9980-3352) from the previously downloaded file (or paste it from the clipboard), accept the terms of service request, and then click Submit.

    image

    • If the license key is successfully applied then the page will refresh to display a host of new information.

    image

    As seen above this is a 60-day trial license of which the timer has now started, indicated by the End date.  Also the trial includes a limit of 5 concurrent VTC Call Licenses for use with any number of Skype for Business or Teams meetings at one time.  The remainder of the information above will be broken down in the remaining configuration steps.

    Now that the service has been activated for the tenant it would be a good time to sign up for status alerts related to the service availability.

    image

    image


    Enable RealConnect for Microsoft Teams

    Now that the license has been applied and the service is activated for this Office 365 tenant there are a few required one-time configuration steps to be performed.  The Teams Configuration section on the portal includes links to either perform or explain how to perform each of the required sections.  (If RealConnect will not be used with Microsoft Teams meetings then skip this section and advance to the Skype for Business configuration in the next section.)

    First, consent must be granted to Polycom to operate as a Cloud Video Interop service provider and allow Polycom’s bots used in the solution to join any Teams meetings scheduled by users in this tenant.  Secondly, in order to use the RealConnect service a user’s scheduled Teams meeting invitation must include additional instructions for the VTCs to use.  Inclusion of these additional instructions is controlled by a set of PowerShell cmdlets which can be used to enable the functionality either for all users globally or on an individual user-by-user basis.

    Grant Consent

    image

    • Click the "here" link at the bottom of the page and sign into Office 365 using the same Global Administrator account, if prompted.

    image

    • Click each down arrow to expand the individual permission requests to review the additional details.  Click Accept when ready.

    image

    If successful, then the consent page will refresh to report the results.

    image

    At this point a RealConnect for Microsoft Teams app has been added to the Office 365 tenant, which can be confirmed on the Microsoft Apps page at https://myapps.microsoft.com. Look for the Polycom RealConnect for Microsoft Teams app in the list.

    image

    Prepare PowerShell

    image

    The PowerShell Commands documentation page that opens will include each of the supported cmdlets.  These are not just examples, as they include the exact parameters specific to this tenant so they can literally be copied and pasted directly into PowerShell to execute them.  Among the instructions is guidance for connecting to PowerShell Online Modules, enabling the service, enabling users, and controlling specific behaviors of the service.

    As explained in this recent article the Microsoft Teams cmdlets are included in the Skype for Business Online PowerShell Module, so that is the only module required to complete the following configuration steps.

    • Download and install the Skype for Business Online Windows PowerShell Module on the desired Windows workstation.

    • Open a new Windows PowerShell window and then enter the following commands.  These can all be copied and pasted in one single action.  Enter an administrator account’s User Principal Name when prompted in the PowerShell window, and then the password when  prompted in a separate pop-up window.

    Import-Module SkypeOnlineConnector
    $skype = New-CsOnlineSession
    Import-PSSession $skype

    image

    Enable Video Interop Service

    • Copy the command string under the "Configure Your Video Interop Service Policy" section which should match the example below everywhere except for the unique numeric string in the -TenantKey parameter.  Paste the text into PowerShell and execute.

    New-CsVideoInteropServiceProvider -Identity Polycom -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7 -TenantKey "680450644@t.plcm.vc" -InstructionUri "https://dialin.plcm.vc/teams/?key=680450644&conf={ConfId}"

    image

    What this command has done is enabled Polycom as the Cloud Video Interop Service provider of choice for this tenant, defined the tenant’s unique numeric ID (TenantKey), defined the globally unique AzureAD application ID for the Polycom service bot (AadApplicationIds), and finally set the help URI which will appear on the Teams meeting invite of any enabled users (InstructionUri).

    Note that the -InstructionUri parameter can point to any URL, so if desired a custom-branded webpage can be created and hosted on any publicly available web server.  Simply replace the default URL with the URL of the custom website if this customization is desired, otherwise leave the default entry which points to a dynamic page specific to the tenant.

    Enable Users

    Unlike the Skype for Business configuration which will require an add-on license to be assigned to each user in the environment the Teams solution simply leverages a policy which can be enabled or disabled per user or for the entire tenant.

    The preferred method when testing or rolling out the service is to enable individual users instead of enabling every user at one time.

    • To enable individual user accounts simply use the Grant-CsTeamsVideoInteropServicePolicy cmdlet as shown below, entering the User Principal Name for the desired user account as the target -Identity.  Standard PowerShell scripting can be used to run this command against specific lists of users in bulk if desired.

    Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled -Identity jeff@msteams.net

    • Alternatively, to enable the service for every scheduled Teams meeting created by every user in the organization then simply execute the same cmdlet, but without specifying an identity.

    Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled

      For verification purposes the following cmdlet can be used to list all users in the organization which have the service enabled for their Teams meeting invitations.

      Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled"} | fl UserPrincipalName

      image
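The bulk approach and the verification cmdlet above can be combined so that the set of enabled users is reconciled against a reviewed pilot list. This is an added example, not code from the original article; the second account in the list is hypothetical, and an already imported Skype for Business Online session is assumed.

```powershell
# Added example: enable a reviewed pilot list, then report drift between that
# list and the accounts that actually hold the policy.
# Assumes the Skype for Business Online session from the earlier step is imported.

# Constructed sample list; replace with the reviewed pilot User Principal Names.
$pilotUsers = @(
    'jeff@msteams.net'
    'pilot.user2@msteams.net'   # hypothetical account
)
$policyName = 'PolycomServiceProviderEnabled'

# Grant the policy one account at a time and collect failures instead of stopping.
$failed = foreach ($upn in $pilotUsers) {
    try {
        Grant-CsTeamsVideoInteropServicePolicy -PolicyName $policyName -Identity $upn -ErrorAction Stop |
            Out-Null
    }
    catch {
        [pscustomobject]@{ User = $upn; Error = $_.Exception.Message }
    }
}

# Same filter as the verification cmdlet in the article.
$enabled = @(
    Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled"} |
        Select-Object -ExpandProperty UserPrincipalName
)

# Accounts holding the policy that nobody reviewed, and reviewed accounts
# that do not show the policy yet (assignments can take time to appear).
$unexpected = @($enabled    | Where-Object { $_ -notin $pilotUsers })
$missing    = @($pilotUsers | Where-Object { $_ -notin $enabled })

[pscustomobject]@{
    Requested  = $pilotUsers.Count
    Failed     = @($failed).Count
    Enabled    = $enabled.Count
    Unexpected = $unexpected -join ', '
    Missing    = $missing -join ', '
} | Format-List

if ($failed) { $failed | Format-Table -AutoSize }
```

A non-empty Unexpected value means the policy was granted outside the reviewed list, for example by running the cmdlet without an identity.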

      Enable Lobby Bypass

      By default any VTCs joining a Teams meeting by way of RealConnect will automatically be placed directly into the meeting lobby, requiring another Teams attendee to manually admit them.  If this behavior is not desired then all VTCs can be allowed to automatically bypass the lobby and join the meeting directly.  Note that this change has no impact on other guests joining a Teams meeting, it only applies to VTCs joining via the RealConnect service.  Changing this setting will impact the behavior for all VTCs joining all Teams meetings as this is essentially a global on/off switch.

      • Enter the following cmdlet to enable the lobby bypass behavior.

      Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true

      Note that in order for this feature to function the service provider configuration defined in an earlier step must have the correct service bot ID defined (-AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7).  If the provider was initially created without setting this parameter then it can be added to the same cmdlet as shown in the following example.

      Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7
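Because the provider object controls which bot may join meetings, which help URL appears in every invitation, and whether VTCs skip the lobby, it is worth reviewing after any change. The read-only check below is an added example, not part of the original article; it assumes an imported Skype for Business Online session and that the object returned by Get-CsVideoInteropServiceProvider exposes properties named like the parameters used above.

```powershell
# Added example: read-only review of the Cloud Video Interop provider settings.
# Assumption: the returned object has AadApplicationIds, InstructionUri and
# AllowAppGuestJoinsAsAuthenticated properties matching the cmdlet parameters.

$expectedAppId       = 'a39192d4-7b9b-4c07-87d7-cbcd3fd97af7'  # bot ID from this article
$expectedUriHosts    = @('dialin.plcm.vc')   # add the custom-branded host here if one is used
$lobbyBypassApproved = $false                # set to $true once lobby bypass has been signed off

$findings = New-Object System.Collections.Generic.List[string]

# More than one provider means another service can also be placed on invitations.
$allProviders = @(Get-CsVideoInteropServiceProvider)
if ($allProviders.Count -gt 1) {
    $names = ($allProviders | ForEach-Object { "$($_.Identity)" }) -join ', '
    $findings.Add("More than one provider is configured: $names")
}

$provider = Get-CsVideoInteropServiceProvider -Identity Polycom

# The parameter accepts a string, so split on common separators before comparing.
$appIds = @(@($provider.AadApplicationIds) -split '[;,\s]+' | Where-Object { $_ })
if ($appIds -notcontains $expectedAppId) {
    $findings.Add("Expected bot application ID $expectedAppId is not set")
}
foreach ($id in $appIds | Where-Object { $_ -ne $expectedAppId }) {
    $findings.Add("Additional application ID present: $id")
}

# The help link is shown to every invitee, so it should be HTTPS on a known host.
$uri = $provider.InstructionUri -as [uri]
if (-not $uri -or -not $uri.IsAbsoluteUri) {
    $findings.Add("InstructionUri is missing or not an absolute URL: '$($provider.InstructionUri)'")
}
elseif ($uri.Scheme -ne 'https' -or $uri.Host -notin $expectedUriHosts) {
    $findings.Add("InstructionUri points to an unexpected location: $($uri.Scheme)://$($uri.Host)")
}

# Lobby bypass is a tenant-wide switch for all VTCs, so flag it unless approved.
if ($provider.AllowAppGuestJoinsAsAuthenticated -and -not $lobbyBypassApproved) {
    $findings.Add('Lobby bypass is enabled for all VTCs but is not recorded as approved')
}

if ($findings.Count -eq 0) {
    'Provider configuration matches the expected values.'
}
else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```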

      Validate Configuration

      To confirm that the configuration was successfully completed sign in to Microsoft Teams using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

      • Create a new Teams Meeting using any supported method (Outlook, the Teams desktop application, a Teams mobile app, or even from Teams running in a web browser).  Confirm that the resulting meeting invitation now displays an additional section of instructions in the message body pertaining to the video interop service.

      image

      image

      At this point the configuration for Microsoft Teams is complete and the service is ready to be used with the Office 365 tenant.


      Enable RealConnect for Skype for Business Online

      Configuring RealConnect for Skype for Business addresses the same concepts as covered above in the Teams configuration, yet with a completely different methodology for enabling the service and users.  The steps in this section are only applicable to supporting Skype Meetings scheduled by Skype for Business Online users.  (Supporting RealConnect for Skype Meetings scheduled by Skype for Business Server users requires a different configuration which is not in the scope of this article.)

      While the required permissions to utilize the service were already granted when first connecting into the portal, Polycom needs to also be established as a Cloud Solution Provider (CSP) via a partner relationship with the Office 365 tenant.  By default Microsoft grants all CSPs full delegated administrative rights to the tenant, which is in no way required (or even desired) for this service.  Thus those rights should be promptly removed, leaving only the Cloud Solutions Provider relationship.

      1. The Partner Relationship is required to insert the needed user licenses into the tenant.
      2. Delegated administrative permissions are not required and should be removed.

      While the Teams functionality leverages a basic policy setting to enable the service per user, the Skype for Business functionality uses the older Office 365 Add-On license model.  The Skype Configuration details below include an additional user license count which is completely separate from the base Call Licenses which are actually measured for concurrent usage of the service.  These additional Skype Outlook Licenses are simply entitlements which can be given to all users so that their Skype Meeting can be populated with the needed VTC details.  These are essentially included free with the service.

      Authorize Cloud Solutions Provider

      image

      • Click Sign In on the Cloud Solution Provider invitation.

      image

      • Select Yes to agree to the terms of delegated administration (this level of permissions is unneeded by the service and will be promptly removed) and then click Authorize CSP.

      image

      If completed successfully the following message will be displayed.

      image

      Otherwise the main page will be displayed with the updated Skype Configuration status now reflecting that the partner relationship has been established.  Note that it should also report "Delegated Admin Permission detected".

      • Click the View Microsoft Partner Relationship link which will open the Microsoft 365 admin center in a new tab and should go directly to the Settings > Partner Relationship menu.

      image

      • Click on the Polycom, Inc. entry to open that partner relationship.  (Note that the Relationship is described as "Cloud Solution Provider and Admin".)

      image

      • Click the Remove delegate admin button and then click Remove when prompted to confirm.

      image

      • Click Close to return to the Partner relationships page.  (Note that the "and Admin" portion is no longer shown in the description.)

      image

      Verify User Licenses

        

      image

      As soon as the licenses are applied to the tenant they will be listed here as "Skype Meeting Video Interop for Skype for Business".  It can take as little as a few minutes to as long as several hours before the licenses are applied to the tenant, so check back later if they do not yet appear.

      Enable Users

      Once the licenses have been assigned to the tenant and appear in the previous step it is possible to assign the service capability to specific users’ meetings.

      Note that the number of Skype Meeting Video Interop licenses which appear in the tenant will exactly match the total number of core Office 365 user licenses currently in the tenant that include Skype for Business Online Plan 2 capabilities.  This essentially means that all Standalone, Business, and/or Enterprise licenses which include the ability for that user to schedule a Skype for Business Online Meeting are added together and an equal number of video interop licenses are added to the tenant.  For example, a tenant with 25 E3 licenses, 100 E5 licenses, and 10 standalone SfB Online Plan 2 licenses would be given 135 video interop user licenses.  This ensures that every user in the tenant is allowed to create meetings capable of using RealConnect.

      If additional Office 365 user licenses are added to the tenant in the future then simply sign-in to the Polycom RealConnect for Office 365 and Microsoft Teams portal which will trigger the service to recalculate the current user licenses and update the available amount to match.

      Assigning a license to a user can be performed using either the Microsoft 365 Admin Center or PowerShell, no differently than any other Office 365 license.

      • In the Microsoft 365 admin center browse to Users > Active Users and then select the desired user or users, and then click Edit for Product Licenses.  (If editing multiple users then select Add to existing product license assignments.)

      • Click on the slider next to Skype Meeting Video Interop for Skype for Business and then click Save.

      image

      Validate Configuration

      To confirm that the configuration was successfully completed sign in to Skype for Business using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

      • Create a new Skype Meeting using Outlook 2016 (Click-to-Run installations only) on a Windows or Mac workstation.  Confirm that the resulting meeting invitation now displays an additional section of instructions in the message body pertaining to the video interop service.

      image

      At this point the configuration for Skype for Business Online is complete and the service is ready to be used with the Office 365 tenant.

      Next Steps

      As outlined earlier depending on the existing topology, desired workflow, and available VTCs there may be a need to perform additional configuration steps.  The additional articles in this series are outlined in the beginning of this article.

      Managing Office 365 with PowerShell

      October 9, 2018

      This article is intended to share a streamlined approach for managing Office 365 services via PowerShell which are pertinent to the Microsoft UC platform, namely Exchange Online, Skype for Business Online, and Microsoft Teams.  Covered are a host of one-time installation steps needed to prepare a single workstation with the requisite software as well as the individual PowerShell cmdlets repeatedly used to invoke access to each service when management processes need to be run.

      Before jumping into how to connect a single PowerShell window to all of these UC-related services online it is important to understand the different services and what has changed over the years in terms of PowerShell behavior.

      Background

      There are several different articles available providing guidance for connecting to the various Microsoft Office 365 Online services via PowerShell.  They range from examples like an older blog post written specifically for Lync Online to new, updated guidance from Microsoft on how to access multiple services in a single console.  The older approaches utilized the original requirements of manually downloading and installing several different PowerShell modules via traditional Windows Installer packages which were created for connecting to services like Lync Online and Exchange Online.  There even used to be a separate download required simply to authenticate into Office 365 first using the original Organizational ID (Org ID) online authentication model.

      Now though, most of the various services in Office 365 are easier to connect to via PowerShell for management purposes, but they are still not all using the same methodology and installation processes.  While most are updated to use basically the same process there are a few outliers.  To access Exchange Online and/or the Office 365 Security & Compliance Center a completely different approach was used than the rest of the PowerShell modules used for managing services to Azure Active Directory (Azure AD), Skype for Business Online, or Teams.

      Of the more recent changes which improve upon and simplify the overall management experiences there are two primary concepts worth calling out.  One is the creation of a central repository for PowerShell resources and the other is the inclusion of Modern Authentication.  The newer PowerShell Gallery is now used to store and distribute various modules, making installation and updates of future module versions much easier.  Also, by leveraging Modern Authentication each of these modules utilizes the same approach for providing administrative credentials for access.

      The Modules

      Yet, as mentioned earlier, not all of these services operate identically and there are even some overlapping modules used for accessing the core Office 365 service.

      The following core modules are needed for managing any underlying Azure AD accounts or tenant components:

      • Microsoft Azure Active Directory Module for Windows PowerShell – This module contains the original set of *-Msol* cmdlets for managing Azure AD.  This is the older v1 PowerShell module referred to as MSOnline.
            
      • Azure Active Directory PowerShell for Graph – This module contains all of the *-AzureAD* cmdlets for managing Azure AD.  This is the newer v2 PowerShell module referred to as AzureAD.

      Microsoft currently recommends using the newer v2 module, but that does not currently include any of the cmdlets provided in the v1 module.  So, it is not feasible to simply use only the newer Azure AD module when it does not also include all the older functionality.  For many of the management tasks covered on this blog for services like Skype for Business it is still required to execute several MSOnline cmdlets, thus both the v1 and v2 would be leveraged.  In fact, only the v1 module is really needed in most of the currently documented Skype for Business configuration and management processes as they all utilize the -Msol cmdlets, and not the newer -AzureAD cmdlets.  If in the future some of that guidance is updated then make sure to leverage the appropriate modules.

      Luckily both of the modules above can easily be installed from the PowerShell Gallery, so inclusion of both is trivial and essentially there is no harm in loading an additional module into a PowerShell session even if no cmdlets from that module are executed.

      The following two modules are handled completely differently from the modules above though as they are not available via the PowerShell Gallery and must be installed through two separate manual processes.

      • Skype for Business Online PowerShell – This module contains all of the *-Cs* cmdlets originally added for managing Lync Online, now Skype for Business Online, and also includes UC-related Microsoft Teams management cmdlets.

      • Exchange Online PowerShell – This newer module with Modern Authentication support contains all of the cmdlets used for managing Exchange Online but these cmdlet names do not share a common naming convention for easy identification.

      Installation

      The following steps walk through importing or installing each individual PowerShell module and are required only once per workstation.  An up-to-date Windows 10 workstation was used which contains all of the prerequisite Windows components to successfully complete the process.  If any errors occur when using older versions of Windows then it may be necessary to update components like PowerShell or Windows Management Framework.

      MSOnline

      Installation of the first module will assume that no other PowerShell modules have ever been installed on the specific workstation and will prompt for the one-time installation of the NuGet Package Provider as well as ask to temporarily trust the PSGallery repository.

      • Launch Windows PowerShell as an administrator.

      image

      • Enter the following cmdlet to install the MSOnline module on the local workstation directly from the PowerShell gallery.

      Install-Module -Name MSOnline

      • When prompted to install the prerequisite NuGet provider enter "Y" to allow the installation.

      image

      • When prompted to install the untrusted repository enter "A" to allow the installation.

      image

      • To verify successful installation of both the requisite NuGet and PSGallery components as well as the desired MSOnline module, run the following cmdlets to list the installed PowerShell Package Providers, Repositories, and Modules.

      Get-PackageProvider

      image

      Get-PSRepository

      image

      Get-InstalledModule

      image

      Note that the PSGallery repository listed above is currently set as Untrusted.  While this is acceptable it will continue to trigger the ‘untrusted repository’ prompt seen earlier when attempting to install any other modules from the PowerShell Gallery.  At this point it may be preferred to configure this as a trusted repository on the specific workstation to further streamline additional module installation.  This is a completely optional step, but one that is typically recommended given that the PowerShell gallery is a trusted Microsoft source.

      • Use the following PSRepository cmdlets to set the PowerShell gallery to trusted and then confirm that modification.

      Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

      Get-PSRepository
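
Trusting PSGallery silences the prompt for every module hosted there, including community-published ones, not only Microsoft's. As an added example (not part of the original article), the function below leaves the repository policy alone and instead stages a pinned version, checks the Authenticode signature of every file, and only then installs it. The function name, staging folder, expected signer string and the version placeholder in the usage comment are assumptions.

```powershell
# Added example, not from the original article. Assumed names: the function itself,
# the staging folder, and the expected signer string (confirm the publisher's
# certificate subject out-of-band before relying on it).
function Install-VerifiedGalleryModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $RequiredVersion,
        [string] $ExpectedSigner = 'O=Microsoft Corporation',
        [string] $StagingRoot    = (Join-Path $env:TEMP 'psgallery-staging'),
        [switch] $VerifyOnly     # stop after the signature check, install nothing
    )

    # 1. Download the pinned version to a scratch folder. Save-Module only writes
    #    files to disk; nothing is imported or executed.
    $null = New-Item -ItemType Directory -Path $StagingRoot -Force
    Save-Module -Name $Name -RequiredVersion $RequiredVersion `
                -Repository PSGallery -Path $StagingRoot -Force
    $staged = Join-Path (Join-Path $StagingRoot $Name) $RequiredVersion

    # 2. Every script, manifest and binary must carry a valid signature from the
    #    expected publisher. Anything else is reported and blocks the install.
    $files = Get-ChildItem -Path $staged -Recurse -File |
             Where-Object { $_.Extension -in '.psd1', '.psm1', '.ps1', '.ps1xml', '.dll' }
    if (-not $files) { throw "No signable files found under $staged" }

    $failures = foreach ($file in $files) {
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
            [pscustomobject]@{ File = $file.Name; Status = $sig.Status; Signer = $subject }
        }
    }
    if ($failures) {
        $failures | Format-Table -AutoSize | Out-String | Write-Warning
        throw "$Name $RequiredVersion failed signature verification; not installing."
    }
    if ($VerifyOnly) {
        return "$Name $RequiredVersion passed signature verification ($($files.Count) files)."
    }

    # 3. Install the same pinned version, then confirm the installed files are
    #    byte-for-byte identical to the copies verified in staging.
    Install-Module -Name $Name -RequiredVersion $RequiredVersion -Repository PSGallery
    $installed = (Get-InstalledModule -Name $Name -RequiredVersion $RequiredVersion).InstalledLocation
    foreach ($file in $files) {
        $relative   = $file.FullName.Substring($staged.Length).TrimStart('\')
        $stagedHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $liveHash   = (Get-FileHash -Path (Join-Path $installed $relative) -Algorithm SHA256).Hash
        if ($stagedHash -ne $liveHash) {
            throw "Installed copy of $relative differs from the verified copy."
        }
    }
    "$Name $RequiredVersion installed and verified ($($files.Count) files)."
}

# Usage (the version is a placeholder; take the real value from Find-Module):
# Install-VerifiedGalleryModule -Name MSOnline -RequiredVersion '<version>' -VerifyOnly
```

Files that fail the check are listed with their signature status and signer so they can be reviewed individually before deciding whether to install.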


      Azure AD

      • In the same administrative PowerShell window issue the following cmdlet to install the AzureAD module. 

      Install-Module -Name AzureAD


      If the PSGallery repository was not manually trusted using the optional step above then the step above will again prompt for access to the still untrusted repository in order to download the AzureAD module.  If this prompt appears enter "A" to allow it.

      • Use the Get-InstalledModule cmdlet again to verify that AzureAD module has been installed.

      Get-InstalledModule


      Skype for Business


      • If the installation fails with an error reporting an insufficient or missing version of the Visual C++ 2017 x64 runtime then download and install the latest version of the x64 redistributable package (e.g. vc_redist.x64.exe).

      • To verify successful installation open Apps & Features under the Windows System Settings and then search for ‘Skype’ to filter the list of installed programs and display the following results.


      Exchange Online

      • Using Microsoft Edge (other browsers may not be compatible) sign-in to the Microsoft 365 Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.

        • Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."


        • Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.


      • Once the module installation completes then simply close the Windows PowerShell window which was automatically opened.


      At this point all four PowerShell modules have been installed on the workstation and the one-time setup is complete.


      Usage

      The following cmdlets can be issued individually to establish connections into each desired online service via PowerShell.  Due to the way that the Exchange module functions though it is critical to use the Exchange PowerShell module to start with as that module cannot be utilized in a standard PowerShell window.

      This approach leverages support for Modern Authentication throughout all four modules which does not utilize a single stored set of credentials.  Each connection will prompt for authentication in a separate window.

      Connecting to Online Services

      • Launch the Microsoft Exchange Online PowerShell Module which was just installed on the workstation in the previous step.


      Connect-EXOPSSession


      • Sign in using an administrative account for the tenant.


        Once the session has been imported a warning may appear related to potentially unapproved verbs which can be ignored.

        • Connect to Azure AD using the Connect-MsolService cmdlet and enter the same administrator credentials when prompted.

        Connect-MsolService

        • Connect to Azure AD using the Connect-AzureAD cmdlet, again entering the same credentials if prompted.

        Connect-AzureAD

        • Connect to Skype for Business Online using the following cmdlets, providing the account username when prompted in-line and the account’s password when prompted by a separate window.

        Import-Module SkypeOnlineConnector

        $skype = New-CsOnlineSession

        Import-PSSession $skype

        If all commands were successful then the resulting PowerShell window should look something like this:


        Testing Connectivity

        Issue the following four example cmdlets to test that each of the four modules are functioning properly with access to the online services.

        Get-Mailbox

        Get-MsolAccountSku

        Get-AzureADUser

        Get-CsOnlineUser

        Quick Reference

        The following can be inserted into a .ps1 file to create a basic batch process for connecting to all four services in succession.  Because Modern Authentication does not allow token sharing between the various modules, the authentication prompts will still appear between each connection attempt.  Some of the Connect cmdlets support providing the User Principal Name in-line while others do not.  To attempt to incorporate these newer modules into custom scripts to further automate the process take a look at these other blog articles.

        Connect-MsolService
        Connect-AzureAD

        Connect-EXOPSSession -UserPrincipalName "jeff@jdskype.net"
        Import-Module SkypeOnlineConnector
        $skype = New-CsOnlineSession -UserName "jeff@jdskype.net"
        Import-PSSession $skype

        Make sure to execute the script after launching the Microsoft Exchange Online PowerShell Module, as that is the only PowerShell instance which is capable of using the Connect-EXOPSSession cmdlet.

        Displaying Teams in the Exchange Online Address Book

        July 3, 2018

        Microsoft has recently implemented a change in how Office 365 Groups are handled by default in Exchange Online.  Since the release of Microsoft Teams, which uses Office 365 Groups as the core membership list for individual Teams, when a user created a new team then the associated Office 365 Group was automatically Exchange-enabled with distribution group capabilities.  This meant that every single Team created in an organization would appear in the Exchange Online Address Book, thus offering the potential to rapidly clutter up the Global Address List.  This default behavior was hotly contested by the overall community and in response Microsoft has reacted by essentially reversing this, but not retroactively.

        Now when a new Office 365 Group or Team is created it will no longer appear in the Exchange Address Book, nor will it be displayed in the Outlook Groups section in the navigation pane.  This only applies to new groups though as no changes have been applied to any of the existing groups in Office 365 tenants today.

        So, this means that administrators need to understand how to address two potential issues: hiding all the existing groups if desired and unhiding individual new groups if desired.

        In order to programmatically hide all the existing groups from the address book and/or Outlook client navigation pane then the guidance in this article can be followed.  Yet when creating new teams and/or groups an additional configuration step will be required if it is desired to have them appear in Outlook. 

        Configuration

        This is a simple configuration change that is currently only available through a PowerShell cmdlet leveraging two different parameters.

        The preferred method for managing Exchange Online using PowerShell cmdlets now is to leverage Modern Authentication using the newer Microsoft Exchange Online PowerShell Module which can be initially installed from the Exchange Admin Center.

        Connect to Exchange Online PowerShell

        • Using a web browser sign in to the Office Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.
        • Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."


        • Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.


        The initial steps above are a one-time installation process per workstation.  For future sessions from the same workstation this PowerShell module is now installed locally and can be launched from the Microsoft Exchange Online Powershell Module desktop app.


        • Once the installation is complete and the Windows PowerShell window appears use the Connect-EXOPSSession cmdlet to open a connection to the desired Exchange Online tenant.

        Connect-EXOPSSession -UserPrincipalName jeff@msteams.net


        The -UserPrincipalName parameter used above is optional and if omitted then the following authentication prompt will ask for both the username and password.

        • Enter the password for the administrator account provided in the cmdlet above.


        Edit Office 365 Group

        Use the following Exchange Online PowerShell cmdlets to independently control the behavior of the address book and Outlook navigation bar behavior for the desired group.

        • Use the Get-UnifiedGroup cmdlet to view the current display settings for all existing groups.

        Get-UnifiedGroup |ft DisplayName,HiddenFrom*


        In this example a new Team named ‘Marketing Team’ was recently created while the other two groups were originally created before Microsoft changed the behavior.  As seen above the new Office 365 Group for that Team has automatically been hidden from both the address book and Outlook clients.

        To reverse this for either or both behaviors issue the following Set-UnifiedGroup cmdlets as shown below.

        • To include the new group in the Exchange Online Outlook Address Book disable the -HiddenFromAddressListsEnabled parameter.

        Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromAddressListsEnabled $false

        Note that this change will take time to propagate throughout the tenant.  While the Online Address Book will be updated almost immediately the Offline Address Book in Exchange Online can take 24-48 hours to reflect this change.

        • To include the new group in the Outlook client’s Groups navigation pane

        Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromExchangeClientsEnabled:$false

        Notice that the cmdlet above is using a colon (:) as a separator between the parameter name and defined value.  For some reason this parameter (and not the others in this cmdlet) is defined in PowerShell as a switch and not a Boolean value and thus will not work with a space as a delimiter.  For the sake of simplicity a colon can alternatively be used in place of a space in the Boolean parameters.
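
Because every group shown in the address book exposes its name to the whole organization, the two tasks described above (hiding existing groups, unhiding selected new ones) can be handled as one reconciliation against an approved list. The following is an added example, not part of the original article; the function name and the allow-list parameter are assumptions, and it must be run in a session opened with Connect-EXOPSSession.

```powershell
# Added example, not from the original article. The function name and the
# $VisibleGroups allow-list are assumptions made for illustration.
function Sync-GroupVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Display names of the groups/teams approved to appear in the address
        # book and in the Outlook Groups pane. Every other group is hidden.
        [Parameter(Mandatory)] [string[]] $VisibleGroups
    )

    $groups = Get-UnifiedGroup -ResultSize Unlimited

    # Display names are not unique, so refuse to guess when an approved name
    # matches more than one group.
    $ambiguous = $groups |
        Where-Object { $VisibleGroups -contains $_.DisplayName } |
        Group-Object DisplayName |
        Where-Object Count -gt 1
    if ($ambiguous) {
        throw "Approved name matches several groups: $($ambiguous.Name -join ', ')"
    }

    foreach ($group in $groups) {
        $wantHidden = $VisibleGroups -notcontains $group.DisplayName
        $galOk      = [bool]$group.HiddenFromAddressListsEnabled    -eq $wantHidden
        $clientOk   = [bool]$group.HiddenFromExchangeClientsEnabled -eq $wantHidden
        if ($galOk -and $clientOk) { continue }   # already in the desired state

        $action = if ($wantHidden) { 'Hide' } else { 'Show' }
        if ($PSCmdlet.ShouldProcess($group.DisplayName, "$action in address book and Outlook")) {
            # The SMTP address is used as the identity because it is unique.
            # HiddenFromExchangeClientsEnabled is a switch, hence the colon.
            Set-UnifiedGroup -Identity $group.PrimarySmtpAddress `
                -HiddenFromAddressListsEnabled $wantHidden `
                -HiddenFromExchangeClientsEnabled:$wantHidden
        }

        # One row per group that differs from the approved state; with -WhatIf
        # this doubles as a drift report.
        [pscustomobject]@{
            Group                = $group.DisplayName
            Address              = $group.PrimarySmtpAddress
            Action               = $action
            WasHiddenFromGAL     = [bool]$group.HiddenFromAddressListsEnabled
            WasHiddenFromClients = [bool]$group.HiddenFromExchangeClientsEnabled
        }
    }
}

# Preview the changes first, then run again without -WhatIf to apply them:
# Sync-GroupVisibility -VisibleGroups 'Marketing Team' -WhatIf
```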

        Locating IDs in Azure AD

        June 21, 2018

        This article covers various methods for identifying the Directory ID and Object ID values for tenants and user accounts in Microsoft’s Office 365 environment.  These Universally Unique Identifiers (UUID) are assigned to the overall directory and each individual user account that exists in Azure Active Directory (AAD), whether the account was created in the cloud or was initially created on an Active Directory (AD) on-premises instance and was then synchronized to the cloud.

        The tenant identifier is referenced with different names depending on where the value is being retrieved from and it uses the same 32-character, dash-separated, hexadecimal format as the individual Object IDs use.  Also with the user accounts the term "Object ID" can refer to either/both the AzureAD account’s actual numeric identifier or the account’s UserPrincipalName (UPN) value.  So, for example, a valid Object ID for a user account could be ‘jeff@jdskype.net’ and ‘e0d3ad3d-0000-1111-2222-3c5f5c52ab9b’.  In essence a query using the Object ID (UPN) can be issued to return the Object ID (Numeric).

        In the event that a numeric identifier is needed this article can be used as a quick reference for querying for the different values in multiple ways.  Additionally the latter half of this article shows how to install either or both of the prerequisite PowerShell modules for managing Azure AD.

        Using the Admin Center

        The easiest option is to simply use the GUI-based admin centers available to Office 365 tenant administrators, but for repeated or bulk tasks PowerShell is usually the preferred route.  The Office 365 Admin Center includes an Azure AD specific administration console which can be used to browse for a specific user account and locate the Object ID value.

        Tenant (Directory ID)

        • Open the Office 365 Admin Portal and sign-in with an account in the desired tenant which has been delegated the appropriate administrative rights.

        • In the main menu on the left expand the Admin Centers section at the bottom and then click on the Azure Active Directory option to launch the console in a new browser window.

        • In the Azure Active Directory admin center menu select Azure Active Directory and then navigate to Manage > Properties.

        • The Directory ID field will be displayed as shown in the following screenshot.


        User (Object ID)

        • Open the Office 365 Admin Portal and sign-in with an account in the desired tenant which has been delegated the appropriate administrative rights.

        • In the main menu on the left expand the Admin Centers section at the bottom and then click on the Azure Active Directory option to launch the console in a new browser window.

        • In the Azure Active Directory admin center menu select Users.

        • Browse to or search for the desired user and then click on the account name to view the user account’s Profile information.

        • The Object ID field will be displayed in the Identity section as shown in the following screenshot.


        Using PowerShell Modules

        For quick reference purposes this portion is written out-of-order.  If the proper PowerShell modules have already been configured on a workstation or server then the following cmdlet should work as shown.  But if the required first-time setup for using PowerShell with Office 365 has not yet been completed then skip down to the Configuring PowerShell Modules section and then once complete return to the cmdlets shown here.

        AzureAD

        The newer Get-AzureAD* cmdlets can be used to locate the Object ID value and are the cmdlet set recommended by Microsoft.

        • Launch Windows PowerShell and issue the Connect-AzureAD cmdlet.  A separate authentication window will appear.

        Connect-AzureAD

        • Enter the credentials of an administrative account for the desired Office 365 tenant.  If authentication is successful then Tenant ID will automatically be displayed.


        • Enter the following Get-AzureADUser cmdlet to locate the Object ID for a specific user account by searching against the account name.

        Get-AzureADUser -SearchString 'jeff'


        MSOnline

        If preferred the Get-MsolUser cmdlet can also be used to locate the Object ID value.

        • Launch Windows PowerShell and issue the Connect-MsolService cmdlet.  A separate authentication window will appear.

        Connect-MsolService

        • Enter the credentials of an administrative account for the desired Office 365 tenant.  If authentication is successful then some account and tenant information will be displayed.

        • Enter the following Get-MsolUser cmdlet to locate the Object ID for a specific user account by searching against the account name.

        Get-MsolUser -SearchString 'jeff' | ft UserP*,ObjectID
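
Audit and sign-in records often carry only the GUID form of an account, while tickets and scripts tend to use the UPN. As an added example (not part of the original article), the function below accepts either form of Object ID described earlier, resolves it to the other, and returns the Directory ID alongside. The function name is an assumption, the sample identifiers in the usage comment are the ones quoted in the article text, and an existing Connect-AzureAD session is required.

```powershell
# Added example, not from the original article. Requires an existing
# Connect-AzureAD session. The function name is an assumption.
function Resolve-AadUserId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Identifier
    )
    begin {
        # The Directory (tenant) ID is the ObjectId of the tenant detail object.
        $directoryId = (Get-AzureADTenantDetail).ObjectId
    }
    process {
        foreach ($id in $Identifier) {
            $id   = $id.Trim()
            $guid = [guid]::Empty

            # Classify the input before querying so that malformed values are
            # reported instead of being sent to the directory.
            $form = if ([guid]::TryParse($id, [ref]$guid)) { 'GUID' }
            elseif ($id -match '^[^@\s]+@[^@\s]+$') { 'UPN' }
            else { 'Unrecognized' }

            $row = [ordered]@{
                Input             = $id
                Form              = $form
                UserPrincipalName = $null
                ObjectId          = $null
                AccountEnabled    = $null
                DirectoryId       = $directoryId
            }

            if ($form -ne 'Unrecognized') {
                try {
                    # -ObjectId accepts either the UPN or the GUID form.
                    $user = Get-AzureADUser -ObjectId $id -ErrorAction Stop
                    $row.UserPrincipalName = $user.UserPrincipalName
                    $row.ObjectId          = $user.ObjectId
                    $row.AccountEnabled    = $user.AccountEnabled
                }
                catch {
                    Write-Warning "No user resolved for '$id': $($_.Exception.Message)"
                }
            }
            else {
                Write-Warning "'$id' is neither a GUID nor a UPN; skipped."
            }

            [pscustomobject]$row
        }
    }
}

# Usage with the two identifier forms quoted in the article:
# 'jeff@jdskype.net', 'e0d3ad3d-0000-1111-2222-3c5f5c52ab9b' | Resolve-AadUserId | Format-Table
```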



        Installing PowerShell Modules

        In order to run the commands shown above the proper PowerShell module(s) must first be installed or imported.  This section covers the one-time setup for both the older and newer management modules.  These two options are provided via two different PowerShell modules available today for managing Azure AD objects: MSOnline and AzureAD.  These separate PowerShell modules must be installed or imported on a Windows workstation but the processes for doing so have changed over time.  The newer AzureAD module is the preferred method for managing Azure objects.

        Older guidance related to using the MSOnline PowerShell cmdlets outlined having to separately install the Microsoft Online Services Sign-In Assistant and Azure AD PowerShell modules but these steps are no longer required in most cases.  Firstly, all Office 365 tenants can now leverage Modern Authentication so the older sign-in assistant is not required.  Secondly, the needed PowerShell modules are available in the online PowerShell Gallery and can simply be imported when PowerShell 5.0 or newer is used.

        • To validate the version of PowerShell on the desired Windows system display the $PSVersionTable automatic variable in PowerShell.

        $PSVersionTable


        For the purposes of the remainder of this article it is assumed that Windows 10 or Windows Server 2016 is being utilized, which both include PS 5.0 or newer depending on the applied Windows Updates.  Using an older version of PowerShell may require downloading and installing some modules manually.

        Azure Active Directory PowerShell 2.0

        As stated earlier Microsoft encourages customers to leverage the newer Azure Active Directory PowerShell module, so for any new workstation or server configuration then this is the preferred process.  Just as outlined above PowerShell 5.0 or newer is required to install the needed modules as shown below.  (If a PowerShell version older than 5.0 is being used then the latest version of the module can be installed manually by downloading the package from the PowerShell Gallery online.)

        • Launch Windows PowerShell as an administrator and then run the following cmdlet to install the latest version of the AzureAD module directly from the PowerShell Gallery (a working connection to the Internet is obviously required for this step to successfully complete).

        Install-Module AzureAD

        If this is the first time installing PowerShell modules from the PowerShell Gallery on the specific workstation or server then two additional confirmation prompts may appear.  By default Windows PowerShell does not trust NuGet galleries, nor the specific PSGallery.  To configure this trust manually the steps on this Microsoft article may be followed beforehand, but are not necessary as the trust can be overridden by responding to the following prompts during the package installation.

        • If the message "NuGet provider is required to continue" appears then enter "Y" to allow PowerShell to install the NuGet provider package.

        • If the message "untrusted repository" appears then enter "Y" to also trust the PSGallery package.


        To validate that the installation was successful and to check on the version number of the installed module run the following two cmdlets in the same PowerShell window.  (Note that running the Get-Module cmdlet will not return any information without first running the Import-Module cmdlet.)

        Import-Module AzureAD

        Get-Module AzureAD


        At this point a connection can be established to Office 365 via the AzureAD module to retrieve the Object ID as shown in the previous section.

        MSOnline PowerShell 1.0

        This approach leverages the older, but still available, MSOnline PowerShell module for Azure Active Directory management.  In order to utilize this command set the module must first be installed on a Windows workstation if it has not already been. While this module does include some options which are not currently available in the newer AzureAD module the Object ID can be queried in either as shown above.

        But if none of this has been setup then it’s recommended to simply leverage the newer AzureAD module shown in the previous section.

        • Launch Windows PowerShell as an administrator and then run the following cmdlet to install the latest version of the MSOnline module directly from the PowerShell Gallery (a working connection to the Internet is obviously required for this step to successfully complete).

        Install-Module MSOnline

        If this is the first time installing PowerShell modules from the PowerShell Gallery on the specific workstation or server then two additional confirmation prompts may appear.  By default Windows PowerShell does not trust NuGet galleries, nor the specific PSGallery.  To configure this trust manually the steps on this Microsoft article may be followed beforehand, but are not necessary as the trust can be overridden by responding to the following prompts during the package installation.

        • If the message "NuGet provider is required to continue" appears then enter "Y" to allow PowerShell to install the NuGet provider package.

        • If the message "untrusted repository" appears then enter "Y" to also trust the PSGallery package.


        To validate that the installation was successful and to check on the version number of the installed module run the following two cmdlets in the same PowerShell window.  (Note that running the Get-Module cmdlet will not return any information without first running the Import-Module cmdlet.)

        Import-Module MSOnline

        Get-Module MSOnline


        At this point a connection can be established to Office 365 via the MSOnline module to retrieve the Object ID as shown in the previous section.

        Hot-Desking and Common Area Phones in Skype for Business

        May 10, 2018

        This article is intended to explain the differences in new capabilities brought to both Skype for Business Online and the latest firmware releases for Polycom UCS-based IP phones.  While both Hot-desking and Common Area Phone (CAP) features were first provided in Lync Server these concepts are both handled quite differently in Office 365.

        Essentially the Hot-Desking topic discussed in this article is referring to existing functionality in Lync and Skype for Business Server that VVX phones now support, while the Common Area Phone topic is brand new functionality brought only to Skype for Business Online which VVX phones can leverage immediately.  These capabilities are available in the Polycom UCS family of devices starting with VVX phones in the recent 5.7.0 firmware release.

        It is important to understand that these Hot-desking and Common Area Phone (CAP) concepts are complementary capabilities which are often confused with each other or incorrectly treated as one and the same.

        • Hot-desking provides a method for a ‘guest’ user to sign into a phone that is already registered with a ‘host’ user, without permanently signing out the original ‘host’ user.  Without this feature to switch user accounts on a phone a new user would have to completely sign out the current user, and to return that phone to the original state someone would have to manually sign back in again with the original user’s credentials.  Hot-desking allows the original credentials to stay cached in the phone to be used again to automatically re-register to Skype for Business.  This capability is nothing new to Skype for Business Server as hot-desking has been around since Lync Server 2010 and was added originally for Lync Phone Edition (LPE) devices.  
              
        • Common Area Phone (CAP) support refers to a new provisioning and licensing model specific to Skype for Business Online.  So this feature comes from both updates to the VVX firmware and new capabilities brought by Microsoft into Office 365.  Microsoft has added a new provisioning portal to be used in conjunction with accounts which have been assigned a new Office 365 license.  This new functionality is entirely different than the CAP implementation already in Lync/SfB Server platform.

        These are two distinctly different feature sets which can, but are not required to, be used in conjunction. Any user account type (standard or CAP) can be used in hot-desking scenarios, although there are some limitations today based on where the accounts are homed.  Some of this works only for Skype for Business Server users homed on-premises and other parts are only applicable to Skype for Business Online users.  These caveats are outlined in the following sections.

        Also it is still a recommended practice to disable device updates when registering phones to Skype for Business Online as Microsoft continues to publish older firmware versions.  At the time of posting this article UCS 5.7.1 is the most recent version available from Polycom, yet 5.6.0 is what is still being provided via the Device Update Service in Skype for Business Online.  So, after upgrading a phone to 5.7.x and configuring the features shown in this article the phone will automatically ‘update’ to the published, older version thus removing the new capabilities.

        Hot-Desking Support

        True hot-desking functionality has been added to the VVX platform to not just mimic what has been available in the Lync Phone Edition platform but to provide even more flexibility than what those older devices can do.  This capability is enabled by default in UCS starting in the 5.7.0 release (feature.HotDesking.enabled="1"), yet it is not usable unless hot-desking is also enabled on the Skype for Business platform that the phone is registered to.

        This added functionality now allows for two different sets of credentials to be registered on the same phone, but not at the same time.  A ‘host’ user account is signed in first, typically by an administrator, and then a ‘guest’ user account can be signed in later on, typically by an end-user.  When the guest user is signed out, either manually by someone or automatically due to the configured hot-desking timeout, then the host user is automatically signed back into the phone using saved credentials.

        For Lync Server and Skype for Business Server deployments hot-desking behavior can be controlled as described in this older article, including enabling/disabling it at a global or custom level as well as controlling the timeout value.

        However, hot-desking is not currently available for Skype for Business Online, which can be confirmed by running the following Skype for Business Online PowerShell cmdlet.

        Get-CsClientPolicy | ft Identity,*hotdesk*


        Notice that the EnableHotdesking parameter is not set to ‘True’ in any of the available online client policies.

        In Skype for Business Hybrid environments it is possible for online users to sign in as the ‘guest’ as long as the ‘host’ account which is first registered on the phone is an on-premises user.  If an online user signs in first as the ‘host’ then hot-desking is not available for that account and thus no Guest soft key will appear on the phone.

        Usage

        Enabling Hot-desking for Lync or Skype for Business Server deployments is unchanged and either a CAP account or a regular user account can be used.

        When a Skype for Business Server-homed user account with an assigned policy that has Hot-desking enabled is registered to a phone then a Guest soft key will appear on the home screen.


        Selecting the Guest button prompts to sign the Host user out from the phone.


        After (temporarily) signing out the host user the phone automatically returns to the Sign In window so a user can then select the available method they want to use for signing in with their own credentials.  If no options are selected after about 30 seconds then the phone drops to the home screen where both the Guest and Host soft keys are displayed.  If still no sign-in actions are performed and the phone is left idle for about 3 minutes then it will automatically sign the Host user back into the phone and return to the previously registered state.

        But if a user signs in with a different account as a Guest then that account will stay registered on the phone until the HotdeskingTimeout value in their assigned Skype for Business client policy is reached, which is a default of 5 minutes.  At that threshold of inactivity the phone will automatically sign out the Guest account and sign the Host account back in.

        Common Area Phones in Skype for Business Online

        A mixture of new capabilities in the VVX firmware and new functionality in the Skype for Business Online platform now provides a new way to license and register online accounts for common area use-cases.

        The term Common Area Phone means two entirely different things when talking about Lync and Skype for Business Server deployments versus Skype for Business Online.

        • In server-based environments a Common Area Phone (CAP) account is a special type of user account which in essence is simply an Active Directory Contact Object that is enabled in Lync/SfB Server differently than standard AD User objects.  This model was first introduced in Lync Server 2010 with the advent of the Aries model family of the Lync Phone Edition platform and leverages only Certificate-based Authentication (TLS-DSK) via PIN Authentication and DHCP Options 43/120.  These accounts are not Exchange mailbox-enabled and thus address a simple goal: the ability to register a phone using generic credentials, provisioned and managed by an administrator, which is intended solely to provide basic ‘dial-tone’ features to a handset or conference phone.  These CAP accounts then also provide the hot-desking capability to the registered device so that a fully-featured user can temporarily sign-in with their own account.

        • With Skype for Business Online though the CAP terminology is completely different as this is currently related only to licensing and device provisioning.  A new, dedicated Office 365 license has been added to reduce the overall cost for common-use IP phones and a new Web Sign-in method specific to these common-area use cases has also been added.  There is no special account type like with the server platform as any standard online user account can be used with the new license, meaning that Exchange calendaring is available for phones registered using a CAP-enabled account.  Registering a phone to Skype for Business online is also completely different than the server-only PIN Authentication method.

        Also note that one major difference between the LPE and VVX device models is that in the LPE Aries family there existed the concept of a specific Common Area Phone model.  These were special models (e.g. Polycom CX500) which were designed only for use with CAP accounts (due to the lack of a USB-B port) but could still be used with any account which was enabled for PIN Authentication.  These devices cannot be registered with Skype for Business Online because PIN Authentication was never provided in Office 365.  (More importantly all LPE devices will cease to function with Office 365 on October 31st, 2018 when TLS 1.2 is enforced by Microsoft.)

        Comparatively the VVX phones which leverage the UCS platform software do not have these limitations.  Firstly, full user credentials can be entered directly into the phone or remotely without the need for USB, unlike LPE devices which can only use the standard authentication mode via USB-pairing to a PC.  Secondly, all VVX devices support the new Web Sign-in method that Skype for Business Online provided as a replacement for the older server-only PIN Authentication method.  Essentially any VVX phone model can ‘be’ a Common Area Phone in either server or online platforms.

        Licensing

        The new Common Area Phone license is simply a new subscription plan available in Office 365.  It is not a Skype for Business Add-on subscription like calling plans are as it does not go with an existing subscription plan; it replaces the need for other subscription plans.  As covered in this past article devices typically require the Skype for Business Online Plan 2 subscription at a minimum to perform most Skype for Business meeting-related functions.  As phones typically require PBX features and PSTN connectivity the additional cost of potential add-in licenses like Phone System (formerly Cloud PBX) can add up.  Alternatively Enterprise plans have been used in the past which include licenses for so many other unrelated Office 365 services.

        Thus the creation of a dedicated license provides the needed Skype for Business core licensing, Skype for Business Online (Plan 2), as well as a Phone System license.  No differently than the other Enterprise subscriptions this new license also does not include a Phone Calling plan; those must always be added at an additional cost.


        As the Common Area Phone license includes a Skype for Business Online license then a separate Business or Enterprise license should not also be assigned to the same user as that would literally be a waste of money.

        It is important to understand that this subscription plan is simply a license and accounts provided this license will function in Skype for Business Online no differently than an account assigned to another plan that includes Skype for Business Online Plan 2 (e.g. Enterprise E3) or if a standalone Skype for Business Online license itself is assigned directly to the user.  In essence the only difference here is the monthly cost for that user account.

        Provisioning Portal

        Microsoft has added a new portal to the existing Web Sign-in methodology which was added previously to address the lack of PIN Authentication support in Skype for Business Online.  The new provisioning process for Common Area Phones is almost identical to the previous Web Sign-in process used for regular users, but with a few distinct differences.

        • Instead of a user authenticating using their own account credentials an administrator will sign into the new provisioning site.  This allows that administrator to provision any phones using only the code provided by the phone; the password of the desired account is not required.  When the desired account is selected its password will automatically be reset to a unique, unknown value.

        • While this process was created for Common Area ‘accounts’ it is not limited to only accounts with the Common Area Phone license.  As mentioned before the new license functions no differently as the underlying Skype for Business Online Plan 2 is what drives the actual functionality.  Thus any user licensed for Skype for Business, be it through a standalone license, a Business plan, or Enterprise plan, can technically be provisioned on a phone by an administrator using this new portal.  Be aware that doing this on any user account will reset the password and effectively lock that user out of their own systems, thus this process should really only be used with accounts that are not assigned to regular users.

        Acquire Common Area Phone Subscription

        The new licensing subscription can be purchased or trialed in the Office 365 Admin Center.

        • Sign-in to the Office 365 portal using an administrative account for the desired tenant and then open the Admin Center.

        • Browse to Billing > Subscriptions > Add Subscriptions and then expand the Other Plans section.

        • Locate and select the Common Area Phone option and select either Buy Now or Start Free Trial.


        • Once the new plan has been purchased or selected for a 30-day trial then navigate to Billing > Subscriptions to validate that the new plan has been added to the tenant.

        image

        The screenshot above indicates that the tenant used in this article is currently in an existing trial period which includes 25 licenses for 30 days. (One license has already been assigned and the trial is nearing expiration in this example tenant.)

        Assign Common Area Phone License

        At this point either a new account can be created for the device or an existing account can be enabled with the license.  For the purposes of this article a new account will be created and enabled.

        • Create a new user account (e.g. kitchen@jdskype.net) in the Office 365 Admin Center and assign a Common Area Phone license, and if applicable, a Calling Plan.


        Configure Phone

        In order to provision a device using the Common Area Phone model a Polycom VVX running at least 5.7.0 UCS firmware is required.  The following steps were performed on a VVX 601 running version 5.7.1.2205.

        • Press the Home button on the phone and navigate the following menus: Settings > Advanced > Enter Admin Password (default is ‘456’) > Administration Settings > Common Area Phone Settings.

        • Set the CAP and CAP Admin Mode settings both to Enabled.


        • Press the back arrow and then select Save Config.

        The two settings above perform two different tasks.  The CAP setting simply enables the Common Area Phone feature on the device but does not provide for a way to sign in directly on the phone.  This is by design, to prevent end-users from attempting to provision a phone using their own standard accounts.  Yet, to register the phone to Skype for Business directly from the handset it must also have the CAP Admin Mode enabled.  Without this setting turned on then no Sign In button will appear on the phone and it can only be registered remotely or via a provisioning platform.

        The CAP (but not the CAP Admin Mode) setting can also be changed remotely using the Web Configuration Utility (Settings > Skype for Business Settings > Common Area Phone Settings).


        Once back at the main screen the Sign In button will appear if the CAP Admin Mode setting was enabled directly on the phone.  At this point the unregistered phone will display a "CAP is enabled" message on the main screen.  (If the phone was already registered to Skype for Business then it may report that device lock is disabled or alter other options previously available.)


        If the phone is left alone in this mode too long then the following message will appear, indicating that it is not currently registered.

        image_thumb31

        Register Phone

        • To register the phone using the new process select the Sign In soft key to show the available sign-in options.


        • Select the Web Sign-in (CAP) option and the resulting screen will display.

        image_thumb33

        Note that while this screen looks identical to the previous Web Sign-in process the provided URL is actually different.  The standard Web Sign-in process for regular users to self-provision a phone is http://aka.ms/sphone where the new admin provisioning portal is http://aka.ms/skypecap.

        • Using a web browser on any Internet-connected PC or mobile device go to http://aka.ms/skypecap as instructed above to complete the provisioning process.      
               
        • Sign in using a tenant administrator account for the Office 365 tenant to access the Tenant Admin Common Area Phone Provisioning Portal. Do not sign in with the credentials of the user account which is to be assigned to the specific phone.
              
        • Enter the partial (e.g. ‘k‘) or complete (e.g. ‘kitchen‘) account name or SIP URI (e.g. kitchen@jdskype.net) to search for the desired CAP account.  The example below shows a less-specific search that returns all matches (wildcard characters are not valid).
                
        • Deselect the Search for Common Area Phones only setting as this option is not currently functional and will return no results, regardless of the user type. (This article will be updated when the behavior of this setting is fixed.)

        • Enter the alphanumeric code provided by the phone into the Pairing Code field adjacent to the desired account name and then click Provision.

        image_thumb37

        At this point the phone will automatically proceed to sign-in and the provisioning is complete.  As noted earlier the account’s password will have been automatically changed to a unique, unknown value during the process so to use this same account again with anything other than a Common Area Phone the password would need to be reset by an administrator.

        Note that this new Common Area Phone feature set in Skype for Business Online is not yet fully featured and still has some additional capabilities not yet delivered.  Given the focus on Microsoft Teams it is hard to say if and when this feature set will become complete as it is currently only applicable to Skype for Business Online.

        Q2 2018 Skype and Teams UG Meetings

        May 9, 2018

        The next round of quarterly Skype and Teams Users Group meetings has been announced and scheduled starting this month.


        Latest News

        This quarter we welcome Boston to the Skype and Teams User Group family. This brings the national total up to 22 regional events per quarter approaching nearly 100 meetings a year!

        Event Details

        This quarter’s events will be conducted in our typical multi-session format:

        Session 1: Enterprise Connect Recap – In this session, we will get you up to speed on all the important announcements that occurred at Enterprise Connect 2018.   This will include announcements from all our sponsors and Microsoft.  If you missed anything, this is your chance to catch up!

        Session 2: Microsoft Teams Roadmap Update – In this session, we take a look at several of the updates to the Roadmap, as well as other changes that may not be clearly called out on the Roadmap. At the rate that Teams is ramping up, this session is definitely a great way to get caught up!

        Session 3: Open Discussion – In feedback from previous sessions, the Open Discussions are always really popular sessions. Given the large amount of news and changes over this last quarter, we felt that taking a bit of time in the Q2 Meeting to openly discuss would be very beneficial to all. Bring your thoughts and questions!

        Industry Experts will be on-site to deliver these presentations and help answer any questions related to Skype for Business.  Food, beverages and additional door prizes will be provided courtesy of the Skype for Business Users Group and its official sponsors.




        For a full schedule of regional events the Skype and Teams Users Group Meetups page lists all planned event locations with links to the associated registration page for each regional group.  For anyone who is not yet a member and would like to participate simply visit the site listed above and register for your local group.  This will automatically create a new user account for you to use again for all future event registrations.


        Chicago Event

        Continuing the recent schedule of alternating locations each quarter places our Q1 event back downtown in the Aon Building. 

        Food will be ready at 5:30pm so come early if you can to spend time socializing with the group before the presentations begin at 6:00pm.

        Date Location Address
        Tuesday, May 29th
        5:30PM – Food and Networking 
        6:00 PM – Presentation Kickoff
        Chicago Suburban Event Microsoft Midwest District Office
        3025 Highland Pkwy., Suite 300
        Downers Grove, IL 6051

        Polycom UCS 5.7 for VVX Phones

        April 29, 2018

        The latest release of the Polycom VVX 5.7 UCS firmware is available for Lync and Skype for Business (SfB) environments. This release includes some minor enhancements alongside a few major changes in look and behavior.

        For additional assistance with updating phones the following articles are provided as references.

        • Perform a Factory Reset – This is an optional, but recommended step when working with individual test devices for validating new firmware in an established deployment.

        • Deploy Software – Once testing is complete then this firmware can be added to the Lync or Skype for Business Device Update service for on-premises deployments.

        • Online Updates – For Skype for Business Online customers this update will automatically be published once it has passed qualification.  Use this article to control this behavior if automatic updates are not desired.

        Upgrading a Phone

        This section will cover the basic steps to upgrade a single phone using the Polycom-hosted public server to directly download and apply the firmware to the phone.  In order to perform this process the phone’s internal web server must be enabled.  Depending on the selected Base Profile the web server may need to be manually enabled.

        Set Base Profile

        As explained in many earlier VVX articles the phone must be set to the proper Base Profile when registering to various SIP platforms.  Depending on the original purchasing SKU and/or current status of the phone it will be set to one of two options by default: Generic or Lync.  (Note that “Lync” base profile was renamed to “Skype” in version 5.5.1, but they function the same.)  When a VVX phone is set to Generic then the Web Configuration Utility will be enabled by default, but as this phone is or will be used with Lync/SfB environments it is best to set or confirm this parameter before doing anything else.

        • From any screen simply depress and hold the following Multiple Key Combo (MKC) of: 1, 4, 9.

        • When prompted after 3 seconds enter the Admin password. (The default is “456”).

        • If the current value is set to Generic then select Skype and the phone will immediately reboot.  If Skype was already selected then simply hit the Home button to exit the menu.


        Enable Web Configuration Utility

        Back when UCS 5.3 was released a new default behavior was defined for the Lync (now Skype) base profile which automatically disabled the embedded web server.  This can be re-enabled on the VVX phone for testing or administration purposes if so desired.  To perform many of the steps in this article it must be enabled.

        • Press the Home key and navigate to the following menu: Settings > Advanced > Administration Settings > Web Server Configuration.

        • If not already configured then set the Web Server parameter to Enabled and Web Config Mode to HTTP/HTTPS.  (If only encrypted connections are desired then set this to HTTPS Only).


        • Select the back arrow and choose Save Config to apply the changes and reboot the phone.

        • After the phone has rebooted press and hold (for 3 seconds) the following keys: 1, 4, 7.  This handy MKC brings up the Phone Details menu which can be used to quickly find useful information like the device’s assigned IP address or current firmware version.


        • Using a web browser connect to the IP address of the phone. (e.g. http://192.168.1.188).

        • Enter the Admin password (default is “456”) and verify that the Home page successfully loads.


        Update Firmware

        This phone must have access to the Internet in order to connect to the public hosted Polycom update server and perform the update described in this section.

        • Using the Web Configuration Utility browse to the Utilities > Software Upgrade menu and make sure that Polycom Hosted Server is selected as the Server Type.

        • Click Check for Updates which should be followed by a response of “Successfully fetched available software from the Polycom Hosted server.”

        • Select the desired firmware version number (e.g. 5.7.1.2205) and then click Install.  The currently installed version will be displayed in blue with older versions in red and newer versions in green.


        • Confirm the action to reboot the phone and trigger the update.  Once the phone completes the update process it will return to whatever registration state it was in before the update. 

        The following sections outline any Skype for Business related enhancements from previous firmware versions which may change the phone’s behavior or user experience.

        Hot-Desking and Common Area Phone Support

        The two most important features added in this release are complementary capabilities which are often confused with each other.  This separate blog article covers these new features in detail.

        Manual BToE Pairing

        The available Better Together over Ethernet (BToE) feature set has previously been limited to pairing a phone with only the workstation that is wired directly into the phone’s uplink port.  With support for a new manual procedure the phone and PC can now be paired over any routable IPv4 network.

        • Install the latest version (3.7) of the Polycom Better Together over Ethernet Connector application on the desired Windows PC.

        • On the unregistered phone that is to be paired with the PC press the Home button and navigate to Settings > Features > BToE PC Pairing to check the current BToE pairing status.


        The Pairing Mode will be set to Auto by default which is used only for physical Ethernet uplinks.

        • To utilize the new functionality change the Pairing Mode to Manual and then take note of the supplied Pairing Code (e.g. nOiD11kg)


        • Open the Polycom BToE Connector on the PC, deselect Auto Mode and then enter the Pairing Code.


        This pairing code is essentially the phone’s IP address hashed into an alphanumeric string, thus there is no discovery process being invoked.  The workstation is essentially being told exactly what host IP to connect to in order to find the phone and initiate pairing.  If for some reason the phone’s IP address is changed then pairing will be lost and need to be manually reestablished.

        As long as the workstation has routable TCP/IP connectivity to the phone and the following ports are open on any firewalls which may sit between them then the pairing functionality should work no differently than before as these are the same communications used previously in the directly-connected Automatic implementation.


        Description                        Type  PC       Direction  Phone
        Pairing and secure communications  TCP   Dynamic  –>         22
        Discovery Packet Broadcasts        UDP   2081     <–         2081
        Streaming Audio                    UDP   24802    <–>        24802
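
The port table above can be checked against a firewall rule list before a manual pairing is attempted. The following is an added example, not code from the original article or from Polycom: a first-match, default-deny rule evaluator that reports which BToE flows a rule list blocks and whether it also opens the phone's web ports from the PC network. The rule model, subnets, addresses and rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample networks (assumptions, not from the article).
PC_NET = "10.10.20.0/24"
PHONE_NET = "10.10.30.0/24"
PC_IP = "10.10.20.15"
PHONE_IP = "10.10.30.40"


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str
    src: str       # "pc" or "phone": which side sends the first packet
    dst_port: int


# Flows taken from the table; "<->" is expanded into one flow per direction.
# Source ports are not modeled because the PC side of the TCP flow is dynamic.
BTOE_FLOWS = [
    Flow("Pairing and secure communications", "tcp", "pc", 22),
    Flow("Discovery Packet Broadcasts", "udp", "phone", 2081),
    Flow("Streaming Audio (PC to phone)", "udp", "pc", 24802),
    Flow("Streaming Audio (phone to PC)", "udp", "phone", 24802),
]


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: str           # source CIDR
    dst: str           # destination CIDR
    dst_ports: tuple   # inclusive (low, high)

    def matches(self, proto, src_ip, dst_ip, dst_port):
        return (
            self.proto in (proto, "any")
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.dst_ports[0] <= dst_port <= self.dst_ports[1]
        )


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dst_port):
            return rule.action
    return "deny"


def blocked_btoe_flows(rules, pc_ip=PC_IP, phone_ip=PHONE_IP):
    """Names of the BToE flows from the table that the rule list does not allow."""
    blocked = []
    for flow in BTOE_FLOWS:
        src, dst = (pc_ip, phone_ip) if flow.src == "pc" else (phone_ip, pc_ip)
        if evaluate(rules, flow.proto, src, dst, flow.dst_port) != "allow":
            blocked.append(flow.name)
    return blocked


def extra_open_tcp_ports(rules, ports=(80, 443), pc_ip=PC_IP, phone_ip=PHONE_IP):
    """TCP ports outside the BToE table that the PC network can still reach on
    the phone, e.g. the Web Configuration Utility on HTTP/HTTPS."""
    return [p for p in ports if evaluate(rules, "tcp", pc_ip, phone_ip, p) == "allow"]


# Constructed rule set 1: forgets the phone-to-PC UDP 2081 row.
RULES_INCOMPLETE = [
    Rule("allow", "tcp", PC_NET, PHONE_NET, (22, 22)),
    Rule("allow", "udp", PC_NET, PHONE_NET, (24802, 24802)),
    Rule("allow", "udp", PHONE_NET, PC_NET, (24802, 24802)),
]

# Constructed rule set 2: pairing works, but everything on the phone is exposed.
RULES_BROAD = [
    Rule("allow", "any", PC_NET, PHONE_NET, (1, 65535)),
    Rule("allow", "udp", PHONE_NET, PC_NET, (2081, 2081)),
    Rule("allow", "udp", PHONE_NET, PC_NET, (24802, 24802)),
]

# Constructed rule set 3: exactly the rows of the table and nothing else.
RULES_MINIMAL = [
    Rule("allow", "tcp", PC_NET, PHONE_NET, (22, 22)),
    Rule("allow", "udp", PHONE_NET, PC_NET, (2081, 2081)),
    Rule("allow", "udp", PC_NET, PHONE_NET, (24802, 24802)),
    Rule("allow", "udp", PHONE_NET, PC_NET, (24802, 24802)),
]

if __name__ == "__main__":
    for label, rules in [("incomplete", RULES_INCOMPLETE),
                         ("broad", RULES_BROAD),
                         ("minimal", RULES_MINIMAL)]:
        print(label, "blocked:", blocked_btoe_flows(rules),
              "extra TCP open:", extra_open_tcp_ports(rules))
```
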


        BToE Widget

        A new parameter, which is enabled by default, controls the addition of a new Home menu option called BToE.  This menu option provides a shortcut to the BToE menu which is normally found under Settings > Features > BToE PC Pairing.


        SILK Audio Codec Support

        Support for leveraging the SILK audio codec with Skype for Business clients is now available in four specific sampling frequencies (8 kHz, 12 kHz, 16 kHz, and 24 kHz).  The new codec options are not enabled by default, which can be confirmed by reviewing the Settings > Codec Priorities using the Web Management UI.

        Note that only the Polycom VVX 501 and VVX 601 models currently support the SILK codec.


        As originally pointed out in this article the Skype for Business clients which support SILK only utilize the 16 kHz and 8 kHz versions, so it is only really necessary to enable the SILK (16 kHz) and SILK (8 kHz) codecs in the phone.  While there is no single-best codec ordering for all applications one recommendation would be to mimic the ordering that the Skype for Business clients utilize, which can be accomplished by placing the wideband SILK codec above G.722 and the narrowband SILK codec below the G.711 codecs as demonstrated below.

        image

        The codec’s implementation is highly customizable and all of the new parameters made available to control various encoder options can be modified using the phone’s Web Management UI from the Settings > Codec Profiles > Audio page.


        Additionally all the configuration parameters which control the settings above can be found in the UCS Administrators Guide 5.7.0 documentation here.

        Phone Number Display

        The defined Tel URI for the registered Skype for Business account is now displayed on the Home and Lock screens of VVX 300 and up models. 


        This feature was enabled by default starting in 5.7.0 and the later 5.7.1 release added the following two configuration parameters to control the display behavior.


        Parameter     Value                    Description
        up.DIDFormat  NumberAndExtension       (Default) Displays the DID and any defined extension. For example "tel:+15551237890;ext=7890" appears as +15551237890 x7890
        up.DIDFormat  NumberOnly               Displays only the DID and will omit any defined extension from also appearing.
        up.showDID    AllScreens               (Default) The DID number appears on all available screens.
        up.showDID    None                     Is hidden on all available screens.
        up.showDID    LockedScreen             Appears only on the Lock screen.
        up.showDID    StatusScreen             Appears only on the Status/Idle screen.
        up.showDID    IncomingOSD              Appears only on the Incoming On Screen Display (OSD).
        up.showDID    LockedScreenIncomingOSD  Appears only on the Lock and Incoming OSD screens.
        up.showDID    LockedandStatusScreen    Appears only on the Lock and Status screens.
        up.showDID    StatusScreenIncomingOSD  Appears only on the Status and Incoming OSD screens.


        Web Proxy Auto Discovery (WPAD) Support

        The VVX phones are now compatible with Proxy Auto Configuration (PAC) files which can be provided via a provisioning server, DHCP, or DNS-A.  Once the configuration information is discovered the phones can then authenticate using either Digest or NTLM authentication methods to a web proxy server.  This scenario is mostly applicable to connecting to Skype for Business Online and/or Exchange Online.

        Related diagnostic information can be located via the phone’s Web Management UI on the Diagnostics > Skype for Business Status page under the Web Proxy Auto Discovery (WPAD) section.


        What is RealConnect?

        February 26, 2018

        Over the years this blog has covered the general topic of interoperability between the various Microsoft Communications Server UC platforms and industry standards-based video conferencing equipment found all over the world.  These Video TeleConferencing (VTC) systems are in no way a legacy platform as although the standards have been around for a long time there are several manufacturers producing new products based on the same open standards.

        Thus the idea of interoperability between those platforms and the Lync/Skype for Business platforms, both on-premises and online, continues to be a popular topic.  While much has changed over time in terms of workflows and feature capabilities the overall need is no less important than before.  And as the Polycom RealConnect approach has grown more flexible with various methods of deliverability the scope has also grown to cover numerous different topologies.  This article is intended to explain not only the core of the RealConnect workflow but compare in detail the different topologies along with specific requirements and procurement guidance.

        Background

        Interoperability is hardly a foreign concept throughout this blog. Several past articles have covered older offerings and how they worked back with earlier Office Communicator and Lync versions. RealConnect as a concept was also covered back in early 2015 as a step away from traditional singular MCU methods of meeting in the middle for cross-platform conferences.

        Each of these articles is detailed and covers several scenarios including newer cloud offerings like Skype for Business Online, so for a fuller understanding of the overall story it is recommended to give them each a read before moving on here. But if one is already familiar with the concepts and terminology used throughout then by all means read on.

        Most importantly, RealConnect is not the name of an individual product or service offering. It is a name that has been used to describe a patented simplistic workflow which can bring any standards-based VTC into a Lync or Skype for Business meeting.

        This workflow is defined by its unique behavior of three specific concepts: Scheduling, Joining, and Cascading.

        • Scheduling – Primarily all meetings are scheduled using the Skype for Business Outlook plugin no differently than the normal Microsoft workflow.  A new meeting is created using Outlook and enabled as a Skype Meeting using the standard Office plug-in. There are no changes to this process and no additional software plugins required at the end-user level.  After introducing a RealConnect solution to an existing Lync or Skype for Business deployment the users do not change how they book meetings and resources in any way.


        • Joining – The second concept is the fact that multiple different manufacturers’ VTCs can leverage a simple One Touch Dial approach to join the scheduled meeting just like other native Lync or Skype for Business clients and devices, eliminating the need to manually enter any complex dial strings used in traditional H.323 or SIP conferencing platforms.  (This is an optional, yet desirable capability as the VTCs can always be dialed into the meetings using traditional H.323 or SIP methods.)


        • Cascading – The third is that the solution utilizes a cascading of two conference bridges, or Multipoint Control Units (MCU) so that the meeting is in essence two separate conference platforms working in concert to appear as one.  The standards-based side is run on a traditional Polycom virtual or physical MCU while the Microsoft UC side runs on a Lync or Skype for Business Front End Server or Skype for Business Online. Audio, video, and content sharing streams are transcoded between the bridges (this cascading behavior is sometimes incorrectly referred to as ‘barbelling’).  Additional information like participant lists, conference controls, and more are also shared between the two platforms.


          As discussed in other articles the benefits of the above workflow far outweighed past methods of trying to bend the Microsoft workflow to match legacy conferencing experiences which for the most part were not natively user friendly.  The ease-of-use inherent in the Microsoft platforms need not be hamstrung anymore and thus the RealConnect story immediately resonated on several levels.  The response was such that even partial facsimiles of this unique workflow were eventually brought to market in the form of Acano’s Dual-Homed offering (which is now part of Cisco Meeting Server) and Pexip’s Infinity solution.  These other solutions lack the vendor-neutral approach providing ubiquitous one-touch join, some advanced features, and official Microsoft support across multiple deployment topologies that RealConnect has.

          With the growing cloud consumption of a Microsoft UC platform which was originally designed for on-premises server deployments the next steps were to provide RealConnect into more environments by addressing hybrid and cloud-only topologies.  This is where the story started to become more complicated as with so many different offerings how is one to clearly understand which, if any are applicable to their specific environment?  Or what happens if that environment is in flux and is slowly, or rapidly, migrating from one scenario to another?

          The easy answer is that RealConnect can be utilized in any possible configuration of Skype for Business and Exchange topologies from on-premises server deployments, to hybrid configurations, to cloud-only Office 365 tenants.

          Solution Offerings

          As mentioned RealConnect is not a product but instead a workflow provided by leveraging core Polycom products.  The existing products can be consumed in one of two ways: either as on-premises server deployments or simply as a cloud service.  Throughout this article the traditional method of deploying and managing physical and/or virtual server components on-premises is referred to as Polycom Servers where the overall cloud offering is referenced as the Polycom Service.

          Today the cloud service offers only some of what the on-premises deployment does.  The entire RealConnect workflow and capabilities are provided, but not all of the additional standards-based video capabilities that come with the Polycom Servers unrelated to RealConnect.  So where the cloud service can provide meeting interoperability between standards-based devices and the Microsoft UC platforms it does not provide VTC registration and management, call routing, firewall traversal, or any of the other services available with the larger Polycom Server offering.  To summarize, outside of RealConnect there are vast differences between the server and service models, but RealConnect itself is nearly identical between the two models.

          Polycom Servers

          As mentioned there are many different Polycom servers which provide a range of capabilities across various platforms.  Among these are four core components that provide the RealConnect workflow. These are individual on-premises server installations, some of which started as hardware appliances and were later also released as virtual servers, while others have been virtual servers since their inception.  At this point all the components covered below are available as software, where the MCU component could alternatively be deployed as hardware if desired.

          The full RealConnect experience is provided by leveraging four unique on-premises components which will be referred to as the ‘Polycom Core’ throughout this article:

          • Workflow Server is an optional application server which can host several different Polycom application-based solutions.  For RealConnect this server has two potential purposes: hosting the One Touch Dial (OTD) application for VTCs and/or supporting connectivity to Skype for Business Online meetings.
                 
          • Distributed Media Appliance (DMA) is a core component which, for the purposes of RealConnect, primarily handles the signaling between each component and an on-premises Lync or Skype for Business Server Front End server or pool.  The DMA also provides for VTC endpoint registration and manages Polycom MCUs.

          • Collaboration Server (a.k.a. Real Media eXperience, RMX) is the aforementioned MCU which handles all of the media transcoding between standards-based VTCs and the streams coming from and going to the Lync/SfB MCU.  This MCU transcodes audio and video sessions between various protocols like H.264 AVC and X-H264UC.  Where the DMA could be referred to as the brains of the conferencing operation the RMX is the heart, doing the majority of the work.

          • ContentConnect (a.k.a. Content Sharing Server or CSS) is an additional software-only MCU that was created solely to transcode content sharing sessions between standards-based protocols like H.239 and Binary Floor Control Protocol (BFCP) into Microsoft’s sharing protocols like Video-based Screen Sharing (VbSS) and Remote Desktop Protocol (RDP).

          image

          Essentially what the Polycom Core provides is a platform for a VTC to register to via H.323 and/or SIP and then place a call over either protocol directly to a standards-based MCU which will then connect to the associated Lync/SfB meeting MCU and bi-directionally transcode audio, video, and content sharing streams.  Additionally a user can start the scheduled meeting from within the reserved conference room by simply tapping on or selecting a ‘Join Meeting’ button.

          These components are also part of the larger Collaboration Infrastructure family (also referred to as the RealPresence Platform) which includes additional optional servers that handle various other standards-based conferencing tasks outside of what is needed for the RealConnect experience.  The entire suite is sold using a simple licensing model called Polycom RealPresence Clariti, with the exception of Workflow Server which is purchased separately and deployed by qualified consulting services.  Endpoint management, call routing, firewall traversal, and other needs can be met by the entire suite that goes above and beyond the core RealConnect interoperability workflow discussed in this article.

          Polycom Service

          This offering of RealConnect utilizes an in-place globally redundant cloud deployment in the Microsoft Azure cloud.  At the time of posting this article RealConnect is available as a service in multiple countries worldwide by leveraging a deployment hosted by Microsoft and managed by Polycom in five Azure datacenters across the planet.

          As this is a cloud offering then the individual components are essentially irrelevant, but understand that it is not just the Polycom Core server components shown above dropped into Azure virtual machines.  This service offering was created by essentially pulling apart those components and rewriting a lot of code, creating new components, and basically building an entirely new cloud architecture designed for cloud scale and availability.  The Internet-facing perimeter includes a few entry points which provide connectivity for accessing the Polycom web portals for service provisioning and configuration tasks, signaling services for VTC calls, and load balanced MCU IPs for media negotiation.

          The main difference between these offerings though is that for on-premises server deployments the MCU cascading is 1:1 where a single Polycom MCU connects to a meeting on a single SfB MCU.  Once that cascade is established then SfB clients and VTCs each have one native entry-point into that meeting.  But with the cloud offering every single VTC will be routed to a dedicated Polycom virtual MCU sized appropriately for a single VTC connection.  All of these individual MCUs then connect back to the same SfB MCU hosting the meeting, essentially creating 1:n cascades.  This architecture allows for the VTCs to connect to the closest available Polycom MCU regardless of where the SfB Meeting is actually hosted, reducing transit time over the Internet as much as possible.

          image

          Although the primary components of this solution are cloud-based, as with any cloud solution there is sometimes a requirement for an on-premises application to handle some specific communications between the cloud services and certain on-premises components or clients.

          One scenario where this is evident is with One Touch Dial.  In the earlier on-premises server model the Workflow Server that hosts the OTD application provides the meeting invitation locally to both Polycom and compatible Cisco endpoints. But in the cloud model the solution is different as the Polycom and Cisco endpoints do not use the same methodology for Exchange compatibility.  This will be explained further on in the article but for now understand that Polycom VTCs can go directly to the OTD Service running in Azure, but Cisco endpoints cannot; they require a local gateway to provide that connectivity.  Thus the cloud offering is made up of two components: the OTD Service running in Azure and the OTD application which must run on-premises and communicate directly with the Cisco VTCs.  In short if an environment has only Polycom VTCs then the on-premises application is not required, but the inclusion of any Cisco VTCs means that it is required if rolling out a one touch join experience is desired.

          To address the on-premises need the Polycom Cloud Relay was created.  The Cloud Relay is a lightweight virtual server available for download that Polycom cloud customers can self-deploy and then easily connect to the cloud.  It is available as either a VMware OVA or HyperV image and is essentially an on-premises gateway between various Polycom cloud services and whatever on-premises components are leveraged by the desired application.  Cloud Relay can host different applications for various Polycom service offerings and two of those are specifically related to RealConnect.  The first is One Touch Dial (OTD) as outlined in the previous paragraph, and the second is the RealConnect Hybrid application which will be explained in a later section.

          Topologies

          Now that the different offerings have been introduced and discussed the next step is to break down the various ways that RealConnect can be deployed or consumed.  As mentioned earlier there are no architectural limitations on the environment’s current or future state, whether Lync Server 2013 or Skype for Business Server 2015 is deployed and/or Skype for Business Online is involved.  Additionally any version of Exchange Server 2010 through 2016 is supported as well as Exchange Online.  Hybrid deployments of Exchange and/or Skype for Business are also supported in all RealConnect topologies.

          The following diagram offers a simplistic view of the various ways that RealConnect can be leveraged across four common scenarios. Understand that this is not a complete diagram of mandatory or optional components but is meant to depict where the two conferences are hosted in each by indicating only the MCU placements.  Dashed lines indicate signaling and media communications between each client/device and their respective native MCU, while the solid green lines indicate the cascading media sessions which travel between both MCUs.

          image

          Among the four individual topologies listed above the On-Premises models utilize a Polycom server deployment for the primary meeting interoperability, whereas the Cloud models leverage the global Polycom services deployed in Microsoft Azure.

          RealConnect On-Premises

          The first two models both consist of the same Polycom core server software installation which would be integrated with an on-premises Lync Server 2013 or Skype for Business Server 2015 pool.  These models support providing the RealConnect experience to any meeting hosted in a Skype for Business Server, Hybrid, or Online environment.

          Skype for Business Server

          The simplest and original offering of RealConnect is a topology of all Polycom and Microsoft server components installed on-premises.

          image

          The Polycom Core includes the four on-premises servers described earlier that provide the RealConnect workflow, some of which are integrated with Lync or Skype for Business Server via the Trusted Application model.  The Polycom Edge represents an optional server called RealPresence Access Director (RPAD) which would support external VTCs attempting to join RealConnect meetings.

          Deployment is straightforward using the Trusted Application model between the DMA, RMX, and Lync/SfB Front End server/pool.  Signaling communications between each are encrypted over TLS 5061 in both directions.  Media communications for audio and video are directly between the RMX and Lync/SfB AVMCU and application sharing media is directly between the ContentConnect Server and the Lync/SfB ASMCU.  All media types utilize the standard Microsoft ports and protocols used by all other Lync and SfB clients.

          Also potentially included in the Polycom Core is the One Touch Dial (OTD) application by deploying an instance of Workflow Server on-premises.  This is an optional component here as if there is no need or ability to support this feature for meetings then it does not need to be deployed.  In regards to Exchange this deployment can leverage mailboxes stored in either Exchange Server or Exchange Online.  In hybrid Exchange deployments where some conference room mailboxes may reside in both locations then the OTD application would support two side-by-side configurations with 2 unique hostnames for VTCs to point to as their calendaring service.  One FQDN would be used by VTCs with their mailboxes hosted on a local Exchange Server while the other FQDN would be used by VTCs with their mailboxes hosted in Exchange Online.

          In this model the meeting invitations are unchanged and as long as Dial-In Conferencing has been enabled on the Lync/SfB Server then the audio Conference ID created by the Lync/SfB Server is also used as the video conference ID.

          image

          Users can either dial that conference ID from any VTC or select a "Join Meeting" button on the system if leveraging One Touch Dial.  This meeting invitation format is applicable to all RealConnect topologies except for one, which is explained later on.

          Skype for Business Hybrid & Online

          This topology uses the same on-premises Polycom Server components but extends support to Skype for Business Hybrid and Online deployments where a meeting is running in Skype for Business Online.

          image

          This model functions a bit differently than when everything is installed on-premises across both sides.  In order to support interoperability with any Skype Meetings hosted in Office 365 a couple of important requirements have been added:

          • Even if all Skype for Business users have been migrated to Skype for Business Online a single Front End Server and Edge Server must still be left on-premises to leverage the Trusted Application integration between the on-premises Polycom Core servers and Skype for Business Online.  (This Trusted Application model cannot be used directly with Office 365.)  This on-premises server installation can be either Lync Server 2013 or Skype for Business Server 2015.  An existing Split-Domain configuration can be utilized for permanent Hybrid deployments. Alternatively a new federated installation of Lync/SfB Server in a separate forest could be deployed for cloud-only deployments that do not currently have any on-premises servers. Cloud Connector Edition (CCE) cannot be used for this connectivity as that solution was only designed for telephony integration and does not support all the signaling and media negotiation needs for audio, video, and content sharing.
                 
          • The Workflow Server must be deployed as it is an integral part of how scheduled Skype Online Meetings are discovered and located for the RealConnect cascades to be established with Skype for Business Online MCUs.  If this server is omitted then RealConnect would function only for meetings scheduled by on-premises Lync/SfB users; connectivity to Skype for Business Online meetings would not be possible.  (Even if there is no desire for One Touch Dial in a specific deployment the Workflow Server is still mandatory in this model for the reasoning above.)

          Otherwise the rest of the solution is the same as the full on-premises model.  Scheduling and joining meetings is no different between each and media flows are unchanged for on-premises users’ meetings.  For any online meetings the Polycom MCU will utilize the on-premises Edge Server to relay cascaded media streams to the proper Skype for Business Online MCU.

          Meeting invitations in this model are the same for all users regardless of whether they are homed on-premises or online and look identical to the example invitation shown in the previous topology.

          RealConnect Cloud

          The other two models are completely different from the first two as these instead leverage the Polycom Services available in the cloud. Just as with the server approach the services models can provide the RealConnect experience to any meeting hosted in a Skype for Business Server, Hybrid, or Online environment.

          Skype for Business Server

          In this model the Polycom services in the cloud communicate with an on-premises deployment of Skype for Business Server by way of the aforementioned Cloud Relay server.

          image

          The Cloud Relay server fills two roles today which are specific to RealConnect.  One of these is providing an on-premises application capable of bridging the signaling communications path between the Polycom Service in Azure and the Skype for Business Server deployment on-premises by way of the familiar Trusted Application model.  This RealConnect Hybrid application that runs on the Cloud Relay server is configured through the Polycom customer portal once the Cloud Relay server has been deployed and connected to the cloud service. (Note that the usage of the word ‘Hybrid’ here refers to the pairing of Polycom cloud services and Skype for Business on-premises servers; it is not referring to the Skype for Business Hybrid/Split-Domain deployment model.)

          The Cloud Relay is a prerequisite installation for this topology and the same deployed instance can also host the OTD application to handle the required on-premises TMS emulation for any Cisco VTCs.

          Again, the meeting invitations in this model are identical to each scenario discussed thus far as the solution continues to leverage the audio Conference ID as the traditional meeting number.

          Skype for Business Online

          This is the inverse of the full on-premises topology as now everything is hosted online in Microsoft’s Office 365 cloud.  The Polycom Services deployed in Azure are adjacent to the Skype for Business Online services in the same Office 365 datacenters.  Signaling and media connectivity between them is as direct and fast as possible, providing for a latency-free, robust route for cascaded meeting traffic.

          image

          While there are no Microsoft server components required on-premises there may still be a need for some standards-based infrastructure to be installed on-premises, hence the "Optional H.323/SIP Infrastructure" object in the diagram above.  This potential need is due to the fact that a standard VTC is only provided access to RealConnect meetings in this model; it does not receive SIP or H.323 registration from the Polycom Service, configuration or firmware management, firewall traversal assistance and so on.  This optional infrastructure could be provided by Polycom’s RealConnect Access Suite (RCAS), which is basically the same things you get with Clariti minus the MCU.  These traditional on-premises management and routing functions could also be performed by existing infrastructure like Cisco VCS or Call Manager deployments.  The goal here is to simply allow a VTC to place a call off-network to the Internet and reach the MCUs hosted in Azure.

          Aside from conferencing services the other capability provided by this cloud offering is One Touch Dial.  But instead of leveraging Workflow Server it has been deployed in Azure as a service.  Polycom VTCs like the HDX and Group Series can connect directly to this cloud service as they natively support Exchange Web Services (EWS) and will retrieve meeting invitations automatically.

          But the same is not true for Cisco VTCs which support Cisco’s One Button To Push (OBTP) feature.  While this feature also leverages Exchange Server to access the meeting invitations sent to a conference room’s mailbox the retrieval method is different.  A Cisco VTC is designed to rely on a configured Cisco TelePresence Management Suite (TMS) server to retrieve the mail on its behalf and then push the message to it.  For RealConnect this requires the deployment of an on-premises gateway to handle opening outbound connections to the cloud service as well as being able to directly connect to local Cisco VTCs.  To address this need of deploying a lightweight OTD application locally a new virtual server called the Polycom Cloud Relay is utilized.

          The main difference between the aforementioned Workflow Server and this new Cloud Relay is that Workflow Server is a purchased professional services deployment of a virtual server that is designed for use with the on-premises Polycom Server model, but the Cloud Relay is a free, lightweight virtual server which can easily be self-deployed and is intended for anyone leveraging the cloud Polycom service offering.

          The difference in the meeting invitation format for this specific topology means that Skype for Business users who schedule meetings must be using a supported Office 2016 Click-to-Run (C2R) version for either Windows or Mac.  As of February 2018 all release channels other than Deferred include the prerequisite code in the Outlook and Skype for Business clients to generate additional information in the meeting invitation required by VTCs to join the meeting.

          image

          The highlighted information above can be used to manually dial into a RealConnect meeting, but the One Touch Dial solution also parses this data to create the join button for supported VTCs.  Within this additional information a unique VTC Conference ID is created for every new meeting which is different from any audio Conference ID which may or may not already exist in the invite.

          The invitations for RealConnect look like the above for only this all-cloud topology, meaning only when Skype for Business Online is used with the Polycom Service.  Notice that this invitation differs from the one shown previously because in the Skype for Business Online multitenant environment it is not possible to reuse an individual audio conference ID for the purposes of video interoperability.  Also there needs to be no reliance on having Audio Conferencing or Audio Conferencing Partner (ACP) licenses assigned to the scheduling user.  These requirements led to the creation of new functionality put directly into the Office software by Microsoft which was only developed in the C2R model and not placed into the older MSI packages.

          Skype for Business Hybrid

          Providing RealConnect to a Skype for Business Hybrid deployment is different here in the Cloud topologies than outlined earlier in the On-Premises topologies.  While a single topology utilizing Polycom Servers supports both Skype for Business Hybrid and Online-only deployment methodologies, when leveraging the Polycom Service a single model is not applicable; both models are used in conjunction.  As explained in the next section the licensing is the same so consuming both Cloud models is essentially transparent.  If Skype for Business users are migrated from server to online then the RealConnect experience is essentially unchanged, with the one exception related to the meeting invitation requirements and configuration outlined for Skype for Business Online users.

          Choosing a Solution

          After reviewing all of this information the next logical step is to outline which model or models can be utilized in a single environment.  Where some of these models can cover an entire topology others can be used together to address other potential needs.

          The following matrix lists which models support the various potential components in a Microsoft UC-enabled environment.


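                               | RealConnect On-Premises:  | RealConnect On-Premises:          | RealConnect Cloud:        | RealConnect Cloud:
                               | Skype for Business Server | Skype for Business Hybrid, Online | Skype for Business Server | Skype for Business Online
          ---------------------+---------------------------+-----------------------------------+---------------------------+--------------------------
          Exchange Server      | X                         | X                                 | X                         | X
          Exchange Hybrid      | X                         | X                                 | X                         | X
          Exchange Online      | X                         | X                                 | X                         | X
          Office 2013          | X                         | X                                 | X                         | X
          Office 2016          | X                         | X                                 | X                         | C2R Required
          Dial-In Conferencing | Required                  | Optional (Hybrid)                 | Optional                  | N/A
          Audio Conferencing   | N/A                       | Recommended                       | N/A                       | Optional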


          Given the few limitations above many environments will actually be able to choose from multiple topologies, so it becomes not a question of which can be used but instead which should be used.  That answer will depend largely on where the video interoperability solution is most desired.  Some will prefer a cloud service whenever possible to reduce deployment complexity and lifecycle management, meanwhile others may be more concerned with controlling the conferencing communications end-to-end by selecting on-premises components across the board.

          Some key things to think about when making this decision include:

          • Where will the meeting MCU sit and what options are available to control the media delivery?  Using a full cloud service introduces the inherent latency and loss of Quality of Service capabilities of traversing the public Internet for some or all of the potential traffic.  This may be considered ‘good enough’ when balancing the business needs versus the business costs.  Obviously choosing to put one or both MCUs on-premises offers complete control of the available options in the respective platforms and is the model of choice when focusing on an ‘executive class’ experience.

          • How are Skype for Business Hybrid environments used with the Polycom Service?  For Hybrid deployments where some Skype for Business users are homed on-premises with SfB Server yet others are homed in SfB Online then both topologies will essentially be consumed.  A single licensing model covers both of these topologies so where the users are homed does not matter as they can be migrated between at any time if desired.  The invitations will look different, as outlined in sections above, and the users homed on-premises can utilize any version of Outlook.  It is the users homed in SfB Online which have the Office C2R requirement, so pay special attention to this if using RealConnect for SfB Server users who are scheduling meetings on a version of Office other than 2016 C2R.  RealConnect will work for those users now but if they are migrated to SfB Online then it will stop working for their meetings until they are upgraded to the required Office software.

          • Does it matter where my Exchange mailboxes reside?  All topologies support all methods of Exchange mailbox storage.  The mailboxes for both the scheduling users and room resources can be stored on any arrangement of Exchange Server, Online or Hybrid configurations.  Polycom endpoints can utilize native Exchange Web Services connections over HTTPS (TCP 443) to access the OTD application running on a Workflow Server (in On-Premises topologies) or go directly to the OTD Service in Azure (for Cloud topologies).  Cisco endpoints obviously can only communicate with an on-premises Workflow Server or Cloud Relay server, depending on the selected topology.

          • What roles do Dial-In Conferencing and Audio Conferencing play in RealConnect?  For users homed on-premises the Skype for Business Server configuration would need Dial-In Conferencing enabled to ensure that the requisite audio Conference ID is included in all invitations.  For SfB Online users the Audio Conferencing (formerly PSTN Conferencing) Skype add-in license controls that behavior.  RealConnect in the Cloud model has no reliance on the existence of audio conferencing information in the invitation, so it is irrelevant.  The Cloud model when used with Skype for Business Online users is unique though as the Audio Conferencing information is optional.  If the SfB Online user has been assigned an Audio Conference license then Workflow Server will utilize the existing audio Conference ID for VTC connectivity into RealConnect meetings.  But if the user is not licensed and thus has no audio Conference ID in their invitations then Workflow Server will dynamically create a unique ID for RealConnect to utilize.  The key here is that the dynamically generated ID is only ever seen by the room resources which are booked in the meeting by utilizing the ‘Join Meeting’ button.  It is not possible to inject that ID into the Skype Meetings invitation which was already sent to numerous possible other attendees.  In short, One Touch Dial configuration is a requirement for meetings created by SfB Online users without an audio Conference ID provided in their original Skype Meeting; ad-hoc numeric dialing would not be possible.

          Licensing

          Purchasing RealConnect is actually quite simple once the differences between the server and services approaches are understood. While there are several possibilities depending on the engagement it is very easy to break down the offerings into two categories.  Both will use an example company of 4000 Skype for Business users with 80 standards-based VTCs deployed throughout the environment.  A generous high-water mark of 25% concurrent VTC utilization will be used for the estimates shown below.

          Polycom Servers

          Both On-Premises topologies utilize the same Polycom Server components and thus can be purchased using the same RealPresence Clariti licensing model in addition to optional professional services engagements.

          • RealPresence Clariti – includes 3 of the 4 Polycom Core Server components for RealConnect.

          • Workflow Server – optional fourth component purchased through a professional services engagement.

          • SfB Server Deployment – another professional services engagement that includes deployment and potential remote management of a lightweight Skype for Business Front-End and Edge server components required for leveraging Skype’s Trusted Application integration with the Polycom Core.  (This is only applicable to supporting Skype for Business Online meetings and only if there is not already an existing Lync or SfB Server Hybrid deployment.)

          Clariti licenses are ‘per user’ in that a user is essentially an active connection, meaning this is a concurrency-based licensing model. (The terms license, user, connection, and resource are all basically interchangeable here.)  Sizing exercises would include calculating the desired VTC concurrency limit and adding that to the estimated meeting concurrency limit.  Connections are consumed both by every connected VTC and every cascaded meeting, where a VTC consumes a single license but each meeting cascade can consume 1, 2, or 3 licenses.  The first is for the initial cascade establishment itself and any number of audio and video streams.  The second would be dynamically consumed if and when application sharing content is active in the meeting.  A third license per cascade would be used if an optional Polycom MCU feature is enabled to show additional VTCs and/or Immersive Telepresence layouts in the panorama video stream in RealConnect meetings.

          So, if 20 VTCs are all in the same RealConnect meeting at the same time then the solution would need to include 23 licenses (20 VTCs + 3 for a single cascade) to support all potential workloads.  More realistically it is possible that those same 20 VTCs may instead be joining 10 different RealConnect meetings at the same time which may utilize up to 50 licenses (20 VTC + 30 for ten unique cascades).

          Polycom Services

          Both Cloud topologies share a single Enterprise-Wide Licensing (EWL) model.  This model is also concurrency based, similar to Clariti, but calculating the desired number of licenses is even simpler.

          • Enterprise Wide License – allows consumption of the Polycom video interoperability service.

          • Cloud Relay – free virtual server to provide support for the One Touch Dial application (for Cisco VTCs) and/or support the RealConnect Hybrid application required when supporting Skype meetings hosted on an on-premises Skype for Business Server.

          • RealConnect Access Suite – provides optional on-premises traditional video infrastructure components to handle any desired VTC management and the routing of calls to the Azure-based Polycom Service.

          When using the services only the VTC connections are counted; there are no additional numbers that need to be figured in based on MCU cascading.  Calculating the number of required licenses requires estimating the same desired high-water mark of concurrent VTC utilization (e.g. a 25% target).  Thus, if at most 20 VTCs need to join meetings at the same time then 20 licenses is all that needs to be purchased.  It does not matter if all of those VTCs are joining a single RealConnect meeting or 20 different concurrent meetings; due to the cloud service architecture the number of cascades is irrelevant.  (By looking closer at the media flow diagram shown earlier in this article under the Polycom Service description one can see that every single VTC is assigned its own dedicated MCU resource which means that there will be multiple cascades when multiple VTCs join the same meeting, no differently than if they join separate meetings.)

          The limiting factor here then is that the purchased licenses control how many VTCs can concurrently connect to any of the meetings scheduled by any licensed user in the company.  Additional licenses can easily be purchased later on to increase that concurrency limit and added to instantly raise that threshold.

          That covers the ability for VTCs to leverage the cloud video interoperability services in Azure, yet a RealConnect meeting must first be scheduled for that to happen.  To utilize RealConnect with these meetings scheduled by a Skype for Business Online user an additional Microsoft Office 365 license comes into play.  As covered earlier in this article any users homed in Skype for Business Online need to be running Office 2016 C2R in order to generate the required meeting information for VTCs to join, and the way that information is populated in the invitation is by programmatically checking the scheduling user’s current Office 365 licensing and looking for an assigned Skype Meeting Video Interop for Skype for Business add-in license, highlighted below.

          image

          This secondary Microsoft license ensures that the scheduling user’s own meetings can be joined by any VTC by including the video interoperability-specific details in the invite.  Enough of these licenses will be provided to allow all SfB Online users to be assigned one so that every user’s scheduled Skype Meetings will include the required meeting information for any VTCs to either dial in manually or configured VTCs to leverage One Touch Dial to connect to the meeting.  In this example although only 20 concurrency licenses may have been purchased this customer would still receive 4000 user licenses to cover all potential SfB Online users.

          Remember that while these Skype for Business add-in licenses are only applicable to Skype for Business Online users enough can be provided to address any Skype for Business Server users which will eventually be migrated to the cloud.  In the example above it could be assumed that this environment may be using a Skype for Business Hybrid deployment and have to date only migrated 264 users to Skype for Business Online while the remaining 3,736 users are still homed on Skype for Business Server.  As they are migrated to the cloud they can be assigned one of those available licenses and continue to leverage RealConnect for their Skype meetings which are now hosted online.

          Q1 2018 Skype and Teams UG Meetings

          February 26, 2018

          The next round of quarterly Skype and Teams Users Group meetings has been announced and scheduled starting this month.

          Latest News

          A new year brings a couple of new national sponsors to the user group in AVST and Embrava.

          Event Details

          This quarter’s events will be conducted in our familiar two-session format:

          Session 1: Advanced Phone System Capabilities – In this session, we will cover the more advanced features and capabilities of Phone System, including updated Call Queues & Auto Attendants, Call Plan & Phone Number management, Number Porting procedures, custom Dial Plans & Calling Policies, & more.

          Session 2: Bots & Development Capabilities in Microsoft UC  – In this session, we will learn about working with Bots in Microsoft Teams, how Bots can be used, Telehealth Templates, & other emerging Development opportunities within the Office 365 UC realm.

          Industry Experts will be on-site to deliver these presentations and help answer any questions related to Skype for Business.  Food, beverages and additional door prizes will be provided courtesy of the Skype for Business Users Group and its official sponsors.


          Western U.S.

          Central U.S.

          Southern U.S.

          Eastern U.S.


          For a full schedule of regional events the Skype and Teams Users Group Meetups page lists all planned event locations with links to the associated registration page for each regional group.  Anyone who is not yet a member and would like to participate can simply visit the site listed above and register for their local group; this will automatically create a new user account to use again for all future event registrations.


          Chicago Event

          Continuing the recent schedule of alternating locations each quarter places our Q1 event back downtown in the Aon Building. 

          Food will be ready at 5:30pm so come early if you can to spend time socializing with the group before the presentations begin at 6:00pm.

          Date: Tuesday, March 20th
          5:30 PM – Food and Networking
          6:00 PM – Presentation Kickoff
          Location and Address: Chicago Downtown Event, Microsoft Technology Center
          200 East Randolph Drive, Suite 300
          Chicago, IL 60601

          Polycom Group Series with Skype for Business Online

          December 11, 2017 by · 11 Comments 

          A past article covered several facets of registering and using a Polycom RealPresence Group Series video conferencing system with Skype for Business 2015 Server deployments. In that article it was mentioned that support for Skype for Business Online was imminent.

          That support arrived this past summer in the form of official Microsoft qualification of the Group Series platform for Skype for Business Online, as reflected on the Skype for Business Solutions Catalog.

          The guidance in the previous on-premises-focused article is basically no different whether the Group Series is registering to Skype for Business Server or Online.  Updating the firmware, enabling the required Options Key, most of the configuration, and validating the overall experience are the same.  That article should continue to be used to gain an in-depth understanding of the scenarios, where this shorter article will focus on the minor differences when registering a Group Series endpoint directly to Skype for Business Online.  It is recommended to read through the previous article first to gain the foundational understanding of using a Group Series with Skype for Business.

          Requirements

          The prerequisites listed in this section apply only to registration with Skype for Business Online.  Some details are the same when using the Group Series with an on-premises Skype for Business 2015 Server deployment while others are different or unique to Office 365 registration (e.g. Microsoft licensing).

          Software

          When official qualification and support was attained back in June the minimum required firmware version for support was release 6.1.1.  As of the posting of this article the latest Group Series software release is currently up to 6.1.4, although the more recent releases have not gone through the same qualification program.  This does not indicate that the newer releases are not supported, only that not every minor release needs to be requalified.  Requalification will happen with future major updates; for example when 6.2 is eventually released that version will go through the Microsoft qualification process. The most impactful result of becoming an officially qualified release is that Microsoft will then post that specific version in the Skype for Business Online Device Update service, allowing any registered devices to automatically receive and apply the new firmware directly, just as qualified IP phones have supported for some time.  Other manual or programmatic update processes can still be used to apply the desired version of firmware even if that is not what the device update currently has published.

          The newer minor releases are typically recommended though as they include additional hotfixes as well as one important change which is explained in the previous article and in the official Polycom Release Notes for the 6.1.2 release.  With the original 6.1.1 release in order to successfully register the Group Series to a Skype for Business Online account there must be a paired RealPresence Touch Panel which is configured with the Skype UI enabled.  The Additional Settings section of the previous article covers this configuration. 

          But with 6.1.2 and later releases this is no longer a prerequisite as support was added for using the supplied remote control or when controlling the Group Series through third-party customized devices like Crestron or AMX room control panels.  The preferred in-room experience which most closely matches the rest of the Skype for Business meeting room devices out there today though is still provided by using the RealPresence Touch Panel with the Skype UI enabled, so it is still recommended to go this route when possible.

          Licensing

          As with any device that is registering to Skype for Business Online, be it a phone or video system, a licensed Office 365 account is required.  This can be a standard Skype for Business user or a special Meeting Room account.  Generally it is best practice to use the latter which affords the registered device some unique capabilities and behaviors, but it is not a requirement.  This previous article focusing on Online Meeting Room Accounts covers in detail the different configuration options and guidance around each.

          On the Polycom side the only license that is required is the aforementioned Skype for Business Interoperability License Options Key which is covered in the previous Group Series article linked at the beginning of this page.  As explained in that article the license is not required to successfully register to Skype for Business, but without it no other protocol or codec support is enabled, thus there would be no ability for the Group Series to handle video calls, meetings, content sharing, etc.  This is critical information when troubleshooting call failures on a registered system.

          On the Microsoft side see this companion article which attempts to explain the nuances of the Office 365 licensing options and which would be ideal or at least sufficient for various use-cases.

          This example account has been assigned an Office 365 Enterprise E3 license.

          Expanding that E3 license shows all of the Office 365 services provided within it, including the critical Skype for Business Online plan.

          At this point the desired account is sufficient to attempt registering the Group Series to Office 365.

          SIP Registration

          The detailed registration configuration steps outlined in the previous article are all applicable here.  The same general concepts are unchanged including best practices on username formats and guidance on using automatic configurations.

          The main difference is how to manually configure the target registration servers.  With on-premises deployments these are server names which would need to be known to an administrator or manually discovered.  But with the single world-wide Office 365 offering of Skype for Business Online there are defined hostnames for the different services which can always be used in the event that autodiscovery is not working for some reason.

          Automatic Discovery

          The preferred method of SIP registration is to simply leverage autodiscovery as outlined in the previous article.  In most cases this will be sufficient to successfully locate and register to the online services, following the same guidance as provided for use with Skype for Business Server.

          Manual Configuration

          In the event that the automatic process does not result in a successful registration then the first step is to take the automatic discovery process out of the equation.  This can easily be done by hardcoding the target server in the configuration.  But what is this target’s name?

          This Microsoft support article details the various DNS records published for Skype for Business Online which provide registration, federation, and discovery services.  The DNS record information shown in the following table was taken from that article.


          Type   Service            Protocol  Host Name                  Destination
          SRV    _sip               _tls      <DomainName>               sipdir.online.lync.com
          SRV    _sipfederationtls  _tcp      <DomainName>               sipfed.online.lync.com
          CNAME  -                  -         sip.<DomainName>           sipdir.online.lync.com
          CNAME  -                  -         lyncdiscover.<DomainName>  webdir.online.lync.com


          It is also very easy to query for these defined destination hostnames for Skype for Business Online tenants.

          • Using Windows PowerShell or a Command Prompt issue the following nslookup command with the desired domain name of the Office 365 tenant (e.g. jdskype.net) to resolve the published Service Locator (SRV) record.

          nslookup -q=srv _sip._tls.jdskype.net

          • Also issue this nslookup command with the desired domain name of the Office 365 tenant (e.g. jdskype.net) to resolve the published Alias (CNAME) record.

          nslookup sip.jdskype.net

          In both instances the same Fully Qualified Domain Name (FQDN) of sipdir.online.lync.com was returned.  It would be a good idea to simply just commit this FQDN to memory at this point as this single hostname can be used to register any SIP client or device directly to Skype for Business Online from anywhere in the world.

          Understand that this process should result in the above names for pure online-only tenants, while any hybrid deployments of Skype for Business should have been configured by their administrators to properly point to the on-premises service (e.g. Edge and Reverse Proxy).  In hybrid deployments these on-premises servers will then redirect any client registration attempts for accounts which are actually homed online.  For this reason it becomes important to understand how to manually, and forcefully, point a device directly to Skype for Business Online using the above hardcoded hostnames.  Otherwise when troubleshooting a registration failure it may not be possible to resolve the issue if the device is unable to negotiate the discovery process and/or redirection correctly.  Pointing the device directly to the cloud registration servers, even in a Hybrid deployment, will often result in a successful registration by bypassing any on-premises components.  Obviously this requires that the SfB account that the device is registering as is hosted online, which is the entire point of this article.
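
          One way to script the two nslookup checks above and compare every record in the table against what a domain actually publishes, as an added example that is not part of the original article.  The function names, the status labels and the example.com sample records are assumptions made for illustration; Resolve-DnsName is the standard Windows DnsClient cmdlet.

```powershell
# Added example, not the article's code. Expected targets come from the DNS table above.
$Expected = @(
    @{ Type = 'SRV';   Name = '_sip._tls.{0}';              Target = 'sipdir.online.lync.com' }
    @{ Type = 'SRV';   Name = '_sipfederationtls._tcp.{0}'; Target = 'sipfed.online.lync.com' }
    @{ Type = 'CNAME'; Name = 'sip.{0}';                    Target = 'sipdir.online.lync.com' }
    @{ Type = 'CNAME'; Name = 'lyncdiscover.{0}';           Target = 'webdir.online.lync.com' }
)

function Get-SfbDnsRecord {
    # Live lookup of the four record names for one SIP domain.
    param([Parameter(Mandatory)] [string] $Domain)
    foreach ($e in $Expected) {
        $name = $e.Name -f $Domain
        Resolve-DnsName -Name $name -Type $e.Type -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $e.Type } |   # drop SOA and additional A records
            ForEach-Object {
                $target = if ($e.Type -eq 'SRV') { $_.NameTarget } else { $_.NameHost }
                [pscustomobject]@{ Type = $e.Type; Name = $name; Target = $target }
            }
    }
}

function Compare-SfbOnlineRecord {
    # Offline comparison: takes already-resolved records (Type, Name, Target).
    param([Parameter(Mandatory)] [string] $Domain, [object[]] $Resolved = @())
    foreach ($e in $Expected) {
        $name    = $e.Name -f $Domain
        $targets = @($Resolved |
            Where-Object { $_.Type -eq $e.Type -and $_.Name -eq $name } |
            ForEach-Object { $_.Target.TrimEnd('.') })
        if     ($targets.Count -eq 0)         { $status = 'Missing' }
        elseif ($targets -contains $e.Target) { $status = 'Online' }
        else                                  { $status = 'NotOnline' }  # e.g. an on-premises Edge
        [pscustomobject]@{ Type = $e.Type; Name = $name; Expected = $e.Target
                           Actual = $targets -join ', '; Status = $status }
    }
}

# Constructed sample for a fictitious domain: one on-premises target, one absent record.
$sample = @(
    [pscustomobject]@{ Type = 'SRV';   Name = '_sip._tls.example.com';              Target = 'sip.example.com' }
    [pscustomobject]@{ Type = 'SRV';   Name = '_sipfederationtls._tcp.example.com'; Target = 'sipfed.online.lync.com' }
    [pscustomobject]@{ Type = 'CNAME'; Name = 'lyncdiscover.example.com';           Target = 'webdir.online.lync.com.' }
)
Compare-SfbOnlineRecord -Domain 'example.com' -Resolved $sample | Format-Table -AutoSize

# Live check against a tenant domain:
# Compare-SfbOnlineRecord -Domain 'jdskype.net' -Resolved @(Get-SfbDnsRecord 'jdskype.net')
```

          A NotOnline or Missing status on the sign-in records is the case described above where autodiscovery may lead a device to on-premises servers, and where hardcoding the online registrar is the workaround.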

          Armed with this newly discovered information it is now time to enter the manual configuration and attempt registration.

          • Using the Group Series web management interface navigate to the Admin Settings > Network > IP Network menu, or simply search for “sip” and then select the SIP result.

          • Expand the SIP section and click Enable SIP if it is not already enabled.

          • Change the SIP Server Configuration to Specify.

          • Set the Transport Protocol to TLS.

          • In the Sign-In Address field enter the SIP URI of the desired Lync or Skype for Business user account (e.g. gs500@jdskype.net). 

          • In the User Name field enter the User Principal Name (UPN) of the same account (e.g. gs500@jdskype.net).  In online-only tenants the user account’s SIP URI and UPN should be the same, but that may not be the case if the AD accounts were originally migrated.  (The legacy NetBIOS format of “DOMAIN\username” cannot be used with Office 365 accounts.)

          • Click the Password box to expand the Enter Password and Confirm Password fields.  Enter the user account’s password in each field.

          • In the Registrar Server field enter the string "sipdir.online.lync.com:443".  It is important to include the :443 suffix after the hostname as the Group Series will attempt TLS registration by default to port 5061 which would not be correct.  The Skype for Business Online server will only accept registration attempts destined for port 443.

          • The Proxy Server field should be left blank.  Registration can still work if the exact same value as the Registrar Server field is entered but this is redundant and normally should not be populated.  Unlike some standard SIP platforms the Microsoft SIP platform contains the proxy and registrar services in the same server roles.  (This field is not used for pointing to an outbound web proxy server; that is configured in a different section.)

          • Set the Registrar Server Type to Microsoft.

          • Finally click Save to attempt to sign in.

          Address Book Registration

          Nothing here is any different than when dealing with Skype for Business Server, so the directions in the previous article are applicable here as well.

          • Set the Server Type to Microsoft.

          • In the Domain Name field enter the SIP domain for the currently registered user’s environment (e.g. jdskype.net).

          The Registration Status will initially continue to be displayed as “Registration Failed” but within 30 seconds or less the status should update to Registered.

          Calendar Registration

          In the other article it was stated that the Group Series has supported Exchange Online mailboxes for some time now, so again nothing new to see here.  Same guidance and instructions as was previously covered; default to using the auto discovery process first and if that fails then the following configuration example outlines the manual settings.

          This Microsoft support article outlines the various FQDNs for Exchange Online services, with the important hostname being outlook.office365.com which is used to access Exchange Web Services online by the Group Series.
