RealConnect for Clariti

March 15, 2019

Several previous articles on this blog have gone into detail on the Polycom RealConnect video interoperability solution for Lync and Skype for Business meetings.  Most recently this article attempted to clarify all the different models available to various Polycom video infrastructure and Microsoft Skype for Business deployments across on-premises installations, cloud offerings, and hybrids of both.

As a refresher the entire Polycom RealConnect solution falls into two main categories: RealConnect for Clariti and the RealConnect Service.  This article will focus on the available models which leverage a traditional on-premises deployment of standards-based infrastructure included in the Polycom RealPresence Clariti licensing model.

Two recent advances have occurred in the RealConnect solution set:

  1. The expansion of RealConnect to include support for Microsoft Teams meetings.  This compatibility was initially launched last year in the RealConnect Service to support connecting standards-based Video TeleConferencing (VTC) endpoints into Microsoft Teams meetings, and is now also available in the RealConnect for Clariti model which allows on-premises video meetings to be cascaded into Microsoft Teams meetings.

  2. The introduction of a simplified deployment model for supporting Skype for Business Online meetings in RealConnect for Clariti.  Previously, in order to support Skype for Business Online meetings the Polycom infrastructure components required that at minimum a single Lync or Skype for Business Front End server/pool and a single Edge server/pool remained on-premises.  That is no longer the case thanks to the introduction of a lightweight, stateless application which now allows all components of Lync or Skype for Business to be removed.

Infrastructure

The core Polycom Server infrastructure components which are provided within the Clariti licensing model have been covered in a previous article, so refer to it for a deeper understanding of the overall solution and what each server is and does.  As a brief summary though, the Polycom Servers used throughout some or all of the RealConnect for Clariti architectures are as follows:

  • Distributed Media Application (DMA) is a core component which, for the purposes of RealConnect, primarily handles the signaling between each component and an on-premises Lync or Skype for Business Server Front End server or pool.  The DMA also provides for VTC endpoint registration and manages the Polycom Multipoint Control Unit (MCU).

  • Collaboration Server (RMX) is the aforementioned MCU which supports both standards-based and Microsoft-specific media codecs.  In some models it performs the transcoding duties between the standards-based media and the Microsoft media streams coming from and going to the Lync/SfB MCU.

  • ContentConnect Solution (CCS) is an additional software-only MCU that was created solely to transcode content sharing sessions between standards-based protocols like H.239 and Binary Floor Control Protocol (BFCP) and Microsoft’s sharing protocols like Video-Based Screen Sharing (VBSS) and Remote Desktop Protocol (RDP).

There are also two additional Polycom Servers which are not included as part of the Clariti licensing.

  • Workflow Server (WS) is an application server which can host several different Polycom application-based solutions.  For RealConnect this server has two potential purposes: primarily performing Skype meeting discovery tasks as well as hosting the optional One Touch Dial (OTD) application for VTCs.  Installation and configuration of this server is provided via paid professional services engagements.

  • Cloud Relay (CR) is similar to the Workflow Server except that it is a lightweight, freely available virtual server image which, once imported into a VMware or Hyper-V host, is used to connect to Polycom and/or Microsoft services in Azure.  This server can be utilized for multiple capabilities in RealConnect alone, as well as for other Polycom services, like some endpoint management tasks unrelated to RealConnect.  For the purpose of RealConnect for Clariti though it is used to house a Microsoft SIP adapter which handles signaling communications between the DMA/RMX/CCS components and Skype for Business Online.

Topologies

There are currently four different topologies available with RealConnect for Clariti which provide the RealConnect experience for Microsoft meeting platforms: Skype for Business Server, Skype for Business Hybrid, Skype for Business Online, and Microsoft Teams.


Skype for Business Server

This is the original deployment model for RealConnect, first introduced with Lync Server 2013, and continues to be supported today through Skype for Business Server.  This solution is based on the core video infrastructure running on DMA, RMX, and CCS which performs the necessary translation between standards-based and Skype for Business protocols and codecs.


The basic call flow for the first VTC attempting to call into a Skype meeting hosted on the Skype for Business Server is as follows:

  1. A VTC that is registered (via SIP or H.323) to the DMA places a call to the numeric Audio Conferencing ID included in the Skype meeting (e.g. 789456) over the endpoint’s preferred dialing protocol.

  2. The DMA parses its preconfigured Dialing Rules and through a process of elimination determines that the dialed string (e.g. 789456) is not another registered endpoint or a statically defined traditional Virtual Meeting Room (VMR), and then attempts to check with any configured external SIP peers.

  3. Using Microsoft SIP over a secure TLS outbound connection, via an established Trusted Application Pool configuration with the Skype for Business Front End server, the DMA asks if there is a Skype meeting with that Audio Conferencing ID.  If one exists then the server responds to the DMA with the Skype Meeting URL (e.g. https://meet.msteams.net/jschertz/ABCD1234).

  4. The DMA then dynamically creates a new VMR using the conferencing ID (e.g. 789456) on the RMX and then directs the VTC to establish media with the RMX.  These media sessions are utilizing standards-based protocols and codecs like Advanced Video Coding (AVC), various audio codecs, and potentially content sharing sessions over H.239 or Binary Floor Control Protocol (BFCP).

  5. The DMA also instructs the RMX to place an outbound call from that same VMR into the resolved Skype for Business meeting.  The RMX establishes a native Microsoft media session with the Audio Video Multipoint Control Unit (AVMCU) running on the Skype for Business Front End server.  These media sessions can utilize Scalable Video Coding (SVC) via the X-H264UC protocol, RealTime Video (RTV), and a host of common audio codecs.

  6. The DMA similarly instructs the CCS to establish a connection to the Application Sharing Multipoint Control Unit (ASMCU) on the Skype for Business Front End server.  The media sessions can support SVC desktop sharing over Video-Based Screen Sharing (VBSS) and Remote Desktop Protocol (RDP).

At this point the cascaded RealConnect meeting has been established and any additional VTCs attempting to join the same meeting will be connected directly to the active VMR.

Skype for Business Hybrid

Once on-premises deployments of Lync and Skype for Business Server began connecting to Lync and Skype for Business Online tenants an updated solution was required to support RealConnect for meetings hosted by users homed online.  Supporting these split-domain hybrid environments required a wholesale change in the way that Lync/Skype Meetings were discovered and connected to as compared to when simply working with only an on-premises deployment.

The Polycom Workflow Server was thus introduced to tackle this new workflow, providing a solution for supporting meetings scheduled not only by server-homed Lync/Skype users but also by any online-homed users which had been migrated to the cloud.  Whereas in the Skype for Business Server model the DMA dynamically performs the meeting discovery when the VTC places the call, in this model the meeting discovery happens prior to the call being placed.  In fact, the Workflow Server handles this after the meeting is scheduled, but before any endpoints attempt to connect.  Thus, when a Skype meeting is scheduled by a client that meeting invitation must pass through the Workflow Server in order for RealConnect to be available for that meeting.  Typically this is not an issue as a meeting room needs to be invited to leverage the One Touch Dial workflow.  But in order to ensure that an unscheduled VTC can join, even when manually dialing the audio conferencing ID provided in the meeting, there are two basic methods available.  Either instruct users to always invite a special, dedicated resource mailbox to all Skype meetings (crude, yet effective) or define an Exchange Transport Rule (supported in both Exchange Server and Exchange Online) which identifies Skype meetings and automatically sends a copy of the message to a single dedicated resource mailbox (more elegant).  In either approach the Workflow Server is configured to monitor that mailbox and thus will be aware of every Skype meeting scheduled in the organization; it scrubs the email for the meeting URL and then proactively provides it to the DMA.


Thus, the basic call flow for the first VTC joining a meeting hosted in Skype for Business Online is similar to the previous model, except for the fundamental difference in the initial Skype meeting discovery process.

  1. A Skype meeting is scheduled in the environment and the invitation is seen by Workflow Server within a matter of minutes.  Workflow Server identifies the embedded Skype Meeting URL and then either records the existing Audio Conference ID or dynamically creates a unique ID (if the Skype meeting invite does not include any Audio Conferencing details) which is used only for the DMA to generate a new VMR number.

  2. The Workflow Server takes this information and then sends it to the DMA, essentially instructing it to create a static VMR using the provided ID and Skype Meeting URL.

  3. Now, when a DMA-registered VTC attempts to join this Skype meeting the DMA will recognize that the call matches a VMR already defined in its own database which includes the destination Skype Meeting URL.

  4. From this point on the remainder of the call setup is nearly identical to what happens in the Skype for Business Server model explained earlier.  The only difference is that outbound media sessions for online meetings can now cascade directly to MCU resources in Skype for Business Online.  Meetings hosted by the on-premises MCU for server-homed users are still cascaded in the same fashion as in the previous section, and in either case the same transcoding workloads are still all occurring on the Polycom Servers on-premises.

Skype for Business Online

Providing the RealConnect solution for environments using only Skype for Business Online requires the most on-premises Polycom components of any of the RealConnect modes.  This is because not only is the heavy lifting still all being performed by Clariti itself (communicating directly to Microsoft components via MS-SIP and transcoding audio, video, and content sharing media streams), but now in the absence of any on-premises Lync/Skype for Business Server the Polycom Server components require something local to communicate with via Microsoft SIP.

The core components of DMA, RMX, and CCS perform the same roles as in the previous topologies.  The Workflow Server is still required here as it is in the hybrid topology to handle Skype meeting discovery and population into the DMA database.  The main difference is that the Cloud Relay (CR) server is now added to host a Microsoft SIP gateway and provide the needed communication link between the Polycom Servers and Skype for Business Online.

Previously the Polycom Servers would each communicate using Microsoft-SIP directly to the local Lync/Skype for Business Front End Server/Pool via the standard Trusted Application model.  Recently that architecture has changed to allow the removal of all on-premises Skype for Business servers.  The Cloud Relay allows this by hosting a small Microsoft SIP adapter which the Polycom Servers instead communicate with as a bridge to Skype for Business Online.  Note that this is only signaling traffic and no media traverses the Cloud Relay.  Media will go directly from the RMX and CCS to MCU resources in Skype for Business Online, typically across the public Internet, into the Microsoft Azure Cloud.  The Cloud Relay provides additional assistance here by also using its default connectivity to resident Polycom Services in Azure (which are a core part of the separate RealConnect Service, but incur no additional licensing cost here) in order to leverage media-establishment by way of ICE/STUN/TURN components.  Again, this communication is limited to signaling, meaning that ICE instructions are provided by the service but the actual media communications are directed toward the Skype for Business Online Edge services in the cloud.


Microsoft Teams

Providing a solution into Microsoft Teams meetings with RealConnect for Clariti is the simplest and lightest (in terms of required on-premises components) of any model to-date.  This is because the bulk of the work has been shifted to the cloud, adjacent to the Microsoft Teams services.  Whereas for Skype meetings the Polycom infrastructure is dealing with all the translation and transcoding on-premises, that workload is all handled for Teams meetings by the Polycom RealConnect Service in the Azure cloud.  The main reason for this difference is that the CVI solution provided by Microsoft requires partners to use components resident in Azure that communicate directly into Teams, which Microsoft provides in the way of SDKs and bots.  So, in this model the Clariti components are simply cascading standards-based calls up into the RealConnect service in Azure, which in turn handles the signaling translation and media transcoding workloads with Teams.

As can be inferred from the following diagram the overall call flow is equally simplified from the Skype for Business models discussed earlier.  The only technical requirement in this topology is that the DMA is running at least version 10.0.0.2 which includes new Dial Rule functionality for cascading into Teams meetings.  None of the other Polycom Servers shown in the previous diagrams are required for supporting Teams meetings.


Regarding the call flow, the primary difference between Skype and Teams here is that the Polycom Servers do not need to perform any meeting discovery, as the Teams meeting invitations already include all the necessary standards-based details.  This information is provided in the original Teams meeting invitation as described in this article.

  1. A VTC places a call to the SIP or H.323 address provided in the Teams meeting invitation (e.g. 123456.321654987@t.plcm.vc).

  2. The DMA parses its preconfigured Dialing Rules and finds a match for the destination domain of "*.plcm.vc" on a specific dial rule.  It then dynamically creates a new VMR using the Video Conferencing ID extracted from the dial string (e.g. 321654987) and then directs the VTC to establish the call with the RMX.

  3. The DMA also places an outbound, standards-based SIP or H.323 call to the original dial string (e.g. 123456.321654987@t.plcm.vc) which is the Polycom RealConnect Service.  It then instructs the RMX to establish outbound media connections from the local VMR (321654987) to the target meeting in the cloud, using standards-based media protocols and codecs.

  4. The single cascade between the VMR on the RMX and an MCU in the RealConnect Service is then relayed in the Microsoft Teams meeting through the CVI gateway services to provide audio, video, and any screen sharing media between platforms.

Once the cascade has been established then any additional VTCs calling into the same meeting will be directed to connect to the active VMR on the RMX.

Realistically though, most organizations will need to support RealConnect for both Skype and Teams meetings for some time to come.  This means that multiple models would be used in conjunction: one of the Skype models, depending on the type of Skype deployment, and the Teams model.  Although the architectures are completely different, both leverage the core Clariti components of DMA and RMX, so a single deployment can easily support any of the Skype and Teams scenarios simultaneously.  What this also means for all deployments is that over time, as Skype meetings are replaced by Teams meetings, the overall footprint of Polycom infrastructure components can systematically be reduced as they are no longer needed.

Licensing

As Skype for Business Meetings are handled completely by Clariti, licensing is already included in the Clariti model.  But for supporting Teams meetings, where some of the work is performed by the cloud service, an additional concurrent-use licensing fee is required.  These low-cost licenses are supplementary to the base Clariti concurrent licenses and would be acquired at a 2:1 ratio.  Meaning if an organization was licensed for 10 Clariti concurrent licenses, then no more than 5 of the additional service licenses would be purchased.  This one-half calculation comes from the fact that a single Teams meeting being joined by a single VTC will consume two Clariti concurrent licenses to stand up the call.  One license is used to connect the VTC to the RMX, and a second license is consumed to cascade that VMR on the RMX to the RealConnect Service.

For example, take an environment with 10 Clariti licenses and 5 VTCs.  If all VTCs were to connect to five different Teams meetings at the same point in time the RMX would be at full capacity by the 5th meeting (5 VTCs + 5 cascades = 10 Clariti licenses consumed), which is the high-water mark. Because a maximum of 5 meetings can be cascaded into the RealConnect service, then 5 RealConnect for Clariti service licenses are required at most for this environment.


Yet in the event that all 5 VTCs were to join the same Teams meeting then the RMX would only be using 6 Clariti licenses (5 VTCs + 1 cascade = 6) and only a single RealConnect for Clariti service license would be consumed.


Verifying Users Enabled for CVI

March 13, 2019

This brief article includes a few tips on how to verify which Office 365 user accounts have been enabled to use a partner-provided Cloud Video Interop (CVI) solution, like the Polycom RealConnect Service.

When initially configuring an Office 365 tenant for CVI one of the final steps is to enable user accounts for the service.  The steps to do so though are different between Skype for Business and Microsoft Teams.

Note that in order to perform the PowerShell commands shown in this article one or more PowerShell Online modules will need to be setup on the workstation, if not already configured.  One potentially confusing concept in this article to pay extra attention to is that in order to check the Teams configuration the Skype for Business Online PowerShell Module is used (this module contains both Skype and Teams cmdlets), yet to check the Skype configuration the Azure Active Directory (v1) module is used.  This is because Teams uses a simple user setting via a policy while Skype leverages Office 365 add-on licenses.

Microsoft Teams

To enable the service for users on their own scheduled Microsoft Teams meetings the configuration is straightforward.  A simple PowerShell cmdlet would have been used to enable either individual users or the entire tenant globally.

  • Open Windows PowerShell and connect to the Skype for Business Online PowerShell module using the following cmdlets, replacing the username shown with the username of an administrative account in the target Office 365 tenant.  Enter the account password when prompted.

Import-Module SkypeOnlineConnector
$skype = New-CsOnlineSession -UserName "jeff@msteams.net"
Import-PSSession $skype


Verify Service Configuration

Get-CsVideoInteropServiceProvider


Verify User Configuration

The preferred methodology for initially enabling users with RealConnect for Teams is to grant a policy to specific user accounts rather than enabling the entire tenant wholesale.  This approach is more common during initial testing and is often used with a small number of select accounts.

The Get-CsTeamsVideoInteropServicePolicy cmdlet can then be used to identify if the preferred provider has been enabled globally for all users or not.

  • As the service must be turned on in a tenant this can be confirmed by validating that the ProviderName parameter on the global policy is assigned to the default setting of DefaultProvider.

Get-CsTeamsVideoInteropServicePolicy


Note that the DefaultProvider value in the Global policy above is the ProviderName for the ServiceProviderDisabled option.

  • Alternatively if the cmdlet results return one of the provider names (e.g. Polycom) then this indicates that the service has been enabled for every user in the organization, at the global level.

Get-CsTeamsVideoInteropServicePolicy


Note that the DefaultProvider value in the Global policy above is the ProviderName for the Polycom option.  In this case the environment has previously been configured to enable RealConnect for Teams with all user’s scheduled Teams meetings.

But for environments still using the default disabled policy setting, individual user accounts would need to have been enabled.  In order to identify these accounts the Get-CsOnlineUser cmdlet results can be filtered to output only accounts which have the TeamsVideoInteropServicePolicy parameter set to the desired value.

  • Enter the following command to list only users which are enabled for the Polycom RealConnect Service for Microsoft Teams.

Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "PolycomServiceProviderEnabled"} | Select-Object DisplayName, UserPrincipalName, TeamsVideoInteropServicePolicy


In this example the Polycom service is being used, so the value to search for is 'PolycomServiceProviderEnabled'.  Currently other possible parameter values are 'BlueJeansServiceProviderEnabled', 'PexipServiceProviderEnabled', or 'ServiceProviderDisabled'.

  • Alternately, this cmdlet can be used to list all accounts in the tenant regardless of the policy parameter value.

Get-CsOnlineUser | Select-Object DisplayName, UserPrincipalName, TeamsVideoInteropServicePolicy


In the event that the TeamsVideoInteropServicePolicy has been previously set to a specific provider globally, then the individual user’s policy setting will operate in the standard policy relationship.  This means that any users with no value currently on their parameter will use the Global policy setting, but if the user’s parameter is set to a different value then the user-specific value will take precedence over a different, globally assigned value.

CVI User Status   TeamsVideoInteropServicePolicy (Tenant)   TeamsVideoInteropServicePolicy (User)
Disabled          ServiceProviderDisabled                   null (or) ServiceProviderDisabled
Enabled           ServiceProviderDisabled                   <PartnerName>ServiceProviderEnabled
Enabled           <PartnerName>ServiceProviderEnabled       null (or) <PartnerName>ServiceProviderEnabled
Disabled          <PartnerName>ServiceProviderEnabled       ServiceProviderDisabled
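The precedence rules in the table above can be applied programmatically so that an auditor sees each user's effective CVI state rather than just the raw policy values.  The following is an added example, not code from the original post or from Polycom; the user records in it are constructed so it runs offline, and the Global policy value is taken from the ProviderName shown earlier (DefaultProvider when disabled, a partner name such as Polycom when the tenant is enabled globally).  The handling of an optional "Tag:" prefix on user policy values is a defensive assumption about how some module versions display assigned policies.

```powershell
# Added example (not part of the original post): resolve each user's effective
# Cloud Video Interop status from the tenant Global policy and the user's own
# TeamsVideoInteropServicePolicy, following the precedence table above.

function Resolve-CviStatus {
    param(
        # ProviderName of the Global policy, e.g. 'DefaultProvider' or 'Polycom'
        [Parameter(Mandatory)] [string] $GlobalProvider,
        # The user's TeamsVideoInteropServicePolicy; empty/null means "inherit Global"
        [AllowNull()] [AllowEmptyString()] [string] $UserPolicy
    )
    $inherits  = [string]::IsNullOrEmpty($UserPolicy)
    $effective = if ($inherits) { $GlobalProvider } else { $UserPolicy }
    # Assumption: some module versions show user-assigned policies as "Tag:<Name>".
    $effective = $effective -replace '^Tag:', ''

    # User-level policies are named "<PartnerName>ServiceProviderEnabled"; the Global
    # policy exposes the bare provider name instead. Either of these two values means off.
    $disabledValues = @('ServiceProviderDisabled', 'DefaultProvider')
    $provider = $null
    if ($effective -match '^(?<partner>\w+)ServiceProviderEnabled$') {
        $provider = $Matches.partner
    } elseif ($effective -notin $disabledValues) {
        $provider = $effective
    }

    $source = if ($inherits) { 'Global' } else { 'User' }
    [pscustomobject]@{
        Enabled   = [bool]$provider
        Provider  = $provider
        Source    = $source
        Effective = $effective
    }
}

function Get-CviUserReport {
    param(
        [Parameter(Mandatory)] [string] $GlobalProvider,
        [Parameter(Mandatory, ValueFromPipeline)] $User   # Get-CsOnlineUser output or a look-alike
    )
    process {
        $status = Resolve-CviStatus -GlobalProvider $GlobalProvider `
                                    -UserPolicy ([string]$User.TeamsVideoInteropServicePolicy)
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            CviEnabled        = $status.Enabled
            Provider          = $status.Provider
            Source            = $status.Source
        }
    }
}

# Constructed sample: Global policy left at its disabled default, one user granted
# Polycom individually, one inheriting Global, one explicitly disabled.
$sampleGlobal = 'DefaultProvider'
$sampleUsers  = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; TeamsVideoInteropServicePolicy = 'PolycomServiceProviderEnabled' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   TeamsVideoInteropServicePolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; TeamsVideoInteropServicePolicy = 'ServiceProviderDisabled' }
)
$sampleUsers | Get-CviUserReport -GlobalProvider $sampleGlobal | Format-Table -AutoSize

# Against a live tenant (after the Import-PSSession step shown earlier):
#   $global = (Get-CsTeamsVideoInteropServicePolicy -Identity Global).ProviderName
#   Get-CsOnlineUser | Get-CviUserReport -GlobalProvider $global | Where-Object CviEnabled
```

With the sample data only alice is reported as enabled (Source User); bob inherits the disabled Global policy and carol is disabled by her own assignment, which are the first, second and fourth rows of the table.  Flipping $sampleGlobal to 'Polycom' enables bob through inheritance while carol stays disabled, covering the remaining rows.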

In the event that the tenant is globally enabled yet it is desired to return to the default configuration to instead manage user enablement individually then this is a simple procedure.

  • Execute the following cmdlet to return the global policy to the ServiceProviderDisabled setting.

Grant-CsTeamsVideoInteropServicePolicy -PolicyName ServiceProviderDisabled

Skype for Business

Unlike Microsoft Teams there is no option to simply globally enable the service on all users in a tenant for Skype meetings.  User configuration in Skype for Business is handled by assigning an Office 365 add-on license entitled "Skype for Business Video Interop for Skype for Business".


Because this solution is user-license based then enough licenses must be provided in the tenant and they must all be manually assigned to existing user accounts, as well as added to new user accounts as they are created in the environment.

License entitlement is performed automatically through the Cloud Solutions Provider relationship with the partner and one license will automatically be added to the tenant for every existing qualifying user license that exists in the tenant (e.g. Business Essentials, Enterprise E5, etc).  For example, the tenant used in this article currently contains 20 Enterprise E1 licenses and 4 Enterprise E3 licenses, hence the total of 24 Video Interop licenses.


Given that Microsoft licenses are the components which enable the service for users then it is trivial to list all users in the tenant via PowerShell which are assigned a specific license.

  • Open Windows PowerShell and connect to the Azure Active Directory PowerShell module using the Connect-MsolService cmdlet.  When prompted enter the credentials of an administrative account for the Office 365 tenant.

Connect-MsolService


  • Enter the following command to parse all user accounts and list only those with an assigned license containing the string 'VIDEO'.  The -All switch matters: without it Get-MsolUser returns only the first 500 accounts, which would silently hide licensed users in a larger tenant.

Get-MsolUser -All | Where-Object { $_.Licenses.AccountSkuId -match "VIDEO" } | Format-Table UserPrincipalName, DisplayName, Licenses


The output above lists any user accounts currently assigned a VIDEO_INTEROP license.
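Listing who already has the add-on answers half of the question; the operational gap is the set of users who hold a qualifying base license but were never assigned VIDEO_INTEROP, since those assignments are manual and must be repeated for every new account.  The following is an added example, not from the original post or from Polycom.  The qualifying SKU part numbers (STANDARDPACK for E1, ENTERPRISEPACK for E3, ENTERPRISEPREMIUM for E5, O365_BUSINESS_ESSENTIALS) are an illustrative assumption about which base licenses entitle a tenant to the add-on, and the sample users are constructed so the function can be exercised offline.

```powershell
# Added example (not part of the original post): report users with a qualifying
# base license who are still missing the Video Interop add-on.

function Find-MissingVideoInterop {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,   # Get-MsolUser output or a look-alike
        [string]   $InteropPattern     = 'VIDEO_INTEROP',
        # Assumption: illustrative list of base SKUs that qualify for the add-on.
        [string[]] $QualifyingPatterns = @('STANDARDPACK', 'ENTERPRISEPACK', 'ENTERPRISEPREMIUM', 'O365_BUSINESS_ESSENTIALS')
    )
    begin {
        $qualifyRegex = ($QualifyingPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
    }
    process {
        # AccountSkuId looks like "<tenant>:<SKU>", e.g. "contoso:ENTERPRISEPACK".
        $skus       = @($User.Licenses | ForEach-Object { $_.AccountSkuId })
        $hasInterop = @($skus | Where-Object { $_ -match $InteropPattern }).Count -gt 0
        $qualifies  = @($skus | Where-Object { $_ -match $qualifyRegex }).Count -gt 0

        if (-not $qualifies)  { $status = 'NotQualifying' }
        elseif ($hasInterop)  { $status = 'Assigned' }
        else                  { $status = 'Missing' }

        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            Status            = $status
            Qualifies         = $qualifies
            HasVideoInterop   = $hasInterop
            Skus              = ($skus | ForEach-Object { ($_ -split ':')[-1] }) -join ', '
        }
    }
}

# Constructed sample tenant: alice already has the add-on, bob qualifies but is
# missing it, and a resource account has no base license at all.
$sampleUsers = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.example'
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:STANDARDPACK' },
                     [pscustomobject]@{ AccountSkuId = 'contoso:VIDEO_INTEROP' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.example'
        Licenses = @([pscustomobject]@{ AccountSkuId = 'contoso:ENTERPRISEPACK' })
    }
    [pscustomobject]@{
        UserPrincipalName = 'room1@contoso.example'
        Licenses = @()
    }
)
$sampleUsers | Find-MissingVideoInterop | Where-Object Status -eq 'Missing' | Format-Table -AutoSize

# Against a live tenant:
#   Connect-MsolService
#   Get-MsolUser -All | Find-MissingVideoInterop | Where-Object Status -eq 'Missing'
```

On the sample data only bob is reported as Missing; alice is Assigned and the resource account is NotQualifying, so it is correctly left out of the remediation list rather than flagged as an error.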

RealConnect Service Network Communications Explained

March 5, 2019

Multiple recent articles covering Cloud Video Interop for Microsoft Skype for Business and Teams meetings have introduced several Polycom services which are all resident in Microsoft’s Azure cloud.  When leveraging these services it may not be clear as to exactly where they are hosted and what are the best practices for connecting to them effectively and securely.   This article will outline the related services and where they reside with generic firewall guidance.

Service Overview

The core interoperability service addresses a simple, singular purpose: to receive inbound calls over either SIP or H.323 from any standards-based Video TeleConferencing (VTC) system capable of communicating with Microsoft Azure datacenters, and then connect those calls into a Skype for Business or Microsoft Teams Multipoint Control Unit (MCU).  This traffic can be routed over the Internet or optionally via an established and correctly configured ExpressRoute connection.  The service is comprised of several different pools of resources covering a variety of tasks, but the primary concepts are the perimeter load balancers which handle the initial inbound calls and the multiple pools of transcoding gateways which handle the actual video calls.

In reality the RealConnect service today is actually two side-by-side solutions which are essentially identical in both deployment and overall operation.  Because of the vast difference in the Skype for Business and Microsoft Teams platforms it is not possible to use the exact same set of cloud resources to provide video interoperability into both types of meetings.  Thus two separate solutions are provided within the same service offering: one to provide interoperability into Skype Meetings hosted by Skype for Business Online and Skype for Business Server and another to provide interoperability into Microsoft Teams meetings.

Basic Architecture

The following diagrams are over-simplistic representations of the services as they are intended to highlight just a few simple concepts: communication routing and call redirection.  The RealConnect Service only answers calls from endpoints using the standards-based signaling protocols SIP and H.323, and negotiates media sessions over standards-based media codecs like H.264 Advanced Video Coding (AVC) with H.239 or BFCP content sharing, for example.

Skype for Business only deals with its native clients and devices which speak the Microsoft implementation of SIP signaling (MS-SIP) and handle Microsoft implementations of media codecs like H.264 SVC (X-H264UC), RealTime Video (RTV), Remote Desktop Protocol (RDP) and Video-based Screen Sharing (VBSS).

  • Communications between the RealConnect service gateways and Skype for Business Online are contained within the Microsoft Azure datacenter network.


  • Communications between the RealConnect service gateways and Skype for Business Server deployments are between the Azure datacenters and location of the Skype for Business Front End servers, using deployed Edge servers if applicable.


The Microsoft Teams platform directly handles a simpler list of native clients, devices, and protocols.  While SIP has been replaced by MNP24 as the primary signaling protocol, some of the same media codecs have been borrowed from Skype for Business like SVC for video and VBSS for desktop and application sharing.


A regional load-balanced IP address serves as the ingress for a call.  The gateways handle the majority of the heavy lifting by performing actual translation and transcoding between the various standards-based systems and the Skype for Business and Microsoft Teams systems. 

  1. The initial call from a VTC is first routed to a load balancer in the logically closest datacenter, based on latency at the time of the call.

  2. The load balancer immediately responds to the inbound call by redirecting the VTC to an available gateway in the same datacenter, if one is available.  If the pools in the same datacenter are not able to handle the call (e.g. offline or at capacity) then an available pool in the next closest datacenter will be offered.

  3. Once the call is established on a dedicated gateway in Azure that gateway will then communicate with the Skype or Teams platform to join the meeting and handle translation and transcoding of the signaling and media.

For the service to be reachable by VTCs which are typically located within an enterprise network behind one or more firewalls then outbound traffic over specific ports must be allowed to reach the various load balancers and gateways deployed world-wide.  Given this inherent level of availability and resiliency it is important to allow outbound traffic to all locations.  If traffic is only allowed to geographically-close datacenters then in the event of a partial service outage a call redirected to another datacenter may be blocked.

Locations

At the time this article was posted there are four worldwide Azure regions which host the RealConnect Service.  There are separate sets of load balancers and gateways for connecting into Skype for Business meetings and for connecting into Microsoft Teams meetings, but both sets are deployed side-by-side in the same Azure datacenters today.

  1. The South Central US datacenter, also referred to as ussouth, located in Texas.
  2. The West US 2 datacenter, also referred to as uswest2, located in Washington.
  3. The West Europe datacenter, also referred to as europewest, located in Netherlands.
  4. The Australia Southeast datacenter, also referred to as australiasoutheast, located in Victoria.

As pointed out earlier, the initial connection into the service will be directed to the best available resource at the time.  This determination is made by measuring latency and then providing a DNS response pointing to the appropriate load balancer.  The Azure Speed Test site can be used as a handy reference for displaying live network latency statistics from a specific location to any of these datacenters.  At this point in time the South Central US location will likely be where calls placed from this location are directed, but with average latencies that close it could be either of the U.S. locations at any given time.

Connectivity

As previously stated, the RealConnect service currently exists as two side-by-side deployments to handle calls into either a Skype for Business or Microsoft Teams meeting.  There is no mixing of these conferencing platforms and each is driven by unique Outlook meeting invitations.  So what is essentially a single service includes separate ingress points for Skype and Teams purposes.  This can be demonstrated by performing simple nslookup commands on the three different Fully Qualified Domain Names (FQDN) used today: v.plcm.vc, h.plcm.vc, and t.plcm.vc.

  • Perform a nslookup against the FQDN used to join Skype for Business Online meetings: v.plcm.vc

C:\>nslookup v.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     jazz-prod-scus.plcm.vc
Address:  13.85.8.48
Aliases:  v.plcm.vc
          prod-plcm.trafficmanager.net

  • Perform a nslookup against the FQDN used to join Skype for Business Server meetings: h.plcm.vc

C:\>nslookup h.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     jazz-prod-scus.plcm.vc
Address:  13.85.8.48
Aliases:  h.plcm.vc
          prod-plcm.trafficmanager.net

  • Perform a nslookup against the FQDN used to join Microsoft Teams meetings: t.plcm.vc

C:\>nslookup t.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     teams-prod-scus.plcm.vc
Address:  23.100.126.112
Aliases:  t.plcm.vc
           prod-plcm-teams.trafficmanager.net

These results indicate that the Skype for Business platforms (Online and Server) use the same destination IP, while Teams uses a different IP.  This underscores the two separate deployments in the same service: one for Skype meetings and one for Teams meetings.

Note that the resolved IP addresses may not match those shown above as these lookups were run from a computer in central North America.  Attempts to resolve these FQDNs in other parts of the world will likely return different results, indicating the global nature of the service's availability.

Network Communications

In an environment configured to allow the required standards-based traffic outbound to any destination on the Internet this service will function as designed without any additional configuration.  The availability and resiliency are automatic.  But in many enterprise networks some or all of the required firewall ports may not be opened, and thus an understanding of what traffic needs to go where can help when configuring firewall policies.

Ports and Protocols

The requirements listed in the following table are from the RealConnect service documentation, but have been reformatted and labeled to clearly show which ranges are required if only needing to support outbound calls over one standards-based protocol.  To support calls on both signaling protocols simply allow traffic outbound to all of the following destination ports.

Protocol  | Ports       | Transport | Type      | Purpose
SIP       | 5060        | TCP       | Signaling | SIP signaling
SIP       | 5061        | TCP       | Signaling | Secure SIP signaling
SIP       | 15001-16000 | UDP       | Media     | BFCP content sharing media
SIP/H.323 | 20002-30001 | UDP       | Media     | Audio and video media (and H.239 content for H.323)
H.323     | 1719        | UDP       | Signaling | H.225 RAS signaling
H.323     | 1720        | TCP       | Signaling | Q.931 signaling
H.323     | 10001-13000 | TCP       | Signaling | H.245 signaling

If planning to only support one protocol then note the overlap in the center of the table where SIP and H.323 calls will share the same range of ports for most, but not all, potential media sessions.  For H.323 calls all outbound media (audio, video, and H.239 content sharing) will utilize destination ports in the 20002-30001 UDP range.  For SIP calls that same port range is used for audio and video, but content sharing using Binary Floor Control Protocol (BFCP) will need to be able to reach destination ports in the service over the 15001-16000 UDP range.

Destinations

Now that the types of traffic and destination ports are known the next obvious step is deciding where to allow this traffic to traverse.  The simple option is to allow this traffic outbound from any trusted network to the public Internet.  Doing this will allow calls to always reach the service, regardless of the resolved and referred addresses.  But more commonly enterprise networks are not this open and require defined subnetworks or small ranges of IP addresses to be configured on firewalls.

Polycom has provided a simple way to query for the active IP addresses utilized by the service in the event that outbound traffic cannot be allowed from an enterprise network out to any destination on the Internet.  Instead of adding the several hundred different subnetworks used in the global Azure datacenter network a list of about 20 IP addresses can be configured.  Given that these services are spread out over a large area and Azure datacenters contain hundreds of discontiguous subnets it is not really worth the effort of defining the subnetworks, as almost every IP address at this moment is in a different subnet.

Make sure to actually perform the nslookup commands as guided and use the real-time results.  Do not use the actual list of IP addresses shown in this article as some will likely change and new addresses may be added as the service grows.  The examples below will not be updated to reflect future changes.

If the RealConnect service will be used for joining both Skype for Business and Teams meetings then all IPs for both deployments in the service should be configured as allowed destinations in a firewall policy.  (The following results are color-coded to indicate which portion of the service each belongs to for illustrative purposes.)

  • To locate all IP addresses in all regions used for Skype for Business and Microsoft Teams solutions simply perform an nslookup against edge-global.plcm.vc

C:\>nslookup edge-global.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     edge-global.plcm.vc
Addresses: 104.45.16.73
           13.77.5.248          
           40.127.74.66
           23.101.236.249
           104.214.224.168
           23.100.126.112
           40.91.214.133          
           13.85.8.48
           40.127.71.243
           52.191.165.159
           13.66.242.170
           40.124.6.108
           52.171.141.90
           13.66.206.244
           13.77.56.231
           23.101.74.190
           104.40.177.169
           13.66.192.127          
           40.127.69.62
           52.178.95.62
           104.215.77.58
           13.70.181.113
           13.80.96.87
           13.77.175.139
           13.65.254.254
           52.178.95.48          
           52.246.253.13

The response above is essentially a concatenated list of both deployments.  Alternatively firewall access lists can be limited to allow outbound traffic to only the IP addresses associated with the desired conferencing platform.  The following FQDNs can be used to identify the Skype half of the service from the Teams half.

  • If only Skype for Business meetings will be supported, then use only the subset of IP addresses returned for edge-sfb.plcm.vc.

C:\>nslookup edge-sfb.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     edge-sfb.plcm.vc
Addresses: 52.178.95.48
           104.40.177.169
           13.66.192.127
           52.246.253.13
           52.178.95.62
           13.65.254.254
           23.101.236.249          
           40.91.214.133
           13.85.8.48
           13.66.242.170
           13.77.5.248
           52.171.141.90
           13.70.181.113

  • If only Microsoft Teams meetings will be supported, then use only the subset of IP addresses returned for edge-teams.plcm.vc.

C:\>nslookup edge-teams.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     edge-teams.plcm.vc
Addresses: 13.80.96.87
           23.101.74.190
           13.77.56.231
           13.77.175.139
           104.45.16.73          
           40.127.74.66
           40.127.69.62
           52.191.165.159
           23.100.126.112
           40.127.71.243
           104.214.224.168
           40.124.6.108
           13.66.206.244          
           104.215.77.58

Any firewall policies created to control traffic by destination cannot actually use any of the FQDNs outlined in this article; only the actual IP addresses (or their subnets) can be used.  There are two different reasons for this:

  1. The FQDNs used to place calls (e.g. *.plcm.vc) are only leveraged in the initial call to reach the regional load balancer.  As mentioned earlier and demonstrated in the next section the call redirection process will attempt a connection to a referred IP address which would not match a rule configured for only the domain name.  The gateways in the service do not even have defined FQDNs, and it would not matter if they did as the redirection process does not leverage DNS.

  2. The FQDNs used to list the IP addresses (e.g. edge-*.plcm.vc) are only for reference and no calls are ever placed using these.  Thus adding them to a firewall policy would serve no functional purpose. 

Additionally it is common for firewall configurations to not allow the use of domain names for egress traffic, either by solution limitation or corporate policy.  This mainly has to do with the insecurity inherent in DNS where the name resolution process can easily be spoofed.
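The allow-list the two sections above describe, as an added example that is not part of the original article or Polycom's tooling: it expands the port table and the edge-sfb / edge-teams address sets into per-host rules and answers whether a given outbound flow would be permitted, so the SIP-only, H.323-only and both-platform cases can be checked before a policy is pushed.  The address sets are the snapshot printed above and will drift, so re-run the nslookup commands before using them; the Rule class, the function names and the generic "permit" line notation are this example's own, not any firewall vendor's syntax.

```python
"""Outbound allow-list for the RealConnect service, built from the port table
and the edge-sfb / edge-teams address sets, plus a checker for candidate flows.

Added example for this article (not Polycom tooling).  The address sets are
the snapshot printed in the article and will drift: re-run nslookup against
edge-sfb.plcm.vc and edge-teams.plcm.vc before using them in a real policy.
"""
import ipaddress
from dataclasses import dataclass

# Destination ports from the article's table, keyed by signaling protocol:
# (transport, first_port, last_port).
PORT_RULES = {
    "SIP": [("tcp", 5060, 5060),        # SIP signaling
            ("tcp", 5061, 5061),        # secure SIP signaling
            ("udp", 15001, 16000),      # BFCP content sharing media
            ("udp", 20002, 30001)],     # audio and video media
    "H.323": [("udp", 1719, 1719),      # H.225 RAS signaling
              ("tcp", 1720, 1720),      # Q.931 signaling
              ("tcp", 10001, 13000),    # H.245 signaling
              ("udp", 20002, 30001)],   # audio, video and H.239 content media
}

# Snapshot of `nslookup edge-sfb.plcm.vc` from the article (Skype half).
EDGE_SFB = {
    "52.178.95.48", "104.40.177.169", "13.66.192.127", "52.246.253.13",
    "52.178.95.62", "13.65.254.254", "23.101.236.249", "40.91.214.133",
    "13.85.8.48", "13.66.242.170", "13.77.5.248", "52.171.141.90",
    "13.70.181.113",
}
# Snapshot of `nslookup edge-teams.plcm.vc` from the article (Teams half).
EDGE_TEAMS = {
    "13.80.96.87", "23.101.74.190", "13.77.56.231", "13.77.175.139",
    "104.45.16.73", "40.127.74.66", "40.127.69.62", "52.191.165.159",
    "23.100.126.112", "40.127.71.243", "104.214.224.168", "40.124.6.108",
    "13.66.206.244", "104.215.77.58",
}
PLATFORM_HOSTS = {"sfb": EDGE_SFB, "teams": EDGE_TEAMS}


@dataclass(frozen=True)
class Rule:
    """One allow entry: a single /32 destination plus a transport/port range."""
    dst: ipaddress.IPv4Network
    transport: str
    first_port: int
    last_port: int

    def matches(self, ip, transport, port):
        return (ip in self.dst and transport == self.transport
                and self.first_port <= port <= self.last_port)


def build_policy(platforms=("sfb", "teams"), signaling=("SIP", "H.323")):
    """Expand the selected platform address sets and signaling protocols into
    one allow-list of host/32 rules.  Rules are collected in a set, so the
    20002-30001 UDP range shared by SIP and H.323 appears once per host."""
    rules = set()
    for platform in platforms:
        for host in PLATFORM_HOSTS[platform]:
            dst = ipaddress.ip_network(host + "/32")
            for proto in signaling:
                for transport, lo, hi in PORT_RULES[proto]:
                    rules.add(Rule(dst, transport, lo, hi))
    return frozenset(rules)


def is_allowed(policy, dst_ip, transport, port):
    """True if any rule in the policy permits the flow; the default is deny."""
    ip = ipaddress.ip_address(dst_ip)
    return any(r.matches(ip, transport.lower(), port) for r in policy)


def as_firewall_lines(policy):
    """Render the policy as sorted 'permit <transport> any <host> <ports>'
    lines, a generic notation rather than any particular vendor's syntax."""
    lines = []
    key = lambda r: (int(r.dst.network_address), r.transport, r.first_port)
    for r in sorted(policy, key=key):
        ports = (str(r.first_port) if r.first_port == r.last_port
                 else f"{r.first_port}-{r.last_port}")
        lines.append(f"permit {r.transport} any {r.dst.network_address} {ports}")
    return lines


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(as_firewall_lines(policy)))
    # The gateway the 302 in the next section refers the call to must be
    # reachable on TCP/5060 even though the call started towards t.plcm.vc.
    print(is_allowed(policy, "104.215.77.58", "tcp", 5060))
```

Running the SIP-only and H.323-only policies against the same host shows the asymmetry the table describes: BFCP on UDP 15001-16000 passes only under the SIP policy, RAS on UDP 1719 only under the H.323 policy, while media on UDP 20002-30001 passes under both.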

Example Call

This section will walk through placing a SIP call from a VTC (Polycom Group Series 500) to a Microsoft Teams meeting in order to demonstrate the call handling.  Additionally the behavior will be dissected to explain what is happening in each step.  The following SIP messages are trimmed down to only show the pertinent information, and the test call was placed over TCP for easy access to the logs.  Normally these calls would be placed over TLS to ensure that the signaling traffic is encrypted over the Internet.

  • A SIP call is placed to 000000.116058723@t.plcm.vc which is used to join the Teams meeting call directly.  This was placed manually but is the exact same dial string used when selecting the ‘Join’ button on the calendar invite.

  • The endpoint will resolve the domain t.plcm.vc using DNS and receive an IP address from Azure Traffic Manager based on the Performance Traffic-Routing method.  This measures the latency between the endpoint and each Azure datacenter hosting Polycom RealConnect services to determine the best location to route the call.

C:\>nslookup t.plcm.vc
Server:   UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:     teams-prod-scus.plcm.vc
Address:  23.100.126.112
Aliases:  t.plcm.vc
          prod-plcm-teams.trafficmanager.net

The endpoint in this example is located in Chicago and the returned IP address of 23.100.126.112 would likely be from a US-based Azure datacenter, but it does not have to be.  To determine which datacenter the call is being directed to there are a few clues in the response.  Firstly, the name of the DNS A record returned for that IP address includes "scus", which is short-hand for South Central United States and incidentally was the site with the lowest recorded latency shown earlier in this article.

This is an assumption though based on the name, so it would be better to confirm by reviewing the latest version of the Microsoft Azure Datacenter IP Ranges documentation.  By downloading the XML file and searching for a match against that IP there is currently only one possible subnet which could contain that IP address: 23.100.120.0/21.  (For addresses with multiple matches a simple subnet calculator can be used to determine the correct subnet for the desired IP address.)  In the XML file the 23.100.120.0/21 subnet is listed under the ussouth region, indicating which region that IP address is currently assigned.  (Microsoft updates this documentation often as the subnets and locations do change over time, so it is possible that the IP address in this example does not appear in the same region at some point in the future.)
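The subnet check described above, as an added example that is not part of the original article: a proper containment test against the region/subnet list rather than a text search, so an address is matched to the most specific listed subnet and to the region that holds it.  The XML below is a constructed excerpt in the layout of Microsoft's Azure Datacenter IP Ranges file (Region elements holding IpRange elements with a Subnet attribute); only the 23.100.120.0/21 ussouth entry is taken from the text, the other subnets are RFC 5737 documentation ranges made up for illustration.

```python
"""Match a public IP against the subnet list in the Azure Datacenter IP Ranges
XML to learn which region currently advertises it.

Added example, not from the article.  SAMPLE_XML is a constructed excerpt in
that file's layout; only the 23.100.120.0/21 ussouth entry comes from the
text, the remaining subnets are documentation ranges used as filler."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<AzurePublicIpAddresses>
  <Region Name="ussouth">
    <IpRange Subnet="23.100.120.0/21" />
    <IpRange Subnet="198.51.100.0/24" />
  </Region>
  <Region Name="uswest2">
    <IpRange Subnet="203.0.113.0/24" />
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="192.0.2.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""


def load_ranges(xml_text):
    """Yield (region_name, IPv4Network) for every IpRange in the document."""
    root = ET.fromstring(xml_text)
    for region in root.iter("Region"):
        name = region.get("Name")
        for entry in region.iter("IpRange"):
            yield name, ipaddress.ip_network(entry.get("Subnet"), strict=False)


def find_regions(xml_text, ip):
    """Return every (region, subnet) whose subnet contains ip, most specific
    (longest prefix) first.  Containment replaces the string search the
    article describes, so a prefix like '23.100.12' can never match
    23.100.12x.0 subnets by accident, and overlapping entries are ranked
    instead of guessed."""
    addr = ipaddress.ip_address(ip)
    hits = [(name, net) for name, net in load_ranges(xml_text) if addr in net]
    return sorted(hits, key=lambda hit: hit[1].prefixlen, reverse=True)


def region_for(xml_text, ip):
    """Region name of the most specific matching subnet, or None if unlisted."""
    hits = find_regions(xml_text, ip)
    return hits[0][0] if hits else None


if __name__ == "__main__":
    for candidate in ("23.100.126.112", "203.0.113.7", "104.215.77.58"):
        print(candidate, "->", region_for(SAMPLE_XML, candidate))
```

With the real file the same functions apply unchanged; pass its contents as the xml_text argument.  Because the mapping changes over time, a None result for an address that worked last month means the list needs refreshing, not that the service moved.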

  • Now that the endpoint has a destination address to connect to it will establish an outbound TCP connection to the resolved IP address and, if successful, will send a SIP INVITE message to the SIP address.  (The SDP information included in the invitation denotes the internal IP address of the endpoint.)

|>>- SEND OVER [TCP] MSG -> NET   2217 bytes  to 23.100.126.112[:5060] sock 101——–>>|
INVITE sip:680450644.114347572@t.plcm.vc SIP/2.0
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166153661-1012
Allow: INVITE,BYE,CANCEL,ACK,INFO,PRACK,COMET,OPTIONS,SUBSCRIBE,NOTIFY,MESSAGE,REFER,REGISTER,UPDATE
From: sip:192.168.1.163;tag=plcm_1166153715-1012;epid=82170146F81DCV
To: <sip:680450644.114347572@t.plcm.vc>
Call-ID: 1166153290-1012
CSeq: 1 INVITE
User-Agent:PolycomRealPresenceGroup500/6.2.0
Content-Type: application/sdp
o=GroupSeries 1140207171 0 IN IP4 192.168.1.163
c=IN IP4 192.168.1.163

  • The endpoint receives an informational 100 TRYING response from the server.  Note the external public IP (22.33.44.55) of the endpoint's network address translation has been changed in this article to hide the actual public IP used during the call.

|<<- RECV OVER [TCP] MSG <- NET   301 bytes  from 23.100.126.112[:5060] sock 101 ——–<<|
SIP/2.0 100 Trying
CSeq: 1 INVITE
Call-ID: 1166153290-1012
From: <sip:192.168.1.163>;tag=plcm_1166153715-1012;epid=82170146F81DCV
To: <sip:680450644.114347572@t.plcm.vc>
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166153661-1012;received=22.33.44.55;rport=38955

  • The endpoint also receives a redirection from the server in the form of a 302 MOVED TEMPORARILY response.  This instructs the endpoint to place a new call to the address provided in the Contact field.

|<<- RECV OVER [TCP] MSG <- NET   452 bytes  from 23.100.126.112[:5060] sock 101 ——–<<|
SIP/2.0 302 Moved Temporarily
CSeq: 1 INVITE
Call-ID: 1166153290-1012
From: <sip:192.168.1.163>;tag=plcm_1166153715-1012;epid=82170146F81DCV
To: <sip:680450644.114347572@t.plcm.vc>;tag=3c2129ac
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166153661-1012;received=22.33.44.55;rport=38955
Contact: <sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193@104.215.77.58:5060;transport=tcp>;expires=15

As seen above, the new call has an updated SIP address including a new destination located at 104.215.77.58.  What has happened here is that the initial call resolved to the single load-balanced IP address for the entire region (in this case ussouth).  Once the call is accepted the load balancer will redirect the endpoint to another load-balanced IP address which sits in front of the pool of gateways.  Thus the initial call is connecting to a server which only handles SIP and H.323 signaling protocols.  Note that while in most cases the referred address will be in the same datacenter as the original connection, it is possible for the endpoint to be redirected to a different data center to complete the call.  This could occur in the event of a partial service outage, for example.  This is why it is important to configure premises firewalls to correctly handle outbound VTC traffic for both signaling and media communications to all possible destinations in all available datacenters, and not just those in the same region as the endpoints are located.

  • The endpoint transmits an Acknowledgement (ACK) message to let the server know that it received and understood the redirection command.  This will be the last SIP message to use the current Call-ID value.

ACK sip:680450644.114347572@t.plcm.vc SIP/2.0
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166153661-1012
From: sip:192.168.1.163;tag=plcm_1166153715-1012;epid=82170146F81DCV
To: <sip:680450644.114347572@t.plcm.vc>;tag=3c2129ac
Call-ID: 1166153290-1012
CSeq: 1 ACK

  • At this point the endpoint opens a new TCP connection to the referred IP address and sends a new SIP INVITE with a new SIP address, complete with a new Call-ID value.  It is important to note that the new call is using an IP address instead of the domain name in the original call.  This underscores the need to define any destination hosts via IP and not by domain names in firewall policies.

|>>- SEND OVER [TCP] MSG -> NET   2293 bytes  to 104.215.77.58[:5060] sock 101——–>>|
INVITE sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193@104.215.77.58 SIP/2.0
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166557684-1012
From: sip:192.168.1.163;tag=plcm_1166557738-1012;epid=82170146F81DCV
To: <sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193@104.215.77.58>
Call-ID: 1166557282-1012
CSeq: 1 INVITE
User-Agent:PolycomRealPresenceGroup500/6.2.0
o=GroupSeries 1873749625 0 IN IP4 192.168.1.163
c=IN IP4 192.168.1.163

  • The endpoint receives a standard 180 RINGING response from the server.  (Depending on factors like latency and load a 100 TRYING message may also be received prior to the Ringing response.)

|<<- RECV OVER [TCP] MSG <- NET   568 bytes  from 104.215.77.58[:5060] sock 101 ——–<<|
SIP/2.0 180 Ringing
To: <sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193@104.215.77.58>;tag=8B02E52E-20DFDF35
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166557684-1012;received=22.33.44.55;rport=33779
CSeq: 1 INVITE
Call-ID: 1166557282-1012
From: <sip:192.168.1.163>;tag=plcm_1166557738-1012;epid=82170146F81DCV
User-Agent: Polycom Teams Gateway_00/master-85176_8032-2111-2142-6362-9349-7552-48

Note that the User-Agent field is now included in responses from the server, indicating that this is a call into the Microsoft Teams service.  (Calls into the Skype for Business service will be identified with "Polycom/Polycom Soft MCU" as the User-Agent value.)

  • The endpoint receives a 200 OK message from the server along with the server’s SDP information to begin establishing the media sessions.

|<<- RECV OVER [TCP] MSG <- NET   2114 bytes  from 104.215.77.58[:5060] sock 101 ——–<<|
SIP/2.0 200 OK
To: <sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193@104.215.77.58>;tag=8B02E52E-20DFDF35
Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166557684-1012;received=22.33.44.55;rport=33779
CSeq: 1 INVITE
Call-ID: 1166557282-1012
From: <sip:192.168.1.163>;tag=plcm_1166557738-1012;epid=82170146F81DCV
Content-Type: application/sdp
User-Agent: Polycom Teams Gateway_00/master-85176_8032-2111-2142-6362-9349-7552-48
o=- 1551111425 1551111425 IN IP4 172.30.0.24
s=Polycom Teams Gateway
c=IN IP4 104.215.77.58

At this point it is common to see additional ACK, INVITE, TRYING, RINGING, and OK messages as the call negotiates.  Sometimes this can occur quickly and other times a handful of seemingly redundant messages will flow between the endpoint and server as call and media negotiations are attempted, but the initial redirection will always occur first.
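The redirection step of the exchange above, as an added example that is not part of the original article or Polycom's software: it parses the 302 Moved Temporarily as logged, extracts the referred gateway from the Contact header, records whether that host is an IP literal (the reason a name-based egress rule cannot cover the second leg), and composes the follow-up INVITE with a new Call-ID and branch as the second INVITE in the log shows.  The response text is the trimmed message from the walkthrough re-joined with CRLF line endings; the Max-Forwards and Content-Length headers in the generated INVITE are assumed, since the trimmed log does not show them.

```python
"""Parse the 302 Moved Temporarily from the walkthrough, pull the referred
gateway out of its Contact header and build the follow-up INVITE.

Added example, not Polycom code.  RESPONSE_302 is the trimmed message from
the article; Max-Forwards and Content-Length in the generated INVITE are
assumed headers the trimmed log does not show."""
import ipaddress
import re
import uuid

RESPONSE_302 = "\r\n".join([
    "SIP/2.0 302 Moved Temporarily",
    "CSeq: 1 INVITE",
    "Call-ID: 1166153290-1012",
    "From: <sip:192.168.1.163>;tag=plcm_1166153715-1012;epid=82170146F81DCV",
    "To: <sip:680450644.114347572@t.plcm.vc>;tag=3c2129ac",
    "Via: SIP/2.0/TCP 192.168.1.163:5060;branch=z9hG4bK1166153661-1012;"
    "received=22.33.44.55;rport=38955",
    "Contact: <sip:680450644.114347572-dd80d7cd7c09a20e-2a8a2888be675193"
    "@104.215.77.58:5060;transport=tcp>;expires=15",
    "", "",
])

# <sip:user@host[:port][;uri-params]>[;header-params]
CONTACT_RE = re.compile(
    r"<sip:(?P<user>[^@>]+)@(?P<host>[^:;>]+)(?::(?P<port>\d+))?"
    r"(?P<uri_params>(?:;[^;>]+)*)>(?P<header_params>.*)")


def parse_response(raw):
    """Split a SIP response into (status_code, reason, headers).  Header names
    are lower-cased and each maps to a list because Via may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    _, code, reason = status_line.split(" ", 2)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), reason, headers


def _params(text):
    """';a=b;c' -> {'a': 'b', 'c': ''}; empty input gives an empty dict."""
    return dict(p.split("=", 1) if "=" in p else (p, "")
                for p in text.strip(";").split(";") if p)


def redirect_target(raw):
    """For a 3xx response return the referred target from Contact, else None.
    host_is_ip records whether the host is an address literal; with this
    service it is, which is why the second leg cannot match an FQDN rule."""
    code, _, headers = parse_response(raw)
    if not 300 <= code < 400 or "contact" not in headers:
        return None
    m = CONTACT_RE.match(headers["contact"][0])
    if not m:
        raise ValueError("unparseable Contact header")
    uri_params = _params(m.group("uri_params"))
    header_params = _params(m.group("header_params"))
    try:
        ipaddress.ip_address(m.group("host"))
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "host_is_ip": host_is_ip,
        "port": int(m.group("port") or 5060),
        "transport": uri_params.get("transport", "udp").lower(),
        "expires": int(header_params["expires"]) if "expires" in header_params else None,
    }


def build_followup_invite(target, local_ip="192.168.1.163", local_port=5060,
                          call_id=None, branch=None):
    """Compose the new INVITE towards the referred gateway.  The Request-URI
    carries user@host only, as in the logged second INVITE; a fresh Call-ID
    and branch mark this as a new dialog rather than a retry of the first."""
    call_id = call_id or uuid.uuid4().hex
    branch = branch or "z9hG4bK" + uuid.uuid4().hex[:16]
    uri = f"sip:{target['user']}@{target['host']}"
    return "\r\n".join([
        f"INVITE {uri} SIP/2.0",
        f"Via: SIP/2.0/{target['transport'].upper()} {local_ip}:{local_port};branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:{local_ip}>;tag={uuid.uuid4().hex[:12]}",
        f"To: <{uri}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 INVITE",
        "Content-Length: 0",
        "", "",
    ])


if __name__ == "__main__":
    target = redirect_target(RESPONSE_302)
    print(target)
    print(build_followup_invite(target, call_id="1166557282-1012"))
```

The expires=15 on the Contact is worth noting when troubleshooting: the referred address is only meant to be used immediately, so a log showing a long gap between the 302 and the second INVITE points at the endpoint, not the firewall.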

Creating Microsoft Teams Rooms Accounts

February 3, 2019 by · 10 Comments 

This article revisits the topic of creating accounts which are used by Microsoft Teams Rooms (MTR), formerly known as the Skype Room System (SRS) v2 platform.  The guidance in this article is applicable to creating online accounts for any natively supported device, from Polycom VVX and Trio phones, to the various Skype Room System offerings from Logitech, Crestron, Polycom, HP, and others.

The directions in this article are performed with an Office 365 tenant utilizing Exchange Online, Skype for Business Online, and Microsoft Teams.  For Server or Hybrid scenarios where the account and/or mailbox is stored on-premises a slightly different process will need to be utilized which is essentially the same as what has been used since the advent of the original Lync Room System platform.

Account Configuration

The majority of the configuration is performed in PowerShell in order to create and modify the account.  While the account configuration for meeting room devices is unique, these are still at the core an Active Directory User Object which has been mailbox-enabled in Exchange as a Room type of resource mailbox.  These are not new concepts and the underlying configuration has followed this arrangement for a long time.

Connect PowerShell

For more details on using Windows PowerShell to connect to and manage the various Office 365 services online refer to this previous article.  The installation steps in that article must first be completed to prepare a Windows workstation with the proper software and modules to connect to each online service remotely via PowerShell.  Once that installation has been completed, or if it has previously been taken care of on the workstation, then continue on with the following steps.

  • Search for and launch the previously installed Microsoft Exchange Online PowerShell Module.

  • Execute each of the following cmdlets to connect to each service required to complete the account configuration.  Enter the credentials of an account with administrative rights to the Office 365 tenant when prompted by each service.  (Note that all five lines below can be copied and pasted into the PowerShell window at once.)

Connect-EXOPSSession
Connect-MsolService
Import-Module SkypeOnlineConnector
$skype = New-CsOnlineSession
Import-PSSession $skype

Select Account License

When creating a new account via PowerShell the desired location and licensing information will need to be provided.  If this information is already known then this step can be skipped.

  • Execute the following Get-MsolAccountSku cmdlet to list all available licenses in the current tenant.

Get-MsolAccountSku

Record the desired AccountSkuId parameter value (e.g. jschertz:ENTERPRISEPREMIUM) for the desired primary license to be assigned to the room system account.  As discussed in past articles the license assigned to this account will need to include at minimum Skype for Business Online Plan 2 and/or Microsoft Teams, but often Business Premium or Enterprise plans are used.  In December 2018 Microsoft introduced a new Meeting Room Office 365 license subscription specifically for devices, so these licenses are ideal for devices like Microsoft Teams Rooms.

In this article the Meeting Room license (e.g. jschertz:MEETING_ROOM) will be used.  Also take note that this tenant includes Calling Plan add-on licenses (jschertz:MCOPSTN2) which will be assigned to the account.  This is an optional step but provides additional functionality to the room systems by allowing PSTN calls to and from the room.  Because the new Meeting Room license

Define Variables

In order to streamline this process by allowing for a simple copy/paste of most cmdlets, the next step is to define a set of variables which will be used throughout the various steps.  Enter the following lines to set the variables to the desired value for each item.

  • Set the desired identity (User Principal Name (UPN), SMTP address, SIP URI, etc.) of the new account as the $newRoom variable.
  • Select an appropriate display name for the account as the $name variable.
  • Define a new, valid password as the $pwd variable.
  • Enter the desired license name which was discovered in the previous section as the $license variable.
  • Enter the valid 2-letter country code for the appropriate location where this account will be used as the $location variable.

$newRoom="mtr@msteams.net"
$name="Microsoft Teams Room"
$pwd="Password!23"
$license="jschertz:MEETING_ROOM"
$location="US"

Create New Account

This step will create a new account in Azure Active Directory and simultaneously mailbox-enable the account in Exchange Online as a Room resource mailbox.  It also sets the password defined in the previous section and then enables the account for authentication.

  • Run the following New-Mailbox cmdlet to create the new account.

New-Mailbox -MicrosoftOnlineServicesID $newRoom -Name $name -Room -RoomMailboxPassword (ConvertTo-SecureString -String $pwd -AsPlainText -Force) -EnableRoomMailboxAccount $true

It is recommended to wait about 30 seconds after the mailbox has successfully been created before attempting to run the commands in the next section, otherwise errors may occur.

Configure Account

The following steps will be used to configure the additional requisite and recommended options on the account and mailbox.

  • After waiting 30 seconds run the following Set-MsolUser cmdlet to disable password expiration and set the UsageLocation.

Set-MsolUser -UserPrincipalName $newRoom -PasswordNeverExpires $true -UsageLocation $location

  • Run the following Set-MsolUserLicense cmdlet to assign the appropriate Office 365 license to the new account.

Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses $license

  • Run the following Set-Mailbox cmdlet to set the Outlook MailTip which appears when sending meeting invitations to the room mailbox.

Set-Mailbox -Identity $newRoom -MailTip "This room is equipped to support Teams and Skype Meetings"

  • Run the following Set-CalendarProcessing cmdlet to configure how meeting invitations are processed by Exchange for this mailbox. 

Set-CalendarProcessing -Identity $newRoom -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -RemovePrivateProperty $false -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true -AdditionalResponse "Your meeting is now scheduled and if it was enabled as a Teams or Skype Meeting will provide a seamless click-to-join experience from the conference room." 

It is especially important that the -DeleteComments and -DeleteSubject settings are applied correctly, otherwise invitations may appear on the meeting room device but without the "Join" button needed to connect to the meeting.  These two parameters are set to $true by default when creating a room mailbox through normal methods, thus they must be manually set to $false as shown here.

Enable Meeting Room

These steps are required to enable the account for use with Skype for Business and/or Microsoft Teams.  It is recommended to wait at least 5 minutes after initially creating the account before attempting to enable the account as a meeting room in Skype for Business Online, due to replication intervals.  Sometimes it can take even longer (up to 15 minutes has been observed) before this step will successfully complete.

  • Run the following Get-CsOnlineUser cmdlet to list the assigned SIP registrar(s) for all Skype-enabled accounts in the tenant.

Get-CsOnlineUser |ft RegistrarPool

The results above indicate that all accounts in the tenant are in the same pool (e.g. sippoolblu2a05.infra.lync.com). 

  • After waiting several minutes run the following Enable-CsMeetingRoom cmdlet, replacing the RegistrarPool value with the FQDN returned in the previous step to enable the new room account.

Enable-CsMeetingRoom -Identity $newRoom -SipAddressType "EmailAddress" -RegistrarPool "sippoolblu2a05.infra.lync.com"

If the previous cmdlet returns an error of "Management object not found for identity" then the account enablement has not yet been completed in the cloud.  Wait a few more minutes before attempting to run this cmdlet again.

Configure Enterprise Voice

If the room account will also require PBX and PSTN capabilities then the following steps can be used to enable the account appropriately.  For Microsoft Teams either Direct Routing or Calling Plans can be utilized to provide PSTN services to the account.  The tenant in this example currently has an available Calling Plan license which will be used for this purpose.

  • Run the following Set-CsMeetingRoom cmdlet to enable the account for Enterprise Voice

Set-CsMeetingRoom -Identity $newRoom -EnterpriseVoiceEnabled $true

  • Assign the appropriate Microsoft Calling Plan license (e.g. MCOPSTN2) to the room account using the following cmdlet.

Set-MsolUserLicense -UserPrincipalName $newRoom -AddLicenses "jschertz:MCOPSTN2"

At this point the account configuration is complete and can be used with a meeting room device.
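The whole account procedure above collected into one repeatable function, as an added example that is not part of the original article and not Microsoft's or Polycom's code.  It uses only the cmdlets and parameters shown in the steps, adds the 30-second pause and a retry loop for the "Management object not found" error the text describes, reads the registrar pool from an existing Skype-enabled user, and prompts for the password as a SecureString instead of keeping it in a plain-text variable (the $pwd name used above also shadows PowerShell's automatic $PWD variable).  It assumes the Exchange Online, MSOnline and Skype for Business Online sessions are already connected as shown under "Connect PowerShell"; the function name and the -EnableTimeoutMinutes parameter are this example's own.

```powershell
# Added example for this article, not Microsoft's or Polycom's code: the
# account steps collected into one function with the pause and retry the
# text describes.  Assumes the Exchange Online, MSOnline and Skype for
# Business Online sessions are already connected.
function New-TeamsRoomAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,       # UPN/SMTP/SIP, e.g. mtr@msteams.net
        [Parameter(Mandatory)] [string] $DisplayName,    # e.g. "Microsoft Teams Room"
        [Parameter(Mandatory)] [string] $License,        # AccountSkuId, e.g. jschertz:MEETING_ROOM
        [Parameter(Mandatory)] [string] $UsageLocation,  # two-letter country code, e.g. US
        [string] $CallingPlanLicense,                    # optional, e.g. jschertz:MCOPSTN2
        [string] $MailTip = "This room is equipped to support Teams and Skype Meetings",
        [int]    $EnableTimeoutMinutes = 20              # assumed value, not from the article
    )

    # Prompt for the password as a SecureString so it is not left in plain text
    # in a script or transcript (and avoid $pwd, which shadows the automatic $PWD).
    $password = Read-Host -Prompt "Password for $Identity" -AsSecureString

    New-Mailbox -MicrosoftOnlineServicesID $Identity -Name $DisplayName -Room `
        -RoomMailboxPassword $password -EnableRoomMailboxAccount $true | Out-Null

    # The article recommends about 30 seconds before modifying the new object.
    Start-Sleep -Seconds 30

    Set-MsolUser -UserPrincipalName $Identity -PasswordNeverExpires $true -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $Identity -AddLicenses $License
    Set-Mailbox -Identity $Identity -MailTip $MailTip

    # -DeleteComments and -DeleteSubject default to $true for room mailboxes;
    # left that way the device shows invitations without a Join button.
    Set-CalendarProcessing -Identity $Identity -AutomateProcessing AutoAccept `
        -AddOrganizerToSubject $false -RemovePrivateProperty $false `
        -DeleteComments $false -DeleteSubject $false -AddAdditionalResponse $true `
        -AdditionalResponse "Your meeting is now scheduled and if it was enabled as a Teams or Skype Meeting will provide a seamless click-to-join experience from the conference room."

    # Take the registrar pool from any already enabled user rather than typing it.
    $pool = Get-CsOnlineUser | Where-Object { $_.RegistrarPool } |
        Select-Object -First 1 -ExpandProperty RegistrarPool
    if (-not $pool) { throw "No Skype-enabled user found to read a RegistrarPool from" }

    # Enablement fails with "Management object not found" until replication
    # completes (5 to 15 minutes in the text), so retry on that error only.
    $deadline = (Get-Date).AddMinutes($EnableTimeoutMinutes)
    $enabled = $false
    do {
        try {
            Enable-CsMeetingRoom -Identity $Identity -SipAddressType EmailAddress `
                -RegistrarPool $pool -ErrorAction Stop
            $enabled = $true
        }
        catch {
            $notReplicated = $_.Exception.Message -match "Management object not found"
            if (-not $notReplicated -or (Get-Date) -gt $deadline) { throw }
            Write-Verbose "Account not yet replicated; retrying in 60 seconds"
            Start-Sleep -Seconds 60
        }
    } until ($enabled)

    # Optional Enterprise Voice, as in the "Configure Enterprise Voice" section.
    if ($CallingPlanLicense) {
        Set-CsMeetingRoom -Identity $Identity -EnterpriseVoiceEnabled $true
        Set-MsolUserLicense -UserPrincipalName $Identity -AddLicenses $CallingPlanLicense
    }

    Get-CsMeetingRoom -Identity $Identity
}

# Example call using the values from this article:
# New-TeamsRoomAccount -Identity mtr@msteams.net -DisplayName "Microsoft Teams Room" `
#     -License jschertz:MEETING_ROOM -UsageLocation US -CallingPlanLicense jschertz:MCOPSTN2 -Verbose
```

Run it with -Verbose to see each replication retry; any error other than the replication one is rethrown immediately so a wrong license name or pool does not sit silently in the retry loop.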

Device Configuration

For the purposes of this article the Polycom + HP SRS Microsoft Teams Room solution will be used to test the account configuration, but these instructions are identical for any of the qualified solutions available today from various Microsoft partners.

The account information can be added to a Microsoft Teams Room device either during the initial setup process by simply booting up the device and following the setup screens, or by selecting the Settings icon in the lower-right corner of the control interface’s default screen.

  • If performing first-time setup then accept the Microsoft Software License Terms and select Next.

After accepting the license, or if performing the configuration on a previously configured system, then the User Account screen will appear.

  • In the Skype sign-in address field enter the identity selected for the room account which was created (e.g. mtr@msteams.net) and then complete the Password fields.

The Exchange address field will have automatically populated with the same value entered above and should not be changed given the account configured for this unit has the same value for its account name, SIP URI, and SMTP address.

The Domain\username (optional) field should be left blank.  This field is only needed in the event that the account’s SIP URI does not match the account’s UPN and/or legacy account name.  In those situations this field should be used to provide UPN (username@domain.com) or the legacy account name (DOMAIN\username).

  • In the Supported meeting mode menu select the Skype for Business and Microsoft Teams (default) option.

The Supported meeting mode setting is a newer setting which was added last year once support for Microsoft Teams was introduced to the product.  This setting essentially controls which meeting platform(s) can be used as well as which will be used as the default.  The available options are:

  1. Skype for Business only
  2. Skype for Business and Microsoft Teams (default)
  3. Skype for Business (default) and Microsoft Teams

This platform currently defaults to the Skype for Business only option, which means that calls and meetings with Microsoft Teams users will not work and the interface will not provide a "Join" button for any Microsoft Teams meetings seen on the device's calendar.  To enable support for Microsoft Teams meetings either of the other two settings must be selected.  The difference between the other two options is that, while they both support joining Skype and Teams meeting invitations, the "(default)" portion of the name indicates which platform will be used when the New Meeting and Dial Pad options on the home interface are used.

The Bluetooth Beaconing setting is also enabled by default, although at the time of posting this article that capability has not yet been made generally available to Microsoft Teams users.  While the beaconing setting and functionality have been appearing in the Microsoft Teams Room software for several releases, at this point the pairing functionality is not yet available in the desktop or mobile Microsoft Teams clients.  This capability is due to be available soon though, so it can be left in the default On state.

  • Once the User Account configuration is correct then select Next and advance through the remaining screens by modifying any desired Features or Theming options, or select Save and Exit if simply reconfiguring the account on an existing system.

The system will return to its ready state and the interface should appear similar to the following image.  Note that until the new account is invited to a meeting the interface will not show any calendaring information along the left-hand side.

This new account was immediately invited to both a scheduled Skype Meeting and a Teams Meeting, as indicated by the small Skype and Teams icons on the associated calendar entries.

Also, because the account in this example was enabled with a base license which includes a Phone System add-on license as well as the proper Enterprise Voice configuration, the Dial Pad option is shown.  The New Meeting option will trigger the creation of a new Microsoft Teams meeting when inviting another participant, based on the previous selection of Skype for Business and Microsoft Teams (default) as the Supported meeting mode setting.

Polycom OTD Service with Cisco Endpoints

January 26, 2019 by · 3 Comments 

This article about the Polycom One Touch Dial (OTD) service is another in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

Before performing any configuration steps in this article it is recommended to first review the Polycom One Touch Dial Service article to gain an understanding of how the services work and why the configuration differs between Polycom and Cisco endpoints.

Exchange Configuration

This section will walk through creating a new service account, followed by the initial OTD service portal configuration.  Then a Cloud Relay server will need to be deployed (covered in a separate article) and a single Cisco endpoint added to the OTD portal.  By contrast this configuration is more involved than the basic configuration for Polycom endpoints due to the Cisco endpoint not acting like a native Exchange calendaring client.

Prepare PowerShell

The following environment preparation steps are performed using Windows PowerShell to connect to multiple online modules.  The workstation used to perform these commands may need to have some initial setup steps performed to access these modules.  Only the Exchange Online PowerShell and MSOnline modules need to be installed to support the cmdlets in this article.

  • Follow the steps in the Managing Office 365 with PowerShell article and then connect to both Exchange Online and the MSOnline modules as instructed.  (There is no need to connect to the AzureAD or Skype for Business modules.)

Connect-EXOPSSession
Connect-MsolService

image

Create Mailbox

This step may not be required as typically a mailbox already exists for a conferencing room space that is represented in Outlook to book as a resource.  If a new mailbox needs to be created for a specific VTC then the following steps can be used to create an Exchange Room Mailbox using PowerShell.

For this article a new resource mailbox will be created for use with a single Cisco endpoint.

  • Run the following New-Mailbox command to create a new resource mailbox of Room type, replacing the example values with the desired unique ID, Alias, Name, and Password.

New-Mailbox -MicrosoftOnlineServicesID vtc2@msteams.net -Alias "vtc2" -Name "VTC 2 (Cisco)" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "P@s5w04d" -AsPlainText -Force)

image

If a replication failure warning appears it can safely be ignored as it is just reporting that the new mailbox will take some time to be created and replicated within Exchange Online.  The following configuration steps can be performed immediately.

If needed, repeat this process to create a room mailbox for every Cisco VTC which will be used with OTD service.

Configure Mailbox

With either the new mailbox created above or an existing mailbox the following commands will ensure that the mailbox is correctly configured.  Depending on how existing resource mailboxes were created these parameters may already be set correctly, but sometimes the existing settings will purge the meeting invitation contents to save on mailbox storage.  Without that data included in the room’s copy of the invite then OTD has no information to process and then no ‘Join’ button would appear on the invited VTC.

  • Run the following Set-CalendarProcessing command against the new mailbox as identified by the Identity parameter.  Leave all other parameters at the documented values, aside from the -AdditionalResponse setting which can be customized to include any message.

Set-CalendarProcessing -Identity vtc2@msteams.net -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

image

If needed, repeat this process for every room mailbox (new or existing) that is (or will be) associated with a supported VTC to leverage OTD.

Create Service Account

For environments leveraging Exchange Online this account will require an appropriate Office 365 license.  At minimum an Exchange Online Kiosk license is the lowest-cost option that provides the necessary mailbox, but any Exchange Online, Business, or Enterprise license is more than adequate.  This service account must have a mailbox even though its own mailbox is never actually used throughout the OTD process.  Exchange can only delegate mailbox permission to other mailbox-enabled accounts, hence the need for a license.

  • Using the same process as outlined in the first section connect to both Exchange Online and the MSOnline PowerShell modules and then execute the Get-MsolAccountSku cmdlet to list all available license options currently applied to the Office 365 tenant.

Get-MsolAccountSku

image

The example tenant in this article has available Enterprise E5 licenses (ENTERPRISEPREMIUM), which is clearly overkill for this requirement.  As suggested above a less expensive option of Exchange Online Kiosk (EXCHANGEDESKLESS) can be used instead. 

  • Run the following New-MsolUser command to create a new user account which will be used by the OTD service to connect to Exchange over Exchange Web Services.  Replace the example values below with the desired Display Name, User Principal Name, Usage Location (appropriate two-letter country code), License Assignment, and Password.

New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName "otd@msteams.net" -UsageLocation "US" -LicenseAssignment "jschertz:EXCHANGEDESKLESS" -Password "P@s5w04d" -PasswordNeverExpires $true -ForceChangePassword $false

image

Delegate Mailbox Permissions

In order to use the new service account to access each and every resource mailbox it will need to be delegated the appropriate permissions to each mailbox.  The only right this account requires is Read access to the Calendar folder in each mailbox.

  • Run the Add-MailboxFolderPermission command, providing the Identity of the desired source mailbox’s Calendar folder as well as the User Principal Name of the newly created service account.

Add-MailboxFolderPermission -Identity "vtc2@msteams.net:\Calendar" -User "otd@msteams.net" -AccessRights "Reviewer"

image 

If needed, repeat this process to delegate permissions for each room mailbox’s Calendar to the single service account.

Verify Mailbox Permissions

Once all mailboxes are configured the following optional cmdlet can be used to report which mailboxes in the entire organization the service account has access to.

Run the following command to query every mailbox in the organization to verify if the service account has the needed Reviewer permissions to the Calendar folders of the room mailbox.

Get-Mailbox | ForEach-Object {Get-MailboxFolderPermission "$($_.PrimarySmtpAddress):\Calendar" -User "otd@msteams.net" -ErrorAction SilentlyContinue | Format-Table Identity,FolderName,User,AccessRights}

image
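The mailbox steps above (create a room mailbox, keep the invitation contents, create the service account, delegate Reviewer on the Calendar folder, verify) can be run as one idempotent script.  The following is an added example and not code from the article or from Polycom; it reuses the article’s sample values (vtc2@msteams.net, otd@msteams.net, the jschertz:EXCHANGEDESKLESS SKU) as placeholders, assumes Connect-EXOPSSession and Connect-MsolService have already been run, and adds an audit at the end that flags any room mailbox whose calendar processing would strip the invite contents that OTD depends on.

```powershell
# Added example (not from the article): provision and audit OTD room mailboxes.
# Assumes an existing Exchange Online and MSOnline session. All names below are
# constructed placeholders taken from the article's examples.

$ServiceAccountUpn = "otd@msteams.net"
$LicenseSku        = "jschertz:EXCHANGEDESKLESS"   # as listed by Get-MsolAccountSku
$UsageLocation     = "US"

# One entry per Cisco VTC room mailbox to provision or (re)configure.
$Rooms = @(
    @{ Id = "vtc2@msteams.net"; Alias = "vtc2"; Name = "VTC 2 (Cisco)" }
)

# Prompt for passwords instead of embedding them in the script.
$RoomPassword    = Read-Host -Prompt "Room mailbox password" -AsSecureString
$ServicePassword = Read-Host -Prompt "Service account password" -AsSecureString

# Create the licensed service account only if it does not already exist.
# New-MsolUser takes a plain-text password, so unwrap the SecureString for that one call.
if (-not (Get-MsolUser -UserPrincipalName $ServiceAccountUpn -ErrorAction SilentlyContinue)) {
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ServicePassword)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName $ServiceAccountUpn `
        -UsageLocation $UsageLocation -LicenseAssignment $LicenseSku -Password $plain `
        -PasswordNeverExpires $true -ForceChangePassword $false | Out-Null
    Remove-Variable plain
}

foreach ($room in $Rooms) {
    # Create the room mailbox only when it is missing (existing rooms are just reconfigured).
    if (-not (Get-Mailbox -Identity $room.Id -ErrorAction SilentlyContinue)) {
        New-Mailbox -MicrosoftOnlineServicesID $room.Id -Alias $room.Alias -Name $room.Name `
            -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $RoomPassword | Out-Null
    }

    # Keep subject and body of invitations: OTD needs the meeting details in the
    # room's copy of the invite, otherwise no Join button appears on the VTC.
    Set-CalendarProcessing -Identity $room.Id -AutomateProcessing AutoAccept `
        -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false `
        -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true `
        -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

    # Least privilege: Reviewer on the Calendar folder only, no mailbox-level rights.
    # Add-MailboxFolderPermission errors if an entry exists, so update it in that case.
    $folder   = "$($room.Id):\Calendar"
    $existing = Get-MailboxFolderPermission -Identity $folder -User $ServiceAccountUpn -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $folder -User $ServiceAccountUpn -AccessRights Reviewer
    } else {
        Add-MailboxFolderPermission -Identity $folder -User $ServiceAccountUpn -AccessRights Reviewer
    }
}

# Audit every room mailbox in the tenant: warn where calendar processing would
# purge invite contents, and list what the service account can read. Anything
# beyond Reviewer on \Calendar is more than OTD needs and should be reviewed.
Get-Mailbox -RecipientTypeDetails RoomMailbox -ResultSize Unlimited | ForEach-Object {
    $cp = Get-CalendarProcessing -Identity $_.PrimarySmtpAddress
    if ($cp.DeleteComments -or $cp.DeleteSubject) {
        Write-Warning "$($_.PrimarySmtpAddress) strips invitation contents (DeleteComments/DeleteSubject); OTD will have nothing to process."
    }
    Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User $ServiceAccountUpn -ErrorAction SilentlyContinue |
        Select-Object Identity, FolderName, User, AccessRights
} | Format-Table -AutoSize
```

The audit loop is the part worth keeping around after deployment: rerun it whenever a new room is added or a resource mailbox is migrated, since mailboxes created by other tooling commonly have DeleteComments or DeleteSubject enabled and will silently never show a Join button.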

Cloud Relay Deployment

As the Cloud Relay server is used by various services and is not meant only for providing One Touch Dial to Cisco endpoints located on private networks, this portion warrants a separate, complete article.

  • Refer to the Polycom Cloud Relay article to complete the installation and successful pairing of at least one Cloud Relay virtual server in the same routable private network as where the desired Cisco VTC is located.

Service Provisioning

This section covers the service-side configuration for connecting the OTD service to the target Exchange environment.

Configure One Touch Dial Service

To begin the provisioning process the Polycom One Touch Dial portal will need to be utilized.  As explained in the first article of this series the overall RealConnect service order/trial process would have included providing the email address of an administrative contact.  That supplied email address will have been specifically enabled by Polycom to access the OTD portal for the specific tenant enabled for the service.

image

  • Click the Sign in with Microsoft button and then enter the credentials of the account which was originally whitelisted for access to the OTD portal (e.g. jeff@msteams.net).

image

The first time that an authorized user signs into the portal a prompt will appear requesting permission for the Polycom app to sign in on behalf of and read the user’s profile information and data.

  • Review the requested permissions and then click the Accept button.  (If the "Consent on behalf of your organization" option appears it can be ignored as each user account authorized for the OTD portal will receive this same one-time prompt.  If desired, an administrator can select this option now and other accounts will not receive this prompt when they first sign in.  The behavior of the service is not impacted either way.)

image

If this is the first time the portal has been accessed it may report that no devices have been configured.

image

Endpoint Configuration

Now that the OTD service has been connected to the Exchange environment with the service account the first Cisco VTC can be configured.

  • Connect to the Cisco endpoint’s web management interface and verify that XMLAPI Mode is enabled.  This is required in order for the service to push the meeting invitations directly to the VTC.

image

  • Return to the One Touch Dial portal, select the Devices menu, and then click on the Connect a Device button.

image

  • Select the desired Cisco device option from the list (e.g. C SX DX EX MX Models).

image

  • In the General Information section enter a descriptive Name for the device (e.g. VTC2).
  • In the Calendaring section enter the VTC’s associated resource mailbox in the Calendaring Email field (e.g. vtc2@msteams.net).

  • In the Connection section select the appropriate configuration option.  If the Cisco VTC is assigned a public IP address and is directly reachable from the Internet (an unlikely and not recommended scenario) then select the Directly to Polycom One Touch Dial option.  For the typical use-case of the VTC being located on an internal network with a private IP address select the Via Polycom Cloud Relay option and enter the IP address of the Cisco endpoint (e.g. 172.31.16.76).

  • In the Credentials section enter an administrator username and password for the Cisco endpoint (e.g. admin).

image

  • Click Connect to save the configuration and then note the reported status will likely initially show as Pending.

image

  • Select the Devices menu and wait for the status to update to Connected.

image

At this point the Cisco VTC should show any meetings which have been scheduled on the room mailbox.  The Join button will be displayed prior to the scheduled meeting and trigger a call to the RealConnect service to join a Skype or Teams meeting.

image

Polycom Cloud Relay

December 1, 2018 by · 2 Comments 

This article is the third in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

  1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)

  2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)

  3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

The Polycom Cloud Relay is a relatively new component which was born out of the need to provide a lightweight server to handle various supportive tasks for multiple cloud services.  Essentially, when moving a solution or workflow from an on-premises server into a hosted service across the public Internet some capabilities may not be able to function entirely in the cloud.  To address this, an on-premises relay is sometimes required to facilitate certain forms of communication.

This server’s primary function is to sit inside enterprise firewalls and open secure outbound connections to various Polycom services running in Microsoft Azure datacenters, meanwhile relaying messages from the cloud over to certain local resources.  The Cloud Relay thus must sit on the private internal network like most other internal servers, and not in a perimeter network, to perform its duties.  This component is a lightweight virtual machine based on CentOS which is provided free of charge to Polycom customers in both VMware (.OVA) and Hyper-V (.VHD) formats.  By itself the server is useless as it must be paired with a customer tenant utilizing one or more licensed Polycom services.

Background

Understand that the Cloud Relay in and of itself really does nothing other than ‘phone home’ and wait for instructions.  When it is first brought online and configured on the local network it will immediately attempt to connect to a handful of hardcoded Fully Qualified Domain Names (FQDNs) which point to several services running across multiple Azure datacenters.  If these connections are successfully established then the new relay will sit indefinitely in a holding pen, waiting to be manually integrated into a specific Polycom cloud tenant.  Once this pairing step is completed by an administrator the relay will be permanently linked to that tenant and begin pulling down any provisioned services which have already been configured in the tenant.  This includes the automatic download of any apps associated with the configuration, which are essentially docked into the Cloud Relay.

So in short, this relay is something that is simply brought online the first time using the local console and then from that point forward all management and configuration is performed through the appropriate Polycom cloud portal.  Configuration changes and even software updates to the individual apps are all automatic.  Currently the Cloud Relay itself is not updated so when new versions of the server image are released it would require the deployment of a new image, or replacement of the existing.  But the majority of the various Polycom service offering’s features and functionality comes from the individual apps which are automatically updated as stated.

Once these apps have been pushed down to the relay then it can start to perform its duties, whatever those may be.  Currently the Cloud Relay is used to perform several functions, most of which are applicable to the RealConnect service, but not all.  For example the Polycom Device Management Service (PDMS) cloud offering leverages the Cloud Relay for some optional device management capabilities.  But as this series of CVI articles is focused on the RealConnect service, the two applicable roles that the Cloud Relay serves are:

  1. To relay meeting invitations originating from Exchange Online or Exchange Server resource mailboxes that the Polycom One Touch Dial service needs to process and deliver to Cisco endpoints.  Obviously if a Cisco VTC is sitting on an internal private network then it would not be possible to open a connection from the cloud directly to that endpoint without establishing a 1:1 static NAT through a corporate firewall, which is poor practice and not used.  So the Cloud Relay is used to receive that invitation from the cloud service and then establish a local connection directly to the Cisco endpoint to relay the message.
  2. To relay signaling messages from the Polycom RealConnect service to an on-premises Skype for Business Front End Server/Pool to establish the required connectivity to support RealConnect meetings in the cloud.  This communications path is used by the cloud service to identify and locate the proper Skype Meeting URI for a given scheduled Skype meeting.  The cloud service will then establish a media cascade to the meeting running on the Skype for Business Server through the normal media route via the Skype Edge Server/Pool.  Note that the Cloud Relay only relays signaling; absolutely no media traverses the relay, so the processing and bandwidth requirements are very small.

For high-availability and redundancy multiple relays can be deployed and integrated with the same tenant.  The majority of communications are from the cloud to the relay, so resiliency is inherent and failover is automatic as the service will communicate with all available relays.  For the few scenarios where messages originate from a customer’s network the redundancy behavior can be controlled by local configuration options like Round Robin DNS, Geo-DNS, or DNS Load Balancing.

Workflow

While the Cloud Relay is handling multiple functions the main portion of its communications is always the same.  It will attempt to securely open several outbound connections to Polycom services in Azure, all over two ports: 443 and 5671.  In many environments outbound access to the Internet over 443 is open from any trusted network to untrusted networks and the majority of the traffic traverses here.  But the less-common Advanced Message Queuing Protocol (AMQP) traffic leveraged by the Microsoft Azure Service Bus over port 5671 can often be blocked by corporate firewalls and will need to be allowed outbound.

image

Communications from the Cloud Relay to the various Polycom Services are based on establishing secure connections to hardcoded FQDNs which, based on geography, will be directed to the nearest Azure datacenter where the services happen to be resident.

As outlined in the official documentation the Cloud Relay will resolve and then attempt to connect to the following FQDNs via TCP over port 443:

  • api-global.plcm.cloud
  • api-orion.plcm.cloud
  • logging.plcm.vc
  • aquadevacr-plcm365.azurecr.io

Additionally the Cloud Relay will need to establish connectivity to the Azure Service Bus via TCP over port 5671:

  • servicebus.plcm.vc

All of these connections are established outbound and no ports need to be opened for inbound connections.  (The official documentation does reference opening TCP 22 inbound from the Internet but that is only for remote SSH connectivity in the event that Polycom support needs to connect directly to the Cloud Relay console during a support call.  Do not actually open this port during deployment.)

The role of the Cloud Relay is to provide a two-way communication path with the cloud services by opening the outbound connection and then keeping that connection open for the cloud to send information down as needed.  In the event that outbound connections to the Internet are limited by firewall policy there are two configuration options typically leveraged.  Firstly the FQDNs above can be entered into firewall policies to allow the outbound traffic.  But often domain names are not allowed in firewall policies and only IP addresses and subnetworks may be allowed via defined IT policies.  As services in Azure can sometimes change IP address or subnetworks it is recommended to subscribe to service alerts in case any IP addresses will be changed in future upgrades or maintenance routines.
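Before the relay is even deployed, the outbound paths above can be checked from any Windows host on the same internal network segment the relay will live on, which separates a DNS problem from a blocked port and confirms that the AMQP path on 5671 is open.  The script below is an added example, not code from the article or from Polycom; the FQDN and port list is the one given above, Test-NetConnection and Resolve-DnsName are standard Windows cmdlets, and $RelayAddress is a constructed placeholder for the relay’s own static IP.

```powershell
# Added example (not from the article): egress check for the Cloud Relay's
# hardcoded endpoints, run from a Windows host on the relay's network segment.
# Endpoint list is from the article; $RelayAddress is a constructed placeholder.

$RelayAddress = "192.0.2.10"   # placeholder: the Cloud Relay's static IP

$Required = @(
    @{ Host = "api-global.plcm.cloud";         Port = 443  }
    @{ Host = "api-orion.plcm.cloud";          Port = 443  }
    @{ Host = "logging.plcm.vc";               Port = 443  }
    @{ Host = "aquadevacr-plcm365.azurecr.io"; Port = 443  }
    @{ Host = "servicebus.plcm.vc";            Port = 5671 }   # AMQP to Azure Service Bus
)

function Test-CloudRelayEgress {
    param([hashtable[]]$Targets = $Required)
    foreach ($t in $Targets) {
        # Resolve first so a DNS failure is reported separately from a blocked port.
        $resolved = Resolve-DnsName -Name $t.Host -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress } | Select-Object -First 1
        $tcp = if ($resolved) {
            (Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        } else { $false }
        [pscustomobject]@{
            Host     = $t.Host
            Port     = $t.Port
            Resolved = if ($resolved) { $resolved.IPAddress } else { "none" }
            TcpOpen  = $tcp
            Status   = if ($tcp) { "SUCCESS" } elseif (-not $resolved) { "DNS FAILURE" } else { "BLOCKED" }
        }
    }
}

Test-CloudRelayEgress | Format-Table -AutoSize

# The article says not to open TCP 22 inbound. From a host outside the relay's
# trusted segment (perimeter or guest network) this check must fail; from an
# internal host it may succeed by design, so interpret the result accordingly.
$ssh = Test-NetConnection -ComputerName $RelayAddress -Port 22 -WarningAction SilentlyContinue
if ($ssh.TcpTestSucceeded) {
    Write-Warning "TCP 22 on $RelayAddress is reachable from this network segment"
}
```

A BLOCKED result for servicebus.plcm.vc on 5671 with SUCCESS on all of the 443 entries is the signature of a firewall that permits generic HTTPS egress but not AMQP, which is the case the article warns about; a DNS FAILURE on every entry usually points at the relay’s DNS settings rather than at the firewall.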

With the prerequisite communications to the cloud successfully established the Cloud Relay will download the configuration and apps needed to further establish local communications with any on-premises Skype for Business Servers, Cisco VTCs, or (in the case of PDMS) Polycom IP phones like the VVX and Trio.

  • For communications with a Skype for Business Front End Server/Pool the Cloud Relay will need to be able to open a connection over TLS 5061 using an assigned server certificate.  The additional configuration for this, outside of the prerequisite Cloud Relay deployment, is covered in a separate article in this series, which is mentioned at the top of this article.
  • For communications with a Cisco VTC the Cloud Relay will need to be able to open a connection to the Cisco device over port 443 (or 80).  This additional configuration is also provided in a separate article described at the start of this article.

The remainder of this article will walk through the deployment of a single Cloud Relay into an existing VMware ESXi server.


Management Portal

Before attempting to deploy the Cloud Relay it is necessary to access the associated Polycom management portal, if that has not already been done.  This article assumes that the portal has not yet been accessed for the tenant, so if it already has then simply skip to the next section.

The Cloud Relay is managed inside of the Polycom Cloud Service Administration portal which is a web portal hosted in Azure.  After purchasing licenses or requesting a trial license the administrative contact email provided in the order will have automatically been sent two emails.  One email includes the license number for the order (which was covered in this article) and the other email includes instructions to activate the account’s access to the management portal.

  • Locate the email originally sent by cloud-service-team@polycom.com entitled "Welcome to Polycom Cloud Service Administration".

image

  • Click the Activate Your Account button in the body of the email.

image

Unless this link is utilized shortly after first receiving the email the invitation will likely have expired by now.  If that is the case this connection attempt will have triggered a new automated email to be sent with a fresh activation link, as explained in the following screenshot.

image

  • Return to the same account’s mailbox and look for a new email from the same sender and with the same subject line.  Click the Activate Your Account link in this new message.
  • This time the Activate Account screen should appear asking to define a password for this account. Enter the name associated with the email address, create a new password, and then click Submit.

image

This has created a new Enterprise administrator account locally within the Polycom management portal’s database.  It is recommended to add at least one additional administrator account, but instead of creating more local accounts it is recommended to enable authentication with Office 365.

  • Enter the new password which was just created and click Sign In.

image

  • Select the Administration section at the portal’s home screen.

image

  • From the navigation menu select Authentication Providers and then click the Office 365 option under Built-In Authentication Providers.

image

  • Click Enable under the Create Provider section.

image

The Office 365 option will now be shown in color to indicate that it has been enabled.

image

  • From the navigation menu select Users.

image

Note that the current administrator’s Sign In Account is shown as "Enterprise and Local".  This indicates that if that local account matches the User Principal Name of a valid Office 365 account then that account can also be used now to sign into the portal.  Essentially there are two separate accounts with the same name available to use: one that is stored in the service’s own database (Local) and one that is available via Office 365 authentication (Enterprise).  It is important to understand that if the two accounts have the same password then signing into the portal may seem transparent, but if different passwords are used then it could be confusing.  This is why it is recommended to simply use Office 365 authentication from this point forward, both for the original account and any others which are added.

The following steps are optional and can be skipped over if adding a second administrator account is not desired.

  • Click Add to add another existing Office 365 account in the tenant as an administrator.

image

  • Enter the desired user’s User Principal Name (e.g. steve@msteams.net) and select the appropriate User Role options.  Having a spare full administrator account is recommended, so select all roles, but leave the Sign In Account set to Enterprise Only and then click Save.

image

At this point access to the management portal has been enabled and secured.  After deploying the Cloud Relay server this portal will be used again to complete the configuration.

Deploy Cloud Relay

The next series of steps will include downloading the Cloud Relay software from the Polycom Support site, importing the virtual machine in ESXi, and then configuring the Cloud Relay.  As mentioned earlier this Cloud Relay will be set up on a VMware ESXi server, but these steps may differ based on the virtual server platform and version.  As this section will be familiar to anyone accustomed to managing virtual server systems, the directions in this section will be brief.

Download Software

  • Go to the Polycom Cloud Relay support page and download the current version of the desired software (e.g. OVA Image for HyperV).

image

  • Save the file locally on the same workstation where the ESXi management console will be opened.

Import Virtual Machine

  • Connect to the ESXi server using the web management console and sign in.
  • Select Virtual Machines from the Navigator and then click Create/Register VM.
  • Select the option to Deploy a virtual Machine from an OVF or OVA file.
  • Enter a name for the virtual machine (e.g. CloudRelay1) and then click the select files option and locate the .OVA file previously downloaded to the local computer (e.g. polycom-cloud-relay-1.1.2-64805.ova).
  • Select the desired Datastore, Network Mapping, and Disk Provisioning options.
  • Review the selections and then click Finish to start the process of uploading the OVA file and establishing the virtual machine.

Configure Virtual Machine

  • Once the import process has completed successfully select the new virtual machine in the management console and verify that it has been started.  If not, start the VM.
  • Open the Console and then log into the Cloud Relay using the default username ‘polycom’ and password ‘polycom’.

The OS will require that a new password is created.  Pay close attention to the prompts as the existing password will be requested again before asking for the new password.

  • Re-enter the default password of ‘polycom’ one more time and then enter a new password and confirm the new password.

image

  • Accept the End User License Agreement to advance to the management console’s main menu.

image

  • Select the Configure menu.

image

  • Choose the Configure Network menu and then select the eth0 interface.
  • Select Static address setup and then enter the appropriate IP Address, Network Mask, and Default Gateway and then select OK.

image

  • Once the network service finishes restarting verify the correct settings are displayed onscreen and then select Change Host Name and enter the desired host name for the Cloud Relay (e.g. cloudrelay1).

image

  • Select Configure DNS and enter the appropriate DNS settings for the local network.

image

  • Select Configure NTP and enter the appropriate NTP settings for the local network.

image

  • Exit to the main menu and select Tools.

image

  • Select the Connectivity option.

image

  • Review the connectivity test results to verify that each individual test results in a SUCCESS status and no errors are reported.

image

Note that the 61% value shown in the screenshot above does not mean that only 61% of the tests passed successfully.  This is simply the ASCII interface indicating that only 61% of the results are currently shown on the screen.

  • Use the down-arrow to scroll through the remainder of the results.

image

As mentioned earlier in the article, pay special attention to the last connectivity check to the service bus (polycom-nimbus.servicebus.windows.net) over port 5671 which might be blocked by a firewall.  If all tests have passed successfully then move on to the next step, otherwise check any local DNS configuration or firewall policies to resolve any outbound connectivity issues to the Azure datacenter.

Integrate Cloud Relay

  • Return to the main menu and select the Integrate option.

image

The cloud connector services will be started and then a Registration Code will be displayed on the screen.  Record this code and pay close attention, as due to the console font the zeros (0) and eights (8) can look similar.  For example, the following code is 03777724 but at first glance almost appears to start with an 8.

image

image

Because the Office 365 authentication integration was configured in the first section of this article there is now a new sign-in option available.

image

  • Click the Sign in with Microsoft Office 365 button and, if prompted, select Accept on the permissions request from the Polycom Cloud Service Authentication app.

image

  • Select the Register Devices section.

image

  • Select the Cloud Relay option and then click Add.

image

  • In the Registration Code field enter the code provided by the Cloud Relay in the earlier step (e.g. 03777724), then enter the Device Name (e.g. CloudRelay1) and click Save.

image

The Cloud Relay should now appear in the list, but notice that the Status icon will initially be displayed in gray.

image

Wait a few seconds and, if the deployment was performed correctly, the status should automatically update to a green icon to indicate a successful pairing of the Cloud Relay to this tenant.

image

  • Return to the Cloud Relay console and select the Application Status option from the main menu.

image

At this point the individual components should all be listed as running with no errors reported.

image

Additionally the Tools > Application Logs menu can be used to view diagnostic logs for the various components.

image

Now that a Cloud Relay has successfully been deployed, any additional configuration to support One Touch Dial for Cisco endpoints or RealConnect with Skype for Business Server can be completed.

Polycom One Touch Dial Service

November 28, 2018 by · 19 Comments 

This article is the second in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings.

  1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)

  2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A future article will cover the configuration for Cisco VTCs.)

  3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

    The specific term "One Touch Dial" (or its initialism "OTD") is not new.  It has been used for several years to describe various concepts throughout Polycom solutions: a workflow, an action, a server, an application, and now a service.  To offer some clarity, OTD started as an application which provided a simple meeting joining experience to Polycom and Cisco VTCs for on-premises RealConnect meetings.  This application is one of several custom applications which runs on an a dedicated on-premises server called the Polycom Workflow Server.  This server is used only with the traditional RealConnect deployment model which utilizes on-premises Polycom MCUs.

    More recently the OTD functionality was put into Microsoft Azure for use with the RealConnect service.  Yet, not 100% of what OTD does can be put into the cloud.  The on-premises version of OTD essentially operates as both a Microsoft Exchange Web Services (EWS) proxy and an emulator of the Cisco Telepresence Management Suite (TMS), at a calendaring level only.  Each of those roles is needed to support Polycom and Cisco endpoints respectively.  Polycom endpoints (like the Group Series, HDX, Trio, etc.) all operate as native EWS clients and will automatically retrieve meeting invitations by routinely polling the appropriate Exchange Server or Exchange Online, which is essentially a ‘pull’ operation.  So regardless of the location of the endpoint it is easy for these devices to open a new outbound connection to a server over HTTPS (TCP 443).

    On the other hand, Cisco endpoints that natively support One Button To Push (OBTP) do not operate using the same approach.  These endpoints are effectively dumb and rely on another server (TMS) to retrieve meeting invitation emails on their behalf, which are then relayed to the endpoint.  Given that this ‘push’ operation cannot typically be performed from an Internet-based service down to a host sitting on a private network behind firewalls, the relay needs to exist within the same routed internal network.  Thus, the Polycom Cloud Relay is utilized as this relay.  Meaning that while most of the operation of the original OTD application was placed into Azure as a service, the TMS emulator portion is provided as an applet which resides on the on-premises Cloud Relay virtual server.

    Workflow Explained

    This simple diagram depicts how the OTD service works for both types of supported endpoints.

    image

    The OTD service acts as an EWS proxy and will fetch the mailbox contents on behalf of the endpoint.  This middle-man step is required as OTD’s primary function is to scan each invitation, looking for RealConnect-enabled meeting invitations.  When an applicable Skype for Business or Teams meeting invitation is found then it reformats the outgoing copy to match what the associated endpoint expects to see to enable the ‘Join’ button to appear and operate correctly on the endpoint.  As the required formatting is different between Polycom and Cisco endpoints, OTD handles this accordingly.

    • Polycom VTCs communicate directly with the OTD service currently hosted in Microsoft Azure, so when the endpoint performs a routine mailbox check it will connect to the OTD service to trigger the process.  OTD processes the messages and then passes them on to the Polycom endpoint.  To the endpoint this process is transparent and looks like a regular EWS message exchange.
    • Cisco VTCs do not initiate this process; the environment configuration drives it.  The OTD service itself will monitor mailboxes associated with Cisco endpoints and routinely check for new messages.  If any are found then it will push the message down to the Cloud Relay (which has previously established an ongoing secure two-way connection to the OTD service) and then the Cloud Relay will act as a TMS calendaring service and relay the message to the target Cisco VTC over the local network.  The connection from the relay to the VTC is first attempted securely via HTTPS, but if connectivity over TCP 443 is not available then it will fall back to HTTP over TCP 80.  Note that the fallback delivers the meeting details, including the join information, to the endpoint unencrypted on the local network, so keep HTTPS enabled on the Cisco endpoints rather than relying on it.

    Note that while the diagram above depicts Exchange Online as the mailbox location the OTD service also supports on-premises Exchange Server environments.  As long as Exchange Web Services has been published externally in a deployment then the service can leverage the external EWS FQDN to connect to the server and access the required mailboxes.

    image

    Thus the OTD service can be used with Exchange Server, Hybrid, or Online topologies.  For the articles in this series a standard Microsoft Office 365 tenant is being used so Exchange Online mailboxes will be leveraged for all configuration steps.

    Overview

    There are several different configuration options available to provide One Touch Dial capabilities to Skype for Business Server, Online, and Teams meetings which are enabled for RealConnect.  Polycom endpoints support multiple options, but to support Cisco endpoints there is only one possible configuration.

    Pass-Through Authentication

    Polycom endpoints can by default simply leverage pass-through authentication via the OTD service to access the requested mailbox in Exchange.  The required credentials are stored on the endpoint and are used to authenticate through the OTD service (as a proxy) into Exchange. Pass-through authentication can be used with the actual mailbox account’s credentials or a shared service account if desired.

    This method of using the mailbox’s own credentials on the endpoint configuration is the easiest and requires no configuration in the OTD portal, but it may not be possible in environments where resource mailboxes are disabled in Active Directory.  An alternative approach is to utilize a service account to authenticate to Exchange in the event that the resource mailboxes themselves are not enabled for authentication, which is common (and the default) behavior for Exchange resource mailboxes.  The service account model can be configured to use either pass-through or proxy authentication models.

    • With pass-through authentication a single service account is created and then delegated permissions to all applicable resource mailboxes.  The service account credentials are entered in each endpoint alongside the SMTP address of the desired resource mailbox for a given endpoint. The same service credentials are used on every endpoint for accessing each unique resource mailbox.

    image

    Proxy Authentication

    The OTD service must first be configured to leverage this model as a service account is used alongside manual endpoint configuration in the portal.  To provide One Touch Dial to any supported Cisco endpoints this option is required; pass-through authentication is not applicable.  Polycom endpoints can also use this option if the credentials of the service account are to be known and managed only by IT staff with access to the OTD portal while a different set of local credentials which are known by support staff will be used on the endpoints themselves.  This is a less common approach but does offer flexibility in larger deployments with separate teams managing different components of the overall solution.

    • For proxy authentication the same service account is created and then delegated permissions to all applicable resource mailboxes but is instead stored directly in the OTD portal configuration.  Then unique credentials are manually generated in the OTD portal for each newly configured device, to be used for that endpoint’s local configuration.  The OTD service will act as an authentication proxy, using the local set of credentials for connections from endpoint to the OTD service, and the service account for all communications between itself and Exchange.

    image

    The remainder of this article covers the multiple configuration options available to Polycom VTCs.  A separate article outlines the configuration for Cisco VTCs, which requires additional steps as well as the deployment of a Cloud Relay server on-premises.


    There are two general configuration models available for One Touch Dial:

    1. The first is a standard configuration which leverages autodiscovery to locate resource mailboxes stored in Exchange Online that have been correctly configured to allow authentication using their own credentials.  This approach does not require any configuration on the One Touch Dial portal.  As stated, this model only works with Exchange Online mailboxes.  For Exchange Hybrid environments as long as the VTC’s mailbox is stored in Exchange Online this configuration can be used.
    2. The second, more complex configuration option is required when accessing room mailboxes stored on an Exchange Server as a service account will be required alongside configuration of the One Touch Dial portal to connect to the external Exchange Web Services using that service account.  This model is also required when using the proxy authentication model with Exchange Online mailboxes.

    Standard Configuration

    This section will walk through creating or validating the required Exchange mailbox and then configuring a single Polycom Group Series endpoint to leverage the OTD service.  For this method to be viable the resource mailbox (new or existing) will need to be hosted in Exchange Online and enabled for authentication.  If that is not possible or not allowed by enterprise policies then skip to the next section covering the Service Account Configuration methods.

    As explained earlier, there is no need to first sign in to the One Touch Dial portal and perform any service configuration steps when using Polycom endpoints.  The service will automatically leverage Exchange Autodiscover to locate the source mailbox in Exchange Online.

    Prepare PowerShell

    The following environment preparation steps are performed using Windows PowerShell to connect to multiple online modules.  The workstation used to perform these commands may need to have some initial setup steps performed to access these modules.  Only the Exchange Online PowerShell and MSOnline modules need to be installed to support the cmdlets in this article.

    • Follow the steps in the Managing Office 365 with PowerShell article and then connect to both Exchange Online and the MSOnline modules as instructed.  (There is no need to connect to the AzureAD or Skype for Business modules.)

    image

    Create Mailbox

    This step may not be required as typically a mailbox already exists for a conferencing room space that is represented in Outlook to book as a resource.  If a new mailbox needs to be created for a specific VTC then the following steps can be used to create an Exchange Room Mailbox using PowerShell.

    For this article a new resource mailbox will be created for use with a single Polycom Group Series endpoint.

    • Run the following New-Mailbox command to create a new resource mailbox of Room type, updating the ID, Alias, Name, and Password values as desired.  (The example embeds the password in the command for readability; in practice pass the result of Read-Host -AsSecureString as the -RoomMailboxPassword value instead so that the password does not end up in the PowerShell history or any transcript.)

    New-Mailbox -MicrosoftOnlineServicesID "vtc1@msteams.net" -Alias "vtc1" -Name "VTC 1 (Polycom)" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "P@s5w04d" -AsPlainText -Force)

    image

    If a replication failure warning appears it can safely be ignored as it is just reporting that the new mailbox will take some time to be created and replicated within Exchange Online.  The following configuration steps can be performed immediately.

    If needed, repeat this process to create a room mailbox for every Polycom endpoint which will be used with OTD service.

    Configure Mailbox

    Using either the new mailbox created above or an existing mailbox the following commands will ensure that the mailbox is correctly configured.  Depending on how existing resource mailboxes were created these parameters may already be set correctly, but sometimes the existing settings will purge the meeting invitation contents to save on mailbox storage.  Without that data included in the room’s copy of the invite then OTD has no information to process and then no ‘Join’ button would appear on the invited VTC.

    • Run the following Set-CalendarProcessing command against the new mailbox as identified by the Identity parameter.  Leave all other parameters at the documented values, aside from the -AdditionalResponse setting which can be customized to include any message.

    Set-CalendarProcessing -Identity "vtc1@msteams.net" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -AllowConflicts $false -DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is enabled for One Touch Dial with Polycom RealConnect"

    image

    If needed, repeat this process for every room mailbox (new or existing) that is (or will be) associated with a supported VTC to leverage OTD.

    Configure Endpoint

    The following steps are used to perform the calendar setup directly on the Polycom Group Series with the newly created and configured resource mailbox.

    • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
    • If not already enabled click the checkbox next to Enable Calendar Service.

    • Enter the Email address (e.g. vtc1@msteams.net), User Name (e.g. vtc1@msteams.net), and Password for the desired resource mailbox.  (Leave the Domain field blank as the User Principal Name format is used in the User Name field which already includes the domain name.)

    image

    • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    image

    If the mailbox has been invited to any scheduled meetings then the connected endpoint will now display those invitations on the calendar.

    image

    Furthermore, if any of those meetings are Skype for Business or Teams meetings scheduled by a user enabled for the RealConnect service then the Join button will be displayed, providing the simple One Touch Dial experience used to connect the endpoint directly into the scheduled meeting.  The following Call Statistics details from the Group Series show a successful H.323 video call into the RealConnect for Microsoft Teams service (as denoted by the t.plcm.vc domain name in the call string).

    image

    At this point the standard setup is complete for any Polycom endpoints which are not natively registered to Skype for Business.  In fact the Group Series used in this article was reset to factory defaults just prior to this configuration and the meeting was successfully joined simply by placing an H.323 video call after configuring the calendar.


    Service Account Configurations

    The configuration above simply uses the service’s default capabilities to automatically locate the source mailbox in Exchange Online via standard autodiscover processes.  The mailbox credentials are stored on the endpoint and provided to the OTD service which uses pass-through authentication to connect to the mailbox and then process the invite.  The same automatic process can be used with a service account, given that pass-through authentication is utilized (Option 1).  Yet for proxy authentication (Option 2) some additional configuration is required to create new sets of credentials for each device as well as connect OTD to the Exchange organization and store the service account credentials.

    Create Service Account

    Both options outlined above can utilize the same single service account (e.g. otd@msteams.net), so perform these steps to create the new account and delegate permissions to the resource mailboxes accordingly for either option.

    This service account must have a mailbox even though its own mailbox is never actually used throughout the OTD process.  Exchange can only delegate mailbox permission to other mailbox-enabled accounts, hence the need for the license.

    • Using the same process as outlined in the first section connect to both Exchange Online and the MSOnline PowerShell modules and then execute the Get-MsolAccountSku cmdlet to list all available license options currently applied to the Office 365 tenant.

    Get-MsolAccountSku

    image

    The example tenant in this article has available Enterprise E5 licenses (ENTERPRISEPREMIUM), which is clearly overkill for this requirement.  A less expensive option such as Exchange Online Kiosk (EXCHANGEDESKLESS) can be used instead, as the account only needs a mailbox.  (As seen above the single Kiosk license in this tenant has already been assigned to another user, so for the purposes of this article one of the free E5 licenses will be used.)

    • Run the following New-MsolUser command to create a new user account which will be used by the OTD service to connect to Exchange over Exchange Web Services.  Update the Display Name, User Principal Name, Usage Location (appropriate two-letter country code), License Assignment, and Password values in the example below as needed.  Note that the -Password parameter of this cmdlet only accepts plain text, and the password is set to never expire because it will be stored on every endpoint (pass-through) or in the OTD portal (proxy); plan to rotate it manually and update those locations at the same time.

    New-MsolUser -DisplayName "OTD Service Account" -UserPrincipalName "otd@msteams.net" -UsageLocation "US" -LicenseAssignment "jschertz:ENTERPRISEPREMIUM" -Password "P@s5w04d" -PasswordNeverExpires $true -ForceChangePassword $false

    image

    Delegate Mailbox Permissions

    In order to use the new service account to access each and every resource mailbox it will need to be delegated the appropriate permissions to each mailbox.  The only rights this account requires are Read access to just the Calendar folder in each mailbox, which the Reviewer folder role provides; there is no need to grant Full Access to the mailbox itself.

    • Run the Add-MailboxFolderPermission command by providing the Identity of the desired source mailbox’s Calendar folder, as well as the User Principal Name of the newly created service account.

    Add-MailboxFolderPermission -Identity "vtc1@msteams.net:\Calendar" -User "otd@msteams.net" -AccessRights "Reviewer"

    image

    If needed, repeat this process to delegate permissions for each room mailbox’s Calendar to the single service account.

    Verify Mailbox Permissions

    Once all mailboxes are configured the following optional command can be used to report every mailbox in the organization whose Calendar folder the service account has been granted access to.  Note that Get-Mailbox returns only the first 1000 mailboxes unless -ResultSize Unlimited is specified, and mailboxes without a matching permission entry are simply skipped by the -ErrorAction setting.

    Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxFolderPermission -Identity "$($_.PrimarySmtpAddress):\Calendar" -User "otd@msteams.net" -ErrorAction SilentlyContinue } | Format-Table Identity,FolderName,User,AccessRights

    image

    This completes the requisite environment configuration and now the One Touch Dial Service can be setup and enabled.
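The environment preparation above (room mailbox creation, calendar processing, service account creation, Calendar folder delegation, and verification) can be collapsed into a single idempotent script.  The following is an added example written for this page, not code from the article or from Polycom.  It assumes an existing Exchange Online and MSOnline PowerShell session; the room addresses, the service account UPN (otd@msteams.net) and the usage location are placeholders to change, and it prompts for passwords rather than embedding them in the script.

```powershell
# Added example (not from the original article): prepare Exchange Online room mailboxes and a
# least-privilege OTD service account in one pass, then verify the result.
# Assumes Connect-ExchangeOnline and Connect-MsolService have already been run.
# The addresses below are placeholders for this example.
$Rooms = @(
    @{ Upn = 'vtc1@msteams.net'; Alias = 'vtc1'; Name = 'VTC 1 (Polycom)' },
    @{ Upn = 'vtc2@msteams.net'; Alias = 'vtc2'; Name = 'VTC 2 (Polycom)' }
)
$ServiceUpn    = 'otd@msteams.net'
$UsageLocation = 'US'

# Settings OTD depends on: keep subject and body intact so the room's copy of the invite still
# carries the RealConnect join information; AutoAccept so nobody has to approve bookings.
$CalendarSettings = @{
    AutomateProcessing    = 'AutoAccept'
    AddOrganizerToSubject = $false
    AllowConflicts        = $false
    DeleteComments        = $false
    DeleteSubject         = $false
    RemovePrivateProperty = $false
    AddAdditionalResponse = $true
    AdditionalResponse    = 'This room is enabled for One Touch Dial with Polycom RealConnect'
}

function ConvertFrom-SecureStringPlain([securestring]$Secure) {
    # New-MsolUser only accepts a plain-text -Password, so unwrap the SecureString at the last moment.
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

# 1. Create any room mailbox that does not exist yet (prompting for its password instead of
#    hard-coding it), then enforce the calendar processing settings on every room.
foreach ($room in $Rooms) {
    if (-not (Get-Mailbox -Identity $room.Upn -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for room account $($room.Upn)"
        New-Mailbox -MicrosoftOnlineServicesID $room.Upn -Alias $room.Alias -Name $room.Name `
            -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword $pw | Out-Null
    }
    Set-CalendarProcessing -Identity $room.Upn @CalendarSettings
}

# 2. Create the service account if it is missing. Prefer a free Exchange Online Kiosk SKU, since
#    the account only needs a mailbox so that folder permissions can be delegated to it.
if (-not (Get-MsolUser -UserPrincipalName $ServiceUpn -ErrorAction SilentlyContinue)) {
    $sku = Get-MsolAccountSku |
        Where-Object { $_.AccountSkuId -like '*:EXCHANGEDESKLESS' -and ($_.ActiveUnits - $_.ConsumedUnits) -gt 0 } |
        Select-Object -First 1
    if (-not $sku) { throw 'No free Exchange Online Kiosk license; pick another Exchange-enabled SKU.' }
    $svcPw = Read-Host -AsSecureString -Prompt "Password for $ServiceUpn"
    New-MsolUser -DisplayName 'OTD Service Account' -UserPrincipalName $ServiceUpn `
        -UsageLocation $UsageLocation -LicenseAssignment $sku.AccountSkuId `
        -Password (ConvertFrom-SecureStringPlain $svcPw) -PasswordNeverExpires $true `
        -ForceChangePassword $false | Out-Null
}

# 3. Delegate Reviewer on the Calendar folder only (never Full Access on the mailbox), and make
#    the step safe to re-run: add when missing, correct when present with different rights.
foreach ($room in $Rooms) {
    $folder  = "$($room.Upn):\Calendar"
    $current = Get-MailboxFolderPermission -Identity $folder -User $ServiceUpn -ErrorAction SilentlyContinue
    if (-not $current) {
        Add-MailboxFolderPermission -Identity $folder -User $ServiceUpn -AccessRights Reviewer | Out-Null
    } elseif ($current.AccessRights -notcontains 'Reviewer') {
        Set-MailboxFolderPermission -Identity $folder -User $ServiceUpn -AccessRights Reviewer
    }
}

# 4. Verify: for each room, confirm the invite body will survive and the service account has
#    exactly the rights expected. Anything reporting NONE or BodyPreserved=False will not get a Join button.
$Rooms | ForEach-Object {
    $cp     = Get-CalendarProcessing -Identity $_.Upn
    $perm   = Get-MailboxFolderPermission -Identity "$($_.Upn):\Calendar" -User $ServiceUpn -ErrorAction SilentlyContinue
    $rights = if ($perm) { $perm.AccessRights -join ',' } else { 'NONE' }
    [pscustomobject]@{
        Room          = $_.Upn
        AutoAccept    = ($cp.AutomateProcessing -eq 'AutoAccept')
        BodyPreserved = (-not $cp.DeleteComments -and -not $cp.DeleteSubject)
        ServiceRights = $rights
    }
} | Format-Table -AutoSize
```

Because the verification step reads back Get-CalendarProcessing rather than trusting the earlier Set-, it also catches rooms that were created elsewhere with DeleteComments left at its default, which is the most common reason an invited VTC shows a meeting without a Join button.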

    Option 1: Pass-through Authentication

    The first option available to use the service account requires no additional configuration.  Simply use the service account’s username and password in the endpoint’s calendar configuration while still pointing the Email address field at the desired resource mailbox.

    • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
    • Enter the Email address of the associated resource mailbox (e.g. vtc1@msteams.net), but provide the User Name (e.g. otd@msteams.net) and Password of the service account rather than the mailbox’s own credentials.  (Leave the Domain field blank as the User Principal Name format should be used in the User Name field which already includes the domain name.)

    • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    • Check the endpoint’s calendar to verify any previously scheduled meetings are now displayed, and if any are a Skype for Business or Microsoft Teams meeting created by a RealConnect-licensed scheduler then a Join button should also appear.

    image

    In the example above a daily recurring Teams meeting has been scheduled and the VTC1 mailbox was previously invited.

    • Select the Join button on the Group Series to connect to the scheduled meeting.

    As this example meeting is a Teams meeting hosted in a tenant where the lobby bypass for VTCs has been enabled, the call connected directly into the empty meeting.  Reviewing the call statistics shows that the standards-based call (in this case SIP) matches the information shown in the original invitation.

    image

    Option 2: Proxy Authentication

    The second option requires additional configuration.  The OTD service portal will be used to store the service account credentials as well as to generate a second set of credentials to be used on the endpoint.  This approach uses two separate sets of credentials so that IT policies which restrict knowledge of service account credentials to specific teams can be honored.  Essentially an administrator can configure the overall solution while help desk personnel are given only the local credentials, which function solely through the proxy and cannot be used to access the source mailbox directly in Exchange.

    image

    • Click the Sign in with Microsoft button and then enter the credentials of the account which was enabled for access (e.g. jeff@msteams.net).

    image

    The first time that an authorized user signs into the portal a prompt will appear requesting permission for the Polycom app to sign in on behalf of and read the user’s profile information and data.

    • Review the requested permissions and then click the Accept button.  (If the "Consent on behalf of your organization" option appears it can be ignored as each user account authorized for the OTD portal will receive this same one-time prompt.  If desired, an administrator can select this option now and other accounts will not be prompted when they first sign in.  The behavior of the service is not impacted either way.)

    image

    • Click on the Calendars section and then click Connect next to the appropriate Exchange option.  (Office 365 is used for connectivity to resource mailboxes hosted in Exchange Online and Exchange is used for connectivity to Exchange Server deployments.  As this article is utilizing Exchange Online mailboxes then the Office 365 option will be selected.)

    image

    • Select Connect with Service Account.  (It is not recommended to utilize the Application approach given that permissions to more than just what was specifically delegated would be granted to the OTD service in the selected tenant.)

    image

    When the Connect with Service Account option is selected a Microsoft login window will appear.  This authentication prompt is used to store the service account credentials into the OTD portal so it is important to enter the correct information here.

    • Enter the username and password of the service account which was created earlier (e.g. otd@msteams.net).

    image

    • Review the requested permissions and then click the Accept button.

    image

    If successful the connection status for Office 365 will display the name of the account currently being used to communicate with Exchange Online.

    image

    • Select Devices from the navigation menu and then click the Connect a Device button.

    image

    • Select the appropriate endpoint; in this example click the RealPresence Group Series button.
    • In the Calendaring Email field enter the email address of the resource mailbox for the desired endpoint (e.g. vtc1@msteams.net), enter a descriptive name in the Name field (e.g. VTC1), and then click Create.

    image

    The next window will display a set of automatically generated credentials which the associated endpoint will use to authenticate to the OTD service.  The username is randomly generated and cannot be changed or customized.  The password can be reset in a later step if desired.

    • Click on the Copy to Clipboard button and then paste the details somewhere for use in the next step.  (These are working credentials for the room’s calendar data via the proxy, so store them in a password manager rather than leaving them in a plain text file.)

    image

      • Connect to the web management interface on the Group Series endpoint and then navigate to the Admin Settings > Calendaring Service menu.
      • In both the Email and User Name fields enter the email address created by the portal in the previous step (e.g. gsaoclxiohed@otd.plcm.vc).

      • Leave the Domain field blank as it is not used for this configuration.

      • Enter the password as provided in the previous step (e.g. Is1ofyLAv1).

      • In the Microsoft Exchange Server field enter the Polycom One Touch Dial service FQDN of otd.plcm.vc and then click Save.

    image

    After saving the configuration the Registration Status will typically read either Not Connected or Registration Failed for up to 30 seconds while it is attempting to sign-in via Exchange Web Services.  Once successful the status will automatically update to Registered.

    RealConnect Service for Skype and Teams

    October 31, 2018 by · 6 Comments 

    This article is the first in a series which covers Polycom’s RealConnect service, a Microsoft Azure-based video interoperability service for Skype for Business and Microsoft Teams meetings. 

    1. RealConnect Service for Skype and Teams – introduces the overall solution and the steps to activate the service for use with Skype for Business Online meetings and/or Teams meetings.  (A future article will cover the additional configuration steps required to support Skype for Business Server or Hybrid deployments with the service.)
           
    2. Polycom One Touch Dial Service – explains what this ancillary service is, how it works, and provides detailed configuration steps for using it with Polycom VTCs.  (A separate article covers the additional configuration for Cisco VTCs.)
           
    3. Polycom Cloud Relay – outlines the purpose of this component, how it works, and then walks through the steps for deploying a Cloud Relay virtual server on-premises.  This on-premises server is an optional component to the RealConnect service, only needing to be deployed when using Skype for Business Server and/or supporting Cisco endpoints with the One Touch Dial service.

    This Microsoft partner-provided service, commonly referred to as Cloud Video Interop (CVI), allows various standards-based Video Teleconferencing (VTC) endpoints to join scheduled Skype for Business and Teams meetings. While an earlier article outlined all of the different RealConnect offerings available this series will focus solely on the cloud-based service model of RealConnect.

    The original service offering is referred to as RealConnect for Office 365, but supports Skype for Business Online, Skype for Business Server, and Skype for Business Hybrid environments.  The recently released offering entitled RealConnect for Microsoft Teams added support for Microsoft Teams meetings.  Access to both services is provided together using the same consumption license, meaning that RealConnect can be used with any Skype and Teams meeting scheduled by any user in the organization.  A free 60-day trial license is available today for most Microsoft Office 365 tenants worldwide.  Availability can depend on the tenant type (public multitenancy versus various government clouds) and the region (some countries are not currently able to leverage this service).

    The licensing consumption model is simply based on concurrent usage.  While the trial comes with 5 concurrent licenses nearly any number of licenses can be purchased as needed.  Regardless of the number of Skype and/or Teams meetings occurring at the same time, and regardless of the number of Skype or Teams participants, guests, or PSTN callers, only a VTC connecting into any of these meetings would consume a license and only while the call is active.  So, with a trial license as many as five different VTCs can use the service at one given time to join any number of scheduled Skype or Teams meetings.

    Background

    The heart of a Cloud Video Interop meeting that allows RealConnect to function is a scheduled Skype for Business or Microsoft Teams invitation.  In an organization which has enrolled and provisioned the service an enabled user’s scheduled meetings will natively include additional instructions (seen in the image below) for joining the meeting from any standards-based endpoint.  At minimum the provided calling option can be manually dialed from a VTC, but additional configuration like local speed dials, infrastructure dialing rules, or ideally the Polycom One Touch Dial service can be leveraged to provide a single ‘Join’ button on supported endpoints to place the call.

    image

    The RealConnect Service is comprised of a number of Polycom-managed, Microsoft Azure-hosted virtual servers.  These globally deployed services can receive video calls over standards-based SIP or H.323 protocols and then connect that call into a Skype for Business or Microsoft Teams meeting, wherever that meeting is hosted.  Note that the service does not connect Skype for Business meetings to Teams meetings in any way; those are two completely separate Microsoft meeting platforms.  The service essentially provides up to three different solutions which can all be leveraged simultaneously.

    image

    This basic call flow diagram shows two VTCs joining the same scheduled Skype for Business or Microsoft Teams meeting.

    image

    • Each VTC which calls into the service will be routed to the logically closest Azure datacenter where Polycom services are deployed and the call will land on a dedicated transcoding MCU (B). 

    • The RealConnect service will then locate the target meeting, as identified by the Tenant ID, Conference ID and Domain provided in the call string (e.g. 123456.987654321@t.plcm.vc).

    The Tenant ID is a globally unique string assigned to the tenant during service enrollment and is the same on every meeting scheduled by any user in the tenant; it never changes.  The Conference ID is dynamically created by the Microsoft scheduling services and is different for every scheduled meeting.  The Domain name in the call string will be one of three options denoting which of the three flavors of the service the call will be directed to: t.plcm.vc for Microsoft Teams meetings, v.plcm.vc for Skype for Business Online meetings, and h.plcm.vc for Skype for Business Server meetings.  (The original instance of the service was launched for Skype for Business and ‘v’ was used to denote ‘video’.  When support for Skype for Business Server/Hybrid deployments was later added then ‘h’ was used for ‘hybrid’.  As one can guess the ‘t’ refers to Teams in the latest iteration of the service.)

    • Now that the service has located the Microsoft meeting then the Polycom MCU (B) will connect to the Microsoft MCU (A), transcoding all video, audio, and content sharing sessions between standards-based codecs (e.g. H.264 AVC, H.239, BFCP, etc.) into Microsoft codecs (e.g. SVC, RDP, VBSS, etc).

    • When another VTC joins the same call, using the same call string, it will land on a different, dedicated Polycom MCU (C).  That MCU may reside in the same Azure datacenter or a completely different datacenter, depending on the geographical location of that VTC.  Either way, all the cascaded traffic will be routed within Microsoft’s global network to locate the same Teams (or Skype for Business) meeting.
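The scan that the One Touch Dial service performs on an invitation (described in the OTD article above) comes down to finding this call string and working out which flavor of the service it targets.  The following PowerShell function is an added example for this page, not code from the article or from Polycom: it extracts the Tenant ID, Conference ID and domain from an invitation body using the layout just described.  The sample invitation text is constructed for the example, and the assumption that both IDs are plain alphanumeric tokens is based only on the example string shown on this page.

```powershell
# Added example (not from the original article). Parses RealConnect call strings of the form
# TenantId.ConferenceId@{t|v|h}.plcm.vc out of free-form invitation text.
function Get-RealConnectCallString {
    param([Parameter(Mandatory)][string]$Body)

    # Assumption: both IDs are alphanumeric tokens (the page's example is 123456.987654321).
    $pattern = '(?<tenant>\w+)\.(?<conf>\w+)@(?<flavor>[tvh])\.plcm\.vc'
    $flavors = @{
        t = 'Microsoft Teams'
        v = 'Skype for Business Online'
        h = 'Skype for Business Server'
    }

    foreach ($m in [regex]::Matches($Body, $pattern, 'IgnoreCase')) {
        [pscustomobject]@{
            TenantId     = $m.Groups['tenant'].Value
            ConferenceId = $m.Groups['conf'].Value
            Platform     = $flavors[$m.Groups['flavor'].Value]
            DialString   = $m.Value   # what the VTC dials over SIP or H.323
        }
    }
}

# Constructed sample of the VTC-joining block a RealConnect-enabled invitation carries.
$sampleInvite = @'
Join from a video conferencing system
Dial 123456.987654321@t.plcm.vc
'@

Get-RealConnectCallString -Body $sampleInvite

# A room whose calendar processing deletes the body (DeleteComments $true) leaves no call string
# to find here, which is exactly why such an endpoint shows the meeting without a Join button.
Get-RealConnectCallString -Body 'Weekly sync'
```

Running the first call returns one object whose Platform is Microsoft Teams and whose TenantId is the fixed per-tenant value, so the same function can be pointed at a room's copy of an invite (for example, text exported from Outlook) to confirm the join information survived calendar processing before blaming the endpoint.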

    The remainder of this article details the steps required to enable the service after purchase or enrollment in a trial, and should only be performed once calls into the service have been successfully tested and any optional components like the Cloud Relay have been deployed, or additional configuration like One Touch Dial has been completed.  This is especially important when working with a trial license as the 60-day period can disappear rather quickly when potentially dealing with firewall configuration changes or anything else which may take time to address in a production network.

    So while this is the first article in the series it may very well be the last article used in the actual configuration, depending on the timing of events and desired capabilities.  For example, supporting Polycom VTCs can be 100% cloud-based and thus the recommended route is to simply activate the service and then setup the endpoints for One Touch Dial, after validating connectivity to the services.

    But if there are Cisco VTCs which need to leverage One Touch Dial then that service and the Cloud Relay should be dealt with first, before activating the service.  The same guidance goes for supporting Skype for Business Server or Hybrid deployments.  Essentially, any feature or topology which requires the Cloud Relay server means that one should always get that deployed and functioning before activating the service.  Understand that there is no requirement to activate the service first or last; this guidance is simply related to maximizing usability during the trial period.  If this is not a concern then performing the steps in this article to activate and configure the service is typically done first.


    Activate Service

    When service licenses are purchased (or a trial is issued) an automated email will be sent to the primary contact email address provided during the original order.  This email is sent from "licenseadmin@polycom.com" with the title "Polycom License notification email for Polycom for Order No. 0000000/domain.com" and includes a pair of attachments.  Both the .PDF and .TXT attachments include the 16-character license activation key which is tied specifically to the tenant domain for which it was ordered. (Meaning, for example, that if the exact license key shown in this article were to be used by another Office 365 tenant it would fail to apply.)

    • Open the mailbox for the account provided as part of the service order (e.g. jeff@msteams.net) and look for the email described above.  (If this email is not found then the order may not have been processed yet, which can take 1-2 days.)

    • Download the attached text file (e.g. 1607678.txt) or simply open the attachment and copy the license key to the clipboard. (The numeric order number is the name of the attachment.)


    • Enter the credentials of a Global Administrator account and then click Yes on the Stay Signed in prompt, which will simplify the configuration as different portals are accessed. (Any account with Global Administrator permissions in the Office 365 tenant can access this portal for service activation.)

    • Click each down arrow to expand the individual permission requests to review the additional details. Leave the Consent on behalf of your organization setting unchecked and then click Accept.

      This step is simply allowing the RealConnect service the rights required to insert service-related information into the tenant during the configuration process managed by the portal.

      Also Microsoft has recently changed these permission request prompts to include a new option to accept the change on behalf of the entire organization, meaning that other users accessing the portal would not receive this prompt.  As only a Global Administrator can access this portal there is typically no added value in preemptively accepting these permissions for all other Global Administrator accounts which may potentially also decide to sign in to this portal for some reason.  And if another authorized account did sign in it would still be presented with this same prompt.

      • Once successfully signed in to the portal then the current status should indicate that the account is inactive and no licenses are applied.  Click the Activate New License link.

      • Enter the License Activation Key (e.g. C1937-5846-9980-3352) from the previously downloaded file (or paste it from the clipboard), accept the terms of service request, and then click Submit.

      • If the license key is successfully applied then the page will refresh to display a host of new information.

      As seen above this is a 60-day trial license of which the timer has now started, indicated by the End date.  Also the trial includes a limit of 5 concurrent VTC Call Licenses for use with any number of Skype for Business or Teams meetings at one time.  The remainder of the information above will be broken down in the remaining configuration steps.

      Now that the service has been activated for the tenant it would be a good time to sign up for status alerts related to the service availability.



      Enable RealConnect for Microsoft Teams

      Now that the license has been applied and the service is activated for this Office 365 tenant there are a few required one-time configuration steps to be performed.  The Teams Configuration section on the portal includes links to either perform or explain how to perform each of the required sections.  (If RealConnect will not be used with Microsoft Teams meetings then skip this section and advance to the Skype for Business configuration in the next section.)

      First, consent must be granted to Polycom to operate as a Cloud Video Interop service provider and allow Polycom’s bots used in the solution to join any Teams meetings scheduled by users in this tenant.  Secondly, in order to use the RealConnect service a user’s scheduled Teams meeting invitation must include additional instructions in the invitation for the VTCs to use.  Inclusion of these additional instructions is controlled by a set of PowerShell cmdlets which can be used to enable the functionality either for all users globally or on an individual user-by-user basis.

      Grant Consent

      • Click the "here" link at the bottom of the page and sign into Office 365 using the same Global Administrator account, if prompted.

      • Click each down arrow to expand the individual permission requests to review the additional details.  Click Accept when ready.

      If successful, then the consent page will refresh to report the results.

      At this point a RealConnect for Microsoft Teams app has been added to the Office 365 tenant, which can be confirmed on the Microsoft Apps page at https://myapps.microsoft.com. Look for the Polycom RealConnect for Microsoft Teams app in the list.

      Prepare PowerShell

      The PowerShell Commands documentation page that opens will include each of the supported cmdlets.  These are not just examples, as they include the exact parameters specific to this tenant, so they can literally be copied and pasted directly into PowerShell to execute them.  Among the instructions is guidance for connecting to PowerShell Online Modules, enabling the service, enabling users, and controlling specific behaviors of the service.

      As explained in this recent article the Microsoft Teams cmdlets are included in the Skype for Business Online PowerShell Module, so that is the only module required to complete the following configuration steps.

      • Download and install the Skype for Business Online Windows PowerShell Module on the desired Windows workstation.

      • Open a new Windows PowerShell window and then enter the following commands.  These can all be copied and pasted in one single action.  Enter an administrator account’s User Principal Name when prompted in the PowerShell window, and then the password when prompted in a separate pop-up window.

      Import-Module SkypeOnlineConnector
      $skype = New-CsOnlineSession
      Import-PSSession $skype

      Enable Video Interop Service

      In order to properly configure the service make sure that the proper Microsoft-assigned TenantKey is being used for this step.  The command can be copied directly from the PowerShell Commands page on the portal.  (Do not copy the command directly from this blog article as it includes the TenantKey for msteams.net in the example.)

      • On the PowerShell Commands page highlight and copy the entire command under the Configure Your Video Interop Service Policy section.

      • Paste the command into the PowerShell window and execute it.  Note that the command will look identical to the following example, except for the highlighted numeric string indicating the unique TenantKey for the tenant being configured.

      New-CsVideoInteropServiceProvider -Identity Polycom -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7 -TenantKey "680450644@t.plcm.vc" -InstructionUri "https://dialin.plcm.vc/teams/?key=680450644&conf={ConfId}"

      What this command has done is enabled Polycom as the Cloud Video Interop Service provider of choice for this tenant, defined the tenant’s unique numeric ID (TenantKey), defined the globally unique AzureAD application ID for the Polycom service bot (AadApplicationIds), and finally set the help URI which will appear on the Teams meeting invite of any enabled users (InstructionUri). 

      Note that the -InstructionUri parameter can point to any URL, so if desired a custom-branded webpage can be created and hosted on any publicly available web server.  Simply replace the default URL with the URL of the custom website if this customization is desired, otherwise leave the default entry which points to a dynamic page specific to the tenant.

      Enable Users

      Unlike the Skype for Business configuration which will require an add-on license to be assigned to each user in the environment the Teams solution simply leverages a policy which can be enabled or disabled per user or for the entire tenant.

      The preferred method when testing or rolling out the service is to enable individual users instead of enabling every user at one time.

      • To enable individual user accounts simply use the Grant-CsTeamsVideoInteropServicePolicy cmdlet as shown below, entering the User Principal Name for the desired user account as the target -Identity.  Standard PowerShell scripting can be used to run this command against specific lists of users in bulk if desired.

      Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled -Identity jeff@msteams.net

      • Alternatively, to enable the service for every scheduled Teams meeting created by every user in the organization then simply execute the same cmdlet, but without specifying an identity.

      Grant-CsTeamsVideoInteropServicePolicy -PolicyName PolycomServiceProviderEnabled

        For verification purposes the following cmdlet can be used to list all users in the organization which have the service enabled for their Teams meeting invitations.

        Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled"} | fl UserPrincipalName

        Enable Lobby Bypass

        By default any VTCs joining a Teams meeting by way of RealConnect will automatically be placed directly into the meeting lobby, requiring another Teams attendee to manually admit them.  If this behavior is not desired then all VTCs can be allowed to automatically bypass the lobby and join the meeting directly.  Note that this change has no impact on other guests joining a Teams meeting, it only applies to VTCs joining via the RealConnect service.  Changing this setting will impact the behavior for all VTCs joining all Teams meetings as this is essentially a global on/off switch.

        • Enter the following cmdlet to enable the lobby bypass behavior.

        Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true

        Note that in order for this feature to function the service provider configuration defined in an earlier step must have the correct service bot ID defined (-AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7).  If the provider was initially created without setting this parameter then it can be added to the same cmdlet as shown in the following example.

        Set-CsVideoInteropServiceProvider -Identity Polycom -AllowAppGuestJoinsAsAuthenticated $true -AadApplicationIds a39192d4-7b9b-4c07-87d7-cbcd3fd97af7
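
        The following script is an added example and is not part of the original article or Polycom's own guidance.  It ties the previous steps together from the administrator's side: it first reads the Polycom provider definition back with Get-CsVideoInteropServiceProvider and checks that the bot application ID from the article is present (otherwise lobby bypass will silently not work) and that the TenantKey matches the expected value, then grants the policy to a list of pilot users and verifies the result with the same Get-CsOnlineUser filter used above.  It assumes an existing Skype for Business Online PowerShell session; the TenantKey value and the alice/bob accounts are constructed placeholders.

```powershell
# Added example (not from the original article): validate the Polycom video interop
# provider, then enable a list of users and verify the result.
# Assumes Import-PSSession for Skype for Business Online has already been run.

# The bot application ID is the one shown in the article. The TenantKey below is a
# constructed placeholder; replace it with the tenant's own key from the portal's
# PowerShell Commands page.
$ExpectedBotAppId  = 'a39192d4-7b9b-4c07-87d7-cbcd3fd97af7'
$ExpectedTenantKey = '000000000@t.plcm.vc'   # placeholder, not a real key
$PolicyName        = 'PolycomServiceProviderEnabled'

function Test-PolycomInteropProvider {
    # Returns $true only if the provider exists with the expected bot ID and tenant key.
    $provider = Get-CsVideoInteropServiceProvider -Identity Polycom -ErrorAction SilentlyContinue
    if (-not $provider) {
        Write-Warning 'No video interop provider named Polycom is defined in this tenant.'
        return $false
    }
    $ok = $true
    if (@($provider.AadApplicationIds) -notcontains $ExpectedBotAppId) {
        Write-Warning 'AadApplicationIds does not include the expected bot ID; lobby bypass will not work.'
        $ok = $false
    }
    if ($provider.TenantKey -ne $ExpectedTenantKey) {
        Write-Warning "TenantKey is '$($provider.TenantKey)', expected '$ExpectedTenantKey'."
        $ok = $false
    }
    if (-not $provider.AllowAppGuestJoinsAsAuthenticated) {
        Write-Host 'Lobby bypass is disabled: VTCs will wait in the lobby until admitted.'
    }
    return $ok
}

function Enable-PolycomInteropUsers {
    param([string[]]$UserPrincipalNames)
    foreach ($upn in $UserPrincipalNames) {
        try {
            Grant-CsTeamsVideoInteropServicePolicy -PolicyName $PolicyName -Identity $upn -ErrorAction Stop
            Write-Host "Enabled $upn"
        } catch {
            Write-Warning "Failed to enable ${upn}: $($_.Exception.Message)"
        }
    }
    # Verify with the same filter the article uses and return any user that does not
    # yet report the policy (policy assignment can lag behind the Grant call).
    $enabled = Get-CsOnlineUser -Filter {TeamsVideoInteropServicePolicy -eq "Tag:PolycomServiceProviderEnabled"} |
        Select-Object -ExpandProperty UserPrincipalName
    return @($UserPrincipalNames | Where-Object { $enabled -notcontains $_ })
}

# Constructed sample list of pilot users (alice and bob are not real accounts).
$pilotUsers = @('jeff@msteams.net', 'alice@msteams.net', 'bob@msteams.net')

if (Test-PolycomInteropProvider) {
    $notEnabled = Enable-PolycomInteropUsers -UserPrincipalNames $pilotUsers
    if ($notEnabled.Count -gt 0) {
        Write-Warning "Policy not yet reported for: $($notEnabled -join ', ')"
    } else {
        Write-Host 'All pilot users report the Polycom policy.'
    }
}
```

        Running the provider check before granting the policy matters because the policy only adds the dial-in details to invitations; whether the VTC actually lands in the meeting (or waits in the lobby) is decided by the provider definition, so a typo in the bot ID or a key from a different tenant is best caught before users start scheduling meetings.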

        Validate Configuration

        To confirm that the configuration was successfully completed sign in to Microsoft Teams using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

        • Create a new Teams Meeting using any supported method (Outlook, the Teams desktop application, a Teams mobile app, or even from Teams running in a web browser).

        Confirm that the resulting meeting invitation now displays the additional section of instructions in the message body pertaining to the video interop service.  Note that these additional video conferencing device details may not immediately appear in new meetings, as the configuration can take several hours (routinely up to 8) to be enabled across Microsoft’s cloud service.  Also make sure to restart both Outlook and the Teams client on the workstation if the details are still not appearing.


          At this point the configuration for Microsoft Teams is complete and the service is ready to be used with the Office 365 tenant.


          Enable RealConnect for Skype for Business Online

          Configuring RealConnect for Skype for Business addresses the same concepts as covered above in the Teams configuration, yet with a completely different methodology for enabling the service and users.  The steps in this section are only applicable to supporting Skype Meetings scheduled by Skype for Business Online users.  (Supporting RealConnect for Skype Meetings scheduled by Skype for Business Server users requires a different configuration which is not in the scope of this article.)

          While the required permissions to utilize the service were already granted when first connecting into the portal, Polycom needs to also be established as a Cloud Solution Provider (CSP) via a partner relationship with the Office 365 tenant.  By default Microsoft grants all CSPs full delegated administrative rights to the tenant, which is in no way required (or even desired) for this service.  Thus those rights should be promptly removed, leaving only the Cloud Solutions Provider relationship.

          1. The Partner Relationship is required to insert the needed user licenses into the tenant.
          2. Delegated administrative permissions are not required and should be removed.

          While the Teams functionality leverages a basic policy setting to enable the service per user, the Skype for Business functionality uses the older Office 365 Add-On license model.  The Skype Configuration details below include an additional user license count which is completely separate from the base Call Licenses which are actually measured for concurrent usage of the service.  These additional Skype Outlook Licenses are simply entitlements which can be given to all users so that their Skype Meetings can be populated with the needed VTC details.  These are essentially included free with the service.

          Authorize Cloud Solutions Provider

          • Click Sign In on the Cloud Solution Provider invitation.

          • Select Yes to agree to the terms of delegated administration (this level of permissions is unneeded by the service and will be promptly removed) and then click Authorize CSP.

          If completed successfully the following message will be displayed.

          Otherwise the main page will be displayed with the updated Skype Configuration status now reflecting that the partner relationship has been established.  Note that it should also report "Delegated Admin Permission detected".

          • Click the View Microsoft Partner Relationship link which will open the Microsoft 365 admin center in a new tab and should go directly to the Settings > Partner Relationship menu.

          • Click on the Polycom, Inc. entry to open that partner relationship.  (Note that the Relationship is described as "Cloud Solution Provider and Admin".)

          • Click the Remove delegate admin button and then click Remove when prompted to confirm.

          • Click Close to return to the Partner relationships page.  (Note that the "and Admin" portion is no longer shown in the description.)

          Verify User Licenses

          As soon as the licenses are applied to the tenant they will be listed here as "Skype Meeting Video Interop for Skype for Business".  It can take as little as a few minutes to as long as several hours before the licenses are applied to the tenant, so check back later if they do not yet appear.

          Enable Users

          Once the licenses have been assigned to the tenant and appear in the previous step then it is now possible to assign the service capability to specific users’ meetings.

          Note that the number of Skype Meeting Video Interop licenses which appear in the tenant will exactly match the total number of core Office 365 user licenses currently in the tenant that include Skype for Business Online Plan 2 capabilities.  This essentially means that all Standalone, Business, and/or Enterprise licenses which include the ability for that user to schedule a Skype for Business Online Meeting are added together and an equal number of video interop licenses are added to the tenant.  For example, a tenant with 25 E3 licenses, 100 E5 licenses, and 10 standalone SfB Online Plan 2 licenses would be given 135 video interop user licenses.  This ensures that every user in the tenant is allowed to create meetings capable of using RealConnect.

          If additional Office 365 user licenses are added to the tenant in the future then simply sign-in to the Polycom RealConnect for Office 365 and Microsoft Teams portal which will trigger the service to recalculate the current user licenses and update the available amount to match.

          Assigning a license to a user can be performed using either the Microsoft 365 Admin Center or PowerShell, no differently than any other Office 365 license.

          • In the Microsoft 365 admin center browse to Users > Active Users and then select the desired user or users, and then click Edit for Product Licenses.  (If editing multiple users then select Add to existing product license assignments.)

          • Click on the slider next to Skype Meeting Video Interop for Skype for Business and then click Save.

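          The PowerShell route mentioned above, as an added example that is not part of the original article: it assigns the add-on license with the MSOnline module (Get-MsolAccountSku, Get-MsolUser, Set-MsolUserLicense), with the checks an administrator would want before each assignment.  The tenant-prefixed AccountSkuId of the "Skype Meeting Video Interop for Skype for Business" SKU is not given in the article, so it appears as a labelled placeholder to be looked up with Get-MsolAccountSku; the alice account is constructed.  It assumes Connect-MsolService has already been run.

```powershell
# Added example (not from the original article): assign the Skype Meeting Video Interop
# add-on license to a list of users with the MSOnline module.
# Assumes Connect-MsolService has already been run in this session.

# The add-on's AccountSkuId is tenant-prefixed (e.g. "<tenant>:<SKU>"). Look it up with
# Get-MsolAccountSku and replace this constructed placeholder with the real value.
$InteropSkuId = 'msteams:VIDEO_INTEROP_SKU_PLACEHOLDER'

function Get-InteropSkuAvailability {
    # Returns the number of unassigned interop licenses, or -1 if the SKU is not in the tenant yet.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $InteropSkuId }
    if (-not $sku) { return -1 }
    return ($sku.ActiveUnits - $sku.ConsumedUnits)
}

function Grant-InteropLicense {
    param([string[]]$UserPrincipalNames)
    $results = @()
    foreach ($upn in $UserPrincipalNames) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) {
            $results += [pscustomobject]@{ User = $upn; Status = 'NotFound' }
            continue
        }
        # Office 365 refuses any license assignment until the account has a usage location.
        if (-not $user.UsageLocation) {
            $results += [pscustomobject]@{ User = $upn; Status = 'NoUsageLocation' }
            continue
        }
        # Skip users who already hold the add-on so the run is safe to repeat.
        if ($user.Licenses.AccountSkuId -contains $InteropSkuId) {
            $results += [pscustomobject]@{ User = $upn; Status = 'AlreadyLicensed' }
            continue
        }
        if ((Get-InteropSkuAvailability) -le 0) {
            $results += [pscustomobject]@{ User = $upn; Status = 'NoLicensesAvailable' }
            continue
        }
        try {
            Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $InteropSkuId -ErrorAction Stop
            $results += [pscustomobject]@{ User = $upn; Status = 'Assigned' }
        } catch {
            $results += [pscustomobject]@{ User = $upn; Status = "Error: $($_.Exception.Message)" }
        }
    }
    return $results
}

# Constructed sample list (alice is not a real account).
$users = @('jeff@msteams.net', 'alice@msteams.net')
Grant-InteropLicense -UserPrincipalNames $users | Format-Table -AutoSize
```

          The per-user status table is deliberately returned rather than printed inside the loop so the same function can feed a CSV export or a scheduled task; a 'NoLicensesAvailable' result usually means the tenant's interop license count has not yet been recalculated, which the article notes is triggered by signing in to the Polycom portal again.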

          Validate Configuration

          To confirm that the configuration was successfully completed sign in to Skype for Business using one of the accounts which was assigned to the service policy in the previous steps (e.g. jeff@msteams.net).

          • Create a new Skype Meeting using Outlook 2016 (Click-to-Run installations only) on a Windows or Mac workstation.  Confirm that the resulting meeting invitation now displays an additional section of instructions in the message body pertaining to the video interop service.

          Note that these additional video conferencing device details may not immediately appear in new meetings, as the configuration can take several hours (routinely up to 8) to be enabled across Microsoft’s cloud service.  Also make sure to restart both Outlook and the Skype for Business client on the workstation if the details are still not appearing.

            At this point the configuration for Skype for Business Online is complete and the service is ready to be used with the Office 365 tenant.

            Next Steps

            As outlined earlier depending on the existing topology, desired workflow, and available VTCs there may be a need to perform additional configuration steps.  The additional articles in this series are outlined in the beginning of this article.

            Managing Office 365 with PowerShell

            October 9, 2018 by · 6 Comments 

            This article is intended to share a streamlined approach for managing Office 365 services via PowerShell which are pertinent to the Microsoft UC platform, namely Exchange Online, Skype for Business Online, and Microsoft Teams.  Covered are a host of one-time installation steps needed to prepare a single workstation with the requisite software as well as the individual PowerShell cmdlets repeatedly used to invoke access to each service when management processes need to be run.

            Before jumping into how to connect a single PowerShell window to all of these UC-related services online it is important to understand the different services and what has changed over the years in terms of PowerShell behavior.

            Background

            There are several different articles available providing guidance for connecting to the various Microsoft Office 365 Online services via PowerShell.  They range from examples like an older blog post written specifically for Lync Online to new, updated guidance from Microsoft on how to access multiple services in a single console.  The older approaches utilized the original requirements of manually downloading and installing several different PowerShell modules via traditional Windows Installer packages which were created for connecting to services like Lync Online and Exchange Online.  There even used to be a separate download required simply to authenticate into Office 365 first using the original Organizational ID (Org ID) online authentication model.

            Now though, most of the various services in Office 365 are easier to connect to via PowerShell for management purposes, but they are still not all using the same methodology and installation processes.  While most are updated to use basically the same process there are a few outliers.  To access Exchange Online and/or the Office 365 Security & Compliance Center a completely different approach was used than the rest of the PowerShell modules used for managing services to Azure Active Directory (Azure AD), Skype for Business Online, or Teams.

            Of the more recent changes which improve upon and simplify the overall management experience there are two primary concepts worth calling out.  One is the creation of a central repository for PowerShell resources and the other is the inclusion of Modern Authentication.  The newer PowerShell Gallery is now used to store and distribute various modules, making installation and updates of future module versions much easier.  Also, by leveraging Modern Authentication each of these modules utilizes the same approach for providing administrative credentials for access.

            The Modules

            Yet, as mentioned earlier, not all of these services operate identically and there are even some overlapping modules used for accessing the core Office 365 service.

            The following core modules are needed for managing any underlying Azure AD accounts or tenant components:

            • Microsoft Azure Active Directory Module for Windows PowerShell – This module contains the original set of *-Msol* cmdlets for managing Azure AD.  This is the older v1 PowerShell module referred to as MSOnline.

            • Azure Active Directory PowerShell for Graph – This module is the newer v2 module containing all of the *-AzureAD* cmdlets for managing Azure AD.  This is the newer v2 PowerShell module referred to as AzureAD.

            Microsoft currently recommends using the newer v2 module, but that does not currently include any of the cmdlets provided in the v1 module.  So, it is not feasible to simply use only the newer Azure AD module when it does not also include all the older functionality.  For many of the management tasks covered on this blog for services like Skype for Business it is still required to execute several MSOnline cmdlets, thus both the v1 and v2 would be leveraged.  In fact, only the v1 module is really needed in most of the currently documented Skype for Business configuration and management processes as they all utilize the -Msol cmdlets, and not the newer -AzureAD cmdlets.  If in the future some of that guidance is updated then make sure to leverage the appropriate modules.

            Luckily both of the modules above can easily be installed from the PowerShell Gallery, so inclusion of both is trivial, and essentially there is no harm in loading an additional module into a PowerShell session even if no cmdlets from that module are executed.

            The following two modules are handled completely differently from the modules above though as they are not available via the PowerShell Gallery and must be installed through two separate manual processes.

            • Skype for Business Online PowerShell – This module contains all of the *-Cs* cmdlets originally added for managing Lync Online, now Skype for Business Online, and also includes UC-related Microsoft Teams management cmdlets.
            • Exchange Online PowerShell – This newer module with Modern Authentication support contains all of the cmdlets used for managing Exchange Online but these cmdlet names do not share a common naming convention for easy identification.

            Installation

            The following steps walk through importing or installing each individual PowerShell module and are required only once per workstation.  An up-to-date Windows 10 workstation was used which contains all of the prerequisite Windows components to successfully complete the process.  If any errors occur when using older versions of Windows then it may be necessary to update components like PowerShell or Windows Management Framework.

            MSOnline

            Installation of the first module will assume that no other PowerShell modules have ever been installed on the specific workstation and will prompt for the one-time installation of the NuGet Package Provider as well as ask to temporarily trust the PSGallery repository.

            • Launch Windows PowerShell as an administrator.

            • Enter the following cmdlet to install the MSOnline module on the local workstation directly from the PowerShell gallery.

            Install-Module -Name MSOnline

            • When prompted to install the prerequisite NuGet provider enter "Y" to allow the installation.

            • When prompted to install the untrusted repository enter "A" to allow the installation.

            • To verify successful installation of both the requisite NuGet and PSGallery components as well as the desired MSOnline module, run the following cmdlets to list the installed PowerShell Package Providers, Repositories, and Modules.

            Get-PackageProvider

            Get-PSRepository

            Get-InstalledModule

            Note that the PSGallery repository listed above is currently set as Untrusted.  While this is acceptable it will continue to trigger the ‘untrusted repository’ prompt seen earlier when attempting to install any other modules from the PowerShell Gallery.  At this point it may be preferred to configure this as a trusted repository on the specific workstation to further streamline additional module installation.  This is a completely optional step, but one that is typically recommended given that the PowerShell Gallery is a trusted Microsoft source.

            • Use the following PSRepository cmdlets to set the PowerShell gallery to trusted and then confirm that modification.

            Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

            Get-PSRepository

            Azure AD

            • In the same administrative PowerShell window issue the following cmdlet to install the AzureAD module. 

            Install-Module -Name AzureAD

            If the PSGallery repository was not manually trusted using the optional step above then the step above will again prompt for access to the still untrusted repository in order to download the AzureAD module.  If this prompt appears enter "A" to allow it.

            • Use the Get-InstalledModule cmdlet again to verify that AzureAD module has been installed.

            Get-InstalledModule

            Skype for Business

            • If the installation fails with an error reporting an insufficient or missing version of the Visual C++ 2017 x64 runtime then download and install the latest version of the x64 redistributable package (e.g. vc_redist.x64.exe).
            • To verify successful installation open Apps & Features under the Windows System Settings and then search for ‘Skype’ to filter the list of installed programs and display the following results.

            Exchange Online

            • Using Microsoft Edge (other browsers may not be compatible) sign in to the Microsoft 365 Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.

            • Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."

            • Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.

            • Once the module installation completes then simply close the Windows PowerShell window which was automatically opened.

            At this point all four PowerShell modules have been installed on the workstation and the one-time setup is complete.


            Usage

            The following cmdlets can be issued individually to establish connections into each desired online service via PowerShell.  Due to the way that the Exchange module functions though it is critical to use the Exchange PowerShell module to start with as that module cannot be utilized in a standard PowerShell window.

            This approach leverages support for Modern Authentication throughout all four modules which does not utilize a single stored set of credentials.  Each connection will prompt for authentication in a separate window.

            Connecting to Online Services

            • Launch the Microsoft Exchange Online PowerShell Module which was just installed on the workstation in the previous step.

            Connect-EXOPSSession

            • Sign in using an administrative account for the tenant.

              Once the session has been imported a warning may appear related to potentially unapproved verbs which can be ignored.

              • Connect to Azure AD using the Connect-MsolService cmdlet and enter the same administrator credentials when prompted.

              Connect-MsolService

              • Connect to Azure AD using the Connect-AzureAD cmdlet, again entering the same credentials if prompted.

              Connect-AzureAD

              • Connect to Skype for Business Online using the following cmdlets, providing the account username when prompted in-line and the account’s password when prompted by a separate window.

              Import-Module SkypeOnlineConnector

              $skype = New-CsOnlineSession

              Import-PSSession $skype

              If all commands were successful then the resulting PowerShell window should look something like this:

              Testing Connectivity

              Issue the following four example cmdlets to test that each of the four modules are functioning properly with access to the online services.

              Get-Mailbox

              Get-MsolAccountSku

              Get-AzureADUser

              Get-CsOnlineUser

              Quick Reference

              The following can be inserted into a .ps1 file to create a basic batch process for connecting to all four services in succession.  Because Modern Authentication does not allow token sharing between the various modules, the authentication prompts will still appear between each connection attempt.  Some of the Connect cmdlets support providing the User Principal Name in-line while others do not.  To attempt to incorporate these newer modules into custom scripts to further automate the process take a look at these other blog articles.

              Connect-MsolService
              Connect-AzureAD

              Connect-EXOPSSession -UserPrincipalName "jeff@jdskype.net"
              Import-Module SkypeOnlineConnector
              $skype = New-CsOnlineSession -UserName "jeff@jdskype.net"
              Import-PSSession $skype

              Make sure to execute the script after launching the Microsoft Exchange Online PowerShell Module, as that is the only PowerShell instance which is capable of using the Connect-EXOPSSession cmdlet.
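As an added example (not code from the original post), the batch process above can be extended so that each connection is verified with a read-only cmdlet before the script moves on, and the run stops if any service failed rather than continuing against a half-connected state. It assumes the same legacy modules named in the post are installed and that it is launched from the Microsoft Exchange Online PowerShell Module window; the -AccountId parameter on Connect-AzureAD is used to pre-fill the username, and the UPN is supplied as a script parameter rather than hard-coded.

```powershell
# Added example: connect to Exchange Online, Azure AD (both modules) and
# Skype for Business Online in succession, verifying each session.
# Assumes the legacy modules from the post are installed and that this runs
# inside the Microsoft Exchange Online PowerShell Module window, the only
# shell that exposes Connect-EXOPSSession. The UPN is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName   # e.g. admin@contoso.example (placeholder)
)

$ErrorActionPreference = 'Stop'
$results = @()

function Test-Service {
    # Runs one connect step and one read-only verification cmdlet, recording
    # success or the error message instead of aborting the whole run.
    param(
        [string]$Name,
        [scriptblock]$Connect,
        [scriptblock]$Verify
    )
    try {
        & $Connect
        $null = & $Verify
        [pscustomobject]@{ Service = $Name; Connected = $true;  Detail = 'OK' }
    }
    catch {
        [pscustomobject]@{ Service = $Name; Connected = $false; Detail = $_.Exception.Message }
    }
}

# Exchange Online (Modern Authentication; prompts for the password only)
$results += Test-Service -Name 'Exchange Online' `
    -Connect { Connect-EXOPSSession -UserPrincipalName $UserPrincipalName } `
    -Verify  { Get-Mailbox -ResultSize 1 }

# Azure AD via the MSOnline module (no in-line UPN support; full prompt)
$results += Test-Service -Name 'Azure AD (MSOnline)' `
    -Connect { Connect-MsolService } `
    -Verify  { Get-MsolAccountSku }

# Azure AD via the AzureAD module (-AccountId pre-fills the username)
$results += Test-Service -Name 'Azure AD (AzureAD)' `
    -Connect { Connect-AzureAD -AccountId $UserPrincipalName } `
    -Verify  { Get-AzureADUser -Top 1 }

# Skype for Business Online (session is imported into the current shell)
$results += Test-Service -Name 'Skype for Business Online' `
    -Connect {
        Import-Module SkypeOnlineConnector
        $script:skype = New-CsOnlineSession -UserName $UserPrincipalName
        Import-PSSession $script:skype -AllowClobber | Out-Null
    } `
    -Verify  { Get-CsOnlineUser -ResultSize 1 }

$results | Format-Table -AutoSize

# Stop here if anything failed so later cmdlets in a larger script never run
# with only some of the services connected.
if ($results.Connected -contains $false) {
    throw 'One or more services failed to connect; see the table above.'
}
```

Run it as `.\Connect-AllServices.ps1 -UserPrincipalName admin@contoso.example` (file name and UPN are placeholders); the credential prompts still appear once per module for the reason given above, but the summary table makes it obvious which session, if any, needs to be re-established before continuing.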

              Displaying Teams in the Exchange Online Address Book

              July 3, 2018 by · 1 Comment 

              Microsoft has recently implemented a change in how Office 365 Groups are handled by default in Exchange Online.  Since the release of Microsoft Teams, which uses Office 365 Groups as the core membership list for individual Teams, when a user created a new team then the associated Office 365 Group was automatically Exchange-enabled with distribution group capabilities.  This meant that every single Team created in an organization would appear in the Exchange Online Address Book, thus offering the potential to rapidly clutter up the Global Address List.  This default behavior was hotly contested by the overall community and in response Microsoft has reacted by essentially reversing this, but not retroactively.

              Now when a new Office 365 Group or Team is created it will no longer appear in the Exchange Address Book, nor will it be displayed in the Outlook Groups section in the navigation pane.  This only applies to new groups though as no changes have been applied to any of the existing groups in Office 365 tenants today.

              So, this means that administrators need to understand how to address two potential issues: hiding all the existing groups if desired and unhiding individual new groups if desired.

To programmatically hide all the existing groups from the address book and/or Outlook client navigation pane, follow the guidance in this article.  When creating new teams and/or groups, an additional configuration step is required if they should appear in Outlook.

              Configuration

              This is a simple configuration change that is currently only available through a PowerShell cmdlet leveraging two different parameters.

              The preferred method for managing Exchange Online using PowerShell cmdlets now is to leverage Modern Authentication using the newer Microsoft Exchange Online PowerShell Module which can be initially installed from the Exchange Admin Center.

              Connect to Exchange Online PowerShell

• Using a web browser, sign in to the Office Admin Center using an administrator account and then navigate to Admin Centers > Exchange to open the Exchange Admin Center in a new browser window.
              • Select Hybrid from the navigation pane and then click Configure under "The Exchange Online PowerShell Module supports multi-factor authentication. Download the module to manage Exchange Online more securely."


              • Open the Microsoft.Online.CSE.PSModule.Client.application and then select Install when prompted.


The initial steps above are a one-time installation process per workstation.  For future sessions from the same workstation the PowerShell module is already installed locally and can be launched from the Microsoft Exchange Online PowerShell Module desktop app.


              • Once the installation is complete and the Windows PowerShell window appears use the Connect-EXOPSSession cmdlet to open a connection to the desired Exchange Online tenant.

              Connect-EXOPSSession -UserPrincipalName jeff@msteams.net


The -UserPrincipalName parameter used above is optional; if it is omitted, the authentication prompt will ask for both the username and password.

              • Enter the password for the administrator account provided in the cmdlet above.


              Edit Office 365 Group

Use the following Exchange Online PowerShell cmdlets to independently control whether the desired group is shown in the address book and in the Outlook navigation pane.

              • Use the Get-UnifiedGroup cmdlet to view the current display settings for all existing groups.

Get-UnifiedGroup | ft DisplayName, HiddenFrom*


In this example a new Team named 'Marketing Team' was recently created, while the other two groups were originally created before Microsoft changed the behavior.  As seen above, the new Office 365 Group for that Team has automatically been hidden from both the address book and Outlook clients.

To reverse this for either or both behaviors, issue the Set-UnifiedGroup cmdlets shown below.

• To include the new group in the Exchange Online Outlook Address Book, set the -HiddenFromAddressListsEnabled parameter to $false.

              Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromAddressListsEnabled $false

              Note that this change will take time to propagate throughout the tenant.  While the Online Address Book will be updated almost immediately the Offline Address Book in Exchange Online can take 24-48 hours to reflect this change.

• To include the new group in the Outlook client's Groups navigation pane, set the -HiddenFromExchangeClientsEnabled parameter to $false.

              Set-UnifiedGroup -Identity "Marketing Team" -HiddenFromExchangeClientsEnabled:$false

Notice that the cmdlet above is using a colon (:) as a separator between the parameter name and the value.  For some reason this parameter (and not the others in this cmdlet) is defined in PowerShell as a switch and not a Boolean value, and thus will not work with a space as a delimiter.  For the sake of simplicity a colon can alternatively be used in place of a space for the Boolean parameters as well.
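The two cmdlets above, wrapped into a reusable report-and-change pair as an added example (not code from the original post): the first function lists every group with both flags and a one-word summary so the address-book exposure of Teams-backed groups can be reviewed in bulk; the second sets either or both flags on one group and supports -WhatIf so a change can be previewed first. It assumes an Exchange Online session is already open via Connect-EXOPSSession as described earlier; the function names are hypothetical and 'Marketing Team' is the post's example group.

```powershell
# Added example: audit and change Office 365 Group visibility.
# Assumes Connect-EXOPSSession has already been run in this window.

function Get-GroupVisibilityReport {
    # One row per group with both visibility flags and a plain-English summary.
    Get-UnifiedGroup -ResultSize Unlimited |
        Select-Object DisplayName,
            PrimarySmtpAddress,
            HiddenFromAddressListsEnabled,
            HiddenFromExchangeClientsEnabled,
            @{ Name = 'Visibility'; Expression = {
                if ($_.HiddenFromAddressListsEnabled -and $_.HiddenFromExchangeClientsEnabled) { 'Hidden everywhere' }
                elseif ($_.HiddenFromAddressListsEnabled) { 'Outlook only' }
                elseif ($_.HiddenFromExchangeClientsEnabled) { 'Address book only' }
                else { 'Visible everywhere' }
            } }
}

function Set-GroupVisibility {
    # Sets either or both flags on one group. The parameters are splatted so the
    # switch-typed -HiddenFromExchangeClientsEnabled receives its value the same
    # way the colon form does; "-HiddenFromExchangeClientsEnabled $false" with a
    # space would be parsed as a stray positional argument and fail.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity,
        [Nullable[bool]]$HiddenFromAddressLists,
        [Nullable[bool]]$HiddenFromExchangeClients
    )

    $splat = @{ Identity = $Identity }
    if ($null -ne $HiddenFromAddressLists) {
        $splat['HiddenFromAddressListsEnabled'] = $HiddenFromAddressLists
    }
    if ($null -ne $HiddenFromExchangeClients) {
        $splat['HiddenFromExchangeClientsEnabled'] = $HiddenFromExchangeClients
    }
    if ($splat.Count -eq 1) {
        throw 'Specify at least one of -HiddenFromAddressLists or -HiddenFromExchangeClients.'
    }

    $changed = ($splat.Keys | Where-Object { $_ -ne 'Identity' }) -join ', '
    if ($PSCmdlet.ShouldProcess($Identity, "Set $changed")) {
        Set-UnifiedGroup @splat
    }
}

# Usage (hypothetical function names; group name from the post):
#   Get-GroupVisibilityReport | Format-Table -AutoSize
#   Set-GroupVisibility -Identity 'Marketing Team' -HiddenFromAddressLists $false -HiddenFromExchangeClients $false -WhatIf
#   Set-GroupVisibility -Identity 'Marketing Team' -HiddenFromAddressLists $false -HiddenFromExchangeClients $false
```

Running the report before and after a change is the quickest way to confirm the flags took effect on the online side; as noted above, the Offline Address Book will lag by up to 24-48 hours regardless of what the report shows.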
