Plan hybrid connectivity between Skype for Business Server and Skype for Business Online

Summary: Read this topic to learn how to plan hybrid connectivity between Skype for Business Server and Skype for Business Online. Setting up hybrid connectivity is the first step in deploying many Skype for Business hybrid solutions.

This topic provides an overview, and describes the infrastructure and system requirements you'll need to configure hybrid connectivity between your existing on-premises Skype for Business Server deployment—with users who were created in your on-premises Active Directory—and Skype for Business Online.

This topic contains the following sections:

  • Overview

  • Infrastructure requirements

  • Multi-forest support

  • Exchange co-existence

  • Administrator credentials

  • Skype for Business Online PowerShell

  • Skype for Business client support

  • Topology requirements

  • Federation Allowed/Blocked Lists requirements

  • DNS settings

  • Firewall considerations

  • Port and protocol requirements

  • User accounts and data

  • User policies and features

After you have read this topic and are ready to deploy, see Deploy hybrid connectivity between Skype for Business Server and Skype for Business Online. The deployment topics provide step-by-step guidance for setting up hybrid connectivity between your on-premises deployment and Skype for Business Online.

(For information about configuring your Lync Server 2013 or Lync Server 2010 deployment for hybrid, see Lync Server 2013 hybrid.)

Overview

Hybrid solutions enable you to move your users to the cloud based on your schedule and business need. This topic focuses on hybrid connectivity between an on-premises deployment of Skype for Business Server and Skype for Business Online. This connectivity allows you to have some users homed on-premises and some users homed online.

This type of deployment is sometimes referred to as "split domain"—meaning users of a domain, such as contoso.com, are split between using Skype for Business Server on premises and Skype for Business Online as follows:

  • Users who are homed on premises interact with on premises Skype for Business servers

  • Users who are homed online interact with Skype for Business online services

  • Users from both environments can collaborate with each other by using Instant Messaging, participating in conference calls, VoIP calls, and so on

  • Azure Active Directory Connect is used to synchronize your on-premises directory with Office 365

The on-premises Active Directory is authoritative, which means that you must do the following to ensure that on-premises and online users are discoverable to one another:

  • All users should be created in the on-premises Active Directory first, and then synchronized to Azure AD.

  • If your users are homed on premises for Skype for Business, then you need to enable them for Skype for Business on premises.

  • If your users are homed on premises, but want to take advantage of some online features, such as Skype Meeting Broadcast, you need to assign them a Skype for Business Online plan 2 license.

  • If your users are homed in Skype for Business Online, once their account is synchronized to Azure AD, you need to assign them a Skype for Business Online plan 2 license.

  • After Skype for Business Online users are assigned a license, you need to enable them for Skype for Business or for Enterprise Voice on premises. For more information, see Enable the users for Enterprise Voice on premises. For more information about hybrid voice requirements, see Plan Phone System in Office 365 with on-premises PSTN connectivity in Skype for Business Server.

You'll learn more about Active Directory configuration in the sections that follow. But first, an overview of the terminology and acronyms used in the diagrams below, and in many of the hybrid connectivity topics:

  • PSTN - Public Switched Telephone Network

  • PBX - Private Branch Exchange phone system

  • Phone System - Microsoft's Cloud PBX phone system offering

  • Trunk - Telephony line that connects PBXs to the PSTN. A trunk might use Session Initiation Protocol (SIP), which is a Voice over Internet Protocol (VoIP) technology, or the older Time-Division Multiplexing (TDM) technology

  • SBC - Session Border Controller - Device that serves as a firewall and router in telephony networks. For example, it provides security, connectivity, interoperability, and Quality of Service.

  • PSTN gateway - A device that serves as a router in telephony networks, capable of doing most of what an SBC can do except security and NAT traversal.

The following diagram shows a Skype for Business "split domain" hybrid configuration. Users A and B are homed online but are discoverable by on-premises users; users C and D are homed on premises, but are discoverable by online users.

[Diagram: SfB Hybrid connectivity - split domain]

You might also be familiar with the term "hybrid voice"—which refers to on-premises voice trunks that provide functionality to users homed in the cloud. Hybrid voice enables migration to the cloud while preserving on-premises voice configuration. If you already have a Skype for Business Server deployment, the first step to enable hybrid voice is to configure a split domain environment.

For example, assume your company has a large mobile field support organization that requires minimal PBX voice, but extensive smart phone use. You might choose to move these users to the cloud to take advantage of Microsoft's Phone System in Office 365 (Cloud PBX). If your company also has a large on-premises call center that requires advanced, complex contact center software as part of your on-premises PBX, you might choose to leave these users on premises. Users homed online and on premises both have PSTN connectivity through your on-premises deployment.

The following diagram shows a Skype for Business hybrid voice deployment:

[Diagram: SfB split domain with Cloud PBX]

For more information about setting up a hybrid voice solution with your Skype for Business Server deployment, see Plan Phone System in Office 365 with on-premises PSTN connectivity in Skype for Business Server.

You can also configure hybrid deployments for integration with on-premises Exchange and SharePoint, or with Microsoft Office 365 applications, including Exchange Online and SharePoint Online. You can also configure a hybrid voice solution that does not require a full Skype for Business Server deployment by using Cloud Connector Edition. For more information about all Skype for Business hybrid solutions and planning your move to the cloud, see Skype for Business hybrid solutions.

Infrastructure requirements

To implement and deploy hybrid connectivity between Skype for Business Server and Skype for Business Online, you must configure the following in your environment:

  • A single on-premises deployment of Skype for Business Server or Lync Server that is deployed in a supported topology. See Topology requirements in this topic.

  • A Microsoft Office 365 tenant with Skype for Business Online enabled.

    Note

    You can use only a single tenant for a hybrid configuration with your on-premises deployment.

  • Skype for Business Server 2015 administrative tools. (If you are using Lync Server 2013 or Lync Server 2010, you can use the Lync Server 2013 administrative tools. For more information, see Lync Server 2013 hybrid.)

  • Azure Active Directory Connect to synchronize your on-premises directory with Office 365. For more information, see Connect Active Directory with Azure Active Directory.

    To support Single Sign-on with Office 365 so that users can use the same login credentials as they do for on premises, you can use the password sync features of Azure Active Directory (AAD) Connect. You can also use Active Directory Federation Services (AD FS) for single sign-on with Office 365.

  • Enabled federation between your on-premises Skype for Business deployment and your Office 365 tenant. Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. For more information, see Configure federation with Skype for Business Online.

  • Enabled shared Session Initiation Protocol (SIP) address space. A SIP address is a unique identifier for each user on a network, similar to a phone number or an email address. Before you try to move users from on premises to Skype for Business Online, you'll need to configure your Office 365 tenant to share the SIP address space with your on-premises deployment. For more information, see Configure federation with Skype for Business Online.

Multi-forest support

Users can access Skype for Business functionality in another forest if the following requirements are met:

  • Users are properly synchronized into the forest that hosts Skype for Business: In hybrid configurations, this means that users must be synchronized as disabled user objects.

  • The forest hosting Skype for Business must trust the forest containing the users.

For details on multi-forest hybrid scenarios, see Configure a multi-forest environment for hybrid Skype for Business.

Exchange co-existence

To support co-existence with Exchange, keep the following in mind:

  • The best practice is to move the user's mailbox to Exchange Online before moving the user's Skype for Business home.

  • Users with Exchange mailboxes on premises are supported with the following known limitations:

For details on co-existence with Exchange Server, including support criteria and limitations in various combinations of on-premises and online, see Feature support in Plan to integrate Skype for Business and Exchange.

Administrator credentials

When you are asked to provide your administrator credentials, use the username and password for the administrator account for your Office 365 tenant. You will also use these credentials when you configure Azure Active Directory for federation, directory synchronization, single sign-on, and moving users to Skype for Business Online.

Skype for Business Online PowerShell

Administrators now have the ability to use Windows PowerShell to manage Skype for Business Online and their Skype for Business Online user accounts. To do this, you must first download and install the Skype for Business Online Connector Module from the Microsoft Download Center. For more information on downloading, installing, and using the Skype for Business Online Connector Module, and for detailed information on using Windows PowerShell to manage Skype for Business Online, see Using Windows PowerShell to manage Skype for Business Online.

Skype for Business client support

There are some differences in the features supported in clients, as well as the features available in on-premises and online environments. The following clients are supported with Skype for Business Online in a hybrid deployment:

  • Skype for Business

  • Lync 2013

  • Lync 2010

  • Lync Windows Store app

  • Lync Web App

  • Lync Mobile

  • Lync for Mac 2011

  • Lync Room System and Skype for Business Room System

  • Lync Basic 2013

  • Microsoft Surface Hub

Before you decide where you want to home users in your organization, you should review the Desktop client feature comparison for Skype for Business to determine the client support for the various configurations of Skype for Business Server.

Topology requirements

To configure your deployment for hybrid with Skype for Business Online, you need to have one of the following supported topologies:

  • A Skype for Business Server 2015 deployment with all servers running Skype for Business Server 2015.

  • A Lync Server 2013 deployment with all servers running Lync Server 2013.

    For hybrid voice connectivity, the Edge Server that is designated as the Federation Edge must be running Skype for Business Server 2015, and that Edge also requires a Skype for Business Server 2015 back end (the pool it uses as its next hop). That pool can be one with no users homed on it.

  • A Lync Server 2010 deployment with all servers running Lync Server 2010 with the latest cumulative updates.

    • The federation Edge Server and next hop server from the federation Edge Server must be running Lync Server 2010 with the latest cumulative updates.

    • The Skype for Business Server 2015 or Lync Server 2013 Administrative Tools must be installed on at least one server or management workstation.

  • A mixed Lync Server 2013 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:

    • At least one Enterprise Pool or Standard Edition server

    • The Director Pool associated with SIP federation, if it exists

    • The Edge Pool associated with SIP federation

  • A mixed Lync Server 2010 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:

    • At least one Enterprise Pool or Standard Edition server

    • The Director Pool associated with SIP federation, if it exists

    • The Edge Pool associated with SIP federation for the Site

  • A mixed Lync Server 2010 and Lync Server 2013 deployment with the following server roles in at least one site running Lync Server 2013:

    • At least one Enterprise Pool or Standard Edition server in the site

    • The Director Pool associated with SIP federation, if it exists in the site

    • The Edge Pool associated with SIP federation for the site

Federation Allowed/Blocked Lists requirements

The Allowed domains list includes domains that have a partner Edge fully qualified domain name (FQDN) configured. These are sometimes referred to as allowed partner servers or direct federation partners. You should be familiar with the difference between Open Federation and Closed Federation, referred to as partner discovery and allowed partner domain list, respectively, in on-premises deployments.

The following requirements must be met to successfully configure a hybrid deployment:

  • Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant. If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant.

  • The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.

  • The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.

  • Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel.
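The four requirements above are easy to get wrong when the two lists are maintained by hand in two places. The following PowerShell function is an added example (not part of this topic or of the Skype for Business administrative tools) that takes both configurations as plain values and reports every mismatch. The sample values at the bottom are constructed; in a real check you would populate the on-premises side from Get-CsAccessEdgeConfiguration (EnablePartnerDiscovery), Get-CsAllowedDomain and Get-CsBlockedDomain, and the online side from Get-CsTenantFederationConfiguration, which this example does not call.

```powershell
# Added example, not from the page: check that the on-premises federation configuration
# and the online tenant's federation configuration satisfy the hybrid requirements.
# The sample values at the bottom are constructed placeholders.

function ConvertTo-NormalizedDomainList {
    param([string[]]$Domains = @())
    # Lower-case, trim and de-duplicate so that "Fabrikam.com " and "fabrikam.com" compare equal.
    @($Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ } | Sort-Object -Unique)
}

function Compare-HybridFederationLists {
    param(
        [string[]]$OnPremAllowed = @(),
        [string[]]$OnPremBlocked = @(),
        [bool]$OnPremPartnerDiscovery,
        [string[]]$OnlineAllowed = @(),
        [string[]]$OnlineBlocked = @(),
        [bool]$OnlineOpenFederation,
        [bool]$OnlineFederationEnabled
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Requirement: federation (external communications) must be enabled for the tenant.
    if (-not $OnlineFederationEnabled) {
        $findings.Add('Online tenant: external communications is disabled; enable federation in the Skype for Business Online Control Panel.')
    }

    # Requirement: partner discovery on premises <=> open federation online (and closed <=> closed).
    if ($OnPremPartnerDiscovery -ne $OnlineOpenFederation) {
        $wanted = if ($OnPremPartnerDiscovery) { 'open' } else { 'closed' }
        $findings.Add("Domain matching mismatch: partner discovery on premises is $OnPremPartnerDiscovery, so the online tenant must use $wanted federation.")
    }

    # Requirement: the Allowed list and the Blocked list must match exactly in both directions.
    foreach ($list in @(
            @{ Name = 'Allowed'; OnPrem = $OnPremAllowed; Online = $OnlineAllowed },
            @{ Name = 'Blocked'; OnPrem = $OnPremBlocked; Online = $OnlineBlocked })) {
        $a = ConvertTo-NormalizedDomainList $list.OnPrem
        $b = ConvertTo-NormalizedDomainList $list.Online
        foreach ($d in ($a | Where-Object { $_ -notin $b })) {
            $findings.Add("$($list.Name) domains: '$d' is configured on premises but not on the online tenant.")
        }
        foreach ($d in ($b | Where-Object { $_ -notin $a })) {
            $findings.Add("$($list.Name) domains: '$d' is configured on the online tenant but not on premises.")
        }
    }

    # A domain that is both allowed and blocked is contradictory, whichever side it comes from.
    $allowed = ConvertTo-NormalizedDomainList ($OnPremAllowed + $OnlineAllowed)
    $blocked = ConvertTo-NormalizedDomainList ($OnPremBlocked + $OnlineBlocked)
    foreach ($d in ($allowed | Where-Object { $_ -in $blocked })) {
        $findings.Add("'$d' appears on both an Allowed list and a Blocked list.")
    }
    return ,$findings
}

# Constructed sample configuration with two deliberate mismatches:
# northwind.com is allowed only on premises, and partner discovery is off while the tenant is open.
$result = Compare-HybridFederationLists `
    -OnPremAllowed  @('fabrikam.com', 'Northwind.com') `
    -OnPremBlocked  @('spam.example') `
    -OnPremPartnerDiscovery $false `
    -OnlineAllowed  @('fabrikam.com') `
    -OnlineBlocked  @('spam.example') `
    -OnlineOpenFederation $true `
    -OnlineFederationEnabled $true

if ($result.Count -eq 0) { 'Federation lists are consistent.' } else { $result }
```

With the constructed input the function reports two findings: the Allowed-list difference for northwind.com and the open/closed federation mismatch. Run it after every change to either side, because a list that drifts out of sync silently breaks communication with that partner for whichever half of your users is homed on the other side.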

DNS settings

When creating DNS records for hybrid deployments, all Skype for Business external DNS records should point to the on-premises infrastructure. For details on required DNS records, please refer to DNS requirements for Skype for Business Server 2015.

Additionally you need to ensure that the DNS resolution described in the following table works in your on-premises deployment:

DNS record: DNS SRV record for _sipfederationtls._tcp.<sipdomain.com> for all supported SIP domains, resolving to the Access Edge external IP(s)
Resolvable by: Edge server(s)
DNS requirement: Enable federated communication in a hybrid configuration. The Edge Server needs to know where to route federated traffic for the SIP domain that is split between on premises and online. Must use strict DNS name matching between the domain in the user name and the SRV record.

DNS record: DNS A record(s) for the Edge Web Conferencing Service FQDN (for example, webcon.contoso.com), resolving to the Web Conferencing Edge external IP(s)
Resolvable by: Internal corporate network connected users' computers
DNS requirement: Enable online users to present or view content in on-premises hosted meetings. Content includes PowerPoint files, whiteboards, polls, and shared notes.

Depending on how DNS is configured in your organization, you may need to add these records to the internal hosted DNS zone for the corresponding SIP domain(s) to provide internal DNS resolution to these records.
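The following PowerShell is an added example (not part of this topic) that checks both records from the table. It derives the SIP domain from each user's SIP address and queries the SRV record for exactly that domain, which is the "strict DNS name matching" requirement: a record that exists only on a parent domain does not satisfy a user in a child domain. Resolve-DnsName is the real DnsClient cmdlet available on Windows Server 2012 / Windows 8 and later; the SIP addresses, Edge FQDN and IP addresses below are constructed placeholders, and the destination port 5061 is taken from the port table later in this topic.

```powershell
# Added example, not from the page: verify the hybrid DNS records described in the table above.
# All names and addresses below are constructed placeholders; replace them with your own.

function Get-SipDomain {
    param([Parameter(Mandatory)][string]$SipAddress)
    # 'sip:alice@contoso.com' or 'alice@contoso.com' -> 'contoso.com'
    if (($SipAddress -replace '^sip:', '') -notmatch '^[^@\s]+@([^@\s]+)$') {
        throw "Not a SIP address: $SipAddress"
    }
    $Matches[1].ToLowerInvariant()
}

function Test-SipFederationSrv {
    param(
        [Parameter(Mandatory)][string]$SipDomain,
        [Parameter(Mandatory)][string[]]$AccessEdgeExternalIPs,
        [string]$DnsServer        # optional: the resolver your Edge Servers actually use
    )
    $name  = "_sipfederationtls._tcp.$SipDomain"
    $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }

    # Strict name matching: keep only answers whose owner name is exactly the queried name.
    $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' -and $_.Name -eq $name })

    $issue = $null
    if ($srv.Count -eq 0) {
        $issue = 'no SRV record for this exact domain'
    } elseif ($srv.Port -notcontains 5061) {
        $issue = "SRV port is $($srv.Port -join ', '), expected 5061"
    } else {
        # The SRV target must resolve to the Access Edge external IP(s).
        $targetIPs = @()
        foreach ($t in $srv.NameTarget) {
            $q2 = @{ Name = $t; Type = 'A'; ErrorAction = 'SilentlyContinue' }
            if ($DnsServer) { $q2.Server = $DnsServer }
            $targetIPs += @(Resolve-DnsName @q2 | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        }
        $hit = @($AccessEdgeExternalIPs | Where-Object { $_ -in $targetIPs })
        if ($hit.Count -eq 0) {
            $issue = "target(s) $($srv.NameTarget -join ', ') resolve to $($targetIPs -join ', '), not to the Access Edge external IP(s)"
        }
    }
    [pscustomobject]@{ Record = $name; Ok = ($null -eq $issue); Issue = $issue }
}

function Test-WebConferencingARecord {
    param(
        [Parameter(Mandatory)][string]$WebConfFqdn,
        [string[]]$ExpectedIPs = @(),
        [string]$DnsServer
    )
    $query = @{ Name = $WebConfFqdn; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $a = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'A' })

    $issue = $null
    if ($a.Count -eq 0) {
        $issue = 'no A record'
    } elseif ($ExpectedIPs.Count -gt 0) {
        $got     = @($a | ForEach-Object { $_.IPAddress })
        $missing = @($ExpectedIPs | Where-Object { $_ -notin $got })
        if ($missing.Count -gt 0) { $issue = "missing expected IP(s): $($missing -join ', ')" }
    }
    [pscustomobject]@{ Record = $WebConfFqdn; Ok = ($null -eq $issue); Issue = $issue }
}

# Constructed inputs (placeholders): one user per SIP domain is enough to derive the domain list.
$sipUsers      = @('sip:alice@contoso.com', 'sip:bob@sales.contoso.com')
$accessEdgeIPs = @('203.0.113.10')
$webConfFqdn   = 'webcon.contoso.com'

$sipUsers | ForEach-Object { Get-SipDomain $_ } | Sort-Object -Unique |
    ForEach-Object { Test-SipFederationSrv -SipDomain $_ -AccessEdgeExternalIPs $accessEdgeIPs }
Test-WebConferencingARecord -WebConfFqdn $webConfFqdn
```

Run the SRV check on each Edge Server (or pass -DnsServer with the resolver the Edge Servers use), since that is where the record has to be resolvable; run the A record check from a client on the internal corporate network, which is where online users' meeting content traffic originates. In the constructed input, sales.contoso.com is listed deliberately: it will be reported as failing unless it has its own _sipfederationtls._tcp record, even when contoso.com has one.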

Firewall considerations

Computers on your network must be able to perform standard Internet DNS lookups. If these computers can reach standard Internet sites, your network meets this requirement.

Depending on the location of your Microsoft Online Services data center, you must also configure your network firewall devices to accept connections based on wildcard domain names (for example, all traffic from *.outlook.com). If your organization's firewalls do not support wildcard name configurations, you will have to manually determine the IP address ranges that you would like to allow and the specified ports.

For more information, see Office 365 URLs and IP address ranges.

Port and protocol requirements

In addition to the port requirements for internal communication, you must also configure the following ports to enable hybrid connectivity:

Protocol     TCP or UDP  Source IP    Destination IP  Source Port  Destination Port  Notes
SIP (MTLS)   TCP         Access Edge  Office 365      Any          5061              Signaling
SIP (MTLS)   TCP         Office 365   Access Edge     Any          5061              Signaling
STUN         TCP         A/V Edge     Office 365      50000-59999  443               Open for audio, video, application sharing sessions
STUN         TCP         Office 365   A/V Edge        50000-59999  443               Open for audio, video, application sharing sessions
STUN         UDP         A/V Edge     Office 365      3478         3478              Open for audio, video sessions
STUN         UDP         Office 365   A/V Edge        3478         3478              Open for audio, video sessions

For more information about port and firewall planning for Edge Server, see Edge Server environmental requirements in Skype for Business Server 2015. See also Port and protocol requirements for servers and the Protocol workloads diagram.

User accounts and data

In a hybrid deployment, any user that you want to home online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online, which will move the user's contact list.

When you synchronize user accounts between your on-premises deployment and online tenant using AAD Connect, you need to synchronize the AD accounts for all Skype for Business or Lync users in your organization, even if users are not moved to online. If you do not synchronize all users, communication between on-premises and online users in your organization may not work as expected.

Important

All user management, including user moves between on-premises and Skype for Business Online, must be done using the latest installed version of the administrative tools. The administrative tools must be installed on a separate server that has network connectivity to the existing on-premises deployment and to the Internet. The cmdlet to move users from your on-premises deployment to Skype for Business Online, Move-CsUser, must be run from the administrative tools connected to your on-premises deployment. For more information about moving users, see Move users from on premises to Skype for Business Online.

Important

If the user was created by using the online portal for Office 365, the user account will not be synchronized with on-premises Active Directory, and the user will not exist in the on-premises Active Directory. If you have already created users in your online tenant, and want to configure hybrid with an on-premises deployment, see Move users from online to on premises.

Note

If you are currently a Skype for Business Online customer who has users enabled for Skype for Business Online who have not been enabled in an on-premises deployment, see Move users from Skype for Business Online to on premises.

You should also consider the following user-related issues when planning for a hybrid deployment.

  • User contacts: The limit for contacts for Lync Online users is 250. Any contacts beyond that number will be removed from the user's contact list when the account is moved to Lync Online.

  • Instant Messaging and Presence: User contact lists, groups, and access control lists (ACLs) are migrated with the user account.

  • Conferencing data, meeting content, and scheduled meetings: This content is not migrated with the user account. Users must reschedule meetings after their accounts are migrated to Lync Online.

User policies and features

  • In a hybrid environment, users can be enabled for Instant Messaging and conferencing (meetings) either on premises or online, but not both simultaneously.

  • Client support: Some users may require a new client version when they are moved to Skype for Business Online. For Office Communications Server 2007 R2, users must be moved to a Skype for Business Server or Lync Server 2013 pool prior to migration to Skype for Business Online.

  • On-premises policies and configuration (non-user): Online and on-premises policies require separate configuration. You cannot set global policies that apply to both.