Johan Delimon 26/04/2016 BE-COM E-COMMUNICATIONS EVENT THE INNER WORKINGS OF SKYPE FOR BUSINESS: NETWORKING.


Johan Delimon, idelimon BVBA / Skype for Business MVP / MCSM Communications / Skype4B Architect

Session Initiation Protocol (SIP) & Session Description Protocol (SDP), Microsoft Ignite 2015 (Chicago, US)

Agenda: SIP Primer; Configuration & Settings; SDP Primer; Internal Only Calls; External Calls / Cloud Connector

SIP call flow (both legs): INVITE (+SDP) -> 180 Ringing -> 200 OK (+SDP) -> ACK

Session Initiation Protocol: SIP has no secrets (everything is visible in the logs). Client or server logging (also for Office 365 clients). Snooper is your friend. On the wire SfB signaling is TLS, but the client (UccApi) and server logs show it decoded, including the SDP with the SRTP key material, so treat log files as sensitive.

Client Configuration Settings, Skype for Business (order of precedence):
1. Skype for Business in-band provisioning
2. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\15.0\Lync
3. HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\15.0\Lync
4. Skype for Business - Options dialog box in the Skype for Business client

In-Band Provisioning: Provisioning SFB Client Policies & Settings. SUBSCRIBE SIP/2.0, Content-Type: application/vnd-microsoft-roaming-provisioning-v2+xml

In-Band Provisioning: Provisioning SFB Client (screenshot)

Office 365 Port Configuration for SFB Clients
Service | Default Port Range | Default Ports | Customized Port Range | Custom Ports | Minimum Custom Ports | Type
Audio | | | | | | Custom
Video | | | | | | Custom
Application Sharing | | | | | | Custom
File Transfer | | | | | | Custom
(port values not recovered from the slide)

MRAS: Provisioning SFB Client. SERVICE KrFykWklySMEr01LKV9wAA SIP/2.0, Content-Type: application/msrtc-media-relay-auth+xml. MRAS = Media Relay Authentication Service

Media Relay Authentication Service (MRAS)

Media Relay Authentication Service (MRAS): the client does not connect to the Edge for MRAS; the Front End connects to the Edge (A/V Authentication service, TCP port 5062) on the client's behalf. If the FE cannot reach the Edge on TCP 5062, the client shows "Limited External Calling".

SIP call flow (both legs): INVITE (+SDP) -> 180 Ringing -> 200 OK (+SDP) -> ACK

SDP Offer (INVITE): the SIP message body is the SDP, Content-Type: application/sdp

SDP Response (200 OK)

SDP Details (filtered): Audio Call, Encryption & Codec Priority, Candidates

Candidates: an IP address & port combination to send the media stream to. 3 candidate types: Host = end point IP; STUN/Reflexive = public IP of the firewall (as seen by the STUN server); TURN/Relay = Edge Server IP. Diagram (ICE Client -> DMZ router -> Edge = ICE Server): ❶ Host candidate (likely to fail across NAT); ❷ STUN/Reflexive candidate; ❸ TURN/Relay candidate (Edge relay).

Candidates (screenshot): Host Candidates; TURN/Relay Edge Server Candidates; STUN/Reflexive Candidates
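The SDP slides above (offer, encryption & codec priority, candidates) can be read programmatically the same way you read them in Snooper. The following is an added example, not code from the talk or from Skype for Business: a small parser that pulls the audio m-line and codec order, the SDES a=crypto line that carries the SRTP master key, and the ICE candidates grouped by type. The SDP text is constructed for this example (documentation-range addresses, a demo key); the a=candidate lines use the RFC 5245 syntax that MS-ICE2 also uses, and TCP-ACT is the MS-ICE2 active-TCP transport token.

```python
"""Read an SDP offer the way you would in Snooper: the audio m-line and codec
order, the SDES crypto line that carries the SRTP key, and the ICE candidates
grouped by type (host / srflx / relay)."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not a real capture). Addresses are RFC 1918 / RFC 5737
# documentation ranges; the key is a demo value, 30 bytes -> 40 base64 chars.
DEMO_KEY_SALT = base64.b64encode(b"demo_key_do_not_use_in_prod000").decode()
SAMPLE_SDP = f"""v=0
o=- 0 0 IN IP4 10.0.0.5
s=session
c=IN IP4 10.0.0.5
t=0 0
m=audio 50020 RTP/SAVP 114 9 0 8 13 101
a=rtpmap:114 x-msrta/16000
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:13 CN/8000
a=rtpmap:101 telephone-event/8000
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{DEMO_KEY_SALT}|2^31|1:1
a=ice-ufrag:abCd
a=ice-pwd:constructedIcePasswordValue00
a=candidate:1 1 UDP 2130706431 10.0.0.5 50020 typ host
a=candidate:1 2 UDP 2130706430 10.0.0.5 50021 typ host
a=candidate:2 1 UDP 1694498815 203.0.113.10 50020 typ srflx raddr 10.0.0.5 rport 50020
a=candidate:2 2 UDP 1694498814 203.0.113.10 50021 typ srflx raddr 10.0.0.5 rport 50021
a=candidate:3 1 UDP 16777215 198.51.100.20 55000 typ relay raddr 203.0.113.10 rport 50020
a=candidate:3 2 UDP 16777214 198.51.100.20 55001 typ relay raddr 203.0.113.10 rport 50021
a=candidate:4 1 TCP-ACT 1006632959 198.51.100.20 443 typ relay raddr 203.0.113.10 rport 50020
"""

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<typ>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    typ: str                 # host | srflx | relay (| prflx)
    raddr: Optional[str]
    rport: Optional[int]


def parse_sdp(text: str) -> dict:
    """Return media profile, codec order, crypto parameters and ICE candidates."""
    info = {"profile": None, "media_port": None, "codecs": [], "crypto": None, "candidates": []}
    payload_types: List[str] = []
    rtpmap: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("m=audio "):
            parts = line.split()
            info["media_port"], info["profile"] = int(parts[1]), parts[2]
            payload_types = parts[3:]              # order on the m-line = codec priority
        elif line.startswith("a=rtpmap:"):
            pt, name = line[len("a=rtpmap:"):].split(" ", 1)
            rtpmap[pt] = name
        elif line.startswith("a=crypto:"):
            tag, suite, key_params, *session = line[len("a=crypto:"):].split()
            info["crypto"] = {"tag": int(tag), "suite": suite,
                              "key_params": key_params, "session_params": session}
        elif line.startswith("a=candidate:"):
            m = CANDIDATE_RE.match(line)
            if m is None:
                raise ValueError(f"unparseable candidate: {line}")
            g = m.groupdict()
            info["candidates"].append(Candidate(
                g["foundation"], int(g["component"]), g["transport"], int(g["priority"]),
                g["address"], int(g["port"]), g["typ"],
                g["raddr"], int(g["rport"]) if g["rport"] else None))
    info["codecs"] = [rtpmap.get(pt, f"pt{pt}") for pt in payload_types]
    return info


def srtp_key_ok(crypto: Optional[dict]) -> bool:
    """AES_CM_128_HMAC_SHA1_80 needs a 16-byte master key + 14-byte salt = 30 bytes."""
    if crypto is None or crypto["suite"] != "AES_CM_128_HMAC_SHA1_80":
        return False
    key_b64 = crypto["key_params"].split("|")[0]
    if not key_b64.startswith("inline:"):
        return False
    return len(base64.b64decode(key_b64[len("inline:"):])) == 30


def candidates_by_type(cands: List[Candidate]) -> Dict[str, List[Candidate]]:
    groups: Dict[str, List[Candidate]] = {"host": [], "srflx": [], "relay": []}
    for c in cands:
        groups.setdefault(c.typ, []).append(c)
    return groups


def preferred_candidate(cands: List[Candidate], component: int = 1) -> Candidate:
    """Highest-priority candidate for a component: what ICE will try first."""
    return max((c for c in cands if c.component == component), key=lambda c: c.priority)


def check_offer(info: dict) -> List[str]:
    """Findings to flag on an offer: unencrypted media, a bad key, no candidates.
    The master key sits in the SDP in the clear, which is why SfB signaling is
    TLS-only and why Snooper / UccApi logs must be handled as sensitive."""
    findings = []
    if info["profile"] != "RTP/SAVP":
        findings.append(f"m-line profile {info['profile']} is not RTP/SAVP: media would not be SRTP")
    if info["crypto"] is None:
        findings.append("no a=crypto line: no SRTP key offered")
    elif not srtp_key_ok(info["crypto"]):
        findings.append(f"a=crypto {info['crypto']['suite']}: unexpected suite or key length")
    if not info["candidates"]:
        findings.append("no ICE candidates: media path cannot be negotiated")
    return findings


if __name__ == "__main__":
    offer = parse_sdp(SAMPLE_SDP)
    print("codec order:", offer["codecs"])
    for typ, cs in candidates_by_type(offer["candidates"]).items():
        print(f"{typ:6}", [(c.transport, c.address, c.port) for c in cs])
    print("findings:", check_offer(offer) or "none")
```

Run it against an SDP body copied out of Snooper to see the codec order, which of the three candidate types the client actually offered, and whether the offer is SRTP (RTP/SAVP plus a well-formed a=crypto line) before you start looking at the network path.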

RE-INVITE & Final Information

RE-INVITE & Final Information (Continued)

Inside Only

Default Media Port Ranges (diagram): Skype for Business Client <-> Enterprise Pool. Client: Default Audio, Video, App Sharing and File Sharing port ranges. Pool: Default Audio, Video and App Sharing port ranges. (Port numbers, other than the 1024 lower bound, not recovered from the slide.)

Custom Media Port Ranges (diagram): Skype for Business Client <-> Enterprise Pool. Pool: Default Audio, Video and App Sharing port ranges. Client: Custom Audio, Video, App Sharing and File Sharing port ranges. (Port numbers not recovered from the slide.)

Custom Configuration on the SFB Servers
Service | Default Port Range | Default Ports | Customized Port Range | Customized Ports | Type
Application Sharing | | | | | Custom
Audio | | | | | Default
Video | | | | | Default
(port values not recovered from the slide)

Custom Media Port Ranges (diagram): Skype for Business Client <-> Enterprise Pool. Client: Custom Audio, Video, App Sharing and File Sharing port ranges. Pool: Default Audio and Video port ranges, Custom App Sharing port range. (Port numbers not recovered from the slide.)

Custom Configuration of the SFB Clients
Service | Default Port Range | Default Ports | Customized Port Range | Custom Ports | Minimum Custom Ports | Type
Audio | | | | | | Custom
Video | | | | | | Custom
Application Sharing | | | | | | Custom
File Transfer | | | | | | Custom
(port values not recovered from the slide)

Office 365 Media Port Ranges (diagram): Skype for Business Client <-> Enterprise Pool. Client: Custom Audio, Video, App Sharing and File Sharing port ranges. Pool: Default Audio and Video port ranges, Custom App Sharing port range. (Port numbers not recovered from the slide.)

Office 365 Configuration of the SFB Clients
Service | Default Port Range | Default Ports | Customized Port Range | Custom Ports | Minimum Custom Ports | Type
Audio | | | | | | Custom
Video | | | | | | Custom
Application Sharing | | | | | | Custom
File Transfer | | | | | | Custom
(port values not recovered from the slide)
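Once audio, video, application sharing and file transfer get their own client and server port ranges, the plan has to be checked before it is turned into firewall rules: every range inside 1024-65535, no two services on the same host sharing ports, and each service given at least the minimum number of ports the tables above call for. The following validator is an added example, not code from the talk or from Skype for Business; the port numbers in it are constructed and are not the product defaults, and the 20-port minimum is an assumed policy value passed in as a parameter.

```python
"""Check a custom media port plan before it becomes firewall rules: ranges
inside 1024-65535, no overlap between services on one host, and at least the
minimum number of ports per service."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortRange:
    service: str
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count - 1

    def __str__(self) -> str:
        return f"{self.service} {self.start}-{self.end} ({self.count} ports)"


def validate_plan(ranges: List[PortRange], minimum_ports: int = 20,
                  low: int = 1024, high: int = 65535) -> List[str]:
    """Return the list of problems; an empty list means the plan is consistent.
    minimum_ports is an assumed policy value, not a product constant."""
    problems = []
    for r in ranges:
        if r.count < minimum_ports:
            problems.append(f"{r}: fewer than the minimum of {minimum_ports} ports")
        if r.start < low or r.end > high:
            problems.append(f"{r}: outside the allowed range {low}-{high}")
    ordered = sorted(ranges, key=lambda r: r.start)
    for a, b in zip(ordered, ordered[1:]):
        if b.start <= a.end:                       # services on one host must not share ports
            problems.append(f"{a} overlaps {b}")
    return problems


def total_ports(ranges: List[PortRange]) -> int:
    """Number of ports a host firewall rule set has to open for this plan."""
    return sum(r.count for r in ranges)


# Constructed client plan: four services, 20 contiguous ports each.
CLIENT_PLAN = [
    PortRange("audio", 50000, 20),
    PortRange("video", 50020, 20),
    PortRange("application sharing", 50040, 20),
    PortRange("file transfer", 50060, 20),
]

# Constructed broken plan: audio grows into video; app sharing is below 1024 and too small.
BROKEN_PLAN = [
    PortRange("audio", 50000, 40),
    PortRange("video", 50020, 20),
    PortRange("application sharing", 500, 10),
]

if __name__ == "__main__":
    for name, plan in (("client plan", CLIENT_PLAN), ("broken plan", BROKEN_PLAN)):
        issues = validate_plan(plan)
        print(f"{name}: {total_ports(plan)} ports,", "OK" if not issues else "; ".join(issues))
```

Client and server plans are validated separately because they live on different hosts; a client range may legitimately overlap a server range, but two services on the same machine never may.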

MRAS / EDGE: the client does not connect to the Edge for MRAS; the FE connects to the Edge (TCP port 5062, FE to Edge) to get MRAS credentials and passes them to the client. STUN/TURN/ICE: the Edge acts as a TURN relay (relays packets only, no termination of media). Edge candidates and routing/tunneling. The MRAS credentials authenticate the client to the Edge in its STUN/TURN messages (the TURN allocation), not inside the SRTP packets; the relayed SRTP stays encrypted end to end between the endpoints.

STUN/TURN/ICE Process: 1. MRAS credentials (sign-in); 2. Candidate discovery (STUN/TURN); 3. Candidate exchange (SDP); 4. Candidate connectivity checks (ICE); 5. Candidate promotion (RE-INVITE). Preference: direct over relay, UDP over TCP.
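Steps 3 to 5 above, candidate exchange, connectivity checks and promotion, come down to pairing local and remote candidates, ordering the pairs by priority, and promoting the highest pair whose check succeeds; "direct over relay" and "UDP over TCP" fall out of the priority formula. The following is an added example, not code from the talk or from the Skype for Business / Edge implementation: it uses the RFC 5245 candidate and pair priority formulas, a toy reachability model in place of real STUN Binding requests, and a constructed topology (Alice and Bob on one corpnet, Carol external behind a symmetric NAT, optionally with UDP blocked outbound). The UDP-over-TCP weighting in LOCAL_PREF is this example's choice; MS-ICE2 also prefers UDP but its exact values are not taken from the slide.

```python
"""ICE after the SDP exchange: form candidate pairs, order them by pair
priority, run connectivity checks, promote the winner (what the RE-INVITE
carries). Constructed example with a toy reachability model."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Optional, Tuple

# RFC 5245 s4.1.2.2 recommended type preferences: direct beats relay.
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}
# Local preference ranks UDP above TCP (assumed weighting for this example).
LOCAL_PREF = {"UDP": 65535, "TCP": 32767}


@dataclass(frozen=True)
class Cand:
    typ: str
    transport: str
    ip: str
    port: int
    component: int = 1

    @property
    def priority(self) -> int:
        # RFC 5245 s4.1.2.1: (2^24)*type + (2^8)*local + (256 - component)
        return (TYPE_PREF[self.typ] << 24) + (LOCAL_PREF[self.transport] << 8) + (256 - self.component)


def pair_priority(g: int, d: int) -> int:
    """RFC 5245 s5.7.2; G = controlling side's candidate priority, D = controlled."""
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


@dataclass(frozen=True)
class Peer:
    name: str
    subnet: str                    # first three octets, stands in for "same LAN"
    cands: Tuple[Cand, ...]
    symmetric_nat: bool = False    # breaks srflx candidates (see the NAT slides)
    udp_blocked: bool = False      # firewall only lets TCP 443 out


def connectivity_check(local: Cand, remote: Cand, lpeer: Peer, rpeer: Peer) -> bool:
    """Toy stand-in for a STUN Binding request/response on one pair."""
    if local.transport == "UDP" and (lpeer.udp_blocked or rpeer.udp_blocked):
        return False
    if "relay" in (local.typ, remote.typ):
        return True                               # the Edge relays for MRAS-authenticated clients
    if local.typ == remote.typ == "host":
        return lpeer.subnet == rpeer.subnet       # direct host path only inside one network
    if local.typ == remote.typ == "srflx":
        return not (lpeer.symmetric_nat or rpeer.symmetric_nat)
    return False                                  # host<->srflx across NATs fails in this model


def nominate(controlling: Peer, controlled: Peer) -> Optional[Tuple[Cand, Cand]]:
    """Build the check list, test pairs in priority order, promote the first success."""
    pairs = [(l, r) for l, r in product(controlling.cands, controlled.cands)
             if l.component == r.component and l.transport == r.transport]
    pairs.sort(key=lambda p: pair_priority(p[0].priority, p[1].priority), reverse=True)
    for local, remote in pairs:
        if connectivity_check(local, remote, controlling, controlled):
            return local, remote
    return None


def make_peer(name: str, host_ip: str, public_ip: str, relay_port: int, **flags) -> Peer:
    """Constructed candidate set: host, STUN reflexive, UDP relay and TCP 443 relay on the Edge."""
    return Peer(name, host_ip.rsplit(".", 1)[0], (
        Cand("host", "UDP", host_ip, 50020),
        Cand("srflx", "UDP", public_ip, 50020),
        Cand("relay", "UDP", "198.51.100.20", relay_port),
        Cand("relay", "TCP", "198.51.100.20", 443),
    ), **flags)


# Constructed topology (documentation-range addresses).
ALICE = make_peer("alice", "10.0.0.5", "203.0.113.10", 55000)
BOB = make_peer("bob", "10.0.0.9", "203.0.113.10", 55002)
CAROL = make_peer("carol", "192.168.1.20", "192.0.2.44", 55004, symmetric_nat=True)
CAROL_TCP_ONLY = replace(CAROL, udp_blocked=True)


def describe(pair: Optional[Tuple[Cand, Cand]]) -> str:
    if pair is None:
        return "no path"
    return f"{pair[0].typ}/{pair[0].transport} -> {pair[1].typ}/{pair[1].transport}"


if __name__ == "__main__":
    print("inside only:              ", describe(nominate(ALICE, BOB)))
    print("external, symmetric NAT:  ", describe(nominate(ALICE, CAROL)))
    print("external, UDP out blocked:", describe(nominate(ALICE, CAROL_TCP_ONLY)))
```

The three scenarios reproduce the slide's ordering: inside the network the host pair wins; across a symmetric NAT the reflexive pair fails its check and the highest surviving pair goes through the Edge relay over UDP; with UDP blocked outbound, the only pair left is relay to relay over TCP 443.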

Inside Only with Edge Configured

Inside Only with Servers

Full Cone NAT (mapping table)
Source IP | Source Port | Public IP | Public Port | Destination IP | Destination Port
User A IP | User A Port | FW IP | FW Port | (any) | (any)
Diagram: User A behind the firewall; User B and User C on the outside.

Address Restricted NAT (mapping table)
Source IP | Source Port | Public IP | Public Port | Destination IP | Destination Port
User A IP | User A Port | FW IP | FW Port | User B IP | (any)
Diagram: User A behind the firewall; User B and User C on the outside.

Address & Port Restricted NAT (mapping table)
Source IP | Source Port | Public IP | Public Port | Destination IP | Destination Port
User A IP | User A Port | FW IP | FW Port | User B IP | User B Port
Diagram: User A behind the firewall; User B and User C on the outside.

NAT Types
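The three mapping tables above differ only in what the firewall tracks about the outside party before it lets a reply back in. The following is an added example, not code from the talk or from any product: a behavioural model of those three NAT types that sends one packet from User A to User B and then tries inbound packets from B on the same port, from B on another port, and from User C. It goes one step beyond the slides by adding symmetric NAT, the case where the public ip:port learned through one peer (the STUN reflexive candidate) does not apply to another peer, so only the Edge relay works. All addresses are constructed.

```python
"""Behavioural model of full cone, address-restricted, address & port
restricted and symmetric NAT. Constructed example, not SfB code."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

# Constructed addresses (RFC 1918 / RFC 5737 documentation ranges).
USER_A = ("10.0.0.5", 50020)      # internal client behind the NAT
USER_B = ("203.0.113.7", 3478)    # the peer A talks to first (e.g. a STUN/TURN server)
USER_C = ("198.51.100.9", 3478)   # a third party A has never contacted
FW_IP = "192.0.2.1"


class Nat:
    """kind: full_cone | address_restricted | address_port_restricted | symmetric"""

    def __init__(self, public_ip, kind, first_public_port=40000):
        self.public_ip, self.kind = public_ip, kind
        self.next_port = first_public_port
        self.mappings = {}   # mapping key -> public port
        self.bindings = {}   # public port -> {"internal": (ip, port), "peers": {(ip, port)}}

    def _mapping_key(self, pkt):
        # Cone NATs reuse one public port per internal ip:port (endpoint-independent
        # mapping); a symmetric NAT allocates a fresh one per destination.
        if self.kind == "symmetric":
            return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return (pkt.src_ip, pkt.src_port)

    def outbound(self, pkt):
        """Translate an internal->external packet, creating the binding if needed."""
        key = self._mapping_key(pkt)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.bindings[self.next_port] = {"internal": (pkt.src_ip, pkt.src_port), "peers": set()}
            self.next_port += 1
        public_port = self.mappings[key]
        self.bindings[public_port]["peers"].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an external->internal packet, or return None if the filter drops it."""
        binding = self.bindings.get(pkt.dst_port)
        if binding is None or pkt.dst_ip != self.public_ip:
            return None                      # no binding: every NAT type drops this
        peers = binding["peers"]
        if self.kind == "full_cone":
            allowed = True                   # anyone may send to the mapped port
        elif self.kind == "address_restricted":
            allowed = any(ip == pkt.src_ip for ip, _ in peers)   # IP must have been contacted
        else:                                # address_port_restricted and symmetric
            allowed = (pkt.src_ip, pkt.src_port) in peers        # exact ip:port must match
        if not allowed:
            return None
        int_ip, int_port = binding["internal"]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def probe(kind):
    """A sends one packet to B, then three inbound packets arrive at A's mapped port.
    Returns which of them the NAT lets through."""
    nat = Nat(FW_IP, kind)
    mapped = nat.outbound(Packet(*USER_A, *USER_B))

    def back(src):
        return nat.inbound(Packet(*src, mapped.src_ip, mapped.src_port)) is not None

    return {
        "peer_same_port": back(USER_B),
        "peer_other_port": back((USER_B[0], USER_B[1] + 1)),
        "third_party": back(USER_C),
    }


def reflexive_address_stable(kind):
    """Does the public ip:port A learned via B (its STUN reflexive candidate) also
    hold when A sends to C? False means srflx candidates fail and TURN is needed."""
    nat = Nat(FW_IP, kind)
    via_b = nat.outbound(Packet(*USER_A, *USER_B))
    via_c = nat.outbound(Packet(*USER_A, *USER_C))
    return (via_b.src_ip, via_b.src_port) == (via_c.src_ip, via_c.src_port)


if __name__ == "__main__":
    for kind in ("full_cone", "address_restricted", "address_port_restricted", "symmetric"):
        print(f"{kind:24} {probe(kind)}  srflx stable: {reflexive_address_stable(kind)}")
```

The last column is the one that matters for media: on the three cone types the reflexive candidate the client learned from the Edge's STUN service is reusable towards other peers, so a direct STUN/reflexive path has a chance; behind a symmetric NAT it is not, and the call lands on the TURN relay.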

External User on Public Internet

External User behind Firewall

All External behind Firewall

External VPN User

SFB through VPN Tunnel

VPN Split Tunnel & Block Ports

Special Media Flow Scenarios: Internal Clients (one way blocked by FW); Internal and External Clients (FW allows to Internet); Tunneling Mode; Optimized Federated Call Path; DNS Load Balanced Edge Pool

Edge High Port Range (diagram): TCP 443 / UDP

Special Scenarios

Edge High Port Ranges in Federated Scenario

Cloud Connector x Office 365 Cloud Connector

ICE - Edge Media Connectivity in Lync

Learn more & Tools:
- Microsoft Office Protocol Documents
- Microsoft Lync Server 2010 Resource Kit
- Microsoft Lync Server 2013 Resource Kit Tools
- Microsoft Lync Server 2013 Debugging Tools
- Microsoft Network Monitor
- Microsoft Message Analyzer
- Network Planning, Monitoring, and Troubleshooting with Lync Server
- TechEd US Recording: Meetings and Media: The Detailed View
- Download RTP.opn to display correct codecs in Message Analyzer

Q&A. Thanks to our sponsors.