The Secrets of Media Flows in Skype for Business


The Secrets of Media Flows in Skype for Business, by Johan Delimon


Johan Delimon idelimon BVBA / johan@delimon.be / @jdelimon / Skype for Business MVP / MCSM Communications / Skype4B Architect

Related session: (SIP) Session Initiation Protocol & (SDP) Session Description Protocol, Microsoft Ignite 2015 (Chicago, US): http://bit.ly/1cq6jXX

Agenda
  SIP Primer
  Configuration & Settings
  SDP Primer
  Internal Only Calls
  External Calls / Cloud Connector

(SIP) Session Initiation Protocol Primer

SIP dialog vs. media: the SIP dialog is the call; the media is just the media. Each leg of the dialog runs the same sequence:
  INVITE (+SDP) linda@contoso.com
  180 Ringing
  200 OK (+SDP)
  ACK
  MEDIA

Session Initiation Protocol: SIP has no secrets (everything is visible). Use client or server logging (Office 365); Snooper is your friend.

Provisioning the SFB Client: In-Band Provisioning

Office 365 Port Configuration for SFB Clients
Service             | Default port range | Default ports | Customized port range | Custom ports | Minimum custom ports | Type
Audio               | 1024-65535         | 64K           | 50000-50019           | 20           |                      | Custom
Video               |                    |               | 50020-50039           |              |                      |
Application Sharing |                    |               | 50040-50059           |              |                      |
File Transfer       |                    |               |                       |              |                      |

(MRAS) Media Relay Authentication Service

(MRAS) Media Relay Authentication Service
  The client does not connect to the Edge; the FE connects to the Edge on TCP port 5062.
  If the FE cannot reach the Edge on TCP 5062, the client shows "Limited External Calling".

Session Description Protocol (SDP)

The SDP carried in the INVITE and in the 200 OK is the description of the media; the SIP dialog is the call, and the media (RTP) is just the media. Each leg of the dialog:
  INVITE (+SDP) linda@contoso.com
  180 Ringing
  200 OK (+SDP)
  ACK
  MEDIA (RTP)

SDP Offer (INVITE): Content-Type application/sdp; the SIP message body is the SDP.

SDP Response (200 OK)

SDP Details (filtered): audio call, encryption & codec priority, candidates, codecs.

Candidates
A candidate is an IP address and port combination to send the media stream to. 3 candidate types:
  Host = endpoint IP
  STUN/Reflexive = public IP of the firewall
  TURN/Relay = Edge server IP
Diagram (ICE client behind a router, Edge in the DMZ, ICE server on the Internet):
  ❶ Host candidate – likely to fail
  ❷ STUN / Reflexive candidate
  ❸ TURN / Relay candidate – Edge relay

Candidates in the SDP: host candidates, STUN / reflexive candidates, TURN / relay (Edge server) candidates.

RE-INVITE & Final Information

Media Flow Scenarios: Internal

Inside Only (No EDGE Server)

Default Media Port Ranges
Skype for Business client (port: 1024):
  Default audio port range 1024-65535
  Default video port range 1024-65535
  Default app sharing port range 1024-65535
  Default file sharing port range 1024-65535
Enterprise pool:
  Default audio port range 49152-57500
  Default video port range 57501-65535
  Default app sharing port range 49152-65535

Custom Media Port Ranges
Skype for Business client (port: 40801 / port: 1024):
  Custom audio port range 50000-50020
  Custom video port range 60000-60020
  Custom app sharing port range 45000-45020
  Custom file sharing port range 30000-30020
Enterprise pool:
  Default audio port range 49152-57500
  Default video port range 57501-65535
  Default app sharing port range 49152-65535

Custom Configuration on the SFB Servers
Service             | Default port range | Default ports | Customized port range | Customized ports | Type
Application Sharing | 49152-65535        | 16383         | 40803-49151           | 8348             | Custom
Audio               | 49152-57500        |               |                       |                  | Default
Video               | 57501-65535        | 8034          |                       |                  | Default

Custom Media Port Ranges
Skype for Business client (port: 40803 / port: 1024):
  Custom audio port range 4000-4020
  Custom video port range 8000-8020
  Custom app sharing port range 5000-5020
  Custom file sharing port range 6000-6020
Enterprise pool:
  Default audio port range 49152-57500
  Default video port range 57501-65535
  Custom app sharing port range 40803-49151

Custom Configuration of the SFB Clients
Service             | Default port range | Default ports | Customized port range | Custom ports | Minimum custom ports | Type
Audio               | 1024-65535         | 64K           | 5350-5389             | 40           | 20                   | Custom
Video               |                    |               | 5390-5429             |              |                      |
Application Sharing |                    |               | 5430-5469             |              |                      |
File Transfer       |                    |               | 5470-5509             |              |                      |

Office 365 Media Port Ranges
Skype for Business client (port: 40803 / port: 1024):
  Custom audio port range 50000-50019
  Custom video port range 50020-50039
  Custom app sharing port range 50040-50059
  Custom file sharing port range 50040-50059
Enterprise pool:
  Default audio port range 49152-57500
  Default video port range 57501-65535
  Custom app sharing port range 40803-49151

Office 365 Configuration of the SFB Clients
Service             | Default port range | Default ports | Customized port range | Custom ports | Minimum custom ports | Type
Audio               | 1024-65535         | 64K           | 50000-50019           | 20           |                      | Custom
Video               |                    |               | 50020-50039           |              |                      |
Application Sharing |                    |               | 50040-50059           |              |                      |
File Transfer       |                    |               |                       |              |                      |

Media Flow Scenarios: Internal with EDGE Server

MRAS / EDGE
  The client does not connect to the Edge for MRAS.
  The FE connects to the Edge to get MRAS credentials and passes them to the client: TCP port 5062 (FE to Edge).
  STUN/TURN/ICE: the Edge = TURN (relays packets only, no termination of media).
  Edge candidates and routing/tunneling.
  MRAS credentials are used to authenticate to the Edge in SRTP packets.

STUN/TURN/ICE Process
  1. MRAS credentials (sign-in)
  2. Candidate discovery (STUN/TURN)
  3. Candidate exchange (SDP)
  4. Candidate connectivity checks (ICE)
  5. Candidate promotion (RE-INVITE)
Preference order: IPv4 before IPv6, direct over relay, UDP over TCP.
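As an added example (not code from the slides): a small Python parser for the a=candidate lines of an SDP offer in RFC 5245 syntax, which then orders the RTP candidates by the preferences listed above (IPv4 before IPv6, direct before relay, UDP before TCP). The SDP fragment, addresses and priorities are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed SDP fragment (RFC 5245 a=candidate syntax); not a capture from a real call.
SAMPLE_SDP = """\
m=audio 50000 RTP/SAVP 114 9 112 0 8
a=candidate:1 1 UDP 2130706431 192.168.10.25 50000 typ host
a=candidate:1 2 UDP 2130706430 192.168.10.25 50001 typ host
a=candidate:2 1 UDP 1694498815 203.0.113.7 50000 typ srflx raddr 192.168.10.25 rport 50000
a=candidate:3 1 UDP 16777215 198.51.100.20 53412 typ relay raddr 203.0.113.7 rport 50000
a=candidate:4 1 TCP 1677721855 198.51.100.20 443 typ relay raddr 203.0.113.7 rport 50000
a=candidate:5 1 UDP 2130706431 2001:db8::25 50000 typ host
"""

CAND_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<ctype>host|srflx|relay)"
)

@dataclass
class Candidate:
    foundation: str
    component: int   # 1 = RTP, 2 = RTCP
    transport: str
    priority: int
    addr: str
    port: int
    ctype: str       # host = endpoint IP, srflx = public IP of the firewall, relay = Edge IP

def parse_candidates(sdp):
    """Return every a=candidate line of the SDP as a Candidate; other lines are ignored."""
    found = []
    for line in sdp.splitlines():
        m = CAND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            found.append(Candidate(d["foundation"], int(d["component"]), d["transport"].upper(),
                                   int(d["priority"]), d["addr"], int(d["port"]), d["ctype"]))
    return found

def preference_key(c):
    """Sort key for the slide's order: IPv4 before IPv6, direct (host/srflx) before relay,
    UDP before TCP; the advertised ICE priority breaks remaining ties (higher first)."""
    return (":" in c.addr, c.ctype == "relay", c.transport != "UDP", -c.priority)

def rank_rtp_candidates(sdp):
    """RTP (component 1) candidates in the order connectivity checks would prefer them."""
    return sorted((c for c in parse_candidates(sdp) if c.component == 1), key=preference_key)
```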

Inside Only with Edge Configured

Inside Only with Servers

NAT Traversal

Full Cone NAT (User A behind the firewall; User B and User C outside)
Source IP / port       | Public         | Destination IP | Destination port
User A IP, User A port | FW IP, FW port | (any)          | (any)

Address Restricted NAT
Source IP / port       | Public         | Destination IP | Destination port
User A IP, User A port | FW IP, FW port | User B IP      | (any)

Address & Port Restricted NAT
Source IP / port       | Public         | Destination IP | Destination port
User A IP, User A port | FW IP, FW port | User B IP      | User B port

NAT Types https://en.wikipedia.org/wiki/Network_address_translation#Full-cone_NAT
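The three NAT behaviours from the tables above, modelled as an added Python example (constructed, not from the presentation): User A behind the firewall sends one packet to User B; then User B (from the same port and from a different port) and User C try to send back through the mapping, and the result shows which of them the NAT lets through. All addresses are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
FULL_CONE = "full cone"
ADDR_RESTRICTED = "address restricted"
ADDR_PORT_RESTRICTED = "address and port restricted"

class Nat:
    """Constructed model of the three NAT types on the slides (not real firewall code)."""
    def __init__(self, nat_type, fw_ip):
        self.nat_type = nat_type
        self.fw_ip = fw_ip
        self.next_port = 40000
        self.table = {}  # (user IP, user port) -> {"fw_port": public port, "peers": contacted}

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating or reusing the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.next_port += 1
            self.table[key] = {"fw_port": self.next_port, "peers": set()}
        entry = self.table[key]
        entry["peers"].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.fw_ip, entry["fw_port"], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated outside->inside packet, or None when the NAT drops it."""
        for (user_ip, user_port), entry in self.table.items():
            if (pkt.dst_ip, pkt.dst_port) != (self.fw_ip, entry["fw_port"]):
                continue
            if self.nat_type == FULL_CONE:          # any source may use the mapping
                allowed = True
            elif self.nat_type == ADDR_RESTRICTED:  # source IP must have been contacted
                allowed = any(ip == pkt.src_ip for ip, _ in entry["peers"])
            else:                                   # source IP and port must both match
                allowed = (pkt.src_ip, pkt.src_port) in entry["peers"]
            return Packet(pkt.src_ip, pkt.src_port, user_ip, user_port) if allowed else None
        return None

def who_can_reach_user_a(nat_type):
    """User A sends one packet to User B; report which replies get back through the NAT."""
    nat = Nat(nat_type, fw_ip="203.0.113.1")
    a_to_b = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.2", 50000))
    attempts = {
        "User B, same port": Packet("198.51.100.2", 50000, a_to_b.src_ip, a_to_b.src_port),
        "User B, other port": Packet("198.51.100.2", 60000, a_to_b.src_ip, a_to_b.src_port),
        "User C": Packet("198.51.100.3", 50000, a_to_b.src_ip, a_to_b.src_port),
    }
    return {name: nat.inbound(p) is not None for name, p in attempts.items()}
```

This is why a host candidate behind an address and port restricted NAT fails unless the peer sends from exactly the address and port User A contacted, and why the Edge relay candidate is the fallback.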

Media Flow Scenarios: External

External User on Public Internet

External User behind Firewall

All External behind Firewall

External VPN User

SFB through VPN Tunnel http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx

VPN Split Tunnel & Block Ports http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx

CQM Tagged Traffic
Element: Media Path - VPN
  Target: 100
  Criteria: VPN stream count. If VPN streams > 1% of external streams: GREEN: VPN streams <= target; YELLOW: VPN streams > target; RED: VPN streams > 2x target.
  Actions: Verify VPN users report poor call quality. Implement alternative options to media over VPN, like split tunneling. Look at Endpoint_2_VPN to gauge impact. Repeat until GREEN and then maintain.
Element: Media Path - Relay
  Target: N/A
  Criteria: Internal relay stream count and NetworkMOS. GREEN: <= 1% of wired P2P streams; YELLOW: > 1% of wired P2P streams; RED: YELLOW and Avg OverallAvgNetworkMOS < 3.5.
  Actions: Identify problematic subnets (look at the TopIssues tab or Endpoint_2_Relay). Remediate firewall configurations preventing P2P media streams. Implement processes to maintain optimal network configurations. Repeat until GREEN and then maintain.
Element: Media Transport
  Target:
  Criteria: TCP stream count and NetworkMOS. GREEN: <= 1% of wired P2P streams; YELLOW: > 1% of wired P2P streams; RED: YELLOW and Avg OverallAvgNetworkMOS < 3.5.
  Actions: Identify problematic subnets (look at the TopIssues tab or Endpoint_3_Transport). Remediate firewall or other network element configurations preventing UDP streams. Implement processes to maintain optimal network configurations. Repeat until GREEN and then maintain.

CQM Problem Sessions (diagram: Edge external ports TCP 443, UDP 3478, 50000-59999)
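The three CQM rules above, applied over constructed stream records as an added Python example (not CQM's own code or output). Record fields and the sample counts are invented; the one assumption is that "Avg OverallAvgNetworkMOS" is averaged over the flagged (relay or TCP) streams.

```python
from statistics import mean

def make_streams(count, **fields):
    """Constructed CQM-style stream records (not real CQM output); keyword args override defaults."""
    base = {"external": False, "vpn": False, "relay": False, "transport": "UDP",
            "wired_p2p": False, "mos": 4.2}
    return [dict(base, **fields) for _ in range(count)]

# Constructed sample: 200 healthy wired P2P streams, 50 external streams, a few relayed
# and TCP streams with degraded OverallAvgNetworkMOS.
STREAMS = (make_streams(200, wired_p2p=True) + make_streams(50, external=True)
           + make_streams(5, relay=True, mos=3.8) + make_streams(4, transport="TCP", mos=3.0))

def rate_vpn(streams, target=100):
    """Media Path - VPN rule: only evaluated when VPN streams exceed 1% of external streams."""
    external = [s for s in streams if s["external"]]
    vpn_count = sum(1 for s in external if s["vpn"])
    if vpn_count <= 0.01 * len(external):
        return "GREEN"
    if vpn_count > 2 * target:
        return "RED"
    return "YELLOW" if vpn_count > target else "GREEN"

def _rate_against_wired_p2p(flagged, streams):
    """Shared Relay/Transport rule: share of flagged streams vs. wired P2P streams, then MOS."""
    wired_p2p = sum(1 for s in streams if s["wired_p2p"])
    if len(flagged) <= 0.01 * wired_p2p:
        return "GREEN"
    # Assumption: the slide's "Avg OverallAvgNetworkMOS" is averaged over the flagged streams.
    return "RED" if mean(s["mos"] for s in flagged) < 3.5 else "YELLOW"

def rate_relay(streams):
    """Media Path - Relay rule: internal streams that went through the Edge relay."""
    return _rate_against_wired_p2p([s for s in streams if s["relay"] and not s["external"]], streams)

def rate_transport(streams):
    """Media Transport rule: streams that fell back to TCP instead of UDP."""
    return _rate_against_wired_p2p([s for s in streams if s["transport"] == "TCP"], streams)

def cqm_report(streams):
    """Rating per CQM element for one set of stream records."""
    return {"Media Path - VPN": rate_vpn(streams),
            "Media Path - Relay": rate_relay(streams),
            "Media Transport": rate_transport(streams)}
```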

Special Media Flow Scenarios
  Internal clients (one way blocked by FW)
  Internal and external clients (FW allows to Internet)
  Tunneling mode
  Optimized federated call path
  DNS load balanced EDGE pool with NAT

EDGE High Port Range: TCP 443, UDP 3478, 50000-59999

Different EDGE Pool Associations (each Edge pool: TCP 443, UDP 3478, 50000-59999)

DNS Load Balanced EDGE Pool with NAT (each Edge: TCP 443, UDP 3478, 50000-59999). The firewall MUST allow hairpin: public IP to public IP.

Edge High Port Ranges in Federated Scenario

OPCH: Split Domain Hybrid

Cloud Connector (diagram): Cloud Connector 192.168.0.228; Office 365 84.192.185.170, 100.64.64.140, 100.64.64.145, 66.198.181.71, 134.170.115.x, 100.64.64.141

Office 365 with Proxies: Skype for Business Online, Microsoft Network

Office 365 Network: Skype for Business Online, Global Microsoft Network (NOAM, EMEA, APAC)

Network performance requirements to connect to Skype for Business Online The following diagram illustrates one-way audio flow in a conference from one Skype for Business participant to another.

Network performance requirements to connect to Skype for Business Online: the following diagram shows the breakdown of components and network segments of a Skype for Business Online PSTN call.

Network performance requirements from your network Edge to the Microsoft network Edge
Metric                      | Target
Latency (one way)           | < 30ms
Latency (RTT)               | < 60ms
Burst packet loss           | < 1% during any 200ms interval
Packet loss                 | < 0.1% during any 15s interval
Packet inter-arrival jitter | < 15ms during any 15s interval
Packet reorder              | < 0.01% out-of-order packets

Network EDGE to O365: Skype for Business Online, Microsoft Network

Network performance requirements from a Skype for Business client to the Microsoft network Edge
Metric                         | Target
Latency (one way)              | < 50ms
Latency (RTT, round-trip time) | < 100ms
Burst packet loss              | < 10% during any 200ms interval
Packet loss                    | < 1% during any 15s interval
Packet inter-arrival jitter    | < 30ms during any 15s interval
Packet reorder                 | < 0.05% out-of-order packets

SFB Client to O365: Skype for Business Online, Microsoft Network

Updated IP & Port Ranges
Purpose                                  | Source / Credentials             | Source port                                                              | Destination                               | Destination port
Required: Audio, Video & Desktop sharing | Client computer / Logged on user | TCP/UDP 50000-50019, TCP/UDP 50020-50039 & TCP/UDP 50040-50059           | *.lync.com, Skype for Business IP ranges  | TCP 443; UDP 3478, 3479, 3480 & 3481; TCP/UDP 50000-59999

Updated IP ranges and ports for Skype for Business Online: https://techcommunity.microsoft.com/t5/Skype-Operations-Framework-Skype/Updated-IP-ranges-and-ports-for-Skype-for-Business-Online/ba-p/47470
"Skype for Business Online has a significant infrastructure, so while we have started with these changes, it will take some time to be completed. We strongly recommend opening the IP subnets and ports today, to avoid any negative impact to connectivity. New ports: While this might take a little bit more time than the new IP ranges, we will leverage the following ports for media traffic in addition to the existing ports: UDP 3479, UDP 3480, UDP 3481."

Media Flows in SFB & ICE: Edge Media Connectivity in Lync 2013
  https://channel9.msdn.com/events/Lync-Conference/Lync-Conference-2014/NETW401
  https://channel9.msdn.com/Events/Ignite/2016/BRK4007

Learn more & Tools
  Microsoft Office Protocol Documents
  Microsoft Lync Server 2010 Resource Kit
  Microsoft Lync Server 2013 Resource Kit Tools
  Microsoft Lync Server 2013 Debugging Tools
  Microsoft Network Monitor
  Microsoft Message Analyzer
  Network Planning, Monitoring, and Troubleshooting with Lync Server
  TechEd US recording: Meetings and Media: The Detailed View
  Download RTP.opn to display correct codecs in Message Analyzer
