Plan and configure Hybrid Voice in Skype for Business and Office 365–Ignite 2017 Summary

An oldie but definitely a goodie from Ignite 2017 presented by Nikolay Muravlyannikov and Carolyn Blanding. I Stumbled across this session and thought ive write up a summary on the session.

Keep in mind this is Hybrid Voice with Skype for Business and not Teams and was presented before Microsoft Teams Direct Routing was announced. For more info on Direct Routing check it out here


This is a session presented at Ignite by Nikolay Muravlyannikov Senior Program Manager in SfB and Carolyn Blanding Senior Supportability Program Manager.

Session can be found here


Starts with raise of hands for Hybrid Voice and also Nikolay asks if anyone is interested in Hybrid Voice for Teams and seems there was no hands raised and then Nikolay mentions this wont be covered in this session.

Lets start with quick intros from the speakers


Works with TAP customers and provide feedback to developers, Big thanks for feedback from TAP customers and program participants.


delivers telephony services for SfB and Microsoft Teams.

Session Objectives – Lets set the expectations for the session


This session is built in mind that the product has been to market for over 1 year now. How its different from session presented last year.

  • Product more than 1 year to market
  • well over 1000 active deployments
  • Practical stuff from what has been learned over the last years from Microsoft and partners

This session will cover practical stuff and how hybrid voice can be relevant and migration paths from pbx to phone system based on real examples, review architectures and experiences.

If your deploying first time you should be well equipped with this session.

Briefly touch on Hybrid voice options for teams but not in details. Next year go deeper in hybrid voice for teams.

Start with overview and then go deeper into Hybrid Voice


Lets start with Common telephony terminology , this would be used across traditional pbx platforms, cisco / avaya etc


  • PSTN  – Global network of global interconnected wires that delivers telephony calls
  • PBX or Phone System – connects phone within company and provide calling features, Group call, team calls etc
  • Trunk – Telephony line to connect PBX to PSTN, TDM or SIP
  • SBC – provide routing and protection for SIP based telephony, benefits deliver on the same wire as other traffic, internet or private, can be firewall or router. Do security inspection, DDOS, translate different protocols. Good book on SBCs from Microsoft Partner Sonus called SBC for dummies.
  • PSTN Gateway – serves as router but not as security.


Two separate PBXs

  • on premises – Enterprise Voice, Lync Server 2010, 2013, SfB 2015. Trunk must be customer provided and connected to servers direct or via certified SBC / gateway.
  • Cloud – SfB Online, PBX is now called Cloud PBX after Sept 2017 its called Microsoft Phone System

Two options for telephony

– Buy SIP trunk (Calling Plans) from Microsoft and Microsoft provides your Phone system. You port your telephone numbers to Microsoft or buy new numbers. You buy Microsoft Phone system with Calling Plans. (previously known as PSTN Calling)

– Connect your own Trunk via your own SBC/Gateway which is paired to Microsoft Phone System using SfB Server 2015 or Cloud Connector Edition (CCE) this is hybrid voice!

Hybrid voice allows you to connect your own trunks to Phone System.

2nd important part of Hybrid voice is interoperability !!


This is where we need to interop with existing systems / devices such as contact centres or analog devices! Pagers, lift phones, factory phones, fax etc.

Microsoft couldn’t provide functionality that your current Contact centre has such as skilled based routing then you can keep Call centre and use Hybrid Voice and keep contract centre users on premises and move other users.

Hybrid Voice


This slide show i can deliver voice on net without touching the PSTN network. So calls between SfB users and third party pbx’s are routed via the SBC and not the PSTN.


Avaya, Cisco, Mitel PBX examples

imageStarting Point is the PBX

imageConnected via SBC (or directly without SBC is an option as well) to the PSTN Network (For Migration an SBC is recommended)

imageInbound route for assigned telephone numbers to your PSTN (SIP Trunks / ISDN), these all route to SBC then SBC route to PBX.

imageThe PBX owns a range of numbers for all users and device types. ( This is a common setup for customers)

How to more to Microsoft Phone System and do gradual migration ?


You connect same SBC to Microsoft Phone System, you need to deploy either CCE if new custoemr or existing confoigure your SfB Server Pool.

Next change voice routing on SBC so telephone numbers route to SfB and not PBX and move users to Phone System, im not porting numbers in this scenario.


Deploy SfB client or phones, create new route on SBC/gateway and now send to CCE / SfB Server and then onto Microsoft Phone System.

Migrate 10 users then another 10 then 1000 users this is gradually migration and again minimise PBX footprint.

Some services i can also move from the PBX such as analog devices and connect to SBC via Analog Terminal adaptors from AudioCodes / Sonus now Ribbon)


then move the analog devices to the ATA and update the SBC routing to route analog devices to the SBC and then to ATA.


Then remove analog numbers from PBX and that leaves only the call /contact centre numbers with skilled based routing.

You have minimised the footprint of the PBX and should reduce costs


Architecture and Traffic Flow



The traffic from SBC must be trusted for Phone System

Pair on premises Edge with Online Edge and keep media local.


Pairing – CCE is made up of 4 virtual machines and is a scripted deployment. By deploying CCE one of the lines in the .CloudConnector.ini file is specify from which IP the traffic to this mediation server from this ip the traffic is trusted we can use TCP or TLS, Mediation server now trusts SBC via Edge to O365. This can also be a Skype for Business Server 2015 deployment as well.

CCE is to setup hybrid relationship and where teh trusted edge is.

Now the trusted relationship for the SBC and the cloud is complete.

Second reason for devices on premises is keep media local


First lets look at Media flow

here we have Mediation server and edge server, CCE or full pool, SBC paired to PSTN network on left side.


User places call to +431610640, the call goes to Phone System (Cloud PBX) for reverse number lookup and check does that number exist to any SfB users ?


1000 users likely to have 100 on concurrent calls for PBX

moving to skype you would see reduced to 1/10 instead of 1/100 by doing RNL it can save on number of PSTN trunks.

If RNL matches a number then it converts the call from PSTN to VOIP and starts runing


If no match with RNL then next step is to check the user voice policy.

If the users voice policy is BusinessVoice then route via Calling Plans (Microsoft PSTN)


If its matchs Hybrid Voice and route to Hybrid Voice Edge


route to Hybrid Voice Edge


Edge Server to Mediation


This is still SIP Signalling an we get the media candidate of the SBC

get media candidate, mediation server checks client internal or external and its where media bypass will come into play


The way its checks direct is a special webservice and get a bypass id and if client id can query it its internal and if its not then its external. If client can not provide bypass id its treated as external.

Also for media bypass we have to check the SfB client version, if not bypass


If condition matches then we provide the direct candaiate of SBC.



Media goes direct to SBC and onto PSTN. New feature and save on number of mediation server


support up to 500 sim calls on one mediation if not media bypass. If media bypass it depends on number of clients using the supported media bypass client version 16.0.7870.2020 or above!

Mac not supported on SfB mac or mobile client or users outside on internet, these user types and where and how connecting would mean how much hardware / no of mediation servers you need.



If no media bypass the process is simple, client is not on supported SfB Client version, two ip addresses are provided to the client, the internal IP of mediation server and external ip of Edge server

image > image

SfB client does connectivity to both IPs, if client can reach mediation then the call will go mediation server > SBC > PSTN

the other address would be the external edge server address if cant connect to internal mediation server ip, one example be windows SfB client on non supported client version for Media Bypass


What if client is external and is connection outside of the internal network.


We provide two ip address as candidates to the external client


client will check internal ip of mediation serfer and fail and check external of edge and be successful and media will go client > Edge > Mediation > SBC > PSTN


When planning number of CCEs or SfB Pools you need to consider media bypass and number of version that can support and how many maybe external or internal.

So this is the call flow now lets talk about CCE, CCE is four VMs and can support up to 16 CCEs per pstn site , a pstn site is a logical combination or association of to users to a cce that associated an sbc location.

For example i build CCE for Amsterdam SBC and build SBC for Seattle and associate users to a pstn site either Amsterdam or Seattle


This is basic media flow and will help you plan and dont forget about media bypass and no of users that cant use media bypass.

Architecture and Migration Path


Real life example


CCE is each location, Vienna site is shown above as single site but there could be 30 sites in total, if in each and every site theres an SBC you build two CCEs per site, two sbcs and two PSTN for redundancy. There is no other survivability options.

So that works and provide HA but its not best option for customers with large number of sites, 30 sites, two CCEs per site, licencing for Windows. Sonus and AudioCodes provide CCE as an appliance and can help reduce price but still expensive in price and management. Mixed review on this setup.

Fortanuately what we ended up doing at the same time is centralising the number of SIP trunks, most customers want to centralise sip trunks and not have 200 gateways and bring sip trunks in one or two locations.


Just need couple of SBCs and use internal Wide Area network to route traffic to / from datacentres, you deploy CCE and this option helps save money on hardware deployed in branches.


Before we centralised we used to have PBX in each and every location and manage them. We centralised everyting in two cities and removed 12 pbx and sbc’s.

THis case works for a lot of customers and most effective solution for CCEs. You need make sure your WAN connectivity can route PSTN traffic. PSTN goes to PSTN > SBC > WAN > Client.


But there’s also countries where centralising sip trunk is not an option this is mostly regulatory

We still deploy centralised CCE but with decentralised SIP trunks, Here we keep local gateway in local countries but it will transverse the WAN two times


Go to centralised CCE and then to local gateway. This helps to preserve local connectivity and save on CCEs, but requires to transverse WAN two times.

To summarise we review Microsoft telephony solutions, understand call flow and considerations to keep in mind for CCE with media bypass and typical scenarios.

Hybrid voice story for teams, current story is deploy something from Microsoft and we hear feedback and we need CCE for two reason and for Microsoft Teams we used different authentication and use this chance to remove elements. Moving to Teams we will introduce private connection to Teams via SBC. All SBCs with CCE you can connect to Teams. more details next year. Dont panic !

This wasn’t in the Ignite session but was recently announced 12th March 2018 and is called Direct Routing for Microsoft Teams here some details


back to the ignite session now.


first lets look at terminology


OPCH – means using SfB Server 2015 software on premises

CCE – using Cloud Connector Edition and this is the software edition running on premises


We still misconfiguration during setup and then management issues


Certificate Configuration – Almost always the certificates

SAN name missing for supported sip domain. SIP SAN is used for authentication. must be used. Import tools for CCE check this.

Alot of issues is the certificate train is not trusted or key is missing and causes issues.

The CCE Edge services can not start.

One tip is use the digicert window certificate utility! I use this. request and process certificate on the same machine.

Once you have valid certificate you need to import it


second to certificate we see firewall and proxy issues



Host server needs to talk to the internal VMs and does this via powershell session, if host is blocked and scrpts wont run and we will see CCEs cant connect to the VM becuase something is blocking it.

90% of the time a proxy server is the way and there isn’t expectations.

We need to add the CCE management subnet and corporate subnets to the proxy Winhttp bypass list use netsh to do that.


Call out here! we need to corporate network switch v2 or higher.

The methodology before over management switch caused issues and this was connected and disconnected not this is corporate switch.

Sometimes no ip address range on network adaptor on the same IP as the corp network. Network adaptor assigned to corporate switch needs an ip address to ensure routing.


Office 365 tenant config

for OPCH we have the hybrid wizard today has reduced concerns.

Slide is broken here Carolyn says


Missing mediation server settings in Office 365 for CCE. Online needs to understand how to route on prem.

P 2 P call escalate to PSTN call escalation

this is caused by a missed step.

Create hybrid mediation server configuration on the tenant for every mediation server we deploy for CCE.

Use this cmdlet to confirm. Always run and check this is configured for mediation servers in your Office 365.

Client logs would show 404 error.


P2P to PSTN call escalation also fail is shared sip address is set to false this must be set to true!


Quite a few things can go wrong with DNS

Deck include impacts and diagnostics.

This one is big when Edge server cant resolve SRV


Let talk about the flow

We have inbound call from PSTN to mediation server and the call is for and hits edge server and edge needs to look up sip federation srv record if it cant resolve it and wont know how to route the call. It fails a lot as Edge cant resolve external DNS.

you can use pinpoint DNS now.

504 server timeout will be displayed



This hit a large customer running alot of CCE in centralised deployment, all was fine and feedback was it works !

next day outbound calling failing for all users

Onboarding more users to CCE, then they added a new CCE appliance and outbound calls were failing

they missed updating topology with the new appliance

Next one


Customer added deep packet inspection on external firewall for edge server


For CCE we encrypt local cache passwords with admin password of the admin user account that was signed in when CCE was deployed. if that password changes we cant decrypt the file.


if we miss updating topology outbound calls will fail because edge server cant reach mediation server.

Edge server cant route the call as every edge server in CCE must be able to route to every mediation server and it must know about them.  Every server needs to know about every server in the topology.


Stretched pool not recommended or supported across different subnet and can see this problem with routing.


if inbound calls are to fail but outbound work its because edge server tries to connect to Office 365 and cant complete ssl handshake as tls traffic is blocked by deep packet inspection.

check by browsing to url from edge server if you don’t get certificate pop it means its being blocked.


User configuration issues – large customer expanding hybrid voice and new users online and how to get users online


Here we have an OPCH user on premises using Enterprise Voice

Move them to online

Dial pad missing and inbound not working.

their line uri is missing because we need to Enterprise Voice enable them and phone number is synced online, but this needs

Needs to be ran for OPCH users or CCE users to sync the phone number


LineURI must be E.164 or calls will fail


If outbound calls are failing there a voice policy needs assigning.

Only available via Management Shell.


wrap up.

Cloud PBX is now Microsoft Phone System

PSTN Calling is now Calling Plans


Q and A

Excited option to direct SBC to Teams

on Roadmap no details.

Why wasn’t this done before ? why CCE? a redesigned back end was required.


Question – TSP raising concern on existing deployment.

SBC with CCE should no be deployed in new solutions, all deployment should include OPCH ?

Why ?

Any likely hood SBA would be supported ?

Looking at some option but nothing certain. Redudant internet connection


CCE on Hyper V, supported for other platforms ?

Require support from vendors, microsoft own Hyper V and SfB.

If third party change media stack.


Regarding Migration of numbers out of order ?

– migrate 20 users from range 1000 –2000 but are not sequentially.

1. voice route for every number but sbc may have limited

2. Two voice routes on SBC, before you route go and query Active Directory

SBC caches info from AD so doesnt query each time.

Some SBC have text routes stored on SBC in csv.


No option to directly connect sip trunk to CCE ?

You can have direct certified SIP provider to CCE.


Media bypass – do you have to Microsoft certified SBC to support it ?

Qualified list of SBC is required.


Status on Call Queues for CCE ?

Release for hybrid voice later.

*** this is released now *****


In order to have SBC we need to disable deep packet inspection ?

Recommend to be disable on firewall for edge server.

SBC has a firewall built in, SBC provide firewall like functionality.


Plans for support for SBC in Azure

Azure not designed for real time traffic


Customer EV on Lync Server 2013, do we go 2015, 2019 or Teams ?

Option 1 – wait for Teams

Option 2 – change delivering services on prem to online. SfB On prem or Online, requires network planning.

Go to SfB Online now and when Teams and you are ready then move to Teams

Buy SBC now and more to Teams

Investments in on premises with SfB may be more than CCE!


Interop Skype with Teams – would SfB 2015 provide interop for chat with Teams



Existing client for SfB, alot of office in different countries, looking for voice solution?

Apart from licencing, do we need to configure global connectors on tenant or go at country level.

Depends on country level, stop by booth and we can look at it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.