How can I bypass the edge server requirement for external access?

  • Question

  • My service provider did away with static IP addresses and I've been struggling to make things work; I deployed a cloud-hosted server to make a site-to-site tunnel straight to the local edge server and still I had no luck making it work. We connect over rock-solid fiber that can go for months without changing address, and when it does, Cloudflare updates DNS in seconds. Nevertheless it's still dynamic and Skype won't take only an FQDN.

    Even before that, when I could do it locally I couldn't make it work, the documentation is very confusing and ambiguous regarding the network setup. Even the planning tool is confusing.

    Using individual VPNs we can connect to the intranet to use the Front End, but it kills batteries much faster. Furthermore, our PBX, which coincidentally also does IM and video, is the one that manages phone calls for Skype for Business to begin with AND it can be reached from outside without special proxies, tunneling or heavy firewalling, and it's content with only an FQDN to work. The only reason we got the [discounted but still] ridiculously expensive licensing for Skype back when we got it was because it uses Active Directory.

    Back then it was no big deal because people sat at computers more often, where Skype does better, but now people barely use even laptops anymore; smartphones are the most obvious way to use Skype and we can't.

    How can I make the Front End work thinking clients are in a single zone no matter where they are? Can I just publish the internal DNS records and open all the necessary ports? I have an extra IP (dynamic too) that I could use just for Skype. I can put it into a DMZ and if it gets hacked so be it--I can always restore a snapshot. Would it work or is there something so special about the Edge that's so important to use it?

    Or, can I do something like adding NAT to incoming connections to trick Skype into thinking the traffic is internal? Could that work?

    This is Skype for Business 2015, the very early CUs, later CUs always broke access to it.

    Thanks.


    I bet you think this post is about you. Don't you…don't you. ♪

    Sunday, February 2, 2020 4:43 PM

All replies

  • Hi zvita!

    According to your description, do you mean you want to deploy mobility for Skype for Business Server?

    Based on my knowledge, you need to create an internal DNS record to support mobile users who're connecting from within your organization's network and an external (or public) DNS record to support mobile users who're connecting from outside your organization.

    The following diagram illustrates the flow of mobile application web requests for the Mobility Service and for the Autodiscover service when using an internal and external DNS configuration.


    Besides, we also recommend you deploy Edge Server in your topology. There are four services that comprise Mobility for Skype for Business Server: UCWA, Mcx, Autodiscover service and Push notification service. An Edge Server is required for this functionality.

    You can learn more about how to plan, deploy and configure mobility for Skype for Business server as the following links:

    https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/mobility

    https://docs.microsoft.com/en-us/skypeforbusiness/deploy/deploy-and-configure-mobility

    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Monday, February 3, 2020 5:40 AM
  • Hi,
    I am checking the status of this case. Please let us know if you would like further assistance.
    Meanwhile, if the reply is helpful to you, please try to mark it as an answer to close the thread, it will help others who encounter the same issue and read this thread.
    Thank you for your understanding and patience!

    Best Regards,
    Jimmy Yang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, February 11, 2020 11:10 AM
  • Sorry for the delay. New Answer notifications don't arrive for some reason.

    Anyway… I get what the Edge does…to some extent. The problem is that it asks for static IP addresses which I don't have. I can tunnel one from a cloud-hosted firewall but latency skyrockets.

    Is it possible to deploy the Edge Server with both interfaces being internal IP addresses (telling it not to NAT, or telling it the NATted address is an RFC1918-type address) and let the firewalls handle the rest?

    Basically push the Edge more to like, the middle, if that makes sense.

    The local PBX, which is a regular SIP server, only uses DNS, doesn't need to know its public address and doesn't need TURN. I have full-cone NAT but it's fine without it too. Why can't Skype do the same?

    Is there really nothing to be done? Does Skype really hardcode the addresses in every packet? With so much bridging and jumping around from server to server, loose rules about CNAME vs A records and routing traffic via open-ended gateway-less interfaces it doesn't seem so, so it's rather frustrating that in a place where there's most likely to be a wildcard on many environments/deployments, a constant is needed.

    I get that Microsoft focuses on the big buildings out there, but good enterprise software should not only be able to scale up but also scale down. SharePoint, Exchange, SQL Server, SCVMM, Skype and even Hyper-V still needing a disk to boot: they all share the same flaws…at least on this generation, 2015. :(


    I bet you think this post is about you. Don't you…don't you. ♪

    Wednesday, February 12, 2020 8:16 AM
  • Hi zvita,

    Based on my knowledge, Microsoft now provides only two options for Edge Server. You can directly configure the public IP address for Edge Server, or you can configure a private IP address for the three external services and then use NAT to translate to a public IP address.

    However, this does not mean that other plans are not feasible. Since we have not passed the official certification test, we are not sure whether it will affect the implementation of the function.

    Thanks for your understanding and patience. If there are any updates on this case, please contact us.

    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Friday, February 14, 2020 8:48 AM
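The two supported Edge shapes described in the last reply (public addresses bound directly on the external interface, or RFC 1918 addresses on the external interface with a public NAT address for each of the three external services) and the split internal/external DNS records from the first reply can be checked against a planned topology before anything is built. The script below is an added example, not code from the thread or from Microsoft; the service names are the three Edge external services (Access Edge, Web Conferencing Edge, A/V Edge), while the field names, the `example.com` hostnames and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 ranges, checked explicitly rather than through ip_address.is_private
# so the result does not depend on which Python version defines "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class EdgeService:
    """One Edge external service. Field names are this example's own, not product settings."""
    name: str
    listen_ip: str                        # address bound on the Edge external interface
    nat_public_ip: Optional[str] = None   # public address the firewall translates to, if NAT is used


# The three external services an Edge Server publishes.
EDGE_SERVICES = ("Access Edge", "Web Conferencing Edge", "A/V Edge")


def validate_edge_plan(services: List[EdgeService]) -> List[str]:
    """Return problems with the plan; an empty list means it fits one of the two supported shapes."""
    problems: List[str] = []
    present = {s.name for s in services}
    for name in EDGE_SERVICES:
        if name not in present:
            problems.append(f"{name}: no external address planned")
    for s in services:
        if is_rfc1918(s.listen_ip):
            # Private external interface is allowed only together with a public NAT address.
            if s.nat_public_ip is None:
                problems.append(f"{s.name}: private listen address {s.listen_ip} with no NAT public address")
            elif is_rfc1918(s.nat_public_ip):
                problems.append(f"{s.name}: NAT address {s.nat_public_ip} is itself RFC 1918; "
                                "remote clients would be handed an unreachable address")
        elif s.nat_public_ip not in (None, s.listen_ip):
            problems.append(f"{s.name}: public listen address {s.listen_ip} but a different NAT address "
                            f"{s.nat_public_ip}")
    return problems


def published_addresses(services: List[EdgeService]) -> Dict[str, str]:
    """Address each service is reachable at from the Internet (NAT address if present, else listen)."""
    return {s.name: (s.nat_public_ip or s.listen_ip) for s in services}


def validate_external_dns(records: Dict[str, str], services: List[EdgeService]) -> List[str]:
    """Flag external-zone A records that point at the Edge's inside address or any RFC 1918 address.

    This is the mistake of simply publishing the internal DNS records to the public zone."""
    inside_only = {s.listen_ip for s in services
                   if s.nat_public_ip is not None and s.nat_public_ip != s.listen_ip}
    problems: List[str] = []
    for host, addr in records.items():
        if addr in inside_only:
            problems.append(f"external zone: {host} -> {addr} is the Edge's pre-NAT address, "
                            "publish the NAT public address instead")
        elif is_rfc1918(addr):
            problems.append(f"external zone: {host} -> {addr} is RFC 1918 and unreachable from the Internet")
    return problems


if __name__ == "__main__":
    # Constructed plan: private external interface plus NAT, the second supported shape.
    plan = [
        EdgeService("Access Edge", "10.1.2.10", "203.0.113.10"),
        EdgeService("Web Conferencing Edge", "10.1.2.11", "203.0.113.11"),
        EdgeService("A/V Edge", "10.1.2.12", "203.0.113.12"),
    ]
    print(validate_edge_plan(plan))
    # Constructed external zone with one record copied from the internal zone by mistake.
    external_zone = {"sip.example.com": "203.0.113.10", "lyncdiscover.example.com": "10.1.2.10"}
    for line in validate_external_dns(external_zone, plan):
        print(line)
```

Run it on the planned addresses before opening firewall ports: every line it prints is a record or interface that remote clients would be handed and could not reach.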