Not supported by SBC SWe Lite in this release.
You must follow these steps completely and in the order shown. Failure to do so increases the risk of node failure.
In this section...
SBC Edge supports new deployment with CCE 2.1.0 in Release 6.1.5.
Before this release, if your CCE auto-updates to CCE 2.1.0:
For details on troubleshooting, see Troubleshooting Cloud Connector 6.1.2.
The following diagram shows typical CCE deployment scenarios on a PSTN site. The PSTN site is a combination of Cloud Connector instances, deployed at the same location, and with common PSTN gateways pool connected to them. PSTN sites allow you to:
Provide connectivity to gateways that are closest to your users.
Allow for scalability by deploying multiple Cloud Connector instances within one or more PSTN sites.
Allow for high availability by deploying multiple instances of Cloud Connector within a single PSTN site.
CCE Deployment Scenarios
Scenario 1 and Scenario 2 are covered in Configuring the SBC Edge for a Single CCE. This document contains steps for Scenario 3 and Scenario 4 .
A public domain name prepared and mapped with your Office 365 tenant (for example, "mydomain.com"). See Create an Office 365 Tenant. |
An entry on your public domain name that points to the fixed IP address of your SBC Edge (for example, myccesite1.mydomain.com" with an IP address of "nn.nn.mm.nn"). |
An Office 365 tenant with an E5 license or E3 + Cloud PBX. |
You must have the Global Administrator role for your O365 tenant account. |
A public certificate authority ready to sign a certificate for the SBC Edge. Important! Read the steps outlined in Certificate Requirements at Microsoft Technet. |
A properly configured firewall. See Ports and Protocols at Microsoft Technet. |
MANDATORY!
Latest System Release SBC Firmware and SbcComms Firmware Important!
|
Microsoft Cloud Connector Edition image on ASM recovery partition. |
We recommend deploying both Appliances on the same subnet with a resilient connection.
For the purposes of this document, the CCE is deployed in the following network:
Typical Deploments
In this best practice the router/firewall is configured with the following rules:
Internal Firewall Rules for CCE
Source IP | Destination IP | Source Port | Destination Port |
---|---|---|---|
Cloud Connector Mediation component – 192.168.210.123 & 192.168.210.117 | Internal clients | TCP 49 152 – 57 500* | TCP 50,000-50,019 (Optional) |
Cloud Connector Mediation component – 192.168.210.123 & 192.168.210.117 | Internal clients | UDP 49 152 – 57 500* | UDP 50,000-50,019 |
Internal clients | Cloud Connector Mediation component – 192.168.210.123 & 192.168.210.117 | TCP 50,000-50,019 | TCP 49 152 – 57 500* |
Internal clients | Cloud Connector Mediation component – 192.168.210.123 & 192.168.210.117 | UDP 50,000-50,019 | UDP 49 152 -57 500* |
External Firewall Rules for CCE
Source IP | Destination IP | Source Port | Destination Port |
---|---|---|---|
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | Any | TCP 5061 |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | Any | TCP 80 |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | Any | UDP 53 |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | Any | TCP 53 |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | TCP 50,000-59,999 | Any |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | UDP 3478 | Any |
Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | UDP 50,000-59,999 | Any |
Any | Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | TCP 5061 |
Any | Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | TCP 443 |
Any | Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | TCP 50,000-59,999 |
Any | Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | UDP 3478 |
Any | Cloud Connector Edge External Interface – 192.168.211.81 & 192.168.211.86 | Any | UDP 50,000 - 59,99 |
Host Firewall Rules - Internal or External Access
Source IP | Destination IP | Source Port | Destination Port |
---|---|---|---|
ASM | Any | Any | TCP 53 |
ASM | Any | Any | TCP 80 |
ASM | Any | Any | TCP 443 |
Make sure that CCE FQDN is resolving to the SBC Edge Public IP address. To do so, login to your DNS server and create the relevant entries.
Update the SBC Edge firmware to the latest release version.
Sonus recommends starting with a clean and empty configuration.
Ensure That the Node's FQDN is Correct
When configuring a secondary SBC Edge in your environment, make sure to have the secondarySBC Edge network interface is configured accordingly to be able to reach out to CCE's internal/corporate network.
If your ASM has been used previously, reinitialize it following the steps in Re-Initializing the ASM.
Confirm that the ASM is ready to deploy the CCE by following these steps.
Perform these steps on both SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of the SBC Edge. |
2 | Click the Task tab, and then click Operational Status. |
3 | Verify that:
|
4 | Change the ASM Admin password:
|
Deploying the CCE on the SBC Edge consists of two steps:
Perform these steps on both SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Navigate to Tasks > Setup Cloud Connector Edition. |
3 | Click the ASM Config tab and configure/verify the Network and IP settings of your ASM as shown below. |
4 | Click Apply. After receiving the activity status as successfully completed, click the Generate CSR tab. |
Configuring the ASM – CCE-1
Configuring the ASM – CCE-2
This process is required only if you don't have a public certificate for your deployment. If you already have a certificate, proceed to Import Certificate.
Perform these steps on only one of the SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of one of the SBC Edge systems. |
2 | Navigate to Tasks > Setup Cloud Connector Edition > Generate CSR. |
3 | Generate the CSR as shown below with following information. Note: This example uses aepsite1.sonusms01.com and sip.sonusms01.com as common name and SAN To ensure creating a valid CSR for Cloud Connector Edition usage, please see the section "Certificate requirements" on https://technet.microsoft.com/en-us/library/mt605227.aspx . |
Generate CSR
Perform these steps on both SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Navigate to Tasks > Setup Cloud Connector Edition and then click the Certificate and Key tab. |
3 | On SBC-1, click the Action drop-down list and select the appropriate option:
On SBC-2 select the certificate action applicable. For example, use Import PKCS12 Certificate and Key to import the pkcs certificate you exported on SBC-1, enter the password, select the relevant certificate file. |
4 | Click OK. |
5 |
|
Perform these steps on both SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Open the Tasks tab and click Setup Cloud Connector Edition in the navigation pane. |
3 | Click the Configure CCE tab. |
4 | Configure all necessary information and then click OK.
Configuring the ASM – CCE-1
Configuring the ASM – CCE-2
Note: Enter the ASM's IP address in the HA Master IP Address field. The Slave uses the same root certification as the Master, and this location contains the shared folder that contains the Root CA of the Master. |
5 | After receiving the activity status as successfully completed, click the Prepare CCE tab to continue. |
You must verify (and possibly correct) the CCE Configuration INI File after configuring the CCE.
When deploying a High Availability (HA) systems, it is important to have Management IP Prefix unique on each HA system. For instance, if your HA Master CCE system has 192.168.213.x as the Management IP Prefix, you need to be sure to configure this attribute differently on HA Slave system. While doing this, also make sure that subnet that you are defining in this field does not conflict in your IP infrastructure.
Perform these steps on both SBC Edge systems.
Follow these steps to verify and correct values in the CCE Configuration INI File.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Click the Configure CCE tab and then click Click to re-configure CCE application. |
3 | Click OK on the popup dialog box. |
4 | Click the Raw (INI) Config drop-down list, and select an option:
|
5 | Verify/correct the values in the CCE Configuration INI File and then click OK. |
Perform these steps on both SBC Edge systems.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Open the Tasks tab and click Setup Cloud Connector Edition in the navigation pane. |
3 | Click the Prepare CCE tab. |
4 | Click the Prepare CCE button. A confirmation will request you to enter the password again for the new password. Only the Tenant credentials are already existing. The same password should be used on all Appliances in the site. Click OK as shown below. |
5 | To complete the deployment, continue with Activating the CCE. |
If you receive this error message:
Additional Information: Got an exception deploying CCE: Certificate Chain is broken. Root and Intermediate Certificate needs to be imported on ASM Operating System: A certificate chain could not be built to a trusted root authority.
...refer to Manually Loading the Root and Intermediate Certificates on the CCE
This step stores the Microsoft product keys, and activates the CCE VM (which is not yet activated).
Perform these steps on both SBC Edge systems.
Each CCE requires four VMs; each Microsoft Product Key activates two VMs.
Step | Action |
---|---|
1 | Login to the WebUI of each SBC Edge. |
2 | Open the Tasks tab and click Setup Cloud Connector Edition in the navigation pane. |
3 | Click the Activate CCE tab. |
4 | In Domain Controller and Central Management Store VM > Windows Product Key 1, enter the first Microsoft Product Key. To identify the Product Key, see Identify Microsoft Product Key. |
5 | In Under Mediation Server and Edge Server VM > Windows Product Key 2, enter the second Microsoft Product Key. To identify the Product Key, see Identify Microsoft Product Key. |
6 | Click Activate. |
7 | Access Tasks> Operational Status to verify Windows Activation. |
8 | To complete the deployment, continue with installing the Installing the CCE Appliance using Sonus Cloud Link Deployer. |
Activate the CCE
To identify the Microsoft Product Key:
If activation fails, check the following:
If you plan to use a proxy on the ASM Host to reach Office 365, you must add the Management network (192.168.213.0) into the exclusion list and specify proxy settings per machine rather than per user.
Using Sonus Cloud Link Deployer via Remote Desktop on the ASM Module:
Perform these steps on only one of theSBC Edge systems.
Step | Action |
---|---|
1 | Remote desktop to the ASM of the SBC Edge System 1. |
2 | Launch the Sonus Cloud Link Deployer from icon on the desktop. |
3 | Check the first two actions:
|
4 | Click Apply. |
5 | After successful execution, remote desktop to the ASM of the SBC Edge System 2. |
6 | Launch the Sonus Cloud Link Deployer from icon on the desktop. |
7 | Check the first two action.
|
8 | Click Apply. |
Registering the CCE Appliance - Master
Registering the CCE Appliance - Slave
Step | Action |
---|---|
1 | Remote desktop to the ASM of the SBC Edge System 1. |
2 | Launch the Sonus Cloud Link Deployer from icon on the desktop. |
3 | Check the last two actions:
|
4 | Click Apply. |
Install CcAppliance on HA Master Node
Step | Action |
---|---|
1 | Remote desktop to the ASM of the SBC Edge System 2. |
2 | Launch the Sonus Cloud Link Deployer from icon on the desktop. |
3 | Check the third action:
|
4 | Click Apply. The Installation time depends on the bandwidth between the Master and the Slave. |
5 | After configuring the SBC Edge for CCE, refer to Managing Your Office 365 Tenant to configure CCE update time and user. |
Install CcAppliance on the HA Slave Node
After the CCE is deployed, integrate the SBC Edge and allow calls from/to O365 clients. In this example, the following steps will set up the SBC Edge for:
SIP Provider (193.168.210.103) – SBC Edge (193.168.210.125) – CCE (mediation Server: 193.168.210.123) – O365 Cloud
Step | Action |
---|---|
1 | Login to the WebUI of SBC Edge-1. |
2 | Navigate to Tasks > SBC Easy Setup and then click the Easy Configuration Wizard. |
3 | Follow steps 1, 2, and 3 and then click Finish. The wizard configures the necessary settings for SBC Edge-1 and CCE integration, after which you can see all relevant configuration items in Settings tab. |
Building your SBC Edge-1 Configuration
Step | Action |
---|---|
1 | Login to the WebUI of SBC Edge-2. |
2 | Navigate to Tasks > SBC Easy Setup and then click the Easy Configuration Wizard. |
3 | Follow steps 1, 2, and 3 and then click Finish. The wizard configures the necessary settings for SBC Edge-2 and CCE integration, after which you can see all relevant configuration items in Settings tab. |
Building your SBC Edge-2 Configuration
With the preceding settings, an endpoint from the SIP provider side can dial the number of a Skype For Business (O365) client and reach out to it over SBC Edge. The call flow for this call is shown below:
Call Flow
Call Flow
Configuration changes to the CCE in the WebUI per Tasks > Setup Cloud Connector Edition> Configure CCE requires the CCE to be re-deployed.
Backup the Public Certificate per Tasks > Setup Cloud Connector Edition> Import Certificate.
If the CCE was previously deployed, previously installed information must be cleared in O365. To do so, follow the steps below:
Step | Action |
---|---|
1 | Remote Desktop to the ASM system |
2 | Connect the Office365 Tenant through a series of commands as follows: a. Execute the following command: Import-Module skypeonlineconnector $cred = Get-Credential b. When prompted, execute the credentials for O365 Admin Tenant. c. Execute the following command: $Session = New-CsOnlineSession -Credential $cred -Verbose Import-PSSession $session |
3 | Display all the Appliances assigned to your tenant, identify the Appliance you just re-initialized, and copy the identity into your clipboard.
|
4 | Execute the following command to remove the appliance:
|
5 | Execute the following command to verify that the appliance has been removed:
|
6 | This completes the cleanup. |
The ASM must be re-initialized with the image that contains the latest CCE software. To do so:
Step | Action |
---|---|
1 | Login to the WebUI of the SBC Edge. |
2 | Click the Task tab, and then click Reinitialize in the navigation pane. |
3 | Select the appropriate image from the drop-down list and then click Apply. |
Follow these steps if you need to update the O365 tenant admin password or account.
Step | Action |
---|---|
1 | On the WebUI, click Tasks and select the Prepare CCE tab (see Preparing the CCE). |
2 | Click Prepare CCE. |
3 | From the Password Setting drop down list, select Change Password. Keep the same passwords for the Edge Server, CCE Service and CA Backup File, but change the passwords for Tenant Account User and Tenant Account Password. |
4 | On Remote desktop, start the Sonus Cloud Link Deployer, and check Transfer Password from SBC to reset the credentials. |