Friday, November 9, 2018

Configuring Skype for Business Hybrid with GCC High Tenants

Configuring Skype for Business Hybrid with a GCC High Office 365 tenant is mostly the same as with a commercial tenant, but it turns out that there are a few differences in the DNS records and in the FQDNs that get set when running the PowerShell cmdlets. This brief post walks you through those differences.


Differing DNS Records


When working with [U.S.] GOV tenants in Office 365, there are a couple of different types of tenants that reflect varying levels of compliance and security requirements. Namely, there are:

  • Office 365 GCC
  • Office 365 GCC High and DoD

There are a number of compliance requirements that are met by each type of tenant, as can be guessed from the difference in names. Clearly, the Office 365 GCC High and DoD tenants meet a stricter set of requirements, as well as requirements that specifically target DoD entities.

There are several components to the architecture of these tenants that allow them to meet a more stringent set of requirements, and one of them is reflected by the difference in FQDNs and URLs that are used by endpoints to connect into these environments. Specifically, the Office 365 GCC High tenants (DoD is still being worked on) have a different list of required DNS records than your typical commercial tenant. While we are focusing on Skype for Business Online here, this also applies to Exchange Online.

The DNS records that are required for Skype for Business Online in a GCC High tenant are below:

CNAMEs
  • 'sip'
    • Points to: sipdir.online.gov.skypeforbusiness.us
  • 'lyncdiscover'
    • Points to: webdir.online.gov.skypeforbusiness.us

SRV
  • '_sip'
    • Points to: sipdir.online.gov.skypeforbusiness.us
    • Port: 443
    • Protocol: _tls
  • '_sipfederationtls'
    • Points to: sipfed.online.gov.skypeforbusiness.us
    • Port: 5061
    • Protocol: _tcp

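Before touching the on-premises configuration, it is worth confirming that these records actually resolve to the GCC High targets rather than to a leftover commercial lync.com target. The following PowerShell check is an added example, not part of the original post; it assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 and later), and the SIP domain and the external resolver are placeholders to replace with your own.

```powershell
# Added example (not from the original post): verify that the GCC High DNS
# records listed above resolve to the expected Skype for Business Online
# targets before starting the Hybrid configuration.
# Assumes Resolve-DnsName (DnsClient module); $SipDomain is a placeholder.

$SipDomain = 'contoso.example'   # placeholder: replace with your SIP domain

# Expected records from the post, keyed by full record name under $SipDomain
$expected = @(
    @{ Name = "sip.$SipDomain";                    Type = 'CNAME'; Target = 'sipdir.online.gov.skypeforbusiness.us' }
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'CNAME'; Target = 'webdir.online.gov.skypeforbusiness.us' }
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV';   Target = 'sipdir.online.gov.skypeforbusiness.us'; Port = 443 }
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV';   Target = 'sipfed.online.gov.skypeforbusiness.us'; Port = 5061 }
)

function Test-GccHighSfbDns {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Records,
        [string] $DnsServer   # optional: query an external resolver to see what clients on the Internet see
    )
    foreach ($r in $Records) {
        $query = @{ Name = $r.Name; Type = $r.Type; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }

        # Resolve-DnsName also returns the A records of the target, so keep only the record type we asked for
        $answer = Resolve-DnsName @query | Where-Object { $_.Type -eq $r.Type } | Select-Object -First 1

        if (-not $answer) {
            [pscustomobject]@{ Record = $r.Name; Status = 'MISSING'; Found = $null }
            continue
        }
        if ($r.Type -eq 'CNAME') {
            $found = $answer.NameHost
            $ok    = ($found -ieq $r.Target)
        } else {
            $found = "$($answer.NameTarget):$($answer.Port)"
            $ok    = ($answer.NameTarget -ieq $r.Target) -and ($answer.Port -eq $r.Port)
        }
        # A record that still points at a commercial lync.com host is the classic leftover to catch here
        $status = if ($ok) { 'OK' } elseif ($found -like '*lync.com*') { 'COMMERCIAL-TARGET' } else { 'MISMATCH' }
        [pscustomobject]@{ Record = $r.Name; Status = $status; Found = $found }
    }
}

# Placeholder resolver: use a public or your ISP's resolver to check the externally visible answer
Test-GccHighSfbDns -Records $expected -DnsServer '8.8.8.8' | Format-Table -AutoSize
```

Run it once against your internal resolver (omit -DnsServer) and once against an external one; a record that is OK internally but MISSING or COMMERCIAL-TARGET externally usually explains the unhelpful sign-in and federation errors mentioned later in the post.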
Configuring Hybrid

As you can imagine, given the difference in the DNS records, you will want to slightly modify the PowerShell cmdlets that you use when setting up Hybrid for a Skype for Business environment that includes a GCC High tenant. Specifically, when running the New-CsHostingProvider cmdlet, you will want to do so like this, with the specified ProxyFqdn and AutoDiscoverUrl attributes:

New-CsHostingProvider -Identity SkypeforBusinessOnlineGov -ProxyFqdn "sipfed.online.gov.skypeforbusiness.us" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.gov.skypeforbusiness.us/Autodiscover/AutodiscoverService.svc/root

The rest of the Hybrid configuration is pretty much the same. Next, when it comes to moving users via the Management Shell, you will modify the cmdlets like so:

Move-CsUser -Identity <user@domain.com> -Target sipfed.online.gov.skypeforbusiness.us -Credential $cred -HostedMigrationOverrideUrl https://admin1g.online.gov.skypeforbusiness.us/HostedMigration/hostedmigrationservice.svc
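Putting both steps together, here is an added example (not the post's own commands, and not Microsoft's) that creates the hosting provider only if it is not already there, reads it back to confirm every FQDN and URL points at gov.skypeforbusiness.us, and then stages a pilot user move. It assumes it is run in the Skype for Business Server Management Shell by an account with the usual RTCUniversalServerAdmins rights, that Move-CsUser honours -WhatIf, and the user identity and credential prompt are placeholders.

```powershell
# Added example (not from the original post): idempotent GCC High hosting
# provider setup with a read-back check, followed by a pilot user move.
# Assumes the Skype for Business Server Management Shell; placeholders below.

$ProviderIdentity = 'SkypeforBusinessOnlineGov'

# Same parameters as the New-CsHostingProvider line in the post, splatted for readability
$providerParams = @{
    Identity                  = $ProviderIdentity
    ProxyFqdn                 = 'sipfed.online.gov.skypeforbusiness.us'
    Enabled                   = $true
    EnabledSharedAddressSpace = $true
    HostsOCSUsers             = $true
    VerificationLevel         = 'UseSourceVerification'
    IsLocal                   = $false
    AutodiscoverUrl           = 'https://webdir.online.gov.skypeforbusiness.us/Autodiscover/AutodiscoverService.svc/root'
}

# Create once; re-running the script must not error or duplicate the provider
$existing = Get-CsHostingProvider -Identity $ProviderIdentity -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsHostingProvider @providerParams
} else {
    Write-Warning "Hosting provider '$ProviderIdentity' already exists; not recreating it."
}

function Test-GccHighHostingProvider {
    # Read the provider back and flag anything that still points at the commercial service
    param([Parameter(Mandatory)] [string] $Identity)
    $p = Get-CsHostingProvider -Identity $Identity
    $problems = @()
    if ($p.ProxyFqdn -notlike '*.gov.skypeforbusiness.us')              { $problems += "ProxyFqdn is '$($p.ProxyFqdn)'" }
    if ($p.AutodiscoverUrl -notlike 'https://*.gov.skypeforbusiness.us/*') { $problems += "AutodiscoverUrl is '$($p.AutodiscoverUrl)'" }
    if (($p.ProxyFqdn -like '*lync.com*') -or ($p.AutodiscoverUrl -like '*lync.com*')) {
        $problems += 'a commercial lync.com endpoint is still configured'
    }
    if (-not $p.Enabled) { $problems += 'provider is disabled' }

    if ($problems.Count -eq 0) { return "OK: $Identity points at GCC High" }
    return "CHECK: $Identity - " + ($problems -join '; ')
}

Test-GccHighHostingProvider -Identity $ProviderIdentity

# Pilot move with the GCC High hosted-migration URL. -WhatIf shows the planned
# move without performing it; remove it for the real move.
$cred = Get-Credential -Message 'Office 365 GCC High tenant admin'   # placeholder prompt
Move-CsUser -Identity 'user@domain.com' `
    -Target 'sipfed.online.gov.skypeforbusiness.us' `
    -Credential $cred `
    -HostedMigrationOverrideUrl 'https://admin1g.online.gov.skypeforbusiness.us/HostedMigration/hostedmigrationservice.svc' `
    -WhatIf
```

The read-back function is the part worth keeping around: if a colleague later "fixes" the provider by pasting the commercial cmdlet from the generic Hybrid documentation, the CHECK line tells you exactly which property went back to lync.com.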

So, to summarize, while I hate to seem like I am oversimplifying, we are pretty much putting 'gov.skypeforbusiness.us' anywhere that 'lync.com' would typically show up in our Hybrid configuration process.

I hope this is able to save someone even a little bit of pain, somewhere. It seems like such a small thing, but if you are not aware of these differences, the errors that you will run into do not do a great job of letting you know where to start, and none of the "Configure Hybrid" documentation does a great job at calling out that there are differences for GCC High tenants.