Pexip Infinity configuration for an on-prem Lync / Skype for Business environment

This section describes the configuration required on the Pexip platform to integrate Pexip Infinity with an on-prem Lync / Skype for Business* environment.

As the Pexip Infinity Conferencing Nodes typically will reside on a private IP network for this type of Lync integration, the Conferencing Nodes will require access to a TURN server to ensure that RTP media (audio/video/presentation) can be exchanged with remote/external and federated Lync clients across firewalls/NAT. This TURN server is typically deployed outside the enterprise firewall or in a public DMZ.

Pexip Infinity is compatible with standards-based (RFC 5766) TURN servers such as Cisco VCS Expressway. TURN services are also offered by various commercial vendors, most of which will be compatible with Pexip Infinity. The Pexip Reverse Proxy and TURN Server features a built-in TURN server which can be used for this purpose. For more information, see Pexip Reverse Proxy and TURN Server.

* Note that where this documentation refers to "Lync", it represents both Microsoft Lync and Skype for Business unless explicitly stated otherwise.

Prerequisites

The deployment process assumes that the Management Node and the Conferencing Nodes have already been configured with basic settings, such as an IP address and NTP server, and that the Conferencing Nodes have already been configured with one or more Virtual Meeting Room aliases for the SIP domain to be used, such as meet@vc.example.com.

Provided that all of the Conferencing Nodes in the application pool are deployed in the same system location (e.g. Europe), no additional clustering configuration is required on the Pexip platform.

Configuration summary

The Pexip Infinity configuration consists of the following steps, each described in more detail in the following sections:

  1. Assigning a server certificate to the Conferencing Nodes.
  2. Configuring a Lync / Skype for Business server per location.
  3. Configuring DNS records and DNS servers.
  4. Configuring the SIP TLS FQDN setting for the Conferencing Nodes.
  5. Configuring the Lync MSSIP domain.
  6. Configuring a TURN server per location (optional, but required for supporting external/federated Lync clients).
  7. Configuring a STUN server per location (optional, but required if the TURN server is not located outside of the enterprise firewall).

After completing the Pexip Infinity configuration, you must also perform the Lync / Skype for Business server configuration for an on-prem deployment.

Assigning a server certificate to the Pexip Infinity Conferencing Nodes

When integrating Pexip Infinity with an on-prem Lync environment, every Conferencing Node must be configured with a TLS server certificate that matches its FQDN (Fully Qualified Domain Name), and the Lync servers must trust this certificate. Server certificates are typically issued by a Certificate Authority (CA) within the Lync environment itself (normally this will be the CA which was used to provide the Lync servers themselves with server certificates).

Full details are covered in Certificate creation and requirements for Lync / Skype for Business integrations.

Certificate requirements

In our example deployment, any of the Conferencing Nodes may communicate with the Lync environment. Calls from Lync to Pexip Infinity are routed from the FEP server/pool to any of the Conferencing Nodes in the application pool, and outbound calls from Pexip Infinity to Lync may be initiated by any Conferencing Node. To ensure that the Lync environment trusts these Conferencing Nodes, a certificate that is trusted by the Lync servers must be assigned to every node.

We recommend that you generate and use a single SAN certificate that encompasses all of the Conferencing Nodes in the application pool.

In the certificate:

  • the Common Name should be the common application pool FQDN
  • SAN (Subject Alternative Name) entries must be included for every node in the pool, plus the common application pool FQDN.

Therefore, in our example, the commonName and altNames sections for the certificate to be installed on every Conferencing Node would be configured as:

commonName = eu-px.example.com
altNames = eu-px01.example.com, eu-px02.example.com, eu-px03.example.com, eu-px.example.com

Assigning the certificate to a Conferencing Node

To assign a server certificate and private key to a Conferencing Node:

  1. From the Pexip Infinity Administrator interface, go to Platform configuration > TLS certificates and for each Conferencing Node in turn, select Upload certificate.

    In our case we must do this for eu-px01.example.com, eu-px02.example.com and eu-px03.example.com:

  2. For both the Certificate file and associated Private Key file, select Choose File and browse to the location of the file you want to upload.
  3. When both files have been chosen, select Save. The certificate and private key will be pushed to the Conferencing Node in question automatically.

Uploading trusted CA certificates

If the server certificate has been issued by one or more intermediate CAs (Certificate Authorities), these intermediate certificates must be uploaded. You can upload them as a single-file bundle by going to Platform configuration > Trusted CA certificates and selecting Import.

See Certificates issued by intermediate CAs for more information.

Configuring a Lync / Skype for Business server per location

To allow internal Conferencing Nodes to call out to Lync clients you must define the target Lync servers. In our example deployment, a Lync FEP pool has been deployed in Europe with the pool address eu-lyncpool.example.com.

To instruct the Conferencing Nodes in the Europe system location to use the Europe-based Lync FEP pool, you must first define the Lync FEP pool on the Management Node, and then link it to the Europe location, as follows:

  1. Go to Call control > Lync servers and select Add Lync server:

  2. Complete the fields and select Save.

    In the example above, the Europe Lync server has been defined by its pool name FQDN eu-lyncpool.example.com.

    Note that the Lync server can be a Front End Server/Processor or a Director; it cannot be an Edge Server.

  3. To assign the new Lync server to the appropriate location, go to Platform configuration > Locations and select the Europe location.
  4. In the Lync server field, select the Europe Lync server from the drop-down list, and then select Save.

Configuring DNS records and DNS servers

DNS A-records

In DNS, ensure that the following records are configured:

  • An A-record for each Conferencing Node. In our example this would be 3 records with host names of eu-px01, eu-px02 and eu-px03, each pointing to the individual IP address of that node.
  • Another A-record per Conferencing Node. This time the host name of every record should be eu-px.example.com (the application pool name of the Conferencing Nodes), and again associate it with the IP address of each Conferencing Node. This step allows Lync to spread the traffic across all of the Conferencing Nodes.

Pexip Infinity DNS server configuration

Ensure that Pexip Infinity is configured to use DNS servers on the inside of the network (System configuration > DNS servers, and then assigned to each location via Platform configuration > Locations). This ensures that Pexip Infinity can resolve internal hostnames, which is mandatory for communicating with Lync on-prem.

If you omit this step and use an external DNS server instead, calls might drop after a few minutes when Pexip Infinity verifies that the remote side is still responding properly. This is because an external DNS server cannot resolve the internal hostname of the Lync FEPs.

Configuring the SIP TLS FQDN setting for every Conferencing Node

The SIP TLS FQDN setting for each Conferencing Node must be configured to reflect its DNS FQDN.

This is done on the Management Node, by going to Platform configuration > Conferencing Nodes, choosing each node in turn and populating the SIP TLS FQDN field.

The example above shows the SIP TLS FQDN for the eu-px01 Conferencing Node, which is set to eu-px01.example.com.

Ensure that each Conferencing Node is configured with its respective DNS hostname as the SIP TLS FQDN. Pexip Infinity will present this as being the server name, and it must match the name on the certificate installed on the node. Each Conferencing Node must have a unique SIP TLS FQDN.
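
The certificate, DNS and SIP TLS FQDN rules above can be checked together before the Lync side is configured. The following is an added example, not Pexip code: check_pool and its finding names are hypothetical, and the inputs are values you export yourself (certificate CN and SANs, the internal DNS zone, and each node's SIP TLS FQDN). The host names are this page's example; the IP addresses are constructed.

```python
from collections import Counter

def check_pool(pool_fqdn, nodes, cert_cn, cert_sans, a_records):
    """Return (rule, subject) findings; an empty list means every rule holds.

    nodes:     {node DNS FQDN: {"ip": str, "sip_tls_fqdn": str}}
    a_records: iterable of (name, ip) pairs from the internal DNS zone
    """
    pool = pool_fqdn.lower()
    sans = {s.lower() for s in cert_sans}
    records = {(name.lower(), ip) for name, ip in a_records}
    seen = Counter(n["sip_tls_fqdn"].lower() for n in nodes.values())
    findings = []

    # Certificate: CN is the pool FQDN, and the pool FQDN is also a SAN.
    if cert_cn.lower() != pool:
        findings.append(("cn-not-pool-fqdn", cert_cn))
    if pool not in sans:
        findings.append(("san-missing", pool))

    for host, node in sorted(nodes.items()):
        host, fqdn = host.lower(), node["sip_tls_fqdn"].lower()
        # SIP TLS FQDN: reflects the node's DNS FQDN, is unique, is on the cert.
        if fqdn != host:
            findings.append(("sip-tls-fqdn-not-dns-name", host))
        if seen[fqdn] > 1:
            findings.append(("sip-tls-fqdn-duplicate", host))
        if fqdn not in sans:
            findings.append(("san-missing", fqdn))
        # DNS: one A-record under the node name, one under the pool name.
        if (host, node["ip"]) not in records:
            findings.append(("a-record-missing", host))
        if (pool, node["ip"]) not in records:
            findings.append(("pool-a-record-missing", host))
    return findings

# Constructed sample: host names are the page's example, IP addresses are made up.
POOL = "eu-px.example.com"
NODES = {f"eu-px0{i}.example.com": {"ip": f"10.44.0.1{i}",
                                    "sip_tls_fqdn": f"eu-px0{i}.example.com"}
         for i in (1, 2, 3)}
SANS = list(NODES) + [POOL]
A_RECORDS = [(h, n["ip"]) for h, n in NODES.items()] + \
            [(POOL, n["ip"]) for n in NODES.values()]

if __name__ == "__main__":
    print(check_pool(POOL, NODES, POOL, SANS, A_RECORDS))
```

A node that is missing from the SAN list or from the pool-name A-records shows up as a finding for that node, which is easier to act on than a failed TLS handshake from the Lync FEP.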

Configuring the Lync MSSIP domain

You must specify the name of the SIP domain that is routed from Lync to Pexip Infinity for this deployment. This domain is inserted into the From header in outbound calls from Pexip Infinity to Lync, and ensures that Lync can route messages back to Pexip Infinity when, for example, initiating content sharing.

You specify this by going to Platform configuration > Global settings and configuring the Lync MSSIP domain setting:

This must be set to the same SIP domain as used by the static route from Lync to Pexip Infinity, which is vc.example.com in our example (see Creating a static SIP domain route and associating this route with a trusted application).

Configuring a TURN server per location (optional)

This configuration is optional, but required for supporting external/federated Lync clients.

To allow internal Conferencing Nodes to establish two-way media connectivity with remote/external and federated Lync clients across firewalls/NAT, media may be relayed via a TURN server. In our example, the TURN server has the IP address 203.0.113.5.

To instruct the Conferencing Nodes to use the TURN server, we must first define the TURN server on the Management Node, and then link it to the Europe location, as follows:

  1. Go to Call control > TURN servers and select Add TURN server:

  2. Complete the fields and select Save.
    In the example above, the TURN server has been defined by its IP address and Port, in addition to the Username and Password for our TURN user (which has already been created on the TURN server).
  3. Assign this TURN server to the appropriate location: go to Platform configuration > Locations and select the Europe location.
  4. In the TURN server field, select the Europe TURN server from the drop-down list, and then select Save.

Configuring a STUN server per location

This configuration is optional, but is required if you need to relay media via a TURN server to external and federated Lync clients and the TURN server is not located outside of the enterprise firewall. In this case, you will also need to configure separate STUN servers per location. This allows a Conferencing Node to discover its public NAT address, which is essential in Lync deployments.

Configuring STUN server addresses

To add, edit or delete STUN server connection details, go to Call control > STUN servers.

Note that Pexip Infinity ships with one STUN server address already configured by default: stun.l.google.com

Associating STUN server addresses with Conferencing Nodes

To associate a STUN server address with a Conferencing Node, you must configure the node's system location:

  1. Go to Platform configuration > Locations.
  2. Select the Conferencing Node's location.
  3. Select a STUN server and select Save.

All Conferencing Nodes in that location will use the nominated STUN server for conference calls.