Trevor Miller, Author at Perficient Blogs
https://blogs.perficient.com/author/tmiller/

A look at the new Cloud features for Skype4B in Office365
https://blogs.perficient.com/2015/11/30/a-look-at-the-new-cloud-features-for-skype4b-in-office365/
Mon, 30 Nov 2015

Beginning December 1, 2015, Microsoft will be officially rolling out a number of new features within Office365 that significantly enhance the Skype for Business workloads.  These features have been in preview form for a few months now, but December 1 marks the date when they become generally available (GA) for all Office365 tenants across the entire globe.  What’s new, you ask?  Let’s take a quick look…

Cloud PSTN Conferencing

For years, on-premises Skype4B/Lync deployments could integrate a PSTN dial-in number to access meetings generated by Skype4B/Lync Server.  When Office365 initially came to the scene, PSTN dial-in number integration was offered only through third-party Audio Conferencing Providers such as AT&T, PGi, or Intercall.  Those ACP providers offered a wide breadth of local numbers, but the feature set was limited, separate ACP administration was required, and the service carried additional costs above and beyond your existing Microsoft licensing costs.
Starting today, Microsoft now offers the dial-in service natively and best of all, Microsoft is making it very attractive from a licensing perspective.  42 local dial-in numbers are currently available, spanning APAC, EMEA, LATAM, and NOAM, with more regions and countries coming online during CY 2016.  If you were looking for a reason to ditch your current dial-in provider and save on your TCO for conferencing, you should definitely take a look at what Microsoft is offering.

Skype Meeting Broadcast

For years, on-premises Skype4B/Lync deployments were limited to hosting meetings of up to 250 users in a single meeting.  Large Meeting support was added within Lync Server 2013 to allow up to 1,000 users in a single on-premises meeting, but that support came with certain limitations & restrictions that often made it not feasible to implement.  Office365 meeting support has always been limited to 250 users in a single meeting…until now.
Skype Meeting Broadcast is a component of Office365, Skype for Business Online, and Azure Media Services that lets you organize and host meetings of up to 10,000 attendees.  Skype Meeting Broadcast is primarily targeted for town-hall style events where there is a one-to-many presentation that may include audio, video, recording, Bing Pulse, Yammer, and PowerPoint deck sharing.  The service is offered digitally only, meaning you can only access the event through an HTML5 capable device – PSTN dial-in is currently not offered.  Skype Meeting Broadcast is free, which means you could easily enable this feature for your Office365 tenant and replace other broadcast services with Microsoft’s free offering!

Cloud PBX

Cloud PBX is actually a compilation of several topologies, one of which has existed as far back as Lync Server 2010.  The differences between the various topologies aren’t always clearly communicated, but the basic tenet of Cloud PBX is that instead of using on-premises Skype4B/Lync servers for call control, you use Office365 servers for call control.  The differences really boil down to whether you already have Skype4B/Lync servers on-premises and where you want the PSTN access to come from.  I’ve tried to boil down the different options below:

Option 1 – You Have On-Premises Skype4B/Lync Servers and Want to Keep PSTN On-Premises

If you have existing servers, you can utilize Cloud PBX by using a feature called Cloud PBX with On-Premises PSTN Connectivity (aka – Hybrid Voice).  What this means is that you can move users to Skype4B Online, and still allow those users to access the PSTN through your existing on-premises Skype4B/Lync Server deployment and whatever IP-PBX or ITSP your deployment may be already connected to.  From the user’s perspective, nothing really changes (including your telephone number), but from an administrator perspective, you’ve offloaded users from your on-premises Skype4B/Lync Servers to Office365.  There are some feature limitations here so be sure to check out what is available and what is not to see if this solution is a good fit for your users.

Option 2 – You Have On-Premises Skype4B/Lync Servers and Want to Move PSTN to the Cloud

If you have existing servers and you want to deprecate your on-premises PBX environment, you can utilize Cloud PBX by using a feature called Cloud PBX with PSTN Calling.  What this means is that you can move users to Skype4B Online and allow those users to access the PSTN through Microsoft via Office365.  PSTN Calling requires you to port your PSTN numbers from your existing on-premises provider, such as AT&T, Sprint, Verizon, etc, to Microsoft or request new numbers from Microsoft and assign those new numbers to your cloud users.  The whole porting process is easily captured within the Office365 portal and can be centrally managed as such.  Administrators will rejoice in that you’ve offloaded users from your on-premises Skype4B/Lync Servers to Office365 and offloaded PSTN access from your on-premises infrastructure as well, but at the end of the day you still maintain the same seamless integration and communication between your on-premises users and your cloud users.  There are some feature limitations here so be sure to check out what is available and what is not to see if this solution is a good fit for your users and your environment.

Option 3 – You Have No On-Premises Skype4B/Lync Servers and Want to Keep PSTN On-Premises

Prior to a month ago, this wasn’t even an option, but the recently announced Cloud Connector Edition (aka – MinTop, or Minimum Topology) gives customers the ability to integrate on-premises IP-PBXs or ITSPs with their Cloud PBX users.  While Microsoft will say “no on-premises server deployment”, the reality is that this solution implements on-premises servers, just in a special and unique way.  This particular solution is still very new and has several feature restrictions that don’t make it viable for all organizations.  Based on what I’ve seen thus far, there is a very small set of organizations that may benefit from this approach, but due to the current technical restrictions of CCE, it may be a while before this becomes a truly viable solution.

Option 4 – You Have No On-Premises Skype4B/Lync Servers and Want to Move PSTN to the Cloud

If you don’t have existing servers and you want to deprecate your on-premises PBX environment, you can utilize Cloud PBX by using a feature called Cloud PBX with PSTN Calling.  This particular option is essentially the same as Option #2 above – port your numbers or obtain new ones from Microsoft.  Your reliance in this scenario is solely on Microsoft itself which will provide Skype4B services along with PSTN access, as there are no on-premises integrations required for this approach.  There are some feature limitations here so be sure to check out what is available and what is not to see if this solution is a good fit for your users and your environment.

Wrapping it Up

These new features significantly enhance the collaboration capabilities offered within Skype for Business Online and make Office365 attractive for a much larger audience.  If you were holding off on the cloud prior to now, these features may be the tipping point that gets you to start thinking “cloud first” instead of “on-premises first”.  All of these features will be enhanced over the coming months, so start thinking about your strategy to utilize these services to not only save yourself money, but improve collaboration across your organizations.

Controlling Skype4B Application Sharing Bandwidth
https://blogs.perficient.com/2015/10/01/controlling-skype4b-application-sharing-bandwidth/
Thu, 01 Oct 2015

In a previous blog post I talked about how administrators and architects should place more emphasis on planning for application sharing bandwidth in their Skype4B deployments.  Armed with that information, the next logical progression of this blog series continues the focus on application sharing and discusses the available methods within Skype4B to manage and control the bandwidth requirements for application sharing.

General Methods of Controlling Bandwidth

Speaking broadly, there are typically two methods of controlling any sort of application bandwidth across enterprise networks.  The two methods are not mutually exclusive and can be used in concert with one another, but it is largely up to the network engineers and the application engineers to work together to find the best solution for your environment.
Control the traffic at the network
For most of the network engineers out there, this is the “preferred method”.  Like controlling traffic on highways via “normal lanes” and “HOV lanes”, network traffic is separated, classified and handled in a manner that is configured by the network engineers to give preferential treatment (and bandwidth) to high priority traffic while giving normal treatment to non-priority traffic.  This is most generally referred to as Quality of Service (QoS).  QoS is typically seen in two forms:

  • Differentiated Services – This is a QoS designation split into two layers of the OSI stack
    • Class of Service (CoS) – This is a Data Link Layer classification method whereby a 3-bit CoS field is carried in the 802.1Q VLAN tag of Ethernet frames
    • Differentiated Services Code Point (DSCP) – This is a Network Layer classification method whereby a 6-bit DSCP value is included in the 8-bit Differentiated Services field within the IP headers of traffic
      • This is typically the more common QoS model and the preferred model today.
  • Integrated Services – This is a QoS designation where the traffic specification part (TSPEC) and request specification part (RSPEC) help to define and classify the traffic into unique flows. This model is rarely deployed today.

In either case above, network engineers can control, on a per-hop basis, how each classification of traffic is treated along the entire network path.  While flexible and powerful, this method requires engineers to know all the various types of traffic on the network and to classify it accordingly (and to ensure it is classified consistently across all devices), which can be an arduous task and can result in traffic being incorrectly classified.  In addition to the work required, as more and more applications move to SaaS delivered across the Internet, QoS markings are lost once the traffic leaves the corporate network, so QoS cannot be guaranteed end-to-end.
Control the traffic through the application
For most of the application engineers out there, this is the “preferred method”.  Think of this as the “honor system” where some type of built-in application configuration tells the application to limit itself to X bandwidth when utilizing the network.  While undoubtedly easy to deploy, this method has no awareness of other traffic around it and no integration with network devices that send/receive traffic, which results in a more limited “one-size-fits-all” approach.

How does Skype4B fit in?

In almost all enterprise deployments, architects and engineers desire to identify the traffic produced by Skype4B and fit that traffic within the available enterprise network configurations.  Skype4B offers both of the configurations above and can be configured for one or both to suit the needs of the enterprise network.
Limit Application Sharing Bandwidth Within On-Premises Skype4B Conference Policies
This method is by far the easiest option for limiting application sharing bandwidth within Skype4B.  The only built-in method to control application sharing bandwidth is via the Conferencing Policies within Skype4B.  By default, the Global policy has no functional restriction on bitrate and is set to 50000.
Get-CsConferencingPolicy | select Identity,AppSharingBitRateKb | fl
If you decide to limit bandwidth, two approaches could be taken:

  1. Alter the Global policy – while this approach is easiest, it will impact all users that don’t have a site or user policy assigned to them. As a result, you may limit users to an artificially low bandwidth in certain sites that have sufficient bandwidth.
  2. Create a Site or User policy – this approach allows flexibility in deployment by tailoring bandwidth requirements to a per-site or a per-user basis. As a result, you can limit users in a low bandwidth site to a low bitrate while allowing users in high bandwidth sites to a higher bitrate.

Set-CsConferencingPolicy -Identity Global -AppSharingBitRateKb 1000
New-CsConferencingPolicy -Identity TestPolicy -AppSharingBitRateKb 1000
Limits of this approach
While the second option above is my preferred option for handling bandwidth natively within Skype4B, it does come with limits.  The biggest current limitation is that the AppSharingBitRateKb parameter is handled per-user and is only applicable to the presenter.  Where this becomes a challenge is with branch sites that have much lower bandwidth than other, larger sites with high bandwidth.
(Figure: AppShareKB-HighBWtoLowBW – application sharing from a high-bandwidth site to a low-bandwidth site)
In the figure above, when the user in Site B goes to share their desktop with the user in Site A, the effective limitation is based on the user in Site B.  With Site A limited to 1.5 Mbps, that could result in 67% of available bandwidth being consumed for a single desktop share.  When you add in the possibility of multiple users sharing desktops between the two sites, oversubscription of the 1.5 Mbps circuit becomes a very real risk.  Also of note is that this AppSharingBitRateKb behavior is applied both in P2P calls and within multiparty calls.
Impact of this approach with Lync for Mac
Through several of my deployments I’ve noticed there seems to be a significant difference with RDP performance on Mac OS clients, especially the Retina display models, when the AppSharingBitRateKb setting is reduced to a low value.  Interestingly enough, the low value doesn’t seem to impact Windows-based clients but users on Lync 2011 for Mac would report that application sharing was largely unusable.  In scenarios where there are Lync for Mac clients I would strongly suggest only using the Optimal numbers referenced in my previous post for the AppSharingBitRateKb setting.
Limit Application Sharing Bandwidth Within Skype4B Online Conferencing Policies
Sadly, this is a bit of a bait-and-switch option because it really isn’t an option at all.  Microsoft pre-creates and manages all conferencing policies within Skype4B Online and as a result you cannot create new policies or edit existing ones.  Consequently, any user accounts that are homed online are restricted to using the AppSharingBitRateKb value Microsoft has defined, which is currently 50000.  For all intents and purposes, the application sharing bandwidth is not restricted for Skype4B Online deployments, so architects and engineers should carefully plan their network ingress/egress points to ensure sufficient bandwidth is available.  If bandwidth restrictions are required in Skype4B Online deployments, you must begin to examine QoS restrictions for each modality.
Limit Application Sharing Bandwidth for On-Premises Skype4B Deployments through QoS
There are a number of articles on the Internet that already talk about this overall process but it boils down to telling the Skype4B client to utilize certain port ranges for each modality and then configuring client/network devices to treat each modality in a certain way by dedicating queues (loosely equal to bandwidth) for each network hop.  The pre-requisite to all of this is that individual port ranges must be specified first.  The overall process of doing so consists of:

  1. Configure port ranges for clients – Remember that each port range should be unique and not overlap. Additionally, you should have 20 ports per modality.
  2. Configure port ranges for the MCUs – Remember that each port range should be unique and not overlap. Since MCUs handle modalities from multiple clients, be very careful about reducing the port numbers to a small number of ports per modality.  Observe best practices here and stick as closely as possible to what Microsoft publishes on TechNet.
  3. Configure port ranges for Mediation Servers – Remember that the audio port range should be unique and not overlap any other server port ranges, such as video or application sharing. Since the Mediation Server handles all traffic to/from IP-PBXs and the PSTN, be very careful about reducing the port numbers.  Observe best practices here and stick as closely as possible to what Microsoft publishes on TechNet.

Once port ranges are defined, the clients and servers will begin utilizing those ranges for each modality when communicating on the network.  With individual port ranges in use, architects can then begin to classify the traffic using QoS using two main methods:

  1. Mark DSCP utilizing Group Policy based QoS policies on Windows clients and servers – This method is typically easiest but requires that access-layer switches trust DSCP markings coming from the endpoints. If switches aren’t configured for mls qos trust dscp, then DSCP markings will be stripped and classification is lost.
  2. Mark DSCP utilizing class-map policies based off the port ranges per modality – This method requires more work to configure every access-layer switch across the enterprise to mark DSCP based on either source or destination port ranges, but is sometimes the only available option if network engineers choose not to trust client/server DSCP markings.

A typical DSCP/CoS classification of traffic is listed below:

Modality              DSCP Value   CoS Value
Audio                 46           6
Video                 34           4
SIP Signaling         24           3
Application Sharing   18           2
File Transfer         10           1

Once you have calculated the expected application sharing bandwidth through the Lync Bandwidth Calculator for each site in your environment, network engineers can configure QoS queues appropriately to handle the expected traffic.
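As an added example (not the blog’s or Microsoft’s code), the following Python checks a port-range plan the way the steps above describe, and classifies a port the way a port-based class-map would using the DSCP/CoS table above. The sample ranges are constructed for illustration and are not the TechNet defaults.

```python
"""Port-range plan checker for Skype4B QoS classification.

Constructed example, not the blog's or Microsoft's code: it checks that the
per-modality port ranges chosen for clients, conferencing MCUs and Mediation
Servers do not overlap, that clients get 20 ports per modality, and then
classifies a given port using the DSCP/CoS table above. The sample ranges
are made up for illustration and are not the TechNet defaults.
"""
from dataclasses import dataclass

# Modality -> (DSCP, CoS), as in the classification table above.
CLASSIFICATION = {
    "audio": (46, 6),
    "video": (34, 4),
    "sip": (24, 3),
    "appsharing": (18, 2),
    "filetransfer": (10, 1),
}

CLIENT_PORTS_PER_MODALITY = 20  # the per-modality client count recommended above


@dataclass(frozen=True)
class PortRange:
    role: str       # "client", "mcu" or "mediation"
    modality: str   # key of CLASSIFICATION
    start: int
    count: int

    @property
    def end(self) -> int:
        return self.start + self.count - 1

    def overlaps(self, other: "PortRange") -> bool:
        return self.start <= other.end and other.start <= self.end


def validate_plan(ranges):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    for r in ranges:
        if r.count < 1 or r.start < 1024 or r.end > 65535:
            problems.append(f"{r.role}/{r.modality}: invalid range {r.start}-{r.end}")
        if r.modality not in CLASSIFICATION:
            problems.append(f"{r.role}/{r.modality}: unknown modality")
        if r.role == "client" and r.count != CLIENT_PORTS_PER_MODALITY:
            problems.append(f"client/{r.modality}: expected "
                            f"{CLIENT_PORTS_PER_MODALITY} ports, got {r.count}")
    # Client ranges must not overlap each other; MCU and Mediation Server
    # ranges live on server hosts and must not overlap each other either.
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            same_side = (a.role == "client") == (b.role == "client")
            if same_side and a.overlaps(b):
                problems.append(f"{a.role}/{a.modality} {a.start}-{a.end} overlaps "
                                f"{b.role}/{b.modality} {b.start}-{b.end}")
    return problems


def classify_port(ranges, role, port):
    """Return (modality, dscp, cos) for a port on the given role, or None.

    This mirrors what a port-based class-map does: match the source or
    destination port against the configured ranges and mark DSCP accordingly.
    """
    for r in ranges:
        if r.role == role and r.start <= port <= r.end and r.modality in CLASSIFICATION:
            dscp, cos = CLASSIFICATION[r.modality]
            return r.modality, dscp, cos
    return None


# Constructed plan: 20 contiguous client ports per modality, and server ranges
# laid out so that Mediation Server audio sits clear of every MCU range.
GOOD_PLAN = [
    PortRange("client", "audio", 50000, 20),
    PortRange("client", "video", 50020, 20),
    PortRange("client", "appsharing", 50040, 20),
    PortRange("client", "filetransfer", 50060, 20),
    PortRange("mcu", "audio", 49152, 8348),        # 49152-57499
    PortRange("mcu", "video", 57500, 8036),        # 57500-65535
    PortRange("mcu", "appsharing", 40800, 8352),   # 40800-49151
    PortRange("mediation", "audio", 32000, 8000),  # 32000-39999
]

# Same plan, but Mediation Server audio now collides with two MCU ranges.
BAD_PLAN = GOOD_PLAN[:-1] + [PortRange("mediation", "audio", 45000, 8000)]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_plan(plan) or "ok")
    print(classify_port(GOOD_PLAN, "client", 50045))
```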
Limit Application Sharing Bandwidth for Online Skype4B Deployments through QoS
This method is similar to on-premises deployments but is limited because administrators cannot define the port ranges utilized for Online Skype4B deployments.  Microsoft has the following port ranges pre-created for clients that are homed Online:

Source Port   Protocol   Usage
50000-50019   UDP        Audio
50020-50039   UDP        Video
50040-50059   TCP        Application Sharing and File Transfer

Architects still have the option to utilize Group Policy based QoS policies or class-map policies, but those have two major limitations:

  1. Having QoS in place mostly benefits P2P traffic – In this scenario the application sharing never leaves your corporate network so it can be controlled end-to-end.
  2. Skype4B Meetings and multi-party communications lose QoS upon egressing to the Internet – In this scenario you can maintain QoS up to the point where the traffic leaves your network. This can be helpful on your network, especially for endpoints that may need to traverse the corporate WAN before egressing to the Internet, but you are still at the mercy of traffic patterns on the Internet for a great deal of the hops and thus cannot guarantee QoS end-to-end.

Despite not being able to maintain QoS end-to-end in an Online deployment, you can still classify the traffic into discrete queues to ensure the bandwidth is allocated for application sharing which in turn ensures that application sharing bandwidth doesn’t impact other traffic on your network.  Without reinventing the wheel, check out this blog post for information on configuring QoS for Online deployments.
The best option:  utilize both application limits and QoS
For every on-premises deployment out there you should absolutely be coordinating application limiting in concert with QoS.  In doing so you gain the following benefits:

  1. Predictable application BW limits – by configuring the AppSharingBitRateKb parameter you ensure that Skype4B clients will request no more than a known maximum amount of bandwidth.
  2. Predictable QoS queue utilization – with expected bandwidth figures from the Skype4B team, network engineers can map expected bandwidth consumption to available queues.
  3. Better management through improved communication between network and application teams – this one may not seem obvious but the more the two teams talk the less chance there is of misconfiguration and the better the solution is for the end user.
    1. If queues become saturated, should the application reduce bandwidth (and potentially harm the end user performance) or should queues be increased or potentially both options?
    2. If network bandwidth increases at a site, are queues going to be increased and if so, how will that impact the configuration within the application?
    3. Based on usage patterns of existing sites, how should network engineers plan for bandwidth for new sites that come online?

Note:  There are a number of other options here I’ve left out, but in every case the benefits are helpful to both the network team AND the application team.
For Online-only deployments, you should still utilize QoS even though you are limited in configuring the application.  Despite granular application control not being available, network engineers can still classify traffic and give a roughly-predictable utilization for each queue of traffic (application sharing included).
But what about Call Admission Control?
An astute reader would point out that Skype4B has Call Admission Control that can be used to restrict traffic as well, and you would be correct to say that additional control may be available.  Call Admission Control is only available for the following configurations:

  1. On-premises deployments – CAC is currently not available for users that are homed Online
  2. Audio/Video modalities – CAC is currently available for audio and video modalities only. Application sharing is not a supported CAC modality today.

If CAC is available for your deployment, configure it in tandem with your QoS configuration.  In fact, CAC is my preferred approach to bandwidth limits for audio and video modalities because it allows flexibility per-site AND includes reporting.  Conferencing Policy configurations of audio and video are applicable to each user regardless of where the user physically resides on the network, which can result in a user using more bandwidth than may be available if the user is travelling between sites.  Since application sharing currently isn’t supported in CAC today, architects need to utilize Conference Policies for the foreseeable future.

Skype4B App Share: What in the World Are You Doing to My Network?
https://blogs.perficient.com/2015/09/25/skype4b-app-share-what-in-the-world-are-you-doing-to-my-network/
Fri, 25 Sep 2015

For many of the Skype for Business and Lync readers out there, you may think to yourself, “Hey, I’ve seen a similar title like that before…”, and you would be absolutely correct. During Lync Conference 2014, Lync MVP Jeff Schertz gave a fantastic presentation about “Video – What in the World Are You Doing to My Network” in which he gave a deep-dive into the impact of Lync’s new H.264 SVC video codec and how that impacts network bandwidth across the enterprise. While it is absolutely accurate that video can stress enterprise networks, the often forgotten (and sometimes neglected) truth is that app share traffic in Lync/Skype4B has (in my opinion) a far greater impact on overall bandwidth figures. What follows is my attempt not to reduce video planning but to place an equal (and maybe higher) importance on planning for application sharing bandwidth in Lync/Skype4B deployments.

Foundational Concepts of Application Sharing

Application Sharing has existed, in one form or another, since the Live Communications Server days and has received updates and/or changes with each iteration of the product (OCS, OCS R2, Lync 2010, Lync 2013). Some of the largest changes include:

  • Migrating from the NetMeeting protocol (H.323 based) in LCS 2005 to RDP (ITU T.120 based) within OCS 2007 R2 (also Lync 2010/2013 and Skype for Business).
  • Including formal meeting desktop sharing natively within Lync 2010 instead of relying on the LiveMeeting application.
  • Adding a high performance P2P desktop sharing in Lync 2013.

As stated above, application sharing in the current iterations of the Microsoft UC stack is based on the Remote Desktop Protocol. IT administrators across the globe utilize RDP every day for connecting to servers and workstations and are, as a result, very familiar with the overall capabilities offered. At its core, RDP has the following characteristics:

Generally speaking, the RDP protocol is fast, flexible and sufficient to deliver screen sharing across a wide variety of environments. Lync/Skype4B architects should exercise caution however, as there are significant differences in how RDP works and how Lync/Skype4B utilize RDP.

Foundational Concepts of RDP within Lync/Skype4B

While RDP is the foundation of application sharing used within Lync/Skype4B, there are differences in how the UC clients utilize RDP vs how RDP may be available through applications like Remote Desktop Connection.
Lync/Skype4B utilizes application sharing over TCP only

  • RDP is encapsulated into TCP-based RTP packets.
  • TCP is a connection-based protocol.
    • Every single TCP conversation on a network involves a three-way handshake. This handshake is utilized to ensure the remote endpoint is ready to receive data and ultimately delays the start of data transfer at the expense of guaranteed readiness.
  • TCP guarantees data delivery. If data is lost on transmission, the remote endpoint reports back to the sender that data needs to be re-sent – This behavior is great for data but is not ideal for real-time applications.
    • Due to the guaranteed delivery mechanisms of TCP, data is generally sent in “chunks” instead of being sent as a stream (in UDP). This behavior can lead to additional latency and slower performance.
  • UC TCP communications can be multiplexed over a single port.
    • This allows the Passive (Viewer) and Active (Presenter) roles to share a single port instead of requiring the individual, unique ports that UDP would need.
  • UC TCP communications can be firewall-friendly by utilizing RTP over TCP port 443 when direct connections between hosts aren’t available.
    • Despite this “friendliness”, beware of application layer firewalls that may try to intercept/manipulate traffic and cause failures in application sharing.

RDP performance isn’t “adjustable”
Almost every IT administrator has seen it within the normal Windows RDP Connection application – a tab called “Experience”. This configuration allows you to tailor the connection for the bandwidth available on your connection to best optimize performance of the RDP session. Lync/Skype4B, however, doesn’t get to take advantage of those configuration settings and instead is limited to utilizing the following protocols/configurations:

  • MS-RDPBCGR
    • RDP encryption must be turned off.
    • RDP Bulk Data Compression must be turned off for data between Viewer and the MCU.
    • RDP Bulk Data Compression must be turned on for data between the Sharer and the MCU.
  • MS-RDPEMC

So how does this impact my bandwidth estimations?

Microsoft (and many others) go to great lengths at describing bandwidth required for Lync/Skype4B but mainly restrict that description for audio/video related modalities:

If you search for information on application sharing bandwidth, you’ll likely come up with very few pieces of information. That information is actually hidden within two pieces of official Microsoft documentation:

  1. Lync 2010 and 2013 Bandwidth Calculator
  2. Network Planning, Monitoring, and Troubleshooting Lync Server

In both pieces of documentation, Microsoft explicitly outlines bandwidth estimations for application sharing traffic:
Table 1 – Application Sharing Bandwidth Estimations

Screen Size   Acceptable   Optimal
1280×800      384 Kbps     1.5 Mbps
1440×900      512 Kbps     2 Mbps
1680×1050     768 Kbps     2.75 Mbps
1920×1200     1 Mbps       3.5 Mbps

If you look at the info above, a few points can be made…
RDP bandwidth is variable in nature and can have a wide range of bandwidth requirements
There’s no denying that a static, non-moving screen won’t require much bandwidth, but movement of applications and refreshing of screens could require a dizzying 300% (or more) increase in bandwidth requirements. Don’t always assume the lower value is a hard-and-fast-rule – it’s really more an average towards the left side of the Bell Curve. Bandwidth above the average can (and will) occur.
Bandwidth requirements are most tightly coupled to screen resolution
The higher the resolution, the more bandwidth required. Simple as that.
Screen resolutions continue to increase (4K or 8K screens, anyone?) and so too will bandwidth requirements
As users continue to receive laptops and/or monitors with 1080p (or better) resolutions, the likelihood of the lower resolutions being used lessens with each generation of products. It is difficult to argue that most users don’t at least have a 1680×1050 resolution today and even more difficult to argue that users won’t have higher resolutions in the future.
What makes it “Acceptable” vs “Optimal”?
Sadly, I cannot give an official answer on this but I can say through various rounds of testing these values that the “Acceptable” numbers provide a decent user experience whilst maintaining lower bandwidth. If you go much lower than those numbers, expect users to complain of slow refresh rates, jumpy application sharing, and/or wholly unusable application sharing sessions. If you want smooth application sharing, then you should plan for the “Optimal” numbers above.
What about that High Performance application sharing you talked about?
The bandwidth numbers above are all based off the basic frame rate of 2.5 fps that is default for all versions of Lync and Skype for Business. When Microsoft added the high performance application sharing capabilities they added the ability to allow a frame rate of up to 10 fps by enabling the appropriate policy configurations. This configuration allows very smooth and fluid sharing sessions but be prepared to pay for it – in my testing I regularly see up to 10 Mbps of bandwidth when the monitors are 1080p resolution.

How is Application Sharing different than Video?

While application sharing is similar to video, there are distinct differences in how the two modalities are implemented within Lync/Skype4B, and so two very different bandwidth patterns emerge. The most obvious difference is that different codecs are used, RDP vs H.264 SVC, which does have an impact on overall bandwidth numbers. Codecs aside, the most significant difference comes from the intelligence the UC clients apply to video.
P2P video bandwidth is directly proportional to the size of the call window on your screen. P2P application sharing bandwidth is directly proportional to the resolution of the sharer’s monitor.
By itself this may seem like a trivial difference, but because Lync/Skype4B only requests sufficient bandwidth to fill the video window, you end up with very large differences in bandwidth consumption when the video window is left at its default size. For example, assume two users have 1080p monitors and initiate a video call to one another. When the users accept the video call, the window starts out at a default size that will consume roughly 400-500 Kbps per video stream (per Table 2).
Table 2 – P2P Video Bandwidth Figures

Window Size | Average Bit Rate | Maximum Bit Rate
Default | 115 Kbps | 499 Kbps
Resized | 596 Kbps | 814 Kbps
Maximized | 1727 Kbps | 2768 Kbps
Full Screen | 2888 Kbps | 4415 Kbps

Assuming the users never resize the video window, initiating an application share during that call will result in an additional 1 Mbps to fulfill 1080p resolution requirements and will vary from 1-3 Mbps during normal application sharing usage such as minimizing/maximizing windows on the actively shared screen (per Table 1). When you begin to compare the two modalities it becomes very obvious how application sharing bandwidth can easily surpass video bandwidth.
Multiparty video bandwidth is directly proportional to the number of users in the conference AND whether application sharing is utilized. Multiparty application sharing bandwidth is directly proportional to the resolution of the sharer’s monitor.
Thanks to Jeff Schertz’s presentation it is possible to see that bandwidth changes significantly as more users are added to a video conference, and in most cases the bandwidth drops. The reduction is, again, the result of the clients only requesting sufficient bandwidth to fill the size of the video window: each additional user must share the same screen real estate with the rest of the video streams, so lower resolution streams are used.
Table 3 – Multiparty Video Bandwidth Figures

Conference Size | Average Bit Rate | Maximum Bit Rate
2 | 2128 Kbps | 4063 Kbps
3 | 4050 Kbps | 5890 Kbps
4 | 1304 Kbps | 2860 Kbps
5 | 1224 Kbps | 2699 Kbps
6 | 1565 Kbps | 3017 Kbps

When application sharing is added to a conference, the video bandwidth numbers change again due to the changing proportions of screen real estate for each modality. When application sharing takes over the Gallery View, the video streams are moved to the top of the window and shrink to make room for the application share.
Figure 1 – Example of Gallery View with Application Sharing
In most scenarios involving application sharing within multiparty video conferences, you’ll see video resolutions and frame rates begin to change which results in video bandwidth taking a nosedive.
Table 5 – Multiparty Gallery View Video w/Application Sharing Bandwidth Figures

Conference Size | Average Bit Rate
2 | 250 Kbps
3 | 375 Kbps
4 | 500 Kbps
5 | 625 Kbps
6 | 750 Kbps

Note: I’m currently conducting further testing on these numbers. Please consider these preliminary for the time being.
Assuming again that 1080p resolutions are available to end users, initiating an application share during that call will result in an additional 1 Mbps to fulfill 1080p resolution requirements and will vary from 1-3 Mbps during normal application sharing usage such as minimizing/maximizing windows on the actively shared screen (per Table 1). In certain conference sizes you can have application sharing dwarfing the video bandwidth requirements by 300-400%.
Video usage is a very subjective use case in most organizations. Application Sharing is far more common for most organizations.
In many organizations video simply isn’t that common. Sometimes that is because of technical limitations (such as perceived lack of bandwidth) whilst in other cases it is due to a user culture that simply doesn’t want to utilize video. More often than not I see organizations broadly adopting application sharing whereas video remains a very small deployment. This may change over time, especially with the new generation of Millennials entering the workspace, but the hard truth is that application sharing is used far more frequently in organizations and video is an afterthought or edge case.

Show us the math!

Where all of this becomes apparent is when you start computing numbers within the Lync Bandwidth Calculator. The calculator works from the “Acceptable” numbers in the table above and includes complex calculations for how users handle video when in a multi-view configuration.
Peer-To-Peer
Assume that you have two branch sites and a separate data center site. Users in each site regularly exchange P2P traffic including audio/video/application sharing. Also assume that these users are huge fans of Lync/Skype4B and that 5% of users in each site are utilizing the features concurrently. Lastly, assume that there are about 300+ users in each site, which results in the numbers below:

Site | Peak Audio BW (Mbps) | Peak Video BW (Mbps) | Peak AppShare BW (Mbps)
Site 1 | 0.51 | 10.04 | 17.00
Site 2 | 0.51 | 10.04 | 17.00

61.7% of all bandwidth required is for application sharing! Additionally, that’s only using the Acceptable bandwidth calculation of 1 Mbps for the 1920×1200 resolution monitors the users have! If you start computing numbers based on the Optimal bandwidth calculation it becomes even more lopsided with the Application Share bandwidth tripling.
Conferences
Assuming the same scenario above, the numbers will change significantly when conferences are involved. Much of this deals with the fact that the Lync client and AVMCU actually use less bandwidth for video as each additional user is added to the conference and even less bandwidth when application sharing is invoked.
Assuming the same 300 user count at each site we end up with the numbers below:

Site | Peak Audio BW (Mbps) | Peak Video BW (Mbps) | Peak AppShare BW (Mbps)
Site 1 | 0.42 | 5.45 | 17.00
Site 2 | 0.42 | 5.45 | 17.00

74.3% of all bandwidth required is for application sharing! Additionally, that’s only using the Acceptable bandwidth calculation of 1 Mbps for the 1920×1200 resolution monitors the users have!  The large sucking sound on your network – it’s application sharing, not video.
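To make the split above reproducible, here is an added PowerShell example (not from the original post and not the Lync Bandwidth Calculator). The first function turns the per-site peak figures quoted above into modality percentages; the second is a deliberately simplified planner that assumes peak concurrent sessions equal users times concurrency and a flat per-session rate per modality, which is not how the real calculator treats multi-view video. The 340-user input, the 3 Mbps “Optimal” rate (the tripling mentioned above) and the function names are my own assumptions.

```powershell
# Added example (not from the original post or the Lync Bandwidth Calculator):
# a deliberately simplified peak-bandwidth planner. It assumes peak concurrent
# sessions = users * concurrency and a flat per-session rate per modality,
# which is NOT how the real calculator treats multi-view video; use it to see
# how the modalities split, not as a replacement for the calculator.

function Get-ModalityShare {
    # Percentage of a site's peak bandwidth consumed by each modality.
    param(
        [double]$AudioMbps,
        [double]$VideoMbps,
        [double]$AppShareMbps
    )
    $total = $AudioMbps + $VideoMbps + $AppShareMbps
    [pscustomobject]@{
        AudioPct    = [math]::Round(100 * $AudioMbps / $total, 1)
        VideoPct    = [math]::Round(100 * $VideoMbps / $total, 1)
        AppSharePct = [math]::Round(100 * $AppShareMbps / $total, 1)
        TotalMbps   = [math]::Round($total, 2)
    }
}

function Get-PeakBandwidth {
    # Peak Mbps per modality for a site: sessions * per-session Kbps / 1000.
    param(
        [int]$Users,
        [int]$ConcurrencyPercent,                        # whole percent, e.g. 5
        [System.Collections.IDictionary]$KbpsPerSession  # modality -> Kbps per session
    )
    $sessions = [int]($Users * $ConcurrencyPercent / 100)
    $result = [ordered]@{ Sessions = $sessions }
    foreach ($modality in $KbpsPerSession.Keys) {
        $result[$modality] = [math]::Round($sessions * $KbpsPerSession[$modality] / 1000, 2)
    }
    [pscustomobject]$result
}

# Per-site figures quoted in the post (P2P first, then conferencing).
Get-ModalityShare -AudioMbps 0.51 -VideoMbps 10.04 -AppShareMbps 17.00   # AppSharePct 61.7
Get-ModalityShare -AudioMbps 0.42 -VideoMbps 5.45  -AppShareMbps 17.00   # AppSharePct 74.3

# Constructed planning input (assumption): 340 users at 5% concurrency gives the
# 17 concurrent sessions behind the 17 Mbps "Acceptable" figure (1 Mbps per
# 1920x1200 sharer); the "Optimal" rate is the tripled value the post mentions.
Get-PeakBandwidth -Users 340 -ConcurrencyPercent 5 -KbpsPerSession ([ordered]@{
    AppShareAcceptable = 1000
    AppShareOptimal    = 3000
})
```

The point of the second call is the planning question, not the arithmetic: the same 17 sharers cost 17 Mbps at the “Acceptable” rate and 51 Mbps at the “Optimal” rate, so the monitor resolution you plan for and the quality target you choose decide the WAN figure far more than the video assumptions do.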

You’ve proven your point, so now what?

I can’t overstate the importance of properly planning for application sharing bandwidth in addition to the rest of the bandwidth calculations required for Lync/Skype4B. As a result of this it’s important to begin asking the following questions:

  • What’s the most common resolution of monitors deployed within your organization?
  • Do we have sufficient bandwidth to support sharing with that resolution?
  • Do we intend on utilizing Quality of Service with application sharing?
  • How does our user culture view video vs application sharing?

Once you begin to answer the questions above you can begin to properly plan for bandwidth for application sharing. Many customers I work with are often surprised at the numbers because they are so focused on the fear about bandwidth requirements for video, but in reality video bandwidth is likely to be a lesser concern when compared to application sharing bandwidth. In a future article we’ll discuss methods you can utilize to help control application sharing bandwidth for both on-premises and Office365 deployments. Stay tuned!

Ignite 2015 – Monitoring Investments in Skype4B (https://blogs.perficient.com/2015/05/07/ignite-2015-monitoring-investments-in-skype4b/, Thu, 07 May 2015 18:15:50 +0000)

It’s the typical issue all IT professionals face: a new system is designed, built and deployed to end users, but months down the road issues arise and administrators are faced with the overwhelming task of trying to find root cause to remediate issues. As an IT Pro (in a previous life) this is definitely something I can relate to and definitely pay attention to when discussing UC deployments with customers.  Today at Ignite Microsoft announced some very new and very needed features for your Skype4B deployments.  Admins rejoice!
Key Health Indicator Dashboard
Those who have been following Skype4B news know that the Call Quality Dashboard (CQD) was announced to big fanfare (and rightfully so).  A lesser known feature was unveiled today: the Key Health Indicator Dashboard (the name isn’t finalized yet – so it may change!).  This feature is very analogous to CQD in that it will be a web-based dashboard that provides real-time monitoring of KHI counters across your entire Skype4B topology.  The dashboard will provide real-time data, drill down, heat maps and more.  For anyone who has looked at KHI data previously, you know it is a very manual process that required collecting CSVs and then interpreting the data after the fact.  The KHID will automate all of that and give you a single pane of glass for the server health statistics of your Skype4B environment.  Microsoft is still working on this feature but from what I’ve seen so far, it is a huge improvement for admins.
Key Health Indicator Spreadsheet
As stated above, trying to gather KHI data is a very laborious, manual process.  Creation of the CSV files with the perfmon data wasn’t so hard, but obtaining the MAX/AVG values and then importing that data into the KHI spreadsheet that Microsoft provided was entirely manual and time consuming, especially in environments that may have 20 or more servers.  With the new release of the KHI spreadsheet, the CSV import and statistics gathering has become completely automated through macros in the new Excel spreadsheet – hallelujah!  Additionally new insights into the data, such as Burst Counters, exist so that the data becomes more useful in identifying true issues and weeding out outliers that may occur during backup windows.
Third-Party Tool Integration
This can be stretched to many categories, including SDN, but it simply means that partners such as Nectar, EventZero, and Unify2 are providing solutions to make reporting and troubleshooting easier.  Microsoft has provided some powerful utilities with the CQD, SSRS Reports, and KHI, but it often requires looking in multiple places and establishing difficult correlations to troubleshoot and resolve issues.  These third-party utilities aim to provide a single pane of glass for the process and give you drill-down capabilities to help identify usage, why a user’s call failed, or why jitter has increased on a certain network hop.  These utilities actually rely on the same KHI or CQD data that Microsoft provides; they just present the data in new and interesting ways to allow you to better gauge usage and resolve issues.
Call Quality Dashboard
This new feature has been known for a few months but was recently released for GA on May 4, 2015.  CQD simply takes the data that is already within your CDR and QoE databases and provides SQL Analysis Services to help slice and dice the data.  If you’ve gone through the Call Quality Methodology before, CQD now allows you to look at that data in real-time (well, your QoE and CDR databases aren’t quite real-time, but close) and manipulate the data in ways that are important to YOU.  If you find that a report offered within the SSRS reports isn’t quite enough for you, you can create a view within CQD that gives you the data you desire.  Additionally if there are troubleshooting metrics that aren’t displayed in a friendly manner within SSRS, you can easily extract that data through CQD.

Ignite 2015 – Skype4B Mobility Security Improvements (https://blogs.perficient.com/2015/05/07/ignite-2015-skype4b-mobility-security-improvements/, Thu, 07 May 2015 13:29:00 +0000)

I’ll admit that the title is a bit misleading because much of what existed (in regards to mobility) in Lync Server 2013 still exists in Skype for Business Server 2015.  Unfortunately there has not been a great leap forward in functionality….YET.  The “Yet” is there because there are HUGE improvements forthcoming in the Skype for Business mobile client release (and subsequent server release), which is expected sometime in Q3 CY 2015.  Looking forward to that release date, some of the information available through the Ignite conference about those future features is outlined below.
Mobile Device Management
Very limited MDM integration exists with Lync/S4B today.  Things like device posture checking, requiring encryption, or requiring PIN codes for security simply are not available or enforceable by either the server or the client.  This will be changing in S4B/S4B-Online and the direction for the product will be to utilize the Microsoft Intune Service for all MDM functionality.  One of the big items that Intune will bring to the table is the concept of protected applications.  This was demoed in the keynote, where you couldn’t copy/paste text from a work-managed application into a non-work-managed application.  Some may view this as quasi-DLP functionality, which it definitely is, but it is handled solely by Intune MDM policies.  Additionally, Microsoft will not be supporting or integrating any other MDM solution on the market into Skype for Business Server (or S4B Online).  Despite the “limitation” of only supporting Intune, the Intune service is hugely powerful and will continue to evolve and adapt.
If Intune is not utilized, Microsoft is adding two new mobility policy settings in an upcoming CU:

  • Require an application PIN for the S4B mobile client
  • Require device encryption

Those two policy features will be configurable via the Set-CsMobilityPolicy cmdlet after the S4B mobility client is released.
Data Loss Protection
The DLP story for Lync/S4B today is lacking and third-party vendors have stepped up to try and fill the gap.  Lync Server 2013 and Lync 2013 clients today support IRM, in that they will not display via screen share a document that has been protected via IRM, but that is truly the limit of the DLP functionality.  Dynamic content inspection or compliance reporting or real-time IM analysis simply is not available in the solution – things that Exchange Server has had via Hub Transport rules and continues to grow with each product release.  That being said, the unfortunate news from Ignite is that DLP won’t truly be integrated into S4B mobile, at least not yet.  Microsoft has added loads of DLP improvements into the Office 2016 stack and Office365 service which impacts Exchange, SharePoint, and OneDrive, but the S4B client (and server) are sadly omitted.  The good news is that Microsoft is aware of this missing piece and is working with the product groups to add functionality in to future releases.  Things like dynamic content inspection and compliance reporting will be coming in future releases of the product, but the full picture is not known yet.
Authentication Improvements
In Lync Server 2013, the only way to get MFA for mobile clients was to utilize a feature called Passive Authentication.  It solved the problem of getting “MFA” but it actually introduced more problems by utilizing the feature – one of those problems was severely restricting capabilities of clients to integrate with Exchange Server.  Moving forward with S4B, Microsoft has announced that Azure Active Directory Authentication Library will be the desired solution for all MFA and in fact all authentication, period.  ADAL brings several important investments to the table:  powerful MFA configurations for conditional access are possible, it integrates tightly with AD-FS and most importantly, it will be supported across all server 2016 and client 2016 products.  No longer will you have one separate authentication piece for Lync/Skype and then another for the rest of the product portfolio.  If you are looking for a powerful authentication solution to handle not only Lync/S4B mobile, but all of your corporate applications, this is it.

Managing the Skype Client UI in Skype for Business (https://blogs.perficient.com/2015/03/09/managing-the-skype-client-ui-in-skype-for-business/, Mon, 09 Mar 2015 19:06:28 +0000)

With Microsoft officially announcing that they will be upgrading Office365 to utilize the Skype for Business back-end, administrators will need to begin to take actions to prepare themselves and their users for the impact of this update.
Note: Since Skype for Business (hereafter, S4B) hasn’t been released to GA yet, this information is still pre-release and subject to change!
A few important things you should begin planning for:
Skype for Business will be provided as an update package to existing Lync 2013 clients
S4B will still remain “lync.exe” from an executable perspective and maintain the same major version number as Lync 2013. This greatly helps admins because Windows QoS policies should not need to be re-tooled and application whitelists will not need to be updated. Microsoft has not yet set a release date on the client update but an official announcement is likely to come soon.
Can I use Lync 2013 with a S4B Server?
The simple answer to this is “Yes!”. Lync 2013 clients will absolutely work when your user account is homed to a S4B pool. Remember that any new features of a S4B pool will not be presented to your user account until you update your client software from the Lync 2013 UI.
How do I control the UI presented to users?
This is a multi-faceted answer but largely boils down to two major points:

  1. If your Lync 2013 client has the latest S4B client update and your user account is homed on a S4B pool, upon first sign-in your client will automatically switch to the new S4B UI.
  2. If your Lync 2013 client has the latest S4B client update and your user account is homed on a S4B pool, you can override the automatic UI behavior by setting the EnableSkypeUI parameter within the Client Policies.

The EnableSkypeUI parameter, when set to $FALSE, ensures that the Lync 2013 UI is always used by any clients connecting to a S4B pool. This parameter is the only method you can use to ensure that the new Skype UI is not presented to users and can be controlled in a targeted fashion to help organizations manage a staged rollout of the new UI. I’ve included a table below that describes the various different combinations of clients, servers, and resulting client UI:
Mailbox Location | Lync/Skype account location | Preparation Required
Online | Online | Yes
On-premises | Online | Yes
Online | On-premises | Yes
On-premises | On-premises | No*

How does this affect Lync Online users?
Microsoft exerts total control over all policies and pools within Lync Online and has begun notifying customers that pending S4B upgrades will be coming within the next 90 days. Some organizations may not be ready to begin rolling out the new S4B UI, but because Microsoft controls the pool upgrade process within Office365, there are limited options for controlling the client UI. Lync Online customers cannot customize Client Policies, and all current Lync Online policies have a value of NULL for the EnableSkypeUI parameter. With the EnableSkypeUI parameter being NULL, clients will invoke the new UI if they have obtained the latest client update. At the current time there is no other recourse for Lync Online customers to prevent the Skype UI from being displayed, other than restricting the rollout of the latest client updates. I do believe that Microsoft will begin publishing additional client policies to allow organizations to disable the Skype UI, but customers will need to keep examining available client policies within Lync Online to discover which policies will be available:
Get-CsClientPolicy | Select Identity,EnableSkypeUI
What else should I know?
Microsoft continues to update TechNet with information regarding the upcoming Office365 updates. I strongly urge customers to examine the TechNet website for additional information and as always, I’ll update this post (or create additional posts) to reflect new changes as they are announced!
4/1/2015 Update
Microsoft has officially announced that two Client Policies will be available for customers to control the rollout of the Skype UI within Office365:

  • Tag:ClientPolicyEnableSkypeUI
  • Tag:ClientPolicyDisableSkypeUI

I strongly urge customers to examine these policies as they may not contain the same settings, such as DisableSaveIM, as the Client Policy you may be using!
9/9/2015 Update
Microsoft now has the following client policies available for customers to control the rollout of the Skype UI within Office365:

  • Global
  • Tag:ClientPolicyDefaultPhotoDisableSkypeUI
  • Tag:ClientPolicyDisableSkypeUI
  • Tag:ClientPolicyEnableSkypeUI
  • Tag:ClientPolicyNoIMURLDisableSkypeUI
  • Tag:ClientPolicyNoIMURLPhotoDisableSkypeUI
  • Tag:ClientPolicyNoSaveIMNoArchivingDisableSkypeUI
  • Tag:ClientPolicyNoSaveIMNoArchivingNoIMURLDisableSkypeUI
  • Tag:ClientPolicyNoSaveIMNoArchivingNoIMURLPhotoDisableSkypeUI
  • Tag:ClientPolicyNoSaveIMNoArchivingPhotoDisableSkypeUI
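Putting the EnableSkypeUI parameter and the tag policies listed above to work, here is an added PowerShell example (my own, not from the original post or from Microsoft) of a staged rollout: inventory the Skype UI policies and the other settings they carry (the DisableSaveIM caveat above), pin everyone without a per-user policy to the Lync 2013 UI, and grant the Skype UI only to a pilot list. It assumes a Lync/Skype4B management shell or an established remote PowerShell session in which these tag policies are visible; the pilot CSV path is a placeholder, and for Lync Online you would substitute Get-CsOnlineUser for Get-CsUser.

```powershell
# Added example (not from the original post): stage the Skype UI rollout with
# client policies. Assumes a Lync/Skype4B management shell (or remote session)
# where the ClientPolicy*SkypeUI tag policies exist; for Lync Online use
# Get-CsOnlineUser in place of Get-CsUser.

# 1. Inventory: which policies touch the Skype UI, and what else do they change?
#    A NULL EnableSkypeUI means the client decides for itself after the update.
$uiPolicies = Get-CsClientPolicy |
    Where-Object { $_.Identity -like '*SkypeUI*' } |
    Select-Object Identity, EnableSkypeUI, DisableSaveIM, EnableIMAutoArchiving

$uiPolicies | Format-Table -AutoSize

# 2. Pin users who have no per-user policy (and therefore inherit Global, whose
#    EnableSkypeUI is NULL) to the Lync 2013 UI.
Get-CsUser |
    Where-Object { -not $_.ClientPolicy } |
    Grant-CsClientPolicy -PolicyName 'ClientPolicyDisableSkypeUI'

# 3. Grant the Skype UI only to the pilot group. Placeholder path; the CSV is
#    assumed to have a 'UserPrincipalName' column.
$pilot = Import-Csv -Path 'C:\Temp\skypeui-pilot.csv'
foreach ($p in $pilot) {
    Grant-CsClientPolicy -Identity $p.UserPrincipalName -PolicyName 'ClientPolicyEnableSkypeUI'
}

# 4. Verify the effective assignment per user, not just the policy list.
Get-CsUser |
    Select-Object DisplayName, SipAddress, ClientPolicy |
    Sort-Object ClientPolicy |
    Format-Table -AutoSize
```

Step 1 matters as much as steps 2 and 3: the tag policies bundle other settings (the post warns about DisableSaveIM), so compare the columns you care about before granting a policy tenant-wide, and re-run step 4 after each wave of the rollout.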

Changing the SQL mirror endpoint owner breaks mirror in Lync 2013 (https://blogs.perficient.com/2014/03/17/changing-the-sql-mirror-endpoint-owner-breaks-mirror-in-lync-2013/, Mon, 17 Mar 2014 12:27:14 +0000)

When you install Lync 2013 and configure the back end for mirroring, a lot of things happen “under the hood” to configure the mirror (and witness, if applicable). Microsoft really has done a fantastic job of hiding the overall complexity of SQL mirroring through Lync topology builder, but suffice it to say, there are many SQL pieces that get configured and more than a few moving parts. Following the completion of the Lync back end install, many companies choose to go back and perform some cleanup duties on the SQL servers. Depending on the company and the DBA, there could be lots of customization, or, as I’ve encountered with most deployments, the DBAs usually just want to change the owner of the databases and mirroring endpoint that got created. The assumption by many (myself included) was that this would be a completely seamless and benign change, but I learned during a recent deployment that it can result in SQL issues that 1) cause the mirror to stop functioning and 2) put both SQL servers in a state where databases could not be accessed on either server. Initially I thought this was something specific to the customer’s SQL configuration, but I was able to confirm this exact behavior in my lab, so I knew that the issue could potentially be more widespread than I first thought. It took more than a few hours to figure out the root cause, but thankfully the fix is quick and easy. Read on for the exciting conclusion!
Note: While I expect this issue to be a “your-mileage-may-vary” type of issue, it did give me pause that I could re-create this in my lab, which is very simple and has no complexity. Some may experience this issue and others may not. If you do, the info below should save you some heartache.

Understanding SQL Mirroring

For those less familiar with the inner workings of SQL mirroring, Microsoft has some great information on TechNet that will help you better understand what we’re about to discuss. I highly suggest you read the TechNet documentation first before continuing on.
SQL mirror functionality relies on mirroring endpoints, configured within each SQL instance, to allow inter-server communication. There are two easy ways to view the mirror endpoints:
Option 1 – In SQL Management Studio, go to Server Objects>Endpoints>Database Mirroring
Option 2 – In SQL Management Studio, run this query:
select * from sys.database_mirroring_endpoints
In order to use the mirroring endpoint, logins must exist on the SQL server instance for the account that the SQL services are running under on the server. Just as a domain user account must be added to the logins to connect to a SQL server, so too must the account(s) that the SQL server instance is running under. The principal server will have logins for the mirror and witness, the mirror server will have logins for the principal and witness, and the witness server will have logins for the principal and mirror. In my lab the SQL instances are using the NETWORK SERVICE account on the server itself, so the domain computer accounts are logins within each SQL instance. If your environment uses dedicated domain user accounts to run SQL, then you would see the domain user accounts as logins within each SQL instance. For example, my principal server logins are shown below:

Additionally, the logins must be granted permissions to connect to the mirroring endpoint. Just as a domain user account must be granted access to a database to successfully connect, so too must accounts be given explicit access to consume the database mirroring endpoint. The permission required is a GRANT CONNECT permission, and this permission will match up with the logins on each server. The principal server will have GRANT CONNECT for the mirror and witness, the mirror server will have GRANT CONNECT for the principal and witness, and the witness server will have GRANT CONNECT for the principal and mirror. Remember that the permissions will always be granted to the account that SQL is running under. For example, I can use the following T-SQL query to examine the current permissions on my principal SQL server:
SELECT EPS.name, SPS.STATE,
CONVERT(nvarchar(38),
SUSER_NAME(SPS.grantor_principal_id))AS [GRANTED BY],
SPS.TYPE AS PERMISSION,
CONVERT(nvarchar(46),SUSER_NAME(SPS.grantee_principal_id))AS [GRANTED TO]
FROM sys.server_permissions SPS , sys.endpoints EPS
WHERE SPS.major_id = EPS.endpoint_id
ORDER BY Permission,[GRANTED BY], [GRANTED TO]
Lastly, the mirroring endpoint will have an owner: the person who initially ran Lync topology builder and installed the databases. The owner will be that person’s domain user account and can be determined by the following T-SQL query:
SELECT [PrincipalName] = sp.name, [PrincipalId] = sp.principal_id, me.*
FROM sys.database_mirroring_endpoints me with(nolock)
inner join sys.server_principals sp with(nolock)
on me.principal_id = sp.principal_id

The Issue

As stated at the beginning of the post, my customer went through and changed the owner of the mirroring endpoint to SA as a part of post-installation clean-up. The process to change the owner is a very simple T-SQL command that must be run on each SQL server:
ALTER AUTHORIZATION ON ENDPOINT::mirroring_endpoint TO sa
After running that command, we verified that ownership had changed using the following T-SQL query:
SELECT [PrincipalName] = sp.name, [PrincipalId] = sp.principal_id, me.*
FROM sys.database_mirroring_endpoints me with(nolock)
inner join sys.server_principals sp with(nolock)
on me.principal_id = sp.principal_id
Initially we thought all was well, but when we began testing failover things broke down. We tested a hard failover by simply shutting down the SQL services on the principal and as expected the failover completed successfully. After turning on the SQL services on the principal following the failover, we ended up in a state where mirroring became broken and the Lync front end services couldn’t connect to the back end databases on either server. Looking at SQL Management Studio you could see that both servers thought they were the principal and mirroring was disconnected. We also tried restarting SQL services on the mirror and witness, but nothing helped. Nothing was working and it seemed that the servers, witness included, simply couldn’t talk to one another. When replicating these changes in my lab, I saw this (which was the same experience at my customer):
We were all pretty baffled by this (including the customer’s DBA) and after multiple attempts in my lab, I was able to track down what had occurred. For a reason unbeknownst to me, the ALTER AUTHORIZATION command removes the GRANT CONNECT permissions on the mirroring endpoint. Checking the permissions in my lab, I saw this:
SELECT EPS.name, SPS.STATE,
CONVERT(nvarchar(38),
SUSER_NAME(SPS.grantor_principal_id))AS [GRANTED BY],
SPS.TYPE AS PERMISSION,
CONVERT(nvarchar(46),SUSER_NAME(SPS.grantee_principal_id))AS [GRANTED TO]
FROM sys.server_permissions SPS , sys.endpoints EPS
WHERE SPS.major_id = EPS.endpoint_id
ORDER BY Permission,[GRANTED BY], [GRANTED TO]
Notice how the computer accounts have been removed. This little nugget turned out to be the proverbial “needle in a haystack”, as it allowed me to determine that the servers couldn’t connect because the permissions had been removed.

The Fix

After all the fuss, the fix was to simply add the GRANT CONNECT permissions back so that the servers could talk to one another again. Remember that the permissions will always be granted to the account that SQL is running under. For example, in my lab I used the following T-SQL commands to restore the permissions:
Principal
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE02$]
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE03$]
Mirror
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE01$]
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE03$]
Witness
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE01$]
GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [WIDGETS\PIA-SQL-BE02$]
Note: If your environment uses domain user accounts for SQL services, make sure to apply the permission to the user accounts and not the computer accounts like I did above.
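The permission query earlier in the post and the GRANT statements above can be turned into a repeatable check, which is what you want to run before and after any ownership change and before you test failover. The following PowerShell is an added example of mine, not from the original post: for each mirroring partner it reads the CONNECT grants on the database mirroring endpoint, confirms that every other partner’s SQL service account is present, and prints the GRANT statement for anything missing. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module), default instances named after the lab computer names from the post, the NETWORK SERVICE computer accounts used in the lab, and a login that can read sys.server_permissions on each instance.

```powershell
# Added example (not from the original post): verify that every mirroring
# partner's SQL service account still holds CONNECT on the database mirroring
# endpoint of every other partner, and emit GRANT statements for gaps.
# Assumptions: Invoke-Sqlcmd is available; instances are default instances on
# the lab computer names from the post; service accounts are the lab's computer
# accounts (use your domain user accounts if SQL runs under those instead).

$peers = @(
    @{ Role = 'Principal'; Instance = 'PIA-SQL-BE01'; Account = 'WIDGETS\PIA-SQL-BE01$' },
    @{ Role = 'Mirror';    Instance = 'PIA-SQL-BE02'; Account = 'WIDGETS\PIA-SQL-BE02$' },
    @{ Role = 'Witness';   Instance = 'PIA-SQL-BE03'; Account = 'WIDGETS\PIA-SQL-BE03$' }
)

# Same join the post's query uses, narrowed to CONNECT grants on the
# database mirroring endpoint (state 'G' = GRANT).
$query = @"
SELECT ep.name AS EndpointName,
       SUSER_NAME(sp.grantee_principal_id) AS GrantedTo
FROM sys.server_permissions sp
JOIN sys.endpoints ep ON sp.major_id = ep.endpoint_id
WHERE sp.class_desc = 'ENDPOINT'
  AND sp.permission_name = 'CONNECT'
  AND sp.state = 'G'
  AND ep.type_desc = 'DATABASE_MIRRORING'
"@

function Test-MirroringEndpointGrants {
    param([array]$Peers, [string]$Query)
    $missing = @()
    foreach ($server in $Peers) {
        $grants   = Invoke-Sqlcmd -ServerInstance $server.Instance -Query $Query
        $granted  = @($grants | ForEach-Object { $_.GrantedTo })
        $endpoint = ($grants | Select-Object -First 1).EndpointName
        if (-not $endpoint) { $endpoint = 'mirroring_endpoint' }   # name used in the post

        # Every *other* partner's service account must be able to connect here.
        foreach ($other in ($Peers | Where-Object { $_.Role -ne $server.Role })) {
            if ($granted -notcontains $other.Account) {
                $missing += [pscustomobject]@{
                    Instance = $server.Instance
                    Missing  = $other.Account
                    Fix      = "GRANT CONNECT ON ENDPOINT::[$endpoint] TO [$($other.Account)]"
                }
            }
        }
    }
    return $missing
}

$missing = Test-MirroringEndpointGrants -Peers $peers -Query $query
if ($missing) {
    Write-Warning 'Mirroring endpoint CONNECT grants are missing; run the Fix column on the named instance:'
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All mirroring endpoint CONNECT grants are present on every partner.'
}
```

Run it once before the ALTER AUTHORIZATION, once immediately after, and once more after restarting the SQL services: the post’s observation that the mirror kept working until a restart means a clean result right after the change proves nothing on its own.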
Once the permissions were in place and verified, mirroring automatically resumed and SQL Management Studio looked much happier:
At my customer we made the same changes (except we applied the permissions to the domain user accounts that SQL was running under) and ended up with the same result as my lab: SQL mirroring was again working. Additionally, the Lync services on the front ends could once again connect to the back end databases. All was once again well in my Lync world.

Conclusion

This is another example of hidden SQL “gotchas” that could cause major heartaches for Lync 2013 deployments using SQL mirroring functionality. It seems that SQL caches the original configuration (which is why mirroring initially worked after we changed it), but once SQL services are restarted it will use the new configuration (which is why it was broken afterwards). If you have SQL mirroring deployed I strongly urge you to double-check permissions if you change the owner of the DB endpoint and thoroughly verify failover following that change. If you don’t, you run the risk of an outage which is exactly what mirroring is supposed to avoid.
Lastly, if anyone out there, DBAs included, can explain why the ALTER AUTHORIZATION command would remove the permissions….I’m all mirrors….I mean ears. 🙂

Configuring Office Web Apps Location in Lync 2013 https://blogs.perficient.com/2014/02/27/configuring-office-web-apps-location-in-lync-2013/ https://blogs.perficient.com/2014/02/27/configuring-office-web-apps-location-in-lync-2013/#respond Thu, 27 Feb 2014 18:25:37 +0000 http://blogs.perficient.com/microsoft/?p=21318

For those that have deployed Lync 2013 alongside Office Web Apps 2013, we’ve all seen this seemingly innocuous check box:
OWA-NoExternal
Office Web Apps Server is deployed in an external network (that is, perimeter/Internet)
Over the past year I have never had a reason to check that box and, honestly, did not have a very good idea of what happens if you do. Office Web Apps is still new territory for many Lync integrators and administrators, so not much information is available on the Internet about what occurs when that option is selected. “Curiosity killed the cat”, they say, but I survived and have a better understanding of Lync and Office Web Apps as a result.
Office Web Apps Background
Generally speaking, each Office Web Apps farm has two URLs configured – an internal URL and an external URL. For example, my lab environment has the following configuration:
OWAFarmConfig
InternalURL – https://owapool01-intweb.widgets.com
ExternalURL – https://owapool01-extweb.widgets.com
Note: Technically speaking, the two URLs could be exactly the same. I would advise against that approach, however, as it requires extending split-brain DNS to Office Web Apps.  Additionally, having distinct URLs keeps in line with the general URL best practices/requirements for Lync Web Services, which call for separate and distinct URLs for internal web services vs. external web services.
Within my Lync topology, I have configured the topology to have a single Office Web Apps server:
OWA-TopologyBuilder
The discovery URL above is what Lync uses to obtain information from Office Web Apps on what URLs are available for the Lync Web Conferencing MCU and Lync clients to use for PowerPoint broadcasting. When the Lync Web Conferencing MCU starts up and all is well between your Lync and OWA (WAC) environments, you’ll see the following entry within the Lync Application event log:
Lync-EventLog
Web Conferencing Server Office Web Apps Server (WAC) discovery has succeeded
Office Web Apps Server internal presenter page: https://owapool01-intweb.widgets.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server internal attendee page: https://owapool01-intweb.widgets.com/m/ParticipantFrame.aspx?a=0&e=true&
Office Web Apps Server external presenter page: https://owapool01-extweb.widgets.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server external attendee page: https://owapool01-extweb.widgets.com/m/ParticipantFrame.aspx?a=0&e=true&
The message above indicates that Office Web Apps discovery has completed and Lync can successfully use OWA (WAC) for PowerPoint broadcasting. An important note here is that the URLs above are not maintained within the Central Management Store. Once Lync completes the OWA (WAC) discovery, the URLs returned by Office Web Apps are maintained within memory only. If you were to change the OWA (WAC) farm URLs, you would need to restart the Lync Web Conferencing service before the changes would become effective for your clients.
Office Web Apps Location
If the “Office Web Apps Server is deployed in an external network (that is, perimeter/Internet)” check box is not checked in your Lync topology, then when a PowerPoint broadcast is started by a Lync 2013 client, the Lync Server 2013 Web Conferencing service (Data MCU) hands the client only the one of the four URLs above that corresponds to the client’s location. Thus if I am an internal user I receive only the internal URL; if I am an external user I receive only the external URL. This can be confirmed by looking at the client UCCAPI logs:
ClientType=Lync;Build=15.0.4420.1017;ContentMCU="sip:ethel.a.merman@widgets.com;gruu;opaque=app:conf:data-conf:id:SBMTGTNK";ConferenceUri="sip:ethel.a.merman@widgets.com;gruu;opaque=app:conf:focus:id:SBMTGTNK";LocalFqdn="PIA-WIN7-WK01.widgets.com";Url="https://owapool01-intweb.widgets.com/m/Presenter.aspx?a=0&e=true&WopiSrc=https%3A%2F%2Flyncpool01-intweb.widgets.com%2FDataCollabWeb%2Fwopi%2Ffiles%2F2-1-30CDE7F&access_token=AAMFENCpa_d_ZPtQon_XE5zcakwGEKpKzTdM7apF2LHn4iRQGciBENCpa_d_ZPtQon_XE5zcakyCArMGgyBvFooflH4vHS0Ow9tvt8Tb3fISHpC-QYmWss9wIMfT2IYIG7KV9zAC0QgIDURhdGFDb2xsYWJXZWI&<fs=FULLSCREEN&><rec=RECORDING&><thm=THEME_ID&><ui=UI_LLCC&><rs=DC_LLCC&>"
In the example above, I can confirm my internal client was only offered the internal URL for the Office Web Apps farm.
If you were to alter your Lync topology and check the “Office Web Apps Server is deployed in an external network (that is, perimeter/Internet)” check box, then when a PowerPoint broadcast is started by a Lync 2013 client, the Lync Server 2013 Web Conferencing service (Data MCU) hands out only the external URL, regardless of the client’s location. Thus if I am an internal user I receive only the external URL, and if I am an external user I still receive only the external URL. This can be confirmed by looking at the client UCCAPI logs:
ClientType=Lync;Build=15.0.4420.1017;ContentMCU="sip:ethel.a.merman@widgets.com;gruu;opaque=app:conf:data-conf:id:67J3YH9C";ConferenceUri="sip:ethel.a.merman@widgets.com;gruu;opaque=app:conf:focus:id:67J3YH9C";LocalFqdn="PIA-WIN7-WK01.widgets.com";Url="https://owapool01-extweb.widgets.com/m/Presenter.aspx?a=0&e=true&WopiSrc=https%3A%2F%2Flyncpool01-extweb.widgets.com%2FDataCollabWeb%2Fwopi%2Ffiles%2F3-1-1A504B0&access_token=AAMFEFoLcM7OXe1QhLU__5hjkeQGEKpKzTdM7apF2LHn4iRQGciBEFoLcM7OXe1QhLU__5hjkeSCAordgyD3ue87wIfbYutqnANrU5dD0g0Ntk4Pb_eP6XJqJf8rh4YIZTjBiDIC0QgIDURhdGFDb2xsYWJXZWI&<fs=FULLSCREEN&><rec=RECORDING&><thm=THEME_ID&><ui=UI_LLCC&><rs=DC_LLCC&>"
End Result
The overall result isn’t all that earth-shattering, but should definitely be understood by Lync administrators.
If your OWA (WAC) servers are in a perimeter DMZ with only an external URL specified, then make sure you select this option. Doing so ensures that all clients, regardless of location, use the external URL. Additionally, make sure you have all appropriate DNS records in place within your internal DNS zones if you choose to use this option, since internal clients will now be resolving the external name.
Note: Technically you could have an internal OWA (WAC) server with only an external URL specified, and as a result could utilize the option above. Either way, I would again caution against this as it goes against best practices of maintaining separate URLs for internal vs external services.
If your OWA (WAC) servers are internal with both an internal URL and external URL specified, then I do not recommend selecting this option. By leaving it off, you let Lync Server handle the overall logic of which URLs get offered to clients. This method ensures that Office Web Apps operates in the same manner as the normal Lync pool web services.
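The discovery and URL hand-out described above, as an added PowerShell example that is not code from the original post: it fetches the URL set the Office Web Apps farm advertises to Lync, checks that every advertised host name resolves from the machine it runs on (the DNS point made above), and classifies the URL a client was handed, taken from a UCCAPI log entry, as internal or external. Assumptions: the farm names are the post's lab values, the WOPI discovery document sits at /hosting/discovery (the standard OWA path, which the post shows only as a screenshot), and the farm certificate is trusted by the machine running the script.

```powershell
# Added example (not code from the original post): inspect what the OWA farm
# advertises and which of those URLs a Lync client actually received.
# Assumptions: lab names from the post; discovery document at /hosting/discovery;
# the farm certificate is trusted here.

$discoveryUrl = 'https://owapool01-intweb.widgets.com/hosting/discovery'

# Returns one object per (net-zone, host) pair found in the discovery document.
# A farm with both URLs set advertises an "internal-https" and an
# "external-https" zone, which is the split Lync relies on when the
# "deployed in an external network" box is NOT checked.
function Get-OwaFarmHosts {
    param([string]$DiscoveryUrl)
    [xml]$doc = (Invoke-WebRequest -Uri $DiscoveryUrl -UseBasicParsing).Content
    foreach ($zone in $doc.'wopi-discovery'.'net-zone') {
        $zoneHosts = $zone.app.action | ForEach-Object {
            if ($_.urlsrc -match '^https?://([^/]+)/') { $Matches[1] }
        } | Sort-Object -Unique
        foreach ($h in $zoneHosts) {
            [pscustomobject]@{ Zone = $zone.name; Host = $h }
        }
    }
}

# Pull the OWA host out of the Url="..." field of a UCCAPI log entry.
function Get-OwaHostFromUccapi {
    param([string]$LogLine)
    if ($LogLine -match 'Url="https?://([^/"]+)/') { return $Matches[1] }
    return $null
}

$farmHosts = @(Get-OwaFarmHosts -DiscoveryUrl $discoveryUrl)

# Every advertised host must resolve from here; if the external name does not
# resolve internally, internal clients handed the external URL cannot present.
foreach ($entry in $farmHosts) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($entry.Host) |
            ForEach-Object { $_.IPAddressToString }
        Write-Host ("{0,-15} {1,-40} -> {2}" -f $entry.Zone, $entry.Host, ($ips -join ', '))
    } catch {
        Write-Warning "$($entry.Zone): $($entry.Host) does not resolve from this machine"
    }
}

# Constructed sample: the internal-client entry quoted in the post, with the
# WOPI source and access token shortened.
$sampleLine = 'ClientType=Lync;Build=15.0.4420.1017;LocalFqdn="PIA-WIN7-WK01.widgets.com";' +
              'Url="https://owapool01-intweb.widgets.com/m/Presenter.aspx?a=0&e=true&WopiSrc=...&access_token=REDACTED"'

$clientHost = Get-OwaHostFromUccapi -LogLine $sampleLine
$zone = ($farmHosts | Where-Object { $_.Host -eq $clientHost } | Select-Object -First 1).Zone
if ($zone) { Write-Host "Client was handed the $zone URL ($clientHost)" }
else       { Write-Warning "Client URL host '$clientHost' is not advertised by the farm" }
```

Remember that Lync caches the discovered URLs in memory, so after changing the farm URLs the Lync Web Conferencing service must be restarted before the zone reported for a client will change.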

Lync 2013 SQL Mirroring Witness Gotcha https://blogs.perficient.com/2014/01/18/lync-2013-sql-mirroring-witness-gotcha/ https://blogs.perficient.com/2014/01/18/lync-2013-sql-mirroring-witness-gotcha/#comments Sat, 18 Jan 2014 17:02:03 +0000 http://blogs.perficient.com/microsoft/?p=20757

My colleague, Jason Sloan, has a great blog post on some SQL mirroring issues he encountered during a recent Lync 2013 deployment that I highly recommend everyone read.  This post is intended as an addition to that list with an issue that I discovered during my own Lync 2013 SQL mirroring deployment.
Consider the following scenario:

  • Lync is installed and the initial topology is published with only mirroring configured (no witness)
  • At a later date (this could be weeks, days, or hours – it really does not matter the length of time) administrators decide to add a SQL witness for automatic failover of the SQL mirror
  • A Lync administrator adds the witness configuration into the topology and publishes the changes
  • Topology builder reports no errors and the Lync administrator assumes that all is properly configured for SQL automatic failover
  • Despite no errors encountered in topology builder, SQL Management Studio reports that NO witness configuration has been completed and attempting automatic failover results in a SQL back end outage

I have been able to reproduce the scenario above in my lab, thereby removing doubt that it was an “environment issue”, and determined that the root cause lies in the overall order of the SQL mirror configuration and how topology builder acts in a given configuration scenario.  The bottom line (and thus, the “gotcha”) is this:
If you want to use SQL mirroring with a SQL witness, have all servers ready and initially publish the SQL mirror and SQL witness at the same time in topology builder to ensure proper activation and configuration.  If you add a SQL witness after SQL mirroring was initially published, topology builder publishes the new SQL server configuration into the topology but it does not actually make any SQL-related changes on the SQL mirror nodes or SQL witness server.  In the latter scenario, the witness can eventually be configured and used, but only by removing the mirroring functionality and then publishing it all again.

If you initially only configure and install SQL mirroring and then attempt to go back and add the mirroring witness, you’ll discover that nothing gets changed on the SQL principal or SQL mirror database properties after you publish your topology changes:
SQL-NoWitness
Notice how the Witness field is empty and that the Operating mode is set to High safety without automatic failover.  Examining the Lync Topology, however, indicates that the witness is configured and active:
LyncTopology-WithWitness
After a few rounds of testing I determined the following steps were required to actually get the SQL witness configured within SQL in the scenario where the mirror was installed first and a witness is added later:
Open Lync topology builder and disable the SQL witness configuration from pool properties and publish the topology changes.
Note:  Do not disable the SQL mirror configuration.  Only remove the SQL witness configuration.
LyncTopology-NoWitness
Run the Uninstall-CsMirrorDatabase cmdlet from the Lync management shell to remove the mirroring configuration for all published databases.
Uninstall-CsMirrorDatabase -DatabaseType User -SqlServerFqdn pia-sql-be01.widgets.com -DropExistingDatabasesOnMirror -Verbose
Uninstall-CsMirrorDatabase -DatabaseType Application -SqlServerFqdn pia-sql-be01.widgets.com -DropExistingDatabasesOnMirror -Verbose
Uninstall-CsMirrorDatabase -DatabaseType CentralMgmt -SqlServerFqdn pia-sql-be01.widgets.com -DropExistingDatabasesOnMirror -Verbose
Uninstall-CsMirrorDatabase -DatabaseType Archiving -SqlServerFqdn pia-sql-be01.widgets.com -DropExistingDatabasesOnMirror -Verbose
Uninstall-CsMirrorDatabase -DatabaseType Monitoring -SqlServerFqdn pia-sql-be01.widgets.com -DropExistingDatabasesOnMirror -Verbose
The SQL mirror node databases should now be in an offline state.  Manually remove the databases on the SQL mirror node through Management Studio.  Right-click each offline database and select Delete.
Note:  The database will have a small green arrow to indicate it is offline, so make sure you only remove the correct databases based on your topology.
SQL-MirrorAfterUninstall
The SQL mirroring endpoint information does not get removed automatically as part of the Uninstall-CsMirrorDatabase cmdlet.  Manually remove the endpoint information on the principal and mirror through Management Studio.  Navigate to Server Objects > Endpoints > Database Mirroring, right-click the mirroring_endpoint object and select Delete.
SQL-PrincipalEndpointConfiguration SQL-MirrorEndpointConfiguration
In Lync topology builder re-enable the mirror and witness settings on the pool properties and publish the changes.
LyncTopology-WithWitness
Following the topology publish and subsequent database installation on the SQL mirror you should now notice that the witness information has been configured on the principal & mirror servers and that the Operating mode reflects the witness configuration.
SQL-WithWitness
Additionally, if you query the SQL witness you will see that it is successfully configured with endpoint configuration for monitoring the mirror:
SQL-WithWitness-Config
Again, the bottom line here is that it is easiest to make sure the SQL witness is activated by enabling SQL mirroring and the SQL witness at the same time when you initially publish your Lync topology.  If that is not an option, you will have to follow the steps above to essentially break and remove the SQL mirror, and then add the mirror AND witness configuration back in.  For anyone out there that has attempted to add a SQL witness at a later date, do not assume that your witness configuration succeeded – you should absolutely verify this configuration in your environment and take the steps above if your environment did not actually get configured for SQL witness functionality.
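Both of the mirroring posts above end with the same advice: verify in SQL itself, not in Topology Builder. The following added PowerShell example (not code from either post) audits a Lync 2013 SQL mirror from one place: for each node it lists which logins hold CONNECT on the mirroring endpoint (the permission that the ALTER AUTHORIZATION change silently removed in the endpoint-owner post), and on the partners it reports the operating mode and witness of every mirrored database (the settings Topology Builder never applied when the witness was added later). Assumptions: the server names, service accounts and endpoint name are the posts' lab values, Windows authentication is used, and the caller has sysadmin or VIEW SERVER STATE rights on each instance.

```powershell
# Added example (not code from the original posts): audit endpoint permissions
# and witness configuration of a Lync 2013 SQL mirror without Management Studio.
# Assumptions: lab server names and computer accounts from the posts; Windows
# authentication; sysadmin or VIEW SERVER STATE on every instance.

$principal    = 'pia-sql-be01.widgets.com'
$mirror       = 'pia-sql-be02.widgets.com'
$witness      = 'pia-sql-be03.widgets.com'
$endpointName = 'mirroring_endpoint'

# Service account of each node (computer accounts in the lab; substitute the
# domain user accounts if your SQL services run under those).
$serviceLogins = @{
    $principal = 'WIDGETS\PIA-SQL-BE01$'
    $mirror    = 'WIDGETS\PIA-SQL-BE02$'
    $witness   = 'WIDGETS\PIA-SQL-BE03$'
}

function Invoke-SqlQuery {
    param([string]$ServerFqdn, [string]$Query)
    $cs = "Server=$ServerFqdn;Database=master;Integrated Security=SSPI;Connection Timeout=10"
    $conn  = New-Object System.Data.SqlClient.SqlConnection $cs
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table.Load($cmd.ExecuteReader())
    } finally {
        $conn.Dispose()
    }
    return ,$table
}

# Logins granted CONNECT on a server's database mirroring endpoint.
$permissionQuery = @"
SELECT p.name AS login_name, e.name AS endpoint_name
FROM sys.server_permissions sp
JOIN sys.server_principals p ON sp.grantee_principal_id = p.principal_id
JOIN sys.endpoints e ON sp.major_id = e.endpoint_id
WHERE sp.class_desc = 'ENDPOINT' AND sp.permission_name = 'CONNECT'
  AND sp.state_desc = 'GRANT' AND e.type_desc = 'DATABASE_MIRRORING';
"@

# Role, operating mode and witness of each mirrored database, as a partner sees it.
$mirrorStateQuery = @"
SELECT DB_NAME(database_id) AS database_name, mirroring_role_desc,
       mirroring_state_desc, mirroring_safety_level_desc,
       mirroring_witness_name, mirroring_witness_state_desc
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;
"@

# Databases the witness server is actually monitoring.
$witnessQuery = @"
SELECT database_name, principal_server_name, mirror_server_name, safety_level_desc
FROM sys.database_mirroring_witnesses;
"@

foreach ($node in $principal, $mirror, $witness) {
    Write-Host "=== CONNECT on $endpointName at $node ==="
    $granted = @((Invoke-SqlQuery $node $permissionQuery).Rows |
        Where-Object { $_.endpoint_name -eq $endpointName } |
        ForEach-Object { $_.login_name })
    # Every OTHER node's service account must hold CONNECT here.
    foreach ($other in ($serviceLogins.Keys | Where-Object { $_ -ne $node })) {
        $login = $serviceLogins[$other]
        if ($granted -contains $login) { Write-Host "  OK  $login" }
        else { Write-Warning "$node is missing GRANT CONNECT on $endpointName for $login" }
    }
}

foreach ($partner in $principal, $mirror) {
    Write-Host "=== mirroring state on $partner ==="
    $rows = (Invoke-SqlQuery $partner $mirrorStateQuery).Rows
    $rows | Format-Table database_name, mirroring_role_desc, mirroring_state_desc,
        mirroring_safety_level_desc, mirroring_witness_name, mirroring_witness_state_desc -AutoSize |
        Out-String | Write-Host
    foreach ($row in $rows) {
        # An empty witness name means the topology publish never reached SQL.
        $w = $row.mirroring_witness_name
        if ($w -is [DBNull] -or [string]::IsNullOrEmpty([string]$w)) {
            Write-Warning "$($row.database_name) on $partner has no witness configured"
        }
    }
}

Write-Host "=== databases monitored by witness $witness ==="
$monitored = (Invoke-SqlQuery $witness $witnessQuery).Rows
if ($monitored.Count -eq 0) { Write-Warning "$witness is not monitoring any database" }
else { $monitored | Format-Table -AutoSize | Out-String | Write-Host }
```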

Uncovering the Cost of AOL Federation https://blogs.perficient.com/2013/12/12/uncovering-the-cost-of-aol-federation/ https://blogs.perficient.com/2013/12/12/uncovering-the-cost-of-aol-federation/#respond Thu, 12 Dec 2013 17:38:46 +0000 http://blogs.perficient.com/microsoft/?p=20507

For a long time Microsoft has offered the capability of on-premises Live Communications Server, Office Communications Server and Lync Server deployments to federate with AOL for instant messaging.  In order to use AOL federation there were certain basic requirements that had to be met:

  • You must have a functional edge server (including DNS records & necessary certificates)
  • You must have the appropriate Public IM Connectivity licenses for the users who will require PIC
  • You must request PIC provisioning through the Microsoft PIC website

Licensing

In order to use PIC federation you had to have the appropriate licenses, just as you must have the appropriate Client Access Licenses in order to use Lync, Exchange, SharePoint or any other Microsoft software.  Most customers would see this cost included as part and parcel of their Enterprise Agreements with Microsoft, so while some people may dislike the cost of Enterprise Agreements, Microsoft is providing a vast amount of functionality (PIC included) at a reasonable cost.

PIC Provisioning

Microsoft has largely handled the PIC provisioning process through their PIC website, whereby you simply request the public IM providers you want to federate with and Microsoft handles all the coordination and enablement on the back end.  Having Microsoft handle the coordination was a “single throat to choke” but it often resulted in longer setup times as it could take up to 30 days for the services to be available once the request was submitted.

This is all good and well – why bring it up now?

Microsoft announced earlier this year that the PIC agreements with Yahoo! and AOL were not being renewed, meaning customers would either A) lose their ability to federate with those providers or B) have to look at third-party solutions to keep the federation alive.  The EOL date for the Microsoft PIC agreements is June 30, 2014, so the clock has been ticking ever since the announcement was made.  AOL recently stepped up to the plate and announced that they will begin offering direct federation for Lync customers through their PIC website, a welcome change of heart that allows customers to “keep the lights on” between their on-premises Lync deployments and the AOL cloud.  Additionally, the provisioning process allowed customers to contact AOL directly and negate the need to request provisioning through Microsoft.  Reading all this you would think this is a “Win-Win” situation, but as the old saying goes, the “Devil is in the details”…

The Details

I recently went through this provisioning process with a customer and discovered that the new AOL PIC federation service is not free and actually costs you additional monthly fees on top of what you’ve already paid for your Lync CALs.  For this customer it would have cost them $10 per user, per month to use the AOL federation service.  Add this up over a year and you could have substantial increases in your operating expenses to support AOL federation.  On the plus side, however, AOL includes written SLAs as part of the service and offers customers various tiers of support for service incidents.  Note:  Should you decide to use AOL federation your fees could be different as AOL had different levels of fees based on the number of Lync users whom you wanted to have AOL federation enabled for.

My Thoughts

The fact that Microsoft included these costs within Enterprise Agreements was both a blessing and a curse – it meant that some customers would grumble about the costs, but it also meant that customers could simply take advantage of all the included features without a second thought.  Now that Microsoft will no longer have an agreement in place after June 30, 2014, the true cost of the federation has now come to the surface and I have to admit that the AOL federation rose has some thorns.  I can certainly understand that AOL has infrastructure and operational costs associated with this service so a fee is understandable, but some folks (myself included) might question if connectivity with AOL services is worth the cost they charge you, especially considering that only instant messaging is available.  Skype, on the other hand, offers IM & audio federation with Lync (with video coming in the near future), so the value proposition of AOL seems to be eroding when compared to Skype.
Is AOL federation worth it?  That’s up to you to decide…but suddenly Skype seems a lot more attractive to me!

Disabling Edge Server File Transfers in Lync https://blogs.perficient.com/2013/12/11/disabling-edge-server-file-transfers-in-lync/ https://blogs.perficient.com/2013/12/11/disabling-edge-server-file-transfers-in-lync/#respond Wed, 11 Dec 2013 15:35:58 +0000 http://blogs.perficient.com/microsoft/?p=20495

In the November 2011 Cumulative Update of Lync 2010, Microsoft added the ability to disable file transfers via the edge server.  This feature enhancement undoubtedly was the result of customers voicing concerns about data loss prevention and was a welcome addition to the IT administrator’s arsenal.  In short, the feature allows administrators to block all file transfers that would traverse an organization’s edge server while still allowing file transfers within the confines of the internal network (assuming the user is assigned a conferencing policy that allows it).

Lync 2010

In Lync 2010, to block all file transfers on the edge server you would use the following command:
http://support.microsoft.com/kb/2621840
New-CsFileTransferFilterConfiguration -Identity edgeserver:pia-ls2013-ed01.widgets.com -BlockFileExtension $true -Action BlockAll -Enabled $true

Lync 2013

The same file transfer blocking capabilities exist in Lync 2013, but the commands are a bit different from what was used in Lync 2010.
In Lync 2013, to block all file transfers on the edge server you would use the following command:
http://technet.microsoft.com/en-us/library/gg425897.aspx
New-CsFileTransferFilterConfiguration -Identity edgeserver:pia-ls2013-ed01.widgets.com -Action BlockAll -Enabled $true

Lync Support for CryptoAPI:NG Certificates https://blogs.perficient.com/2013/12/09/lync-support-for-cryptoaping-certificates/ https://blogs.perficient.com/2013/12/09/lync-support-for-cryptoaping-certificates/#comments Mon, 09 Dec 2013 15:59:41 +0000 http://blogs.perficient.com/microsoft/?p=20432

Simply put, Lync does not support certificates that are issued using the Cryptography API: Next Generation providers.  At the time of this writing, Lync 2010 and Lync 2013 only support certificates that are issued using legacy Cryptography API providers.  To determine if your certificate was issued with CryptoAPI:NG support, use these quick instructions:
Using certutil.exe, you can examine the information about the certificate.
certutil.exe -v -store my "certificateserialnumber"
A lot of data will be returned, but you need only concern yourself with a single piece of that information.  If you search the output and find Microsoft Software Key Storage Provider, then your certificate has been issued using the new CryptoAPI:NG provider and won’t work with Lync.
CertificateInfo
If you say to yourself, “So what!?  I’m going to use the certificate anyway!”…  Attempting to assign a certificate that was issued using the CryptoAPI:NG providers within Lync will result in an error and the certificate cannot be used:
LyncBufferError
An error occurred: “System.Security.Cryptography.CryptographicException” “The buffer supplied to a function was too small.”
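The certutil check above, as an added PowerShell example (not code from the original post): it reports, for every certificate in the computer's personal store, which API and provider hold the private key, so a Key Storage Provider (CNG, "CryptoAPI:NG") certificate is spotted before it is assigned in the Lync Certificate Wizard. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where RSACertificateExtensions.GetRSAPrivateKey returns RSACng for CNG keys and RSACryptoServiceProvider for legacy CAPI keys.

```powershell
# Added example (not code from the original post): find certificates whose
# private key lives in a CNG Key Storage Provider, the case Lync rejects.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ for GetRSAPrivateKey.

function Get-CertKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $api = 'n/a'; $provider = '(no private key)'
    if ($Cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the CngKey carries the Key Storage Provider name,
                # e.g. "Microsoft Software Key Storage Provider".
                $api = 'CNG';  $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: the CSP container info carries the provider,
                # e.g. "Microsoft RSA SChannel Cryptographic Provider".
                $api = 'CAPI'; $provider = $rsa.CspKeyContainerInfo.ProviderName
            } elseif ($null -eq $rsa) {
                $api = 'non-RSA'; $provider = '(not an RSA key)'
            }
        } catch {
            # No access to the private key, or the key is unusable from here.
            $api = 'error'; $provider = $_.Exception.Message
        }
    }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Api        = $api
        Provider   = $provider
        # Lync only assigns certificates whose key lives in a legacy CSP.
        LyncUsable = ($api -eq 'CAPI')
    }
}

# Same scope as the post's certutil command: one serial number, or the whole
# personal store of the computer when $serial is left empty.
$serial = $null   # e.g. '1A2B3C...' (placeholder) to check a single certificate
$certs = Get-ChildItem Cert:\LocalMachine\My
if ($serial) { $certs = $certs | Where-Object { $_.SerialNumber -eq $serial } }

$report = $certs | ForEach-Object { Get-CertKeyProvider -Cert $_ }
$report | Format-Table Thumbprint, Subject, Api, Provider, LyncUsable -AutoSize

$report | Where-Object { $_.Api -eq 'CNG' } | ForEach-Object {
    Write-Warning "$($_.Subject) uses '$($_.Provider)'; re-request it from a template that allows a legacy CSP before assigning it in Lync"
}
```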

Personal Thoughts

Having done a number of Lync deployments, I had not run into this particular issue yet and was a bit puzzled as to why this was the first time I had seen it.  It took some time and lab work, but I was able to consistently reproduce it and determine what was occurring.  Does this issue constitute the end of the world?  No, of course not.  Does it mean Lync is insecure and broken?  Absolutely not.  Read on to calm yourself.

Background

Lync relies heavily on certificates and anyone familiar with it knows that.  Microsoft has taken extensive measures in documenting the certificate requirements for Lync:
http://technet.microsoft.com/en-us/library/gg195673(v=ocs.14).aspx
http://technet.microsoft.com/en-us/library/gg195752(v=ocs.14).aspx
http://technet.microsoft.com/en-us/library/gg195796(v=ocs.14).aspx
http://technet.microsoft.com/en-us/library/gg425950(v=ocs.14).aspx
http://technet.microsoft.com/en-us/library/hh202161(v=ocs.14).aspx
What is not well documented publicly is that Lync doesn’t include support for CryptoAPI:NG.  I could not find a single reference anywhere on TechNet that states this.  If anyone out there can find this information, please let me know and I will update this post to reflect it.

What is CryptoAPI:NG?

As with anything in IT, things advance.  CryptoAPI:NG is simply that – an advancement of the cryptographic stack that was introduced in Windows Vista and Windows Server 2008.  For details on this, check out this Technet article that gives great details into what advancements are included and this Technet article that describes applications that are currently supported.  There are two important things to remember here:

  1. CryptoAPI:NG was introduced with Windows Vista and Windows Server 2008.  If you have Windows XP and Windows Server 2003, you need not be concerned because those OS’s don’t support it.
  2. While OS support might have been added, applications must explicitly opt-in for support to use the new CryptoAPI:NG features.

For every Lync installation this means that there is the potential to see this issue.  Lync will be installed on Server 2008 or newer, but the chances of seeing this heavily depend on your internal PKI configuration and how certificate templates are configured.

Does my PKI support CryptoAPI:NG?

First of all, only Server 2008 Certification Authorities or newer support CryptoAPI:NG.  If you only have Server 2003 Certification Authorities then you need not worry as you won’t ever see this issue.
Second, the default templates are not configured for CryptoAPI:NG support so you will never see this issue using the default Web Server template.
Third, if you are using custom certificate templates then there is a possibility the template has been configured to require the new CryptoAPI:NG providers.
To determine if the certificate template is configured for CryptoAPI:NG support, use these quick instructions:
On your Certification Authority, open the Certification Authority MMC.
Right-click Certificate Templates and click Manage
CAManage
Right-click the applicable template and click Properties
CAManage2
Click on the Cryptography tab
If the following settings are checked, then CryptoAPI:NG is configured for the template:
CNGTemplate
Provider Category – Key Storage Provider
Requests must use one of the following providers
Providers – Microsoft Software Key Storage Provider

How would I get a certificate with CryptoAPI:NG?

Answering this question is the all-important one and turns out to be relatively simple:
If you request certificates using the Lync Certificate Request Wizard or the Lync Management Shell, you won’t.
In all my testing I could never get a certificate using CryptoAPI:NG when using the wizard or shell, even if the CA template required CryptoAPI:NG.  When using the wizard or shell, the certificate always came back with the Microsoft RSA SChannel Cryptographic Provider, which is legacy CryptoAPI.  While it seems odd that the CA would issue a certificate with a provider it isn’t configured for, it does make sense that the certificate wizard and shell would not request it because it is up to the Application to opt-in for CryptoAPI:NG functionality.  Since Lync doesn’t support it, the wizard and shell use the legacy CryptoAPI functionality and everything works.  The only time I could successfully get a certificate using CryptoAPI:NG was by manually requesting the certificate through the Certificates MMC console on the computer.  In that scenario there are no restrictions by an application on what should be used, so the MMC console adheres to what is specified in the certificate template.
Note:  I have seen some reports that public CA’s have issued CryptoAPI:NG certificates, but I cannot verify whether those certificates were requested using the Lync tools.  I also did not test that scenario for this article.

I’ve got a CryptoAPI:NG certificate…now what?

Assume you have a CryptoAPI:NG certificate and you simply cannot request a new one.  It turns out it is possible to use that certificate with a little workaround:
Export the CryptoAPI:NG certificate (with private key) from the Lync Server machine and import it onto a Windows XP machine.  Then export the certificate (with private key) from the XP machine and import it onto your Lync Server machine.  This export process on the XP machine will convert the certificate into using the legacy CryptoAPI provider and will result in the certificate being able to be used on the Lync Server machine.  This MSDN article describes why this conversion occurs.
Again, assume you cannot use the Lync certificate wizard to request certificates and you don’t have an XP machine available to convert the certificate – maybe the organization requires a dedicated team to issue the requests for you and they always use the Certificates MMC.  Getting things working in that case requires the certificate template used to be configured to not require CryptoAPI:NG.  This could be accomplished in two ways:
Option 1
Use the default Web Server template
Option 2
Change the custom CA template so that CryptoAPI:NG is not required
CSPTemplate
Provider Category – Legacy Cryptographic Service Provider
Requests must use one of the following providers
Microsoft RSA SChannel Cryptographic Provider
Microsoft DH SChannel Cryptographic Provider

Summary

Again, to sum it all up:  Lync does not currently support CryptoAPI:NG certificates.  It is entirely possible that a Cumulative Update or the next version of Lync will include support, but for now make sure your certificates are usable by not requiring CryptoAPI:NG!
