Microsoft Cloud Connector Edition (CCE) is software that provides PSTN and PBX connectivity through Office 365. It discusses CCE architecture, requirements, and deployment options. CCE uses a set of 4 virtual machines (domain controller, central management store, mediation, and edge server) installed on customer hardware to enable Cloud PBX users to use on-premises PSTN/PBX resources while supporting up to 500 concurrent calls. The document also covers CCE call flows, multi-site deployments, redundancy, and automatic updates.

1. Simple Hybrid Voice Deployments
Matt Hurst
TechnicalDirectorEMEA

2. Firstly…..Why CCE Hybrid?

3. SfB with PSTN/EV Deployment Options
“Cloud PBX”
in Office 365
PSTN services
provided by
Microsoft
User homed on
‘Cloud PBX’ in
Office 365
PSTN via
On Prem CCE &
SBC
Skype for
Business Server
and PSTN
services 100%
on-premises
Online Hybrid On Premises

4. TDM PBX/IP-PBX &
Voicemail
Analog phones
Analog fax
machine
Local SIP
Carrier
PSTN
SIP Trunk
to ITSP #2
“Drop in” installation
Painless interconnect to
PBX and Skype for
Business O365, enabling
co-existence and simple
migration using AD
Legacy Support
Analogue and FAX
tightly integrated
SBC Functionality
Security & Demark
Protocol and transcoding
support
SIP Registrar
Standard SIP devices can
register and interconnect
CCE
Office 365
Microsoft Office and Exchange
Hybrid Benefit - Integration & Migration

5. 5
ITSP UK
Multi-Site, Multi-Country, Mixed Deployments
Multi-Site Deployments using Hybrid
• Meet local regulatory requirements
• Provide integration to each site’s needs
• Maintain or choose provider country by country
CCE
Office 365
Microsoft Office and Exchange
London
ITSP
Japan
CCE
TokyoPSTN
New York

6. 6 Confidential and Proprietary – NDA use only
• Set of 4 VMs (Domain Controller, Central Management Store,
Mediation and Edge server) installed on customer hardware
• Enables Cloud PBX users to use on-premises PSTN / PBX
resources
• Supports up to 50 or 500 concurrent calls
Microsoft Cloud
Connector Edition
(CCE) is software that
provides PSTN and
PBX connectivity
through Office 365
• Windows Server 2012 R2 ISO image (Standard or Data Center
edition)
• Local server administrator account with permissions to install /
configure Hyper-V on host servers
• Qualified SBC/Gateway (minimum of two recommended)
• Internet / Express Route connection for deployment
General Requirements
What is Microsoft Cloud Connector Edition (CCE)?

7. 7 Confidential and Proprietary – NDA use only
User and call control in O365
Mediation server and SBC/GW on
premise
Placed in DMZ
2 NICs’ one DMZ, other internal for media
One CCE per Tenant
Media is kept local provided the
recommended firewall rules are used
CCE Architecture

8. 8 Confidential and Proprietary – NDA use only
 A Minimal Topology (minTop)
– The minimum components required to run a
Mediation server
 No SBA
 No local users / registrar
 Could change in future releases
– Fixed set of 4 VM’s
– Automatically updates
– 100% managed through O365
 No local administration other than deployment
– Independent from Company AD etc
 Separate dedicated forest and DNS zone
CCE Virtual Machine Details

9. 9 Confidential and Proprietary – NDA use only
 CCE is stateless
– Calls are load balanced across
multiple CCE’s in a site
– If the CCE goes down the calls
are re-built on the remaining
devices
– SBC/GW’s work in Active /
Active to CCE
High Availability

10. 10 Confidential and Proprietary – NDA use only
 Each user is
configured with
“Gateway Affinity”
 All calls will be made
and received through
the users home site,
even when traveling
Multiple Sites

11. 11 Confidential and Proprietary – NDA use only
Internal Firewall Rules
Source IP Destination IP Source Port Destination Port
Cloud Connector
Mediation component
SBC/PSTN Gateway Any TCP 5060**
SBC/PSTN Gateway Cloud Connector
Mediation component
Any TCP 5068/ TLS 5067
Cloud Connector
Mediation component
SBC/PSTN Gateway UDP 49 152 – 57 500 Any***
SBC/PSTN Gateway Cloud Connector
Mediation component
Any*** UDP 49 152 – 57 500
Cloud Connector
Mediation component
Internal clients TCP 49 152 – 57 500* TCP 50,000-50,019
(Optional)
Cloud Connector
Mediation component
Internal clients UDP 49 152 – 57 500* UDP 50,000-50,019
Internal clients Cloud Connector
Mediation component
TCP 50,000-50,019 TCP 49 152 – 57 500*
Internal clients Cloud Connector
Mediation component
UDP 50,000-50,019 UDP 49 152 -57 500*
Firewall Considerations
External Firewall Rules
Source IP Destination IP Source port Destination port
Any Cloud Connector
Edge External
Interface
Any TCP 5061
Cloud Connector
Edge External
Interface
Any Any TCP 5061
Cloud Connector
Edge External
Interface
Any Any TCP 80
Cloud Connector
Edge External
Interface
Any Any UDP 53
Cloud Connector
Edge External
Interface
Any Any TCP 53
Cloud Connector
Edge External
Interface
Any UDP 3478 UDP 3478
Any Cloud Connector
Edge External
Interface
TCP 50,000-59,999 TCP 443
Any Cloud Connector
Edge External
Interface
UDP 3478 UDP 3478
Cloud Connector
Edge External
Interface
Any TCP 50,000-59,999 TCP 443

12. From Skype for Business On Premise
to Cloud PBX with CCE

13. 13
Skype for Business On Premise
Confidential and Proprietary
Skype for Business
User
Skype for Business
User
Front-End role
PSTN PSTN GW
Sonus EDGE
Mediation role
Domain
Controller
Central
Management
Store (CMS)
EDGE role
Skype for Business
User
External
Firewall

14. 14
From OnPrem to Cloud Connector Edition
Confidential and Proprietary
Skype for Business
User
Skype for Business
User
Front-End role
PSTN PSTN GW
Sonus EDGE
Mediation role
Domain
Controller
Central
Management
Store (CMS)
EDGE role
Skype for Business
User
Domain
Controller
Skype for Business
Online user in
internal network
Skype for Business
Online user in internet
Skype for Business
Online infrastructure
External
Firewall
Internal
Firewall
Cloud PBX

15. Sonus CloudLink

16. 16 Confidential and Proprietary – NDA use only
Sonus Cloud Link Appliance
Independently tested, award winning low to mid-range capacity Session Border Controllers for enterprise
premise deployments
SBC 1000 & SBC 2000
CCE Offering
 Up to 500 CCE sessions on a single
appliance
– COM Express module (“ASM”) with state of the art
server class CPU, memory, SSD
– SBC capacity up to 600 sessions
 Unparalleled TDM and analog port options
– 16 PRI, 48 FXS in single appliance
– Rich PRI, FXS, FXO, BRI port mix
 Easy configuration wizard to speed CCE
deployment
 Secure architecture to minimize service
disruption

17. 17 Confidential and Proprietary – NDA use only
Sonus SBC 1000/2000
CCE ASM
SBC
Ethernet
Private protocol over
internal Ethernet
Web Server
WS2012 R2 Base OS
FXS FXO BRI PRI
How Does Sonus Cloud Link Work?
 UX Comms runs on the base OS
– Deploys and manages the VM’s
– Provides information back to the SBC UI for operational status
UX
Comms

18. 19 Confidential and Proprietary – NDA use only
Sonus SBC 1000/2000
CCE ASM
SBC
Ethernet
Private protocol over
internal Ethernet
Web Server
WS2012 R2 Base OS
FXS FXO BRI PRI
Auto Update - Sonus Cloud Link CCE
 4 VM’s are running on the previous release
 Host CCE process downloads new VM’s
 New VM’s are brought up – grace license. Old VM’s are shut down
 V-Switch is moved to the new VM’s
 UX Comms is notified about the update – UI is updated
UX
Comms X

19. 20
 ASM CPU:
– 8 Cores, 16 thread “Broadwell” Xeon® CPU
for embedded platforms
– SSD 512GB HDD
• ASM Server blade CPU is LATEST Technology
• We offer 16 threads within the Broadwell CPU
• We can allocate enough vCPU threads to the Mediation server (Media Transcode for CCE)
• We allocate 1 x vCPU thread for the other 3 MV’s
• + 1vCPU x 4VM during Auto-Update = 16 vCPU threads
• Therefore we can SCALE correctly to the 500 sessions (vCPU threads to Mediation VM determines
this) even during auto-update – no performance impact during auto-update.
• No sharing of vCPU threads (Thread sharing between VM’s can have serious performance impact)
Application Solution Module (ASM) for Cloud Link Cloud Connector
Edition Deployments

20. 21
Cloud Connector Edition – SBC1k Architecture

21. 22
Cloud Connector Edition – SBC 2k Architecture

22. CCE Appliance Benefits

23. 24
Non-Sonus Cloud Connector Edition Installation is Lengthy
* Source: https://blogs.technet.microsoft.com/nexthop/2016/05/11/cloud-connector-edition-smaller-hardware
Confidential and Proprietary
 Installation understand process follows Microsoft®
Cloud Connector Edition installation instructions
– Get CCE bits (Hyper-V, CloudConnector.msi,
Windows Server ISO) on Host Server (~40 min)
– Create virtual switch adapter (5 min)
– Create VHD using CloudConnector.msi and
WS2012R2 ISO (4 hours)
– Complete an answer file (.ini) with customer
information (45 fields, 20 min)
– Create file share to host certificate and
configuration exchange between Host/VM and
HostHA1/HostHA2 (10 min)
– Import certificate for CCE EDGE (~45 min)
– Deploy the CCE VM on the host (2 hours)
– Configure gateway
– Activate your O365 tenant for hybrid capability
– Create a PSTN site to assign the user
Install procedure may take 7+ hours at every site (Increased OPEX)

24. 25
Sonus Cloud Link – CCE solution 6.1
Confidential and Proprietary
 Faster deployment
 CCE Setup Wizard
 End User oriented
 Partner oriented
 HA support
 Pre-loaded Package
 Easy configuration template
 More secure and reliable
 Preconfigured firewall
 Environment validator
 Logs helper

25. 26
Sonus Cloud Link – CCE Setup Wizard
 5 straightforward tabs to click through
 Key configuration settings
– ASM Configuration
– Generate CSR or Import Signed CSR
Easily
– Configure CCE
 Assign external IP addresses for
Mediation and Edge servers
 Configure number of concurrent calls
 Configure CCE High Availability (HA)
 HA Master
 HA Slave
 Deploy CCE VM!
Sonus Cloud Link may reduce CCE install time by 5+ hours, with no additional
software downloads
Confidential and Proprietary

26. 27
Enhanced SBC Config Wizards
New SBC Cloud Connector Edition
template
 Inherits information from CCE
– Minimizes time and errors
 Customized for your CCE
deployment
 Optimized for CCE performance
 Optimized for CCE security

27. 28
Preparing for CCE deployment

28. 29 Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
CCE – Network Architecture
External
Firewall
Internal
Firewall

29. 30 Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
CCE – Network Architecture
External
Firewall
Internal
Firewall

30. 32 Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
Cloud Tenant, Public Domain and DNS
 An Office 365 Tenant with E5, or E3 + Cloud PBX option
Licenses
– Microsoft subscription
 A Global or Skype Online Administrator Account on your
Office 365 Tenant
– Can be configured when creating your Office365 account
 A public Domain Name associated with your Office 365
Tenant.
– From any vendor and associated on Office365 portal
 A public IP for the CCE (Edge External Side).
– Delivered by customer IT or Internet Provider
 A DNS Record on the Public Domain forwarding to this
public IP.

31. 33 Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
CCE Firewall
 Internal firewall
– From Intern User to CCE
 UDP/TCP 49 152 - 57 500
– From CCE to Intern User
 TCP 50,000-50,019
 UDP 50,000-50,019
 External firewall
– From Public to CCE
 TCP 5061
 TCP 443
 UDP 3478
– From CCE to Public
 TCP 5061
 TCP 80
 UDP/TCP 53
 UDP 3478
External
Firewall
Internal
Firewall

32. 34 Confidential and Proprietary – FOR INTERNAL INFORMATION PURPOSES ONLY
Certificate
 A certificate (X509) is:
– An electronic “passport" signed by an Authority
– Allowing to exchange information securely over a network
– Using a Trusted Chain (PKI).
– Allowing to link a Public Key to an FQDN (or an email)
 A certificate contains:
– The Name (FQDN) of the Authority that sign it
– A validity
 Not Before
 Not After
– The Name (FQDN or email) of the computer or user
– The public Key of the computer or user

33. CCE Call Flows

34. 36
Cloud Connector Edition
Confidential and Proprietary

35. 37
CCE – Incoming Call to an Internal User
Confidential and Proprietary

36. 38
CCE – Outgoing Call from an Internal User
Confidential and Proprietary

37. 40
CCE – Extern User With Recommended Firewall
Confidential and Proprietary

38. Redundancy, Multi Site and Auto-Updates

39. 42 Confidential and Proprietary
CCE – Deployment scenarios

40. Multi site deployment

41. 45
O365 Tenant organization
Confidential and Proprietary
HybridPSTN
Site
Tenant
HybridPSTN
Appliance
SiteName
FQDN EDGE
Update Managment
HybridPSTN
Appliance
HybridPSTN
Site
HybridPSTN
Appliance
CCE Hostname
Deployment state
Update state
User 2User 1

42. 46
O365 Tenant organization
Confidential and Proprietary
 HybridPSTNSite and HybridPSTNAppliance are created
automatically when registering CCE during deployment
 They can be display and managed from Office365 Tenant
Powershell:
 All the HybridPSTNAppliance on a site are High Availability
– User will use randomly the HybridPSTNAppliance
 All the HybridPSTNSite are independant
– If all the Appliance on a HybridPSTNSite are down, User assigned to
this HybridPSTNSite loses service

43. 47
Auto-Update – IMPORTANT!!
 User configures the tenant HybridSite with time window
 Can NOT be stopped – Default is ANYTIME!
 Will be executed 1by1 on HA deployment
 Windows Update
– Apply update VM
– Drain Call
– Reboot VM
– Apply Update Host
– Reboot Host
 CCE Update
– Build a new set of 4 VM from scratch
– Once new set is ready, retire the previous version pack of VM
https://support.sonus.net/display/UXDOC61/Managing+Your+Office+365+Tenant
UPDATE!
Manual Windows OS Updates now
supported:
https://technet.microsoft.com/EN-
US/library/mt740658.aspx

44. 48
O365 Tenant Portal – Checking Update Status
Confidential and Proprietary
 Basic information about Site and Appliance:
 Basic User management:

45. Thank You