Skype for Business network planning
General Bandwidth Guidelines
Because bandwidth is one of the biggest factors in a successful, high-quality user experience, you can never have too much. Given all the varying codecs and bandwidths, determining exact needs is also very difficult.
The recommendation is 500 kbps per concurrent Skype for Business session as a base starting point for determining bandwidth needs. Concurrency in the Skype for Business world is different from the traditional 8 to 1 trunking ratio that is regularly applied to PSTN calling. Because Skype for Business uses the same network and bandwidth for internal calls, PSTN calls, video, conferencing and IM/Presence, the usage and persona models above will give you better information for determining bandwidth needs.
A more precise bandwidth calculation can be made with the Microsoft-provided Bandwidth Calculator, available through this hyperlink, which uses personas, usage, sites and user counts to determine needs. Regardless of user count, the recommendation is a minimum of 5 Mbps up and down at each site. Additionally, be sure to run some ping tests to the Gateway URL sip.ct950.com to test latency. RTT should be below 150 ms to prevent jitter and packet loss.
Deploying Skype for Business and Network Adjustments
Now that general network, bandwidth and usage needs are determined, we need to get your network ready for using Skype for Business in production. This means that changes will likely need to be made to the network to accommodate the traffic that will be flowing in and out of your network through Skype for Business.
After determining the amount of bandwidth needed to support the full featured functionality of the product in your organization, it is important to use the right type of bandwidth for the product. While standard broadband connections can work in smaller deployments, most organizations will need more than just a cable modem or DSL connection to meet their needs.
Typical broadband does not guarantee bandwidth, but provides you with a maximum rate at which you might be able to use the bandwidth. A cable modem, for instance, might have a 50 download, 10 upload connection, but that is shared bandwidth that bursts to those higher speeds when no one else is utilizing the same pipe. Providers give an “up to” measurement for your service. When dealing with real-time communication that relies on your bandwidth, you need to be able to rely on the bandwidth being there.
The recommendation is to use a guaranteed-bandwidth, true internet connection with a symmetric architecture. This means that both your download and your upload speeds are the same (such as 50/50 or 100/100). This type of internet connection will also provide you an MRTG view of the bandwidth utilization so you can monitor how much you use and how often you saturate that bandwidth. This allows you to make adjustments to your network based on factual usage data to provide the best overall experience to your users.
While dedicated circuits for our Skype for Business product can be provided, if you have a solid, true internet connection with enough bandwidth as determined by the exercises above, you can have a wonderful user experience utilizing your existing connection. Remember, true symmetrical internet is good for Skype for Business. Commercial broadband, however, is not.
Router SIP Inspection
If your router is not configured for the new traffic protocols that Skype for Business will introduce to your network, you could experience packet loss, dropped calls and jitter. You must make sure that SIP inspection or SIP ALG (Application Level Gateway) is disabled on your routers and firewalls to prevent this from happening. You may need to contact your ISP to have this done, but make sure this is completed prior to deployment. These features in routers are intended to block SIP traffic and will interfere with Skype for Business communications.
Because the product is not housed in your internal network and IP setup, you will need to make sure that traffic traversing the firewall to the hosted Skype for Business Servers does not get blocked. You will need to add exceptions to the firewall for all Skype for Business Server IP addresses and allow the IPs and ports listed at the link below:
In addition to the firewall adjustments above, if you are using a PC level firewall other than the built-in Windows firewall, you will need to add exceptions to the PC antivirus/antimalware itself to disable security for the Skype for Business client.
While these changes are always required for firewalls, you may need to add exceptions to other security devices that sit between computers and the internet if you have other devices in your network that provide security or the ability to block certain network traffic.
Preferred Traffic Configuration
With the proper bandwidth and internet connection, there is still the probability that an employee internally could be streaming other types of media traffic across your environment that could impact the service quality. To prevent this, it is recommended that you prefer the Skype for Business outbound traffic over other traffic from your network.
As this is a setting that would need to be applied to the firewall on the ISP side, it may not always be possible to configure this setting. However, when possible, it is recommended that you enable outbound QoS policies on your firewall to prefer traffic destined to the hosted Skype for Business server IPs over traffic destined for other IPs. By default, Skype for Business Voice takes higher priority over other modalities of the product, so by enabling half of your outbound internet bandwidth to prefer the Skype for Business IPs over other traffic, this will allow Skype for Business Voice to take the highest priority over other forms of media and outbound traffic on your network.
To implement this prioritization of traffic destined for the hosted Skype for Business platform, configure your router to give priority access to outbound traffic destined for the 69.4.190.x IP addresses listed above. The configuration on your router will vary depending on the device.
Note: Even with this applied, long sessions may not maintain priority.
QoS and DSCP are not supported for our Skype for Business product; however, this only affects traffic on your internal network. If you have multiple sites in your organization that are interconnected, this would be a beneficial policy to apply to make sure that Skype for Business traffic across your network gets the priority it needs. While this doesn’t carry over the internet to the hosted servers, by applying this internally and applying the preferred traffic policy above to the outbound traffic, you are providing the best chance for your network to successfully handle Skype for Business traffic and other real-time protocols.
Skype for Business edition phones (like the Polycom devices) will automatically tag the outbound traffic with DSCP marking 46, giving the Skype for Business Voice the highest tag available and highest priority in the network. To get the same policies applied to the PC clients, you will need to push out an Active Directory Group Policy to apply DSCP tags to the voice and other modalities provided within Skype for Business.
For more information on applying these policies for your local PCs, you may reference http://technet.microsoft.com/en-us/l.../jj205371.aspx for Microsoft provided information. For the Skype for Business infrastructure we have specified the following port ranges for these services:
Audio: 50020:50039 - DSCP value: 46
Video: 58000:58039 - DSCP value: 34
Application Sharing: 42000:42039 - DSCP value: 24
File Transfer: 42040:42039 - DSCP value: 14
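The PC-side DSCP tagging described above can be expressed as Windows policy-based QoS rules. The following is an added example, not the provider's or Microsoft's own script: it creates the rules locally on one test PC with New-NetQosPolicy so the values can be checked before a Group Policy rollout. It assumes the client executable is lync.exe and that the listed ranges are client source ports; the File Transfer range is inverted as printed, so the script skips it instead of guessing.

```powershell
#Requires -RunAsAdministrator
# Added example. Port ranges and DSCP values are copied from the list above.
# Assumptions to confirm for your deployment: the client executable name
# (lync.exe) and that the ranges apply to the client's source ports.

$plan = @(
    @{ Name = 'SfB Audio';               Start = 50020; End = 50039; Dscp = 46 }
    @{ Name = 'SfB Video';               Start = 58000; End = 58039; Dscp = 34 }
    @{ Name = 'SfB Application Sharing'; Start = 42000; End = 42039; Dscp = 24 }
    @{ Name = 'SfB File Transfer';       Start = 42040; End = 42039; Dscp = 14 }
)

foreach ($p in $plan) {
    # Refuse an inverted range rather than guessing the intended end port.
    if ($p.Start -gt $p.End) {
        Write-Warning "$($p.Name): range $($p.Start):$($p.End) is inverted; confirm it with the provider. Skipped."
        continue
    }

    # Remove any earlier copy so re-running does not fail on a duplicate name.
    Get-NetQosPolicy -Name $p.Name -ErrorAction SilentlyContinue |
        Remove-NetQosPolicy -Confirm:$false

    # Scope the rule to the client executable so other software using the
    # same ports is not marked with a high-priority DSCP value.
    New-NetQosPolicy -Name $p.Name `
        -AppPathNameMatchCondition 'lync.exe' `
        -IPProtocolMatchCondition Both `
        -IPSrcPortStartMatchCondition $p.Start `
        -IPSrcPortEndMatchCondition $p.End `
        -DSCPAction $p.Dscp | Out-Null
}

# List the rules now in effect for comparison with the table above.
Get-NetQosPolicy | Where-Object Name -like 'SfB *'
```

Binding each rule to the executable as well as the port range keeps unrelated applications from inheriting voice priority once DSCP trust is enabled on the switches.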
After applying the policy to the PCs, you will need to enable the DSCP Trust on the internal switches so the tags pass through from site to site. The process for enabling the DSCP Trust application is dependent on the switch model you own. While we can help with certain switch models, you may have to engage your switch provider or search online for settings to enable this on the switches themselves.
Corporate Wi-Fi is regularly deployed, and while useful for many enterprise applications, is not the best connectivity for real-time VoIP traffic. If you are planning on including an element of Wi-Fi in your Skype for Business deployment, please check the URL below for a list of Microsoft-approved Wi-Fi devices and vendors. If designed specifically for real-time VoIP protocols, Wi-Fi could provide a good user experience as well, allowing for mobility within the office for your workers.
Wi-Fi devices and vendors: http://technet.microsoft.com/en-us/o.../dn788945.aspx
There are a few vendors that have been certified for Microsoft Skype for Business for their Network infrastructure. Referencing the information we gathered earlier on network architecture and infrastructure, if you are already utilizing one of the network vendors from the URL below, they will have configuration guidelines and network readiness instruction pertaining directly to Microsoft Skype for Business. If you are looking to upgrade your network in preparation for the pending deployment of Skype for Business, we would encourage you to look at these certified vendors for your new network infrastructure. You can access the most current list of vendors at the following URL:
Wired Network and vendors: http://technet.microsoft.com/en-us/o.../dn788945.aspx
Using a VPN
One consideration to keep in mind with your Skype for Business deployment is how you currently do business today. VPN is an increasingly common way of allowing remote sites or large corporations to maintain security over their network and data while allowing their workers to access the tools they need to get their jobs done. This, however, is not a recommended method for connecting to a Skype for Business client.
Skype for Business media stream and signaling are encrypted between client and server. Because a VPN also runs encryption, this would force encrypted Skype for Business traffic to be re-encrypted through the VPN, then decrypted more than once. This can cause latency and jitter. Additionally, errors in VPN set-up can further complicate the matter for real time traffic protocols from Skype for Business. As such, VPN is not a recommended environment for Skype for Business.