Each and every environment you encounter will always deal unique challenges. Today – it’s co-locating Skype services on a dual homed server.
Why dual homed?
In Australia, some SIP providers supply a SIP trunk via direct IP connect – without the need for a VPN or SBC. This is both a good and bad thing. Good, because it makes configuring enterprise voice cheaper, easier and less complex. Bad, because opening ports to a server inside of your network is a potential security risk.
Stand-alone Vs co-locating
Another way of achieving PSTN connect whilst still keeping things secure is to deploy a stand-alone mediation server (or pool), that has a NIC in your DMZ environment, and a NIC in your internal network. You’d then configure your firewall to only allow traffic from your SIP provider to your DMZ NIC.
A word on routing
It’s vitally important that your internal and mediation networks are on 2 different, non-routable subnets. If both NIC’s are on the same subnet, you’ll run into all kinds of routing issues.
For the purposes of this how-to, here’s my network configuration:
Internal NIC IP: 10.130.1.21
Internal Gateway: 10.1.1.1
Internal DNS: 10.1.1.69
Mediation NIC IP: 172.16.2.2
Mediation Gateway: BLANK
Mediation DNS: 126.96.36.199, 188.8.131.52 (google’s DNS servers)
Before we do anything, rename your NICs to help you identify them.
Open up the properties of your Mediation NIC, and ensure that the NIC has no default gateway. You can enter an External DNS server if your SIP trunk provider uses an FQDN rather than an IP address if you wish.
Ensure that the binding order prioritizes the Internal NIC over the Mediation NIC.
Then, open up the topology builder and ensure that Limit service usage to the selected IP addresses is ticked and that you’ve entered the following:
Primary IP Address: Your internal NIC IP
PSTN IP Address: Your Mediation NIC IP
Publish the topology, then run bootstrapper.exe to publish the changes on your front end server.
Adding static routes
We now need to ensure that by default, all traffic is being routed out the Internal NIC, and that only the traffic destined for your SIP trunk provider is leaving the mediation NIC
Open an elevated command prompt, and then run:
netsh interface ipv4 set interface “Internal NIC” metric=1
netsh interface ipv4 set interface “Mediation NIC” metric=99
Finally, we need to add a static route to route traffic destined for your SIP trunk provider out your mediation NIC:
Run the following command from an elevated command prompt:
route add 184.108.40.206/24 172.16.2.1 -p
(where 220.127.116.11/24 is the IP address subnet range of your SIP trunk provider, and 172.16.2.1 is the gateway address for the mediation server NIC)
Once configured, restart the Skype for Business Mediation Server service, and you should be up and running!
Fixing the control panel “page cannot be displayed” issue
One thing to note is that ticking Limit service usage to selected IP addresses breaks access to the
Skype for Business Control Panel from any front end server.
To fix this, open IIS on the front end server, expand Sites then right click on the internal web site and click Edit Bindings
Then, select HTTPS and set the IP Address to All Unassigned and click OK
You’ll then be able to open the Skype for Business control panel.