The article discusses the secure-by-design architecture of the HDX RealTime Optimization Pack 2.x for Skype for Business, a solution jointly developed by Citrix and Microsoft during 2015 and now widely implemented within security-conscious organizations around the world.
One of the key reasons why so many organizations have embraced virtualization of desktops and applications is that it is inherently more secure to keep apps and data in the data center or Cloud rather than on each user’s device. Skype for Business users routinely engage in instant messaging, generating chat logs that are potentially full of confidential information. They often attach files to these instant messages. And they keep contact lists with personally identifiable information. By virtualizing Skype for Business, this potentially sensitive or proprietary data is not stored on the user’s device but instead is kept safe in the data center.
Virtualization of Skype for Business also creates the potential of locking down an organization’s real-time communications infrastructure such that it can only be accessed via XenApp or XenDesktop but not from a native Skype for Business client. This is made possible by the architecture of the HDX RealTime Optimization Pack, which redirects media processing to the user device whenever possible but relies entirely on the hosted Skype for Business client for user authentication and SIP (Session Initiation Protocol) signaling.
Much of the communication in organizations today involves people outside the corporate firewall such as employees who are working from home or offsite or on Bring-Your-Own devices (BYOD). For employee remote access with the HDX RealTime Optimization Pack, the recommended solution is to use the Microsoft Edge Server.
In some cases, customers have, as an alternative, used an IPsec VPN. This enables the HDX RealTime Media Engine (RTME) used by the hosted Skype for Business client to reach the Skype for Business Server behind the firewall over a secure VPN connection. An IPsec VPN is the obvious choice since it supports transporting both UDP and TCP traffic, whereas SSL VPNs support only TCP transport. Caution should be exercised, since VPNs can potentially degrade audio-video quality. Citrix has customers successfully using a full VPN tunnel via NetScaler for external users, with split tunneling disabled. NetScaler supports DTLS for UDP traffic.
The generally preferred solution for remote access is to deploy a Microsoft Edge Server in the DMZ and configure it for remote worker access. This method of deployment is the primary subject of the remainder of this document.
To support communications across your organization’s firewall, deploy the Microsoft Edge Server in your perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The Edge Server controls how users outside the firewall can connect to your Skype for Business Server deployment. It also controls communications with external users that originate within the firewall.
Microsoft provides extensive documentation about planning for and configuring servers and firewalls for remote access. Please consult that documentation to understand how to plan for and implement your servers to prepare for external user access to Skype for Business.
With the HDX RealTime Optimization Pack, the HDX RealTime Media Engine (RTME) runs on the user device as a plug-in to Citrix Receiver. The HDX RealTime Media Engine performs media transmission but is not involved in user authentication or SIP signaling. Understanding that the media engine is running on the remote endpoint clarifies the architecture and port requirements.
The HDX RealTime Connector is installed on XenApp/XenDesktop and interfaces to the Skype for Business client’s Media Manager API. It communicates command-and-control information, and ringtones and music-on-hold, to the HDX RealTime Media Engine on the user device over an ICA virtual channel.
The following diagram shows the system architecture of two endpoints connecting to Citrix XenApp or XenDesktop with the HDX RealTime Optimization Pack installed. The diagram shows the signaling and media paths for a call between the two users. The media flows point-to-point using SRTP.
For conference calls and calls between external and internal users, a similar flow applies, but the media flows between the external device and the Edge Server acting as a relay, and then between the Edge Server and the internal device.
For an on-premises Skype for Business infrastructure, inbound ports 3478 (UDP) and 443 (TCP) on the external network interface of the AV Edge service must be opened. Different ports apply to Office 365 / Skype for Business Online (see support.office.com).
Note that only the AV Edge service (used for media probing and relaying) needs to be accessible from the internet for this scenario. The Access Edge service, used by external users running the native Skype for Business client locally, has a different IP address. When the highest possible level of security is needed, you can disable external SIP access on the firewall (e.g. NetScaler) by blocking incoming TCP connections to the Access Edge service; this limits external access to XenApp/XenDesktop users and denies access to native Skype for Business clients.
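The firewall posture described above, as an added example that is not part of the original article or of Citrix/Microsoft code: a first-match policy model that opens only UDP 3478 and TCP 443 to the AV Edge external interface, drops all inbound TCP to the Access Edge service, and checks that nothing else gets through. The Edge addresses are constructed placeholders, not a real deployment.

```python
"""Model of the perimeter policy for HDX RTME remote workers (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses for the two Edge services' external interfaces.
AV_EDGE_EXTERNAL = ip_network("203.0.113.10/32")      # AV Edge (media probing/relay)
ACCESS_EDGE_EXTERNAL = ip_network("203.0.113.11/32")  # Access Edge (SIP for native clients)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "any"
    dst: object            # ip_network the destination must fall inside
    dport: Optional[int]   # None matches every destination port

    def matches(self, proto, dst_ip, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))


# First-match policy: only the AV Edge media ports from the article are reachable;
# all inbound TCP to the Access Edge service is dropped so native clients cannot
# sign in from the internet; anything unmatched falls through to a default deny.
RESTRICTED_POLICY = [
    Rule("allow", "udp", AV_EDGE_EXTERNAL, 3478),     # media probing and relay (UDP)
    Rule("allow", "tcp", AV_EDGE_EXTERNAL, 443),      # TCP fallback for media relay
    Rule("deny", "tcp", ACCESS_EDGE_EXTERNAL, None),  # disables external SIP signaling
]


def evaluate(policy, proto, dst_ip, dport, default="deny"):
    """Return the action of the first rule matching an inbound flow."""
    for rule in policy:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return default


def check_remote_worker_policy(policy):
    """True only if the policy admits exactly the RTME media paths and nothing more."""
    av = str(AV_EDGE_EXTERNAL.network_address)
    ae = str(ACCESS_EDGE_EXTERNAL.network_address)
    return (evaluate(policy, "udp", av, 3478) == "allow"
            and evaluate(policy, "tcp", av, 443) == "allow"
            and evaluate(policy, "tcp", ae, 443) == "deny"     # no SIP from native clients
            and evaluate(policy, "udp", av, 443) == "deny"     # wrong transport for 443
            and evaluate(policy, "tcp", av, 3478) == "deny")   # wrong transport for 3478


if __name__ == "__main__":
    print("policy ok" if check_remote_worker_policy(RESTRICTED_POLICY) else "policy misconfigured")
```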
Media traffic over UDP (or TCP if necessary) is encrypted via SRTP (Secure Real-time Transport Protocol).
To use the Microsoft Edge Server for media relay, MRAS (Media Relay Authentication Service) is used. The virtualized Skype for Business client requests a temporary token to authenticate media relays from the outside. The token is sent to the HDX RealTime Media Engine over ICA, secured via Secure ICA, TLS or DTLS. (See Microsoft documentation for details of MRAS.)
User authentication is performed by the hosted Skype for Business client. No user authentication goes through the Edge Server.
It is not necessary to install a Skype for Business Server Certificate on the user device.
DNS configuration for remote workers must support lookup of AV Edge IP addresses by name.