Skype4B / Lync DHCP Config Tool

Put up your hand if you know how to configure DHCP for Skype for Business and Lync phone devices? Leave your hand raised if you enjoy this process? Okay, I thought so, read on…

When deploying Skype for Business/ Lync Optimized or Qualified phone devices you are required to make specific DHCP configuration settings in order for the devices to be able to authenticate and connect to the system. The settings that are required are some special Vendor Class Options and a standards-based Option 120 setting.

DHCP Vendor Class Options - Option 43

Option 43 is a special option type used in DHCP responses that encapsulates options for a specific Vendor Class. A DHCP server will respond with Vendor Class options only when a device specifically requests them. The method for requesting the Vendor Class options is normally achieved by the device putting a Vendor Class ID in Option 60 of its initial DHCP DISCOVER message. This method is usually used for settings that might be required by the device when it first boots.

Another method (which I’ve only ever seen used by Skype4B/Lync devices) is to send an INFORM message after the initial discovery process has completed to the DHCP server requesting additional information for a specific Vendor Class. The signalling for the Vendor Class request is the same as in the DISCOVER method however, in this case the Option 60 message is inserted in the INFORM message. It is important to note that the INFORM method is not supported by all DHCP servers, however, it is supported by Windows DHCP servers and Cisco switch/router DHCP servers. If you're using an different DHCP server you may need to check that it response to INFORM messages. 

Skype for Business and Lync phone devices use Option 43 to pass information about the certificate provisioning service to the phones. The phones need this information in order to do PIN Authentication with the system. The options encapsulated within option 43 include the following:

Option Number	Option Name	ASCII Value	Setting Type
001	Vendor Class (UCIdentifier)	MS-UC-Client	Common setting
002	Protocol (URLScheme)	https	Common setting
003	Web FQDN (WebServerFQDN)	pool.domain.com	Variable - Set this to match your pool / domain
004	Web Port (WebServerPort)	443	Common setting
005	Cert Prov URL (CertProvRelPath)	/CertProv/CertProvisioningService.svc	Common setting

These settings combine to give the phone all the information it needs to contact the Certificate Provisioning service on the system. The phone will recombine these to be a URL as follows:

https://pool.domain.com:443/CertProv/CertProvisioningService.svc

DHCP Option 120

Option 120 is a specific option that is described as part of a RFC 3361. The option describes SIP server locations in the form of FQDNs or IP Addresses. Skype for Business and Lync devices have been designed to use this standard option to discover the location of the pool for SIP signalling (registration, authentication, call signalling, etc).   

Option Number	Option Name	ASCII Value	Setting Type
120	SIP Pool FQDN (UCSipServer)	pool.domain.com	Variable - Set this to match your pool / domain

The encoding of Option 120 is not just a simple ASCII byte conversion for entry into the DHCP server. There are also framing bits around the FQDN that is described as part of RFC 3361. The RFC described two different types of encodings for Option 120 –  the first is FQDN format, and the second is IP Address format. Only the FQDN formatting option is available for Skype for Business and Lync due to the fact that it uses TLS-based SIP which requires FQDN matching when creating the secure channel connection.

How Does DHCP Option 120 interact with DNS?

If you don’t specify anything for DHCP Option 120 the Skype4B/Lync Phone Edition devices will fall back to looking up the following DNS records:

• _sipinternal._tls SRV record
• _sip._tls SRV record
• sipinternal.<user domain>  (Be careful of this record. This is not included in the certificate SAN list by default so don’t enter it into DNS unless you have added it specifically to the SAN list)
• sip.<user domain> (This record is included by default in the certificate SAN list. So it’s safe to use.)

During the process, if Option 120 is not discovered, the Skype4B/Lync Phone Edition devices will display “Registrar FQDN cannot be found. Please contact your support team” on the screen and then sign in using the fall back DNS lookups. This is not ideal because users might be confused by this message so it’s always recommended to configure Option 120.

Configuring the DHCP Server

The method of configuring the DHCP server supplied by Microsoft is to use a command line tool called DHCPUtil that will create the byte encoded output for each of the required Options. The output of the DHCPUtil command is then used in conjunction with a batch file to deploy the setting within your DHCP server. This process is multi-step and I have found it prone to errors, and difficult to troubleshoot once the options are deployed, because they are displayed as bytes in the interface. The DHCPUtil method also only supports configuring Server Options within the Windows DHCP server and does not support Scope Level options configuration. I figured I could build a tool in Powershell that would be easier to configure, more flexible, and help you in troubleshooting your DHCP deployments.

Skype4B / Lync DHCP Config Tool

Features:

• Deploy Server and Scope level settings within your Windows DHCP server.
• The tool will encode the settings as required to be deployed within the server.
• The tool will download and display the current settings from the DHCP server.
• Edit and remove individual settings as required.
• Export to Cisco IOS Switch/Router DHCP configuration commands.

 Note: The tool must be run on a Windows DHCP server!

Available on the TechNet Gallery:

DOWNLOAD HERE

The tool itself is fairly straightforward to use –  when it loads, it will query for all the scopes configured in the DHCP server. The scopes are displayed in the drop down list at the top of the form. When you select a Scope from the list, the tool will query the Options available for that scope and show them in the settings text boxes (current settings are shown in green). If the scope has no options configured, the boxes will be empty. If you would like to auto fill the boxes with the common configuration settings you can click on the Defaults button. When you have filled in the settings with the desired configuration you can click the Upload Settings button and the Options will be configured on the server. If you would only like to upload specific Options, you can use the Check Boxes next to the settings to select the desired Options to upload. The Remove Settings button will remove any of the settings from the selected scope that has the check box ticked. If you only want to delete a specific option, then you tick only the check box of the specific item before clicking the Remove Settings button.

Your DHCP server may already have Option 120 or the Vendor Class options defined. If this is the case and any of these options are defined as anything other than the Binary type then the tool will display the setting as <UNSUPPORTED TYPE>. This looks like the following:

Unsupported Type of and Existing Option

If this happens you can choose to upload a new setting over the existing setting. If you do this the tool will display a dialog asking if you would like to delete and replace the existing option definition with a new one. The new definition that the tool will create will be Binary in type which it will be able to edit and display.

Option Definition Change Dialog

The tool also does checks on Option 120 when it reads it from the DHCP server to ensure that it is formatted correctly (as defined by RFC3361). If it determines that the setting is not in the correct format it will display <UNSUPPORTED FORMAT> in the text box. If this happens, then I suggest you upload a new setting over the top of the unsupported setting to ensure that your phones can parse the option properly.

Important Note: You must refresh the scopes within the Windows DHCP Server MMC console in order to see changes you have made with the DHCP Config Tool. 

Cisco Router / Switch Configuration

If you do not have Windows DHCP server for the subnet that your devices are deployed on, you may choose to use a Cisco switch or Router to be the DHCP server. The "Export Cisco" button allows you to export Cisco IOS configuration commands for option 120 and 43 of a Cisco switch or router running as a DHCP server.

It should be noted that when you use this format in a router or switch there is a significant difference from a Windows DHCP server implementation. In the Cisco method you are hard coding the DHCP server to respond with these Option 43 settings for every device that requests Vendor Class options of any class. On a Windows DHCP server, it will only send Option 43 information to devices that have requested the specific Vendor Class of MS-UC-Client (the device does this by putting this Vendor Class info into Option 60 of its initial request message). This means that, per subnet, you can only have one Vendor Class deployed on a Cisco switch/router. In addition to this, you need to make sure that there are no other devices on the subnet that use Option 1-5 in their respective Vendor Classes because they will receive the settings you have deployed for Skype4B/Lync in their DHCP responses. This may have undesired results when they parse and use these settings instead of the ones they were expecting. So be sure you understand the risks of this where deploying using this method and try to limit the device on the subnet to be your Skype4B / Lync devices only (where possible).

The tool will output the format as shown below:

!OPTIONS FOR CISCO DHCP CONFIG

option 43 hex 010C4D532D55432D436C69656E7402056874747073031446453030312E6D79736B7970656C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

option 120 hex 000546453030310A6D79736B7970656C616203636F6D00

These settings can be inputted directly into your DHCP pool settings in Cisco IOS!

An example of a basic configuration might look like this:

Router(config)# service dhcp

Router(config)# ip dhcp pool TEST-POOL

Router(dhcp-config)# network 10.20.2.0 255.255.255.0

Router(dhcp-config)# default-router 10.20.2.1

Router(dhcp-config)# dns-server 10.20.2.100

Router(dhcp-config)# lease 8

Router(config)# ip dhcp excluded-address 10.20.2.1 10.20.2.199

Router(config)# option 43 hex 010C4D532D55432D436C69656E7402056874747073031A32303133454E5446453030342E6D796C796E636C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

Router(config)# option 120 hex 000C32303133454E544645303034096D796C796E636C616203636F6D00

Note: Other settings like NTP server, Time Offset, Config server, etc. may also be required depending on the device.

Server Scopes and Subnet Scopes

The tool allows you to access Server Scope or Subnet Scopes within the DHCP server. The server scope should be looked at as the fall-back settings for all scopes. If you apply settings to the server scope, then these will be used by default by all subnets in the DHCP server. If you apply Subnet level settings, then these will be used in preference to the Server Scope settings. Below is an example of Subnet level settings, however Option 120 in this case is a Server Scope level setting. Note the different icons used for the different scope types:

The Wrap Up

Congratulations, you are now an expert at configuring DHCP servers for Skype for Business and Lync phone devices! I hope you enjoy this new tool and that it brings you great joy and delight over the holiday season.