Deploy Web downloadable clients in Skype for Business Server
Summary: Deploy the Skype for Business 2015 Web App and Skype Meetings App used with Skype for Business Server.
Skype for Business Web App is an Internet Information Services (IIS) web client that is installed on the server running Skype for Business Server. By default it's deployed on demand to meeting users who don't already have the Skype for Business client. These meeting users are more often than not connecting from outside your network. Whenever a user select a meeting URL but doesn't have the Skype for Business client installed, the user is presented with the option to join the meeting by using the latest version of Skype for Business Web App, Skype Meetings App, or Skype for Business for Mac.
The voice, video, and sharing features in Skype for Business Web App require a Microsoft ActiveX control that is used as a plugin by the user's browser. You can either install the ActiveX control in advance or allow users to install it when prompted, which happens the first time they use Skype for Business Web App or the first time they access a feature that requires the ActiveX control.
Note
In Skype for Business Server Edge Server deployments, an HTTPS reverse proxy in the perimeter network is required for Skype for Business Web App client access. You must also publish simple URLs. For details, see Setting Up Reverse Proxy Servers and DNS requirements for simple URLs in Skype for Business Server.
Enable Multi-Factor Authentication for Skype for Business Web App
Skype for Business Web App, Skype Meetings App, and Skype for Business for Mac support multifactor authentication. In addition to user name and password, you can require other authentication methods, such as smart cards or PINs, to authenticate users who are joining from external networks when they sign in to Skype for Business meetings. You can enable multifactor authentication by deploying Active Directory Federation Service (AD FS) federation server and enabling passive authentication in Skype for Business Server. After AD FS is configured, external users who attempt to join Skype for Business meetings are presented with an AD FS multifactor authentication webpage that contains the user name and password challenge along with any other authentication methods that you configure.
Important
The following are important considerations if you plan to configure AD FS for multi-factor authentication:
Multi-factor ADFS authentication works if the meeting participant and organizer are both in the same organization or are both from an AD FS federated organization. Multi-factor ADFS authentication doesn't work for Lync federated users because the Lync server web infrastructure doesn't currently support it.
If you use hardware load balancers, enable cookie persistence on the load balancers so that all requests from the Skype for Business Web App or Meetings App clients is handled by the same Front End Server.
When you establish a relying party trust between Skype for Business Server and AD FS servers, assign a token life that is long enough to span the maximum length of your Skype for Business meetings. Typically, a token life of 240 minutes is sufficient.
This configuration doesn't apply to Lync mobile clients.
Configure Multi-Factor Authentication
Install an AD FS federation server role. For details, see the Active Directory Federation Services 2.0 Deployment Guide
Create certificates for AD FS. For more information, see "Federation server certificates" section of the Plan for and deploy AD FS for use with single sign-on article.
From the Windows PowerShell command-line interface, run the following command:
add-pssnapin Microsoft.Adfs.powershell
Establish a partnership by running the following command:
Add-ADFSRelyingPartyTrust -Name ContosoApp -MetadataURL https://lyncpool.contoso.com/passiveauth/federationmetadata/2007-06/federationmetadata.xml
Set the following relying party rules:
$IssuanceAuthorizationRules = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.contoso.com/authorization/claims/permit", Value = "true");'$IssuanceTransformRules = '@RuleTemplate = "PassThroughClaims" @RuleName = "Sid" c:[Type == "http://schemas.contoso.com/ws/2008/06/identity/claims/primarysid"]=> issue(claim = c);' Set-ADFSRelyingPartyTrust -TargetName ContosoApp -IssuanceAuthorizationRules $IssuanceAuthorizationRules -IssuanceTransformRules $IssuanceTransformRules Set-CsWebServiceConfiguration -UseWsFedPassiveAuth $true -WsFedPassiveMetadataUri https://dc.contoso.com/federationmetadata/2007-06/federationmetadata.xml
Disable BranchCache
The BranchCache feature in Windows 7 and Windows Server 2008 R2 can interfere with Skype for Business Web App web components. To prevent issues for Skype for Business Web App users, make sure that BranchCache isn't enabled.
For details about disabling BranchCache, see the BranchCache Deployment Guide.
Verifying Skype for Business Web App Deployment
You can use the Test-CsUcwaConference cmdlet to verify that a pair of test users can participate in a conference using the Unified Communications Web API (UCWA). For details about this cmdlet, see Test-CsUcwaConference in the Skype for Business Server Management Shell documentation.
Troubleshooting Plug-in Installation on Windows Server 2008 R2
If installation of the plug-in fails on a computer running Windows Server 2008 R2, you might need to modify the Internet Explorer security setting or the DisableMSI registry key setting.
Modify the security setting in Internet Explorer
Open Internet Explorer.
Select Tools, select Internet Options, and then select Advanced.
Scroll down to the Security section.
Clear Do not save encrypted pages to disk, and then select OK.
Note
If selected, this setting will also cause an error when trying to download an attachment from Skype for Business Web App.
Rejoin the meeting. The plug-in should download without errors.
Modify the DisableMSI Registry setting
Select Start, and then select Run.
To access the Registry Editor, type regedit.
Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.
Edit or add the DisableMSI registry key of type REG_DWORD and set it to 0.
Rejoin the meeting.
Enable Skype Meetings App to replace Skype for Business Web App (Optional, Skype for Business Server 2015 only)
This procedure is optional, and applies to Skype for Business Server 2015 CU5 and later. If you don't use it, external users continue to join meetings using Skype for Business Web App.
Enable simplified meeting join and Skype Meetings App
When you enable access to the Content Delivery Network (CDN), users will have the ability to connect to CDN online and get Skype Meetings App (on Windows) and Skype for Business for Mac (on Mac), and will use the simplified meeting join experience.
Set-CsWebServiceConfiguration -MeetingUxUseCdn $True
Allow client side logging telemetry from the meeting join web page or the Skype Meetings App to be sent to Microsoft servers (the command defaults to false).
Set-CsWebServiceConfiguration -MeetingUxEnableTelemetry $True
Information sent to Microsoft is in strict compliance with Skype for Business data collection practices.
Set the timeout before fall back to the locally hosted Skype for Business Web App experience if CDN isn't available. The default value is 6 seconds. If this value is set to 0, there will be no timeout.
Set-CsWebServiceConfiguration -JoinLauncherCdnTimeout (New-TimeSpan -Seconds 10)
Note
With MeetingUxUseCdn in Skype for Business Server 2015 Cumulative Update 5, the default value is set to False. This causes an issue where Skype for Business for Mac client is unable to join non-federated partners' meetings as a guest, even if Skype for Business Admin has set MeetingUxUseCdn to True. For this to work, Skype for Business Server 2015 must have the Cumulative Update 7, 6.0.9319.534, or later. See Enable Skype Meetings App to replace Skype for Business Web App in Skype for Business Server 2015.
See also
Plan for Meetings clients (Web App and Meetings App)
Configure the meeting join page in Skype for Business Server