I had an interesting case today where a client running a Lync 2010 hybrid with O365 Skype for Business Online reported that federated partners who were also using Skype for Business Online could not IM, call, screen share, or see presence. My initial reaction was to check whether they had configured their on-premises instance for federated domains to use the "sipfed.online.lync.com" proxy FQDN, as both Phil Sharp and our Tom Pacyk had blogged about issues with Lync 2013 when you have the domain configured as both an Edge Server and a Hosted Provider. Sure enough, they had a couple of domains configured this way. I used the following command to update all the domains so that they no longer specify sipfed.online.lync.com as a proxy FQDN:
Get-CsAllowedDomain | Where {$_.ProxyFqdn -eq "sipfed.online.lync.com"} | Set-CsAllowedDomain -ProxyFqdn $null
I forced replication, waited 15 minutes, and re-tested; still no luck. I then pulled the client logs and noticed that my messages were resulting in a 504 Server Time-Out:
Server: IncomingFederation/6.0.0.0
ms-diagnostics: 1036;reason="Previous hop shared address space peer did not report diagnostic information";Domain="clientpartnerdomain.org";PeerServer="sipfed.online.lync.com";source="sip-na.clientdomain.com"
ms-edge-proxy-message-trust: ms-source-type=AuthorizedServer;ms-ep-fqdn=na1.clientdomain.com;ms-source-network=federation;ms-source-verified-user=verified
I then collected SIP and S4 traces from the Edge server while attempting to IM a user on Skype for Business Online. At this point the trace also did not provide much information, other than that the message was being routed correctly but that once it reached O365 it would just time out:
At this point I felt that this had to be something with O365's Skype for Business settings and not an issue with our client's on-premises configuration. So I checked the portal's settings: they had configured "On only for allowed domains" and enabled "Let people use Skype for Business to communicate with Skype users outside your organization". So federation was enabled, but only for specific domains, and the list of allowed domains was empty. I added clientpartnerdomain.org to the list of allowed domains, waited 30 minutes, and sure enough it worked!
SOLUTION:
If you have a hybrid configuration, make sure that your on-premises allowed domains are also listed in your O365 tenant!
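The check the post ends on can be scripted. The following is an added example, not code from the original post: it lists on-premises allowed domains that still use the sipfed.online.lync.com proxy, then reports any on-premises allowed domain that is missing from the tenant's allow list. It assumes it is run from the Lync Server Management Shell with a Skype for Business Online remote session already imported (so both Get-CsAllowedDomain and Get-CsTenantFederationConfiguration resolve), and that the tenant's AllowedDomains object exposes an AllowedDomain collection of DomainPattern entries when it is an allow list (as it does when built with New-CsEdgeAllowList).

```powershell
# Added example (not from the original post). Assumes an on-premises Lync
# Management Shell with a Skype for Business Online session imported, e.g.
# via New-CsOnlineSession / Import-PSSession.
function Get-HybridFederationGap {
    [CmdletBinding()]
    param(
        # When set, the missing domains are also added to the tenant allow list.
        [switch]$Fix
    )

    # On-premises federated domains. Any entry still pointing at the
    # sipfed.online.lync.com proxy is flagged, since that configuration
    # breaks hybrid federation as described in the post.
    $onPrem   = Get-CsAllowedDomain
    $badProxy = $onPrem | Where-Object { $_.ProxyFqdn -eq 'sipfed.online.lync.com' }
    foreach ($d in $badProxy) {
        Write-Warning "On-prem domain $($d.Domain) still uses ProxyFqdn sipfed.online.lync.com"
    }

    # Tenant-side federation settings. AllowedDomains is either an
    # "allow all known domains" object (no AllowedDomain member) or an
    # allow list whose AllowedDomain member holds DomainPattern entries.
    $tenantCfg = Get-CsTenantFederationConfiguration
    if (-not $tenantCfg.AllowedDomains.PSObject.Properties['AllowedDomain']) {
        Write-Verbose 'Tenant allows all known domains; no per-domain gap is possible.'
        return @()
    }
    $tenantList = @($tenantCfg.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain })

    # Domains allowed on-premises but absent from the tenant allow list:
    # these are the ones whose federation traffic will time out in O365.
    $missing = @($onPrem | Where-Object { $tenantList -notcontains $_.Domain } |
                 ForEach-Object { $_.Domain })

    if ($Fix -and $missing.Count -gt 0) {
        # Rebuild the allow list from the existing entries plus the gaps.
        $patterns  = ($tenantList + $missing) | Sort-Object -Unique |
                     ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
        $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
        Set-CsTenantFederationConfiguration -AllowedDomains $allowList
    }
    return $missing
}

# Report only; add -Fix to also update the tenant allow list.
Get-HybridFederationGap -Verbose
```

Run it without -Fix first and review the reported domains, since -Fix replaces the tenant allow list wholesale.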
In this case you enabled federation only to listed domains; the rest of the world will be blocked. What if you want to open it to the rest of the world? Changing it to "allow all, block only specific" does not resolve the issue.