New-CsHostingProvider and whether it is possible to use Direct federation

  • Question

  • Hi there,

    I took a look at the documentation for New-CsHostingProvider, which says: "When you establish a federation relationship with a hosting provider, you effectively establish federation with any organization hosted by that provider".

    Question: Can I avoid that and still have Skype hybrid established?

    Today we have used direct federations, and I do not see any reason why Skype hybrid should change that. But as the Hosting Provider is required, I'm not sure whether we are expecting to open a Pandora's box.


    Petri

    Thursday, February 1, 2018 11:54 AM

All replies

  • Hi Petri X,

    Would you please tell us whether you want to do SFB hybrid or SFB federation?

    If you want to do SFB hybrid, you need to run New-CSHostingProvider; it is the required step. For details, please refer to
    https://blogs.technet.microsoft.com/canitpro/2015/12/23/step-by-step-skype-for-business-2015-hybrid-configuration/

    If you want to do SFB federation (direct federation), you don't have to run New-CSHostingProvider; please refer to
    https://technet.microsoft.com/en-us/library/jj204800(v=ocs.15).aspx

    Moreover, if you want to federate SFB with public Skype, you need to do the following steps:
    1. Configure Federation and PIC.
    2. Configure at least one policy to support federated user access.
    3. Configure the Skype PIC provider setting.

    For more information, please refer to
    https://technet.microsoft.com/en-us/library/dn705313.aspx


    Best Regards,
    Alice Wang



    Friday, February 2, 2018 5:47 AM
  • Hi Petri,

    If you have a Hosting Provider defined for LyncOnline (Access Edge Service FQDN: sipfed.online.lync.com), this enables federation with any organisation that is using Skype for Business Online and has federation enabled.

    For an organisation that allows Open Federation this isn't an issue.

    However, if you don't have Open Federation, to restrict federation with specific partners on Skype for Business Online, you'd have to add the domains (e.g. domain: x500.co.uk, Access Edge Service FQDN: sipfed.online.lync.com). 

    But you can't do this: because of the presence of the LyncOnline Hosting Provider, you'd get the error "Cannot add the federated server 'sipfed.online.lync.com' because a hosting provider already exists with this value".

    What you could do is remove the LyncOnline Hosting Provider, which would unfortunately break Push Notifications if you are using them, but would allow you to restrict communications to specific domains. You might be able to do something to define push.lync.com as a Hosting Provider; I've never tried, though.

    Hope this helps,
    Steve.

    Friday, February 2, 2018 8:23 AM
  • Hi Alice,

    Today I have direct federation with companies xyz.com, abc.com, qwerty.com. From these companies abc.com is the only one using O365 cloud services.

    Now, to be able to set up Skype hybrid with O365 I need to run, as you stated as well, the "new-cshostingprovider" cmdlet. But that says it will open the federation with all O365 companies.

    On the O365 tenant I could set up external communication to be either "allow all, block listed" or "block all, allow listed". But on premises the hosting provider is still there.

    Is this something which I have - again - misread, or how could I avoid open federation to on-premises Skype with all O365 companies who have open federation in use on their site?

    I already realised that before I'm able to run the hosting provider cmdlet, I need to remove the direct federation with company abc.com, as they are already in O365.

    And just in case, those companies do not really exist :)


    Petri

    Friday, February 2, 2018 10:09 AM
  • Steve,

    I cannot remove the hosting as it is required for the Skype Hybrid setup :(


    Petri

    Friday, February 2, 2018 10:10 AM
    The requirement for maintaining Direct Federation on-prem, including with partners on Office 365, and having the LyncOnline/SkypeforBusinessOnline Hosting Provider defined, puts you between a rock and a hard place.

    I am not aware of any solution within Skype for Business to allow this to happen.

    If Direct Federation and having a hybrid SfB deployment is an absolute requirement, my only other thought would be to do something with DNS resolution from the Edge (this is a little extreme). For example, have the Edge use a DNS Server that can't resolve directly (remove the root hints and don't have forwarders), then define Conditional Forwarders for *.lync.com, *.microsoft.com, *.partner1.com, *.partner2.com, *.partner3.com etc. via another DNS Server.

    Friday, February 2, 2018 11:24 AM
    There are 4 types of federation:

    1. Direct Federation -- You specify the Access Edge, and then all connections to/from that Access Edge are trusted. The certificate requirements are no longer applicable. There is no message limitation.

    2. Enhanced Federation -- You discover the Access Edge using SRV records. The certificate should be valid (to prevent spam), and then there is a 20 msg/sec limitation.

    3. Open Federation -- Inbound connections from any SIP domain are acceptable.

    4. HSP -- A hosted service provider like SkypeForBusinessOnline cannot have their certificates updated every time a new SIP domain is added.

    When you set up a direct federation with SkypeForBusinessOnline, all SkypeForBusinessOnline domains will be able to send messages to your organization.

    If you do not have open federation (i.e. you use allow lists), and have HSP, then only domains in your allowed domain list will receive/send traffic to SkypeForBusinessOnline.

    For any hosting provider, certificates would be a challenge, and you do not want to trust *any* SIP domain, so Lync 2010 introduced HSP.

    Saturday, February 3, 2018 4:08 AM
    I actually got help to get the hosting provider applied on-premises, and also how to add Allowed domains with proxyFQDN:

    1. Remove all Allowed domains where proxyFQDN is sipfed.online.lync.com

    2. Apply hosting provider

    3. Add Allowed domains back, but without proxyFQDN

    4. With Set-CsAllowedDomain, add the proxyFQDN

    But of course, I ended up with problems already in step 2 :D

    When I applied the hosting provider, at that moment (after replication) all my Direct Federation partners were lost for on-premises users. And I was not able to get them back until I removed the hosting provider. Have I skipped some step, or how could I end up with an issue like that? How could the hosting provider cause such a problem?


    Petri

    Thursday, February 8, 2018 1:12 AM
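The four-step procedure described in the post above, written out as one Skype for Business Management Shell run. This is an added example, not the poster's own script; it assumes the standard Skype for Business Online hosting provider values (identity, proxy FQDN, autodiscover URL) from Microsoft's hybrid documentation.

```powershell
# Added example, not the poster's script: the four steps above as one run in the
# Skype for Business Management Shell. Assumes the standard Skype for Business
# Online hosting provider values; adjust them if your tenant documentation differs.
$ProxyFqdn       = 'sipfed.online.lync.com'
$AutodiscoverUrl = 'https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root'

# Step 1: record, then remove, every allowed domain whose ProxyFqdn is the online edge.
$affected = @(Get-CsAllowedDomain | Where-Object { $_.ProxyFqdn -eq $ProxyFqdn })
if ($affected.Count -eq 0) { Write-Host "No allowed domains point at $ProxyFqdn" }
foreach ($d in $affected) {
    Write-Host "Step 1: removing allowed domain $($d.Identity)"
    Remove-CsAllowedDomain -Identity $d.Identity
}

# Step 2: create the hosting provider. This is the call that fails while an allowed
# domain with the same ProxyFqdn still exists (the error quoted earlier in the thread).
if (-not (Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq $ProxyFqdn })) {
    Write-Host 'Step 2: creating hosting provider LyncOnline'
    New-CsHostingProvider -Identity 'LyncOnline' -ProxyFqdn $ProxyFqdn `
        -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true `
        -VerificationLevel UseSourceVerification -IsLocal $false `
        -AutodiscoverUrl $AutodiscoverUrl
}

# Step 3: re-create the allowed domains without a ProxyFqdn.
foreach ($d in $affected) {
    Write-Host "Step 3: re-adding allowed domain $($d.Identity)"
    New-CsAllowedDomain -Identity $d.Identity
}

# Step 4: put the ProxyFqdn back with Set-CsAllowedDomain.
foreach ($d in $affected) {
    Write-Host "Step 4: setting ProxyFqdn on $($d.Identity)"
    Set-CsAllowedDomain -Identity $d.Identity -ProxyFqdn $ProxyFqdn
}

# Show the resulting configuration so both objects can be checked side by side.
Get-CsHostingProvider | Format-Table Identity, ProxyFqdn, Enabled, HostsOCSUsers
Get-CsAllowedDomain   | Format-Table Identity, ProxyFqdn
```

A later reply in this thread reports the Edge's RTCSrv service failing to start when an allowed domain and a hosting provider share the same proxy FQDN, so run this in a lab topology before production.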
  • While doing some more analysing, I found the following error:

    Direction: outgoing;source="local";destination="internal edge"
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: "lastname, firstname"<sip:usera@company.com>
    To: <sip:fedUser1@fedcompany.net>;
    CSeq: 1 SUBSCRIBE
    ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="company.com";dns-srv-result="NegativeResult";dns-source="InternalCache";source="SIPAccess.company.com"
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=EdgePool.domain.com;ms-source-verified-user=verified

    Wait... my Skype Edge is doing an SRV lookup for my own domain? And yes, when I run the following command on the Edge server:

    nslookup -q=srv _sipfederationtls._tcp.company.com.

    That failed, because the DNS server my Edge is using has an extra forwarder to another DNS server that also hosts "company.com" for internal purposes.

    When I removed the hosting provider, the system returned to normal state.

    Does anybody know how the hosting provider affects the DNS behaviour on the Skype Edge?


    Petri

    Thursday, February 8, 2018 9:17 AM
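The check the poster ran by hand with nslookup, as an added example (not from the post): it resolves the federation SRV record for each SIP domain from the Edge, either through the resolvers the Edge is configured with or through an explicit DNS server, so the two answers can be compared. It assumes the DnsClient module (Resolve-DnsName, Windows Server 2012 or later); the domain names are the constructed ones from the trace above.

```powershell
# Added example, not from the post: resolve _sipfederationtls._tcp.<domain> for each
# SIP domain, bypassing the local cache, and report OK or NegativeResult per domain.
# Assumes the DnsClient module (Resolve-DnsName) is available on the Edge server.
function Test-SipFederationSrv {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string[]]$Server = @()   # empty: use the resolvers the Edge is configured with
    )
    foreach ($d in $Domain) {
        $name = "_sipfederationtls._tcp.$d"
        # -DnsOnly skips the client cache; the trace above shows dns-source="InternalCache"
        $query = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server.Count -gt 0) { $query['Server'] = $Server }
        try {
            $srv = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
            [pscustomobject]@{
                Domain = $d; Record = $name; Result = 'OK'
                Target = ($srv.NameTarget -join ', '); Port = ($srv.Port -join ', ')
                Server = ($Server -join ', '); Error = $null
            }
        } catch {
            # A failed lookup is what the Edge reports as dns-srv-result="NegativeResult"
            [pscustomobject]@{
                Domain = $d; Record = $name; Result = 'NegativeResult'
                Target = $null; Port = $null
                Server = ($Server -join ', '); Error = $_.Exception.Message
            }
        }
    }
}

# Own SIP domain first, then a federated partner (constructed names from the trace above).
$domains = 'company.com', 'fedcompany.net'
Test-SipFederationSrv -Domain $domains | Format-Table -AutoSize
# Repeat with -Server '<public-resolver-ip>' to see whether the record is missing only
# in the view served by the internal forwarder.
```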
  • Hi Petri,

    My understanding is that in this scenario you can't define individual O365 domains you want to federate with after you configure sipfed.online.lync.com as a hosting provider during a hybrid setup.

    As you have mentioned, you can't have a singular allowed domain using sipfed.online.lync.com and a hosting provider using the same proxy FQDN. If you do (which ended up being the case in one of my scenarios) and you restart an edge server, then the RTCSrv service does not start. You'll notice errors in the event log stating you have a hosting provider and an IM service provider with the same Proxy FQDN. I removed the hosting provider in my case as it wasn't required at that time; I only needed to federate with a single O365 domain and Hybrid wasn't needed.

    If and when Hybrid is a requirement we will face the same situation. It's then important to discuss with the business the benefits of this change, particularly if they are planning a future cloud implementation. It's generally deemed a "security risk" to allow federation; however, on the basis that you disable file share through the edge and have archiving in place to mitigate any concerns, I don't see this being an issue.

    Regards

    AM


    Monday, April 9, 2018 8:21 AM