Considerations for a small SFB deployment RRS feed

  • Question

  • We currently have all our users in Office 365 (SFB, Exchange and SharePoint). SSO is configured with ADFS and a wildcard certificate. We want to unlock some additional functionality for a small subset of the users, e.g. Persistant Chat, so we decided to implement a SFB on-premises deployment and configure Hybrid mode with Office 365. Initially the deployment will consist of a Standard Edition FE Server, Edge Server and Office Web Apps server - no pools at all. However I have several concerns providing my lack of experience with Lync/SFB to date:

    1. Active Directory and DNS: The Active Directory domain is a .local domain. There is a UPN suffix configured for each user which is an Internet-routable domain name (a .com). Currently the UPN of a user is their SIP address and sign-in name. All Office 365 records that point to SFB online are configured in a DNS zone for the .com zone. This is Split-Brain DNS so currently I am referring to the zone that services internal needs. All documentation for installing the first Frontend server states that DNS records should be created first, however I am not sure in which zone I need to create the records - in the .local or in the .com zone. If I do this in the .com zone I will break connectivity to Lync Online since Hybrid is not configured yet.

    2. Certificates: For internal certificates, we have ADCS so I think this will not be a problem. To the best of my knowledge, the current wildcard certificate that I use as a Service Communications Certificate for Office 365 and ADFS is not supported and will not work at all with Hybrid. Therefore, I have to request another trusted certificate with all the names listed in the SAN. For such a small deployment, which are the names that I have to include in the certificate request? Can I go with the Access Edge service name (e.g. skypeweb.[domain].com) and a join.[domain].com name (for Simple URLs scheme join.[domain].com/meet, join.[domain].com/dialin, join.[domain].com/admin). Which one should be in the Subject and which in the SAN? Do I need any additional names here?

    3. Reverse Proxy and Edge: I have 2 Web Application Proxies with a Cluster IP with NLB which connect to ADFS. Can I use these as a Reverse Proxy for the HTTP traffic to the Edge? Will this somehow interfere with the connection between the Proxy and the ADFS servers?

    4. Network: Can I go with two public IP addresses in this scenario - one of the Reverse Proxy and one of the Edge server?

    5. Interoperability with Exchange Online: If some users are eventually moved to On-Premises, will the Exchange integration between SFB and Exchange Online continue to work providing that the mailboxes will remain in Office 365? Specifically, joining SFB meetings from Outlook and archiving in the Conversation History folder in the mailbox?

    Thanks in advance to anyone trying to clear these questions out.

    Monday, September 12, 2016 5:11 PM


  • Hi Yordan Yordanov,

    Welcome to post in our forum.

    Based on my understanding, if you want to configure Skype for business hybrid for O365, when creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.

    Please refer to


    For the SFB server certificate, it’s usually used for SAN certificate for your deployment.

    You need to add the SAN entries: Lyncdiscover.domian.com, meet.domain.com, dialin.domain.com.

    Subject Name: skypeweb.domian.com

    Here is a blog for your reference


    You could use on IP address for reverse proxy and the other for edge server.

    After you eventually moved users to on-premise, the Exchange integration between SFB and Exchange Online will continue to work.

    Hope this helpful to you.

    Note:Microsoft is providing this information as a convenience to you. The sites are
    not controlled by Microsoft. Microsoft cannot make any representations
    regarding the quality, safety, or suitability of any software or information
    found there. Please make sure that you completely understand the risk before
    retrieving any suggestions from the above link.

    Alice Wang
    TechNet Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Alice-Wang Tuesday, September 13, 2016 9:16 AM
    • Proposed as answer by Alice-Wang Monday, September 19, 2016 9:58 AM
    • Marked as answer by Alice-Wang Tuesday, October 11, 2016 12:51 PM
    Tuesday, September 13, 2016 7:55 AM