Two companies, two edge servers, conditional forwarders for DNS and Federation

  • Question

  • Hi All

    Have a complicated issue which I hope someone here has come across; the environment is as follows:

    Company A
    Standard FE
    Edge DMZ NIC1 - 3 IPs and GW
    Edge Internal NIC2 - Internal IP no GW
    Static routes so only internal traffic to FE goes via Internal NIC

    Company B
    Standard FE
    Edge DMZ NIC1 - 3 IPs and GW
    Edge Internal NIC2 - Internal IP no GW
    Static routes so only internal traffic to FE goes via Internal NIC

    Separate AD domains, trusts between the two and conditional forwarders for DNS
    Company did not want to go through a domain consolidation so built two separate SFB deployments

    Issue is they want federation externally and between the two companies.
    However, since DNS goes internally, I cannot get federation to work between the two. External federation works fine.
    SFB Hybrid also enabled.

    How can I get federation to work between the two companies? Set up SRV and DNS records to point externally somehow?

    Monday, December 18, 2017 11:58 PM

All replies

  • Each Edge should use an external DNS server, not the internal one that has conditional forwarding, and for the internal FE DNS names you could use a hosts file. That is the recommended scenario even if you didn't have these two domains.

    So use external DNS to refer to the external Edge of the other domain, and build a hosts file to refer to its own domain's internal FE.

    The only thing to be aware of is to open the firewall ports on the public IP of the Edge to accept traffic from the second one.

    Tuesday, December 19, 2017 7:13 AM
  • Hi Shaun,

    You do not need the internal DNS, and the Edge stays in the DMZ in a workgroup. What you need to do is add the external domain to your hosts file, and the other company needs to do the same, if you don't have external SRV records. The Access Edge FQDN must be published externally with a public certificate.

    Then you add the domains in the allow list in Skype control panel with the access edge FQDN defined.

    Greetings,

    Erdem


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, December 19, 2017 8:23 AM
  • Is there any update on this issue? If the reply is helpful to you, please try to mark it as an answer; it will help others who have a similar issue.


    Regards,

    Leon Lu


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, December 21, 2017 12:24 PM
  • Hi ShaunJacob,

    Agree with erdem and hamedAdel.

    You should add the following records in the public DNS:

    | DNS Type | Value | Resolution | Purpose |
    |---|---|---|---|
    | SRV | _sipfederationtls._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | Federation and public IM connectivity |
    | SRV | _sip._tls.<sip-domain> | Access Edge FQDN: access.<sip-domain> | external user access |
    | SRV | _xmpp-server._tcp.<sip-domain> | Access Edge FQDN: access.<sip-domain> | XMPP federation |
    | A | sip.<sip-domain> | Access Edge FQDN: access.<sip-domain> | locate Edge Server |
    | A | Access Edge FQDN: access.<sip-domain> | Access Edge IP address | Edge Server Access edge |
    | A | A/V Edge FQDN: av.<sip-domain> | A/V Edge IP address | Edge Server A/V edge |
    | A | Conf Edge FQDN: conf.<sip-domain> | Conf Edge IP address | Edge Server Conf edge |
    | A/CNAME | lyncdiscover.<sip-domain> | reverse proxy public IP address | external AutoDiscover Service |
    | A | meet URL | reverse proxy public IP address | proxied to Lync Server Web Service |
    | A | dial-in URL | reverse proxy public IP address | proxied to Lync Server Web Service |
    | A | external Web Services FQDN | reverse proxy public IP address | |

    Regards,

    Leon Lu



    Friday, December 29, 2017 7:30 AM
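
The record set in the table above can be checked offline against an export of the public zone before federation is tested. The following is an added example, not part of the thread or any poster's code: the domain example.com, the addresses, the ports, the target name sipext and the function names are constructed assumptions, and only the record names and types come from the table.

```python
# Constructed public-zone sample for the placeholder SIP domain example.com
# (documentation addresses; ports and the sipext target are assumed values).
SAMPLE_ZONE = """\
_sipfederationtls._tcp.example.com. 3600 IN SRV 0 0 5061 access.example.com.
_sip._tls.example.com.              3600 IN SRV 0 0 443  sipext.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 0 0 5269 access.example.com.
sip.example.com.                    3600 IN A   203.0.113.10
access.example.com.                 3600 IN A   203.0.113.10
av.example.com.                     3600 IN A   203.0.113.11
lyncdiscover.example.com.           3600 IN CNAME webext.example.com.
"""

def parse_zone(text):
    """Return {(owner, type): [rdata fields, ...]} for 'owner ttl IN type rdata' lines."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        key = (owner.lower().rstrip("."), rtype.upper())
        records.setdefault(key, []).append(rdata)
    return records

def check_federation_dns(zone_text, sip_domain):
    """List the records from the table that are missing or point nowhere."""
    rec = parse_zone(zone_text)
    problems = []
    for label in ("_sipfederationtls._tcp", "_sip._tls", "_xmpp-server._tcp"):
        name = f"{label}.{sip_domain}"
        srvs = rec.get((name, "SRV"))
        if not srvs:
            problems.append(f"missing SRV {name}")
            continue
        for _prio, _weight, _port, target in srvs:
            target = target.lower().rstrip(".")
            if (target, "A") not in rec:       # SRV target must resolve publicly
                problems.append(f"SRV {name} target {target} has no A record")
    for host in ("sip", "access", "av", "conf"):
        if (f"{host}.{sip_domain}", "A") not in rec:
            problems.append(f"missing A {host}.{sip_domain}")
    if not any((f"lyncdiscover.{sip_domain}", t) in rec for t in ("A", "CNAME")):
        problems.append(f"missing A/CNAME lyncdiscover.{sip_domain}")
    return problems

if __name__ == "__main__":
    for problem in check_federation_dns(SAMPLE_ZONE, "example.com"):
        print(problem)
```
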