How to Federate My Company Lync with Microsoft?

    Question

  • We're MS Partners and I've seen several partners that have Microsoft workers on their Lync (or Communicator) contact list. Are there some prerequisites to do this federation? Obviously we've deployed everything to make federations, and already did several federations with some customers.

    Some directors from the company are asking me to make this possible.

    Someone from MS that could help me?


    Gilberto Verastegui
    Wednesday, July 06, 2011 3:52 PM

Answers

  • Gilberto,

    In order to federate with MS, authorization is needed from MS. MS has an internal process to add partners/customers to their federation list. I recommend you contact your Microsoft partner account manager and ask to have federation enabled for your organization.

    You will also have to configure your end as well. Here are the set-up instructions that I have used with customers in the past. The documentation below references LCS/OCS; it is applicable to Lync.

    Federation Requirements

    1. Live Communications Server 2005 or greater must be used.
    2. A publicly available DNS SRV record for _sipfederationtls._tcp.sip_domain for port 5061 that points to a valid A record for the Access Edge server.
      For example:

    set type=SRV
    _sipfederationtls._tcp.microsoft.com

    Non-authoritative answer: _sipfederationtls._tcp.microsoft.com SRV service location:
    priority = 0
    weight = 0
    port = 5061
    svr hostname = sipfed.microsoft.com

    set type=A
    sipfed.microsoft.com

    Non-authoritative answer:
    Name: sipfed.microsoft.com
    Address: 94.245.124.75

    3. Internal and external firewalls must be configured to allow all bi-directional traffic on TCP port 5061, and on TCP port 443. If the partner company has tighter firewall configuration requirements, they will have to add an allow ACL to the Microsoft access edge sipfed.microsoft.com, at IP Address: 94.245.124.75. Further information on the recommended firewall configuration to allow for the various capabilities of Lync/OCS may be found at http://technet.microsoft.com/en-us/library/gg425882.aspx
    4. The access edge server must be configured to allow federations, and Microsoft's SIP domain - microsoft.com - must be added to the allow list of the access edge server. For more information regarding OCS Access Edge setup and deployment, please visit http://technet.microsoft.com/en-us/library/bb870345.aspx
    5. The certificate used on the public interface of the Access Edge must be signed by a public Certificate Authority and have the SIP domain in the FQDN of the server in the "Subject Name = ServerName.SIP_Domain" section of the certificate, or in a separate "Subject Alternate Name = SIP_Domain" section of the certificate. If multiple SIP domains will be serviced by the same Access Edge server, the SN= should be the FQDN of the access edge server itself, with a SAN= entry for each SIP domain that will be serviced by this edge server, and the entire chain of authority must be verifiable. For more information on installing certificates please visit http://technet.microsoft.com/en-us/library/bb663762.aspx

    Rob Herman
    Wednesday, July 06, 2011 5:39 PM
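
A pre-flight check for the DNS SRV and certificate requirements listed in the answer above, as an added example that is not part of the original thread. The domain names, SRV text and certificate dict are constructed sample values, and the SAN match follows the answer's literal "Subject Alternate Name = SIP_Domain" wording.

```python
import re

# Constructed sample data (not from the original post): nslookup-style SRV output
# and a certificate dict shaped like Python's ssl.SSLSocket.getpeercert().
SAMPLE_SRV = """_sipfederationtls._tcp.contoso.example SRV service location:
    priority = 0
    weight = 0
    port = 5061
    svr hostname = sip.contoso.example
"""
SAMPLE_CERT = {
    "subject": ((("commonName", "sip.contoso.example"),),),
    "subjectAltName": (("DNS", "sip.contoso.example"), ("DNS", "fabrikam.example")),
}

def parse_srv(text):
    """Extract (port, target) from nslookup SRV output; None if no record found."""
    port = re.search(r"^\s*port\s*=\s*(\d+)", text, re.M)
    host = re.search(r"^\s*svr hostname\s*=\s*(\S+)", text, re.M)
    if not (port and host):
        return None
    return int(port.group(1)), host.group(1).rstrip(".").lower()

def cert_names(cert):
    """Return (subject CN, list of DNS SANs), lower-cased."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (cn[0].lower() if cn else None), sans

def check_federation(sip_domains, srv_text, cert):
    """Return a list of findings; an empty list means the DNS SRV and
    certificate naming requirements are satisfied for every SIP domain."""
    srv = parse_srv(srv_text)
    if srv is None:
        return ["no SRV record for _sipfederationtls._tcp"]
    port, edge = srv
    findings = []
    if port != 5061:
        findings.append(f"SRV port is {port}, expected 5061")
    cn, sans = cert_names(cert)
    if cn != edge and edge not in sans:
        findings.append(f"certificate does not name edge server {edge}")
    for d in (d.lower() for d in sip_domains):
        # Covered if the subject is ServerName.SIP_Domain or a SAN equals the domain.
        if not (cn and cn.endswith("." + d)) and d not in sans:
            findings.append(f"SIP domain {d} missing from subject and SAN")
    return findings
```

Chain-of-trust verification and the firewall rules are outside what this check covers; it only validates the record and the names on the certificate.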

All replies

  • Thanks a lot Rob, now I'm contacting our PAM.


    Gilberto Verastegui
    Tuesday, July 12, 2011 3:33 PM