Lync Federation

  • Question

  • Hi

    I'm having a problem with Lync Federation. I'm using my own PKI certificate on Edge and FE servers. If I'm using my own certificates that are not trusted by anyone except my environment and I want to use federation between two different companies, then who must trust my certificate certainly? I mean, if I give my Root certificate to the other company, then where do they have to import it to make things work - Edge, FE, Clients? Or maybe there is no chance that I can use my own certificate to get Federation to work? At the first point it's important that it's working for our internal clients - that part is done and everything is working from the inside and outside. But now I'm wondering about federation and after that Lync-Skype connectivity. So is there a way to make it work like that?

    I am not 100% sure that the problem is in the certificate but I'm guessing so because everything else is working like a charm.

    Hope you can give me some advice!

    Taavi

    Friday, March 21, 2014 11:30 AM

All replies

  • Hi Taavi

    You don't need to exchange certs to get Lync Federation to work. If you want company1.domain.com to talk to company2.domain.co.uk you need to configure Federation via the CSCP.

    http://technet.microsoft.com/en-us/library/jj204800.aspx

    http://technet.microsoft.com/en-us/library/dn440170.aspx

    Regards

    Andrew Price


    Friday, March 21, 2014 12:04 PM
  • Hi!

    Thank you for your reply! Unfortunately I don't get it?

    I have configured Federation in Lync Control Panel. Configured Allowed Domains and enabled federation etc. I have an Office 365 test account as well and I tried to federate with that so that my Lync on premise can talk with my Office 365 client, but that doesn't work. I'm getting an error: ID504 (event ID 239). I tried to run a test via https://www.eventzero.com/Tools/FederationTester/ but that cannot connect either. If I'm using my Office 365 account then that EventZero tool is working, but not with my company account. I think I have all the DNS records in place but I can't see where the problem can come from. From Google I can find many articles about certificates and that both sides must trust each other. In my case Microsoft Office 365 is not trusting me because I use my own PKI cert. Same thing with EventZero. So I thought to ask whether this can be the problem.

    Thank you!

    Taavi

    Friday, March 21, 2014 12:39 PM
  • You're correct Taavi, in addition to configuring federation through Lync Control Panel, if you are using your own issued certificate for the Edge external services then you will need to send your Root Certificate to the other company and they will need to install it in their Edge servers' local computer Trusted Root Certificate Authorities store.

    For simplicity and best practice I'd recommend changing to a UCC certificate issued by a public CA.

    If you are trying to federate with Office 365 (or any other cloud provider for that matter) you will be very hard pressed - if not impossible - to get them to load your root cert and you will need to get a public CA certificate.


    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog www.lynced.com.au | Twitter @imlynced



    • Edited by Georg Thomas Friday, March 21, 2014 1:44 PM
    • Proposed as answer by Georg Thomas Friday, March 21, 2014 2:37 PM
    • Marked as answer by Lisa.zheng Monday, March 31, 2014 2:53 AM
    Friday, March 21, 2014 1:42 PM
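
Added example, not part of the thread or any poster's code: PowerShell for the step the answer above describes, run on the other company's Edge server. It fetches the certificate the partner's Access Edge presents, reports whether its chain is trusted, and imports the partner's root into the local computer Trusted Root store only after a thumbprint check. The file path, FQDN and thumbprint are placeholders, and port 5061 is assumed as the federation port.

```powershell
# Added example; the path, FQDN and thumbprint below are placeholders, not values from the thread.
$RootCertPath       = 'C:\Temp\partner-root.cer'         # root certificate sent by the other company
$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-OUT-OF-BAND>' # confirm by phone or in person, not by e-mail alone
$PartnerEdgeFqdn    = 'sip.partner.example'              # partner's Access Edge FQDN
$FederationPort     = 5061                               # assumed SIP/MTLS federation port

function Import-PartnerRoot {
    param([string]$Path, [string]$Thumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed root: $($cert.Subject)" }
    if ($cert.Thumbprint -ne ($Thumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch, refusing to import $($cert.Thumbprint)"
    }
    # Local computer store, as the answer states (the current-user store is not used by the Edge services).
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root
}

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: this only fetches the certificate, trust is judged separately.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)  # machine context
    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Trusted    = $trusted
        TopOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$edgeCert = Get-RemoteCertificate -HostName $PartnerEdgeFqdn -Port $FederationPort
Test-CertificateChain $edgeCert   # before import: a private CA typically shows UntrustedRoot or PartialChain
Import-PartnerRoot -Path $RootCertPath -Thumbprint $ExpectedThumbprint
Test-CertificateChain $edgeCert   # after import: Trusted should be True if the root was the only gap
```

A remaining `RevocationStatusUnknown` after the import means the private CA's CRL distribution point is not reachable from the partner's network, which is a separate problem from root trust.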
  • Thank you! 

    Then it's understandable why it's not working with 365 and other testers. I know that a Public Cert is recommended but at the moment Lync is in Pilot and we are not 100% sure that it is the product we are going to use. So if Lync is the thing and working like a charm then I will buy a Public cert as well! :)

    Thank you again!

    Taavi

    Friday, March 21, 2014 2:20 PM