A few days back, one of our clients (a hosting services provider) registered a ticket on our support portal regarding “federation | Presence unknown status”.
We started communicating with the client to narrow down and rectify the issue. Analysis showed that a tenant of their hosted platform was trying to federate and communicate with a company using Office 365 Skype for Business Online services.
So we started our troubleshooting SOP and verified the following on the hosted side:
- The SRV record (tenant domain) required for federation is in place | Yes
- Skype for Business Server is allowing external communication | Yes
- The domain to federate with is listed in the allowed SIP federated domains. As in this case they are trying to federate with a domain on Skype for Business Online, the SIP federated Partners tab was verified, and LyncOnline as CSHostingProvider was found to be enabled.
All good on the hoster side.
The next step was to verify the settings on the Skype for Business Online side. As that was not in our control, the client was asked to follow the Office 365 documentation and make sure all the settings required for federation were in place, which are:
- The SRV record required for federation is in place | Yes (nslookup -q=SRV _sipfederationtls._tcp.yourdomain.com)
- Lync Online federation is enabled in the External Communication tab.
- Time to become operational, as Microsoft says that it may take some time, like 12 plus hours.
We were expecting that the issue would be resolved once they made sure of the Skype for Business Online side configuration, but after a couple of days they came back with an update: the issue still exists.
Hmm, so now we had to look further and see what was going wrong:
- Tested federation with a remote domain not on Office 365, and that worked like a charm, which made it clear that something was fishy only with Skype for Business Online tenant domains.
- Verified everything on the Lync Online side ourselves and found that the settings were in place as expected.
Detailed troubleshooting revealed that Office 365 Lync Online looks for the tenant domain name, as the Access Edge FQDN, in the certificate assigned to the Access Edge service of the Skype for Business Edge Servers. That is not the case on hosted platforms, as they have a SAN certificate with provider-domain-based names only, to avoid additional cost and configuration per tenant domain. Currently this seems to be a limitation for hosting providers' tenants that want to federate with Skype for Business Online tenant domains; otherwise the tenant domain names (of those who want this feature) have to be added to the SAN certificate of the Skype for Business Edge Server deployment.
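As an added example (not from the original post or from Microsoft), the following Python check audits which hosted tenants the Access Edge certificate can represent. It assumes the finding above can be modelled as two conditions: the federation SRV target lies inside the tenant SIP domain, and the certificate SAN list names that target. All domain names and the function names are constructed for illustration.

```python
# Added example: audit hosted tenant domains against the Access Edge
# certificate SAN list. Every name below is a constructed sample.

def _norm(name):
    return name.lower().rstrip(".")

def san_matches(san, fqdn):
    """Match one SAN dNSName; '*' stands for the left-most label only."""
    san, fqdn = _norm(san), _norm(fqdn)
    if san.startswith("*."):
        head, _, rest = fqdn.partition(".")
        return bool(head) and rest == san[2:]
    return san == fqdn

def in_domain(fqdn, domain):
    fqdn, domain = _norm(fqdn), _norm(domain)
    return fqdn == domain or fqdn.endswith("." + domain)

def audit(tenants, cert_sans):
    """tenants: SIP domain -> target of its _sipfederationtls._tcp SRV record.
    Returns SIP domain -> list of problems (empty list means no finding)."""
    report = {}
    for domain, srv_target in tenants.items():
        problems = []
        if not in_domain(srv_target, domain):
            problems.append("SRV target is outside the tenant domain")
        if not any(san_matches(s, srv_target) for s in cert_sans):
            problems.append("certificate does not name the SRV target")
        if not any(in_domain(s[2:] if s.startswith("*.") else s, domain)
                   for s in cert_sans):
            problems.append("certificate has no name in the tenant domain")
        report[domain] = problems
    return report

# Constructed provider certificate and tenant list (hypothetical names).
EDGE_CERT_SANS = ["sip.provider.example", "webconf.provider.example",
                  "sip.tenant-b.example"]
TENANTS = {
    "tenant-a.example": "sip.provider.example",   # typical hosted setup
    "tenant-b.example": "sip.tenant-b.example",   # tenant name added to SAN
    "tenant-c.example": "sip.tenant-c.example",   # DNS changed, cert not
}

if __name__ == "__main__":
    for domain, problems in audit(TENANTS, EDGE_CERT_SANS).items():
        print(domain, "OK" if not problems else "; ".join(problems))
```

Feed it the SAN entries read from the Edge certificate and the SRV targets returned by the nslookup query shown earlier to see which tenants would need their names added to the certificate.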
If you have encountered a similar situation, or have further details or insights on this particular limitation or issue, drop me your valuable feedback / comments at firstname.lastname@example.org