Lync On-Premise Mobility Configuration Can Cause issues with Lync Online (O365) Meetings

March 12th, 2013

 

Setup:

 

In this scenario:

  • Bob, a Lync On-Premise user, receives a Lync Meeting request from Carol, a Lync Online (Office 365) user
  • These users are not in the same organization
  • Federation is not set up for these domains
  • Open Federation is not set up for the Lync On-Premise environment
  • Mobility has been set up in the Lync On-Premise environment

Issue:

 

When Bob, the Lync On-Premise user, receives a Lync Meeting request from Carol, a Lync Online (O365) user, and clicks the Join Lync Meeting URL, his client shows the following error: “A server error occurred. Please contact your support team.”

Using Snooper, we open the Lync client diagnostic logs: Communicator-uccapi-0.uccapilog

We see the following error message:

SIP/2.0 500 The server encountered an unexpected internal error

ms-diagnostics: 1028;reason="Domain resolved by DNS SRV to a configured hosting service but the domain is not in the allow list";domain="domain.com";fqdn1="sipfed.online.lync.comtrue5061";source="sip.silbers.net"

 

Cause:

 

As mentioned in the setup, no federation is set up between the two Lync environments, and Open Federation is not set up for the Lync On-Premise environment. The error message shows, however, that the client is trying to communicate with a domain configured as a “Hosting Service” and is trying to connect to sipfed.online.lync.com.

We can check the configured hosting providers in Lync with the following:

Get-CsHostingProvider

Identity                  : LyncOnline
Name                      : LyncOnline
ProxyFqdn                 : sipfed.online.lync.com
VerificationLevel         : UseSourceVerification
Enabled                   : True
EnableSharedAddressSpace  : False
HostsOCSUsers             : False
IsLocal                   : False
AutoDiscoverUrl           :

 

Here we can see that sipfed.online.lync.com is set up as a Hosting Provider. This was configured as part of the Lync Mobility configuration. Why is the Lync Meeting trying to talk to the hosting provider used for Lync Mobility?

Because sipfed.online.lync.com is also used as the access edge for federation with Office 365.

So let’s check the federation SRV record for domain.com and see if it is configured to point to Office 365.

Using nslookup for the SIP Federation SRV record:

c:\nslookup

Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

>set type=srv
>_sipfederationtls._tcp.domain.com
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
_sipfederationtls._tcp.domain.com SRV service location:
          priority       = 100
          weight         = 1
          port           = 5061
          svr hostname   = sipfed.online.lync.com

Here we can see the SRV record for domain.com is pointing to sipfed.online.lync.com, which means Carol’s Lync environment is hosted with Office 365.

When Bob attempts to join Carol’s meeting, Lync does a federation validation for Carol’s domain “domain.com” and finds a valid SRV record pointing to sipfed.online.lync.com.  Bob’s On-Premise Lync environment has sipfed.online.lync.com configured as a valid hosting provider. 

Since sipfed.online.lync.com is a valid hosting provider, Lync next checks to see if “domain.com” is an Allowed Domain.  In this scenario, the only Allowed Domain configured is Push.Lync.Com.

 

Get-CsAllowedDomain

Identity                    : Push.lync.com
Domain                     : Push.lync.com
ProxyFqdn                :
Comment                  :
MarkForMonitoring    : False

 

In the results we see only “Push.Lync.Com”, which is configured for push notifications with Lync Mobility.

Since domain.com is not an Allowed Domain, Lync blocks the connection with the error: “Domain resolved by DNS SRV to a configured hosting service but the domain is not in the allow list”.

Resolution:

 

Since domain.com is hosted on Office 365, which uses the same FQDN for federation as Lync Mobility, it is necessary to add domain.com as an Allowed Domain. Keep in mind, though, that this not only allows Lync Meetings but essentially enables federation with the entire domain, so review any other policies you have that target federation.

New-CsAllowedDomain -Identity domain.com

An alternate method would be to allow Open Federation.  This comes with its own warnings however, as Open Federation isn’t always the best solution.
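Because each allowed domain enables federation with that whole domain, it helps to know exactly which domains are being rejected before changing the allow list. The following Python script is an added example, not part of the original post: it pulls ms-diagnostics 1028 entries out of log lines and lists the rejected domains that are not already allowed. The function names, the 9999 id and every sample line other than the two quoted from the post are constructed for illustration.

```python
import re
from collections import defaultdict

# Header shape seen in the uccapilog: ms-diagnostics: <id>;key="value";key="value"
_HEADER = re.compile(r'^ms-diagnostics:\s*(\d+)\s*;(.*)$', re.IGNORECASE)
_PARAM = re.compile(r'([\w-]+)="([^"]*)"')  # quoted values may contain ';'

def parse_ms_diagnostics(line):
    """Return (error_id, params) for an ms-diagnostics header line, else None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    params = {k.lower(): v for k, v in _PARAM.findall(m.group(2))}
    return int(m.group(1)), params

def blocked_hosted_domains(lines, allowed_domains):
    """Map each domain rejected with 1028 to the hosting FQDNs logged for it.

    Domains already present in allowed_domains are skipped (stale log entries).
    """
    allowed = {d.lower() for d in allowed_domains}
    blocked = defaultdict(set)
    for line in lines:
        parsed = parse_ms_diagnostics(line)
        if parsed is None or parsed[0] != 1028:
            continue
        _, params = parsed
        domain = params.get("domain", "").lower()
        if domain and domain not in allowed:
            blocked[domain].add(params.get("fqdn1", ""))
    return {d: sorted(fqdns) for d, fqdns in blocked.items()}

# The first two lines are quoted from the post; the rest are constructed samples.
SAMPLE_LOG = [
    'SIP/2.0 500 The server encountered an unexpected internal error',
    'ms-diagnostics: 1028;reason="Domain resolved by DNS SRV to a configured hosting service but the domain is not in the allow list";domain="domain.com";fqdn1="sipfed.online.lync.comtrue5061";source="sip.silbers.net"',
    'ms-diagnostics: 1028;reason="constructed; repeat hit";domain="Domain.com";fqdn1="sipfed.online.lync.comtrue5061";source="sip.silbers.net"',
    'ms-diagnostics: 1028;reason="constructed";domain="push.lync.com";fqdn1="constructed.example";source="sip.silbers.net"',
    'ms-diagnostics: 9999;reason="constructed, unrelated id";domain="other.example";source="sip.silbers.net"',
]

if __name__ == "__main__":
    for domain, fqdns in blocked_hosted_domains(SAMPLE_LOG, ["Push.lync.com"]).items():
        print(domain, "->", ", ".join(fqdns))
```

Pass the Domain values from Get-CsAllowedDomain as allowed_domains so that only domains still missing from the allow list are reported.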
