Lync On-Prem to Office 365 One Way Federation

So the scenario is pretty straightforward. I have a Lync On-Prem deployment, and when I try to find a person who is hosted on Office 365, their presence is listed as unknown. If they try to start an IM conversation, they get:

SIP/2.0 403 Forbidden
Server: IncomingFederation/5.0.0.0
ms-diagnostics: 1034;reason="Previous hop federated peer did not report diagnostic information";Domain="acme2014.onmicrosoft.com";PeerServer="sipfed.online.lync.com";source="sip.domain.com"

The Office 365 person can see the presence of the Lync On-Prem user and can successfully start an IM and everything works.

My O365 External Communications is set to On except for blocked domains and there are no blocked domains.

So we can clearly see that the O365 is enabled for federation.  Next thing to verify is my DNS records for my O365 tenant and using OCS Connectivity it comes back as successful and green validating all DNS records are published.

So everything looks right on the O365 side.  On the Lync On-Prem side, we have the Hosted Partner setup:


Identity                  : LyncOnline
Name                      : LyncOnline
ProxyFqdn                 : sipfed.online.lync.com
VerificationLevel         : AlwaysVerifiable
Enabled                   : True
EnabledSharedAddressSpace : False
HostsOCSUsers             : False
IsLocal                   : False
AutodiscoverUrl           :

And then we have also added the domain to the allow list.

Lastly, we only have a single SIP domain in our Lync On-Prem deployment, so the default domain is the only domain.

Where else can I look for additional information?

Thanks,

Joe

February 12th, 2014 8:21am
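The 403 above is only useful if you read its ms-diagnostics header. As an added example (not code from the thread), here is a small Python parser for that header that also groups failures by error id, PeerServer and Domain, so a batch of responses from an edge trace shows whether every failure involves the same peer tenant. The sample responses are constructed from the post's 403; the second tenant domain is hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the 403 quoted in the post, a second 403 for another
# (hypothetical) tenant domain, and a 200 OK that carries no diagnostics.
SAMPLE_RESPONSES: List[str] = [
    "SIP/2.0 403 Forbidden\r\nServer: IncomingFederation/5.0.0.0\r\n"
    'ms-diagnostics: 1034;reason="Previous hop federated peer did not report '
    'diagnostic information";Domain="acme2014.onmicrosoft.com";'
    'PeerServer="sipfed.online.lync.com";source="sip.domain.com"\r\n',
    "SIP/2.0 403 Forbidden\r\nServer: IncomingFederation/5.0.0.0\r\n"
    'ms-diagnostics: 1034;reason="Previous hop federated peer did not report '
    'diagnostic information";Domain="contoso.onmicrosoft.com";'
    'PeerServer="sipfed.online.lync.com";source="sip.domain.com"\r\n',
    "SIP/2.0 200 OK\r\nServer: RTC/5.0\r\n",
]

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")   # status line: SIP/2.0 403 Forbidden
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')      # key="value" pairs after the id


def parse_response(raw: str) -> Optional[Tuple[int, int, Dict[str, str]]]:
    """Return (SIP status, ms-diagnostics id, fields) or None if the header is absent."""
    lines = raw.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "ms-diagnostics":
            value = value.strip()
            code = int(value.split(";", 1)[0])       # numeric id before the first ';'
            return int(m.group(1)), code, dict(FIELD_RE.findall(value))
    return None


def summarize(responses: List[str]) -> Dict[Tuple[int, str, str], int]:
    """Count failures per (error id, PeerServer, Domain). Grouping by Domain shows
    whether every failing conversation involves the same federated tenant."""
    counts: Dict[Tuple[int, str, str], int] = {}
    for raw in responses:
        parsed = parse_response(raw)
        if parsed is None:
            continue                                 # success or no diagnostics
        _, code, fields = parsed
        key = (code, fields.get("PeerServer", "?"), fields.get("Domain", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feed it the SIP responses from a Lync Server Logging Tool or Wireshark export of edge traffic on 5061; for 1034 the reason text says the previous hop did not report anything, so the Domain and PeerServer fields tell you which side to look at next.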

Hi Joe,

Can you test the following, please?

Can you select "On only for allowed domain" option from office 365 Lync online admin panel and add your on-premise domain manually. Save the changes and verify the presence and IM between the users.

Thanks

Saleesh

February 12th, 2014 1:55pm

Thanks for the reply.  I should have mentioned I did try this before but I went ahead and switched it back to blocked by default and added the single domain.

I waited one hour (just to make sure everything took) and the problem remains. I get the 403 error.

Thanks

February 12th, 2014 5:57pm

Please check you have enabled Public IM connectivity mode for Public IM service providers in Lync Online Control Panel.

Please check that you have created a rule for the provider Lync Online in Lync Server Control Panel for Lync on premises.

For details, you can check

http://jackstromberg.com/2013/05/lync-on-premise-with-office-365-federation-error-id-403/

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

February 13th, 2014 11:49am

Lisa,

As mentioned in my first post, I have this in my on-prem deployment:

Identity                  : LyncOnline
Name                      : LyncOnline
ProxyFqdn                 : sipfed.online.lync.com
VerificationLevel         : AlwaysVerifiable
Enabled                   : True
EnabledSharedAddressSpace : False
HostsOCSUsers             : False
IsLocal                   : False
AutodiscoverUrl           :

And my settings in O365 are:

On except for Blocked Domains

I know the O365 works fine, because I can federate with it fine from other on-prem Lync deployments.

Thanks.

February 14th, 2014 5:28am

Hello Joe2013, 

Did you find a solution?

We have the same problem. The federated company's O365 environment seems to be fine. Our Lync On-Prem seems to be configured fine too.

The problem is one-way federation (for certain users) from Lync 2013 -> MS O365.

Until DirSync is performed, federation is working.

BR Hr

February 22nd, 2015 8:26am

Check Federation and External Access - SIP Federated Providers, select the Lync-OnLine provider and make sure that the radio button "Allow users to communicate with everyone using this provider" is selected.

If you don't, then you can only communicate with users that have been added to the user's contact list.

So this means if the person you are trying to IM in O365 isn't added as a contact, then you can't IM.

February 23rd, 2015 3:27am

"Allow users to communicate with everyone using this provider" is already set.

---------------------------------------------------------------------

The problem is one-way federation (for certain users) from Lync 2013 -> MS O365.

1) Federations with O365 are working fine for "test user 1".

2) Many federations with O365 are NOT working for "test user 2" (...but still some O365 federations are working).

---------------------------------------------------------------------

Until DirSync is performed, federation is working.

...or e.g.: until we filtered "test user 1" out of DirSync, that user had the same problem as "test user 2".

March 8th, 2015 4:46pm

In my experience, 1-way federation has been an issue with the firewall. I do concede that I am not sure how this would not be "all or nothing", however. Check your edge firewall on 5061; run a Wireshark trace. Look at the firewall logs for denies. I would also test by turning off the Windows firewall and checking results. At this point, what could it hurt?

_G

March 9th, 2015 10:19am

Thanks, I would like to provide an update:

"Allow users to communicate with everyone using this provider" is already set.

---------------------------------------------------------------------

Federation with on-premise partners is working fine (both ways).

---------------------------------------------------------------------

The problem is one-way federation from Lync 2013 -> MS O365 (for certain Lync 2013 on-prem users: users that are DirSync-ed to the Contoso.com O365 Exchange).

1) All federations with O365 are working fine for "test users 1" (that are filtered from DirSync).

2) Many federations with O365 are NOT working for "test users 2" (...but still some O365 federations are working for this group).

--------------------------------------------------------------------

If "test user 1" is filtered from DirSync, federation is working.

...if "test user 1" is not filtered (= is synchronized with Contoso.com O365), "test user 1" has the same problem as "test user 2".

---------------------------------------------------------------------

O365 sipfed.online.lync.com points to two IPs: 132.245.193.21 and 132.245.193.35. For both IPs, ports 5061 and 443 are enabled, plus additional ports (that are not important to this problem).

March 14th, 2015 12:19pm
