Hi

We are trying to federate between two lync deployments with the following domains, with our federation product.

1. Lync 2010 server - child1.parent.com

2. Lync 2013 server - child2.parent.com

Our product performs the TLS handshake with the two domains and acts as the remote domain to each of them.

When our product uses a self signed certificate, then the federation is successful, however when we replace thecertificates with a CA signed certificate like GoDaddy, then the other lync responds with a 504 Server time-out.

Text: The message has From and To domains that are not allowed in this combination

Result-Code: 0xc3e93d89 SIPPROXY_E_EPROUTING_MSG_ABSENT_SPLIT_DOMAIN_INFO_HEADER

.....

Data: summary="Domain type analysis indicates that the message should have a ms-split-domain-info header, but the header is absent";external-domain="child1.parent.com";external-type="domain-type-remote";internal-domain="child2.parent.com";internal-type="domain-type-both"

Any idea, as to why is this problem coming with a CA signed certificate. TLS Handshake is successful, as the 504 Server time-out is itself encrypted.

Hi

have you installed the trusted certificate root and intermediate certificates to the local machine certificate store on the edge servers? Have you allowed TCP/UDP 53 (DNS) and 80 (Http) outbound from the edge servers so they can perform CRL lookups? Probably incorrect certificate chain building going on.

thanks

Hi

Yes, the root and intermediate certificates are well installed and also there is no issue in crl lookup, as the TLS handshake is successful. The 504 sent by Edge is itself encrypted.

Could it be somehow related to hybrid deployment/split domain at lync? As both the domains have same parent domain?