Office 365–A Serious Flaw with Lync

I have just spent the last several days working an issue with Microsoft’s Office 365 group. I am extremely disappointed in the failure of logic and implementation.

Office 365 has a really nice Lync Online feature. They say that you can federate your Lync Online to Lync deployments at other companies. Well, that is only partially true.

The way Lync works today is that if I have Lync configured in my organization and have an Edge environment that is configured for open federation, then I can easily connect to and communicate with my business partners in other companies that are also configured for open federation. It is a great idea, and it saves a ton of money and effort when communicating with others in outside organizations.

Well, Lync Online doesn’t work that way. If I, as a Lync Online user, want to communicate via Lync with my business partners that also use Lync, then they have to do way more than just configure open federation. They have to specifically add the Lync Online environment because Microsoft doesn’t seem to know how to implement their own product.

I find it totally unacceptable.

Here is the resolution from Microsoft on my trouble ticket.

On-premise domain has to enable Federation with Lync Online to get this working.

Option#1 :  Add the HostingProvider service entry: 

From your Lync Front End server, launch the Lync Management Shell. Create a new Hosting Provider entry for Lync Online using the following command:

New-CSHostingProvider –identity LyncOnline –ProxyFqdn sipfed.online.lync.com –Enabled $True

Identity                                                                : LyncOnline

Name                                                    : LyncOnline

ProxyFqdn                                          : sipfed.online.lync.com

VerificationLevel                              : AlwaysVerifiable

Enabled                                                                : True

EnabledSharedAddressSpace     : False

HostsOCSUsers                                 : False

IsLocal                                                   : False

Option#2 : Use Direct Federation : Add the Lync Online Allow domain entry with ProxyFqdn. ( Run the following two commands )

New-CSAllowedDomain –identity onlinedomain.com

                Identity                                                : onlinedomain.com

                Domain                                                : onlinedomain.com

                ProxyFqdn                          :

Set-csAllowedDomain onlinedomain.com –ProxyFqdn sipfed.online.lync.com

 

Open Federation settings will not work with Lync Online domain. If the on-premise Lync Domain tries Open federation with a Lync Online domain: The Edge server rejects the communication as the host providing the service mismatch.

Advertisements
This entry was posted in Office Communications Server. Bookmark the permalink.

13 Responses to Office 365–A Serious Flaw with Lync

  1. Pingback: How to enable Office365 Lync Online to Federate with Lync On-Prep | techietom.co.uk

  2. Pingback: How to enable Lync On-Premise to Federate with Office365 Lync Online | Lync'd Up

  3. Korneel Bullens says:

    Hi,

    to be honest, this is no flaw at all. this has to do with the functionality of DNS (SRV records within it’s own DNS domain) and Microsoft not able to present a valid certificate for every domain integrated in Office 365.

    So I’m not agreeing with your Blog, this is simply the way it works, it’s not a flaw at all.

    a way easier solution, and I’m wondering why Microsoft did not point you out to it, is simply going into the Lync Admin Panel, go to external user access, remote domains, and add the SIP domain you want to federate with, and add sipfed.online.lync.com as the access edge. this is a known practice with domains that do not have a sipfederationtls SRV record, or are using a single edge with a single domain name although using multiple SIP Domain names.

    • Yes, you are right in that this is “by design” but I would still call it a major flaw in design and deployment. Just because they dropped the ball in the design does not make it acceptable. It is clearly a flaw.
      My point is simply that if an on-premises installation uses open federation, it is because they have chosen to allow others to federate with them and they want to avoid the overhead of having to configure all of the organizations for federation one by one. Microsoft can certainly configure certificates for each SIP domain and use the same open federation functionality as on-premises installations.
      So, today, if I have an on-premises Lync implementation, and I know of others that I need to work with that also have on-premises Lync implementations, then no additional configuration is needed if both implementations are configured to use open federation. Today, if either organization happens to be cloud hosted, this process fails to work, and the person in the cloud is now tasked with letting the administrator of the on-premises know that extra steps are needed on his side to make the change. Of course, that leads to testing, change control, and so on. While it may be a simple change, it does not mean that organizations can ignore MOF/ITIL and proper procedures within their organization.
      What has happened is now Lync Online is being treated the same as PIC; a lower class citizen. Administrators now have to take extra effort to federate with Lync Online despite their desire to use open federation to handle federated user connections.

      • A further complaint has come up with several organizations in how Lync Online in Office 365 is being handled when it comes to federation. If I, as a Lync Server 2010 on-premises implementation, decide to federate with Lync Online because a key partner is using it, then everyone that is in the Lync Online/Office 365 cloud can also then connect to my environment.

  4. Pingback: Enable Federation between Office 365 and Lync on Premise - Office 365 - Pro-Exchange

  5. Pingback: Første videokonferanse mellom Office 365 beta og lokal Lync installasjon. | Blog for prosjekt samordnet kommunikasjon

  6. Greg says:

    Unless you use the “Allow communications only with users on recipients contact lists” radio button.

  7. That sounds like way too much work.:)

  8. Liam says:

    Sorry – open federation is for lazy people. It’s mostly a vulnerability and treated that way in Lync Onprem installs for a reason. If you can’t setup an explicit Federation with a partner you don’t really understand the use and value of Lync.

    • So, Liam, I agree with you to a point. It makes sense from a security perspective to control federation.

      However, if an on-premises Lync environment federates with Lync Online using the sipfed.online.lync.com address, they expose themselves to more than just the one partner they want to configure for federation. From my point of view, federating with Lync Online is basically the same thing as federating with one of the public IM clouds.

      Of course, you know Lync better than I do, so correct me if I am wrong.

    • espryte says:

      I disagree Liam. If your point would be true then e-mail would never have taken off some 20 years ago.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s