Skype for Business to Office 365 Federation Issue

A customer I was working with who has an existing on-premises Lync deployment had trouble federating with certain partner domains. After investigating the issue it was determined that the problem partner domains were using Skype for Business Online. The symptoms were that the users in the partner domain were able to see my customer’s presence information and able to send Instant Messages. However, the customer could not see the partner presence or reply to any communication (one-way federation).

I have come across one-way federation issues before whilst deploying; however, this was different in that the customer could federate with other partners fine, so I knew that the usual suspects such as certificates, DNS and firewall were probably not going to be the culprits here.

So focusing on the fact that the partner domain was in Office 365, this at least gave a starting point. Tracing the communication between the on-premises Edge server and Office 365, I was able to see that indeed the customer’s Edge server was discovering the correct federation SRV record for the partner, and from the Edge server I could establish a connection to Office 365 using Telnet. However, the Edge server received no response from the Office 365 federation service and timed out the connection, which explains why customer users aren’t able to establish a communication stream.


Skype for Business–Block Call Identified as Malicious

For a long time there has been a little-used feature within Lync and Skype for Business, called Malicious Call Trace (MCT), that allows end users to highlight a nuisance voice call to the administrators. MCT basically allowed the end user to report a call immediately after hanging up, which would register in the call detail records database as a trouble call. This information could then be used by Skype for Business administrators to highlight potential issues and act accordingly. Often acting accordingly means not doing much, not because you don’t want to, but because you can’t. Whether that is time or money, they are usually the two main factors. Skype for Business doesn’t provide any administrative blocking options for incoming numbers, and instead relies on end users keeping their relationships up to date and/or some third-party tool that costs $$.


Skype for Business–Survivable Branch Appliance or Cloud PBX?

Skype for Business Server has been out in the general market for 14 months so far. However, one particular role seems to be dragging its heels towards release, and that is the Skype for Business Survivable Branch Appliance. If you are considering an SBA, then the likes of Sonus and AudioCodes have an SBA product. However, if you look under the bonnet, this will be a Windows Server 2012 (in the latest release, or Windows Server 2008 R2 in older image versions) with Lync Server 2013 core components installed to act as the SBA.

There appears to be something in the pipeline to bring the SBA to full Skype for Business edition, but there seems to be no urgency to release this to the market. Why?

Well, Microsoft released Cloud PBX late last year, and have made great strides in rolling this out globally across all their Office 365 datacenters and media networks. It is clear that this is where their main energy, focus and direction are going, which is a good thing! But it also begs the question over the viability of not only Skype for Business Server in the future, but the role of the SBA in today’s ecosystem.

The purpose of the SBA was always to give some level of PSTN calling capability to a site when the connection breaks to the central site where the Skype for Business Front End Pool is located. These were ideal for long distance branch sites with poor inter-site connectivity that was prone to connection issues. Admins could guarantee a level of service to users at that site in order to provide the basic tools for “normal” business operation (Normal = basic toolset).


Skype Broadcast Meetings–A Preview–Q&A & On Demand Playback

Whilst preparing for the next Skype Show I was exploring if anything had changed on my tenant in light of the announcements made at Enterprise Connect back in April. For those who follow the Skype Show, you will know I use Skype Broadcast Meetings as the main technology for these shows. So the announcements made at EC16, notably the Q&A functionality for Broadcast Meetings, were particularly useful to me.

If you have ever used Broadcast Meetings, you will know that trying to engage with your audience is quite a challenge. Sure, we have the ability to integrate Yammer, but this relies on the audience having a Yammer account, and then understanding enough about Yammer to join the group. This is a major put-off, and people who want to engage are often put off by this. Broadcast Q&A will improve engagement 100% and I cannot wait for this feature to arrive!

And it has! At least in Technical Preview and much to my excitement!


Skype for Business & Azure AD Application Proxy As Reverse Proxy

Often when speaking with customers, there is a large discussion about what reverse proxy is used for Skype for Business deployments, the cost of them and network dependencies. Experience has taught me that reverse proxies often take up far too much time on the discussion table because customers usually do not understand their need. They view these as nothing more than pass-thru devices and fail to understand or “buy in to” the edge network protection they provide when deployed properly. But Skype for Business requires one, so in the end it’s a choice: external meetings and mobility, or not?

Customers then ask for the cheapest solution and until now we are limited to WAP and KEMP as official qualified devices. Both have disadvantages. WAP has a dependency on ADFS which is a big turn off to customers who do not have a requirement for ADFS beyond simple reverse proxy. KEMP can be quite an expensive solution depending on throughput and high availability requirements.

So I have been looking for an alternative, cheaper, easier solution and as a result have been playing around with Azure AD Application Proxy. I admit this is not a qualified solution, but neither are NetScaler, IIS ARR and TMG, but we still use them… I would always advise to use qualified solutions for full end-to-end support.

There is a big difference between “it works” and “it works properly”

That said, I wanted to find out if Azure AD Application Proxy “works”.


Skype for Business / Sonus Survivable Branch Appliance Firewall Rules

Deploying a Survivable Branch Appliance (SBA) into a Skype for Business topology takes a bit of planning. As part of the planning exercise you will no doubt be discussing what firewall ports are required in order to deploy the SBA securely from both external and internal source-based attacks. Reading documentation from various sources online, I have yet to find a definitive and concise firewall rule table that addresses an SBA directly. However, breaking down an SBA into components, it contains:

  • Session Border Controller
  • Skype for Business Mediation Server (collocated)
  • Skype for Business Registrar Server (collocated)
  • Skype for Business CMS local replica (collocated)

With this in mind I have collected all the ports required for an SBA deployment in a security-conscious network.

Note that these ports relate to the Sonus SBC 1000/2000 with the ASM SBA module installed. Other manufacturers of SBAs may have other port requirements.


Skype for Business–Understanding Location Based Routing

First I should note to you that this post will probably contain nothing new and fancy that cannot be found on other blogs historically regarding location based routing. The purpose of this is to summarise Location Based Routing (LBR) in my own words to remind me. If it helps you too, all the better! When researching this function, Microsoft’s documentation on how to implement it is pretty procedural. By this I mean, it shows you how to enable it, but doesn’t really explain the implications or dependencies for it. Thank you to Ken Lasko’s and Rich Brynteson’s blogs on filling in the blanks!

So with these in mind, I wanted to get to grips with LBR and understand when and where to use it.


Location Based Routing is the ability to route calls to specific voice gateways and ultimately specific PSTN connections based on the user’s physical location.


Skype For Business–Is Presence Irrelevant?

When talking with customers new to unified communications, I ask them what they think is the most important feature deploying a unified communications solution will provide their business. 10 out of 10 customers will say the word presence within the first three items they list. To me this is significant, as human psychology shows we tend to list things in the order in which they are most important to us. When the CTO explains their objectives and goals, you need to take note of the order in which these are conveyed. These form not only the basis of the business requirements, but also the ones you need to pay particular attention to. Experience has taught me that businesses have on average 12 critical objectives that the solution must meet. These critical objectives are non-negotiable with the customer. Present a solution that does not meet all of these objectives, and you might as well save yourself all the trouble of scope of work, high level design document(s) and reply with a “no bid” e-mail. It is that simple. After about 12, you and the solution have a bit more leeway and the customer is more open to suggestions, modifications, reasoning and guidance. Usually these are based on “nice to have” or “budget dependent” criteria. Presence is never on this list!

Presence is the central principle of real-time communications. The idea of being able to see a person’s availability to make informed choices of the best method of communication is the fundamental concept on which every unified communications platform is built. Yet, it appears that this core concept is now becoming increasingly irrelevant. I thought it was only me, but a comment on Twitter (I forget by whom) prompted me to think this is a much wider issue.


Skype for Business– Migrate-CsAnnouncements

Those of you familiar with Skype for Business voice functionality will be aware of the use of announcements. Announcements are pre-determined messages that can be played when a user dials an incorrect or unallocated number, and they can even be used to route into response groups and other third-party applications.

These announcements are created and assigned to a particular application server pool, i.e. a Front End pool. This assignment means that the application server is responsible for the announcement and the response group service of that application server is used in order to play the announcement to the caller.

When this application server pool is down, the announcement service will also fail. Pool pairing and automated failover scenarios out of the box do not handle the failover of announcements to the DR application pool. Therefore, in a pure failover scenario, the announcement service is not resilient.

Many customers can often have numerous announcements for whatever reason, and the normal process of migrating these is sadly to recreate them on another pool. Even when migrating from previous versions of Lync, the announcements are not automatically migrated and there is no move-csannouncement PowerShell cmdlet to help.

Announcing the new function Migrate-CsAnnouncements


Skype for Business–Error Constructing or Publishing Certificate

When adding a new Skype for Business server to an existing topology, I came across the following error statement whilst trying to request a certificate from the internal certificate authority:

Command execution failed: Error Constructing or Publishing Certificate. The certificate validity period will be shorter than the “template name” certificate template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA Certificate, reducing the template validity period, or increasing the registry validity period.
