Recently, while creating some documentation for an install it struck me that federation may be a bit confusing if you aren’t working with Lync on a daily basis. With that in mind I’m writing this article in hopes of clearing up some common questions I hear around federation during deployments or see on the forums.
First of all, if you’re not sure what all of this federation stuff is about, there is a good overview here, but basically federation is the process by which we connect our Lync/OCS/LCS environments to other Lync/OCS/LCS environments, such as our partner companies. This connection allows users to easily communicate with users in other companies utilizing all the same modalities they have with users in their own environment (IM, Audio, Video, Desktop Share, etc….).
In Lync 2010 there are 3 types of federation: Dynamic, Enhanced and Direct. Picking which one is right for your partner companies is where it starts to get a little tricky. I won’t go into great detail about how to configure your edge server for federation in this article, but you can reference this article if you’d like more information there. Instead, I’d like to focus on choosing one of the 3 types of federation and the benefits of each.
We’ll start with dynamic federation.
Dynamic federation is a method where a partner company’s edge server is discovered by looking up an SRV record (_sipfederationtls._tcp.domain.com). Dynamic federation is perfect for an environment where users may need to add contacts from other companies quickly and without administrative intervention. The firewall will have to allow inbound connections to the access edge server on port 5061 from any potential partners, but for most companies who use open federation, they allow traffic from everywhere on this port to prevent needing administrative assistance.
There are a couple of limitations on Dynamic federation, first when a partner is discovered via dynamic federation; limitations are put on how many SIP messages (20) can be received per second by that partner. Also, there is a limit of 1000 contacts per federated contact. Last, but not least, if you discover a partner via dynamic federation, the A record and certificate for their federated access edge must match the sip domain of the user. It is very common to see 14607 warnings in the event viewer of your edge server if you are discovering partners via dynamic federation. This is expected behavior but can be modified by using one of the 2 other types of federation. Here is a look at that error:
If you would like to cross the 20 SIP messages per second mark, the 1000 user per partner mark, or be a little pickier about whom you federate with you can use Enhanced Federation.
Enhanced Federation requires that you add your partners SIP domain to the “Federated Domains” list in the Lync control panel. However, you do not need to add the FQDN of their access edge server. Enhanced federation is not limited like dynamic federation so you will no longer have a cap on the number of messages or users. However, if you configure a partner via enhanced federation, the A record and certificate for their federated access edge still must match the sip domain of the user. Here’s a screen shot of how to configure enhanced federation
Last but not least we come to Direct Federation.
Direct Federation just like enhanced federation, has no limit on the number of messages or users, but there is one big difference. If your partner company has an access edge server with an FQDN that doesn’t match the SIP domain, you can still federate. You will just need to put the FQDN of the access edge server and the domain name in like in the screen shot below.
The nice thing about Lync, is you can still utilize all 3 options, for example at my company we have enabled dynamic federation, but still utilize enhanced and direct federation for partners once we start seeing the 14607 errors start showing up.
That covers how you configure the different types of federation in a Lync environment; I did not however, cover federation with the Office 365 cloud. Federation with the Office 365 cloud is done via the Hosting Provider tab and works much like direct federation. For more information on that have a look at Tommy’s article here. There may also be additional consideration around firewall rules based on your company’s decision on which way to configure federated partners.
Hope this helps!
The Lync Guy's Blog 
Super clear article on federation types, thank you.
I have a twisty question for you… If you turn off federation, does that break web conferencing between 2 companies that are both running Lync (full fat clients)? When testing we had “dynamic” federation enabled. After we went into production we’ve since turned off all federation. One of our partners has Lync as well, and now online meetings don’t work. If company A sets the meeting up, those from company B get the error below. It fails the same way if B sets the meeting and A joins…
403 Forbidden
ms-diagnostics: 1002;reason=”From URI not authorized to communicate with federated partners”;source=”sip.opus-group.com”
Hi Ken,
I’ve never tested that scenario but the error is pretty clear. How are your meeting policies set?
Thanks!
-kp
Meeting polices are wide open (everything allowed)
External user access policy was set to Federated User access=off, Remote User Access=on, Public Provider access=off.
Ken,
It works if you enabled federated user access though correct? How about emailing me the full output of the policies kevin @ this domain dot com.
We can take this offline.
-kp
Hi Kevin,
I am currently facing an issue when trying to federate between lync 2010 edge server and ocs 2007 edge server.
When running a sip trace, I see that the connection is reset due to “failed to complete tls negotiation with federation peer”
I was hoping you could point me in the right direction.
Kind Regards,
Shane
Hi Shane,
Maybe it is a cert requirements mismatch, this article is about AOL but may be worth looking at:
http://blog.skinkers.com/2011/02/11/fixing-aol-instant-messenger-connectivity-problems-in-microsoft-lync-2010/
HTH
-kp
Hi Kevin,
Further to my issue. I have successfully federated a different lync edge server with the server that I am having issues with.
Are there any patches etc you are aware of that would need to be installed on an ocs edge server in order to enable federation with a lync edge server?
Some further info is that there is currently federation setup between the two parties using ocs 2007 on one side and lcs 2005 on the other side. We are using the same certificate on the lync edge server as the lcs 2005 server so I’ve not been able to work out how it is a certificate problem.
I’m unable to get a sip trace from the other party as yet so I’m flying a little blind on this unfortunately.
Hi Shane,
There are a number of hotfixes that have been releaseed for OCS 2007, I’d definitely suggest getting that box up to date and trying again. Also, although the certificate may be the same, the processing order of the encryption methods may be different and could potentially cause this.
HTH
-kp
Hi Kevin,
Thanks very much for your assistance. Issue turned out to be an incorrectly installed intermediate certificate. All working as expected now.
Cheers,
Shane.
Hi Kevin,
A newbie question: if you have two forests separated only by a WAN link, with a bidirectional trust between them, do you still need the Edge servers for federation? Or is a frontend on both sides enough? It’s actually for a proof of concept and I’d like to limit the initial investment.
Thanks,
Peter
Hi Lync Guy,
Nice article, I came across it while researching something weird, figured I throw it on here, maybe you or someone else knows whats up…
We have a federated partner, actually another division of our company, everything was working as intended, but now, they can not search for any of our Lync users by email\sip address – when they type in example@dsi.com & hit enter, nothing happens, not even “Presence Unknown”.
However, if they add the contact to their local outlook contacts, it works just fine – even if they just add them with an old email domain address that does not match the sip domain. It seems like it is matching the local outlook contact with the Exchange address book contact item. The can then see presence, send IMs, etc. with that person on our side.
Of course they have no issues with Federation with any other partner, either dynamic or direct.
Sorry for the rambling post, I know you aren’t my tech support, but if you have any clue, I appreciate it.
Thanks,
Sal
Kevin,
Do you know if Lync federation will work if we are still using LIVE@EDU? We are a school district and haven’t been upgraded to O365 yet. Any hope for us now, or do we have to wait until after we’re upgraded?
Thanks, -Evan
Hi Evan,
Not 100% sure on this, but I think you have to be on office 365, I have some friends with BPOS accounts and they cannot federate.
HTH
-kp
Pingback: Push Notification Fails with a 504 Server Time Out | The Lync Guy's Blog (Formerly OCSGuy)
We have Lync2010 pilot up and running, have merged our OCS2007 topology into Lync2010. Have mobility installed and running. We currently have federations with 40 companies, many added a long time ago. We don’t know if any of the federated partners are running OCS2005 or OCS2007/2007R2. When we move federation from the legacy OCS2007 edge server to Lync2010 we don’t want to break the existing federations. Will Lync2010 federation work with both OCS2005 and OCS2007/OCS2007R2. I thought I read somewhere that Lync2010 won’t work with OCS2005 is that true? Many thanks. Louise Aalto
Just wanted to say keep up the great work!
Hi Kevin,
I have also an issue with federated partners, whenever I call the callee receives the call and answer it then it says connecting call and changes the presence of Lync callee to busy but it never connects.
On the Lync front end traces I logged during the call it says the following:
$$begin_record
Trace-Correlation-Id: 1349273356
Instance-Id: 0005E053
Direction: outgoing
Peer: lyncedge.domain.com:50421
Message-Type: response
Start-Line: SIP/2.0 403 Forbidden
From: “Me”;tag=3903b98557;epid=120db13701
To: ;tag=3445ACE6FA78B204E18867583615A6A0
CSeq: 1 SUBSCRIBE
Call-ID: aea8f4e661aa4beaa3c355692d2ba167
Authentication-Info: TLS-DSK qop=”auth”, opaque=”70E4F319″, srand=”DD56FD6C”, snum=”431″, rspauth=”6b8f6bd6c58920debc6a2c524445cbe59a788e12″, targetname=”DEMOLYNC.domain.com”, realm=”SIP Communications Service”, version=4
Via: SIP/2.0/TLS 192.168.1.183:50421;branch=z9hG4bKD4A17C52.5133657F4EA4C357;branched=FALSE;ms-received-port=50421;ms-received-cid=53F800
Via: SIP/2.0/TLS 192.168.3.215:1134;received=88.253.47.61;ms-received-port=20127;ms-received-cid=5C1F00
ms-diagnostics: 1027;reason=”Cannot route this type of SIP request to or from federated partners”;source=”sip.domain.com”
Server: RTC/4.0
Content-Length: 0
Message-Body: –
$$end_record
—-
Thanks a lot
Mohammed,
If IM works but calling doesn’t, the issue is most likely firewall related. I would make sure the correct ports are open on your AV edge server.
HTH
-kp
hi Kevin
Thanks for this Nice Info,i have a Question,we have about 5 separate Forests,and want to integrate all of them by using Federation.the Dark point for me is which type of Federation i have to choose and which Lync general Features are available through Federation ? (Like IM- Presence – EV- COnferencing- etc)
Regards
Hi Mohammad,
As long as each of the forests have an edge environment you can use any type of environment. You will need SRV records to use open federation or enhanced federation, or you can just direct federation which doesn’t require SRV records. All features should be available between the environments.
HTH
-kp
Kevin,
I want make the Federation with 2 partners of my company, for do this, we need to have one AD FS, or all the configuration is doing in Lync Control Panel or Shell.
Sorry for my english, put i dont speak too much.
Hi Gabriel,
This can be done through just the Lync Control Panel. No Need to involve ADFS…
HTH
-kp
Thanks a lot for this information……………
Hi Kevin,
We have a peculiar issue with our federation and post enabling Lync Mobility, we are not able to successfully get the presence of our domain users from external domains. Our users/contacts already added to external domains/users clients can view our domain user presence but they cannot view any new members and we get the below errors on the snooper log and in client it says “presenc unknown” where as the information is successfully retreived for old users already in their contact list.
SIP/2.0 403 Forbidden
SIP/2.0 481 Call Leg/Transaction Does Not Exist
Have checked all the domain policies, configuration and also user setttings and all are well. Any ideas what could cause this issue?
Venkat-R
Are the people you are adding in the same domain as people that are working?
-kp
Hi Kevin, We are adding external domains and not the same domain. For ex if our domain is A and we get a request for federating with domain B, it was working till lync mobility without issues. After that when a user in domain B addes a new user of our domain A and tries to lookup, it fails with the stated error.
Hi Venkat-R,
Do you by chance have CU6? If so, can you verify how your entry for the provider (mobility) is configured and if the company you are testing with is using Office 365 for their Lync deployment?
Thanks!
Kevin
We dont have CU6 and 365, its on premises setup only.
What CU are you on? Also, I meant is the company you are federating with on Office 365 (not your environment).
HTH
-kp
Question for you. I want to forward ALL unknown (non-local) SIP requests to another proxy machine, which is NOT Lync. This machine will handle federation, as well as routing SIP around internally in the organization: some of our users are set up with Asterisk, or other PBXs).
The Lync federation stuff seems to not really support this. Either you enter domains by hand, or you turn on SRV lookup, which uses non-standard _sipfederationtls records.
The PSTN gateways seem to only work for tel: uris.
What’s left?
Hi Jerome,
Lync wasn’t really built to do this, I’m not sure it would be possible.
-Kevin
Great article I was wondering if anyone had info on connecting to external contacts via Lync 2010 not using the Lync client, we are currently federated but need the ability to connect to either MSN or AIM accounts for global manufacturering partners overseas as we move from googletalk to Lync 2010. Not sure how to add them. Any thoughts
Hi Rick,
This is called PIC (Public IM Connectivity). You need a license for this but can set it up at https://pic.lync.com It works in a similar fashion to federation.
HTH
-kp
Hi Kevin,
I would like to know is there any known issue between ocs and lync live meeting. Lync platform users are not able to join the live meeting hosted by ocs platform user.
Hi Kevin,
I would really appreciate you help. I am completely new to Lync / OCS and have had to learn so that I could implement a new Lync infrastructure at the company I’m working at. There is already a Lync 2010 and OCS server in place, but the company group I’m working for is in the process of splitting all the shared services, Lync/OCS being one of these. A new forest has been created (new domain name and new sip name) and I have installed a new Lync 2010 FE server and Edge server into this new forest. I now have to setup the server so that users in the new forest can IM users in the old forest. Can I do this by using the direct federation method yiou explained above? What do I need to do with the certificates on the edge server?
Thanks
Yes Paul you can do this with direct federation (or any other federation method). you just need to route from edge to edge (via the internal interfaces). Make sure you have the appropriate SRV records in place for federation and all certificates have the appropriate FQDN (the FQDN of the access edge server) and are trusted by each edge server. If that is all in place you should be good.
HTH
-kp
Great, thanks for your reply. I seem to have a problem with certificates at the moment so I wonder if you could advise on this problem. I think I have all the certificate requirements in place but seem to have issues when running the Microsoft Remote Connectivity Analyzer tool. It resolved the hostname of sip..co.uk, connects on port 443 ok but fails on the certificate validation saying the certificate couldn’t be validated. The Edge public certificate was obtained from a public CA, the Edge internal and Front End certificates were from a internal enterpise CA. I’m not sure if I have the correct subject name / SAN names for my Edge external certificate.
It’s a lot of info that I need to write down, would it be possible to e-mail you directly?
Hi Paul,
you said the certs fails validation for sip…co.uk. Is that the common name or in the SAN list on the cert? Try going to digicert.com/help and testing against your SIP. address to see what it tells you. Also, make sure all the edge servers have the appropriate root and intermediate cert chains installed and they are in the right containers (root in root, intermediate in intermediate).
HTH
-kp