Hi, I'm using Lync Online to communicate with contacts of a federated partner who are still on OCS 2007 R2. We can communicate just fine, there are no issues with instant messaging or A/V, however, while my partner's contacts can see my presence just fine their presence is always shown to me as 'unknown'. They have added Lync Online as an IM provider with default settings. I had their admins have a look at their OCS Edge Server's event log, and they are seeing truckloads of this event.
A significant number of connection failures have occurred with remote server sipfed.microsoft.com IP 184.108.40.206. There have been 109 failures in the last 577 minutes. There have been a total of 109 failures.
The specific failure types and their counts are identified below.
Instance count - Failure Type
This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.
Looks like the Lync Online federation proxy sipfed.microsoft.com has some kind of issue with OCS 2007 R2 domains. What can we do to get presence working in the direction from OCS 2007 R2 to Lync Online?
Regarding your issue with the presence unknown for federated OCS 2007 R2 contacts. This sounds like your end of the federation is set up correctly as they are able to see your presence. However, they may not have the federation set up correctly on their side due to the mention of sipfed.microsoft.com as well as missing presence. Here is a TechNet article to refer to for them to configure federation for a Lync Online 2010 user.
Thanks Brent. The article describes how to add a hosting provider in Lync 2010, however, my federation partner is still running OCS 2007 R2. I worked with their admin, to adapt the instructions to their OCS 2007 R2 Edge Server, and we did the following.
Added an IM Service provider named 'Office 365'
Entered 'sipfed.online.lync.com' as the IM service provider Access Edge
Ticked 'Allow communications only from users verified by this provider'
I still couldn't see the presence of any of their OCS 2007 R2 contacts. We then tried the following.
Ticked 'Allow all communications from this provider' - no change
Entered my Lync Online domain and 'sipfed.online.lync.com' explicitly as an allowed domain, to increase the trust level (they are using open federation) - again no change
Instant messaging works fine but I still cannot see their presence.
What are we missing?
When you configured this, did you have them use PowerShell to enter the cmdlet to configure the hosting provider? I will look further into this for you.
Thanks for your help, much appreciated. Again, they're on OCS 2007 R2. There is no PowerShell interface for that. It was done on their Edge Server via the OCS snap-in in Computer Management, but it mimics exactly what the New-CSHostingProvider would do in Lync Server 2010.
Because we can exchange instant messages just fine my guess is that it has something to do with presence subscriptions and trust levels, but the help on that is not helpful at all. I already tried to assign the contacts on both sides to the personal/family and team/workgroup level, but that didn't change anything, either.
I just don't know where to look. It might be a Lync to OCS thing because I can federate just fine with other Lync Online and Lync on-premises domains as well as Windows Live accounts.
This may seem a bit redundant, but have you by chance checked to see if the SRV federation record is configured on the OCS environment? If it is set up then it might be something with the OCS to Lync Online. The reason you can federate just fine with everything else is because everything on your end is set up correctly. I am still looking further into this issue to try and find a resolution for you.
Yep, the DNS SRV and A records are in place and correct. In fact, my OCS federation partner is federating successfully with a bunch of other organizations running OCS and Lync on-premises. So far it still looks like a Lync Online to OCS issue, however, since I've set up everything at their end according to the instructions how to add Office 365 as an IM provider to OCS 2007 R2 I'm not sure what else I need to do.
By now I have accounts on both sides, my own Lync Online domain and the OCS environment of my federation partner. Do you want to test directly with me in both environments?
Thanks for your continuing support
At this point it sounds like you have done everything you can to configure this to work. It seems that an issue with the OCS environment to Lync Online is where the issue lies. I am still looking into this to see if I am able to find anything that will be of great help to you. Thank you for your continued time and patience.
Thanks Brent, much appreciated.
I exported the complete chain of certificates that is used by the OCS Edge Server of my federation partner. It's been issued by 'Entrust.net Certification Authority (2048)'. Would it help if I sent these to you? We know that communication is working - it's just the presence that's broken, not sure if this could be a certificate issue at all.
Based on the information you have provided me, Lync Online is set up correctly. I have included some additional articles that will be of assistance to you. All remaining configuration steps have to be done on the on-premises server. I have sent you a PM with the information and the 2 articles. I hope this is of great assistance to you.
Thanks Brent Coldewey
Sorry - I replied to the 'PM' (whatever that means) before I saw your last message, so I thought it was from somebody else.
Unfortunately both articles are not helpful. We already tried adding my Lync Online domain as a trusted partner in OCS 2007 R2, specifying sipfed.online.lync.com as the Access Edge Server, but that didn't help. The second article is a year old and pertains to the Office 365 Beta, when the DNS records were pointing to the wrong server sipdir.online.lync.com, so that doesn't apply either.
What could possibly block the presence, yet allow instant messaging? Any idea where to look? Can we escalate this issue to a Lync team who could take a look at the traffic passing between my Lync Online domain and my OCS 2007 R2 federation partner?
Being that Lync is working correctly on your end and the issue lies with the OCS server, the partner you are trying to configure this with would need to contact our Commercial Technical support @ 18009364900 if they need help setting up or configuring their OCS on-premises server to use federation.
Thanks, but they don't need help - they are federating successfully with a lot of others, just not Lync Online, so it's probably a Lync Online issue. So let me ask you again. What could possibly block the presence, yet allow instant messaging? Any idea where to look? Can we escalate this issue to a Lync team who could take a look at the traffic passing between my Lync Online domain and my OCS 2007 R2 federation partner, or at least provide some insight what might cause a behaviour like this? To be honest, I've never seen it before, it either doesn't work at all or it works fine. What settings control the ability to see a federated contact's presence independently of instant messaging and A/V communication?
Are they successfully federating with other partners using Lync Online? Are you able to successfully federate with other OCS 2007 R2 partners? We have gone through the way you have Lync Online set up on your end and it is set up correctly. Federation is governed by the proper DNS records and the way it is enabled in the Online Portal. If the DNS records are set correctly and the federation settings in the Portal are set to allow and not block, or if it is on block and the partner is on the list of allowed partners, there should not be an issue with federation unless it is a compatibility issue.
I agree that it must be some kind of compatibility issue. They can federate successfully with other Lync Online partners, as well as I can federate successfully with other OCS 2007 R2 partners. Again, communication is working, it's only the presence that's not working in one direction (I can't see their presence but they can see mine). So let me ask you again, what could possibly block just the presence, yet allow communication? What settings control the ability to see a federated contact's presence independently of instant messaging and A/V communication? I feel that that's what we need to look into here.
I agree, I will look into the different federation settings with Lync and the online portal. I will get back to you when I gather the information. I really appreciate your continued time and patience. Thanks, Brent Coldewey
I was looking through the federation settings in Lync Online and the status information. What is yours set to? There are 2 options available to choose from. 1. I want everyone to be able to see my presence regardless of system setting. (override default settings) 2. I want the system admin to decide. The best option is option number 1. Have your partner check this as well. And another question: is your partner using Lync or Communicator?
Go to the Front End Server of the OCS, then go to global settings, select the federation tab, allow the federation, and in server name add your OCS edge server.
Then you will be able to get the presence information of Lync Online users.
0 out of 1 people found this post helpful.
Lync Online is set to "Automatically display presence information", and our Lync Client is set to "I want the system administrator to decide". Again, that's not the issue here, because my federation partner can see my presence just fine. Again, my federation partner is still running OCS 2007 R2, so I would need you to tell me which settings in OCS 2007 R2 result in the same kind of configuration (as far as I know there is no such option in OCS 2007 R2, but I might be wrong). My federation partner is still using Office Communicator 2007 R2 because Lync 2010 is not a supported client for OCS 2007 R2.
So let me ask you again, what could possibly block the presence yet allow communication from OCS 2007 R2 to Lync Online? Please consider all information already provided in my earlier posts in this thread so that we don't go round in circles.
I sent you a PM with details covering how to change the Federation settings on the OCS 2007 R2. It is almost identical to what Tarway from above mentioned. I hope this helps with the federation settings.
Thanks, but that is already in place, otherwise my partner wouldn't be able to federate with numerous other partners successfully, as I have already explained multiple times. May I also point out yet again that communication works fine and it's just the presence that is not shown. This is not a simple issue of federation not being configured at all.
Also, what are the certificate requirements for an organization that wants to federate successfully with Lync Online? Are there any public CA root certificates that are not supported? My partner uses an Edge Server certificate issued by the Entrust.net Certification Authority (2048), thumbprint 50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31. Is this a CA that Lync Online would be willing to work with?
I downloaded and installed MOSDAL and created a diagnostic trace. This is what happens when I try to view the presence of a federated OCS 2007 R2 user from my Lync Online account.
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 192.168.1.2:60333;received=10.27.46.15;ms-received-port=60333;ms-received-cid=B1A2C00
ms-diagnostics: 4033;reason="To User not authorized for Federation";source="BL20B03FES02.infra.lync.com"
However, the remote user is enabled for federation and can communicate with me (and view my presence) as well as other federation partners (both OCS 2007 R2 and Lync on-premises) just fine. It's just not working from Lync Online, so there must be something wrong at the Lync Online end.
I think this is as far as I can troubleshoot it from my end, I really need some help here from someone who can look at the communication between the two edge servers or who can shed some light on the way that Lync Online treats federation partners. This can't be that difficult to track down.
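The trace quoted in the post above carries the one concrete lead in this thread: an `ms-diagnostics` header on a SUBSCRIBE response. The following is an added example, not part of the original post and not Microsoft tooling, that parses such headers and groups failures by CSeq method to confirm a presence-only failure; the function names, the `403 Forbidden` status line and the successful MESSAGE exchange are assumptions constructed for the sample.

```python
import re

# Constructed sample trace. The SUBSCRIBE response reuses the CSeq, Via and
# ms-diagnostics values quoted in the post; the "403 Forbidden" status line and
# the successful MESSAGE exchange are assumptions added for contrast.
SAMPLE_TRACE = """\
SIP/2.0 403 Forbidden
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 192.168.1.2:60333;received=10.27.46.15;ms-received-port=60333;ms-received-cid=B1A2C00
ms-diagnostics: 4033;reason="To User not authorized for Federation";source="BL20B03FES02.infra.lync.com"

SIP/2.0 200 OK
CSeq: 2 MESSAGE
Via: SIP/2.0/TLS 192.168.1.2:60333
"""

DIAG_RE = re.compile(r'^(\d+)((?:;[\w-]+="[^"]*")*)$')
PARAM_RE = re.compile(r';([\w-]+)="([^"]*)"')
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3})\b")

def parse_ms_diagnostics(value):
    """Split 'id;key="val";...' into a dict; None if the value is malformed."""
    m = DIAG_RE.match(value.strip())
    if not m:
        return None
    return {"error_id": int(m.group(1)), **dict(PARAM_RE.findall(m.group(2)))}

def parse_messages(trace):
    """Yield (start_line, headers) per blank-line-separated SIP message."""
    for block in filter(None, re.split(r"\n\s*\n", trace.strip())):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        yield lines[0].strip(), headers

def failures_by_method(trace):
    """Map each CSeq method to the list of failed (>= 400) responses seen."""
    result = {}
    for start_line, headers in parse_messages(trace):
        status = STATUS_RE.match(start_line)
        if not status:
            continue  # a request, not a response
        cseq = headers.get("cseq", "").split()
        method = cseq[1] if len(cseq) == 2 else "UNKNOWN"
        failures = result.setdefault(method, [])
        if int(status.group(1)) >= 400:
            diag = parse_ms_diagnostics(headers.get("ms-diagnostics", "")) or {}
            failures.append({"status": int(status.group(1)), **diag})
    return result

def presence_only_failure(trace):
    """True when SUBSCRIBE fails while every other method seen succeeds."""
    by_method = failures_by_method(trace)
    others_ok = all(not f for m, f in by_method.items() if m != "SUBSCRIBE")
    return bool(by_method.get("SUBSCRIBE")) and others_ok

if __name__ == "__main__":
    for method, failures in failures_by_method(SAMPLE_TRACE).items():
        print(method, failures or "ok")
```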
After looking over your issue, I have come to the conclusion that the issue lies within the configuration on the OCS Server/Network of the OCS Server. Since you are able to communicate with people from their network but they are unable to send the presence to you, their end is the root cause of this. Their network is incorrectly configured or their OCS is incorrectly configured and not sending or blocking the presence information out to Lync Online. I have checked with others within my department and we have determined this is an issue that lies out of our scope of support and we will not be able to support you further on this issue. If you do feel this issue needs further attention, please feel free to contact On-Premise Support @ 1-800-936-4900.
Charlie Gaither, Microsoft Lync Online Support
Your conclusion is incorrect. If you had read the whole thread you would have noticed that my federation partner is able to communicate successfully with everybody else (including Lync on-premises) but Lync Online, thus I have to assume that there is a compatibility issue between Lync Online and OCS 2007 R2. I would at least like my questions answered what could possibly block their presence yet allow communication and what root CAs used by federation partners are supported by Lync Online. You should be able to provide that information easily.
Also, I'd like you to confirm if the setup of Lync Online as an IM Provider in OCS 2007 R2 described at www.itworkedinthelab.com/.../ocs-2007-r2 is the correct way to do it. If not, what needs to be changed, and is there any official documentation from Microsoft how to do it properly?
I'd like to remind you of the fact that we're talking about interoperability of two generations of the same Microsoft enterprise application here, not some 3rd party issues. This should be a no-brainer.
Like I stated before, this is the Community Forum for support for Lync Online issues only. Since the issue resides in the OCS, I am unable to provide you with any further support on the issue. Since Lync Online, in the way it is set up, does not have an issue communicating with other OCSs, the issue is with the configuration of the OCS. This support is provided by Microsoft @ Commercial Technical Support 1-800-936-4900.
I do not accept this as an answer. The same OCS contact that I cannot view the presence of can be seen and contacted just fine from other OCS and Lync on-premises federation partners, so there's actually nothing wrong at all with the OCS side, and you haven't provided anything to prove otherwise - you just claim that it is while ignoring the facts I've provided during this lengthy and tiresome thread.
Unfortunately I cannot tell you to do your job properly, I can only ask you to provide the support that your paying customers deserve. Please reconsider your position and provide the answers I've been asking for. What issue could possibly block the presence yet allow communication, does Lync Online accept the certificate issuer Entrust.net Certification Authority (2048) that is used by my OCS federation partner, and is the setup of Lync Online as an IM provider on the OCS edge server the correct way to do it? These questions are valid and all related to Lync Online, the service I'm paying for.
Please check this link and see if this provides you with the information you are looking for.
Charlie, I'm aware of this article, however, my federation partner has configured Lync Online as an IM Provider, rather than adding my Lync Online domain as an individual entry. This is why I was asking if the setup of Lync Online as an IM Provider in OCS 2007 R2 described at www.itworkedinthelab.com (see earlier post in this thread) is the correct way to do it.
Unfortunately I am unable to answer your questions. I do not know anything about the setup of OCS and only provided that link to you per the request of someone else. This community forum is for Lync Online Support and Office 365. We have determined that your Office 365 Federation is properly configured. Please have the Administrators of the OCS contact commercial support @ 1-800-936-4900.
Charlie Gaither, Microsoft Lync Online Support
In response to your last post, the OCS admin will need to add both sipfed.online.lync.com as a trusted service provider, and then add your domain specifically to their allow list. Since they have already added Lync Online as a service provider, here is what they need to do next:
Create a new entry in the federation Allowed Domains list for OCS:
I'm also going to send you a private message with further details in case you need to contact me again.
Thanks for your reply, much appreciated.
As far as I know, Lync PowerShell cmdlets do not work on OCS 2007 R2, so I made the suggested change to the OCS Edge Server manually ... but as soon as I had completed this, communication and presence stopped working in either direction for my Lync Online domain.
Once I deleted the domain entry (just leaving the IM provider entry in place) I was back to the situation where it is working from OCS 2007 R2 to Lync Online (i.e. OCS 2007 R2 can see presence and communicate with Lync Online, but not vice versa).
What am I missing?
I believe it to be a certificate issue at this point. Does the OCS server trust the CA's for Lync Online? Are there any TLS outgoing connection failures in your OCS server event logs?
To view Lync Online CA's, go to http://www.digicert.com/help/ (for example) and plug in sipdir.online.lync.com - Check your OCS server to see if it trusts the CA's listed there.
Thanks for that, will check that tomorrow ... but why sipdir.online.lync.com? Doesn't it have to be sipfed.online.lync.com, the one that is used in the hosting provider settings?
Also, could it be just the other way, i.e. Lync Online not trusting the CA that issued the OCS edge server's certificate? I added its details in an earlier post in this thread, can you check it out for me please? I know that a few other federation partners of my OCS federation partner had to install this certificate chain, as it doesn't appear to be a CA that is included by default.
It's technically *.online.lync.com - so you can plug in either sipdir or sipfed. Lync Online does trust Entrust.net, I believe.
If everything looks correct on your end, please call us and reference the ticket number that I PM'ed to you on the 11th. We will need additional details from you to further investigate.
Did you have any luck resolving this?
I verified that my federation partner's OCS edge server trusts the *.online.lync.com certificate chain. This was to be expected, because communication and presence is working from OCS to Lync Online. Thus I think the issue is that Lync Online does not trust the certificate chain that is used by my partner's OCS edge server. I have exported the chain to a p7b file. Would you be able to verify it for me or point me to a website that either documents the supported certification authorities or performs an online check?
This KB article states what CA's are trusted by Microsoft Online Services: http://support.microsoft.com/kb/929395
As your CA (Entrust) is listed there, we will need to obtain additional information to resolve the issue. I will send you a private message with instructions on how to get in touch with us.
I'm based in New Zealand, which is outside the U.S., thus I cannot call a 1-800 number, sorry.
Would you be able to provide the following two pieces of information?
- If I sent you my OCS federation partner's certificate chain, would you be able to verify that it is compatible with Lync Online?
- What OCS 2007 R2 version (3.5.xxxx, or hotfixes, respectively) needs to be installed to be fully compatible with Lync Online?
I have only limited access to my partner's environment, not sure if I will be able to do tracing ... but with these two bits of information we should be able to rule out any issues related to certificates or OCS version, so let's check that first.
We can definitely take a look at your certificate chain, but we cannot gather your private information on this forum, we would need to be in contact with you via phone or email. If you check your PM's, I sent you a local New Zealand number which you can use to reach support if needed.
I do not believe there is a specific version number needed for federation to work with Lync Online, just OCS 2007 R2.
Did you get in touch with support?
Not yet, the OCS admin of my federation partner is away this week, and without him I don't have proper access to their OCS environment.
Have you had a chance to call in to support? Do you still need our assistance?
I still don't have access to my federation partner's OCS servers. I'd say close your call. I heard rumours that they want to upgrade to Lync soon, so I'm going to live with the current limitation that I can't see their presence.
Thanks for the update; I will consider this case closed.