Thou Shall Not Let Internal Users Connect to External Edge Interface


Been involved with UC for a while, long before it was called UC, and over time we’ve all developed cardinal rules when it comes to deployments.  One that I, and I know several others, have adhered to: “Thou shall not let Internal Users connect to External Edge Interface”.  Right!?!

Times are a-changing, and rules are often made to be broken; add the one above to the list, or at least the bending of it.  Enter Skype Online/Hybrid coexistence.  While in a Hybrid configuration, users Online and users Onprem are one big happy environment, right?  Wrong!!  The reality is that they are two separate environments with a shared SIP namespace, with some bits of replication from Onprem to Online thrown in.  (Online doesn’t replicate to Onprem; see other postings.)

Usually this is all good, UNTIL an Online user who normally works from home decides to come into the office one day.  They sign in with no problem: they hit up SIP, the internal pool sees they’re an Online user, redirects them up to Online, and everything is right as rain.  Then it’s time to join the Onprem meeting hosted by their in-office manager.  Audio/video works, but no presentation, and an error message comes up when trying to share content to present:  “Your DNS configuration is preventing you from presenting content”, or possibly other variants.

Skype Online users, when signed in, are for connectivity purposes External Federated Users, and actually need to connect to the Web Conferencing interface on the External Edge.   If you’ve been following the aforementioned cardinal rule, there is likely no internal name resolution for webconf, and/or possibly firewall rules blocking internal connections to the External interface.

Don’t believe me?  It’s in TechNet as a requirement for Hybrid: https://technet.microsoft.com/en-us/library/jj205403.aspx


Another odd scenario, and I hope this is rare: one large international corporation, separate forests, separate domains, but replicating their split-brain internal DNS zones, which house the internal SIP/Skype DNS entries.  Corporate site A can’t resolve webconf.corporateB.com, because they have B’s internal split-brain copy of the public zone replicated/resolved instead of the public DNS zone.

Seems like the new rule now is: add the External Web Services and Webconf FQDNs to your internal split-brain DNS zones.
</gre_replace>
<gr_insert after="19" cat="add_content" lang="python" orig="Seems like">
A quick way to find out whether your internal split-brain zone already follows that rule, as an added example that is not part of the original post: the script below resolves the hybrid-facing FQDNs as an internal client would, compares the answers with public DNS, and checks that TCP/443 to the answer is actually reachable from inside (the firewall half of the problem). The SIP domain contoso.com, the external web services label webext, and the resolver/connect functions are all assumptions; the constructed zones at the bottom let it run offline.

```python
"""Check that internal DNS (and the firewall) let in-office Skype Online users
reach the external Edge / reverse-proxy FQDNs a hybrid deployment depends on.

Added example, not code from the original post. Domain names are placeholders.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

SIP_DOMAIN = "contoso.com"  # placeholder SIP domain, replace with your own

# FQDNs the post says Online users must reach on the External Edge / reverse proxy.
# "webext" is an assumed name for the external web services FQDN.
REQUIRED_FQDNS: List[str] = [
    f"webconf.{SIP_DOMAIN}",
    f"webext.{SIP_DOMAIN}",
]

# RFC 1918 ranges: an internal answer in one of these points at an internal
# interface (Front End / internal Edge), not at the external Edge the client needs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve_with_system(fqdn: str) -> Optional[str]:
    """Resolve through the OS resolver; inside the office that is the split-brain zone."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hybrid_dns(
    fqdns: List[str],
    internal_resolve: Callable[[str], Optional[str]],
    public_resolve: Callable[[str], Optional[str]],
    connect: Callable[[str, int], bool],
) -> Dict[str, str]:
    """Return one finding per FQDN: 'ok' or a short description of the problem."""
    findings: Dict[str, str] = {}
    for fqdn in fqdns:
        internal = internal_resolve(fqdn)
        public = public_resolve(fqdn)
        if internal is None:
            findings[fqdn] = "missing from internal zone (no internal answer)"
        elif is_rfc1918(internal):
            findings[fqdn] = f"internal answer {internal} is RFC1918; clients need the external Edge address"
        elif public is not None and internal != public:
            findings[fqdn] = f"internal answer {internal} differs from public answer {public}"
        elif not connect(internal, 443):
            findings[fqdn] = f"resolves to {internal} but TCP/443 is blocked from inside"
        else:
            findings[fqdn] = "ok"
    return findings


# Constructed zones for an offline demonstration (203.0.113.0/24 is documentation space).
INTERNAL_ZONE_BEFORE = {f"webext.{SIP_DOMAIN}": "10.0.0.5"}                 # webconf absent, webext points inside
PUBLIC_ZONE = {f"webconf.{SIP_DOMAIN}": "203.0.113.20", f"webext.{SIP_DOMAIN}": "203.0.113.10"}


if __name__ == "__main__":
    # Offline run against the constructed zones; assume TCP/443 is open.
    for name, result in check_hybrid_dns(REQUIRED_FQDNS, INTERNAL_ZONE_BEFORE.get, PUBLIC_ZONE.get, lambda h, p: True).items():
        print(f"{name}: {result}")
    # Live run on a real internal client would use the OS resolver and a real connect:
    # check_hybrid_dns(REQUIRED_FQDNS, resolve_with_system, public_resolver_of_choice, tcp_reachable)
```

The public-side resolver is left for you to supply (a query against a public resolver, or a static copy of your public zone); the point is that each FQDN must resolve internally, resolve to the same public Edge address as outside, and be reachable on 443, or the presenting error above is exactly what your visiting Online users will see.
<test>
r = check_hybrid_dns(REQUIRED_FQDNS, INTERNAL_ZONE_BEFORE.get, PUBLIC_ZONE.get, lambda h, p: True)
assert r["webconf.contoso.com"].startswith("missing")
assert "RFC1918" in r["webext.contoso.com"]
r2 = check_hybrid_dns(REQUIRED_FQDNS, PUBLIC_ZONE.get, PUBLIC_ZONE.get, lambda h, p: True)
assert all(v == "ok" for v in r2.values())
r3 = check_hybrid_dns(REQUIRED_FQDNS, PUBLIC_ZONE.get, PUBLIC_ZONE.get, lambda h, p: False)
assert all("blocked" in v for v in r3.values())
mixed = {"webconf.contoso.com": "198.51.100.9", "webext.contoso.com": "203.0.113.10"}
r4 = check_hybrid_dns(REQUIRED_FQDNS, mixed.get, PUBLIC_ZONE.get, lambda h, p: True)
assert "differs" in r4["webconf.contoso.com"]
assert r4["webext.contoso.com"] == "ok"
assert is_rfc1918("172.20.1.1") and not is_rfc1918("203.0.113.1")
</test>
</gr_insert>
<gr_replace lines="25" cat="clarify" orig="The Skype Online">
The Skype Online AV traffic also appeared to be going through the Edge AV NIC in the Wireshark captures.  The same machine signed into an Onprem account connected directly with the Front End.

Good times.

Additional note:

The Skype Online AV traffic also appeared to be going through the Edge AV NIC in the Wireshark captures.  Same machine signed into an Onprem account, connected directly with the Frontend.



About Korbyn Forsman

Korbyn is a Microsoft Unified Communication (UC) Technical Director with over 15 years of extensive hands on experience with communication, collaboration and telephony solutions. Korbyn possesses in-depth knowledge of the latest technologies and best practices, specifically with the Microsoft Unified Communications platform. He has a tremendous UC project experience having worked on the strategy, design, architecture and implementation of highly complex global deployments of Lync, Exchange and OCS solutions. Korbyn‘s technical leadership and business acumen often have him speaking as an industry leader at Microsoft events.
