Thou Shall Not Let Internal Users Connect to External Edge Interface
I've been involved with UC for a while, long before it was called UC, and over time we've all developed cardinal rules when it comes to deployments. One that I, and I know several others, have adhered to: "Thou shall not let Internal Users connect to the External Edge Interface". Right!?!
Times are a-changing, and rules are often made to be broken, so add the one above to the list, or at least a bending of it. Enter extended Skype Online/Hybrid coexistence. While in a Hybrid configuration, users Online and users On-prem are one big happy environment, right? Wrong!! The reality is, they are two separate environments with a shared SIP namespace, with some bits of replication from On-prem to Online thrown in. (Online doesn't replicate to On-prem; see other postings.)
Usually this is all good, UNTIL an Online user who normally works from home decides to come into the office one day. They sign in no problem: they hit up SIP, the internal deployment sees they're an Online user, redirects them up to Online, and everything is right as rain. Time to join the On-prem meeting hosted by their in-office manager. Audio/video works, but nooo presentation, and an error message comes up when trying to share content to present: "Your DNS configuration is preventing you from presenting content", or possibly other variants.
Skype Online users, when signed in, are for connectivity purposes External Federated Users, and actually need to connect to the Web Conferencing interface on the External Edge. If you've been following the aforementioned cardinal rule, there is likely no internal name resolution for the WebConf FQDN, and/or possibly firewall rules blocking internal connections to the External interface.
Don't believe me? It's in TechNet as a requirement for Hybrid: https://technet.microsoft.com/en-us/library/jj205403.aspx
Another odd scenario, and I hope this one is rare: one large international corporation, separate forests, separate domains, but replicating between them the split-brain internal DNS zones which house the internal SIP/Skype DNS entries. Corporate site A can't resolve webconf.corporateB.com, because they have B's internal split-brain copy of the public zone replicated/resolved, instead of the public DNS zone.
Seems like the new rule now is: add the External Web Services and WebConf FQDNs to your internal split-brain DNS zones.
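As an added example (not from the original post, and not a Microsoft-provided script), the check below does from an internal client what the two points above call for: it resolves the Edge Web Conferencing and External Web Services FQDNs against the internal resolver and a public one, compares the answers, tests TCP/443 reachability, and then shows how the missing A records would be added to the internal split-brain zone. The DNS server address, public resolver, zone name and FQDNs (`contoso.com`, `webconf.contoso.com`, `lyncweb.contoso.com`) are assumed placeholders; replace them with your own.

```powershell
# Added example, not part of the original post. All addresses and names
# below are assumptions/placeholders for a contoso.com split-brain setup.

$InternalDns    = '10.0.0.10'       # assumption: an internal DNS server
$PublicDns      = '8.8.8.8'         # assumption: any public resolver to compare against
$SplitBrainZone = 'contoso.com'     # assumption: internal copy of the public zone
$EdgeFqdns = @(
    'webconf.contoso.com',          # assumption: Web Conferencing Edge FQDN
    'lyncweb.contoso.com'           # assumption: External Web Services FQDN (reverse proxy)
)

function Test-EdgeFqdnFromInside {
    param(
        [Parameter(Mandatory)] [string[]] $Fqdn,
        [Parameter(Mandatory)] [string]   $InternalServer,
        [Parameter(Mandatory)] [string]   $PublicServer
    )
    foreach ($name in $Fqdn) {
        # -DnsOnly bypasses the local hosts file/cache so we see what the server actually returns
        $internal = Resolve-DnsName -Name $name -Type A -Server $InternalServer -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        $public   = Resolve-DnsName -Name $name -Type A -Server $PublicServer -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress

        # Web Conferencing and External Web Services both listen on TCP/443; a name that
        # resolves but fails here points at the firewall rather than DNS.
        $reachable = $false
        if ($internal) {
            $reachable = (Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        [pscustomobject]@{
            Fqdn            = $name
            InternalAnswer  = ($internal -join ',')
            PublicAnswer    = ($public   -join ',')
            ResolvesInside  = [bool]$internal
            MatchesPublic   = [bool]($internal -and $public -and -not (Compare-Object $internal $public))
            Tcp443Reachable = $reachable
        }
    }
}

$results = Test-EdgeFqdnFromInside -Fqdn $EdgeFqdns -InternalServer $InternalDns -PublicServer $PublicDns
$results | Format-Table -AutoSize

# Remediation: for any FQDN that the internal zone does not answer, copy the
# public A record(s) into the internal split-brain zone. Needs the DnsServer
# RSAT module; -WhatIf keeps this a dry run until you are happy with the output.
foreach ($r in $results | Where-Object { -not $_.ResolvesInside -and $_.PublicAnswer }) {
    # strip the zone suffix to get the relative record name (e.g. 'webconf')
    $recordName = $r.Fqdn -replace ('\.' + [regex]::Escape($SplitBrainZone) + '$'), ''
    foreach ($ip in ($r.PublicAnswer -split ',')) {
        Add-DnsServerResourceRecordA -ZoneName $SplitBrainZone -Name $recordName -IPv4Address $ip `
                                     -ComputerName $InternalDns -WhatIf
    }
}
```

Run it from a domain-joined client on the office LAN, the same place the Online user's presentation failed. A row with `ResolvesInside = False` is the missing split-brain record described above; a row that resolves and matches public but shows `Tcp443Reachable = False` means name resolution is fine and it is the firewall rule blocking internal clients from the External Edge interface that needs attention.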
In the Wireshark captures, the Skype Online user's AV traffic also appeared to be going through the Edge AV NIC. The same machine signed into an On-prem account connected directly with the Front End.