Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Skype for Business Online Federation (External Connectivity, Public Connectivity) Options and Configuration

This post talks about federation (also sometimes called external connectivity, or public connectivity specifically when talking about federation to Skype consumer) in Skype for Business Online. This feature is also available on Skype for Business Server, but this post specifically considers Skype for Business Online.

What is Skype for Business Online Federation (external connectivity)?

Skype for Business external connectivity (federation) enables a Skype for Business user to connect with users in other organisations that use Skype for Business as well as those that host their own Skype for Business Server on-premises. Federated contacts can see presence, communicate by using IM and make Skype-to-Skype audio and video calls.

All federated communications are encrypted between the IM systems using access proxy servers. Microsoft does not control encryption after messages are passed to the federated partner’s network (if the partner is federated with an on-premises Skype for Business Server or third-party network).

What is Public IM connectivity?

This is off by default; it allows Skype for Business Online users to talk to Skype Consumer users. Note that this is 1:1 for IM, audio and video, and is not supported in any conference/multiparty scenario.

Note that with Skype for Business Server this feature historically offered federation with other public IM providers beyond just Skype Consumer, but now only Skype Consumer is supported in Skype for Business Server and Skype for Business Online.

How do I set Federation/External Connectivity up in Skype for Business Online?

First off, it is on by default. You can configure it in the Skype for Business Online Admin Portal.

Default is On except for blocked domains

Options are to turn it off completely, On except for blocked domains or On only for allowed domains.

A Note on Enhanced Federation, Dynamic Federation and Direct Federation

On Skype for Business Server, there is the concept of different types or levels of Federation.

  • “Dynamic Federation” or “Discovered Partner domain”, i.e. open federation, which allows discovery of companies via DNS without explicitly listing them in the allow list. This type of federation depends on both partners having their SRV records set up correctly.
  • “Enhanced Federation” or “Allowed Partner Domain federation”, where Skype for Business Server is set to open federation, but you add your partner’s SIP domain to the allowed Federated Domains list in Skype for Business.
  • “Direct Federation” or “Allowed Partner Server”, where you configure the partner SIP domain name and the partner Edge Server FQDN as a federation partner in Policies.

Dynamic Federation Rate Limits on Skype for Business Server

Dynamic Federation has some rate limits on the number of messages between companies/domains.

  • If a federated organisation sends requests to more than 1000 Uniform Resource Identifiers (URIs, “users”, either valid or invalid), it is put on a watch list and future connections are blocked on the Edge Server.
  • If the Edge Server detects suspicious traffic on a connection, it will limit the federation partner to a low message rate of 1 message per second. The Edge Server detects suspicious traffic by calculating the ratio of successful to failed responses.
  • The Edge Server also limits legitimate dynamically federated partner connections to 20 messages per second.

Enhanced Federation (where domains are added to the allow list) is not rate limited, so you will not be regulated on the number of messages or users. Direct Federation is also not rate limited, but there is no DNS lookup for the partner’s Edge Server.

For Skype for Business Server, if you know that a legitimate federated partner will send more than 1000 requests, or a volume of over 20 messages per second, to your organisation, you must add the federated partner to the Allow tab to allow these volumes.
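
As an added example, not code from the original post or from Microsoft, the following Python checks per-partner traffic against the two dynamic federation limits above to find partners that should be moved to the allow list. The event tuple format, the function names and the sample domains are assumptions made for illustration, as is counting distinct URIs over the whole sample and measuring the rate per whole second.

```python
from collections import defaultdict

# Limits quoted in the post for dynamically federated partners.
URI_WATCH_LIMIT = 1000   # more URIs than this puts the partner on the watch list
MSG_PER_SEC_LIMIT = 20   # message rate allowed for a legitimate partner


def partners_needing_allow_list(events):
    """events: iterable of (epoch_second, partner_domain, target_uri).

    Returns {domain: [reasons]} for every partner whose observed traffic
    would exceed either dynamic federation limit.
    """
    uris = defaultdict(set)                             # domain -> distinct URIs
    per_second = defaultdict(lambda: defaultdict(int))  # domain -> second -> count
    for ts, domain, uri in events:
        domain = domain.lower()
        uris[domain].add(uri.lower())
        per_second[domain][int(ts)] += 1

    findings = {}
    for domain, seen in uris.items():
        reasons = []
        peak = max(per_second[domain].values())
        if len(seen) > URI_WATCH_LIMIT:
            reasons.append(f"{len(seen)} distinct URIs > {URI_WATCH_LIMIT}")
        if peak > MSG_PER_SEC_LIMIT:
            reasons.append(f"peak {peak} msg/s > {MSG_PER_SEC_LIMIT}")
        if reasons:
            findings[domain] = reasons
    return findings


def constructed_sample():
    """Constructed traffic (not real logs) for three hypothetical partners."""
    events = []
    for i in range(1200):   # many users, steady 10 msg/s
        events.append((1000 + i // 10, "partner-a.example", f"sip:user{i}@contoso.example"))
    for i in range(25):     # few users, 25 messages in one second
        events.append((2000, "partner-b.example", f"sip:user{i % 5}@contoso.example"))
    for i in range(50):     # low volume, under both limits
        events.append((3000 + i, "partner-c.example", f"sip:user{i % 10}@contoso.example"))
    return events


if __name__ == "__main__":
    for domain, reasons in sorted(partners_needing_allow_list(constructed_sample()).items()):
        print(domain, "->", "; ".join(reasons))
```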

For Skype for Business Online, this rate limiting is not supposed to exist for traffic from within the Office 365 cloud (tenant to tenant), but it does apply to traffic coming from outside Office 365 (i.e. Skype for Business Server installs/users). At present, I can’t find a way to set a tenant to “open federation” and have an “allowed list”.

Some Considerations

  • There is no “in the box” ability to restrict subsets of users to federating with select organisations; it’s a global allow/block list.
  • Federated connections are not covered by the SLAs provided as a part of Office 365 subscriptions.
  • Federated connections are not offered in service availability targets.
  • Federated connections are excluded from the service continuity management Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Text-based chat is the default communication type allowed across federated connections. Audio, video and content sharing may be possible if the federated partner’s environment is correctly configured with Skype for Business Server, which permits these types of communication.
  • File transfer is available with federated connections.
  • Skype for Business supports only federation traffic routed through the Internet.

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Founder and Principal at Empowering.Cloud as well as a Solutions Director at Pure IP.

Tom stays up to date with industry developments and shares news and his opinions on his Tomtalks.blog, UC Today Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

6 comments

  • Hi,
    Can you please let us know the call flow of Skype for Business Online?
    I need assistance with how a Skype call gets connected in a cloud environment.
    We are maintaining a Skype for Business cloud environment… we are not using a hybrid or on-premise environment.
    Please share the article… please mail at divyasankarj@rocketmail.com
    so I can learn.

  • Hi Tom.
    I just about got my head around the federation option in SfB ‘on-prem’. So for example I have a federated partner COMPANYA.com where I just have the partner domain added in my console. Federation relies on COMPANYA having the correct SIP A and SRV record. (Allowed Partner Domain method).
    I also have listed COMPANYB.com where I have both the partner domain added PLUS the partner access Edge server. The partner in this case does not need to add the SRV records into their DNS (this is called Allowed Partner Server or ‘Direct Federation’)
    Now if I migrate my deployment to O365, what options do I have for COMPANYA and COMPANYB? Do I simply add them both as ‘Allowed Domains’? I’m thinking especially about COMPANYB, because I cannot see an option to specify an Access Edge server for direct federation. Surely I am not at the mercy of asking all my partner domains to add an SRV record to their Public DNS?

    Thanks in advance

    • Hi,

      This is a bit deep for a blog post chat, the best bet might be to start a thread on http://tom.qa/sfbforum, feel free to CC me on there.

      Having SRV records is best practice, but I’m not sure off the top of my head if it’s a hard dependency for SfBO. It wouldn’t surprise me.

      Tom

  • Do you know what the federation rate limits are for Skype for Business online, or, if there is a difference in the rate limit between “On except for blocked domains” and “Off except for allowed domains”?
