04-04-2018 12:44 AM
An on-premises Skype for Business deployment at company ABC. All external traffic is forced to use the corporate proxy. In addition, we have a new online meeting hosted by company ZXY, which has an Office 365 setup. These two companies do not have federation enabled.
Skype user Jacky (from ABC) tries to join the meeting hosted by ZXY, but that fails with the error: "An error occurred during the Skype meeting".
If you take a look at Scott's blog article, "Anonymous join from Skype for Business and Lync clients", there is a sequence the Skype/Lync client uses to join the meeting:
Karen's client will continue querying these DNS records until it is successful in finding a destination. The DNS records that it will search are:
Because company ABC is using the proxy, they have blocked DNS queries to the internet as useless, but even if they were enabled, direct connections to the destination do not work.
The fourth step, "sip.tailspintoys.com", is a different issue, as for that record the Skype client is able to use the corporate proxy to make the connection.
Here comes the problem:
When Skype goes through the proxy to sip.tailspintoys.com, the Skype client receives the certificate from that host. If the host is an on-premises solution, that is not a problem because the FQDN is listed in the certificate's SAN. But if sip.tailspintoys.com is hosted on O365, the certificate's SAN does not contain the FQDN, and because of that the Skype client is unable to trust O365. It contains only O365 certs.
The only solutions are:
- enable federation. Yeah, but if Edge is not deployed at ABC, and the next issue is that federation cannot be counted as trusted.
- open FWs to allow client traffic to go out and bypass the proxy, eh...
- Microsoft fixes the certificates on O365; most likely not, as it would cost them a huge amount of money.
- Microsoft fixes the Skype client to bypass the certificate validation and always trust O365's certificates.
Does anybody know any other idea to get this fixed? The best for the customers is that Microsoft fixes the certs for Office 365.
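Added example, not part of the original post: a Python diagnostic that opens a CONNECT tunnel through the proxy, reads the SAN DNS names from the certificate the destination presents, and checks whether the requested FQDN is covered. Port 443, the proxy address you pass in, and both sample SAN lists are assumptions constructed for illustration.

```python
import socket
import ssl


def san_matches(hostname, san_dns_names):
    """RFC 6125-style match: exact, or '*' as the whole left-most label only."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # The wildcard covers exactly one label: *.a.b matches x.a.b, not a.b or y.x.a.b
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
    return False


def fetch_sans_via_proxy(host, proxy_host, proxy_port, port=443, timeout=10):
    """Open a CONNECT tunnel through the proxy and return the server's SAN DNS names.

    Chain validation stays on; only the name check is deferred so the
    mismatch can be reported instead of aborting the handshake.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = reply.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {reply[:80]!r}")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists for illustration (not captured from real servers).
ONPREM_SANS = ["sip.tailspintoys.com", "meet.tailspintoys.com"]
HOSTED_SANS = ["*.hosted-provider.example", "sipdir.hosted-provider.example"]
```

Running `san_matches(host, fetch_sans_via_proxy(host, proxy_host, proxy_port))` from a client behind the proxy shows whether the name check would fail before any change to firewall or federation settings is considered.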