APM: Office365 Skype for Business On-Premise Authentication
I've spent a few days working on an Office 365 lab hybrid deployment and have been unable to get Skype for business to authenticate or work properly. Is this supported? In my configuration I am attempting to use the F5 as the IDP. Azure AD connect is syncing properly and is not syncing password hashes to Azure. According to this document, Rich client application such as Lync or authenticating an Office subscription are not supported: Azure AD federation compatibility list However I am able to authenticate other thick-clients like Word, Excel, Outlook, etc without issue. A window with the APM login screen is displayed when authenticating--I would expect similar behavior for the Skype client. This makes me believe maybe this document is incorrect? I have gathered SSLdumps and see the authentication request reach the VIP: 1 10 1472838567.6975 (0.0018) C>SV3.3(448) application_data --------------------------------------------------------------- POST /saml/idp/profile/ecp/sso HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; WOW64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; MSOIDCR L 7.250.4556.0; App lync.exe, 16.0.7167.2040, {12B07E85-1B47-41C4-A4E2-43XXXXXXXXXX}) Content-Length: 1583 Host: idp.xxxxx.xxx --------------------------------------------------------------- 1 11 1472838567.6975 (0.0000) C>SV3.3(1632) application_data --------------------------------------------------------------- http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuehttps://idp.xxxxx.xxxx:443/saml/idp/profile/ecp /sso1472838xxx xxxx@xxxx.xxxxxxxxxxxxxx 2016-09-02T17:52:11Z2016-09-02T17:57:11Z http://schemas.xmlsoap.org/ws/2005/02/trust/ Issueurn:federation:MicrosoftOnline http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey --------------------------------- ------------------------------ 1 12 1472838567.7042 (0.0067) S>CV3.3(336) application_data --------------------------------------------------------------- HTTP/1.0 302 Found Server: BigIP Connection: Close Content-Length: 0 Location: /my.policy Set-Cookie: LastMRH_Session=9c7be893;path=/;secure Set-Cookie: MRHSession=xxxxxxxxxxxxxxxxxxxxxxxxxxx;path=/;secure Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ --------------------------------------------------------------- 1 1472838567.7042 (0.0000) S>C TCP FIN 1 13 1472838567.7046 (0.0003) C>SV3.3(48) Alert I would expect that the APM should be responding to the request rather than closing the connection as seen above. To me the soap envelope looks OK, or maybe I'm missing something simple? I'm running 12.1.1, and have also tried 11.6.1. I have no on-premise Skype/Lync environment and have validated that all DNS entries for Skype are correct. Microsoft's Connectivity Analyzer succeeds on all tests. The Skype client produces a generic failure on login: "Cannot sign in because the server is temporarily unavailable". Any guidance would be appreciated, thanks!
Big IP Reverse Proxy Does not Seem to be passing traffic onto my Skype for Business Front End Servers
Hey all. I posted a question a little while ago but i never really got an answer because I think I overworded it. Long story short, I have all of my Skype for Business internal and external services running (AV, IM, and presence). I set up a DMZ Big IP set to forward reverse proxy traffic to my FE servers using the iAPP. When I connect to the public IP/URL NAT'd to the device, I get a certificate warning (have not set up SSL yet) but then I cannot connect. I can see the three FE servers lit up as green from the Big IP so I know they're connected, but when I run wireshark I don't see any extra traffic flowing from the Big IP to my FE servers when I attempt a sign in so I'm not sure that the traffic is even getting through the Big IP and I'm not sure why. Does anyone have any thoughts on this? I have 443, 80, 4443, and 8080 allowed from my Big IP to my FE servers so I do not believe it is my firewall but I could be wrong. Any help would be appreciated. Thanks all!
Skype For Business - TLS
We're in the process of migrating from an older LTM running 11.6 to a new LTM running 13.1. In our existing environment we have configured Skype for Business with the iApp for Lync. This has worked well and we've been running with this for nearly 2 years. Upon attempted migration to the new LTM, this using the latest Skype for Business iApp, we found that were having issues with some users. Further investigation revealed that on the new LTM, for the SIP (port 5061) virtual server, SSL passthrough was used. This is the same as on the existing LTM. However, when we tried connecting the this address and port with cURL, we do not get a response from any of the Skype front-end servers behind the F5. Adding client and server SSL profiles, thus putting the Virtual Server in SSL bridging mode, a response is received from one of the Skype servers (round robin, as expected) Connecting to the VIP on the older LTM, with cURL, in SSL passthrough mode gets a response from the Skype servers. We do have a case open with support and they are going to take a look at a trace, but their initial assessment is the configs look pretty similar. The question to the community, is what is the recommended setup for SSL/TLS with Skype for Business?
Split tunnel VPN Skype for Business - rewriting DNS
Hi, We are deploying an F5 VPN and have and existing SfB environment. We need to enable a split tunnel so external users don't register to the internal SfB server but resister to the SfB Edge server. When the server DNS is queried the result gives the internal server. We need to intercept the request and return with the SfB Edge server. How can this be done? Is this using iRules or is this a standard feature of the F5? Thanks.
Skype for business 2015
Hey All We are having a set of f5 which is placed in DMZ. So it is 2 arm mode, one arm facing the internal of DMZ and other arm, going external and through the same interface it goes to the production internal network as well. So , today we did the Skype for business configuration via the i app.The Skype setting has front end server .all request comes to front end server . This is my first time doing Skype.So the customer wanted reverse proxy for external connections. Also, the internal users also they want to go to f5 and then to lync server and not access directly ie while accessing via mobile phone app. The external users are signing in succesfully via app. But these same user when connected via corporate network, which goes via different VIP, the signing in isn't happening. The external users come on 443 and redirects to 4443 while internal user come on 443/80 and goes into 443/80 pool respectively via different vip. On taking a tcpdump, I can see response coming back from front end server. But the user isn't able to login .from front end server to f5 snat ip, it's reachable. But sign in is unsuccessful via mobile app. we are doing Snat for traffic to internal production servers.can you guys suggest what could be going wrong?How to properly create Intermediate SSL Certificate
Hello all. I believe this should be an easy question but i need some guidance. I am publishing Skype for Business reverse proxy services with a Big IP and I am using the iApp to do so. I can get my mobile clients to connect and sign in through the reverse proxy and I can do a lot of what needs to happen, but sometimes I can't connect to calls on my phone and when I run into the issue I also simultaneously get a certificate warning stating that the Godaddy certificate that i purchased and set up on my reverse proxy could not be verified. This is making me think that I set this up wrong somewhere. So what I did was I exported the certificate as a .pfx from my Edge server with it's private key and imported it to my F5 unit where I imported it as: Import Type: PKCS 12 (IIS) Certificate Name: Skype_Public Certificate Source: PFX I exported Password: ********** Key Security: Normal Then for the chain certificate I imported the godaddy bundle (labeled gd_bundle-g2-g1). There is also a PKCS7 certificate labeled as gd-g2_iis_intermediates but i couldn't get it imported into the Big IP and i was fairly confident it needed the bundle anyway. I imported the bundle as follows: Import Type: Certificate Certificate Name: Skype_Public_Bundle Certificate Source: gd_bundle-g2-g1 Then in the iApp i just went and set it to create a new client ssl profile and used the Skype_Public-PFX.crt as the ssl certificate and used Skype_Public_PFX.key as they Key. Finally I used the Skype_Public_Bundle.crt as my intermediate cert, fired up the iApp, and could sign in with my phone. But i got the above errors so I am thinking I dropped the ball somewhere as i am relatively inexperienced with SSL certificates.Completely Lost Trying to Set Up SSL For the Skype for Business Reverse Proxy iApp
Hey All. Doing my first ever Skype for Business deployment and I have most everything working properly (Internal/External IM/Presence and AV calls all work great for the desktop client). Now I am trying to set up my two Big-IP's to do reverse proxy traffic and I am honestly completely lost. Allow me to explain. I have a dual Big-IP setup in my test lab. I have one in my DMZ which is set using the iApp to forward reverse proxy traffic to my internal which is set through the same iApp to receive reverse proxy traffic. I have given it it's own public IP which is NAT'd to the DMZ F5 DMZ address. The DMZ F5 also has a self IP on the DMZ subnet for which I have opened 443, 80, 4443, and 8080 up to the VIP of the F5 on my internal lab subnet. The iApp on the DMZ Big IP shows green for the internal server so it looks like they're talking to eachother ok. Here's where I start beating my head against the wall, and before I go into detail I am going to come out and say that I have not yet configured a SSL profile on either Big IP which may be my issue here. If I download the Skype for Business app on my phone and try to sign into Skype with my SIP address and username, I get a certificate warning that comes from the DMZ Big IP so I know that my device at least makes it through the public/NAT IP address to the DMZ Big IP. But then after I click continue on the certificate warnings it will say signing in for a second and then juts kick me back to the logon screen. This has me wondering if the traffic is getting stuck somewhere in the chain of F5's, if it is a SSL issue, or if it is a configuration issue on my Skype Frent Ends somewhere and was hoping someone could provide some guidance. A followup question that I have to this is regarding what certificate to import and set up on my Big IP units. On my edge servers, I have a public certificate issued by a CA. On my FE servers I have a certificate assigned by my internal CA per Microsoft best practices. I would imagine that I should use the public cert, but the iApp states that "The certificate you select here MUST match the certificate you used in your Skype web services configuration." This would indicate that I would need to use the certificate from my FE servers, but then no mobile devices are not going to trust this certificate. Any advice here on exactly what I should do here would be greatly appreciated. Thanks!
Microsoft Skype Business Server Issue
Ok, I have helped a client setup a Microsoft Skype Business Server on an LTM. I used the iApp for both Lync and Skype. The Skype seems to work better. I have gotten almost all of the services communicating through the F5 with no issues. Did have to make a few tweaks but nothing big. Here is my question and issue. How do you get desktop sharing to work form internal to external and external to internal. They are able to share internal to internal and external to external. We have gone through all the MS documentation and all the firewall rules are in place and the servers are setup correctly. It is setup with a 2 tier LB setup - 1 external for Edge Services and the other Internal for Web Services / AV / Reverse Proxy. Thanks for any help provided. Matt
