Microsoft Lync Federation

                                              Lync 2010 Federation 

What is Federation?

Basically federation is the process of connecting our Lync/OCS/LCS environments with other Lync/OCS/LCS environments, such as our partner companies.  This connection allows users to easily communicate with users in other companies utilizing all the same modalities they have with users in their own environment (IM, Audio, Video, Desktop Share, etc….).

Type of Federation

In Lync 2010 there are 3 types of federation supported, those are Dynamic, Enhanced and Direct. Let us discuss each type in detail.

Dynamic Federation

Dynamic federation often called open federation is a method where a partner company’s edge server is discovered by looking up an SRV record (_sipfederationtls._tcp.domain.com).  Dynamic federation is perfect for an environment where users may need to add contacts from other companies quickly and without administrative intervention.  The firewall will have to allow inbound connections to the access edge server on port 5061 from any potential partners, typically most companies who use open federation, they allow traffic from everywhere on this port to prevent needing administrative assistance.

There are a couple of limitations on Dynamic federation, first when a partner is discovered via dynamic federation; limitations are put on how many SIP messages (20) can be received per second by that partner.  Also, there is a limit of 1000 contacts per federated contact.  Last, but not least, if you discover a partner via dynamic federation, the A record and certificate for their federated access edge must match the sip domain of the user.

Enhanced Federation

Enhanced Federation requires that you add your partners SIP domain to the “Federated Domains” list in the Lync control panel.  However, you do not need to add the FQDN of their access edge server.  Enhanced federation is not limited like dynamic federation so you will no longer have a cap on the number of messages or users. Below is a sample screen shot of how to configure enhanced federation configuration will look like

Direct Federation

Direct Federation just like enhanced federation, has no limit on the number of messages or users, but there is one big difference.  If your partner company has an access edge server with an FQDN that doesn’t match the SIP domain, you can still federate.  You will just need to put the FQDN of the access edge server and the domain name as shown in the screen shot below.

So, how do we know if we have an open federation? Simply open your Lync Control Panel, then Federation and External Access -> Access Edge Configuration and double click Global:

If Enable partner domain discovery is checked, it means the federation is open. You can also check the same using PowerShell, check if the EnablePartnerDiscovey is set to True with:

Get-CsAccessEdgeConfiguration

To close the federation you need to remove the Enable partner domain discovery checkbox in the Lync Control Panel or run the cmdlet:

Set-CsAccessEdgeConfiguration  -UseDnsSrvRouting  -EnablePartnerDiscovery $False

Enable or Disable Federation for an Organization

Follow the steps below to enable or disable federation for an Organization

1.  From a user account that is a member of the RTCUniversalServerAdmins group (or has equivalent user rights), or is assigned to the CsAdministrator role, log on to any lync server in your internal deployment.

2.  Open a browser window, and then enter the Admin URL to open the Lync Server Control Panel. For details about the different methods you can use to start Lync Server Control Panel, see Open Lync Server Administrative Tools.

3.  In the left navigation bar, click External User Access, and then click Access Edge Configuration.

4.  On the Access Edge Configuration page, click Global, click Edit, and then click Show details.

5.  In Edit Access Edge Configuration, do one of the following:

        To enable federated user access for your organization, select the Enable communications with      federated user’s   check box.

        To disable federated user access for your organization, clear the Enable communications with federated user’s   check box.

6.  If you selected the Enable communications with federated user’s check box, do the following:

        If you want to support automatic discovery of partner domains, select the Enable partner domain discovery check box.

    If your organization supports archiving of external communications, select the Send archiving disclaimer to federated partners check box.

7.  Click Commit.