Step-By-Step SkypeForBusiness Federation
In this article, I will explain how to create an SfB Federation easily with minimal port requirements.
I will go on through the following steps:
Prerequisites
- Port opening — and a tip for checkpoint firewalls
- DNS records
Test
- Ports
- Certificate
- DNS records
Deploy
Prerequisites
Firewall
Let’s go through Microsoft’s port requirements (link here).
We can see that the ports we need are these:
- TCP 443 — for TLS, AV, and access.
- TCP 5061 — for access and SIP.
- UDP 3478 — for AV and STUN.
The minimal port requirements.
If your organization has a Check Point firewall, ensure that the “sip_tls_not_inspected” rule is chosen for port 5061, so that the firewall does not try to dissect and inspect the TLS traffic; inspecting it can corrupt the packets.
DNS
As DNS goes, it’s pretty straightforward.
Ensure you have an A record for the access FQDN of each edge server you have, pointing to that server’s external IP.
If you are using an LTM to load-balance your edge servers, ensure that the access A record points to the IP of that LTM.
Also ensure you have an up-to-date federation SRV record for your Skype for Business domain (the Skype for Business server domain). For example, where the domain is example.com, the SRV record would be:
_sipfederationtls._tcp.example.com
If you don’t want to create a DNS record, another option is to ask your federated partner to add the entries to their hosts file.
Tests
Ports
The easiest way to check if the ports are open is the PowerShell Test-NetConnection cmdlet.
And it should show you something like this:
Notice TcpTestSucceeded: True
Unfortunately, there is no easy way to check if the UDP port is open. You can ask your firewall team to confirm they have a rule that permits UDP port 3478 for the federation.
Certificates
When you create a new federation, you have to ensure that your edge server trusts your federated partner’s certificate and vice versa.
First, ask your federated partner to send you the external certificate of their edge servers.
Next, you can run a short PowerShell snippet to check whether you trust the certificate; it returns True or False.
If you are not comfortable with code, you can use the GUI option.
Press WinKey+R and type “certutil -URL”.
It will open a window.
Click “Select…” and open the certificate, then click Retrieve and check that the “Status” column shows Verified.
DNS Records
Checking that the DNS records are correctly configured is as easy as pinging the access record and confirming that it resolves to the correct IP.
Make sure your federated partner does the same.
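The three checks above (SRV and A records, TCP ports, certificate trust) in one script, added here as an example and not the article’s own snippet; the partner domain and the certificate path are placeholders, and Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example: validate a federated partner's DNS, ports and certificate from a Windows host.
# $PartnerDomain and $PartnerCertPath are placeholders; replace them with the partner's values.
param(
    [string]$PartnerDomain   = 'partner.example',           # placeholder SIP domain
    [string]$PartnerCertPath = 'C:\temp\partner-edge.cer'   # placeholder exported edge certificate
)

# 1. Federation SRV record: _sipfederationtls._tcp.<domain> should point at the
#    partner's Access Edge FQDN on port 5061. Take the best priority/weight entry.
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$PartnerDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight | Select-Object -First 1
$accessFqdn = $srv.NameTarget
"SRV -> $accessFqdn port $($srv.Port)"
if ($srv.Port -ne 5061) { Write-Warning "SRV record points at port $($srv.Port), not 5061" }

# 2. Access Edge A record. Name resolution is what matters here; ICMP is often
#    blocked at the edge, so a failed ping alone does not mean the record is wrong.
$a = Resolve-DnsName -Name $accessFqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
"A   -> $($a.IPAddress -join ', ')"

# 3. The TCP ports from the prerequisites. UDP 3478 cannot be probed this way;
#    that one still has to be confirmed with the firewall team.
foreach ($port in 5061, 443) {
    $t = Test-NetConnection -ComputerName $accessFqdn -Port $port -WarningAction SilentlyContinue
    "TCP $port TcpTestSucceeded: $($t.TcpTestSucceeded)"
}

# 4. Certificate trust: build the chain for the partner's exported edge certificate
#    against this machine's trust stores, with online revocation checking. This is
#    the same question the certutil -URL GUI answers.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PartnerCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$trusted = $chain.Build($cert)
"Certificate trusted: $trusted (subject $($cert.Subject), expires $($cert.NotAfter))"
"Names on certificate: $($cert.DnsNameList.Unicode -join ', ')"   # should cover $accessFqdn
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

Run it from the edge server itself, since that is the machine whose trust store and firewall path actually matter for the federation.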
Deploy
- Log in to the Skype for Business Front End or Standard Edition Server and open the Skype for Business Control Panel.
- To add the federated partner’s Skype for Business domain, go to SIP Federated Domains from the top navigation.
- Now add a new domain pointing to the federated partner’s domain, with the edge server pointing to the external edge pool of the federated partner.
And that's it.