I was recently made aware of a “feature” in Lync 2013 that I had not known about. It concerns client authentication for remote access users.


There are three authentication methods on the Security - Registrar tab in the Lync Server Control Panel:

The following TechNet article describes each of these: http://technet.microsoft.com/en-us/library/gg182601.aspx

Notice that the checkbox for Enable Integrated Windows Authentication is cleared in my configuration. According to the TechNet article, Microsoft recommends enabling this when serving remote access users, since otherwise they won’t be able to authenticate. And this is where my discovery comes into play.

I discovered that if this setting is enabled, a remote user with a local Lync client can log in to Lync with the username and password of a Lync-enabled user without having to present a valid root certificate. The local PC does not have to be domain joined either. In my opinion, this is not very secure. The feature has obviously been there for a while, but I had never tried logging in to a system without the root certificate in place, which is why I did not know this was possible.

I think this setting was disabled by default in Lync 2010 and had to be turned on, but I might be wrong on this one. Nevertheless, I would recommend turning this setting off in order to have some control over the clients logging in to the Lync environment. When Microsoft states that remote access clients won’t be able to authenticate unless you enable NTLM authentication, that is not entirely true. They will be able to authenticate if they are provided with the domain’s root certificate from the internal root CA. Domain-joined clients get this by default, but non-domain clients like Macs, Linux machines and other Windows clients will have to import the certificate into the local trusted root certificate store.

This involves some manual actions to be taken, but in my opinion it’s worth the extra effort in order to have a more secure environment.

Of course, if the Lync environment is a multitenant solution where all users are treated as remote users and are not able to acquire the root certificate from the domain in which Lync is installed (without a lot of intervention from the system administrators), NTLM authentication is the only way to allow clients to authenticate.
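As an added example (not part of the original post), here is how the same Registrar authentication settings can be audited and changed from the Lync Server Management Shell, followed by the client-side root CA import the post recommends for non-domain-joined Windows clients. Get-CsProxyConfiguration / Set-CsProxyConfiguration are the cmdlets behind the Security - Registrar tab; the certificate file path and the “Contoso” subject filter are placeholders, and the Import-Certificate cmdlet assumes the PKI module (Windows 8 / Server 2012 or later), with certutil as the fallback.

```powershell
# Added example, not from the original post. Server part: Lync Server Management Shell
# on a Front End. Client part: elevated PowerShell on a non-domain-joined Windows PC.
# Placeholders: C:\certs\contoso-rootca.cer and the '*Contoso*' subject filter.

# 1. Audit which client-to-proxy authentication methods are currently enabled.
#    "Enable Integrated Windows Authentication" for remote clients means NTLM here;
#    Kerberos is only reachable by domain-joined clients on the internal network.
Get-CsProxyConfiguration |
    Select-Object Identity,
                  UseNtlmForClientToProxyAuth,
                  UseKerberosForClientToProxyAuth,
                  UseCertificateForClientToProxyAuth,
                  UsePinForClientToProxyAuth

# 2. Harden: stop accepting NTLM username/password sign-in from clients and require
#    certificate authentication (TLS-DSK), which only works when the client trusts
#    the CA chain that issued the Lync certificates.
Set-CsProxyConfiguration -Identity Global `
    -UseNtlmForClientToProxyAuth $false `
    -UseCertificateForClientToProxyAuth $true

# Re-read to confirm the change took effect on the global configuration.
Get-CsProxyConfiguration -Identity Global |
    Select-Object UseNtlmForClientToProxyAuth, UseCertificateForClientToProxyAuth

# 3. Client side: import the internal root CA (exported earlier from the CA as a .cer file)
#    into the machine's Trusted Root Certification Authorities store.
$caFile = 'C:\certs\contoso-rootca.cer'   # placeholder path
if (Get-Command Import-Certificate -ErrorAction SilentlyContinue) {
    Import-Certificate -FilePath $caFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    # Older Windows without the PKI module: same result with certutil.
    certutil -addstore -f Root $caFile | Out-Null
}

# 4. Verify the CA is now trusted by this machine before attempting the Lync sign-in.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*Contoso*' }
if ($trusted) { "Trusted root present: $($trusted.Subject) (thumbprint $($trusted.Thumbprint))" }
else          { Write-Warning 'Root CA not found in LocalMachine\Root; certificate sign-in will fail.' }
```

Turning NTLM off applies to every client that reaches the Registrar through the proxy, so audit first (step 1) and confirm that PIN or certificate authentication covers the phones and non-Windows clients you still need to support, which is the multitenant caveat above.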

If anyone has comments on this matter, or a different opinion on why this might or might not be a good idea, please feel free to comment on this post 🙂


Topic Last Modified: 2016-05-25

You should consider the following requirements for users and your network infrastructure while planning for a hybrid deployment.

Infrastructure Requirements

You must have the following configured in your environment in order to implement and deploy a hybrid deployment.

  • A Microsoft 365 or Office 365 organization with Skype for Business Online enabled. Note that you can use only a single tenant for a hybrid configuration with your on-premises deployment.

  • A single on-premises deployment (infrastructure) of Skype for Business Server or Lync Server that is deployed in a supported topology. See Topology Requirements.

    For information about configuring your Lync Server 2013 or Lync Server 2010 deployment for hybrid, see Configuring Lync Server 2013 hybrid deployments.

  • Skype for Business Server 2015 administrative tools. If you are using Lync Server 2013 or Lync Server 2010, you can use the Lync Server 2013 administrative tools.


  • To support Single Sign-on with Microsoft 365 or Office 365 so that users can use the same login credentials for signing in to Office as they do on-premises, you can use the password sync features of Azure Active Directory (AAD) Connect. You can also use Active Directory Federation Services (AD FS) for single sign-on with Microsoft 365 or Office 365.

    For more information, see Integrating your on-premises identities with Azure Active Directory.

  • A single directory synchronization solution to keep your on-premises and online Active Directory objects synchronized. For details about Directory Synchronization, see Directory Integration Tools.

Lync Client Support

There are some differences in the features supported in Lync clients, as well as the features available in on-premises and online environments. Before you decide where you want to home users in your organization, you can view the client support for the various configurations of Lync Server. The following clients are supported with Skype for Business Online in a Lync hybrid deployment:

  • Lync 2010

  • Lync 2013

  • Lync Windows Store app

  • Lync Web App

  • Lync Mobile

  • Lync for Mac 2011

  • Lync Room System

  • Lync Basic 2013

For details about client support, see the following topics:

Topology Requirements

To configure your deployment for hybrid with Skype for Business Online, you need to have one of the following supported topologies:

  • A Skype for Business Server 2015 deployment with all servers running Skype for Business Server 2015.

  • A Lync Server 2013 deployment with all servers running Lync Server 2013.

  • A Lync Server 2010 deployment with all servers running Lync Server 2010 with the latest cumulative updates.

    • The federation Edge Server and next hop server from the federation Edge Server must be running Lync Server 2010 with the latest cumulative updates.

    • The Skype for Business Server 2015 or Lync Server 2013 Administrative Tools must be installed on at least one server or management workstation.

  • A mixed Lync Server 2013 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:

    • At least one Enterprise Pool or Standard Edition server

    • The Director Pool associated with SIP federation, if it exists

    • The Edge Pool associated with SIP federation

  • A mixed Lync Server 2010 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:

    • At least one Enterprise Pool or Standard Edition server

    • The Director Pool associated with SIP federation, if it exists

    • The Edge Pool associated with SIP federation for the Site

  • A mixed Lync Server 2010 and Lync Server 2013 deployment with the following server roles in at least one site running Lync Server 2013:

    • At least one Enterprise Pool or Standard Edition server in the site

    • The Director Pool associated with SIP federation, if it exists in the site

    • The Edge Pool associated with SIP federation for the site

Important

All user management, including user moves between on-premises and Skype for Business Online, needs to be done using the latest installed version of the administrative tools. The administrative tools must be installed on a separate server that has connectivity to the existing on-premises deployment and to the Internet. The Move-CsUser cmdlet to move users from your on-premises deployment to Skype for Business Online must be run from the administrative tools connected to your on-premises deployment.

For more information about supported topologies, see Supported topologies in Lync Server 2013, and Lync Server 2013 Reference Topologies for Enterprise Hybrid Deployments.

For troubleshooting information about hybrid deployments and connecting PowerShell to Lync Online, see Lync Online: Lync PowerShell and Hybrid Troubleshooting.

Requirements for Federation Allowed/Blocked Lists

The Allowed domains list includes domains that have a partner Edge fully qualified domain name (FQDN) configured. These are sometimes referred to as allowed partner servers or direct federation partners. You should be familiar with the difference between Open Federation and Closed Federation, referred to as partner discovery and allowed partner domain list, respectively, in on-premises deployments.

The following requirements must be met to successfully configure a hybrid deployment:

  • Domain matching must be configured the same for your on-premises deployment and your Microsoft 365 or Office 365 organization. If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant.

  • The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant.

  • The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant.

  • Federation must be enabled for the external communications for the online tenant, which is configured by using the Lync Online Control Panel.
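The four requirements above are easy to drift out of sync because the two sides are managed with different tools. As an added example (not from the TechNet topic), the script below reads both sides and reports any mismatch. It assumes the Lync Server Management Shell for the on-premises cmdlets plus an imported Skype for Business Online remote session (New-CsOnlineSession | Import-PSSession) for the tenant cmdlets; the shape of the tenant's AllowedDomains property (an AllowAllKnownDomains object for open federation, otherwise an allow list whose AllowedDomain entries expose a Domain property) is assumed from the online cmdlet documentation.

```powershell
# Added example, not from the TechNet topic. Requires the Lync Server Management Shell
# and an imported Skype for Business Online session in the same window.
# Assumed: tenant AllowedDomains is AllowAllKnownDomains (open) or an allow list whose
# AllowedDomain entries have a .Domain property; BlockedDomains entries have .Domain.

function Compare-DomainList {
    # Returns $true when both lists hold the same domains; warns about each difference.
    # Works with empty lists (Compare-Object does not accept empty reference arrays).
    param([string[]]$OnPrem, [string[]]$Online, [string]$ListName)
    $onlyOnPrem = @($OnPrem | Where-Object { $_ -notin $Online })
    $onlyOnline = @($Online | Where-Object { $_ -notin $OnPrem })
    foreach ($d in $onlyOnPrem) { Write-Warning "$ListName list: $d is configured on-premises only" }
    foreach ($d in $onlyOnline) { Write-Warning "$ListName list: $d is configured online only" }
    return ($onlyOnPrem.Count -eq 0 -and $onlyOnline.Count -eq 0)
}

# --- On-premises: partner discovery (open federation) plus allowed/blocked lists ---
$edge          = Get-CsAccessEdgeConfiguration
$onPremOpen    = [bool]$edge.EnablePartnerDiscovery
$onPremAllowed = @(Get-CsAllowedDomain | ForEach-Object { $_.Identity.ToString().ToLower() })
$onPremBlocked = @(Get-CsBlockedDomain | ForEach-Object { $_.Identity.ToString().ToLower() })

# --- Online tenant: same three facts from the tenant federation configuration ---
$tenant        = Get-CsTenantFederationConfiguration
$onlineOpen    = $tenant.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains'
$onlineAllowed = if ($onlineOpen) { @() }
                 else { @($tenant.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLower() }) }
$onlineBlocked = @($tenant.BlockedDomains | ForEach-Object { $_.Domain.ToLower() })

$ok = $true
# Requirement 1: partner discovery on-premises <=> open federation online.
if ($onPremOpen -ne $onlineOpen) {
    Write-Warning "Domain matching mismatch: on-premises partner discovery=$onPremOpen, tenant open federation=$onlineOpen"
    $ok = $false
}
# Requirements 2 and 3: the lists must match exactly. An open tenant has no explicit
# allow list, so any on-premises direct-federation (partner Edge FQDN) entries are flagged for review.
$ok = (Compare-DomainList $onPremAllowed $onlineAllowed 'Allowed') -and $ok
$ok = (Compare-DomainList $onPremBlocked $onlineBlocked 'Blocked') -and $ok

if ($ok) { 'Federation allowed/blocked configuration matches between on-premises and online.' }
else     { 'Fix the mismatches above before enabling hybrid; federated routing for the split domain will otherwise be inconsistent.' }
```

Requirement 4 (external communications enabled for the tenant) is a control panel setting rather than a list, so it is left to a manual check.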

DNS Settings

When creating DNS records for hybrid deployments, all Lync external DNS records should point to the on-premises infrastructure. For details on required DNS records, please refer to Domain Name System (DNS) requirements for Lync Server 2013.

Additionally you need to ensure that the DNS resolution described in the following table works in your on-premises deployment:

DNS record: DNS SRV record for _sipfederationtls._tcp.<sipdomain.com> for all supported SIP domains, resolving to the Access Edge external IP(s)

Resolvable by: Edge server(s)

DNS requirement: Enables federated communication in a hybrid configuration. The Edge Server needs to know where to route federated traffic for the SIP domain that is split between on-premises and online.

DNS record: DNS A record(s) for the Edge Web Conferencing Service FQDN, e.g. webcon.contoso.com, resolving to the Web Conferencing Edge external IP(s)

Resolvable by: Internal corporate network connected users’ computers

DNS requirement: Enables online users to present or view content in on-premises hosted meetings. Content includes PowerPoint files, whiteboards, polls, and shared notes.

Depending on how DNS is configured in your organization, you may need to add these records to the internal hosted DNS zone for the corresponding SIP domain(s) to provide internal DNS resolution to these records.


Firewall Considerations

Computers on your network must be able to perform standard Internet DNS lookups. If these computers can reach standard Internet sites, your network meets this requirement.

Depending on the location of your Microsoft Online Services data center, you must also configure your network firewall devices to accept connections based on wildcard domain names (for example, all traffic from *.outlook.com). If your organization’s firewalls do not support wildcard name configurations, you will have to manually determine the IP address ranges that you would like to allow and the specified ports.


Refer to the Help topic Office 365 URLs and IP address ranges.

Port and Protocol Requirements

In addition to the port requirements for internal Lync Server 2013 communication, you must also configure the following ports.

Protocol / Port

Applications

TCP 443

Open inbound

  • Active Directory Federation Services (federation server role)

    For more information, see Understanding AD FS Role Services.

  • Active Directory Federation Services (proxy server role)

  • Microsoft Online Services Portal

  • My Company Portal

  • Outlook Web App

  • Lync client (communication to Lync Online from on-premises Lync Server)

TCP 80 and 443

Open inbound

  • Microsoft Online Services Directory Synchronization Tool

TCP 5061

Open inbound/outbound on the Edge Server

PSOM/TLS 443

Open inbound/outbound for data sharing sessions

STUN/TCP 443

Open inbound/outbound for audio, video, application sharing sessions

STUN/UDP 3478

Open inbound/outbound for audio and video sessions

RTP/TCP 50000-59999

Open outbound for audio and video sessions
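The DNS table and the port table above are both preflight checks, so here is one added example (not from the TechNet topic) that runs them from a Windows host: it resolves the federation SRV record, confirms its target resolves to an on-premises Access Edge, probes TCP 5061 and 443 on that Edge, and checks that the Web Conferencing Edge FQDN resolves from an internal machine. Resolve-DnsName and Test-NetConnection come with Windows 8 / Server 2012 and later; contoso.com and webcon.contoso.com are placeholders for your SIP domain and Web Conferencing Edge FQDN. UDP 3478 and the RTP range cannot be verified with a plain TCP probe and are left out.

```powershell
# Added example, not from the TechNet topic. Run on an internal Windows host
# (DnsClient and NetTCPIP modules, Windows 8 / Server 2012 or later).
$SipDomain   = 'contoso.com'          # placeholder: your split SIP domain
$WebConfFqdn = 'webcon.contoso.com'   # placeholder: Web Conferencing Edge external FQDN

function Get-FederationSrv([string]$Domain) {
    # The Edge Server routes federated traffic for the split domain using this record.
    Resolve-DnsName -Name "_sipfederationtls._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |     # the answer may also carry additional A records
        Sort-Object Priority, Weight
}

$srv = @(Get-FederationSrv $SipDomain)
if ($srv.Count -eq 0) {
    Write-Warning "No _sipfederationtls._tcp.$SipDomain SRV record; federated traffic for the split domain cannot be routed."
} else {
    foreach ($r in $srv) {
        "SRV $($r.Name) -> $($r.NameTarget):$($r.Port) (priority $($r.Priority), weight $($r.Weight))"
    }
    $edgeFqdn = $srv[0].NameTarget

    # In hybrid, all external Lync records point at on-premises infrastructure:
    # the SRV target must be your own Access Edge external FQDN, not a cloud host.
    $a = Resolve-DnsName -Name $edgeFqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    if (-not $a) { Write-Warning "$edgeFqdn has no A record" }
    else         { "Access Edge $edgeFqdn -> $($a.IPAddress -join ', ')" }

    # From the port table: SIP federation on TCP 5061, STUN/TCP and PSOM/TLS on TCP 443.
    foreach ($port in 5061, 443) {
        $t = Test-NetConnection -ComputerName $edgeFqdn -Port $port -WarningAction SilentlyContinue
        "TCP $port to ${edgeFqdn}: " + $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# Internal client machines must resolve the Web Conferencing Edge FQDN, otherwise online
# users cannot present or view content in on-premises hosted meetings.
$web = Resolve-DnsName -Name $WebConfFqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
if (-not $web) { Write-Warning "$WebConfFqdn does not resolve from this internal host; add it to the internal zone for $SipDomain" }
else           { "Web Conferencing Edge $WebConfFqdn -> $($web.IPAddress -join ', ')" }
```

Run the SRV part from an Edge Server and the Web Conferencing part from an ordinary internal workstation, since the table specifies which hosts must be able to resolve each record.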

User Accounts and Data

In a Lync Server 2013 hybrid deployment, any user that you want to home in Lync Online must first be created in the on-premises deployment, so that the user account is created in Active Directory Domain Services. You can then move the user to Skype for Business Online, which will move the user’s contact list.

When you synchronize user accounts between your Lync on-premises and Lync Online deployments with AD FS and Dirsync, you need to synchronize the AD accounts for all Lync users in your organization between your on-premises and online Lync deployments, even if users are not moved to Lync Online. If you do not synchronize all users, communication between on-premises and online users in your organization may not work as expected.

Important

If the user is created by using the online portal for Microsoft 365 admin center, the user account will not be synchronized with on-premises Active Directory, and the user will not exist in the on-premises Active Directory. If you have already created users in Lync Online, and want to configure hybrid with an on-premises Lync Server, see Moving users from Lync Online to Lync on-premises in Lync Server 2013.


You should also consider the following user-related issues when planning for a hybrid deployment.

  • User contacts: The limit for contacts for Lync Online users is 250. Any contacts beyond that number will be removed from the user’s contact list when the account is moved to Lync Online.

  • Instant Messaging and Presence: User contact lists, groups, and access control lists (ACLs) are migrated with the user account.

  • Conferencing data, meeting content, and scheduled meetings: This content is not migrated with the user account. Users must reschedule meetings after their accounts are migrated to Lync Online.
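The move itself, as an added example (not from the TechNet topic) that ties together the Important note about running Move-CsUser from the on-premises administrative tools and the requirement that the account already exist on-premises. It assumes the Lync Server 2013 or Skype for Business Server 2015 Management Shell on the administrative tools machine; alice@contoso.com, the admin pod name in the HostedMigrationOverrideUrl and the expected on-premises HostingProvider value of SRV: are placeholders or assumptions for your environment.

```powershell
# Added example, not from the TechNet topic. Run in the on-premises Management Shell on
# the administrative tools machine (it needs connectivity to on-premises and the Internet).
# Placeholders: the user UPN and the HostedMigrationOverrideUrl admin pod.
$Upn                = 'alice@contoso.com'
$HostedMigrationUrl = 'https://admin0a.online.lync.com/HostedMigration/hostedmigrationService.svc'
$OnlineCred         = Get-Credential -Message 'Skype for Business Online tenant administrator'
$OnlineProvider     = 'sipfed.online.lync.com'

# 1. The account must already exist in on-premises AD DS and be Lync-enabled.
#    Accounts created only in the Microsoft 365 admin center never sync back, so this lookup fails for them.
$user = Get-CsUser -Identity $Upn -ErrorAction Stop
if (-not $user.Enabled) { throw "$Upn exists on-premises but is not enabled for Lync." }
"Before move: pool=$($user.RegistrarPool) hostingProvider=$($user.HostingProvider)"

if ($user.HostingProvider -eq $OnlineProvider) {
    "$Upn is already homed online; nothing to do."
    return
}

# 2. Move the user. The contact list moves with the account; scheduled meetings and
#    meeting content do not, and contacts beyond the 250 online limit are dropped.
Move-CsUser -Identity $Upn -Target $OnlineProvider -Credential $OnlineCred `
            -HostedMigrationOverrideUrl $HostedMigrationUrl -Confirm:$false

# 3. Verify the homing changed before telling the user to sign in again.
$moved = Get-CsUser -Identity $Upn
if ($moved.HostingProvider -ne $OnlineProvider) {
    throw "$Upn still reports HostingProvider '$($moved.HostingProvider)'; check the move output."
}
"After move: hostingProvider=$($moved.HostingProvider). Remind the user to reschedule existing meetings."
```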

User Policies and Features

  • In a Lync Server 2013 hybrid environment, users can be enabled for Instant Messaging, voice, and meetings either on-premises or online, but not both simultaneously.

  • Lync client: Some users may require a new client version when they are moved to Lync Online. For Office Communications Server 2007 R2, users must be moved to a Lync Server 2013 pool prior to migration to Lync Online.

    For more information about client support, see Clients for Lync Online and Supported Lync clients and network port configurations.

  • On-premises policies and configuration (non-user): Online and on-premises policies require separate configuration. You cannot set global policies that apply to both.