Thou shall not let Internal Users connect to External Edge Interface…

I've been involved with UC for a while, long before it was called UC, and over time we've all developed cardinal rules for deployments. One that I, and I know several others, have adhered to: "Thou shall not let Internal Users connect to External Edge Interface". Right!?!

Times are a-changing, and rules are made to be broken, so add the one above to the list, or at least to the list of rules that get bent: extended Skype Online/Hybrid coexistence is the reason. In a Hybrid configuration, users Online and users on-prem are one big happy environment, right? Wrong!! In reality they are two separate environments that share a SIP namespace, with some replication from on-prem to Online thrown in. (Online doesn't replicate to on-prem; see other postings.)

Usually this is all good, UNTIL an Online user who normally works from home decides to come into the office one day. They sign in with no problem: they hit the internal SIP endpoint, the on-prem Front End sees that they are an Online user, redirects them up to Online, and everything is right as rain. Then it's time to join the on-prem meeting hosted by their in-office manager. Audio/video works, but there is no presentation, and an error message comes up when they try to share content to present: "Your DNS configuration is preventing you from presenting content", or possibly other variants.

When signed in, Skype Online users are, for connectivity purposes, external federated users, and they actually need to connect to the Web Conferencing interface on the External Edge. If you've been following the aforementioned cardinal rule, there is likely no internal name resolution for the WebConf FQDN, and/or there are firewall rules blocking internal connections to the External interface.

Don't believe me? It's in TechNet as a requirement for Hybrid: https://technet.microsoft.com/en-us/library/jj205403.aspx

[Image: webconf]

Another odd scenario, which I hope is rare: one large international corporation, separate forests, separate domains, but replicating their split-brain internal DNS zones (the zones that house the internal SIP/Skype DNS entries) to each other. Corporate site A can't resolve webconf.corporateB.com, because A has B's internal split-brain copy of the public zone replicated and resolves against that, instead of the public DNS zone, which is the only place the record exists.

So it seems the new rule is: add the External Web Services and WebConf FQDNs to your internal split-brain DNS zones, pointing at the same external IP addresses the public zone uses, and make sure the firewall lets internal clients reach them.
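A quick way to check both failure modes described above (no internal record at all, or a record that resolves differently from the public zone, as in the site A/site B case) and to confirm the firewall hairpin, as an added example that is not part of the original post. It assumes a hypothetical SIP domain contoso.com with webconf.contoso.com and lyncweb.contoso.com as the Edge web conferencing and external web services FQDNs, an internal DNS server named dns01 hosting the split-brain contoso.com zone, and 203.0.113.10 (a documentation address) as the Edge external IP; run it from an internal, domain-joined Windows client.

```powershell
# Added example, not from the original post or from Microsoft. Compares how the
# Edge web-conferencing and external web services FQDNs resolve from inside the
# network versus on the public Internet, then tests TCP 443 to the resolved address.
# Hypothetical values: contoso.com, dns01, 203.0.113.10, and the two FQDNs below.

$Fqdns = @(
    'webconf.contoso.com',   # Web Conferencing Edge external FQDN (hypothetical)
    'lyncweb.contoso.com'    # External Web Services FQDN on the reverse proxy (hypothetical)
)
$PublicResolver = '8.8.8.8'  # any resolver that only sees the public zone

function Get-ARecords {
    # Returns the sorted list of A-record addresses for $Name, optionally via a specific server.
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $p.Server = $Server }
    @(Resolve-DnsName @p | Where-Object { $_.QueryType -eq 'A' } |
        Select-Object -ExpandProperty IPAddress | Sort-Object)
}

foreach ($fqdn in $Fqdns) {
    $internal = Get-ARecords -Name $fqdn
    $public   = Get-ARecords -Name $fqdn -Server $PublicResolver

    if ($internal.Count -eq 0) {
        # The classic symptom: the internal split-brain zone has no record, so an Online
        # user sitting on the LAN cannot find the Edge at all.
        Write-Warning "$fqdn does not resolve internally (public: $($public -join ', ')). Add it to the internal zone."
        continue
    }
    if ($public.Count -gt 0 -and (Compare-Object $internal $public)) {
        # The site A / site B case: the name resolves, but not to the public Edge address.
        Write-Warning "$fqdn resolves to $($internal -join ', ') internally but $($public -join ', ') publicly."
    }
    foreach ($ip in $internal) {
        # Web Conferencing Edge and the reverse proxy listen on TCP 443 externally; a
        # successful connect from inside confirms the firewall permits the hairpin.
        $t = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
        '{0} -> {1} TCP/443 {2}' -f $fqdn, $ip, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# Remediation for the missing-record case: add the A record to the internal split-brain
# zone, pointing at the same public IP the external zone uses. Requires the DnsServer
# RSAT module and rights on dns01 (hypothetical). Uncomment to apply.
# Add-DnsServerResourceRecordA -ComputerName 'dns01' -ZoneName 'contoso.com' -Name 'webconf' -IPv4Address '203.0.113.10'
```

The DnsOnly switch makes Resolve-DnsName skip the local cache and hosts file, so the result reflects what the internal zone actually serves. A "BLOCKED" result with correct resolution points at the firewall rather than DNS; a warning with no addresses points at the split-brain zone.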

Good times.

Additional note: In the Wireshark captures, the Skype Online AV traffic also appeared to be going through the Edge AV NIC. The same machine signed into an on-prem account connected directly to the Front End.

10 thoughts on “Thou shall not let Internal Users connect to External Edge Interface…”

  1. So what is the resolution? Have on-prem and online users all resolve webcon.xxxx.xxx to the external interface whilst also allowing all internal clients to route from inside the network to the external interface for webcon.xxxx.xxx?

    1. The problem is when the Online users are inside your network. They won't be able to connect to your Front End and must go out and come back in through webcon.company.com. IF Online users are never inside your network, it shouldn't be a problem, but there are always times when they come in to visit.

    1. Then you will likely need to resolve, and allow through the firewall, traffic to the webconf service on the Edge, if you want Online Skype users to join on-premises FE-hosted Skype meetings.

  2. Just wanting to clarify something: you keep referring to the webconf service on the Edge server, but what about the other services on the Edge server, like SIP, Access Edge, AV Edge, and particularly the Office Web Apps service on the reverse proxy, which is used for file sharing and PowerPoint presentations? Do SfB Online users need to access those externally when on the internal network too?

    1. It is just the webconf that needs to be able to resolve and hairpin back to the webconf service for SfBO users who are working from the internal network when they are in hybrid mode and trying to connect to an on-premises meeting. Confusing scenario, I know.

  3. One last thing: the webconf service sits only on the Edge server (certainly in our DNS we only have an external record for the service), so does that mean if I create an internal DNS record for the service (pointing to the external service, of course) it will have no effect on on-prem users sitting inside our network?

    1. Yes, that is correct. Your webconf needs both external and internal DNS resolution to the same external IP address, and it doesn't impact your on-prem users.
