Skype for Business Online Federation (External Connectivity, Public Connectivity) Options and Configuration
This post talks about federation (also sometimes called external connectivity, or public connectivity specifically when talking about federation to Skype consumer) in Skype for Business Online. This feature is also available on Skype for Business Server, but this post specifically considers Skype for Business Online.
What is Skype for Business Online Federation (external connectivity)?
Skype for Business external connectivity (federation) enables a Skype for Business user to connect with users in other organisations that use Skype for Business as well as those that host their own Skype for Business Server on-premises. Federated contacts can see presence, communicate by using IM and make Skype-to-Skype audio and video calls.
All federated communications are encrypted between the IM systems using access proxy servers. Microsoft does not control encryption after messages are passed to the federated partner’s network (if the partner is federated with an on-premises Skype for Business Server or third-party network).
What is Public IM connectivity?
This is off by default; it allows Skype for Business Online users to talk to Skype Consumer users. Note this is 1:1 for IM, Audio and Video, but not supported in any conference/multiparty scenario.
Note that with Skype for Business Server this feature historically offered federation with other public IM providers beyond just Skype Consumer, but now only Skype Consumer is supported in both Skype for Business Server and Skype for Business Online.
How do I set Federation/External Connectivity up in Skype for Business Online?
First off, it is on by default. You can configure it in the Skype for Business Online Admin Portal.
Default is On except for blocked domains
Options are to turn it off completely, On except for blocked domains or On only for allowed domains.
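The same three options can be set from PowerShell, which is easier to audit and repeat than portal clicks. This is an added example, not from the original post: it assumes a remote PowerShell session to the tenant is already open, the function name `Set-FederationMode` is hypothetical, and the `.example` domains are constructed placeholders.

```powershell
# Added example. Assumes a remote PowerShell session to the tenant is already open.
# Set-FederationMode is a hypothetical helper; the .example domains are constructed.
function Set-FederationMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Off','BlockList','AllowList')][string]$Mode,
        [string[]]$Domains = @()
    )
    # The federation cmdlets take domain pattern objects, not plain strings.
    $patterns = @($Domains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ })

    if (-not $PSCmdlet.ShouldProcess('tenant federation configuration', "Set mode $Mode")) { return }

    switch ($Mode) {
        'Off' {
            # Turn federation off completely.
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
        }
        'BlockList' {
            # On except for blocked domains (the default behaviour).
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomains (New-CsEdgeAllowAllKnownDomains)
            if ($patterns) { Set-CsTenantFederationConfiguration -BlockedDomains @{Add = $patterns} }
        }
        'AllowList' {
            # On only for allowed domains; refuse an empty list rather than guess.
            if (-not $patterns) { throw 'AllowList mode needs at least one domain.' }
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                -AllowedDomains (New-CsEdgeAllowList -AllowedDomain $patterns)
        }
    }
}

# Record the current state before changing anything.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# Preview the change; remove -WhatIf to apply it.
Set-FederationMode -Mode AllowList -Domains 'partner-a.example','partner-b.example' -WhatIf
```

`AllowPublicUsers` in the audit output is the Public IM connectivity (Skype Consumer) switch, which is set separately with `Set-CsTenantFederationConfiguration -AllowPublicUsers`.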
A Note on Enhanced Federation, Dynamic Federation and Direct Federation
On Skype for Business Server, there is the concept of different types or levels of Federation.
- “Dynamic Federation” or “Discovered Partner domain”, i.e. open federation, which allows discovery of companies via DNS without explicitly listing them in the allow list. This type of federation depends on both partners having their SRV records set up correctly.
- “Enhanced Federation” or “Allowed Partner Domain federation”, where Skype for Business Server is set to open federation, but you add your partner’s SIP domain to the allowed Federated Domains list in Skype for Business.
- “Direct Federation” or “Allowed Partner Server”, where you configure the partner SIP domain name and the partner Edge Server FQDN as a federation partner in Policies.
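Because Dynamic Federation depends on the partner's SRV record, it is worth checking what a partner domain actually publishes before relying on discovery. This is an added example, not from the original post: it assumes the standard federation record name `_sipfederationtls._tcp.<domain>`, the function name `Test-FederationSrv` is hypothetical, and the `.example` domains are constructed placeholders.

```powershell
# Added example. Test-FederationSrv is a hypothetical helper; domains are constructed.
function Test-FederationSrv {
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        # Assumption: the federation SRV record uses the standard name below.
        $name = "_sipfederationtls._tcp.$d"
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
        if (-not $srv) {
            # No record: this partner cannot be discovered dynamically.
            [pscustomobject]@{ Domain = $d; Discoverable = $false; Target = $null; Port = $null }
            continue
        }
        foreach ($r in $srv) {
            # Target is the edge/access proxy the partner publishes for federation.
            [pscustomobject]@{ Domain = $d; Discoverable = $true; Target = $r.NameTarget; Port = $r.Port }
        }
    }
}

Test-FederationSrv -Domain 'partner-a.example','partner-b.example' | Format-Table -AutoSize
```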
Dynamic Federation Rate Limits on Skype for Business Server
Dynamic Federation has some rate limits on the number of messages between companies/domains.
- If a federated organisation sends requests to more than 1000 Uniform Resource Identifiers (URIs, “users”, either valid or invalid), the federated organisation is put on a watch list and future connections are blocked on the Edge Server.
- If the Edge Server detects suspicious traffic on a connection, it will limit the federation partner to a low message rate of 1 message per second. The Edge Server detects suspicious traffic by calculating the ratio of successful to failed responses.
- The Edge Server also limits legitimate dynamically federated partner connections to 20 messages per second.
Enhanced Federation (where domains are added to the allow list) does not get rate limited, so you will not be regulated on the number of messages or users. Direct is also not rate limited, but there is no DNS lookup for the partner’s edge server.
For Skype for Business Server, if you know that a legitimate federated partner will send more than 1000 requests, or a volume of over 20 messages per second, to your organisation, you must add the federated partner to the Allow tab to allow these volumes.
For Skype for Business Online, this rate limiting is supposed not to exist for traffic from within the Office 365 cloud (tenant to tenant) but does apply to traffic coming from outside Office 365 (i.e. Skype for Business Server installs/users). At present, I can’t find a way to set a tenant to “open federation” and have an “allowed list”.
- There is no “in the box” ability to restrict which subsets of users can federate with select organisations; it’s a global allow/block list.
- Federated connections are not covered by the SLAs provided as a part of Office 365 subscriptions.
- Federated connections are not offered in service availability targets.
- Federated connections are excluded from the service continuity management Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Text-based chat is the default communication type allowed across federated connections. Audio, video and content sharing may be possible if the federated partner’s environment is correctly configured with Skype for Business Server, which permits these types of communication.
- File transfer is available with federated connections.
- Skype for Business supports only federation traffic routed through the Internet.