Overview:
I had recently been engaged in an Office 365, Skype for Business Online hybrid implementation, whereby our customer was wishing to move all users away from the Skype for Business Server 2015 on-premises environment. User mailboxes were homed in Office 365 already and therefore, maintaining user contact lists and allowing the meeting migration service to handle scheduled end user meeting updates was something of interest to the customer, to maintain a positive end user experience.
The customer had met all perquisites for Skype for Business Server, which can be found here:
- Skype for Business Server 2015 topology with the latest updates applied
- External Access configured and working correctly, including federation
- An Office 365 E3 tenant was in use which includes Skype for Business Online
- Active Directory Synchronization was taking place
- All users were enabled for Skype for Business Server Only
To begin with, we implemented the required Shared SIP Address space configuration and ensured there was consistency between the Allow/Blocked federation lists between the on-premises and Online. Remote access has been enabled and all public DNS records were pointing at the on premises Edge and reverse proxy servers where required.
Issue:
We moved our first user online and to begin with, kicked off some basic testing from this user account which initially seemed successful. When we began testing the initiation of communications from an on-premises user, to an Online user, we noticed we could not see the presence for the Online user. Although from Online > on-premises, presence was OK.
Although we couldn’t see presence of the online homed user, we could actually initiate instant messaging and presence with that user…..time for snooper. During the review of the logs, we could see the request for presence subscription taking place, but upon the return packet, we were receiving the following FORBIDDEN message:
Upon examination of the 200 OK being received, we could see the following:
This forbidden message was present in each of the differing user accounts we have synced and tested.
It is important to note that the following scenarios DID work:
- Online user > On premise:
- IM, Presence, Audio, Video, Collaboration
- Online user > Federated user:
- IM, Presence, Audio, Video, Collaboration
- On-premises user > Online user
- IM, Audio, Video, Collaboration
- On-premises user > Federated user
- IM, Presence, Audio, Video, Collaboration
So initial testing highlighted that PRESENCE, from an online homed user, was NOT being received by the on-premises user (although the Online user logs showed that it was sending the info)
Resolution:
I decided to take a step back and look at the areas that I had not had full control over, the first being user synchronization. After initial testing, I could see that ALL users were being synced to Azure AD, prerequisite met, BUT the SIP attributes on the on-premises users were NOT being synced to Azure AD!
Working with the identity and access team, we updated the Azure AD Connect synchronization to ensure that the SIP attributes on the local accounts were included and BOOM – two-way presence!
We completed the in-depth testing and we are now able to migrate all users from Skype for Business Server to Office 365 Skype for Business Online.
