Forefront TMG rule for Lync online access

Similar Messages

• On Prem Lync - Enable federation for "Lync Online" causes presence fail and gives error when creating groups

  Hi all,
  We have had Lync on premise for a long time, and have recently added Office 365 Business Premium Plan because we wanted Cloud exchange and SharePoint.
  I have found that on our on prem Lync, when we enable federation for "Lync Online" it cause our presence to intermittently flick on and off, and we are unable to create groups in our Lync Client. We get the message "unable to create a group
  at this time".
  We are also not able to federate with Office365 hosted Lync Online clients.
  This seems to be a bug between Office365 plans that have hosted lync licenses and on prem Lync. Has anyone found the
  What I need to do is disable office365 Lync, and I have tried to do that in every location I can find (DNS/User settings), but I still have this issue.
  Has anyone come across this issue and found a fix?
  Simon.

  Hi,
  Did you do a Lync Hybrid environment or just make federation with Lync Online?
  Please double check if there is any wrong configuration for federation with Lync online environment. You can refer to the following steps in the link below of “Configure federation support for a Lync Online domain in Lync Server 2013”:
  http://technet.microsoft.com/en-us/library/hh202166.aspx
  Then make sure CMS replication update to the latest status.
  If the issue persists, check if Lync Server update the latest version. If not, update it and then test again.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Is set-csclientpolicy not available for Lync Online (Office 365) ?

  Is set-csclientpolicy not available as a cmdlet to administer Lync Online?  we need to set the DisableCalendarPresence setting for our organization.

  If it's helpful, here's a listing of Lync Online cmdlets:
  http://technet.microsoft.com/en-us/library/jj994021.aspx
  As Richard noted, it's a very small subset of Lync 2013 on premises commands and set-csclientpolicy isn't one of the ones listed.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Rule for Allowing Computer Access Microsoft

  I have a computer behind the ASA 5505 firewall. The computer needs to access Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically points to www and https traffic. Therefore, looking at this heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall. Below, I have included my current asa 5505 configuration. can you please tell me what needs to be added or so?
  hostname ciscoasa
  domain-name default.domain.invalid
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 170.18.18.132 255.255.255.240
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  banner motd
  banner motd +......................-+
  banner motd | |
  banner motd | *** Unauthorized Use or Access Prohibited *** |
  banner motd | |
  banner motd | For Authorized Official Use Only |
  banner motd | You must have explicit permission to access or |
  banner motd | configure this device. All activities performed |
  banner motd | on this device may be logged, and violations of |
  banner motd | this policy may result in disciplinary action, and |
  banner motd | may be reported to law enforcement authorities. |
  banner motd | |
  boot system disk0:/asa724-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group network obj_any
  object-group network microsoft-servers
  network-object host 207.46.21.123
  network-object host 4.26.252.126
  network-object host 8.26.205.253
  network-object host 8.27.149.126
  network-object host 65.55.58.195
  network-object host 94.245.126.107
  network-object host 192.70.222.41
  network-object host 192.70.222.59
  network-object host 157.55.44.71
  network-object host 118.108.3.84
  network-object host 207.46.131.43
  network-object host 207.46.19.190
  network-object host 143.127.102.40
  network-object host 72.14.204.101
  network-object host 64.208.186.114
  object-group network other_servers
  network-object 118.108.62.236 255.255.255.255
  access-list outside_access_in extended permit ip object-group psu-servers any
  access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq www
  access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq https
  access-list inside_access_out extended permit ip any any
  access-list inside_access_out extended permit tcp any object-group epay_servers eq https
  access-list inside_access_out extended permit ip any object-group psu-servers
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip audit name insidepolicy info action
  ip audit name outsidepolicy info action
  ip audit interface inside insidepolicy
  ip audit interface outside outsidepolicy
  ip audit info action
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any echo-reply outside
  icmp permit any outside
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) 170.18.18.133 10.2.1.2 netmask 255.255.255.255
  access-group inside_access_out in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 170.18.18.129 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 10.2.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 10.2.1.2 255.255.255.255 inside
  ssh 170.18.18.132 255.255.255.255 outside
  ssh timeout 30
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.2.1.2-10.2.1.254 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context

  Hello Par13,
  Yo do not need to allow anything as you are already allowing everything from inside to oustide:
  access-group inside_access_out in interface inside
  access-list inside_access_out extended permit ip any any
  That line allows everything that is innitiated from the inside interface of the ASA, the returning traffic that matches a connection already established from that inside host will be allowed by default ( Stateful inspection aplied by the ASA)
  Hope this helps.
  Regards,
  Do rate all the helpful posts
  Julio

• Getting denied errors when using TMG Array for publishing Exchange and Lync

  I'm setting up a TMG array of 2 TMG servers for Lync. The TMG array is already in use for Exchange. The Exchange publishing rules and web listener use a VIP of x.x.x.220.
  I added a secondary VIP of x.x.x.209 for Lync and set up a web listener and Lync pubishing rule using the secondary VIP. I am now getting the below error. And yes, there are publishing rule and listener for the Lync URL's already.
  I've google'd and google'd but didn't find any answers.
  One thing I do notice on the setting for the Lync Web Listener is that the secondary VIP IP shows as "Virtual IP" as opposed to "<server name>" as with the primary VIP IP for Exchange rules/listener (x.x.x.220).
  All the listner / rule settings are fine, and I've rechecked many times. It just appears that when I send requests for the Lync URL's, TMG doesn't even relate the request to the Lync Rule.
  Any help would be appreciated!
  me

  If NLB reports configuration failure as above, then that is your issue.
  The resulting error message when traffic hits TMG is because of that and the reason for it is that the IP address used in publishing is in the TMG configuration but most likely not configured on the NIC. As long as your IT dept doesn't resolve the issue
  with NLB then your progress will be limited.
  If the hotfix matches your environment, then apply it. If it resolves it, then that is good.
  If not, you need to review your NLB configuration in TMG (unicast/multicast) vs your network infrastructure. If it is multicast, then you need to have your networking team look at the switch TMG is conneced to and configure it accordingly.
  http://technet.microsoft.com/en-us/library/ff849728.aspx is a good start for troubleshooting and understanding NLB and TMG.
  Hth, Anders Janson Enfo Zipper

• Bulk enable Lync Online for users already synced to Office 365 E1

  We already have 8000 users on Office 365 using E1 Exchange Online. We also have a handful who are using E3 with all services. How do I create a powershell script that will enable all users for Lync Online in addition to what ever licenses and services
  they are currently using?

  Hi Chudly，
  For the office365 issue, I also recommend you can post in dedicated forum for more efficient support:
  http://community.office365.com/en-us/f/166.aspx
  If you want to modify the powershell script, please post the current script and the issue, we will notice and continue to follow up.
  If there is anything else regarding this issue, please feel free to post back.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna Wang
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Lync Online Voicemail

  We have a Lync Hybrid setup, some users are onprem and some are online with Office 365. 
  We were able to configure voicemail for onprem users, works without any issues. However when we enable UM for users homed @LyncOnline the voicemail does not activate. Is voicemail supported for Lync Online users? I could not find any detailed info on this. 
  Thanks
  Emin

  Voicemail is supported in Exchange Online when hosted by Microsoft, but Enterprise Voice is not supported with Lync Online hosted by Microsoft, therefore you would have difficulty enabling UM in Exchange Online for users hosted by Lync Online as you've found.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Lync online meeting Firewall help

  We do not have Lync in my business but we do have some employees who join online Lync meetings that a customer hosts. The issue we are having is that we can log into the meeting and load the Lync Web App but when the host shares their screen, we get nothing. It just loops. I have made sure to allow the program through the local Windows Firewall ( I even disabled the Firewall in one test and still no go)I setup a meeting with the host today and logged in on my network and on my hot spot. Hot Spot works no problem which leads me to believe it's firewall related. I allowed the ports that I found for Lync Online and still nada. I have a Fortigate Firewall. Has anyone ever allowed Lync through this type of Firewall? I tried adding the applications to a Monitor Sensor and still can't see anything. We are running Win 7 Enterprise with IE 11...
  This topic first appeared in the Spiceworks Community

  That sounds like either ports blocked or perhaps a routing issue. Of course more details about your architecture are required to make a more accurate assumption. Also, you should be seeing errors in the Front End servers Event Log that could put you on to
  the underlying cause.
  Lastly, collect a trace using OCSLogger and analyze with Snooper to see why the audio is failing.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Lync Sorted blog

• Lync Online Capacity Planning

  Anybody know when the Lync bandwidth calculator is going to be updated for Lync Online. In the meantime has anyone found any good tools for network capacity planning to Lync Online?
  Ben

  You can also use Lync 2010 and 2013 Bandwidth Calculator for Lync online.
  If you have any more questions about Lync Online, I would recommend that you post your question in the following forum:
  http://community.office365.com/en-us/f/default.aspx.
  You can get a better response there.
  Lisa Zheng
  TechNet Community Support

• Forefront 2010 dening outlook 2013 and lync 2013 access to ther server

  we have currently, forefront TMG 2010, exchange server 2010 and lync 2010, running on our network and every working fine but recently i upgraded client MS Office 2010 to MS Office 2013 and suddenly forefront TMG 2010 started denying lync 2013 and outlook
  2013 access to the server.
  Please can somebody tell me how to resolve this problem.

  Hi，
  Thank you for your post here.
  Do you mean that you have published exchange server 2010 and lync 2010 via TMG?
  How dou you judge that TMG  blocks your traffic?
  Please check if there is any error information via TMG live logging.
  You can try to delete publish rule and reconfigure it.
  Best Regards
  Quan Gu

• HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

  17:06:13 Synchronizer Version 14.0.6123
  17:06:13 Synchronizing Mailbox '[email protected]'
  17:06:13 Synchronizing Hierarchy
  17:06:13   4 folder(s) added to online store
  17:06:13   1 folder(s) updated in online store
  17:06:13 Synchronizing local changes in folder 'Inbox'
  17:06:13 Error synchronizing folder
  17:06:13 [80041004-0-0-430]
  17:06:13 Error with Send/Receive.
  17:06:13 There was an error synchronizing your folder hierarchy. Error : 80041004.
  17:06:13 Synchronizing server changes in folder 'Calendar'
  17:06:13 Synchronizing server changes in folder 'Contacts'
  17:06:13 
  17:06:13 
  *Request*       
  17:06:13 17:06:13:0590
  17:06:13 POST
  17:06:13  http://
  17:06:13 contacts.msn.com
  17:06:13 /ABService/ABService.asmx
  17:06:13 
  17:06:13 <ABFindAll xmlns="http://www.msn.com/webservices/AddressBook"> <abId>00000000-0000-0000-0000-000000000000</abId><abView>Full</abView><deltasOnly>false</deltasOnly></ABFindAll>
  17:06:13 
  *Response*  
  17:06:13 17:06:13:0870
  17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
  Via: 1.1 TMG
  Proxy-Authenticate: Negotiate
  Proxy-Authenticate: Kerberos
  Proxy-Authenticate: NTLM
  Connection: close
  Proxy-Connection: close
  Pragma: no-cache
  Cache-Control: no-cache
  Content-Type: text/html
  Content-Length: 707
  17:06:13 
  17:06:13 
  17:06:13 
  17:06:13 Error with Send/Receive.
  17:06:13 There was an error synchronizing a contacts folder. Error : 80004005.
  17:06:13 Synchronizing server changes in folder 'Drafts'
  17:06:13 Synchronizing local changes in folder 'Inbox'
  17:06:13 Error synchronizing folder
  17:06:13 [80041004-0-0-430]
  17:06:13 Synchronizing server changes in folder 'Sent Items'
  17:06:13 Synchronizing server changes in folder 'Deleted Items'
  17:06:13 Synchronizing server changes in folder 'Junk E-mail'
  17:06:13 Done
  17:06:13 
  17:06:13 
  *Request*       
  17:06:13 17:06:13:0870
  17:06:13 POST
  17:06:13  http://
  17:06:13 mail.services.live.com
  17:06:13 /DeltaSync_v2.0.0/Settings.aspx
  17:06:13 
  17:06:13 <?xml version="1.0" encoding="utf-8"?><Settings xmlns="HMSETTINGS:"><ServiceSettings><SafetySchemaVersion>1</SafetySchemaVersion><SafetyLevelRules><GetVersion/></SafetyLevelRules><SafetyActions><GetVersion/></SafetyActions><Properties><Get/></Properties></ServiceSettings><AccountSettings><Get><Options/><Properties/></Get></AccountSettings></Settings>
  17:06:13 
  *Response*  
  17:06:13 17:06:13:0870
  17:06:13 HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )
  Via: 1.1 TMG
  Proxy-Authenticate: Negotiate
  Proxy-Authenticate: Kerberos
  Proxy-Authenticate: NTLM
  Connection: close
  Proxy-Connection: close
  Pragma: no-cache
  Cache-Control: no-cache
  Content-Type: text/html
  Content-Length: 707
  17:06:13 
  17:06:13 

  Hi,
  According to the log, it seems that TMG firewall denied the request and replied with an HTTP 407 response, indicating that proxy authentication was required. This was done because the Forefront TMG firewall did not have any access rules which would allow
  the anonymous request. Please check if you have configured related access rules.
  When did you recieve this log? Is there anyting wrong? Which authentication method you have used, Kerberos, NTLM or other? 
  It seems that each time a web proxy client requests a resource through a Forefront TMG firewall that requires NTLM authentication the client is actually denied twice during the transaction before being successfully authenticated and allowed access. When
  the Forefront TMG firewall is configured to use Kerberos there is only a single denied request and HTTP 407 response and then contact a domain controller and obtain a Kerberos ticket to present to the TMG firewall to gain access to the resource.
  If you configured the TMG clients with a certain proxy name, please make sure you typed the TMG's domain computer name only (not IP address nor alias).
  Best regards,
  Susie

• How to use 2 TMG Servers for Internet Access

  Hi there,
  This is what we have setup at the moment.
  We have two TMG 2010 SP2 Servers, let's call them TMG1 & TMG2. They sit in two different sites (physically not logically) which I will refer to as Site1 and Site2. TMG1 sits in Site1 and TMG2 in Site2.
  All internal users access the Internet via TMG1. They all have TMG Clients installed and they receive TMG1 as their proxy server (WPAD) via our DHCP servers. 
  I feel bad to see that TMG2 cannot take a little bit of traffic off from TMG1 for those who want to access the Internet. How can I go about doing this. I can achieve this by adding the TMG2 manually on TMG Clients but I prefer to do this automatically. Is
  there a way to publish TMG2 in WPAD while TMG1 is already there? Dont forget we only have the luxury of using two TMG
  Standard servers. :(
  Thank you.

  Hi,
  You can consider to configure the Forefront TMG Arrays or NLB.
  Planning for Forefront TMG server high availability and scalability
  http://technet.microsoft.com/en-us/library/dd897010.aspx
  Thanks.
  Jeremy Wu
  TechNet Community Support

• Need information for federation with lync online

  We have an online lync account and one lync on premises account. We are trying to federate the two domains to enable chat and presence sharing between the two.
  Online Lync client is [email protected] and lync on premises client is [email protected] We have updated the SRV records for ggnucfederation.com as follows to enable federation with lync online.
  _sipfederationtls._tcp.ggnucfederation.com --> sip.xmppspark.in
  An A record for sip.xmppspark.in has also been added in the DNS to point to lync edge server. However we notice that, when we add
  [email protected] from lync online, then no TLS handshake message is received at Lync edge server.
  Interestingly, if we modify the SRV record to 
  _sipfederationtls._tcp.ggnucfederation.com --> sip.ggnucfederation.com
  and correspondingly create A record for sip.ggnucfederation.com, then TLS handshake is initiated and done.
  What could we have possibly missed that is causing problem in the first case? Is it necessary to create the SRV record of type sip.<domainname>?
  As per my understanding, lync online should query the srv record to get the target machine for the sipfederationtls and accordingly initiate tls handshake with the host name specified in the srv record. Is there anything more to this?

  Not sure what you mean bu "Any other SRV record" above. The bottom line is that, On Prem deployment have an SRV (_sipfederationtls) record that resolve in to sip.domain.com (Access edge FQDN which is a A record) and Lync online deployment should
  also have a SRV record (_sipfederationtls) that resolve in to sip.domain.com (CNAME Record) which points to sipfed.online.lync.com (A record which ger created automatically)
  http://thamaraw.com
  Thanks Thamara for your replies!
  By 'any other SRV record' i meant, that I wish to make the srv record (_sipfederationtls._tcp.ggnucfederation.com) point to sip.xmppspark.in. The reason for this is that our certificates are by this CNAME i.e. sip.xmppspark.in. So there is any way I could
  achieve that?
  Interestingly, does this restriction only applies to lync 2013 and office 365? I mean, I was going through some other forums, for lync 2010, where I found that people were using access edge fqdn as the sip srv record which was not necessarily sip.domain.com. 

• Access rule for Google Cloud Printer

  I want my user to access google doc, gmail account, google drive, and google cloud printer only but they dont get access to the google website.
  i make rule for it and block google search engine.
  after testing.
  google docx is accessing, gmail account is accessing and google drive is also accessing but i am not able to access google cloud printer. because google cloud printer is not a namespace
  so kindly help me out what should i do then what kind of rule i have to make so my user can also access google cloud printer. i dont want my client to access google search engine
  electrifying

  Hi,
  For this you can try creating a domain name set on the TMG server first. You can name the domain name set as "Google" for example. The entry in the domain set can be set to
  *.google.com  or the required domains . After that try creating an access rule with these properties:-
  1. From ---> Internal and Localhost
  2. To ---> Add the name of the created domain name set. (Google)
  Apply the changes and check if you are able to access the sites now.
  Check out this article : http://technet.microsoft.com/en-us/library/cc441706.aspx.
  Regards,
  Gijo

• Office 365 Lync Online / Skype For Business Journaling

  Hello, 
  From what I have found in my research, there is no way to journal Lync Online / Skype For Business IMs with Office 365.  Please correct me if I'm wrong.  Is anyone doing this by way of workaround or 3rd part product?  
  Thanks in advance. 
  This topic first appeared in the Spiceworks Community

  Thanks for the clear dialogue and responses.
  I want upgrade from Skype to Skype for Business, BUT want to retain my Skype ID (which is printed on my business cards) and existing contact connections.
  My situation is similar to Jim Carpenter's, in that I've used Skype for years.  I have it linked to my old Microsoft account that I'd set up for the old SkyDrive (now OneDrive) product. When I bought Office 365 Business Premium (includes Skype for Business), it necessitated creating a second Microsoft ID using the suffix [e-mail removed for privacy and security] to set up my new business account. That is a different login than my existing Skype login tied to the original MS account, and the new one not only accesses the MS programs, it accesses Exchange, through which I run Outlook calendar and contacts.
  So, are these the steps I should take?
  Unlink my existing Skype account
  then uninstall Skype
  then install Skype for Business
  I would guess that there would need to be a re-linking step of some sort, too, but I'm unclear on this.  Guidance?
  Please confirm that is the best path.  Will this process allow me to migrate the Skype ID and contacts to the business app?
  Thanks much.