Managing federation and external access to Skype for Business Server

Deploying an Edge Server or Edge pool is the first step to supporting external users. For details about deploying Edge Servers, see Deploy Edge Server in Skype for Business Server.

After installing and configuring your internal deployment of Skype for Business Server, internal users in your organization can collaborate with other internal users who have SIP accounts in your Active Directory Domain Services (AD DS). Collaboration can include sending and receiving instant messages, updating presence status, and participating in conferences (also known as "meetings"). You enable and configure external user access to control whether supported external users can collaborate with internal Skype for Business Server users. External users can include remote users of your deployment, federated users (including supported users of public instant messaging (IM) service providers), and anonymous participants in conferences.

If your deployment includes a Skype for Business Server Edge Server or an Edge pool, the scope of possible communication types is greatly expanded. There are many options for external user access, communication with members of other SIP federated domains, and SIP federated providers. After setting up the Edge Server or Edge pool, you enable the external user access types and configure policies to control external access. In Skype for Business Server, you enable and configure external user access and policies using the Skype for Business Server Control Panel, the Skype for Business Server Management Shell, or both.

Important

When you design your configuration and policies for external user access, you must understand the precedence of policies and how the policies are applied. Skype for Business Server policy settings that are applied at one policy level can override settings that are applied at another policy level. Skype for Business Server policy precedence is: User policy (most influence) overrides a Site policy, and then a Site policy overrides a Global policy (least influence). This means that the closer the policy setting is to the object that the policy is affecting, the more influence it has on the object.

By default, no policies support external user access (including remote user access and federated user access), even if you've already enabled external user access support for your organization. To control the use of external user access, you must configure one or more policies. In the following policies, you specify the type of external user access that's supported:

  • Global policy: The global policy is created when you deploy your Edge Servers. By default, no external user access options are enabled in the global policy. To support external user access at the global level, you configure the global policy to support one or more types of external user access. The global policy applies to all users in your organization, but site policies and user policies override the global policy. If you delete the global policy, it is not removed; instead, it is reset to its default settings.

  • Site policy: You can create and configure one or more site policies to limit support for external user access to specific sites. The configuration in the site policy overrides the global policy, but only for the specific site that's covered by the site policy. By default, a site policy is applied to all users in that site, but user policies override the site policy settings.

  • User policy: You can create and configure one or more user policies to limit support for remote user access to specific users. The configuration in the user policy overrides the global and site policy, but only for the specific users that the policy is assigned to. If you create a user policy, you must apply it to one or more users before it takes effect.
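The precedence rule above (user policy, then site policy, then global) determines which single external access policy actually governs a given user. The following audit script is an added example, not code from the Microsoft page: it runs in the Skype for Business Server Management Shell and reports, for every enabled user, which policy is in effect and what that policy permits. The cmdlets and the `EnableOutsideAccess`, `EnableFederationAccess` and `EnablePublicCloudAccess` properties are the real ones; mapping a user's registrar pool to its site through the `Pools` property of `Get-CsSite`, and the `Get-EffectiveExternalAccessPolicy` function name, are assumptions made for this example.

```powershell
# Added audit example (not from the Microsoft page): resolve the effective
# external access policy per user using the precedence User > Site > Global.
# Assumes the Skype for Business Server Management Shell. The site-to-pool
# lookup via Get-CsSite's Pools property is an assumption for this example.

$globalPolicy = Get-CsExternalAccessPolicy -Identity Global
$sites        = Get-CsSite

# Index every policy by its identity ("Global", "Site:<name>", "Tag:<name>")
$policies = @{}
Get-CsExternalAccessPolicy | ForEach-Object { $policies[[string]$_.Identity] = $_ }

function Get-EffectiveExternalAccessPolicy {
    param($User)

    # 1. A per-user policy has the most influence when one has been granted
    if ($User.ExternalAccessPolicy) {
        $name = ([string]$User.ExternalAccessPolicy) -replace '^Tag:', ''
        if ($policies.ContainsKey("Tag:$name")) { return $policies["Tag:$name"] }
    }

    # 2. Otherwise the policy of the site that owns the user's registrar pool
    $poolFqdn = [string]$User.RegistrarPool
    foreach ($site in $sites) {
        if ($site.Pools -contains $poolFqdn) {
            $siteName = ([string]$site.Identity) -replace '^Site:', ''
            if ($policies.ContainsKey("Site:$siteName")) { return $policies["Site:$siteName"] }
        }
    }

    # 3. Finally the global policy, which has the least influence
    return $globalPolicy
}

# One row per enabled user: which policy applies and what it grants.
# Reviewing this output is the quickest way to spot users who can reach
# federated or public providers without anyone having intended it.
Get-CsUser -Filter { Enabled -eq $true } | ForEach-Object {
    $p = Get-EffectiveExternalAccessPolicy -User $_
    [pscustomobject]@{
        User            = $_.SipAddress
        EffectivePolicy = [string]$p.Identity
        RemoteAccess    = $p.EnableOutsideAccess
        Federation      = $p.EnableFederationAccess
        PublicCloud     = $p.EnablePublicCloudAccess
    }
} | Sort-Object EffectivePolicy, User | Format-Table -AutoSize
```

Because a user policy replaces the site and global policies outright rather than merging with them, a single granted user policy is enough to widen (or narrow) that user's external reach regardless of what the site or global policy says; the report makes that final result visible per user.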

To determine which configuration settings and which policies you need to create or edit, refer to the following decision points:

Do you want to allow internal and external users of your domain to be able to collaborate using instant messaging, Web conferencing, and Audio/Video?

Configure the settings as detailed in the topics Configure policies to control remote user access, and Enable or disable federation and public IM connectivity.

Do you want to allow anonymous users to attend and be invited to conferences hosted by users in your deployment?

Configure the settings as detailed in the topics Assign conferencing policies to support anonymous users and Create conferencing policies.

Do you want to allow users to communicate with SIP Federated Domain contacts?

Configure the settings as detailed in the topics Configure policies to control federated user access, Enable or disable federation and public IM connectivity, and Manage SIP federated domains for your organization.

If you have enabled communication with SIP Federated Domains, do you want to enable SIP Federation automatic discovery?

Configure the settings as detailed in the topic Enable or disable discovery of federation partners.

If you have enabled communication with SIP Federation Domains, do you want to enable sending a disclaimer to Federated contacts notifying them that you use archiving and that communications may be archived?

Configure the settings as detailed in the topic Enable or disable sending an Archiving disclaimer to federated partners in.

Do you want to allow users to communicate with SIP Federated Providers that enable communication with public providers?

Configure the settings as detailed in the topics Configure policies to control public user access, Enable or disable federation and public IM connectivity, and Create or edit public SIP federated providers.

Do you want to allow users to communicate with SIP Federated Providers that are hosted providers running Microsoft 365 or Office 365 and Skype for Business Online?

Configure the settings as detailed in the topics Enable or disable federation and public IM connectivity and Create or edit hosted SIP federated providers.

Is your deployment configured in a split (also known as a hybrid) domain, where some users have their home server in an on-premises deployment, and other users are configured with a home server in an online environment?

Configure the settings as detailed in the topics Configure policies to control federated user access, Enable or disable federation and public IM connectivity, and Create or edit hosted SIP federated providers.

You can configure external user access settings even if you haven't enabled external user access for your organization. However, the policies and other settings that you configure are in effect only when you have external user access enabled for your organization. External users can't communicate with your users when external user access is disabled or if no external user access policies are configured to support it.
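Since policies only take effect once the matching organization-level switch is on, it is worth checking both layers together. The following script is an added example, not code from the Microsoft page: it reads the organization-level edge settings with `Get-CsAccessEdgeConfiguration` and flags any external access policy that grants an access type the organization has not yet enabled. Those policies are dormant today but become live as soon as the organization-level switch is turned on, so they deserve the same review as active ones. The cmdlets and property names are the real ones; the script is assumed to run in the Skype for Business Server Management Shell.

```powershell
# Added example (not from the Microsoft page): compare organization-level
# edge switches with the per-policy grants that depend on them.
# Assumes the Skype for Business Server Management Shell.

$edge = Get-CsAccessEdgeConfiguration

# Organization-level switches that gate the corresponding policy settings
$orgSwitches = [ordered]@{
    'Remote user access (AllowOutsideUsers)'          = $edge.AllowOutsideUsers
    'Federation (AllowFederatedUsers)'                = $edge.AllowFederatedUsers
    'Anonymous conferencing (AllowAnonymousUsers)'    = $edge.AllowAnonymousUsers
    'Partner discovery (EnablePartnerDiscovery)'      = $edge.EnablePartnerDiscovery
    'Archiving disclaimer (EnableArchivingDisclaimer)' = $edge.EnableArchivingDisclaimer
}
$orgSwitches.GetEnumerator() | ForEach-Object { '{0,-52} {1}' -f $_.Key, $_.Value }

# A policy that allows an access type the organization has disabled is a
# latent grant: it does nothing now, but takes effect the moment the
# organization-level switch is enabled. Surface those so they get reviewed.
Get-CsExternalAccessPolicy | ForEach-Object {
    $id = [string]$_.Identity
    if ($_.EnableFederationAccess -and -not $edge.AllowFederatedUsers) {
        Write-Warning "$id allows federated access, but AllowFederatedUsers is False at the organization level"
    }
    if ($_.EnableOutsideAccess -and -not $edge.AllowOutsideUsers) {
        Write-Warning "$id allows remote user access, but AllowOutsideUsers is False at the organization level"
    }
    if ($_.EnablePublicCloudAccess -and -not $edge.AllowFederatedUsers) {
        Write-Warning "$id allows public provider access, but AllowFederatedUsers is False at the organization level"
    }
}

# Turning on the organization-level switches is a separate, deliberate step,
# for example: Set-CsAccessEdgeConfiguration -AllowOutsideUsers $true
# Run the review above first so that enabling the switch activates only the
# policy grants you expect.
```

Run the check whenever the organization-level configuration is about to change; the warnings list exactly which policy grants will go live, and for which policy scopes, once the switch is flipped.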

Your edge deployment authenticates the types of external users and controls access based on how you configure your edge support. The exception to this rule is anonymous users, who are authenticated by the conference ID and a passkey that is sent to the anonymous participant when you create the conference and invite participants. To control communication, you can configure one or more policies that define how users inside and outside your organization communicate with each other. The policies and settings include the default global policy, site policies, and user policies that you can create and configure.