About Skype For Business/Lync Interruptions

Enabling SSL Interception on the ProxySG appliance causes service issues with Skype for Business and Microsoft Lync clients.

What Conditions Cause Skype for Business/Lync to Fail?

Whether Skype for Business or Lync client connections work or fail depends on the SGOS configuration, what is intercepted, and whether requests originate inside or outside the network. This applies not only to overall availability, but also to individual functions within the service/client.

Symptoms

  • Skype for Business clients are unable to log in to either Office 365 or the on-premises Lync Server.
  • Skype for Business clients are unable to join meetings hosted on the on-premises Lync Server/Office 365 cloud/Lync Server behind NAT.
  • Skype for Business clients are unable to join the meeting audio bridge; they can still attend by calling in through the desk phone or by opting not to be on the audio bridge.

The following conditions describe which symptoms occur under specific configurations.

Condition 1

When: 

  • SGOS: SSL Interception: On.
  • Client uses port 5061 but firewall blocks this port; the connection defaults to port 443.

The following occurs:

  • Skype for Business/Lync login fails.
  • Joining an externally-hosted meeting fails.

Condition 2

When:

  • SGOS: SSL Interception: On.
  • SGOS: Tunnel on Error: Off.
  • NAT exists between the clients and the Lync server.

The following might occur:

  • Joining a meeting might fail.
  • Media use within the meeting fails:

    • Skype for Business/Lync audio.
    • Skype for Business/Lync video.
    • Sharing desktop/application.

Technology Root Causes

  • Various Microsoft clients, such as Skype for Business and Outlook, now strictly enforce OCSP/CRL checks. SGOS did not include a CRL Distribution Point extension or an Authority Information Access (for OCSP) extension on the emulated certificates. This caused these Microsoft clients to abruptly terminate SSL/TLS handshakes and generate exceptions.
  • The Skype for Business client uses the Session Initiation Protocol (SIP) over SSL during the login phase. If SGOS is configured to intercept SSL traffic on port 443, errors occur because SIP is not understood.
  • Skype for Business clients use the Traversal Using Relay NAT (TURN) protocol (if UDP communication is blocked by the firewall) to determine the servers that provide audio functionality. The ProxySG appliance does not understand the Pseudo-TLS handshake.
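To check the first root cause on your own deployment, the added example below (not Symantec code) walks a DER structure and reports whether the CRL Distribution Point and Authority Information Access/OCSP extensions are present. The function names, the example.test URLs and the sample bytes are constructed for illustration; the same walk applies to a DER-encoded certificate captured from an intercepted session.

```python
CDP = bytes.fromhex("551d1f")             # 2.5.29.31 cRLDistributionPoints
AIA = bytes.fromhex("2b06010505070101")   # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OCSP = bytes.fromhex("2b06010505073001")  # 1.3.6.1.5.5.7.48.1 id-ad-ocsp

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2  # IndexError if cut short
    if length & 0x80:                     # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def collect_oids(buf):
    """Walk nested DER and return the set of encoded OIDs it contains."""
    found, pos = set(), 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == 0x06:                   # OBJECT IDENTIFIER
            found.add(value)
        elif tag & 0x20:                  # constructed: SEQUENCE, SET, [n]
            found |= collect_oids(value)
        elif tag == 0x04:                 # OCTET STRING: extnValue wraps more DER
            try:
                found |= collect_oids(value)
            except (ValueError, IndexError):
                pass                      # opaque bytes, e.g. a key identifier
    return found

def revocation_pointers(der):
    """Report which revocation-related extensions the DER structure carries."""
    oids = collect_oids(der)
    return {"crl_dp": CDP in oids, "aia": AIA in oids, "ocsp": OCSP in oids}

def tlv(tag, *parts):                     # tiny encoder (bodies < 128 bytes), samples only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def ext(oid, inner):                      # Extension ::= SEQUENCE { extnID, extnValue }
    return tlv(0x30, tlv(0x06, oid), tlv(0x04, inner))

# Constructed samples shaped like an X.509 Extensions field, not full certificates.
BASIC = ext(bytes.fromhex("551d13"), tlv(0x30))   # empty basicConstraints
CRL_EXT = ext(CDP, tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0,
              tlv(0x86, b"http://crl.example.test/ca.crl"))))))
AIA_EXT = ext(AIA, tlv(0x30, tlv(0x30, tlv(0x06, OCSP),
              tlv(0x86, b"http://ocsp.example.test"))))
BARE = tlv(0x30, BASIC)                   # no CDP, no AIA: the failing case
FIXED = tlv(0x30, BASIC, CRL_EXT, AIA_EXT)
print("bare:", revocation_pointers(BARE), "fixed:", revocation_pointers(FIXED))
```

A result with `crl_dp` and `ocsp` both false on an emulated certificate matches the condition described in the first bullet above.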

SGOS Fix

SGOS 6.5.9.15+ provides fixes (with some additional configuration) to allow Skype for Business and Lync clients to operate properly. See Skype for Business/Lync Fix: SGOS Configuration.

If you cannot install the recommended release (currently SGOS 6.5.10.x) at this time, Symantec provides a set of workaround instructions. See SfB/Lync Best Practices.
