I was unable to federate a Lync installation. I kept getting a 504 error as seen below.
The source of the problem was actually two things. The first was that outbound port 5060 was blocked by the firewall on the Lync Edge server. Once that port was opened, I got a successful response when I ran
Test-CsFederatedPartner -TargetFqdn lyncedge.addomain.local -Domain push.lync.com
(side note: I previously had this configured using the instructions found here.)
A successful response looks like this
After that, I had some external domains (that I knew were lync open federated) work and some did not. The one that did not appeared to have the same 504 error.
Upon further investigation with logging on the edge server and using snooper, I found this:
It turns out that this destination domain is configured with a go-daddy certificate (YUCK!!!)
Since Windows 2008 R2 does not have these roots installed on it, I found this error when I went to this URL: https://certs.godaddy.com/anonymous/repository.pki
See the Red Warning on the cert?
That’s because the ROOT cert is not installed on the edge server.
Looking at the details on the root cert I see this:
The root cert to download is the first link on the website, the one whose thumbprint ends in “EE E4”.
From there, you open the local computer certificate mmc, and install it… see the following images
Now that it is installed, I verify the thumbprint.
All looks good.
And the test of federation to this external domain works
So in summary, the error had two causes: port 5060 outbound was being blocked, and the edge server did not have the destination domain's root certificate installed. (Just one more reason in a long list I have to not do business with go-daddy.)
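The two checks above (outbound SIP port reachable, partner root CA present in the Local Computer Trusted Root store) can be scripted so they are verified before re-running Test-CsFederatedPartner. This is an added example, not code from the original post; the partner edge FQDN, partner SIP domain, full root thumbprint and .cer path are placeholders, since the post only shows the thumbprint's last bytes.

```powershell
# Added example (not from the original post): pre-flight checks for the two failure
# causes described in the post, written to run on Windows Server 2008 R2 / PowerShell 2.0
# (so no Test-NetConnection, Resolve-DnsName or Import-Certificate).
$PartnerEdge    = 'sip.partner-example.invalid'   # hypothetical: partner's Access Edge FQDN
$PartnerDomain  = 'partner-example.invalid'       # hypothetical: partner's SIP domain
$RootThumbprint = 'REPLACE-WITH-FULL-40-HEX-THUMBPRINT'  # post only shows the tail "EE E4"
$RootCerPath    = 'C:\temp\partner-root.cer'      # hypothetical: where the root .cer was saved

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Plain TCP connect with a timeout; a blocked firewall port shows up as a failure here.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-RootCertInstalled {
    param([string]$Thumbprint)
    # Store thumbprints have no spaces and are upper-case hex; normalise the input the same way.
    $tp = ($Thumbprint -replace '\s', '').ToUpper()
    return [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp })
}

# 1. Outbound SIP ports: 5060 is the one the post found blocked; 5061 is the SIP/TLS port.
foreach ($p in 5060, 5061) {
    $ok = Test-OutboundTcp -HostName $PartnerEdge -Port $p
    Write-Host ("Outbound TCP {0} to {1}: {2}" -f $p, $PartnerEdge, $(if ($ok) { 'open' } else { 'BLOCKED' }))
}

# 2. Partner root CA present in the Local Computer Trusted Root store? Install it if not
#    (certutil exists on 2008 R2; this needs an elevated prompt).
if (-not (Test-RootCertInstalled $RootThumbprint)) {
    Write-Host 'Root CA missing; importing into LocalMachine\Root'
    & certutil.exe -addstore Root $RootCerPath | Out-Null
}
Write-Host ("Root CA installed: {0}" -f (Test-RootCertInstalled $RootThumbprint))

# 3. Re-run the federation test from the post once both prerequisites hold.
Test-CsFederatedPartner -TargetFqdn lyncedge.addomain.local -Domain $PartnerDomain
```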