A customer was having problems federating their Lync 2010 deployment with Office 365. When they searched for a Lync Online user they saw “Presence Unknown” and could not send instant messages, yet federation with other on-premises Lync organisations worked fine. They had Lync Online configured as a Hosted Provider with Partner Domain Discovery enabled (dynamic federation). Their _sipfederationtls._tcp DNS record was configured correctly, as was the Office 365 tenant's.
Using OCSLogger and Snooper on the Edge server I was able to spot the problem.
504 Server time-out
ms-diagnostics: 110;reason="Certificate trust with another server could not be established";ErrorType="The peer certificate does not contain a matching FQDN"
The next thing I checked was the certificate assigned to the External Edge interface, which turned out to be a wildcard certificate. From experience I know that Office 365 federation does not work unless the Edge certificate carries matching SAN entries: one for your SIP domain and one for the host named in your _sipfederationtls SRV record. The customer purchased a SAN certificate and Office 365/Lync Online federation now works.
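The check below is an added example written for this post, not code from the original article or from Microsoft. It reproduces the two-name rule stated above: given the SIP domain and the target host of the _sipfederationtls._tcp SRV record, it verifies that both names appear as exact DNS entries in the Edge certificate's SAN, and reports separately when a name is only covered by a wildcard (which satisfies a browser but not Lync federation). The certificate dictionaries and the contoso.com names are constructed sample data in the shape Python's ssl.SSLSocket.getpeercert() returns; fetch_peer_cert() is a stdlib helper you can point at your own Edge server's port 5061 once you have resolved the SRV record yourself (e.g. nslookup -type=SRV).

```python
import socket
import ssl


def required_federation_names(sip_domain, srv_target):
    """Names that must be present exactly (no wildcard) in the Edge cert SAN:
    the SIP domain itself and the host the _sipfederationtls SRV record points at."""
    return {sip_domain.lower().rstrip("."), srv_target.lower().rstrip(".")}


def san_dns_names(peercert):
    """Extract DNS entries from a getpeercert()-style dict."""
    return {value.lower().rstrip(".")
            for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"}


def wildcard_covers(wildcard, name):
    """True if a '*.example.com' SAN would cover name under ordinary TLS rules
    (exactly one extra label; the bare domain is never covered)."""
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[1:]  # ".example.com"
    if not name.endswith(suffix):
        return False
    left = name[:-len(suffix)]
    return bool(left) and "." not in left


def check_edge_certificate(peercert, sip_domain, srv_target):
    """Return which required names are missing as exact SAN entries, and which of
    those are only matched by a wildcard entry (the failure seen in this post)."""
    required = required_federation_names(sip_domain, srv_target)
    present = san_dns_names(peercert)
    missing = sorted(required - present)
    wildcards = [n for n in present if n.startswith("*.")]
    wildcard_only = sorted(n for n in missing
                           if any(wildcard_covers(w, n) for w in wildcards))
    return {"ok": not missing, "missing": missing, "wildcard_only": wildcard_only}


def fetch_peer_cert(host, port=5061, timeout=10):
    """Fetch the certificate an Edge server presents on its federation port.
    The default context validates the chain, so an untrusted cert raises an error
    rather than returning an empty dict. Assumed helper; not used offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (placeholder domain contoso.com), in the
# dictionary shape that ssl.SSLSocket.getpeercert() produces.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.contoso.com"),),),
    "subjectAltName": (("DNS", "*.contoso.com"),),
}
SAN_CERT = {
    "subject": ((("commonName", "sip.contoso.com"),),),
    "subjectAltName": (("DNS", "sip.contoso.com"),
                       ("DNS", "contoso.com"),
                       ("DNS", "webconf.contoso.com")),
}

if __name__ == "__main__":
    # SRV target assumed to be sip.contoso.com, as resolved from
    # _sipfederationtls._tcp.contoso.com.
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(label, check_edge_certificate(cert, "contoso.com", "sip.contoso.com"))
```

For the wildcard certificate the result lists both names as missing, with sip.contoso.com flagged as wildcard-only; the SAN certificate passes. The bare SIP domain is reported as missing outright because a wildcard never covers it, which is why a wildcard Edge certificate fails this check on both counts.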
Just one to watch out for, although it is interesting that federation with on-premises organisations and external user access both seemed to work with the wildcard cert. Microsoft states that a SAN certificate is required for Edge servers.
Links: Certificate requirements for external user access in Lync Server 2013: https://technet.microsoft.com/en-GB/library/gg398920.aspx