This section describes how to configure security for Office Communications Server 2007 Edge Services.

Tasks

  1. Enable Remote User Access
  2. Configure Accepted SIP Domains with a Wildcard Value
  3. Configure Call Detail Records (CDR)
  4. Enable UPN Logon
  5. Configure Audio/Video Conferencing and Web Conferencing Policies
  6. Add Contact Tenant Isolation
  7. Disable Non-Contacts Presence Information Display
  8. Enable Address Book Isolation
  9. Configure Basic Authentication on the External Address Book Website
  10. Enable Redirection on the External Address Book Website
  11. Test External Client login using Office Communicator 2007

Enable Remote User Access

Procedure W03-DWHO.59: To enable remote user access

  1. Log on to OCSEDGEAV01 with the local Administrator account.

  2. Open the Computer Management console, and then expand Services and Applications.

  3. Right-click Microsoft Office Communications Server 2007 and click Properties.

  4. On the Access Methods tab, clear the Federate with other domains check box and select the following check boxes:

    • Allow remote user access to your network
    • Allow anonymous users to join meetings
    • Allow remote users to communicate with federated contacts

Configure Accepted SIP Domains with a Wildcard Value

Procedure W03-DWHO.60: To configure accepted SIP domains with a wildcard value

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.

  2. Right-click the Forest node and select Properties | Global Properties.

  3. On the General tab, click Add.

  4. Enter the "*" wildcard character, and then complete the configuration.

Configure Call Detail Records (CDR)

Procedure W03-DWHO.61: To configure call detail records (CDR)

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.

  2. Right-click the Forest node and select Properties | Global Properties.

  3. On the Call Detail Records tab, select the following check boxes:

    • Peer-to-Peer call details
    • Conferencing call details
    • Voice call details

Enable UPN Logon

By default, Office Communications Server 2007 supports both NTLM and Kerberos logon, with Kerberos as the default. For UPN logon to work as expected, the pool must be configured for NTLM only. Note that this turns Kerberos off for every client of the pool, not only for external ones; remote users signing in through the Access Edge Server cannot reach a domain controller and authenticate with NTLM in any case. The setting is configured once per pool as follows:

Procedure W03-DWHO.62: To enable UPN logon

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.

  2. Navigate to Forest/ Enterprise pools/ OCSPool01. Right click on the Front Ends node and select Properties.

  3. On the Authentication tab, select NTLM from the drop down list.

Configure Audio/Video Conferencing and Web Conferencing Policies

Office Communications Server 2007 allows Voice and Meeting policies to be applied either per forest (a single global policy) or per user. By default both use the global policy, and anonymous participants in meetings are disabled. In an HMC environment different services will likely be offered to different businesses, so each user must be configured with the correct settings individually. To change the default behavior, make the following changes.

Procedure W03-DWHO.63: To configure Audio/Video Conferencing and Web Conferencing policies

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.

  2. Right-click the Forest node and select Properties | Global Properties.

  3. On the Meetings tab, change the Anonymous Participants setting to Enforce per user. Change the Global Policy setting to Use per User Policy.

  4. Right-click the Forest node and select Properties | Voice Properties.

  5. On the Policy tab, change the Global policy setting to Use per User Policy.

Add Contact Tenant Isolation

Note:
Once this step is complete you will no longer be able to use the Installation Wizard, because domain preparation will be reported as partial. You can still use the command-line installation tool (LcsCmd.exe) to install components as needed.

Procedure W03-DWHO.64: To add contact tenant isolation

  1. On AD01, run Active Directory Users and Computers and expand your domain. Ensure that Advanced Features is enabled on the View menu, otherwise the Security tab is not shown.

  2. Open the Properties of the domain, and on the Security tab click Advanced. Remove the following rights:

     User                 Permission                     Applies to
     -------------------  -----------------------------  ----------
     Authenticated Users  Read RTCUserSearchPropertySet  Users
     Authenticated Users  Read RTCUserSearchPropertySet  Contacts
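
The two access control entries above are easy to miss in the Advanced Security Settings dialog and just as easy to leave behind on a second domain. The following PowerShell script is an added example, not part of the HMC guide, that finds them by resolving the RTCUserSearchPropertySet GUID from the schema and, when run with -Remove, deletes exactly those entries from the domain root. It assumes it runs on AD01 as a domain administrator and that the ACEs sit on the domain object, as the procedure above implies; it does not touch ACEs on individual OUs.

```powershell
# Added example, not part of the HMC guide: list (and with -Remove, delete) the
# default OCS ACEs that let Authenticated Users read RTCUserSearchPropertySet on
# user and contact objects across the domain. Run on AD01 as a domain admin.
# Assumes the ACEs live on the domain root object, as the procedure above implies.
param([switch]$Remove)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Resolve the property set's GUID from the Extended-Rights container rather than
# hard-coding it; displayName is the name ADUC shows in the permissions dialog.
function Get-RightsGuid([string]$displayName) {
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$configDn")
    $s.Filter = "(&(objectClass=controlAccessRight)(displayName=$displayName))"
    $r = $s.FindOne()
    if (-not $r) { throw "Extended right '$displayName' not found; has OCS schema prep been run?" }
    [Guid]$r.Properties['rightsGuid'][0]
}

# Resolve the schemaIDGUID of an object class (stored in AD as an octet string).
function Get-SchemaIdGuid([string]$ldapDisplayName) {
    $s = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaDn")
    $s.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))"
    $r = $s.FindOne()
    New-Object Guid -ArgumentList @(,[byte[]]$r.Properties['schemaIDGUID'][0])
}

$propSet    = Get-RightsGuid 'RTCUserSearchPropertySet'
$userGuid   = Get-SchemaIdGuid 'user'
$contactGuid = Get-SchemaIdGuid 'contact'
$authUsers  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users

$domain = [ADSI]"LDAP://$domainDn"
$acl    = $domain.psbase.ObjectSecurity
$hits   = @($acl.GetAccessRules($true, $false, [Security.Principal.SecurityIdentifier]) | Where-Object {
    $_.IdentityReference -eq $authUsers -and
    $_.ObjectType -eq $propSet -and
    (($_.ActiveDirectoryRights -band [DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
    ($_.InheritedObjectType -eq $userGuid -or $_.InheritedObjectType -eq $contactGuid)
})

if (-not $hits) { 'No matching ACEs on the domain root: tenant isolation is already in place.'; return }
foreach ($ace in $hits) {
    $scope = 'contact'
    if ($ace.InheritedObjectType -eq $userGuid) { $scope = 'user' }
    "Authenticated Users : {0} RTCUserSearchPropertySet, applies to {1} objects" -f $ace.ActiveDirectoryRights, $scope
    if ($Remove) { $acl.RemoveAccessRuleSpecific($ace) }
}
if ($Remove) {
    $domain.psbase.CommitChanges()
    'Removed. Re-run without -Remove to confirm nothing is left.'
}
```

Run it once without -Remove to see what would go, then with -Remove; a second run without the switch should report nothing left. Because the script matches on the property-set GUID and the inherited object class rather than on display strings, it does not depend on the dialog's localized text.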

Disable Non-Contacts Presence Information Display

This procedure ensures that users who are not in a user's contact list cannot view that user's presence information.

Procedure W03-DWHO.65: Disable non-contacts presence information display

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.

  2. Right-click the Forest node and select Properties | Global Properties.

  3. On the Users tab, clear the Enable users to view presence information for non-contacts check box.

Enable Address Book Isolation

Procedure W03-DWHO.66: To enable Address Book Isolation

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator.

  2. Download and install the Office Communications Server 2007 Resource Kit onto OCSPOOLFE01.

  3. Run ABSConfig.exe from the installation directory for the Office Communications Server 2007 Resource Kit (by default, \Program Files\Microsoft Office Communications Server 2007\ResKit).

  4. On the Configure WMI tab, select Partition ABS data by Organizational Unit and create individual ABS files per OU.

Configure Basic Authentication on the External Address Book Website

Procedure W03-DWHO.67: To Configure Basic Authentication on the External Address Book Website

  1. Log on to OCSPOOLWEB01 as Fabrikam\Administrator, and start the Internet Information Services (IIS) Manager.

  2. Navigate to Web Sites/Default Web Site/Abs.

  3. Right-click the Ext virtual directory, and click Properties.

  4. On the Directory Security tab, under Authentication and access control, click Edit.

  5. Clear the Integrated Windows Authentication check box. Select Basic authentication. At the warning prompt, click Yes. Basic authentication sends the password base64-encoded rather than encrypted, so this virtual directory must only be reachable over SSL.

  6. In the Default Domain field, enter a backslash "\"

  7. If you are prompted with the Inheritance Overrides dialog box, click Select All, and then click OK.

Enable Redirection on the External Address Book Website

The Address Book Web site uses the /Handler virtual directory to look up the credentials of the incoming user request, determine which Active Directory organizational unit (OU) the user belongs to, and then redirect the connection to the correct subdirectory, so that the client retrieves the address book for its own organization only. Redirection is disabled by default; in this procedure you will enable it.

Procedure W03-DWHO.68: To enable redirection on the external Address Book Website

  1. Log on to OCSPOOLWEB01 as Fabrikam\Administrator.

  2. Open Windows Explorer and navigate to C:\Program Files\Microsoft Office Communications Server 2007\Web Components\Address Book Files\Ext\Handler.

  3. Open web.config with a text editor.

  4. Under <appSettings>, modify the value of the redirect key to true. For example:

    <appSettings> 
    	<add key="redirect" value="true"/> 
    </appSettings>
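
Procedures W03-DWHO.67 and W03-DWHO.68 are two halves of the same hardening step: the handler can only place a request in the right tenant directory if the site has authenticated the caller, and Basic authentication is only safe behind SSL. The following PowerShell script is an added example, not part of the HMC guide, that applies both changes from a prompt on OCSPOOLWEB01 and refuses to pass silently when SSL is not required. It assumes IIS 6, the Default Web Site as metabase site 1 (the path W3SVC/1/ROOT/Abs/Ext), and the default OCS installation path for web.config; adjust both if your deployment differs.

```powershell
# Added example, not part of the HMC guide: apply the external Address Book changes
# (Basic-only authentication on /Abs/Ext and the redirect switch in the Handler's
# web.config) from a PowerShell prompt on OCSPOOLWEB01. Assumes IIS 6, the Default
# Web Site as metabase site 1 (W3SVC/1), and the default OCS install path.
$extPath   = 'IIS://localhost/W3SVC/1/ROOT/Abs/Ext'
$webConfig = 'C:\Program Files\Microsoft Office Communications Server 2007\Web Components\Address Book Files\Ext\Handler\web.config'

$ext = [ADSI]$extPath

# AuthFlags is a bitmask: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows.
# Writing exactly 2 clears Integrated Windows and leaves Basic, matching the GUI steps.
# DefaultLogonDomain '\' makes IIS use the local machine's domain for bare user names.
$ext.Put('AuthFlags', 2)
$ext.Put('DefaultLogonDomain', '\')
$ext.SetInfo()

# Basic authentication sends the password base64-encoded, i.e. in the clear, so the
# virtual directory must require SSL (AccessSSLFlags bit 8 = AccessSSL). The property
# is inherited, so reading it here reflects whatever the site or /Abs sets.
$sslFlags = [int]$ext.AccessSSLFlags
if (($sslFlags -band 8) -eq 0) {
    Write-Warning "$extPath does not require SSL; Basic credentials would cross the network unencrypted."
} else {
    "SSL is required on $extPath (AccessSSLFlags = $sslFlags)"
}

# Flip the redirect key in the Handler's web.config. Fail loudly if the key is absent
# rather than inventing one; ASP.NET reloads the application when the file changes.
[xml]$cfg = Get-Content -Path $webConfig
$redirect = @($cfg.configuration.appSettings.add) | Where-Object { $_.key -eq 'redirect' }
if (-not $redirect) { throw "No <add key=`"redirect`"> under <appSettings> in $webConfig" }
$redirect.value = 'true'
$cfg.Save($webConfig)
"$webConfig : redirect = $($redirect.value)"
```

After running it, the Directory Security tab of the Ext virtual directory should show only Basic authentication selected with the Default domain set to "\", and the web.config should match the fragment above. If the script warns about SSL, set Require secure channel (SSL) on the site before exposing it through the reverse proxy.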
    

Test External Client login using Office Communicator 2007

In this section you will run Microsoft Office Communicator 2007 from a client computer and log on to Office Communications Server 2007 via the Access Edge Server.

Note:
External Microsoft Office Communicator 2007 clients require the Access Edge Server to present a certificate issued by a root certification authority that the client trusts in order to log on to Office Communications Server 2007 via the Access Edge Server.

Procedure W03-DWHO.69: To install the Communicator client

  1. Log on to an external client computer which uses DNS01 for name resolution.

  2. Install the Microsoft Office Communicator 2007 client, accepting all defaults.

Procedure W03-DWHO.70: To enable the Administrator account for Office Communications Server 2007

  1. Log on to OCSPOOLFE01 as Fabrikam\Administrator.

  2. Open Active Directory Users and Computers by running dsa.msc at a command prompt.

  3. In the Users container, double-click the Administrator account.

  4. On the Account tab, set a UPN logon name for the administrator by entering administrator in the User logon name field, and then use the drop-down box to select @fabrikam.com.

  5. On the Communications tab, select Enable user for Office Communications Server.

  6. Accept the default sign-in name sip:Administrator@fabrikam.com.

  7. Select OCSPool01.fabrikam.com in the Server or pool drop-down list.

  8. Ensure that enhanced presence and remote user access are enabled.

Procedure W03-DWHO.71: To Sign in to Office Communications Server 2007 as an external client using Office Communicator 2007

  1. On the external client computer that uses DNS01 for name resolution, run Microsoft Office Communicator 2007.

  2. Set your sign-in address to administrator@fabrikam.com.

  3. Set sip.consolidatedmessenger.com as the external server name or IP address.

  4. Set the communicator client to connect to Office Communications Server via TLS.

  5. Sign in to Office Communications Server 2007.
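
When the sign-in above fails, Communicator gives little more than a generic error, and the note earlier in this section names the usual cause: a certificate the client does not trust. The following PowerShell script is an added example, not part of the HMC guide, to run on the external client before or after the sign-in attempt. It checks the three things the TLS connection depends on: that sip.consolidatedmessenger.com resolves through DNS01, that a TLS handshake completes, and that the presented certificate chains to a root this client trusts and carries the name the client connected to. It assumes the remote-user listener is on TCP 443 (the Access Edge default) and PowerShell 2.0 or later for the callback delegate.

```powershell
# Added example, not part of the HMC guide: from the external client, check DNS,
# the TLS handshake, certificate trust and the certificate name for the Access Edge.
# Assumes the remote-user listener is on TCP 443 (the Access Edge default).
$edge = 'sip.consolidatedmessenger.com'
$port = 443

$addresses = [Net.Dns]::GetHostAddresses($edge)
"DNS    : $edge -> $($addresses -join ', ')"

$tcp = New-Object Net.Sockets.TcpClient($edge, $port)
# Accept anything during the handshake so the certificate can be inspected; the real
# verdict comes from the X509Chain build below, not from this callback.
$acceptAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }
$tls = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $tls.AuthenticateAsClient($edge)
    "TLS    : negotiated $($tls.SslProtocol) with $($tls.CipherAlgorithm)"
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
} finally {
    $tls.Close(); $tcp.Close()
}

"Subject: $($cert.Subject)"
"Issuer : $($cert.Issuer)"
"Valid  : $($cert.NotBefore) to $($cert.NotAfter)"

# Build the chain against this client's own trust store, which is what Communicator
# does. Revocation is set to NoCheck so that an unreachable CRL does not mask a
# trust problem; switch to Online to test CRL reachability separately.
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain  : OK, trusted root = $($root.Subject)"
} else {
    "Chain  : FAILED - " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}

# The certificate must carry the name the client connected to, here
# sip.consolidatedmessenger.com, not the SIP domain fabrikam.com.
$dnsName = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
if ($dnsName -eq $edge -or $san -match [regex]::Escape($edge)) {
    "Name   : OK ($dnsName)"
} else {
    "Name   : MISMATCH, certificate is for '$dnsName' $san"
}
```

A chain failure with "UntrustedRoot" in the status text means the issuing CA is not in the client's Trusted Root Certification Authorities store, which is exactly the condition the note above describes; a name mismatch means the certificate was issued for a different FQDN than the one configured as the external server name in step 3.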