This section describes how to configure security for Office Communications Server 2007 Edge Services.
Tasks
- Enable Remote User Access
- Configure Accepted SIP Domains with a Wildcard Value
- Configure Call Detail Records (CDR)
- Enable UPN Logon
- Configure Audio/Video Conferencing and Web Conferencing
Policies
- Add Contact Tenant Isolation
- Disable Non-Contacts Presence Information Display
- Enable Address Book Isolation
- Configure Basic Authentication on the External Address Book
Website
- Enable Redirection on the External Address Book
Website
- Test External Client login using Office Communicator
2007
Enable Remote User Access
Procedure W03-DWHO.59: To enable remote user access
-
Log on to OCSEDGEAV01 with the local Administrator account.
-
Open the ComputerManagement console, and then expand Services and Applications.
-
Right-click Microsoft Office Communications Server 2007 and click Properties.
-
On the Access Methods tab, clear the Federate with other domains check box and select the following check boxes:
- Allow remote user access to your network
- Allow anonymous users to join meetings
- Allow remote users to communicate with federated
contacts
- Allow remote user access to your network
Configure Accepted SIP Domains with a Wildcard Value
Procedure W03-DWHO.60: To configure accepted SIP domains with a wildcard value
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.
-
Right-click the Forest node and select Properties | Global Properties.
-
On the General tab, click Add.
-
Enter the "*" wildcard character, and then complete the configuration.
Configure Call Detail Records (CDR)
Procedure W03-DWHO.61: To configure call detail records (CDR)
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.
-
Right-click the Forest node and select Properties | Global Properties.
-
On the Call Detail Records tab, select the following check boxes:
- Peer-to-Peer call details
- Conferencing call details
- Voice call details
- Peer-to-Peer call details
Enable UPN Logon
By default Office Communications Server 2007 supports both NTLM and Kerberos logon, with Kerberos as the default. To ensure that UPN logon works as expected, it is necessary to ensure that the server is configured for NTLM only. This is configured once per pool as follows:
Procedure W03-DWHO.62: To enable UPN logon
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.
-
Navigate to Forest/ Enterprise pools/ OCSPool01. Right click on the Front Ends node and select Properties.
-
On the Authentication tab, select NTLM from the drop down list.
Configure Audio/Video Conferencing and Web Conferencing Policies
Office Communications Server 2007 allows for either per user policies or per forest policies to be configured for both Voice and Meetings. The default setting for both of these is to support per forest settings and anonymous participants in a meeting is disabled. In a HMC environment it is likely that different services will be offered to different business and thus it is necessary to configure each user with the correct settings. To change the default behavior you will need to make the following changes.
Procedure W03-DWHO.63: To configure Audio/Video Conferencing and Web Conferencing policies
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.
-
Right-click the Forest node and select Properties | Global Properties.
-
On the Meetings tab, change the Anonymous Participants setting to Enforce per user. Change the Global Policy setting to Use per User Policy.
-
Right-click the Forest node and select Properties | Voice Properties.
-
On the Policy tab, change the Global policy setting to Use per User Policy.
Add Contact Tenant Isolation
Note: |
---|
Once this step is complete you will not be able to use the Installation Wizard as the domain preparation will be reported as partial. It is possible however to ensure the command line installation tool to install components as needed. |
Procedure W03-DWHO.64: To add contact tenant isolation
-
On AD01, run Active Directory Users and Computers and expand your domain. Note that you need to ensure you have "View Advanced Features" enabled.
-
Configure advanced security settings. Remove the following rights:
User
Permission
Applies to
Authenticated Users
Read RTCUserSearchPropertySet
Users
Authenticated Users
Read RTCUserSearchPropertySet
Contacts
Disable Non-Contacts Presence Information Display
This procedure ensures users who are not in the users contact list cannot view presence information.
Procedure W03-DWHO.65: Disable non-contacts presence information display
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator, and start the Office Communications Server 2007 management tool.
-
Right-click the Forest node and select Properties | Global Properties.
-
On the Users tab, clear the Enable users to view presence information for non-contacts check box.
Enable Address Book Isolation
Procedure W03-DWHO.66: To enable Address Book Isolation
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator.
-
Download and install the Office Communications Server 2007 Resource Kit onto OCSPOOLFE01.
-
Run ABSConfig.exe from the installation directory for the Office Communications Server 2007 Resource Kit (by default, \Program Files\Microsoft Office Communications Server 2007\ResKit).
-
On the Configure WMI tab, select Partition ABS data by Organizational Unit and create individual ABS files per OU.
Configure Basic Authentication on the External Address Book Website
Procedure W03-DWHO.67: To Configure Basic Authentication on the External Address Book Website
-
Log on to OCSPOOLWEB01 as Fabrikam\Administrator, and start the Internet Information Services (IIS) Manager.
-
Navigate to Web Sites/Default Web Site/Abs.
-
Right-click the Ext virtual directory, and click Properties
-
On the Directory Security tab, under Authentication and access control, click Edit.
-
Clear the Integrated Windows Authentication check box. Select Basic authentication. At the warning prompt, click Yes.
-
In the Default Domain field, enter a backslash "\"
-
If you are prompted with the Inheritance Overrides dialog box, click Select All, and then click OK.
Enable Redirection on the External Address Book Website
The Address Book Web site uses the /handlervirtual directory in order to look up the credentials of the incoming user request, determine which Active Directory Organizational Unit (OU) the users belongs in, and then redirects the connection to the correct subdirectory so the client can retrieve the correct address book for their organization. Redirection is disabled by default; in this procedure you will enable it.
Procedure W03-DWHO.68: To enable redirection on the external Address Book Website
-
Log on to OCSPOOLWEB01 as Fabrikam\Administrator.
-
Open Windows Explorer and navigate to C:\Program Files\Microsoft Office Communications Server 2007\Web Components\Address Book Files\Ext\Handler.
-
Open web.config with a text editor.
-
Under <appSettings>, modify the value of the redirect key to true. For example:
Copy Code <appSettings> <add key="redirect" value="true"/> </appSettings>
Test External Client login using Office Communicator 2007
In this section you will run Microsoft Office Communicator 2007 from a client computer and log on to Office Communications Server 2007 via the Access Edge Server.
Note: |
---|
External Microsoft Office Communicator 2007 clients require a trusted Certificate from a trusted root certificate authority in order to log on to Office Communications Server 2007 via the Access Edge Server. |
Procedure W03-DWHO.69: To install the Communicator client
-
Log on to an external client computer which uses DNS01 for name resolution.
-
Install the Microsoft Office Communicator 2007 client, accepting all defaults.
Procedure W03-DWHO.70: To enable the Administrator account for Office Communications Server 2007
-
Log on to OCSPOOLFE01 as Fabrikam\Administrator.
-
Open Active Directory Users and Computers by running dsa.msc at a command prompt.
-
In the Users container, double-click the Administrator account.
-
On the Account tab, set an UPN login for the administrator by entering administrator in the User Logon Name field, and then use the drop-down box to select @fabrikam.com.
-
On the Communications tab, select Enable user for Office Communications Server.
-
Accept the default sign-in name sip:Administrator@fabrikam.com.
-
Select OCSPool01.fabrikam.com in the Server or pool drop-down list.
-
Ensure enhanced presence and remote user access is enabled.
Procedure W03-DWHO.71: To Sign in to Office Communications Server 2007 as an external client using Office Communicator 2007
-
On to the external client computer which uses DNS01 for name resolution, run Microsoft Office Communicator 2007.
-
Set your sign sign-in address to administrator@fabrikam.com.
-
Set sip.consolidatedmessenger.com as the external server name or IP address.
-
Set the communicator client to connect to Office Communications Server via TLS.
-
Sign in to Office Communications Server 2007.