Protecting External Connectivity In OCS 2007

Last Friday on TechRepublic's "10 Things" blog, Brien Posey wrote about 10 Common Network Security Design Flaws.

The second flaw is “opening more firewall ports than necessary.” And what does he use as an example? OCS 2007 R2.

It's a very good example. As he states, OCS requires several ports to be opened in order to provide external connections to other networks. Without proper protection, those open ports are a risk to you. Ports left open (and not monitored) are little signposts saying, "Enter Here!"

(This only applies if you want to use external connections. If you're only interested in OCS for internal IM and Presence, you won't need to open those ports.)

Brien puts forth Microsoft Forefront as a good solution to the problem. Forefront's Threat Management Gateway is a firewall that can also act as a reverse proxy, filtering requests for access into and out of your network. At the risk of sounding too provider-loyal, it IS a natural fit. (If you use a hosted OCS provider, chances are Forefront is in place.)

In order to protect External Connectivity completely, though, you'll have to use the OCS Edge Server. There's an advantage to this: depending on how you want to communicate with others, you can enable only what you need. Each of the External Connectivity services requires a corresponding service enabled on the OCS Edge Server. According to Microsoft's TechNet, these are:

  • Access Edge service — Lets outside users communicate with your OCS using SIP.
  • Web Conferencing Edge service — Lets outside users participate in your conferences.
  • A/V Edge service — Lets you share audio and video with external users.

The TechNet page also gives links on how to administer these services:
Microsoft TechNet — Managing External Connectivity for Your Organization with Edge Servers
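As an added example (not code from the original post or from Microsoft), here is a PowerShell script that turns the "enable only what you need" rule into a check: it parses the Windows Firewall inbound rules on the Edge Server and reports every allow rule whose local port is not among the documented external ports of the Edge services you enabled. The port numbers are the standard OCS 2007 R2 Edge defaults and the service labels (AccessEdge, WebConferencingEdge, AVEdge) are my own; verify both against the TechNet port documentation for your topology before acting on the report.

```powershell
# Added example, not code from the original post or from Microsoft: audit the
# inbound Windows Firewall rules on an OCS 2007 R2 Edge Server against the
# external ports the Edge services you actually enabled need. Whatever else is
# allowed in is a candidate for closing. Needs PowerShell 2.0 (Windows Server
# 2008) and an elevated prompt.
#
# Port list: the documented external-interface defaults for the three Edge
# services. Assumption: verify them against the TechNet port table for your
# own topology before acting on the report.
$EdgeServicePorts = @{
    'AccessEdge'          = @('TCP/5061', 'TCP/443')
    'WebConferencingEdge' = @('TCP/443')
    'AVEdge'              = @('TCP/443', 'UDP/3478', 'TCP/50000-59999', 'UDP/50000-59999')
}

# Turns a protocol plus a port spec ('443' or '50000-59999') into a comparable
# range object. Returns nothing for 'Any', 'RPC' and other non-numeric specs.
function ConvertTo-PortRange([string]$Protocol, [string]$Spec) {
    if ($Spec -match '^(\d+)(?:-(\d+))?$') {
        $low  = [int]$matches[1]
        $high = if ($matches[2]) { [int]$matches[2] } else { $low }
        New-Object PSObject -Property @{ Protocol = $Protocol.ToUpper(); Low = $low; High = $high }
    }
}

# Parses 'netsh advfirewall firewall show rule name=all dir=in' (English
# Windows; the field names are localized on other language builds) into one
# hashtable per rule and keeps only the enabled Allow rules.
function Get-InboundAllowRules {
    $rules   = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($current) { $rules += $current }
            $current = @{ Name = $matches[1].Trim() }
        } elseif ($current -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

# Reports every enabled inbound Allow rule whose local port is not covered by
# the port ranges of the Edge services named in $EnabledServices.
function Get-UnneededOpenPorts([string[]]$EnabledServices) {
    $allowed = foreach ($service in $EnabledServices) {
        foreach ($entry in $EdgeServicePorts[$service]) {
            $protocol, $spec = $entry -split '/'
            ConvertTo-PortRange $protocol $spec
        }
    }
    foreach ($rule in Get-InboundAllowRules) {
        $portField = if ($rule.LocalPort) { $rule.LocalPort } else { 'Any' }
        foreach ($spec in ($portField -split ',')) {
            $spec  = $spec.Trim()
            $range = ConvertTo-PortRange $rule.Protocol $spec
            if ($range) {
                $covered = $allowed | Where-Object {
                    $_.Protocol -eq $range.Protocol -and $_.Low -le $range.Low -and $_.High -ge $range.High
                }
                if ($covered) { continue }
                $reason = 'not required by the enabled Edge services'
            } else {
                $reason = "local port '$spec' is not pinned to a port number"
            }
            New-Object PSObject -Property @{
                Rule = $rule.Name; Protocol = $rule.Protocol; LocalPort = $spec; Reason = $reason
            }
        }
    }
}

# Example: an Edge Server with only the Access Edge and A/V Edge services enabled.
Get-UnneededOpenPorts -EnabledServices 'AccessEdge', 'AVEdge' |
    Format-Table Rule, Protocol, LocalPort, Reason -AutoSize
```

Expect the Windows built-in rules (Core Networking, Remote Administration and the like) to show up in the report, since they are not Edge ports either; the output is a review list, not something to feed straight into a delete loop. Run the same check against your perimeter firewall's publishing rules for the Edge external interface, and schedule it, because the rules that drift open after deployment are exactly the ones "set it and forget it" never catches.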

I blogged about this because it's important to remember. Brien's #1 network security flaw was the "set it and forget it" mentality. Doing that with OCS can leave a lot of exploitable holes in your network. All of them preventable if you remember to protect External Connectivity: open only the ports the Edge services you actually enabled need, and keep checking that nothing else has crept open.

OCS Not Working? It May Be KB974571's Fault

A few days ago OCS 2007 users couldn't get online. Right after Patch Tuesday, OCS just refused to work. Why?

Turns out it's a bug with a new patch. KB974571, to be exact. Once it went live, it started blocking OCS and Live Communications Server installations, reporting that "the evaluation license has expired."

If this only happened to evaluation copies, that might make sense. (KB974571 is the Windows CryptoAPI update from security bulletin MS09-056, meant to fix a certificate spoofing problem.) However, like a well-meaning but overzealous mother, it disrupted full-version installs as well. Enough that Microsoft escalated the bug to a Known Issue.

Doug Deitterick at TechNet Blogs posted this warning last week: Do NOT Apply KB974571 to LCS/OCS Servers.

So if this all went down last week, why am I blogging about it today? It's because we're still receiving support calls. Apparently some offices were able to limp forward with partially-working OCS servers, unaware of KB974571's effect.

And also because the patch hasn't been fixed yet. Right now, uninstalling KB974571 is the only way to fix the problem. (OCS snaps right back when you do it, too.)

If your OCS 2007 and/or 2007 R2 hasn't worked since last week, check your server for KB974571's presence. If you have no communications capability, it's a safe bet that the patch is the problem. Uninstall it. Or call us to uninstall it, if you're in the San Francisco Bay Area.

Microsoft's KB article on this update (the corresponding security bulletin is MS09-056): http://support.microsoft.com/default.aspx/kb/974571
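As an added example (not code from the original post or from Microsoft), here is a PowerShell sweep that checks several LCS/OCS servers for KB974571 and lines that up with the state of the OCS service on each, so the "limping" servers mentioned above stand out. The server names are constructed, and the service name RTCSRV is my assumption for the Front-End service; confirm it with Get-Service on one of your servers.

```powershell
# Added example, not code from the original post or from Microsoft: sweep a
# list of LCS/OCS servers for KB974571 and show, next to it, whether the OCS
# service is running, so the servers that are limping along with the patch in
# place stand out. Queries WMI remotely, so it needs PowerShell 2.0 on the
# admin workstation, admin rights on each server and WMI/RPC reachability.
$HotFixId   = 'KB974571'
$OcsService = 'RTCSRV'   # assumption: the OCS Front-End service name; confirm with Get-Service on one of your servers

function Get-OcsPatchStatus([string[]]$ComputerName) {
    foreach ($server in $ComputerName) {
        try {
            # Win32_QuickFixEngineering is the same data 'wmic qfe' shows.
            $patch = Get-WmiObject Win32_QuickFixEngineering -ComputerName $server -ErrorAction Stop |
                Where-Object { $_.HotFixID -eq $HotFixId }
            $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='$OcsService'" -ErrorAction Stop
            $installed = [bool]$patch
            $state = if ($svc) { $svc.State } else { 'service not found' }
        } catch {
            $installed = $null
            $state = "query failed: $($_.Exception.Message)"
        }

        if ($installed -and $state -ne 'Running') {
            $action = 'uninstall KB974571, then start the service'
        } elseif ($installed) {
            $action = 'uninstall KB974571 before it bites'
        } elseif ($installed -eq $null) {
            $action = 'check connectivity / credentials and re-run'
        } else {
            $action = 'none'
        }

        New-Object PSObject -Property @{
            Server          = $server
            KB974571Present = $installed
            ServiceState    = $state
            Action          = $action
        }
    }
}

# Example run against constructed server names; replace them with your own.
Get-OcsPatchStatus -ComputerName 'ocsfe01', 'ocsfe02', 'ocsedge01' |
    Format-Table Server, KB974571Present, ServiceState, Action -AutoSize
```

Removal itself goes through Control Panel: Programs and Features, "View installed updates" on Windows Server 2008, or Add or Remove Programs with "Show updates" checked on Server 2003. Keep in mind what you are giving up: uninstalling KB974571 also removes the MS09-056 fix, so put the corrected update back on as soon as Microsoft ships one rather than leaving those servers on the old CryptoAPI indefinitely.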


If You Use OCS 2007, SQL Server or Windows Server 2008, Get the Latest Patches

Yesterday Microsoft released a big group of patches: 13 security bulletins covering 34 vulnerabilities, Microsoft's biggest Patch Day yet.

As far as I can tell, this update does not include patches for OCS itself. But it does patch Windows XP/Vista, Windows Server 2008, SQL Server, and Internet Information Services (IIS). All of which are important to OCS 2007's function. So I definitely recommend patching ASAP if you use OCS. Or even if you don't.

The Security Bulletin summary is available here: http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
It has full details on what software is affected, why, and how critical each patch is.

All of the patches are available on Microsoft Update. If you want to download them directly, you've got a few options:

  • Click the "Affected Software and Download Locations" subhead for a categorical listing. It's divided up by Windows System, Office Suites, Server Software, Developer Tools & Security Software. Locate the software you want to patch under its appropriate category and click the download link.
  • Click the “Detection and Deployment Tools and Guidance” subhead for links to two more options - the Download Center & the Update Catalog.
    • There's guidance on updating servers under there too.

Chances are if you use Microsoft servers, you already knew about this batch of patches. I highlighted it just in case it got lost/delayed in the shuffle. Server and database patches can prevent a lot of nasty things - like the server crashing and not waking back up. Let's skip that, shall we?


Time to Panic? OCS Users Can Talk with Gmail Users Now

A couple months ago I blogged on how to IM people on other networks from within OCS - MSN/Windows Live, AIM and Yahoo. But two other IM services were left off the list: Cisco's Jabber and Google Talk/Gmail.

At the time, OCS users couldn”t Instant Message Gmail users. Now they can.

Wait, users chatting with people on MORE Instant Messaging networks?! The horror! They won't get anything done! The office will spend all day sending bad jokes and silly cat pictures to each other!

Guess what? Microsoft just made it worse (better really, but doom-and-gloom attracts readers). And they did it for free!

Microsoft has released a new XMPP Gateway for Microsoft Office Communications Server 2007 R2. Download the Gateway here. Yes, it's a free download.

The OCS Team Blog has razor-sharp instructions on how to set up the new XMPP Gateway here:
Configuring XMPP Connectivity to Gmail
It requires a properly configured OCS 2007 R2 system, an Edge Server, and a server running Windows Server 2008 to host the gateway.

What does this gateway do?

The XMPP Gateway allows interoperability between your OCS 2007 R2 system, and user accounts on Gmail & Cisco's Jabber. In other words, you can add Gmail & Jabber users like you would any OCS contact in Office Communicator. See their current status with Presence, and send Instant Messages if they're available.

(This also means Office Communicator's logging capability will record your conversations. Which most IM networks don't do unless you specify. More on why this is handy later.)

Why install this at all? Won't it just distract employees even more?

Nope. In fact, I can think of two big reasons why being able to chat with Gmail & Jabber users is good. Before I list them though, I should clarify something about Gmail.

Recently Google added the ability to chat into Gmail's interface. (There's a FAQ page for it here.) This means everyone who has a Gmail account can IM other Gmail users right from Firefox/Internet Explorer.

Why is this important? Because the first advantage of installing the XMPP Gateway is…

1. It lets you chat with clients & partners who don't have OCS 2007.
Not everyone uses OCS (yet), so it's no guarantee that a client or partner will have it. However, it's a pretty safe bet they have Gmail accounts. Which means using this gateway, you can chat with them. Even hold conferences online.

That's a huge advantage right there. Some firms only deal with clients through phone and email, usually if they're overseas or far enough away that time zones factor in. This gateway provides a no-cost way to add IM to that mix.

2. It makes adding OCS more attractive.
If you're waffling over buying OCS, the ability to IM people on several networks does have some value as an incentive. Adding chat with Gmail, AIM and MSN/Windows Live increases OCS' usability, like I described above. It also means users will take to it more easily, if they know they can add in colleagues. Or clients. Or even (gasp!) friends.

A final note: Microsoft also dropped PIC license requirements for Windows Live and AIM. You can federate with AIM automatically, if you have a standard CAL for OCS 2007.

Having more Instant Messaging options CAN cause distraction instead of productivity. The whole "time to panic" thing isn't completely ridiculous. I addressed this back in May with my "Is There a Reason to Use Instant Messaging in Business?" post.

However, IM is another communication tool. Try the XMPP Gateway out if you already use IM. Or if it'd help with client communications. Chances are, being able to chat with people on the largest webmail provider in the world might just help you out.