Protecting External Connectivity In OCS 2007
Filed under: Instant Messaging (IM), OCS 2007, OCS 2007 R2, Reference, Voice over IP
Last Friday on TechRepublic's "10 Things" blog, Brien Posey wrote about 10 Common Network Security Design Flaws.
The second flaw is “opening more firewall ports than necessary.” And what does he use as an example? OCS 2007 R2.
It's a very good example. As he states, OCS requires several ports opened in order to provide external connections to other networks. Without proper protection, this can be a risk to you. Ports left open (and not monitored) are little signposts saying, "Enter Here!"
(This only applies if you want to use external connections. If you're only interested in OCS for internal IM and Presence, you won't need to open those ports.)
Brien puts forth Microsoft ForeFront as a good solution to the problem. ForeFront's Threat Management Gateway is a reverse proxy, intended to filter requests for access into and out of your network. At the risk of sounding too provider-loyal, it IS a natural fit. (If you use a hosted OCS provider, chances are ForeFront is in place.)
In order to protect External Connectivity completely, though, you'll have to use the OCS Edge Server. There's an advantage to this: depending on how you want to communicate with others, you can enable only what you need. Each of the External Connectivity services requires a service enabled on the OCS Edge Server. According to Microsoft's TechNet, these are:
- Access Edge service — Lets outside users communicate with your OCS using SIP.
- Web Conferencing Edge service — Lets outside users participate in your conferences.
- A/V Edge service — Lets you share audio and video with external users.
The TechNet page also gives links on how to administer these services:
Microsoft TechNet — Managing External Connectivity for Your Organization with Edge Servers
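As an added example (not code from Brien's post, from TechNet, or from this blog), here is a small Python audit that compares a perimeter firewall rule list with the Edge services you have actually enabled, so a port opened for a service you never turned on gets flagged instead of forgotten. The port and protocol assignments per Edge service are assumed here, not taken from the post; confirm them against your own deployment documentation.

```python
# Added example (not from the original post): audit firewall rules against the
# OCS 2007 R2 Edge services you actually enabled, so "enable only what you need"
# on the Edge Server is mirrored on the perimeter firewall.
# Port/protocol values below are assumptions by the editor, not from the post;
# confirm them against your own deployment documentation before relying on them.
from dataclasses import dataclass

# Assumed external listeners per Edge service ("tcp"/"udp", port).
EDGE_SERVICE_PORTS = {
    "Access Edge": {("tcp", 5061), ("tcp", 443)},   # SIP/TLS federation, remote users
    "Web Conferencing Edge": {("tcp", 443)},
    "A/V Edge": {("tcp", 443), ("udp", 3478)},      # plus a high media range, omitted here
}

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    port: int
    enabled: bool = True

def required_ports(enabled_services):
    """Union of (proto, port) pairs needed by the Edge services you chose to enable."""
    needed = set()
    for svc in enabled_services:
        needed |= EDGE_SERVICE_PORTS[svc]
    return needed

def audit(rules, enabled_services):
    """Return (unneeded_rules, missing_ports): enabled rules exposing ports that no
    enabled service uses, and ports an enabled service needs but no rule allows."""
    needed = required_ports(enabled_services)
    allowed = {(r.proto, r.port) for r in rules if r.enabled}
    unneeded = [r for r in rules if r.enabled and (r.proto, r.port) not in needed]
    missing = sorted(needed - allowed)
    return unneeded, missing

# Constructed sample: IM/presence federation only (Access Edge), but the firewall
# still carries the A/V STUN rule someone opened during a pilot and never removed.
SAMPLE_RULES = [
    Rule("OCS SIP TLS", "tcp", 5061),
    Rule("OCS HTTPS", "tcp", 443),
    Rule("OCS AV STUN (pilot)", "udp", 3478),
]

if __name__ == "__main__":
    extra, gaps = audit(SAMPLE_RULES, ["Access Edge"])
    for r in extra:
        print(f"review: rule '{r.name}' exposes {r.proto}/{r.port}, no enabled service needs it")
    for proto, port in gaps:
        print(f"missing: {proto}/{port} is required by an enabled service but not allowed")
```

Run it on a scheduled basis against an export of your actual rule base; the "review" lines are exactly the set-it-and-forget-it leftovers the post warns about.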
I blogged about this because it's important to remember. Brien's #1 network security flaw was the "set it and forget it" mentality. Doing that with OCS can leave a lot of exploitable holes in your network, all of them preventable if you remember to protect External Connectivity.
How to IM People on Other Networks (AIM, Yahoo, MSN) from OCS — Part 2
Filed under: Instant Messaging (IM), OCS 2007, OCS 2007 R2
Last week I discussed what you'd need to connect OCS 2007 R2 to the MSN/Windows Live IM service. This week I'll do the same for AIM and Yahoo, the two biggest Instant Messaging services out there.
A word of caution before I write this out, though: spammers and phishers use AIM and Yahoo to send out dangerous links and files. Make sure your company's communications policy explains this and advises all users to ignore/block any suspicious messages they receive.
As I mentioned last week, in order to connect to AIM or Yahoo you must move up from a Standard CAL to a Public IM Connectivity (PIC) License. PIC licenses are available through Microsoft Volume Licensing. This is necessary because your Edge Servers will need the PIC License Numbers before Microsoft can approve their provisioning.
But Wait! Configure Users' Ability to Connect First
I found this in TechNet yesterday. It's a prerequisite step to individual users communicating with external Instant Messages. It's probably covered in existing OCS documentation, but I thought it was prudent to add here:
Configure Users for Federation, Public IM Connectivity, and Remote User Access
Connecting to AIM And/Or Yahoo IM
With that settled, let's move to what we're here for. The process for AIM and Yahoo is very similar to provisioning MSN/Windows Live. Here it is:
- Purchase an OCS Public IM Connectivity (PIC) License under Microsoft Volume Licensing (Enterprise, Select or Open Value). Contact your local Microsoft partner for this.
- Once the PIC License is approved by a Regional Operations Center (ROC), Microsoft Volume Licensing sends you a letter with instructions on public IM connectivity provisioning.
- Use the instructions provided to start the provisioning, depending on which IM service you're connecting to.
- When all requested public IM providers complete their provisioning, Microsoft sends a notice of completion to you. It may take up to 4 weeks for provisioning to finish on both Microsoft's side and AOL/Yahoo's.
Things to Note
- AOL requires the A record to be published in DNS in order to authenticate its public certificate.
- While you can IM between networks with this setup, multi-party IM, file transfers, and audio/video aren't supported.
That's it. That's how you connect OCS 2007 to Public IM networks. Not too difficult, provided your setup is in order.
If you'd like more, Microsoft has published a guide with detailed specs and some more information. Download it here: http://go.microsoft.com/fwlink/?LinkId=155970
How to IM People on Other Networks (AIM, Yahoo, MSN) from OCS — Part 1
Filed under: Instant Messaging (IM), OCS 2007, OCS 2007 R2
Everybody asks the question when they find out what Office Communicator does. “Oh, this is instant messaging too? Can I chat with my friend in San Francisco on AIM?”
And then Management's hair goes white. Employees spending all day IMing! Nothing will get done!
Yes, there is a risk of this (though much less than what most people think). But there's plenty of good reasons to IM people on other networks. Discussions with partners and vendors. A direct line to Tech Support. Telecommuters. Even conversations with clients!
So, how do you go about installing the capability? It turns out to be pretty easy, provided you have the right information. And the right license.
Prerequisites for Provisioning
Adding the capability to connect to the public IM networks is called provisioning in OCS. This will require configuration changes on your side. Here's what's needed:
- Public key infrastructure (PKI) support
- OCS servers must support federation
- Edge Servers must be configured to enable support for each public IM provider (MSN/Windows Live, AIM, Yahoo) you want
- This information is needed as well:
- Microsoft Agreement Number
- Access Edge service fully qualified domain name (FQDN)
- Primary Session Initiation Protocol (SIP) domain
- Any additional SIP domains
- Any additional Access Edge service FQDNs
- Contact information
The provisioning process is determined based on your licensing. A standard CAL for OCS 2007 allows access to the MSN/Windows Live IM network. In order to provision servers to access the AIM and Yahoo IM networks, you'll need an OCS Public IM Connectivity License. (Contact Microsoft to see if you're eligible.)
Today I'm going to list how to connect with a standard CAL to the MSN/Windows Live IM network. Next week I'll detail how to connect to AIM and Yahoo.
Connecting to MSN/Windows Live
It's actually very easy to provision OCS for MSN/Windows Live. You simply:
- Contact your Microsoft account manager to request the provisioning.
- The account manager will send you a URL to a website. This URL initiates the process.
- Enter the requested information on the initiation website. Submit.
Wasn't so hard, was it? Provisioning can take up to 30 days to complete. But once it does, you'll be able to talk with friends on MSN/Windows Live right from Office Communicator.
However, note: Windows Live may require a change to your existing IDs in order to work. You must change your ID if it matches a domain that's the same as the domain you request be provisioned for public IM connectivity. (I would think this would make things easier, but who knows.)
Apparently submitting a domain for provisioning "reserves" that domain for use with your company's IM setup. So the user ID must be changed. For instructions on how to do this, go here:
http://support.microsoft.com/gp/Messenger/
Part 2 next week!