Unified communications: Securing access to OCS


Brien M. Posey, Contributor
10.06.2008

As unified communications (UC) becomes more prevalent, it has become apparent that UC networks are prone to many of the same types of security threats as normal TCP/IP networks. Some of the more common threats include spam directed at instant messaging, man-in-the-middle attacks, denial-of-service attacks and sniffing, and the list goes on.

Unfortunately, there is no way that I can possibly provide even a high-level overview of unified communications security within the confines of an article. There are simply too many aspects of the unified communications infrastructure that would need to be addressed. That being the case, I want to focus my attention on one particular component that I think deserves some of the most attention: the Office Communications Server (OCS) edge server.

The edge server makes OCS accessible to the outside world. It is placed in the network's demilitarized zone and proxies requests between the Internet and the back-end network. I want to talk about the edge server because it is exposed to the Internet.

Install the appropriate roles

The first suggestion I would make is that you install the appropriate roles on your edge server. An edge server actually supports three different roles. You can install one, two or all three roles. Installing roles that are not needed can constitute a security risk.

The three roles are:

Access Edge: Allows external users to authenticate into the OCS deployment.

A/V Edge: Allows external users to take advantage of the network's audio and video capabilities from outside the organization.

Web Conferencing Edge: Allows external users to participate in Web conferences.

Be careful with how you enable 'federation'

In an OCS environment, federation refers to the way in which your OCS infrastructure is exposed to the outside world. When you initially configure the edge server, there is a setup wizard screen called the Enable Features on Access Edge Server screen that allows you to choose whether or not you want to allow anonymous users to join meetings, and whether or not you want to enable federation.

Although it is not exactly spelled out on this screen, there are three types of federation you can use. The first type that OCS allows is called direct federation. Direct federation is basically a trust relationship between two organizations. The organizations would have made an agreement to share presence information with each other, and to support the use of direct collaboration between the two organizations. With this type of federation, the participants use digital certificates to positively verify each other's identities.

The second type of federation that is available is something called enhanced federation. Enhanced federation (sometimes called open federation) is enabled through the Enable Features on Access Edge Server screen that I described earlier. By selecting the Allow Discovery of Federation Partners check box, you allow users to communicate with users in other organizations that also run OCS or Live Communications Server. What makes this different from direct federation is that there is not a direct trust between organizations, but rather an open trust that allows communication with any external OCS or LCS organization.

The third type of federation is called federation with public instant messaging providers. Once again, this type of federation is activated through the Enable Features on Access Edge Server screen. The screen contains check boxes administrators can use to enable federation with MSN, Yahoo and AOL instant messaging.

None of these types of federation is necessarily dangerous to use, but they do give your organization varying degrees of exposure. It is therefore important to choose the federation type that fits your plans for unified communications. Of course, if you only want to use OCS as an internal communications mechanism, then you don't have to enable federation at all.

In this article, I have explained that one of the most important tasks in protecting your unified communications network is controlling access to it from the outside world. This is important, because sensitive information is often passed through unified communications networks, and you do not want to accidentally expose your unified communications network to the world.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at editor@searchcio-midmarket.com.

