How to secure Office Communications Server

The Office Communications Server edge server is the most vulnerable piece of a unified communications application. Here's how to lock it down.

As unified communications (UC) are starting to become much more prevalent, it has become apparent that UC networks are prone to many of the same types of security threats as normal TCP/IP networks. Some of the more common threats include things like spam directed at instant messaging, man-in-the-middle attacks, denial-of-service attacks, sniffing and the list goes on.

Unfortunately, there is no way that I can possibly provide even a high-level overview of unified communications security within the confines of an article. There are simply too many aspects of the unified communications infrastructure that would need to be addressed. That being the case, I want to focus my attention on one particular component that I think deserves some of the most attention: the Office Communications Server (OCS) edge server.

The edge server allows OCS to be accessible to the outside world. The OCS edge server is placed in the network's demilitarized zone and proxies requests between the Internet and the back-end network. The reason why I want to talk about the edge server is because it is exposed to the Internet.

Install the appropriate roles

The first suggestion I would make is that you install the appropriate roles on your edge server. An edge server actually supports three different roles. You can install one, two or all three roles. Installing roles that are not needed can constitute a security risk.

The three roles are:

Access Edge: Allows external users to authenticate into the OCS deployment.

A/V Edge: Allows external users to take advantage of the network's audio and video capabilities from outside the organization.

Web Conferencing Edge: Allows external users to participate in Web conferences.

Be careful with how you enable 'federation'

In an OCS environment, federation refers to the way in which your OCS infrastructure is exposed to the outside world. When you initially configure the edge server, there is a setup wizard screen called the Enable Features on Access Edge Server screen that allows you to choose whether or not you want to allow anonymous users to join meetings, and whether or not you want to enable federation.

Although it is not exactly spelled out on this screen, there are three types of federation you can use. The first type that OCS allows is called direct federation. Direct federation is basically a trust relationship between two organizations. The organizations would have made an agreement to share presence information with each other, and to support the use of direct collaboration between the two organizations. With this type of federation, the participants use digital certificates to positively verify each other's identities.

The second type of federation that is available is something called enhanced federation. Enhanced federation (sometimes called open federation) is enabled through the Enable Features on Access Edge Server screen that I described earlier. By selecting the Allow Discovery of Federation Partners check box, you allow users to communicate with users in other organizations that also run OCS or Live Communications Server. What makes this different from direct federation is that there is not a direct trust between organizations, but rather an open trust that allows communication with any external OCS or LCS organization.

The third type of federation is called federation with public instant messaging providers. Once again, this type of federation is activated through the Enable Features on Access Edge Server screen. The screen contains check boxes administrators can use to enable federation with MSN, Yahoo and AOL instant messaging.

None of these types of federation are necessarily dangerous to use, but they do give your organization varying degrees of exposure. It is therefore important to choose the federation type that fits your plans for unified communications. Of course if you only want to use OCS as an internal communications mechanism then you don't have to enable federation at all.

In this article, I have explained that one of the most important tasks in protecting your unified communications network is controlling access to it from the outside world. This is important, because sensitive information is often passed through unified communications networks, and you do not want to accidentally expose your unified communications network to the world.


Read more on Voice networking and VoIP