Lync Edge is a role that makes Lync services available to external users and companies in a secure manner. A Lync Edge Server is not part of the internal domain and, in general, it is deployed in a Demilitarized Zone (DMZ) network with a series of limitations (for example, the name resolution of the Lync Servers in the internal network is usually limited to the local hosts file). These restrictions and the other security features of the role, however, are not enough to defend the server from some kinds of Internet threats, including Distributed Denial-of-Service (DDoS) and brute-force attacks. An extremely powerful instrument we have at our disposal to protect our Lync deployment is the Microsoft SIP Processing Language (MSPL). MSPL is a scripting language used specifically to filter and route SIP messages on the server. Chris Norman, for example, has shared a really interesting MSPL script to block presence indicators with federated partners at http://voipnorm.blogspot.it/2013/01/mspl-script-blocking-federated-presence.html. The idea behind the script is to keep the features we need (such as IM) working while limiting the information we show to external users. The steps we will see (required to apply the previously mentioned solution) are the same every time we use an MSPL script:
1. Verify the server applications already registered with Get-CsServerApplication, so that the identity and the URI we are going to use are not already taken.
2. Save the MSPL script as an .am file on the Edge Server (in our scenario, BlockFederatedPresence.am in C:\).
3. Register the script as a server application:

New-CsServerApplication -Identity "EdgeServer:cheshirecat.absoluteuc.corp/Simple" -Uri "http://sip.absoluteuc.org/BlockFederatedPresence" -ScriptName "C:\BlockFederatedPresence.am" -Enabled $true -Critical $false

The explanation of the preceding code is as follows:

- The Identity parameter indicates the Edge Server using the FQDN of the server, followed by a name for our application. In our scenario, it is the Edge Server cheshirecat.absoluteuc.corp.
- The Uri parameter is the appUri parameter declared in the script, and the two must match (I customized the one in Chris Norman's script, which is http://sip.yourdomain.com/BlockFederatedPresence).
- The ScriptName parameter is the path of the .am file (in our scenario, C:\BlockFederatedPresence.am).
- Enabled ($true or $false) is a switch to activate or deactivate the script.
- Critical ($true or $false) is a switch to select whether Lync Server can start when our application does not start for any reason. With $true, a script that fails to load prevents the server from starting, so $false is the safer choice while testing a new script.

4. Restart the Lync services so that the new application is loaded (Stop-CsWindowsService | Start-CsWindowsService).
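The following PowerShell script is an added example (it is not part of the original chapter, nor of Chris Norman's script) that puts the preceding steps together the way you would run them on a production Edge Server: it checks that the .am file exists, compares the URI we are about to register with the appUri declared in the manifest, registers the application only if it is not already there (updating it otherwise), restarts the services, and prints the resulting configuration. The Edge FQDN, application name, URI and script path are the values used in this chapter and are assumptions to adjust for your deployment; the manifest check assumes the standard MSPL manifest layout, in which the root element carries an lc:appUri attribute in the http://schemas.microsoft.com/lcs/2006/05 namespace.

```powershell
# Added example: register (or update) an MSPL script on a Lync Edge Server.
# Run in the Lync Server Management Shell on the Edge Server itself.
# The values below are assumptions taken from this chapter's scenario.
$EdgeFqdn   = "cheshirecat.absoluteuc.corp"
$AppName    = "Simple"
$AppUri     = "http://sip.absoluteuc.org/BlockFederatedPresence"
$ScriptPath = "C:\BlockFederatedPresence.am"
$Identity   = "EdgeServer:$EdgeFqdn/$AppName"
$MsplNs     = "http://schemas.microsoft.com/lcs/2006/05"   # MSPL manifest namespace

# 1. The .am file is read by the server process, so it must exist locally.
if (-not (Test-Path -Path $ScriptPath)) {
    throw "MSPL script not found at $ScriptPath"
}

# 2. The Uri we register must match the appUri declared in the manifest;
#    otherwise the script is loaded but no SIP message is ever routed to it.
[xml]$manifest = Get-Content -Path $ScriptPath -Raw
$declaredUri = $manifest.DocumentElement.GetAttribute("appUri", $MsplNs)
if ($declaredUri -ne $AppUri) {
    throw "Manifest declares appUri '$declaredUri' but we are registering '$AppUri'"
}

# 3. Look at what is already registered (step 1 of the procedure) and avoid
#    a duplicate: update the existing application instead of creating a new one.
$existing = Get-CsServerApplication -Identity $Identity -ErrorAction SilentlyContinue
$params = @{
    Identity   = $Identity
    Uri        = $AppUri
    ScriptName = $ScriptPath
    Enabled    = $true
    Critical   = $false   # a broken script must not keep the Edge Server down
}
if ($existing) {
    Write-Host "Application $Identity already exists, updating it"
    Set-CsServerApplication @params
} else {
    Write-Host "Registering application $Identity"
    New-CsServerApplication @params
}

# 4. The application list is read at service startup, so restart the services.
Stop-CsWindowsService
Start-CsWindowsService

# 5. Verify the result: the application must be listed, enabled and non-critical.
Get-CsServerApplication -Identity $Identity |
    Format-List Identity, Uri, ScriptName, Enabled, Critical
```

If the script misbehaves once in production, the quickest rollback is Set-CsServerApplication -Identity $Identity -Enabled $false followed by the same service restart; because the application was registered with -Critical $false, a failure inside the script itself does not prevent the Edge services from starting.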
Rui Maximo wrote a post for Lync 2010 Edge Servers, Lync Server 2010: Security at the Edge (http://technet.microsoft.com/en-us/magazine/hh219285.aspx), where he talks about DDoS against Lync Edge Servers and points out how to use MSPL to handle this kind of threat. Code4Lync (http://mohamedasakr.wordpress.com/) and Lync Development (http://blog.greenl.ee/) are two blogs, from Mohamed Sakr and Michael Greenlee respectively, with a lot of interesting posts dedicated to MSPL.