Office Communications Server 2007 provides the means for communicating with users of IM services provided by MSN, AOL, and Yahoo!. Once a connection is established, authorized Office Communications Server users can add contacts, share presence information, and communicate in real time with IM users in these public networks. Note that file transfer, games, formatted text, multimedia, and conferencing will not work over connections between Office Communications Server 2007 and public IM service providers.
Organizations that want to take advantage of public IM connectivity must do the following:
Obtain separate public IM connectivity service licenses from Microsoft
Provision the organization's Session Initiation Protocol (SIP) domain using a dedicated Microsoft provisioning Web site
Public IM connectivity licenses cover all three of the supported public IM service providers (MSN, AOL, and Yahoo!), but administrators retain control over which of the providers they enable for their organizations. All three providers are disabled by default when the Edge Server is configured; you can enable one, two, or all three. Administrators can also update the provisioning information later to add or drop providers. You can temporarily disable a connection to a provider simply by changing settings in Office Communications Server. To permanently disable or enable a connection to an IM provider, however, use the provisioning process as explained in the Considerations for Deploying the Public IM Connectivity Scenario and Provisioning Federation with a Public IM Service Provider sections later in this chapter.
As in other federation scenarios, users in your organization can add users of the public IM networks to their allow and block lists in the Office Communicator client. Three scenarios are possible:
A user of one of the public IM networks who is added to an allow list can both exchange IM with, and see presence information for, the owner of the list. Allow and block lists are managed from the Personal Information Manager panel, located on the Personal tab of the Options dialog box in Office Communicator.
A public IM user who is on neither an allow list nor a block list can exchange IM and presence information with an internal user, but the internal user can block all such requests.
A user added to a block list can neither exchange IM with, nor see presence information for, the owner of the list.
Administrators have full control over who in their organization is authorized for public IM connectivity. Once that permission is granted, however, a user can communicate with all of the public IM service providers enabled for the organization. It is not possible to authorize a user to communicate over one enabled public IM service provider but not over another one.
Administrators can authorize public IM connectivity on a per-user or group basis and change both individual and group authorizations as needed. Administrators can exercise additional control over spim (unsolicited commercial IM, or spam over IM) by setting message filters that further restrict access from unverified users. For more information on message filtering, see the Security Considerations section later in this chapter or "Configuring Intelligent IM Filtering" in the "Office Communications Server 2007 Administration Guide."
As with other types of federation, all IM traffic between an organization and a public IM service provider uses an encrypted mutual transport layer security (MTLS) connection. For the purpose of connecting to MSN, AOL, and Yahoo!, an organization must use a certificate from a public certification authority from the list of trusted CAs in Microsoft Windows Server 2003.
Microsoft Office Communicator version 1 and version 2 are both supported as clients by Microsoft Office Communications Server 2007. However, if a user has been enabled for 'Enhanced Presence' in the Office Communications Server 2007 user configuration, Office Communicator version 1 will no longer function for this user.
As shown in Figure 8-1, corporate IM users typically connect to the Home Server using Office Communicator as a client, whereas federated and external IM users connect to the Edge Server through a firewall.
The following are some considerations that you need to be aware of before implementing the Public IM Connectivity scenario in your enterprise:
Acquiring a certificate. Public IM connectivity requires mutual transport layer security (MTLS), using a certificate obtained from a public certification authority. For AOL, the certificate must carry both the client and the server Enhanced Key Usage (EKU) values. Contact an appropriate public certification authority, and see the Knowledge Base article "Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007" at http://support.microsoft.com/kb/929395.
Acquiring service licenses. Before completing the provisioning form and initiating the request to connect with the public IM service providers, you must first purchase service licenses, pursuant to the terms and conditions of your Microsoft Volume Licensing agreement. Without the licenses, the provisioning process will not be completed.
Enabling connections to public IM service providers. Each IM service provider with which you want to federate must be enabled and configured on the Edge Server. For more information, see the Enabling Federation with Public IM Service Providers section later in this chapter.
Authorizing users for public IM connectivity. You can authorize all your enterprise users, certain groups of users, or particular individuals. Users who are not authorized for public IM connectivity can nevertheless be authorized for other types of federation and remote user access. For more information, see the "Enabling User Accounts for Office Communications Server" section in the "Office Communications Server 2007 Administration Guide."
Submitting a provisioning request. Your organization and the public IM service provider must exchange network connectivity information in order to activate federation. You perform this exchange by connecting to a Microsoft-hosted provisioning site (http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=provision) and completing a form that initiates a provisioning request.
Configuring DNS. If you configure a public provider as described in the Enabling Federation with Public IM Service Providers section later in this chapter, your partners must publish a Domain Name System (DNS) service (SRV) record for you to locate them as Allowed Partners or Discovered Partners. You need to publish a DNS SRV record of your own only if you want other enterprises to be able to locate you as one of their Allowed Partners or Discovered Partners. For procedures on configuring DNS for public IM connectivity, see the section "Step 2.2. Configure DNS" in the "Office Communications Server 2007 Edge Server Deployment Guide."
Enabling federation with the public IM service providers is a multi-step process:
Provision federation with the IM service providers. Your organization and the public IM service provider must exchange network connectivity information to activate federation. You perform this exchange by connecting to a Microsoft-hosted provisioning site and completing a form that initiates a provisioning request.
Before completing the provisioning form and initiating the request to connect with the public IM service providers, you must first have purchased public IM connectivity service licenses and installed Office Communications Server, pursuant to the terms and conditions of your Microsoft Volume Licensing agreement. Without the licenses, the provisioning process will not be completed.
Configure DNS on the Edge Server. If you enable enhanced federation or configure a public or private provider in the IM service providers table, you must do the following:
Publish a DNS-SRV record for _sipfederationtls._tcp.<domain>, where <domain> is the name of your organization's domain, on the appropriate DNS server for the SIP domain hosted by your organization. This DNS server must be publicly accessible.
To ensure that DNS-SRV queries are sent to the correct DNS server, provide the internal and external edges of the Edge Server with the address of a DNS server that can resolve internal domains and can forward DNS queries for external domains to public DNS servers.
Publish a DNS A record for the Edge Server on an appropriate DNS server. A single record is sufficient for an array of Edge Servers.
Obtain a public certificate. Public IM connectivity requires MTLS, using a certificate obtained from a public certification authority. For more information, contact an appropriate public certification authority.
Configure the Edge Server for federation. Public IM connectivity requires federation to be enabled on the Edge Server.
Enable connections to public IM service providers. Each IM service provider with which you want to federate must be enabled and configured on the Edge Server.
Authorize users for public IM connectivity. You can authorize all your internal users, certain groups of users, or particular individuals. Users who are not authorized for public IM connectivity can nevertheless be authorized for other types of federation and remote user access.
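The DNS and certificate steps above are the ones that most often fail silently at provisioning time: the SRV record points at the wrong host or port, the A record is missing from public DNS, or the certificate lacks the Client Authentication EKU that AOL requires. The following script is an added example, not part of the Office Communications Server documentation, that checks those prerequisites from the Edge Server's point of view. It assumes the Resolve-DnsName cmdlet (Windows Server 2012 or later) and PowerShell 3.0 or later for the certificate provider's EnhancedKeyUsageList and DnsNameList properties; the domain, FQDN, and resolver values are placeholders.

```powershell
# Added example: pre-flight check of the public DNS records and the Edge Server certificate
# that public IM connectivity depends on. Not from the product documentation.
# Assumes Resolve-DnsName (Windows Server 2012+) and PowerShell 3.0+.
param(
    [string]$SipDomain = 'contoso.com',      # placeholder SIP domain
    [string]$EdgeFqdn  = 'sip.contoso.com',  # placeholder Access Edge Server FQDN
    [string]$PublicDns = '8.8.8.8'           # a public resolver, to see what the providers see
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (AOL requires both)
$problems = New-Object System.Collections.Generic.List[string]

# 1. _sipfederationtls._tcp.<domain> must point at the Edge Server FQDN on TCP 5061.
$srvName = "_sipfederationtls._tcp.$SipDomain"
$srv = $null
try {
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $PublicDns -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' })
} catch {
    $problems.Add("SRV record $srvName not resolvable via ${PublicDns}: $($_.Exception.Message)")
}
if ($srv) {
    $match = $srv | Where-Object { $_.NameTarget -ieq $EdgeFqdn -and $_.Port -eq 5061 }
    if (-not $match) {
        $targets = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        $problems.Add("SRV $srvName does not target ${EdgeFqdn}:5061 (found: $targets)")
    }
}

# 2. The Edge Server FQDN needs an A record in public DNS (one record also covers an Edge array).
try {
    $a = @(Resolve-DnsName -Name $EdgeFqdn -Type A -Server $PublicDns -DnsOnly -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) { $problems.Add("No A record for $EdgeFqdn in public DNS") }
} catch {
    $problems.Add("A record for $EdgeFqdn not resolvable: $($_.Exception.Message)")
}

# 3. A certificate with a private key for the Edge FQDN, both EKUs, and a public, trusted issuer.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.DnsNameList.Unicode -contains $EdgeFqdn -or
        $_.Subject -match "CN=$([regex]::Escape($EdgeFqdn))(,|$)"
    )
})
if ($certs.Count -eq 0) { $problems.Add("No certificate with a private key for $EdgeFqdn in LocalMachine\My") }
foreach ($cert in $certs) {
    $id   = $cert.Thumbprint
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains $ServerAuthOid) { $problems.Add("${id}: missing Server Authentication EKU") }
    if ($ekus -notcontains $ClientAuthOid) { $problems.Add("${id}: missing Client Authentication EKU (AOL requires it)") }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems.Add("${id}: expires $($cert.NotAfter)") }
    if ($cert.Subject -eq $cert.Issuer) { $problems.Add("${id}: self-signed; the public providers require a public CA") }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) { $problems.Add("${id}: chain does not build to a trusted root on this server") }
}

if ($problems.Count -eq 0) { "OK: DNS and certificate prerequisites for $SipDomain look correct" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it on the Access Edge Server after the records have propagated; querying a public resolver with -DnsOnly avoids being fooled by the server's own cache or by split-brain internal DNS, which is exactly the view the provisioning partners will have. A chain that builds locally does not guarantee the provider trusts the issuer, so the self-signed check is a minimum, not a substitute for using a CA from the Knowledge Base partner list.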
The following sections provide additional details concerning some of the steps just listed. For additional information, see the documentation included with Office Communications Server 2007.
The first step in enabling public IM connectivity is to initiate provisioning with one or more of the public IM service providers (MSN, AOL, and Yahoo!).
After you purchase separate service licenses for public IM connectivity, you complete a Web form (http://r.office.microsoft.com/r/rlidLCS?clid=1033&p1=2&p2=library&p3=provision) for initiating provisioning requests.
The following information is required to complete the form:
Master Agreement Number, which identifies your company's Microsoft Business Agreement, which establishes the general terms and conditions of its relationship with Microsoft. Contact your software benefits administrator for this information.
Enrollment Agreement Number, which identifies your company's purchase of licenses for public IM connectivity. Contact your software benefits administrator for this information.
Names of your organization's SIP domains.
The fully qualified domain name (FQDN) of your organization's Edge Server.
Network administrator contact information.
Names of the public IM service providers with which you want to federate.
Microsoft will send you an e-mail message confirming that it has received your provisioning information and is in the process of validating the request. Upon validation, Microsoft will send you a second e-mail message verifying that your information has been forwarded to the appropriate public IM service providers and providing an estimate of how long the process is likely to take. If the request is not validated, you will receive an e-mail message explaining how to resolve the issues responsible for the denial.
After validating your Edge Server and SIP domains, Microsoft will forward the information to the public IM service providers with which you want to connect. The public IM service providers will then provision their routing tables to direct instant messages targeting your SIP domains to the Edge Server specified in the form. Once provisioning is complete, each public IM service provider informs Microsoft, which sends you a final e-mail message confirming that the process is complete. After you have received this final message, you can establish a connection from your Edge Server to the public IM service providers to which you want to connect.
After you provision federation with one or more public IM service providers, the next step is to configure your Edge Server for MTLS. This step requires obtaining the necessary certificate from a public certification authority.
Provisioning is complex and involves routing changes to the networks of Microsoft's partners. As a result, provisioning handles one request at a time. If you want to change provisioning data (specifically, the Access Proxy FQDN, the SIP domains, or the partners to which you want to connect), you must wait until the current provisioning request is complete before you submit the changes. If you want to change provisioning data after provisioning has been completed, you need to re-enter the data for all of your existing providers as well as for any new ones that you want to add. For this reason, print and save the "Thank you" page that is displayed upon successful submission of your data; it contains the tracking number and a copy of the data that you submitted.
IM service providers include the following:
Public IM service providers such as MSN, AOL, and Yahoo!. These providers appear in the IM service providers table by default, but they are disabled.
Private organizations such as data centers, hosting services, and clearing houses.
Federating with public or private IM service providers requires enabling federation on the Edge Server.
IM service providers typically, though not necessarily, host multiple SIP domains. Before Office Communications Server 2007, federating with an organization's multiple domains required entering each one explicitly in the direct partner table. Office Communications Server 2007 provides two mechanisms that simplify federating with organizations hosting multiple domains: enhanced federation, which discovers partners through the DNS SRV records they publish, and the IM service providers table, in which you specify only the provider's Edge Server (see Table 8-1).
If your organization requires tighter controls over federation than enhanced federation provides but you do not want to incur the overhead of entering every domain in the direct partner table, you might want to consider configuring the domains in the allowed partners table. For this approach to work, the partner's internal domains must each contain a DNS-SRV record that points to the Edge Server that you list in the IM service providers table.
Public IM connectivity allows users in your organization to use IM to communicate with users of instant messaging services provided by public IM service providers, including MSN Internet services, Yahoo!, and AOL. Use the IM Provider tab of the Edge Server Properties dialog box to control the IM service providers that are allowed to federate with your organization. You can add or remove an IM service provider, as well as change other settings for any IM service provider (including temporarily blocking the IM service provider). For more information on configuring IM providers, see "Configuring IM Provider Support on Edge Servers" in the "Office Communications Server 2007 Administration Guide."
Table 8-1 summarizes the four main federation options.
Table 8-1. Federation Options
| Type of federation | Must specify Edge Server | Must specify domain |
|---|---|---|
| Allowed partner server | Yes | Yes |
| IM service provider table | Yes | No |
| Discovery of partners | No | No |
| Allowed partner domain | No | Yes |
You cannot configure both IM service providers and a default route to a clearing house on the same Edge Server or on an array of Edge Servers, and with a default route configured you cannot use any routing method that depends on DNS SRV. If your Edge Server is configured with a default route, or if you want to configure it with one, you must first remove the three public IM service providers that populate the IM service providers table when you install Office Communications Server.
Basic IM and presence work with all public IM providers. However, note the following exceptions to the general rule:
When an Office Communications Server user sets his presence to Do Not Disturb (DND) in Office Communicator, users on the Yahoo! public IM networks can still send instant messages without knowing that the Office Communications Server user cannot see these messages.
The public IM networks do not support group IM. As a result, users hosted on the public IM networks (MSN, AOL, and Yahoo!) cannot join IM conferences hosted by Office Communications Server.
Administrators also need to consider how to handle existing accounts on provider networks, public IM connectivity capacity questions, and security issues. These issues are discussed in the following sections.
Users with existing e-mail accounts will receive an e-mail message notifying them that to continue using IM they must change their e-mail address. Users without IM accounts on a public provider will receive new e-mail accounts. Users' existing public IM contact lists and e-mail messages will be transferred to the new sign-in ID and e-mail address. A user's IM and e-mail contacts will be updated with the user's new sign-in ID. The message will provide a link to a Web page for assistance making the change.
Table 8-2 provides examples of how AOL and Yahoo! screen names are added to contact lists of Office Communications Server users.
Table 8-2. Adding AOL and Yahoo! Screen Names to Contact Lists
| Example | User name to be added to Office Communications Server contact list |
|---|---|
| An Office Communications Server user wants to add AOL user [email protected] to the Office Communicator client's contact list. | |
| An Office Communications Server user wants to add AOL user kim970 to the Office Communicator client's contact list. | |
| An Office Communications Server user wants to add Yahoo! user kimakers@yahoo.com to the Office Communicator client's contact list. | |
For information on how MSN migrates accounts, see Figure 8-4 which describes the change process.
As shown in Figure 8-4 MSN users who are already using MSN Connect must change their e-mail IDs. Users' existing MSN contact lists and e-mail messages will be transferred to the new sign-in ID and e-mail address. Users' IM and e-mail contacts will be updated with the user's new sign-in ID. Windows Live Messenger Service will work unless your IT administrator has blocked access.
Public IM capacity in Office Communications Server is determined by the bandwidth of the organization's Internet connection, so a T1 connection to the public providers supports more IM traffic than a 256 Kbps connection. SIP, the protocol used for IM, scales well to large numbers of users. For information on capacity planning, see "Capacity Planning" in the "Office Communications Server 2007 Planning Guide."
The main security issue with public IM is controlling spim. Controlling spim can be discussed in terms of contacts or message content.
All SIP traffic must be carried over TLS. IPsec is not supported, and User Datagram Protocol (UDP) is not supported. Compression, if used at all, is negotiated only as part of the TLS handshake (RFC 2246).
There are several techniques available to control spim by limiting contacts:
To limit spim when enabling individual users for public IM connectivity, use Active Directory Users and Computers as follows:
Log on as a member of the Domain Admins group or the RTCUniversalServerAdmins group to an Enterprise Edition server, or to any server that is a member of an Active Directory domain and that has the Office Communications Server administration tools installed.
Open Active Directory Users and Computers. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, expand the Users container or the other organizational unit (OU) that contains the user account for which you want to enable federation, public IM connectivity, or remote user access; right-click the user account name; and then click Properties.
On the Communications tab, click the Configure button next to Additional Options.
In User Options, under Federation, do the following:
Click OK twice.
To limit spim when configuring IM provider support on an Edge Server, use the Edge Server Properties dialog box as follows.
On the Access Edge Server, open Computer Management.
In the console tree, expand Services And Applications, right-click Office Communications Server 2007, and then click Properties. (See Figure 8-5.)
On the IM Provider tab, do one of the following:
To view or edit the settings for an IM service provider, click the name of the IM service provider in the list, and then click Edit. In the Edit IM Service Provider dialog box, view or change settings as appropriate, and then click OK.
To temporarily block an IM service provider in the list, click the name of the IM service provider, and then click Edit. In the Edit IM Service Provider dialog box, clear the Allow This IM Service Provider check box, and then click OK. This blocks the IM service provider until you later select the check box again; it does not delete the configuration information.
To permanently remove an IM service provider from the list, click the name of the provider, and then click Remove. If you later want to add the IM service provider again, you must add it as a new provider and specify all of its settings.
To add an IM provider, click Add. In the Add IM Service Provider dialog box, specify the appropriate options and then click OK.
To limit spim by accepting IM only from users on recipients' contact lists, use the Add IM Service Provider dialog box to permit IM traffic with contact list members only, as follows:
On the Access Edge Server, click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.
If necessary, expand Services And Applications.
Right-click Microsoft Office Communications Server 2007 and then click Properties.
On the IM Provider tab, click Add. (See Figure 8-6.)
In the Add IM Service Provider dialog box, do the following:
Select the Allow This IM Service Provider check box to enable the new provider.
In the IM Service Provider Name box, type the name of the IM service provider. This name will appear in the Provider column of the IM service providers table.
In the Network Address Of The IM Service Provider Access Proxy box, type the FQDN of the provider's Access Proxy.
Select the This Is A Public IM Service Provider check box only if the provider is MSN, AOL, or Yahoo!
Select an option for filtering incoming communications. To limit IM to users on contact lists, select the option Allow Communications Only From Users On Recipients' Contact List.
Click OK.
Click OK or Apply to continue.
You can use the Intelligent IM Filter application to protect your Office Communications Server 2007 deployment against harmful instant messages from unknown endpoints outside the corporate firewall. The Intelligent IM Filter provides two filtering features, URL filtering and file transfer filtering, each configured on its own tab as described next.
To configure URL filtering, do the following:
On the Access Edge Server, open Computer Management.
In the console tree, expand Services And Applications, right-click Office Communications Server 2007, point to Application Properties, and click Intelligent IM Filter. (See Figure 8-7.)
On the URL Filter tab, configure the appropriate settings.
It is also possible to access the Intelligent IM Filter by right-clicking either the Enterprise pool or the Standard Edition server.
To configure a file transfer filter, do the following:
On the Access Edge Server, open Computer Management.
In the console tree, expand Services And Applications, right-click Office Communications Server 2007, point to Application Properties, and click Intelligent IM Filter.
On the File Transfer Filter tab, configure the appropriate settings.
It is also possible to access the Intelligent IM Filter by right-clicking either the Enterprise pool or the Standard Edition server.
For more information on the Intelligent IM Filter application, see "Configuring Intelligent IM Filtering" in the "Office Communications Server 2007 Administration Guide."
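The spim controls in the preceding sections act at two different points: the contact-level controls (provider enabled, user authorized for public IM connectivity, per-user block and allow lists, the provider's "only from users on the recipient's contact list" option) decide whether a sender is heard at all, and the Intelligent IM Filter then inspects the content of what gets through. The script below is an added example, not code from Office Communications Server or the Intelligent IM Filter, that models both stages so the order of evaluation can be reasoned about and tested. The prefix list, the blocked-extension list, the "http_://" defanging form, and all sample senders and messages are this example's own constructions, not product defaults.

```powershell
# Added example: a model of the two spim stages described above. Not product code.
# Stage 1: contact-level policy, evaluated in the order an Edge Server would gate a sender.
function Test-ImSenderPolicy {
    param(
        [string]$Sender,          # SIP URI of the external sender
        [hashtable]$Provider,     # @{ Enabled = $true; ContactListOnly = $false }
        [hashtable]$Recipient     # @{ PicEnabled = $true; Allow = @(); Block = @(); Contacts = @() }
    )
    if (-not $Provider.Enabled)             { return 'Reject: provider disabled on the Edge Server' }
    if (-not $Recipient.PicEnabled)         { return 'Reject: recipient not authorized for public IM connectivity' }
    if ($Recipient.Block -contains $Sender) { return 'Reject: sender on the recipient block list' }
    if ($Recipient.Allow -contains $Sender) { return 'Deliver: sender on the recipient allow list' }
    if ($Provider.ContactListOnly -and ($Recipient.Contacts -notcontains $Sender)) {
        return 'Reject: provider accepts only senders on the recipient contact list'
    }
    return 'Deliver: unknown sender; the recipient can still block'
}

# Stage 2a: URL filtering. Block the message, pass it, or pass it with links made non-clickable.
function Invoke-ImUrlFilter {
    param(
        [string]$Text,
        [ValidateSet('Block', 'ConvertToText', 'Allow')][string]$Mode = 'ConvertToText',
        [string[]]$IntranetSuffixes = @()     # e.g. '.contoso.com' to leave intranet links alone
    )
    $prefixes = @('https://', 'http://', 'ftp://', 'file://', 'www.')   # example prefix list
    $alt = ($prefixes | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "(?i)(?<prefix>$alt)(?<rest>[^\s<>""']+)"

    $isIntranet = { param($url) foreach ($s in $IntranetSuffixes) { if ($url -like "*$s*") { return $true } }; $false }
    $external = @([regex]::Matches($Text, $pattern) | Where-Object { -not (& $isIntranet $_.Value) })

    if ($Mode -eq 'Allow' -or $external.Count -eq 0) { return @{ Action = 'Deliver'; Text = $Text } }
    if ($Mode -eq 'Block') { return @{ Action = 'Block'; Text = $null } }

    # ConvertToText: break the scheme ("http_://", "www_.") so clients stop rendering a hyperlink.
    $evaluator = {
        param($m)
        if (& $isIntranet $m.Value) { return $m.Value }
        $prefix = $m.Groups['prefix'].Value
        if ($prefix -like '*://') { $prefix = $prefix -replace '://$', '_://' }
        else                     { $prefix = $prefix -replace '\.$', '_.' }
        return $prefix + $m.Groups['rest'].Value
    }
    $converted = [regex]::Replace($Text, $pattern, [System.Text.RegularExpressions.MatchEvaluator]$evaluator)
    return @{ Action = 'Deliver'; Text = $converted }
}

# Stage 2b: file transfer filtering by extension (example list; the real tab has its own defaults).
$BlockedExtensions = @('.exe', '.bat', '.cmd', '.com', '.scr', '.pif', '.vbs', '.js', '.lnk', '.msi', '.reg', '.hta')
function Test-FileTransferAllowed {
    param([string]$FileName)
    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()   # last extension only
    return -not ($BlockedExtensions -contains $ext)
}

# Constructed sample data for this example.
$provider  = @{ Enabled = $true; ContactListOnly = $true }
$recipient = @{
    PicEnabled = $true
    Allow      = @('sip:kim970@aol.com')
    Block      = @('sip:bulkmailer@yahoo.com')
    Contacts   = @('sip:kim970@aol.com')
}
Test-ImSenderPolicy -Sender 'sip:kim970@aol.com'       -Provider $provider -Recipient $recipient   # allow-listed contact
Test-ImSenderPolicy -Sender 'sip:bulkmailer@yahoo.com' -Provider $provider -Recipient $recipient   # blocked sender
Test-ImSenderPolicy -Sender 'sip:stranger@msn.com'     -Provider $provider -Recipient $recipient   # unknown, ContactListOnly

$r = Invoke-ImUrlFilter -Text 'Invoice: http://evil.example/x  Portal: http://intranet.contoso.com/p' `
                        -Mode ConvertToText -IntranetSuffixes '.contoso.com'
$r.Action; $r.Text                                       # external link defanged, intranet link untouched
Test-FileTransferAllowed 'invoice.pdf'                    # allowed
Test-FileTransferAllowed 'invoice.pdf.exe'                # blocked: only the final extension counts
```

Two design points carry over to the real configuration. First, the contact-level gate runs before any content inspection, so a provider left in the table but with Allow This IM Service Provider cleared rejects everything regardless of filter settings. Second, extension filtering looks only at the final extension; double extensions such as invoice.pdf.exe are still caught, but a renamed executable is not, which is why the content filter is a spim control rather than a malware control.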
Media sharing over a public IM connection is not an issue administrators need to worry about. Users cannot share either audio-visual or binary files over a connection to a public IM provider. Specifically, keep these considerations in mind:
Between a public IM provider and Office Communications Server, only text and presence information can be exposed.
Between two Office Communications Servers, sharing of audio-visual or binary files in an IM session is supported.
The easiest way to configure multiple users for public IM connectivity is to use the Configure Users Wizard. (See Figure 8-8.) You can access the wizard by using either the Active Directory Users and Computers snap-in or the Office Communications Server Administrative snap-in on an Office Communications Server attached to your SIP domain.
To enable multiple users for public IM connectivity by using the Active Directory Users and Computers snap-in, do the following:
If the computer is a domain controller, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users And Computers. Otherwise, if the computer is not a domain controller, at the command prompt type dsa.msc and press Enter.
Go to the folder where your user accounts reside.
Do one of the following:
On the Welcome To The Configure User Wizard page, click Next.
Under Configure User Settings, select Public IM Connectivity.
On the Configure Operation Status page, if you want to export the log, click Export to save the XML file.
Click Finish.
To enable multiple users for public IM connectivity by using the Office Communications Server administrative snap-in, do the following:
Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007.
In the console tree, expand the forest node.
Expand subsequent nodes under the Domains node until you reach the domain that the server or pool resides in.
Expand the Standard Edition Servers or Enterprise Pools node.
Expand the server or pool.
Do one of the following:
Right-click the Users folder, and then click Configure Users to configure all user accounts on this server or pool.
Click the Users folder, and in the Details pane, select the user or users that you want to configure, and then click Configure Users.
On the Welcome To The Configure User Wizard page, click Next.
Under Configure User Settings, select Public IM Connectivity.
On the Configure Operation Status page, if you want to export the log, click Export to save the XML file.
Click Finish.
You can also enable or disable public IM connectivity for individual users. To configure an individual user for public IM connectivity by using the Active Directory Users and Computers snap-in, do the following:
If the computer is a domain controller, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users And Computers. Otherwise, if the computer is not a domain controller, at the command prompt type dsa.msc and press Enter.
Go to the folder where your user accounts reside.
Expand the folder.
Right-click the user account that you want to configure, and then select Properties.
On the Communications tab, make sure that the Enable User For Office Communications Server check box is selected. If it is not, select it now.
Enter a sign-in name, and select a server or pool for the user to sign in to. (See Figure 8-9.)
Click Configure.
Under Federation Settings, select the Enable Public IM Connectivity check box and then click OK.
Click OK.
An individual user can be authorized for federation, public IM connectivity, remote access, or any combination of the three. Enabling public connectivity for a user does not require disabling federation or remote access.
You can also disable public IM connectivity for one or more users at any time. To do so, follow any of the procedures described previously for enabling public IM connectivity for one or more users, but clear the Enable Public IM Connectivity check box where the procedure says to select it.
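Because public IM connectivity, federation, and remote user access are granted independently, it is easy to lose track of who can reach the public networks, especially after staff changes. The script below is an added example, not from the Office Communications Server documentation, that audits those grants by reading the msRTCSIP-* attributes on the user objects that the Communications tab and the Configure Users Wizard write. It assumes the ActiveDirectory module (RSAT) is installed, and it assumes that bit 1 of msRTCSIP-OptionFlags is the "Enable public IM connectivity" flag; that bit assignment is taken from the OCS schema reference and should be confirmed against the schema documentation for your version before the output is acted on. The Disable-OcsPublicIM function shows what the wizard changes; for routine changes, prefer the wizard.

```powershell
# Added example: audit which OCS-enabled users can use public IM connectivity, federation,
# and remote user access. Not product code. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Assumption: bit 1 of msRTCSIP-OptionFlags = "Enable public IM connectivity". Verify against
# the OCS 2007 schema reference for your deployment before relying on this value.
$PicFlag = 1

function Get-OcsUserAccess {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-OptionFlags', 'msRTCSIP-FederationEnabled',
             'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-PrimaryHomeServer'
    Get-ADUser -LDAPFilter '(msRTCSIP-UserEnabled=TRUE)' -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $flags = [int]($_.'msRTCSIP-OptionFlags')       # a missing attribute counts as 0
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SipAddress      = $_.'msRTCSIP-PrimaryUserAddress'
                HomeServer      = $_.'msRTCSIP-PrimaryHomeServer'
                PublicIM        = [bool]($flags -band $PicFlag)
                Federation      = [bool]$_.'msRTCSIP-FederationEnabled'
                RemoteAccess    = [bool]$_.'msRTCSIP-InternetAccessEnabled'
                AccountDisabled = -not $_.Enabled
            }
        }
}

# Clear only the public IM bit, leaving the other option flags as they are.
function Disable-OcsPublicIM {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'msRTCSIP-OptionFlags'
    $flags = [int]($u.'msRTCSIP-OptionFlags')
    Set-ADUser -Identity $u -Replace @{ 'msRTCSIP-OptionFlags' = ($flags -band (-bnot $PicFlag)) }
}

# Report all OCS users, then flag public IM grants that survive on disabled AD accounts.
$users = Get-OcsUserAccess
$users | Sort-Object SipAddress |
    Format-Table SamAccountName, SipAddress, PublicIM, Federation, RemoteAccess, AccountDisabled -AutoSize

$users | Where-Object { $_.PublicIM -and $_.AccountDisabled } | ForEach-Object {
    Write-Warning "Public IM connectivity still enabled on disabled account $($_.SamAccountName)"
}
```

A disabled AD account cannot sign in, so the stale grant is harmless until the account is re-enabled; the point of the check is that re-enabling an account for some unrelated reason silently restores its public network access. Run the audit on a schedule and diff the output to catch grants that were made outside the wizard.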
When you enable individual user accounts for Office Communications Server 2007 in Active Directory Users and Computers, you can change user account settings to specify the functionality available to each user. For information on the impact of global, group, and individual settings, see "Managing User Accounts" in the "Office Communications Server 2007 Administration Guide."
As shown in the previous sections, settings for user accounts can be configured in different ways. In general, settings can be configured by using the following methods:
Globally for all users in the forest, using the Office Communications Server 2007 administrative snap-in.
Individually or in groups, using the Configure Office Communications Server Users Wizard in the Office Communications Server 2007 administrative snap-in or the Active Directory Users and Computers snap-in. After enabling user accounts in Active Directory Users and Computers, using the Configure User Wizards to configure user accounts is recommended—especially for newly enabled user accounts—because it supports configuration of multiple users at a time.
Individually, using the Communications tab of the user account Properties in Office Communications Server 2007 or Active Directory Users and Computers. This approach is useful if you want to change a small number of settings for a small number of user accounts, or for configuring settings that cannot be configured using the Configure User Wizard.
All three methods are not available for configuration of all settings. Additionally, some of the user account settings that have global settings require that the global setting be configured prior to configuring settings on specific user accounts. Table 8-3 describes which of the methods can be used to configure each of the specific user settings, as well as the global configuration requirements.
Table 8-3. Configuring Per-User and Global Settings for User Accounts
The user settings that do not have global settings are configured only at the user level. Table 8-4 shows the configurable user settings that do not use global settings and the configuration methods available for each setting.
Table 8-4. User Settings that Do Not Use Global Settings