
Deploying a secure Lync Edge

Lync Edge is a role that makes Lync services available to external users and companies in a secure manner. A Lync Edge Server is not part of the internal domain, and in general, it is deployed in a Demilitarized Zone (DMZ) network with a series of limitations (for example, name resolution of the Lync Servers in the internal network is usually limited to the local hosts file). The previously mentioned restrictions and other security features, however, are not enough to defend the server from some kinds of Internet threats, including Distributed Denial-of-Service (DDoS) and brute-force attacks. An extremely powerful instrument we have at our disposal to protect our Lync deployment is the Microsoft SIP Processing Language (MSPL). MSPL is a scripting language used specifically to filter and route SIP messages. Chris Norman, for example, has shared a really interesting MSPL script to block presence indicators with federated partners at http://voipnorm.blogspot.it/2013/01/mspl-script-blocking-federated-presence.html. The idea behind the script is to keep the features we need running (such as IM), while limiting the information we show to external users. The steps we will see (required to apply the previously mentioned solution) are the same every time we use an MSPL script.

How to do it...

  1. Connect to a Lync Front End Server.
  2. Open the Lync Server Management Shell and launch the following cmdlet to get a list of the existing server applications:
    Get-CsServerApplication
  3. Now, we can install the script (BlockFederatedPresence.am).
    New-CsServerApplication -Identity "EdgeServer:cheshirecat.absoluteuc.corp/Simple" -Uri "http://sip.absoluteuc.org/BlockFederatedPresence" -ScriptName "C:\BlockFederatedPresence.am" -Enabled $true -Critical $false

    The explanation of the preceding code is as follows:

    • The Identity parameter indicates the Edge Server using the FQDN of the server. In our scenario, it is the Edge Server cheshirecat.absoluteuc.corp.
    • Uri is the value defined in the appUri parameter of the script (I customized the one in Chris Norman's script, which uses http://sip.yourdomain.com/BlockFederatedPresence).
    • ScriptName indicates the path to the .am file (in our scenario, C:\BlockFederatedPresence.am).
    • Enabled $true or $false is a switch to activate or deactivate the script.
    • Critical $true or $false is a switch that selects whether Lync Server is allowed to start when our application fails to start for any reason.
  4. We have to restart the Lync services (Stop-CsWindowsService | Start-CsWindowsService).
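
As an added example (not code from the book or from Chris Norman's script), the following PowerShell function, run in the Lync Server Management Shell, performs the checks I would want before step 3: it confirms the .am file exists, reads the appUri attribute from the manifest and compares it with the value we intend to pass to -Uri, and refuses to register the same application twice. The function name, its parameters and the -Register switch are my own; the cmdlets and their parameters are the ones used in the steps above.

```powershell
# Added example: pre-flight checks before New-CsServerApplication.
# Assumes the Lync Server Management Shell (Lync cmdlets loaded).
function Register-MsplScript {
    param(
        [Parameter(Mandatory)] [string] $EdgeFqdn,     # e.g. cheshirecat.absoluteuc.corp
        [Parameter(Mandatory)] [string] $AppName,      # e.g. Simple
        [Parameter(Mandatory)] [string] $ScriptPath,   # e.g. C:\BlockFederatedPresence.am
        [Parameter(Mandatory)] [string] $ExpectedUri,  # value we intend to pass to -Uri
        [switch] $Register                             # without it, only validate
    )

    if (-not (Test-Path -Path $ScriptPath)) {
        throw "Manifest not found: $ScriptPath"
    }

    # The .am file is XML; its root element carries the appUri attribute.
    # Matching on LocalName avoids depending on the namespace prefix used in the file.
    $manifest = [xml](Get-Content -Path $ScriptPath -Raw)
    $appUriAttr = $manifest.DocumentElement.Attributes |
        Where-Object { $_.LocalName -eq 'appUri' } | Select-Object -First 1
    if (-not $appUriAttr) {
        throw "No appUri attribute found in $ScriptPath"
    }
    if ($appUriAttr.Value -ne $ExpectedUri) {
        throw "appUri in manifest ($($appUriAttr.Value)) does not match -Uri ($ExpectedUri)"
    }

    $identity = "EdgeServer:$EdgeFqdn/$AppName"

    # Refuse to register twice; Get-CsServerApplication lists what is already installed.
    $existing = Get-CsServerApplication | Where-Object { $_.Identity -eq $identity }
    if ($existing) {
        Write-Warning "Application $identity already exists (Enabled=$($existing.Enabled))"
        return $existing
    }

    if (-not $Register) {
        Write-Output "Validation passed for $identity; re-run with -Register to install."
        return
    }

    # -Critical $false: Lync services still start even if this script fails to load.
    New-CsServerApplication -Identity $identity -Uri $ExpectedUri `
        -ScriptName $ScriptPath -Enabled $true -Critical $false
}
```

Run it first without -Register to see whether the manifest and the intended Uri agree, then with -Register to perform step 3; step 4 (restarting the services) is still required afterwards.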

See Also

Rui Maximo wrote a post for Lync 2010 Edge Servers, Lync Server 2010: Security at the Edge (http://technet.microsoft.com/en-us/magazine/hh219285.aspx), where he talks about DDoS against the Lync Edge Servers and points out how to use MSPL to handle this kind of threat. Code4Lync (http://mohamedasakr.wordpress.com/) and Lync Development (http://blog.greenl.ee/) are two blogs, from Mohamed Sakr and Michael Greenlee, with a lot of interesting posts dedicated to MSPL.
