Securing Unified Messaging Network Traffic
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-29
An important aspect of the overall network security for your organization is correctly configuring security for your Microsoft Exchange Server 2007 Unified Messaging servers. Enabling Unified Messaging servers, IP gateways, and other servers that are running Microsoft Exchange Server 2007 to communicate by using Transport Layer Security (TLS) or Internet Protocol security (IPsec) increases the level of security for your whole network. This topic contains information and links to security-related topics that can help you increase the level of protection for your network.
Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in a secured or an unsecured mode, depending on how the UM dial plan has been configured and whether the appropriate certificate trusts have been established between the IP gateways and Unified Messaging servers on your network. In unsecured mode, the Voice over IP (VoIP) and Session Initiation Protocol (SIP) traffic is not encrypted. However, a UM dial plan, and the Unified Messaging servers that are associated with it, can be configured by using the VoIPSecurity parameter. The VoIPSecurity parameter configures the dial plan to encrypt the VoIP and SIP traffic by using Mutual Transport Layer Security (MTLS). This is known as secured mode.
There are several things that you can do to help protect your Unified Messaging servers and the network traffic that is sent between your IP gateways and Unified Messaging servers and between your Unified Messaging servers and other Exchange 2007 servers in your organization. To understand the components that must be used in your Unified Messaging environment to help protect the network data that is sent and received by Unified Messaging servers in your organization, you must first understand how to do the following:
- Use IPsec to protect Unified Messaging network data.
- Use TLS to protect Unified Messaging network data.
- Use the different types of certificates that are used with Unified Messaging to implement TLS.
- Correctly configure Unified Messaging servers and IP gateways to use TLS.
There are various components that must be configured to help enable the Unified Messaging server to communicate in a secure manner with other Exchange 2007 servers and IP gateways. The following components help secure the data that is passed over the network:
- IPsec: IPsec uses cryptography-based protection services, security protocols, and dynamic key management. It provides the strength and flexibility to help protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific types of traffic. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- TLS: After you have successfully imported and exported the required trusted certificates, an IP gateway will request a certificate from the Unified Messaging server, and the Unified Messaging server will in turn request a certificate from the IP gateway. Exchanging the trusted certificates between the IP gateway and the Unified Messaging server helps secure the channel over which the IP gateway and the Unified Messaging server communicate by using TLS. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- Certificates: Digital certificates are electronic files that work like an online passport to verify the identity of a user or computer. They are used to create an encrypted channel that helps protect data. A certificate is basically a digital statement, issued by a certification authority (CA), that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption. Certificates can be issued by a trusted CA, such as a third-party CA or Certificate Services, or they can be self-signed. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- VoIP security: Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in a secured or an unsecured mode, depending on how the UM dial plan has been configured. By default, UM dial plans communicate in an unsecured mode. You can use the Get-UMDialPlan cmdlet in the Exchange Management Shell to determine the security setting for a UM dial plan. For more information about how to enable VoIP security on a Unified Messaging dial plan, see How to Configure Security on a Unified Messaging Dial Plan.
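The following Exchange Management Shell script is an added example, not part of this topic: it uses Get-UMDialPlan to report the VoIPSecurity setting of every dial plan, lists the Unified Messaging servers associated with each plan, and flags the plans that still send VoIP and SIP traffic in the clear. It assumes the Get-UMServer cmdlet with its DialPlans property and the Set-UMDialPlan cmdlet with its -VoIPSecurity parameter (neither is named on this page); the -Remediate switch is a constructed name for this script only.

```powershell
# Added example; not from the original topic. Run in the Exchange Management Shell
# on an Exchange 2007 server that has the Unified Messaging role installed.
# Audits UM dial plans: VoIPSecurity mode, associated UM servers, and whether the
# VoIP/SIP traffic for the plan is protected by MTLS ("Secured") or sent unencrypted.
# Assumptions: Get-UMServer exposes a DialPlans property that references each plan
# by name, and Set-UMDialPlan accepts -VoIPSecurity. -Remediate is a constructed switch.
param([switch]$Remediate)

$report = foreach ($plan in Get-UMDialPlan) {
    # UM servers whose DialPlans list references this plan (matched on the plan name).
    $servers = @(Get-UMServer |
        Where-Object { $_.DialPlans -match $plan.Name } |
        ForEach-Object { $_.Name })

    $plan | Select-Object Name, VoIPSecurity,
        @{ Name = 'UMServers'; Expression = { [string]::Join(', ', $servers) } },
        @{ Name = 'Encrypted'; Expression = { $_.VoIPSecurity -ne 'Unsecured' } }
}

$report | Format-Table Name, VoIPSecurity, UMServers, Encrypted -AutoSize

# Any plan still in Unsecured mode carries SIP signaling and media in the clear.
$exposed = @($report | Where-Object { -not $_.Encrypted })
if ($exposed.Count -gt 0) {
    Write-Warning ("{0} UM dial plan(s) are in Unsecured mode." -f $exposed.Count)
    if ($Remediate) {
        foreach ($row in $exposed) {
            # -WhatIf previews the change. Remove it only after the IP gateway trusts the
            # UM server certificate and vice versa; otherwise MTLS negotiation fails and
            # calls to that dial plan stop being answered.
            Set-UMDialPlan -Identity $row.Name -VoIPSecurity Secured -WhatIf
        }
    }
}
```

Run it with no arguments for a read-only report; add -Remediate to preview the Set-UMDialPlan change for each unsecured plan.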