Securing Unified Messaging Network Traffic
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-10-10
An important aspect of the overall network security for your organization is configuring security correctly for Microsoft Exchange Server 2010 Unified Messaging (UM) servers. Enabling Unified Messaging servers, IP gateways, and other servers running Exchange 2010 to communicate by using Transport Layer Security (TLS) or IP security (IPsec) increases the level of security for your whole network. The following information and links to security-related topics can help you increase the level of protection for your network.
Unified Messaging can communicate with IP gateways, IP Private Branch eXchanges (PBXs), and other Exchange 2010 computers in a secured or an unsecured mode, depending on how the UM dial plan is configured and whether the appropriate certificate trusts have been established between the IP gateways and Unified Messaging servers on your network. In Unsecured mode, the Voice over IP (VoIP) and Session Initiation Protocol (SIP) traffic isn't encrypted. However, the UM dial plans and the UM server associated with the UM dial plan can be configured using the VoIPSecurity parameter. The VoIPSecurity parameter configures the dial plan to encrypt the VoIP and SIP traffic with mutual Transport Layer Security (TLS) in SIP Secured or Secured mode.
There are several things you can do to help protect your UM servers and the network traffic that is sent between your IP gateways and UM servers and between your UM servers and other Exchange 2010 servers in your organization. To understand the components that must be used in your UM environment to help protect the network data sent and received by UM servers in your organization, you need to first understand how to do the following:
- Use IPsec to protect UM network data.
- Use TLS to protect UM network data.
- Use the different types of certificates used with Unified Messaging to implement TLS.
- Correctly configure UM servers and IP gateways to use TLS.
There are various components that must be configured to help enable the Unified Messaging server to communicate in a secure manner with other Exchange 2010 servers and IP gateways. The following components help secure the data that is passed over the network:
- IPsec: IPsec uses cryptography-based protection services, security protocols, and dynamic key management. It provides the strength and flexibility to help protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific types of traffic. For more information about the security options available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- TLS: After you've successfully imported and exported the required trusted certificates, an IP gateway will request a certificate from the UM server, and the UM server will then request a certificate from the IP gateway. Exchanging the trusted certificates between the IP gateway and the UM server helps secure the channel over which the IP gateway and UM server communicate by using TLS. For more information about the security options available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- Certificates: Digital certificates are electronic files that work like an online passport to verify the identity of a user or computer. They're used to create an encrypted channel that is used to help protect data. A certificate is basically a digital statement issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption. They can be issued by a trusted third-party CA, for example, using Certificate Services, or they can be self-signed. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- VoIP security: Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2010 computers in a secured or an unsecured mode depending on how the UM dial plan is configured. By default, UM dial plans communicate in an unsecured mode. You can use the Get-UMDialPlan cmdlet in the Exchange Management Shell to determine the security setting for a UM dial plan. For more information about how to enable VoIP security on a UM dial plan, see Configure VoIP Security on a UM Dial Plan.
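The following Exchange Management Shell script is an added example, not part of the original topic: it audits the VoIPSecurity setting of every UM dial plan and checks that each UM server has a non-expired certificate enabled for the UM service, then previews switching unsecured dial plans to mutual TLS. It assumes an Exchange 2010 Management Shell session with the Get-UMDialPlan, Get-UMServer, Get-ExchangeCertificate, and Set-UMDialPlan cmdlets available.

```powershell
# Added audit script (not from the original article). Assumes an Exchange 2010
# Management Shell session with at least view-only rights to UM objects.

# 1. Report the VoIP security mode of every UM dial plan.
foreach ($plan in Get-UMDialPlan) {
    $mode = $plan.VoIPSecurity
    if ($mode -eq 'Unsecured') {
        Write-Warning "Dial plan '$($plan.Name)' sends SIP and VoIP traffic in the clear (VoIPSecurity = Unsecured)."
    } else {
        Write-Output "Dial plan '$($plan.Name)': VoIPSecurity = $mode"
    }
}

# 2. For each UM server, confirm a non-expired certificate is enabled for the UM
#    service; without one, the mutual TLS exchange with the IP gateway cannot succeed.
foreach ($server in Get-UMServer) {
    $umCerts = Get-ExchangeCertificate -Server $server.Name |
        Where-Object { ($_.Services -match 'UM') -and ($_.NotAfter -gt (Get-Date)) }
    if (-not $umCerts) {
        Write-Warning "UM server '$($server.Name)' has no valid certificate enabled for the UM service."
    } else {
        foreach ($cert in $umCerts) {
            Write-Output ("UM server '{0}': certificate {1} ({2}) valid until {3:yyyy-MM-dd}" -f `
                $server.Name, $cert.Thumbprint, $cert.Subject, $cert.NotAfter)
        }
    }
}

# 3. Preview moving every unsecured dial plan to mutual TLS. -WhatIf only shows what
#    would change; remove it to apply. 'Secured' protects both SIP signaling and media,
#    'SIPSecured' protects SIP signaling only.
Get-UMDialPlan | Where-Object { $_.VoIPSecurity -eq 'Unsecured' } | ForEach-Object {
    Set-UMDialPlan -Identity $_.Identity -VoIPSecurity Secured -WhatIf
}
```

Step 3 changes only the dial plan; the IP gateway and UM server certificate trusts described above must already be in place before you drop the -WhatIf, or calls on that dial plan will fail.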