Managing Federated Partner Access

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Managing federated partner access requires the following:

  • Configuring Access for Federated Partners

  • Monitoring and Controlling Federated Partner Access

Configuring Access for Federated Partners

If you configured access for federated partners during deployment, you do not need to do so again unless you want to change the access method for Access Edge Servers of any or all of your federated partners.

Using Office Communications Server 2007, you can enable access by federated partners, including other organizations and audio conferencing providers (ACPs) who provide telephony integration for your organization. You can implement federation using the following methods:

  • Allow discovery of federation partners. This is the default option during initial configuration of an Access Edge Server because it balances security with ease of configuration and management. For instance, when you enable discovery of federated partners on your Access Edge Server, Office Communications Server 2007 automatically evaluates incoming traffic from discovered federation partners and limits or blocks that traffic based on trust level, amount of traffic, and administrator settings.

  • Do not allow discovery of federation partners and limit access of federated partners to only those listed on the Allow list. Connections with federated partners are allowed only if the federated partner domain and, optionally, the partner's Access Edge Server FQDN are listed in the Allow list. This method offers the highest level of security, but does not offer the ease of management and other features available with automatic discovery.

Note

To add an ACP, you must add both the domain and FQDN of the ACP to the Allow list. For information about how to configure support for an ACP, go to https://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=ACP.

You can also enable discovery of federation partners and add federated partners to the Allow list. Adding specific partners to the Allow list gives them a higher level of trust. Your Access Edge Server would then discover federated partners other than the ones listed on the Allow list.

If you did not specify the appropriate federation method during edge server deployment or you now want to change the federation method, you can use one of the following two procedures to enable the appropriate method:

  • To use discovery of Access Edge Servers, either with all federated partners or only for specific federated partner domains, use the first procedure in this section.

  • To disallow discovery, restricting federated partner access to specific federated domains and their specified Access Edge Servers, use the second procedure in this section.

To enable discovery of Access Edge Servers of federated partners

  1. On an Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.


  3. On the Access Methods tab, select the Federate with other domains check box and the Allow discovery of federation partners check box.

  4. To restrict DNS discovery of federated partners to Access Edge Servers in specific domains, on the Allow tab, click Add.

  5. In the Add Federated Partner dialog box, do the following:

    • In Federated partner domain name, type the name of the federated partner domain for which you want to enable DNS-based discovery of the Access Edge Server FQDN. This name should be unique and should not already exist in the Allow list for this Access Edge Server. The name cannot exceed 256 characters in length.

    • To provide the highest level of trust, type the name of each individual Access Edge Server in the Federated partner Access Edge Server box. If you add server names to the list, discovery is not limited to the names that you add, but the names that you add have a higher trust level than names that are not in the list.

  6. Repeat steps 4 and 5 for each federated partner you want to add to your Allow list.

To restrict federated partner access to specific Access Edge Servers

  1. On an Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, and then click Office Communications Server 2007.

  3. On the Access Methods tab, do the following:

    • Select the Federate with other domains check box.

    • Clear the Allow discovery of federation partners check box.


  4. On the Allow tab, click Add.


  5. In the Add Federated Partner dialog box, do the following:

    • In Federated partner domain name, type the name of the external SIP domain of the federated partner that you want to add to your Allow list. This name should be unique and should not already exist in the Allow list for this Access Edge Server. The name cannot exceed 256 characters in length.

    • In the Federated partner Access Edge Server box, type the FQDN of each Access Edge Server that you want to add to your Allow list.

  6. Repeat steps 4 and 5 for each federated partner you want to add to your Allow list.

Monitoring and Controlling Federated Partner Access

If you have configured support for federated partners, which might be one or more specific external organizations or an audio conferencing provider (ACP) providing telephony integration, you need to actively manage the external domains that can communicate with the servers in your organization. Office Communications Server 2007 provides mechanisms to facilitate tracking and control of federated domain connections, including the following:

  • Domains. You can view a list of the federated domains that have most recently made at least one connection to your Access Edge Server.

  • Usage. DNS-based discovery of Access Edge Servers is the recommended configuration for the Access Edge Server. This configuration can be used in conjunction with the Allow tab, on which you can configure allowed domains. For increased security, explicitly specify the FQDN of a federated partner's Access Edge Server. When a domain is configured in the Allow list, communications with this domain are assumed to be legitimate, and the Access Edge Server does not throttle connections for these domains. In the case of DNS-based discovery of federated domains that are not on the Allow tab, connections are not assumed to be legitimate, so the Access Edge Server actively monitors these connections and limits the allowed throughput. The Access Edge Server marks a connection for monitoring in one of two situations:

    • If suspicious traffic is detected on the connection. To detect suspicious activity, the server monitors the percentage of specific error messages on the connection. A high percentage can indicate attempted requests to invalid users. In this situation, the connection is placed on a watch list, and the administrator can choose to block this connection.

      If a federated party has sent requests to more than 1000 user URIs (valid or invalid) in the local domain, the connection is placed on the watch list. Any additional requests are then blocked by the Access Edge Server. A federated domain could exceed 1000 requests either because the federated party is attempting a directory attack on the local domains (in which case the administrator would want to block the connection), or because valid traffic between the local and federated domains exceeds the limit (in which case the administrator would probably not want the connection to be throttled and would probably want to add the domains associated with that connection to the Allow list).

An administrator can review lists and take appropriate action, which can be any of the following:

  • Leave the list as is.

  • If the domain is a federated partner that requires more than 1000 legitimate, active requests on a consistent basis, add the specific domain to the Allow list.

  • To permanently block the federated domain from connecting to your organization, add the name to the Block list and revoke the certification (move it to the revoked list) so that the TLS connection is automatically dropped upon initiation.
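The Allow list rules from the two configuration procedures above (unique names, a 256-character limit, an optional Access Edge Server FQDN that raises trust) and the monitoring behaviour just described (Allow-listed domains are not throttled; discovered domains are watch-listed on a high error ratio or on requests to more than 1000 local user URIs, after which further requests are blocked) can be modelled as a small decision function. The following is an added example written for this page, not code from Office Communications Server: the domain names, request counts and the 50% error-rate threshold are constructed assumptions (the page only says "a high percentage"), while the 1000-URI and 256-character limits are the values the page states.

```python
from dataclasses import dataclass

MAX_NAME_LEN = 256            # limit the page gives for Allow/Block list names
WATCH_LIST_URI_LIMIT = 1000   # page: requests to more than 1000 local user URIs
SUSPICIOUS_ERROR_RATE = 0.5   # ASSUMPTION: the page says only "a high percentage"


@dataclass
class AllowEntry:
    domain: str
    edge_servers: tuple = ()  # optional FQDNs; listing them raises the trust level


@dataclass
class Connection:
    """One federated connection as seen by the Access Edge Server (constructed)."""
    domain: str
    edge_fqdn: str
    uris_requested: int = 0   # distinct local user URIs the partner has sent requests to
    error_rate: float = 0.0   # share of responses that were the monitored error class


class FederationPolicy:
    """Allow list, Block list and the discovery switch from the Access Methods tab."""

    def __init__(self, allow_discovery=True):
        self.allow_discovery = allow_discovery
        self.allow = {}       # domain -> AllowEntry
        self.block = set()

    @staticmethod
    def _validate_name(name, existing, list_name):
        # Names must be non-empty, unique within the list and at most 256 characters.
        name = name.strip().lower()
        if not name or len(name) > MAX_NAME_LEN:
            raise ValueError(f"{list_name} list entry must be 1-{MAX_NAME_LEN} characters")
        if name in existing:
            raise ValueError(f"{name!r} already exists in the {list_name} list")
        return name

    def add_allowed(self, domain, edge_servers=()):
        domain = self._validate_name(domain, self.allow, "Allow")
        fqdns = tuple(self._validate_name(f, (), "Allow") for f in edge_servers)
        self.allow[domain] = AllowEntry(domain, fqdns)

    def add_blocked(self, domain):
        self.block.add(self._validate_name(domain, self.block, "Block"))

    def evaluate(self, conn):
        """Classify a connection: blocked, rejected, trusted, monitored, watch_list or throttled."""
        domain = conn.domain.lower()
        if domain in self.block:
            return "blocked"
        entry = self.allow.get(domain)
        edge_matches = entry is not None and (
            not entry.edge_servers or conn.edge_fqdn.lower() in entry.edge_servers)
        if edge_matches:
            return "trusted"      # Allow-listed: assumed legitimate, never throttled
        if not self.allow_discovery:
            return "rejected"     # discovery off: only listed domains/edge servers connect
        # Discovered partner (or a listed domain on an unlisted edge server): monitored.
        if conn.uris_requested > WATCH_LIST_URI_LIMIT:
            return "throttled"    # on the watch list; any further requests are blocked
        if conn.error_rate >= SUSPICIOUS_ERROR_RATE:
            return "watch_list"   # suspicious error ratio; administrator may block it
        return "monitored"


def recommended_action(decision, legitimate_partner):
    """The administrator choices the page lists for a watch-listed domain."""
    if decision not in ("watch_list", "throttled"):
        return "leave as is"
    return "add domain to Allow list" if legitimate_partner else "add domain to Block list"


if __name__ == "__main__":
    policy = FederationPolicy(allow_discovery=True)
    policy.add_allowed("acp.example", ["sip-edge.acp.example"])   # constructed ACP entry
    policy.add_blocked("spam.example")
    sample = [  # constructed connection records, not real traffic
        Connection("acp.example", "sip-edge.acp.example", 5000, 0.0),
        Connection("partner.example", "edge.partner.example", 40, 0.1),
        Connection("probe.example", "edge.probe.example", 200, 0.9),
        Connection("noisy.example", "edge.noisy.example", 1500, 0.05),
        Connection("spam.example", "edge.spam.example", 1, 0.0),
    ]
    for c in sample:
        print(f"{c.domain:18} {policy.evaluate(c)}")
```

Note that `acp.example` is classified as trusted despite 5000 URI requests, because an Allow-listed domain is never throttled; the same volume from an unlisted domain lands it on the watch list. Turning `allow_discovery` off makes the evaluator reject every domain that is not listed, and a listed domain whose connection arrives from an edge server other than the ones specified, which is the "highest level of security" configuration from the second procedure.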

Use the procedures in this section to monitor domains and the watch list and, if necessary, manage individual domain connections.

To view federated domain connections and usage

  1. On an Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, and then click Office Communications Server 2007.

  3. In the details pane, click the Open Federation tab.


  4. Expand Domains and review the listed connections, looking for any activity that is out of the ordinary or suspicious, and then determine if action is required for any domain.

  5. Expand Watch List and review the throttled connections, looking for any suspicious activity or domains that may require a higher level of trust, and then determine if action is required.

To add an external domain to the Allow list

  1. On an Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.

  3. On the Allow tab, click Add.

  4. In the Add Federated Partner dialog box, do the following:

    • In Federated partner domain name, type the FQDN of the external SIP domain of the federated partner that you want to add to the list. This name should be unique and should not already exist in the Allow list for this Access Edge Server. The name cannot exceed 256 characters in length.

    • If the federated partner does not publish its federation records for discovery or you want to establish a higher level of trust for the federated partner, in Federated partner Access Edge Server, type the FQDN of the Access Edge Server that the federated partner uses for external connectivity. The name cannot exceed 256 characters in length.

To block an external domain

  1. On an Access Edge Server, open Computer Management.

  2. In the console tree, expand Services and Applications, right-click Office Communications Server 2007, and then click Properties.


  3. On the Block tab, click Add.


  4. In the Add Blocked SIP Domains dialog box, in SIP domain, type the name of the domain to be added to the list of blocked SIP domains. This name should be unique and should not already exist in the Block list for this Access Edge Server. The name cannot exceed 256 characters in length.