When You Need an Access Edge Server

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

If you want to enable external or remote users to collaborate with any Office Communications Server users in your organization, you must deploy an Access Edge Server, in addition to any other edge servers and internal servers you might deploy.

The Access Edge Server provides the core functionality for collaboration between your internal users and users outside your internal network who are using Communicator or the Live Meeting 2007 client. The Access Edge Server provides a single, trusted connection point for both outbound and inbound Session Initiation Protocol (SIP) traffic.

Like the Live Communications Server 2005 Access Proxy, the Office Communications Server 2007 Access Edge Server enables the following capabilities:

  • Federation. Internal users can communicate with external users of a federated organization by using IM or conferencing.

  • Remote user access. Remote or roaming users of your organization can access servers running Office Communications Server from outside your intranet.

  • Public IM connectivity. Employees can use IM to communicate with users of instant messaging services that are provided by the MSN® network of Internet services, Yahoo!®, and AOL®. Public IM connectivity requires a separate license.

Available Federation Methods

Using Office Communications Server 2007 to enable access by federated partners, you can implement federation using the following methods:

  • Allow discovery of federation partners. This is the default option during initial configuration of an Access Edge Server because it balances security with ease of configuration and management. For instance, when you enable discovery of federated partners on your Access Edge Server, Office Communications Server 2007 automatically evaluates incoming traffic from discovered federation partners. If any federated partner sends requests to more than 1000 URIs (valid or invalid) in the local domain, the connection is first placed on the watch list. Any additional requests are then blocked by the Access Edge Server, unless this domain has been configured on the Allow tab of the Access Edge Server.

  • Do not allow discovery of federation partners and limit access of federated partners to only those listed on the Allow list. Connections with federated partners are allowed only if the federated partner domain and, optionally, the partner's Access Edge Server FQDN are listed in the Allow list. This method offers the highest level of security, but does not offer the ease of management and other features available with automatic discovery.

The following applies if you enable discovery of federation partners AND add federated partners to the Allow tab on the Access Edge Server properties. When a domain is configured on the Allow list, communications with this domain are assumed to be legitimate. The Access Edge Server does not throttle connections for these domains. In case of DNS-based discovery of federated domains that are not on the Allow tab, connections are not assumed to be legitimate, so the Access Edge Server actively monitors these connections and limits the allowed throughput.

Security Monitoring

As explained earlier, Office Communications Server 2007 cannot guarantee the identity of external conference participants in Web conferences or IM conferences. The edge server relies on the connecting SIP server to send the legitimate SIP URI of the user. However, Office Communications Server provides some monitoring capabilities for federated communications.

If you have configured support for federated partners, which might be one or more specific external organizations or an audio conferencing provider (ACP) providing telephony integration, you can monitor the external domains that can communicate with the servers in your organization using the Open Federation tab on the details pane in Computer Management on an Access Edge Server. Office Communications Server 2007 provides mechanisms to facilitate tracking and control of federated domain connections, including the following:

  • Domains. You can view a list of the federated domains that have most recently made at least one connection to your Access Edge Server.

  • Usage. DNS-based discovery of Access Edge Servers is the recommended configuration for the Access Edge Server. This configuration can be used in conjunction with the Allow tab, on which you can configure allowed domains and, for heightened security, explicitly specify the FQDN of a federated partner's Access Edge Server. When a domain is configured on the Allow list, communications with this domain are assumed to be legitimate. The Access Edge Server does not throttle connections for these domains. In case of DNS-based discovery of federated domains that are not on the Allow tab, connections are not assumed to be legitimate, so the Access Edge Server actively monitors these connections and limits the allowed throughput. The Access Edge Server marks a connection for monitoring in one of two situations:

    • If suspicious traffic is detected on the connection. To detect suspicious activity, the server monitors the percentage of specific error messages on the connection. A high percentage can indicate attempted requests to invalid users. In this situation, the connection is placed on a watch list, and the administrator can choose to block this connection.

    • If a federated party has sent requests to more than 1000 URIs (valid or invalid) in the local domain, the connection is first placed on the watch list. Any additional requests are then blocked by the Access Edge Server. Two possible situations can cause a federated domain to exceed 1000 requests:

      The federated party is attempting a directory attack on the local domains. In this case the administrator would want to block the connection.

      Valid traffic between the local and federated domains exceeds 1000 requests. In this situation, the administrator would probably not want the connection to be throttled. In this case, the administrator would probably want to add the domains associated with that connection to the Allow list.

An administrator can review lists and take appropriate action, which can be any of the following:

  • Leave the list as is.

  • If the domain is a federated partner that requires more than 1000 legitimate, active requests on a consistent basis, add the specific domain to the Allow list.

  • To permanently block the federated domain from connecting to your organization, add the name to the Block list and revoke the certificate (move it to the revoked list) so that the TLS connection is automatically dropped upon initiation.
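The watch-list, Allow-list and Block-list behaviour described in this section, modelled as detection logic run over constructed log lines. This is an added example, not code from Office Communications Server or from Microsoft's documentation. The 1000-URI threshold comes from the page; the 50 percent error ratio, the 20-request minimum sample, the choice of SIP 404 and 484 as the "invalid user" responses, and the log-line format are assumptions made for the example.

```python
"""Model of Access Edge Server federated-connection monitoring.

Per federated domain: count distinct local URIs requested and the share of
error responses; place the domain on the watch list once it exceeds 1000 URIs
(and block its further requests) or once its error ratio is high (watch only,
the administrator decides); never throttle Allow-listed domains; reject
Block-listed domains outright.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

URI_LIMIT = 1000                 # from the page: more than 1000 URIs in the local domain
ERROR_RATIO = 0.5                # assumption: the page gives no figure for "high percentage"
MIN_SAMPLE = 20                  # assumption: do not judge a ratio on a handful of requests
INVALID_USER_CODES = {404, 484}  # assumption: 404 Not Found / 484 Address Incomplete


@dataclass
class DomainStats:
    uris: set = field(default_factory=set)
    requests: int = 0
    errors: int = 0


class FederationMonitor:
    """Tracks one federated domain at a time and applies the Allow/Block/watch rules."""

    def __init__(self, allow=(), block=()):
        self.allow = {d.lower() for d in allow}
        self.block = {d.lower() for d in block}
        self.stats = defaultdict(DomainStats)
        self.watch = {}  # domain -> "uri-limit" or "error-ratio"

    def _record(self, domain, target_uri, status):
        s = self.stats[domain]
        s.requests += 1
        s.uris.add(target_uri.lower())
        if status in INVALID_USER_CODES:
            s.errors += 1
        return s

    def handle(self, domain, target_uri, status):
        """Return 'accepted', 'blocked' or 'rejected' for one inbound request."""
        domain = domain.lower()
        if domain in self.block:
            return "rejected"                   # Block list: connection is dropped
        if domain in self.allow:
            self._record(domain, target_uri, status)
            return "accepted"                   # Allow list: legitimate, never throttled
        if self.watch.get(domain) == "uri-limit":
            return "blocked"                    # over the URI limit: further requests blocked
        s = self._record(domain, target_uri, status)
        if len(s.uris) > URI_LIMIT:
            self.watch[domain] = "uri-limit"    # this request goes through, the next is blocked
        elif (domain not in self.watch and s.requests >= MIN_SAMPLE
              and s.errors / s.requests >= ERROR_RATIO):
            self.watch[domain] = "error-ratio"  # suspicious: watch list, admin chooses
        return "accepted"

    def allow_domain(self, domain):
        """Administrator action: add to the Allow list and clear any watch entry."""
        self.allow.add(domain.lower())
        self.watch.pop(domain.lower(), None)

    def block_domain(self, domain):
        """Administrator action: add to the Block list and clear any watch entry."""
        self.block.add(domain.lower())
        self.watch.pop(domain.lower(), None)


def parse_line(line):
    """Parse a constructed log line: '<federated-domain> <target-sip-uri> <sip-status>'."""
    domain, uri, status = line.split()
    return domain, uri, int(status)


def run(lines, allow=(), block=()):
    """Feed log lines through the monitor; return it plus a count of outcomes."""
    mon = FederationMonitor(allow, block)
    outcomes = Counter(mon.handle(*parse_line(line)) for line in lines)
    return mon, outcomes


def sample_log():
    """Constructed traffic, not captured from a real server."""
    lines = [f"contoso.example sip:user{i}@local.example 200" for i in range(1005)]
    lines += [f"fabrikam.example sip:user{i}@local.example 200" for i in range(1200)]
    lines += [f"probe.example sip:guess{i}@local.example {404 if i < 30 else 200}"
              for i in range(40)]
    lines += ["blocked.example sip:ceo@local.example 200"] * 3
    return lines


if __name__ == "__main__":
    monitor, result = run(sample_log(), allow=["fabrikam.example"], block=["blocked.example"])
    print(dict(result))      # {'accepted': 2241, 'blocked': 4, 'rejected': 3}
    print(monitor.watch)     # contoso.example over the URI limit, probe.example by error ratio
```

In the sample, contoso.example is accepted up to the request that crosses 1000 distinct URIs and blocked afterwards, fabrikam.example sends more URIs but is on the Allow list and is never throttled, and probe.example lands on the watch list for its invalid-user ratio but keeps being accepted until an administrator calls `block_domain`.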

See the Introduction to Microsoft Office Communications Server 2007 Administration Guide for specific details.