Addressing Threats to Enterprise Voice for Lync Server 2010
Topic Last Modified: 2012-10-18
Enterprise Voice is the software-based VoIP solution available in Microsoft Lync Server 2010. Enterprise Voice uses VoIP both for internal calls and for connecting to traditional telephone networks. Because internal VoIP calls, like IM, are all encrypted, security concerns that are specific to VoIP focus on the transfer of calls to and from the unencrypted public switched telephone network (PSTN).
Enterprise Voice requires two devices to provide VoIP connectivity with the PSTN:
A device with connectivity to the PSTN, such as an IP PBX, a media gateway, or a Session Border Controller at a service provider.
A Lync Server 2010 server role, the Mediation Server, that can translate SIP over TCP to SIP over TLS for internal routing, if necessary.
If you choose to configure the link between a media gateway and the Mediation Server for TCP, that link becomes a potential security loophole because the signaling is unencrypted. Nevertheless, some currently available devices with connectivity to the PSTN do not support MTLS, so a TCP connection to the Mediation Server may be required until you are able to upgrade your device. The recommended mitigation for this potential security issue is to deploy the Mediation Server in its own subnet by installing two network interface cards, each with a separate IP address in a separate subnet with a separate port setting. One card serves as the Mediation Server’s internal edge, listening for TLS traffic from internal servers. The second card acts as the Mediation Server’s external edge, listening for TCP traffic from the media gateway. Using two dedicated listening addresses ensures clear separation between trusted traffic originating in the Lync Server 2010 network and untrusted traffic from the PSTN. For details about the necessity for two dedicated, non-routed subnets, see "Communications Server Mediation Server: Dual NIC Issue" at http://go.microsoft.com/fwlink/p/?LinkId=214403
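The dual-NIC layout described above can be checked against a planned or documented configuration before deployment. The following audit script is an added example, not Microsoft or Lync Server code; the Listener type, the audit_mediation_listeners function, and all addresses and ports are hypothetical, constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Listener:            # hypothetical record of one Mediation Server edge
    name: str              # "internal" or "external"
    interface: str         # address/prefix bound to the NIC, e.g. "10.0.1.10/24"
    port: int
    transport: str         # "TLS" or "TCP"

def audit_mediation_listeners(internal, external, gateway_ip, internal_peers):
    """Return a list of findings; an empty list means the layout matches the guidance."""
    findings = []
    int_if = ipaddress.ip_interface(internal.interface)
    ext_if = ipaddress.ip_interface(external.interface)
    gw = ipaddress.ip_address(gateway_ip)

    if int_if.ip == ext_if.ip:
        findings.append("both edges share one IP address")
    if int_if.network.overlaps(ext_if.network):
        findings.append("internal and external subnets overlap")
    if internal.port == external.port:
        findings.append("both edges use the same port")
    if internal.transport.upper() != "TLS":
        findings.append("internal edge does not use TLS")
    # Unencrypted signaling must never share a subnet with the trusted side.
    if external.transport.upper() == "TCP" and gw in int_if.network:
        findings.append("unencrypted gateway sits in the internal subnet")
    if gw not in ext_if.network:
        findings.append("gateway is not in the external edge subnet")
    for peer in internal_peers:
        if ipaddress.ip_address(peer) in ext_if.network:
            findings.append(f"internal server {peer} sits in the external subnet")
    return findings

# Constructed sample configurations (not taken from any real deployment).
GOOD = (Listener("internal", "10.0.1.10/24", 5061, "TLS"),
        Listener("external", "10.0.2.10/24", 5068, "TCP"))
# Misconfigured: /16 mask swallows the gateway subnet, shared port, no TLS.
BAD = (Listener("internal", "10.0.1.10/16", 5068, "TCP"),
       Listener("external", "10.0.2.10/24", 5068, "TCP"))

if __name__ == "__main__":
    for label, (inner, outer) in (("good", GOOD), ("bad", BAD)):
        print(label, audit_mediation_listeners(inner, outer, "10.0.2.20", ["10.0.1.5"]))
```

The BAD case shows how an overly broad subnet mask on the internal NIC silently defeats the separation even though the two cards have different IP addresses.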