Public IM Connectivity Scenarios

Office Communications Server 2007 R2 provides the means to communicate with users on the public IM services that are operated by AOL, Yahoo!, and MSN. After the connection is established, users can exchange contacts and presence information and communicate in real time across these networks. However, file transfers, games, formatted text, multimedia, and conferencing are not available between Office Communications users and users on the public IM networks.

Enterprises that want to use public IM connectivity for their infrastructure need to:

  • Obtain licensing for public IM connectivity, in addition to the license for Office Communications Server 2007 R2 and the Office Communications client.

  • Register and provision your organization's SIP domains for public IM connectivity by using the Microsoft Web site that is dedicated to managing registration and provisioning for public IM connectivity.

The license purchased includes all three IM providers (MSN, Yahoo!, and AOL). However, the administrator controls whether users have access to one, two, or all three of the providers.

By default, none of the three providers is accessible. Enabling access is a two-step process: first, provision the providers for your enterprise; then enable your users for one, two, or all three providers by configuring the options under Federation in the Office Communications Server management tool. To add or remove a provider at a later time, run the provisioning process again.

As in other federation scenarios, users in your organization can add users of the public IM networks to their Allow and Block lists in the Office Communicator client. To add a public IM user as a contact in Office Communicator, users do the following:

  1. Open Office Communicator.

  2. Select the drop-down list in the upper left of Office Communicator.

  3. Select Tools and then Add A Contact.

  4. Select either Use An Email Address Or Sign-In Address or Search For A Contact.

  5. Fill in the required e-mail or contact information, or select from Search for the contact you need to add.

The following three scenarios are possible:

  • An external user of one of the public IM networks who is added to an Allow list can exchange IM with and see presence information for the owner of the list.

  • An external public IM user who is not on either an Allow list or a Block list can exchange IM and presence information with an internal user, but the internal user can block all such requests.

  • An external public IM user who is added to a Block list can neither exchange IM with, nor see presence information for, the owner of the list.

Administrators have full control over who in their organization is authorized for public IM connectivity. After authorization, a user can communicate with all public IM service providers that are enabled for the organization. If MSN and Yahoo! are both enabled, you cannot prevent a user from using MSN and allow only Yahoo! to be used.

Administrators can authorize public IM connectivity for individual users or for groups and can change these authorizations as needed. Administrators can exercise additional control over unsolicited commercial IM or spam over IM (SPIM) by configuring message filters that restrict access from unverified users. For more information about message filtering, see the section titled "Security Considerations" later in this chapter or the section titled "Configuring Intelligent IM Filtering" in the Office Communications Server 2007 R2 Administration Guide, found at http://go.microsoft.com/fwlink/?LinkId=137125.

Note

Intelligent message filtering is a feature of the IM process that can be configured to look for file attachments and hyperlinks. It enables you to block all URLs, allow only local URLs, warn the user that the IM might not be safe, or convert the URLs to plain text. You can also specify URL prefixes that you want to block (for example, ftp: or gopher:).

You can enable all file transfers, block all file transfers, or block only file transfers whose extensions you specify. If you choose the last option, you must enter the list of file extensions to block.

IM traffic between an organization and a public IM service provider uses an encrypted mutual transport layer security (MTLS) connection. To connect to MSN, AOL, and Yahoo!, the organization must use a certificate from a public certification authority (CA) that appears in the list of trusted CAs in Microsoft Windows Server 2003.

As shown in Figure 8-1, corporate IM users typically connect to the home server by using Office Communicator as a client. External IM users connect to the Access Edge Server through perimeter firewalls.

Figure 8-1. Public IM connectivity topology

Configuring Public IM Connectivity

The following are some items to take into account before implementing public IM connectivity in your enterprise.

  • Acquiring a certificate. Public IM connectivity requires mutual transport layer security (MTLS), using a certificate obtained from a public certification authority. For AOL, the certificate must carry both the Client Authentication and the Server Authentication Enhanced Key Usage (EKU) values. Chapter 4 explains certificates, their types, and how to acquire them. Refer to that chapter for information about what is necessary to obtain the proper certificate types for your requirements.

  • Acquiring service licenses. Before completing the provisioning form and initiating the request to connect with the public IM service providers, you must purchase service licenses. You cannot complete the provisioning process without first buying the service licenses.

  • Enabling connections to public IM service providers. Each IM service provider with which you want to federate must be enabled and configured on the Access Edge Server. For more information, see the section titled "Enabling Federation with Public IM Service Providers" later in this chapter.

  • Authorizing users for public IM connectivity. You can authorize all your enterprise users, certain groups of users, or particular individuals. Users who are not authorized for public IM connectivity can be authorized for other types of federation and remote user access.

  • Submitting a PROVISIONING request. Your organization and the public IM service provider must exchange network connectivity information to activate federation for IM connectivity to the external provider sites. To perform this exchange, sign in to the Microsoft Volume License Services (MVLS) management site at http://go.microsoft.com/fwlink/?LinkID=133691 and then select Online Offerings. Completing and submitting the Web form initiates a PROVISIONING request. It may take up to 30 days to process the request, because Microsoft and each of the providers have work to complete before the request is fulfilled.

  • Configuring DNS. If you configure a public provider as described in the section titled "Enabling Federation with Public IM Service Providers" later in this chapter, your partners must publish a Domain Name System (DNS) service (SRV) record so that you can locate them as allowed partners or discovered partners. For information about the other federation scenarios, see Chapter 7.

Enabling Federation with Public IM Service Providers

Chapter 7 defines how federation works in Office Communications Server 2007 R2. Public IM connectivity is a special case of federation. For specifics on federation, please refer to Chapter 7. This section only defines the specifics of how to configure public IM connectivity and does not go into any detail of federation, which is required for public IM connectivity.

Enabling federation with the public IM service providers requires completion of the steps outlined in this section.

Step 1: Provision Federation with the Public IM Service Providers

Your organization and the public IM service provider must exchange network information to activate the federation that will result in public IM connectivity. This is done by using the provisioning site discussed in the section titled "Configuring Public IM Connectivity" earlier in this chapter.

Note

Before you complete the provisioning form and initiate the request to connect with the public IM service providers, you must purchase service licenses for Office Communications connectivity and install Office Communications Server according to the terms and conditions of your Microsoft Volume Licensing agreement. If you do not first purchase the appropriate licenses, the provisioning process cannot be completed.

Step 2: Configure DNS for the Access Edge Server

If you enable enhanced federation or configure a public or private provider in the IM service providers table, you must configure the correct DNS Host (A) record and Service (SRV) record to allow external parties to locate and identify your Access Edge Server.

Step 3: Obtain a Public Certificate

Public IM connectivity requires MTLS using a certificate that carries the Server Authentication EKU (and, for AOL, the Client Authentication EKU as well) and that is obtained from a public certification authority. For more information, see Chapter 4.

Step 4: Configure the Access Edge Server for Federation

Public IM connectivity requires federation to be enabled on the Edge Server. For more information on configuring federation in your environment, see Chapter 7.

Step 5: Enable Connections to Public IM Service Providers

Each IM service provider with whom you want to federate must be enabled and configured on the Access Edge Server. If you do not enable and configure a provider, users will not have access to this provider. As mentioned earlier, public IM is a special case of federation and should be treated like a federated partner. More information is contained in the section titled "Enabling Connections to Public IM Service Providers" later in this chapter.

Step 6: Authorize Users for Public IM Connectivity

You can authorize all your internal users, certain groups of users, or particular individuals. Users who are not authorized for public IM connectivity can be authorized for other types of federation and remote access. Remote access and federation are discussed in Chapter 7. For specific public IM connectivity user configuration, see the section titled "Authorizing Users for Public IM Connectivity" later in this chapter.

Provisioning Federation with the Public IM Service Providers

The first step in enabling public IM connectivity is to initiate provisioning with one or more of the public IM service providers (MSN, AOL, and Yahoo!). You must first purchase the required number of separate service licenses for public IM connectivity. Then, to prepare and initiate PROVISIONING, complete the Web form at http://go.microsoft.com/fwlink/?LinkID=133691.

The following information is required to complete the form:

  • The Master Agreement Number, which identifies your organization’s Microsoft Business Agreement and establishes the general terms and conditions of its relationship with Microsoft. Contact your software benefits administrator for this information.

  • The Enrollment Agreement Number, which identifies your company’s purchase of licenses for public IM connectivity. Contact your software benefits administrator for this information.

  • The names of your organization’s Session Initiation Protocol (SIP) domains.

  • The fully qualified domain name (FQDN) of your organization’s Access Edge Server.

  • The network administrator’s contact information.

  • The names of the public IM service providers with which you want to federate.

Microsoft will send you an e-mail message confirming that it has received your provisioning information and is in the process of validating the request. Upon validation, Microsoft will send you a second e-mail message verifying that your information has been forwarded to the appropriate public IM service providers and providing an estimate of how long the process is likely to take. If the PROVISIONING request is not validated, you will receive an e-mail message explaining how to resolve the issues.

After validating your Edge Server and SIP domains, Microsoft will forward the information to the public IM service providers with which you want to connect. The public IM service providers will then provision their routing tables to direct instant messages targeting your SIP domains to the Access Edge Server specified in the form. After provisioning is complete, each public IM service provider informs Microsoft, which sends you a final e-mail message confirming that the process is complete. After you receive this final message, you can establish a connection from your Access Edge Server to the public IM service providers to which you want to connect.

After you provision federation with one or more public IM service providers, the next step is to configure the external interface of your Edge Server for MTLS. This step requires obtaining the necessary certificate from a public certification authority.

Note

A certificate from a public certification authority is mandatory. The certificate must be trusted by the public IM providers. The public IM providers have root certificates from all major commercial public certification authorities and will not recognize a certificate issued by your internal public key infrastructure (PKI).

The final step is to test and confirm connectivity with each of the providers and then provide detailed instructions to your end users about how to connect with external users at each of the public IM providers.

Caution

Provisioning is complex and involves routing changes to the networks of Microsoft’s partners. As a result, provisioning is optimized to work as a single-threaded process. If you want to change provisioning data—specifically, Access Edge Server, your FQDN, SIP domains, and the partners to which you want to connect—you must wait until the PROVISIONING request is complete before you submit the changes.

If you want to change provisioning data after provisioning has been completed, you need to enter data for all of your existing providers, as well as for any new ones that you want to add. For this reason, please print and save the Thank You page that is displayed upon successful submission of your data. This page has the tracking number and a copy of the data that you submitted, which will make your CHANGE request much simpler and reduce the time required and the potential for mistakes.

Enabling Connections to Public IM Service Providers

IM service providers typically, though not necessarily, host multiple SIP domains. Before Office Communications Server, federating with an organization’s multiple domains required that you enter each domain explicitly in the direct partner table. The following two mechanisms in Office Communications Server simplify federating with organizations that host multiple domains:

  • The IM service providers table, which requires you to specify an Edge Server but not every domain that it might serve

  • The hosting of multiple domains by including multiple FQDNs in a certificate on the Access Edge Server

Note

Public IM connectivity enables users in your organization to use IM to communicate with users of instant messaging services that are provided by public IM service providers, including MSN, Yahoo!, and AOL. Use the IM Provider tab in the Office Communications Server 2007 R2 Properties dialog box, found in the Services and Applications node in Computer Management on the Access Edge Server, to control the IM service providers that are allowed to federate with your organization. You can add or remove an IM service provider, as well as change other settings for any IM service provider (including temporarily blocking the IM service provider). For more information about configuring IM providers, see the section titled "Configuring IM Provider Support on Edge Servers" in the Office Communications Server 2007 R2 Administration Guide, found at http://go.microsoft.com/fwlink/?LinkId=137126.

Important

You cannot configure any routing method that requires DNS SRV. If your Edge Server is configured with a default route, or if you want to configure it with a default route, you must first remove the three public IM service providers that populated the IM service providers table when you installed Office Communications Server.

Considerations Involving Public IM Providers

Basic IM and presence work with all public IM providers. Note the following exceptions:

  • When an Office Communications Server user sets his presence to Do Not Disturb in Office Communicator, users on the Yahoo! public IM network can still send instant messages, with no indication that the Office Communications Server user does not see the messages.

  • The public IM networks do not support group IM. As a result, users hosted on the public IM networks (MSN, AOL, and Yahoo!) cannot join IM conferences hosted by Office Communications Server.

Administrators also need to consider how to handle existing accounts on provider networks, public IM connectivity capacity questions, and security issues. These issues are discussed in the following sections of this chapter.

Existing Accounts on Provider Networks

Users who already have accounts on a provider network will receive an e-mail message notifying them that, to continue using IM, they must change their e-mail address. Users who do not have IM accounts on a public provider will receive new e-mail accounts. Users' existing public IM contact lists and e-mail messages are transferred to the new sign-in ID and e-mail address, and their IM and e-mail contacts are updated with the new sign-in ID. The message provides a link to a Web page for help with making the change.

Table 8-1 provides examples of how AOL and Yahoo! screen names are added to contact lists of Office Communications Server users.

Table 8-1. Adding AOL and Yahoo! Screen Names to Contact Lists

  Example: An Office Communications Server user wants to add AOL user [email protected] to the Office Communicator client's contact list.
  User name to add to the Office Communications Server contact list: [email protected]

  Example: An Office Communications Server user wants to add AOL user kim970 to the Office Communicator client's contact list.
  User name to add to the Office Communications Server contact list: [email protected]

  Example: An Office Communications Server user wants to add Yahoo! user [email protected] to the Office Communicator client's contact list.
  User name to add to the Office Communications Server contact list: [email protected]

Capacity Planning Considerations

Public IM capacity in Office Communications Server is bounded by the bandwidth of the organization's Internet connection: a T-1 link to the public providers supports more IM traffic than a 256-Kbps link. SIP, when used for IM, is capable of supporting large numbers of users. For information about capacity planning, see Chapter 14.

Security Considerations

The main security issue with public IM is controlling spam over instant messaging (SPIM): unsolicited junk messages, the IM equivalent of e-mail spam, that arrive in a user's IM conversations. Two mechanisms help control SPIM: limiting public contacts and limiting message content.

Note

All SIP traffic must be carried over the Transport Layer Security (TLS) protocol. Internet Protocol (IP) security (IPsec) is not supported. User Datagram Protocol (UDP) is not supported. Compression is done only by TLS negotiation (RFC 2246).

Controlling SPIM by Limiting Public Contacts

You can limit contacts at three points, as explained in this section:

  • When you enable users for public IM connectivity

  • When you enable IM service providers

  • When enabling users that are on a recipient’s contact list

Note

SPIM can come from sources that users do not recognize because of the nefarious ways that valid contacts are gathered (for example, stealing contact lists from users and providers, or monitoring unsecured channels of communication).

Limiting SPIM when you Enable Users in Active Directory Users and Computers

To limit the potential for SPIM, enable individual users for public IM connectivity by using Active Directory Users and Computers as follows.

  1. Log on to an Enterprise Edition Server, a Standard Edition Server, or a server that is a member of an Active Directory domain and has the Office Communications Server administration tools installed, as a member of the Domain Admins group or the RTCUniversalServerAdmins group.

  2. Click Start, click All Programs, click Administrative Tools, and then click Active Directory Users And Computers.

  3. In the console tree, expand the Users container or the organizational unit (OU) that contains the user account for which you want to enable federation, public IM connectivity, or remote user access.

  4. Right-click the user account name and then click Properties.

  5. On the Communications tab, click the Configure button next to Additional Options.

  6. In User Options, under Federation, do the following:

    1. To enable the user account for federation, select the Enable Federation check box.

    2. To enable the user account for public IM connectivity, select the Enable Public IM Connectivity check box.

    3. To enable the user account for remote access, select the Enable Remote User Access check box.

  7. Click OK twice.

Limiting SPIM when You Enable IM Service Providers

To limit SPIM when configuring IM provider support on an Access Edge Server, use the Access Edge Server Properties dialog box, as follows.

  1. On the Access Edge Server, open Computer Management.

  2. In the console tree, expand Services And Applications, right-click Office Communications Server 2007 R2, and then click Properties. (See Figure 8-3.)

    Figure 8-3. IM Provider tab

  3. To view or edit the settings for an IM service provider, do the following:

    1. On the IM Provider tab of the Microsoft Office Communications Server 2007 R2 Properties dialog box, click the name of the IM service provider, and then click Edit.

    2. In the Edit IM Service Provider dialog box, view or change settings as appropriate and then click OK.

  4. To temporarily block an IM service provider in the list, disable support for it as follows.

    1. Click the name of the IM service provider and then click Edit.

    2. In the Edit IM Service Provider dialog box, clear the Allow This IM Service Provider check box and then click OK.

    This blocks the IM service provider until you later select the check box, but it does not delete the configuration information. Temporarily blocking a service provider prevents having to repeat the provisioning steps.

  5. To permanently remove an IM service provider from the list, click the name of the provider and then click Remove.

    If you later want to add the IM service provider again, you must use the procedure described in the section titled "Provisioning Federation with the Public IM Service Providers" earlier in the chapter to add the provider and specify all settings.

  6. To add an IM provider, click Add.

  7. In the Add IM Service Provider dialog box, specify the appropriate options shown in Figure 8-4. Then click OK.

Figure 8-4. Add IM Service Provider dialog box

Limiting SPIM when Enabling Users that are on a Recipient’s Contact List

To limit SPIM when enabling users that are on a recipient's contact list, use the Add IM Service Provider dialog box to permit IM traffic only from users who appear on the recipient's contact list, as shown in Figure 8-4, as follows.

  1. On the Access Edge Server, click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

  2. If necessary, expand Services And Applications.

  3. Right-click Microsoft Office Communications Server 2007 R2 and then click Properties.

  4. On the IM Provider tab, click Add.

  5. In the Add IM Service Provider dialog box, select the Allow This IM Service Provider check box to enable the new provider.

  6. In the IM Service Provider Name text box, type the name of the IM service provider. This name will appear in the Provider column of the IM service providers, as in Figure 8-3.

  7. In the Network Address Of The IM Service Provider Access Edge text box, type the FQDN of the provider’s Access Edge Server.

  8. Select the This Is A Public IM Service Provider check box only if the provider is MSN, AOL, or Yahoo!

  9. Select an option for filtering incoming communications. To limit IM to users on contact lists, select the option Allow Communications Only From Users On Recipient’s Contact List.

  10. Click OK.

  11. To continue, click OK again or Apply.
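The controls in this section act at different layers: the IM Provider entry on the Access Edge Server, the user's Enable Public IM Connectivity setting, and the user's own Allow and Block lists in Office Communicator. The following Python model is added here as an illustration; it is not code from Office Communications Server. It shows how those layers combine for a single inbound public IM. The provider-to-domain mapping, the evaluation order (edge settings first, then the user's administrative settings, then the user's own lists), and the reason strings are assumptions made for the example.

```python
"""Model of the layered controls that decide whether an instant message from a
public IM user reaches an Office Communications Server user.

Added example, not product code. The evaluation order (provider entry on the
Access Edge Server, then the user's Enable Public IM Connectivity setting, then
the user's own Allow and Block lists) and the provider/domain mapping below are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class ProviderConfig:
    allowed: bool = True             # "Allow This IM Service Provider"
    contact_list_only: bool = False  # "Allow Communications Only From Users On Recipient's Contact List"


@dataclass
class UserConfig:
    public_im_enabled: bool = False  # "Enable Public IM Connectivity" in User Options
    # Addresses are compared case-insensitively; store them in lower case.
    contacts: Set[str] = field(default_factory=set)
    allow_list: Set[str] = field(default_factory=set)
    block_list: Set[str] = field(default_factory=set)


# Assumed mapping from a sender's SIP domain to the provider entry that covers it.
PROVIDER_DOMAINS: Dict[str, str] = {
    "hotmail.com": "MSN",
    "aol.com": "AOL",
    "yahoo.com": "Yahoo!",
}


def provider_for(sender: str) -> Optional[str]:
    """Return the provider name for a sender URI such as 'someone@aol.com'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return PROVIDER_DOMAINS.get(domain)


def admit_public_im(sender: str, recipient: UserConfig,
                    providers: Dict[str, ProviderConfig]) -> str:
    """Decide whether an inbound public IM is delivered.

    Returns "deliver" or a "reject: <reason>" string naming the control that
    stopped the message, so the effect of each layer can be seen on its own.
    """
    sender = sender.lower()
    name = provider_for(sender)
    if name is None or name not in providers:
        return "reject: sender is not on a provisioned IM service provider"
    provider = providers[name]
    if not provider.allowed:
        return "reject: provider %s is blocked on the Access Edge Server" % name
    if not recipient.public_im_enabled:
        return "reject: recipient is not enabled for public IM connectivity"
    if provider.contact_list_only and sender not in recipient.contacts:
        return "reject: sender is not on the recipient's contact list"
    if sender in recipient.block_list:
        return "reject: sender is on the recipient's Block list"
    # Senders on the Allow list, and unknown senders the user has not blocked,
    # both get through; the second case is the one the user can block later.
    return "deliver"


if __name__ == "__main__":
    edge = {"MSN": ProviderConfig(),
            "AOL": ProviderConfig(contact_list_only=True),
            "Yahoo!": ProviderConfig(allowed=False)}
    user = UserConfig(public_im_enabled=True, contacts={"kim970@aol.com"},
                      allow_list={"kim970@aol.com"}, block_list={"spammer@hotmail.com"})
    for who in ("kim970@aol.com", "stranger@aol.com", "spammer@hotmail.com", "anyone@yahoo.com"):
        print(who, "->", admit_public_im(who, user, edge))
```

A provider that is blocked on the Access Edge Server stops traffic before any per-user setting is consulted, so a user's Allow list cannot reopen a provider the administrator has disabled; the Block list is the only control in this model that the user, rather than the administrator, owns.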

Controlling SPIM by Limiting Message Content

You can use the Intelligent IM Filter application to protect your Office Communications Server 2007 R2 deployment against harmful instant messages from unknown endpoints outside the corporate firewall. The Intelligent IM Filter provides the following filtering features:

  • Enhanced URL filtering

  • Enhanced file transfer filtering

To configure URL filtering, do the following.

  1. On the Access Edge Server, open Computer Management.

  2. In the console tree, expand Services And Applications, right-click Office Communications Server 2007 R2, point to Application Properties, and then click Intelligent IM Filter. (See Figure 8-5.)

    Figure 8-5. Intelligent IM Filter

  3. On the URL Filter tab:

    1. Choose to enable URL filtering by selecting Enable URL Filtering.

    2. Block All Hyperlinks, Both Intranet And Internet, That Contain Any Of The File Extensions Defined On The File Transfer Filter Tab blocks every hyperlink whose target has one of the extensions you enter on the File Transfer Filter tab, so that list must contain the extensions you do not want to allow.

    3. Allow Local Intranet URLs allows hyperlinks that point to your local intranet to pass through the filter.

    4. Block Instant Messages That Contain Hyperlinks is a blanket denial of every instant message that contains a hyperlink.

    5. Allow Instant Messages That Contain Hyperlinks, But Convert The Links To Plain Text delivers the message with its links rendered as non-clickable text. In the accompanying box, Enter The Notice You Want To Insert At The Beginning Of Each Instant Message Containing Hyperlinks, enter the notice that tells the recipient why the links were converted.

    6. Allow Instant Messages That Contain Hyperlinks delivers the hyperlinks unmodified. In the accompanying box, Enter The Warning You Want To Insert At The Beginning Of Each Instant Message Containing Hyperlinks, enter the warning that is inserted before the message text.

    7. Enter The Prefixes, Separated By A Space, That You Want The URL Filter To Block lists the URL schemes you do not want to allow; examples are nntp, news, and gopher.

Note

It is also possible to access the Intelligent IM Filter by right-clicking either the Enterprise pool or the Standard Edition Server.

To configure a file transfer filter, do the following.

  1. On the Access Edge Server, open Computer Management.

  2. In the console tree, expand Services And Applications, right-click Office Communications Server 2007 R2, point to Application Properties, and then click Intelligent IM Filter, as shown in Figure 8-6.

    Figure 8-6. File Transfer Intelligent Filtering Options

  3. On the File Transfer Filter tab, configure the appropriate settings.

    1. Enable File Transfer Filtering turns on filtering of file transfers offered in received instant messages.

    2. Block All File Extensions blocks every file transfer, whatever the extension.

    3. Block Only File Extensions In The List Below blocks only the extensions you enter in the box Enter The File Extensions, Beginning With A Period And Separated By A Space, That You Want The File Transfer Filter To Block. If this list is empty, all file extensions are blocked. The same list is used by the URL filter option Block All Hyperlinks, Both Intranet And Internet, That Contain Any Of The File Extensions Defined On The File Transfer Filter Tab.
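The two tabs together define a small message-processing policy. The following Python model is added here as an illustration and is not the Intelligent IM Filter's own code. It applies the options named above to constructed sample messages and file names. The option names follow the two tabs; how a hyperlink is recognised inside a message, what counts as a local intranet URL (here: a host with no dot, or one under the assumed contoso.com suffix), and how a converted link is rendered are assumptions made for the example.

```python
"""Model of the Intelligent IM Filter's URL and file-transfer decisions.

Added example, not product code. Option names mirror the URL Filter and File
Transfer Filter tabs; the link syntax, the definition of "local intranet" and
the rendering of a converted link are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed link syntax: a scheme-prefixed token (http://..., gopher:..., news:...)
# or a bare www. host. Deliberately simple; it is not the client's own parser.
LINK_RE = re.compile(r"\b(?:[a-z][a-z0-9+.-]*:\S+|www\.\S+)", re.IGNORECASE)


@dataclass
class UrlFilterPolicy:
    enabled: bool = True
    block_links_with_listed_extensions: bool = True   # uses FileTransferPolicy.blocked_extensions
    allow_intranet_urls: bool = False                 # "Allow Local Intranet URLs"
    mode: str = "warn"                                # "block" | "convert" | "warn"
    notice: str = "Hyperlinks in this message were converted to plain text."
    warning: str = "Warning: this message contains hyperlinks. Open them only if you trust the sender."
    blocked_prefixes: Tuple[str, ...] = ("nntp", "news", "gopher")
    intranet_suffixes: Tuple[str, ...] = ("contoso.com",)  # assumed definition of "local intranet"


@dataclass
class FileTransferPolicy:
    enabled: bool = True
    block_all: bool = False                           # "Block All File Extensions"
    blocked_extensions: Tuple[str, ...] = (".exe", ".scr", ".vbs", ".bat")


def find_links(text: str) -> List[str]:
    return LINK_RE.findall(text)


def link_scheme(link: str) -> str:
    return link.split(":", 1)[0].lower() if ":" in link else "http"


def link_host(link: str) -> str:
    rest = link.split("://", 1)[1] if "://" in link else link.split(":", 1)[-1]
    return rest.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0].lower()


def is_intranet(link: str, url: UrlFilterPolicy) -> bool:
    host = link_host(link)
    return "." not in host or any(host == s or host.endswith("." + s) for s in url.intranet_suffixes)


def has_blocked_extension(link: str, ft: FileTransferPolicy) -> bool:
    path = link.split("?", 1)[0].split("#", 1)[0].lower()
    return any(path.endswith(ext) for ext in ft.blocked_extensions)


def filter_url_message(text: str, url: UrlFilterPolicy, ft: FileTransferPolicy) -> Tuple[bool, str]:
    """Return (delivered, text_as_delivered) for one inbound instant message."""
    links = find_links(text)
    if not url.enabled or not links:
        return True, text
    # The prefix list and the extension check apply to every link, intranet or
    # not, before the mode chosen with the radio buttons is considered.
    if any(link_scheme(l) in url.blocked_prefixes for l in links):
        return False, text
    if url.block_links_with_listed_extensions and any(has_blocked_extension(l, ft) for l in links):
        return False, text
    external = {l for l in links if not (url.allow_intranet_urls and is_intranet(l, url))}
    if not external:
        return True, text
    if url.mode == "block":
        return False, text
    if url.mode == "convert":
        # Assumed rendering: wrap the link so the client no longer auto-links it.
        converted = LINK_RE.sub(lambda m: "<%s>" % m.group(0) if m.group(0) in external else m.group(0), text)
        return True, url.notice + "\n" + converted
    if url.mode == "warn":
        return True, url.warning + "\n" + text
    raise ValueError("unknown URL filter mode: %r" % url.mode)


def file_transfer_allowed(filename: str, ft: FileTransferPolicy) -> bool:
    """Apply the File Transfer Filter tab to one offered file name."""
    if not ft.enabled:
        return True
    # Block All, or Block Only with an empty list, both block everything (as the tab states).
    if ft.block_all or not ft.blocked_extensions:
        return False
    name = filename.lower()
    return not any(name.endswith(ext) for ext in ft.blocked_extensions)
```

Two behaviours are worth checking against your own configuration: the prefix and extension checks fire before the hyperlink mode is applied, so a gopher: link is dropped even when you have chosen the warning option, and the file transfer block list matches only on the file name, so a renamed executable passes it. That limitation is one reason the chapter also points to the advanced protection features of Forefront for Office Communications Server.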

Also, you can consider using the advanced protection features of Forefront for Office Communications Server, a product from the Microsoft Forefront product group that is especially suited to these tasks and much more. For more information, see http://go.microsoft.com/fwlink/?LinkID=133692.

For more information about the Intelligent IM Filter application, see the section titled "Configuring Intelligent IM Filtering" in the Office Communications Server 2007 R2 Administration Guide, found at http://go.microsoft.com/fwlink/?LinkId=137125.

Considerations Involving Media Sharing

Media sharing over a public IM connection is not something administrators need to manage: users cannot share audio, video, or binary files over a connection to a public IM provider. Keep the following in mind in case users ask:

  • Between a public IM provider and Office Communications Server, only text and presence information are exchanged.

  • Between two Office Communications Servers, sharing of audio-visual or binary files in an IM session is supported.

Authorizing Users for Public IM Connectivity

The easiest way to configure multiple users for public IM connectivity is to use the Configure Office Communications Server Users Wizard, as shown in Figure 8-7. You can access the wizard by using the Active Directory Users and Computers snap-in or the Office Communications Server administrative snap-in on an Office Communications Server that is attached to your SIP domain.

Figure 8-7. Configure Office Communications Server Users Wizard

Using the Active Directory Users and Computers Snap-In

To enable multiple users for public IM connectivity by using the Active Directory Users and Computers snap-in, do the following.

  1. If the computer is a domain controller, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users And Computers. Otherwise, you will need to install the Active Directory management tools.

  2. Go to the folder where your user accounts reside.

  3. Do one of the following:

    1. Right-click the Users folder or the folder where your user accounts reside and then click Configure Users to configure all user accounts in this folder.

    2. Click the Users folder. In the details pane, select the user or users that you want to configure and then click Configure Users.

  4. On the Welcome To The Configure Users Wizard page, click Next.

  5. Under Configure User Settings, select Public IM Connectivity.

  6. On the Configure Operation Status page, if you want to export the log, click Export to save the XML file.

  7. Click Finish.

Using the Office Communications Server Administrative Snap-In

To enable multiple users for public IM connectivity by using the Office Communications Server administrative snap-in, do the following.

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Office Communications Server 2007 R2.

  2. In the console tree, expand the forest node.

  3. Expand subsequent nodes under the Domains node until you reach the domain that the server or pool resides in.

  4. Expand the Standard Edition Servers or Enterprise Pools node.

  5. Expand the server or pool.

  6. Do one of the following:

    1. Right-click the Users folder and then click Configure Users to configure all user accounts on this server or pool.

    2. Select the user or users that you want to configure and then click Configure Users.

  7. On the Welcome To The Configure Users Wizard page, click Next.

  8. Under Configure User Settings, select Public IM Connectivity.

  9. On the Configure Operation Status page, if you want to export the log, click Export to save the XML file.

  10. Click Finish.

Note

To perform this task, you must be logged on as a member of the RTCDomainUserAdmins group (or a group with equivalent rights on the user objects, such as RTCUniversalUserAdmins). Membership in these groups is what lets an account change who may reach the public IM networks, so treat it as a privileged role.

You can also enable or disable public IM connectivity for individual users. To configure an individual user for public IM connectivity by using the Active Directory Users and Computers snap-in, do the following.

  1. If the computer is a domain controller, click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users And Computers. If the computer is not a domain controller, you will need to install the Active Directory management tools.

  2. Go to the folder where your user accounts reside.

  3. Expand the folder.

  4. Right-click the user account that you want to configure and then select Properties. The user's Properties dialog box appears.

  5. On the Communications tab, make sure that the Enable User For Office Communications Server check box is selected. If it is not, select it now.

  6. Enter a sign-in name and then select a server or pool for the user to sign in to, as shown in Figure 8-8.

    Enable User For Office Communications Server

    Figure 8-8. Enable User For Office Communications Server

  7. Click Configure.

  8. Under User Options, select the Enable Public IM Connectivity check box and then click OK.

  9. Click OK.

Important

An individual user can be authorized for federation, public IM connectivity, remote access, or any combination of the three. Enabling public connectivity for a user does not require disabling federation or remote access.

Disabling Public IM Connectivity

You can also disable public IM connectivity for one or more users at any time. For several users, follow the procedure in the section titled "Using the Active Directory Users and Computers Snap-In" earlier in this chapter, but when you select Public IM Connectivity in the wizard, choose the option that disables it rather than the one that enables it. For a single user, open the Communications tab of the account as described above, click Configure, and clear the Enable Public IM Connectivity check box.

Configuring Per-User and Global Settings

When you enable individual user accounts for Office Communications Server 2007 R2 in Active Directory Users and Computers, you can change user account settings to specify the functionality available to each user. For information about the impact of global, group, and individual settings, see the section titled "Managing User Accounts" in the Office Communications Server 2007 R2 Administration Guide, found at http://go.microsoft.com/fwlink/?LinkId=137128.

As shown in the previous sections, settings for user accounts can be configured in different ways. In general, settings can be configured by using the following methods:

  • Globally for all users in the forest by using the Office Communications Server 2007 R2 administrative snap-in.

  • Individually or in groups by using the Configure Office Communications Server Users Wizard in the Office Communications Server 2007 R2 administrative snap-in or the Active Directory Users and Computers snap-in. After you enable user accounts in Active Directory Users and Computers, it is recommended that you use the Configure Users Wizard to configure user accounts—especially for newly enabled user accounts—because it enables you to configure multiple users at a time.

  • Individually by using the Communications tab of the user account's Properties dialog box in the Office Communications Server 2007 R2 administrative snap-in or in Active Directory Users and Computers. This approach is useful if you want to change a small number of settings for a small number of user accounts, or for configuring settings that cannot be configured by using the Configure Users Wizard.

Not every method is available for every setting. Additionally, some user account settings also have a global setting, and that global setting must be configured before the per-user setting has any effect. Table 8-2 describes which of the methods can be used to configure each of the specific user settings, as well as the global configuration requirements.

Table 8-2. Configuring Per-User and Global Settings for User Accounts

Columns: user setting; description; global configuration; configurable in the Configure Office Communications Server Users Wizard?; configurable from the Properties, Communications tab?

Federation

  Description: Enables or disables an Office Communications Server 2007 R2 user's ability to communicate with users from other organizations that have an Office Communications Server 2007 R2 deployment and a federated link.

  Global configuration: Users cannot be enabled for federation unless federation is enabled at the global level.

  Configure Users Wizard: Yes, but it takes effect only when federation is enabled at the global level.

  Properties, Communications tab: Yes, but it takes effect only when federation is enabled at the global level.

Public IM connectivity

  Description: Enables or disables an Office Communications Server 2007 R2 user's ability to communicate with users hosted on the AOL, Yahoo!, or MSN Internet services.

  Global configuration: Users cannot be enabled for public IM connectivity unless federation and public IM connectivity are both enabled at the global level (public IM connectivity is configured under Federation in the administrative snap-in).

  Configure Users Wizard: Yes, but it takes effect only when public IM connectivity is enabled at the global level.

  Properties, Communications tab: Yes, but it takes effect only when public IM connectivity is enabled at the global level.

Archiving

  Description: Enables or disables archiving of the Office Communications Server 2007 R2 user's IM conversations. This control can be enabled independently for internal conversations and for conversations with users outside your organization.

  Global configuration: Yes. At the global level, you can choose to enable archiving for all users, disable archiving for all users, or enable and disable archiving on a per-user basis.

  Configure Users Wizard: Yes, but only if the global setting is configured to enable and disable archiving on a per-user basis.

  Properties, Communications tab: Yes, but only if the global setting is configured to enable and disable archiving on a per-user basis.

Invite anonymous participants to meetings

  Description: Enables or disables the ability of Office Communications Server 2007 R2 users in your organization who are allowed to organize meetings to invite participants from outside your organization.

  Global configuration: Yes. At the global level, you can choose to allow users to invite anonymous participants, disallow users from inviting anonymous participants, or enforce the setting on a per-user basis.

  Configure Users Wizard: Yes, but only if the global setting is configured to allow configuration of anonymous participation on a per-user basis.

  Properties, Communications tab: Yes, but only if the global setting is configured to allow configuration of anonymous participation on a per-user basis.

Meeting policy

  Description: Enforces a meeting policy for an Office Communications Server 2007 R2 user who is allowed to organize meetings. The policy specifies aspects of the meetings that the organizer can create. The policy name is used to specify which meeting policy to apply.

  Global configuration: Yes. At the global level, you can set up one or more meeting policies for specific uses and either select a single global meeting policy to be applied to all users in the forest or specify that the meeting policy is to be applied on a per-user basis.

  Configure Users Wizard: Yes, if you specify at the global level that the meeting policy is applied on a per-user basis.

  Properties, Communications tab: Yes, if you specify at the global level that the meeting policy is applied on a per-user basis.

Enterprise Voice policy

  Description: A Voice policy associates telephone usage records with users.

  Global configuration: Yes. At the global level, you can set up one or more Voice policies for specific uses and either select a single global Voice policy to be applied to all users in the forest or specify that the Voice policy is to be applied on a per-user basis.

  Configure Users Wizard: Yes, but only if the global policy is configured to specify the Voice policy on a per-user basis.

  Properties, Communications tab: Yes, but only if the global policy is configured to specify the Voice policy on a per-user basis.
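Two things in the material above deserve a check rather than trust: the wizard procedures can grant public IM connectivity to every account in a folder or pool in one pass, and Table 8-2 says that each per-user grant only takes effect while the matching global switch is on. A grant that is set on the user but masked by the global setting is dormant, not absent, and goes live the moment an administrator flips the global switch. The following Python is an added example, not code from the Resource Kit: it applies the Table 8-2 rules for federation, public IM connectivity, and remote access to an LDIF export of the msRTCSIP-* user attributes and reports both the effective state and the dormant grants. The LDIF sample is constructed, the global-settings dictionary stands in for what the Federation tab holds, and the bit position used for public IM connectivity in msRTCSIP-OptionFlags is an assumption to verify against your schema reference before relying on the result.

```python
"""Audit effective federation / public IM / remote access state for
Office Communications Server 2007 R2 users from an LDIF export.

Added example, not from the Resource Kit. The attribute names are the
msRTCSIP-* attributes the OCS schema adds to user objects; the bit used
for public IM connectivity in msRTCSIP-OptionFlags is an assumption to
check against your schema reference.
"""

# Assumption: bit 0 of msRTCSIP-OptionFlags records "Enable Public IM
# Connectivity" (the check box on the user's Communications tab).
PIC_FLAG = 0x1

# Constructed sample of what an ldifde export of SIP-enabled users might
# contain. Carol is SIP-disabled but still carries per-user grants.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Sales,DC=contoso,DC=com
msRTCSIP-PrimaryUserAddress: sip:alice@contoso.com
msRTCSIP-UserEnabled: TRUE
msRTCSIP-FederationEnabled: TRUE
msRTCSIP-InternetAccessEnabled: FALSE
msRTCSIP-OptionFlags: 1

dn: CN=Bob,OU=Sales,DC=contoso,DC=com
msRTCSIP-PrimaryUserAddress: sip:bob@contoso.com
msRTCSIP-UserEnabled: TRUE
msRTCSIP-FederationEnabled: FALSE
msRTCSIP-InternetAccessEnabled: TRUE
msRTCSIP-OptionFlags: 0

dn: CN=Carol,OU=Finance,DC=contoso,DC=com
msRTCSIP-PrimaryUserAddress: sip:carol@contoso.com
msRTCSIP-UserEnabled: FALSE
msRTCSIP-FederationEnabled: TRUE
msRTCSIP-OptionFlags: 17
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry (attribute -> value).
    Handles folded continuation lines (leading space) and skips comments."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation
            current[last_attr] += raw[1:]
            continue
        attr, _, value = raw.partition(":")      # split on first colon only
        current[attr] = value.strip()
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def _bool(value):
    return value.upper() == "TRUE"


def effective_settings(user, global_cfg):
    """Apply the Table 8-2 rule: a per-user grant takes effect only when the
    matching global switch is on and the account is SIP-enabled.
    Returns (effective, dormant); dormant lists grants that are set on the
    user but currently masked."""
    enabled = _bool(user.get("msRTCSIP-UserEnabled", "FALSE"))
    flags = int(user.get("msRTCSIP-OptionFlags", "0"))
    wants = {
        "federation": _bool(user.get("msRTCSIP-FederationEnabled", "FALSE")),
        "public_im": bool(flags & PIC_FLAG),
        "remote_access": _bool(user.get("msRTCSIP-InternetAccessEnabled", "FALSE")),
    }
    gates = {
        "federation": global_cfg["federation"],
        # Public IM connectivity lives under Federation globally, so it
        # needs both the federation switch and the PIC switch.
        "public_im": global_cfg["federation"] and global_cfg["public_im"],
        "remote_access": global_cfg["remote_access"],
    }
    effective = {k: enabled and wants[k] and gates[k] for k in wants}
    dormant = sorted(k for k in wants if wants[k] and not effective[k])
    return effective, dormant


def audit(ldif_text, global_cfg):
    """Return {sip_address: (effective, dormant)} for every exported user."""
    report = {}
    for user in parse_ldif(ldif_text):
        addr = user.get("msRTCSIP-PrimaryUserAddress", user.get("dn"))
        report[addr] = effective_settings(user, global_cfg)
    return report


if __name__ == "__main__":
    # Stand-in for the Federation tab: federation on, PIC not yet provisioned.
    globals_now = {"federation": True, "public_im": False, "remote_access": True}
    for addr, (eff, dormant) in audit(SAMPLE_LDIF, globals_now).items():
        live = [k for k, v in eff.items() if v] or ["none"]
        print(f"{addr}: live={live} dormant={dormant}")
```

Run against a real export (ldifde filtered on msRTCSIP-UserEnabled=TRUE, or the whole OU if you also want disabled accounts like Carol's), and re-run with the public IM switch set to True before you actually provision the providers: the second report shows exactly which users become reachable from AOL, Yahoo!, and MSN the moment that global change lands.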

The user settings that do not have global settings are configured only at the user level. Table 8-3 shows the configurable user settings that do not use global settings and the configuration methods available for each setting.

Table 8-3. User Settings that Do Not Use Global Settings

Columns: user setting; description; configurable in the Configure Office Communications Server Users Wizard?; configurable from the Properties, Communications tab?

Enable user for Office Communications Server

  Description: Enables an Active Directory user for Office Communications Server 2007 R2.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes. If an account was initially enabled in Active Directory Users and Computers and then disabled, it can be re-enabled on the Communications tab.

Sign-in name

  Description: Similar to a user's e-mail address, the sign-in name uniquely defines the user's SIP address as a SIP URI.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes.

Server or pool

  Description: FQDN of the Standard Edition server or Enterprise pool where the user's data is stored.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes.

Enhanced presence

  Description: Enables or disables enhanced presence, which lets users control their presence in more detail. Users can create presence categories, assign data items to the categories, and create different views of the categories, so that different groups of contacts see different presence states.

  Configure Users Wizard: Yes, but once it is enabled, it cannot be disabled for a user.

  Properties, Communications tab: Yes, but once it is enabled, it cannot be disabled for a user.

Remote user access

  Description: Enables or disables the ability of an Office Communications Server 2007 R2 user to sign in to Office Communications Server 2007 R2 services from outside the organization's perimeter network without requiring a virtual private network (VPN).

  Configure Users Wizard: Yes.

  Properties, Communications tab: Yes, as an additional option.

PC-to-PC communications only

  Description: Enables or disables PC-to-PC audio communications only for the user, without Remote Call Control or Enterprise Voice. This option does not require deployment of a Remote Call Control server or Unified Messaging.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes, as an additional option.

Remote Call Control

  Description: Enables or disables the Office Communications Server 2007 R2 user's control of a Private Branch eXchange (PBX) desktop telephone by using Office Communicator 2007. This option also enables PC-to-PC audio communications.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes, as an additional option.

Enterprise Voice

  Description: Enables or disables Enterprise Voice for the user. This option also enables PC-to-PC audio communications.

  Configure Users Wizard: Yes.

  Properties, Communications tab: Yes, as an additional option.

Enable PBX integration

  Description: Enables or disables PBX integration for an Enterprise Voice user. This option requires first enabling Enterprise Voice for the user.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes, as an additional option.

Line URI (user's phone/device)

  Description: URI that uniquely identifies the user's telephone line. This URI can be in the form of a SIP URI or a TEL URI.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes, as an additional option.

Remote Call Control server URI

  Description: SIP URI that uniquely identifies the Remote Call Control gateway that controls the telephone line.

  Configure Users Wizard: No.

  Properties, Communications tab: Yes, as an additional option.
