Understand Secure Cloud UM Infrastructures

Applies to: Office 365 for enterprises

When you deploy your UM service in the cloud, the infrastructure must be designed to provide security for the traffic going to and from the cloud, and for your on-premises servers.

In a typical on-premises UM deployment, your PBX is connected directly to your UM servers using SIP-aware VoIP gateways, as shown in the following diagram.


This arrangement doesn’t expose your organization to a security risk, because all the communication is on the private network.

When you deploy the UM service in the cloud, you need to add a session border controller (SBC) to make the connection to the Internet more secure. VoIP gateways and IP PBXs generally aren’t intended to be placed on a public IP network and don’t have the safeguards provided by an SBC. If you place your gateways on the boundary between your internal, private network and the external, public IP network, the traffic over the Internet is protected, but you leave your on-premises gateway open to attack.

Therefore, for a secured UM online deployment, send the traffic from your on-premises gateways through SBCs, as shown in the following diagram.

[Diagram: Connecting a Traditional PBX to Exchange Online UM]

SBCs are designed to handle SIP and media traffic and have two interfaces, one on the private network and a second on the public Internet, so your private network is isolated from the Internet.

Note: If you are connecting to Exchange Online UM with Microsoft Lync Server 2010, the Lync Edge Server acts as the secure network border element, and no SBC is required.

Set up a secure UM infrastructure in the cloud

The following checklists explain how to set up your infrastructure to communicate securely with Exchange Online UM: