Key Security Enhancements in Office Communications Server 2007 R2

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Office Communications Server 2007 R2 includes the following security enhancements

• Consolidated Edge Servers allows use of network address translation (NAT) for all server roles if a single Edge Server is being used. Multiple Edge Servers behind a hardware load balancer cannot use NAT, and the expanded edge configuration not supported.

• Reduced port requirements for audio /video support externally. The requirement for the open port range of 50,000-59,999/TCP and 50,000-59,999/UDP inbound and outbound on firewalls is reduced to specific scenarios. The base requirement for 443/TCP and 3478/UDP are still required.

Note

If you federate with enterprises that are on Office Communications Server 2007 and need to use audio/video between your enterprise and the federated enterprise, the port requirements will be those for the older version of the Edge Servers that are deployed. For example, the port ranges required for Office Communications Server 2007 must be implemented for both enterprises until the federated partner upgrades their edge to Office Communications Server 2007 R2. At that time, port requirements can be reviewed and reduced according to the new configuration.

A complete list and discussion of all new features in Office Communications Server 2007 R2 and Office Communicator 2007 R2 can be found in the Getting Started documentation.

Trustworthy by Design

Office Communications Server 2007 R2 is designed and developed in compliance with the Trustworthy Computing Security Development Lifecycle (SDL), which is described at the Microsoft Web site: https://go.microsoft.com/fwlink/?linkid=68761. The first step in creating a more secure unified communications system was to design threat models and test each feature as it was designed. Multiple security-related improvements were built in to the coding process and practices. Build-time tools detect buffer overruns and other potential security threats before the code is checked in to the final product. Of course, it is impossible to design against all unknown security threats. No system can guarantee complete security. However, because product development embraced secure design principles from the start, Office Communications Server 2007 R2 incorporates industry standard security technologies as a fundamental part of its architecture.

Trustworthy by Default

Network communications in Office Communications Server 2007 R2 are encrypted by default. By requiring all servers to use certificates and by using Kerberos authentication, TLS, Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques, virtually all Office Communications Server 2007 R2 data is protected on the network. In addition, role-based setup makes it possible to deploy Office Communications Servers so that only the services, and the permissions related to those services, are installed as appropriate on each server role.

Trustworthy by Deployment

The Office Communications Server planning guide, deployment guides, migration guide, and this guide all document best practices and recommendations to help you determine and configure the optimal security levels for deployment and assess the risks of activating non-default options.