Step 4.1. Configure Federation

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Federation provides your organization with the ability to communicate with other organizations' Access Edge Servers to share IM and presence. You can also federate with an audio conferencing provider; the process of configuring federation with an organization or with an audio conferencing provider is identical, and uses the methods described below.

If you have enabled federation on the Access Edge Server, access by federated partners, including audio conferencing providers (ACPs), is controlled using one of the following methods:

  • Allow automatic discovery of federated partners. This is the default option during initial configuration of an Access Edge Server because it balances security with ease of configuration and management. For example, when you enable automatic discovery of federated partners on your Access Edge Server, Office Communications Server 2007 allows any federated domain to send communications to you, automatically evaluates incoming traffic from federation partners, and limits or blocks that traffic based on trust level, amount of traffic, and administrator settings.

  • Allow discovery of federated partners, but grant a higher level of trust to specific domains or Access Edge Servers that you specify on the Allow list. For example, if you want to grant a higher level of trust to partners using the SIP domain contoso.com and fabrikam.com, you would add these two domains on the Allow tab. Restricting discovery in this way establishes a higher level of trust for connections with the domains or Access Edge Servers that you add to your Allow list, but still provides the ease of management that is possible by discovering other federation partners that are not listed on the Allow tab.

  • Do not allow discovery of federation partners and limit access of federated partners to only the domains or Access Edge Servers for which you want to enable connections. Connections with federated partners are then allowed only with the specific domains or Access Edge Servers you add to the Allow tab. This method offers the highest level of security, but does not offer ease of management. For example, if an FQDN of an Access Edge Server changes, you must manually change the FQDN of the server in the Allow list.

How Federated Traffic Is Evaluated When Using Automatic Discovery

If you choose to use automatic discovery of federated partners, the Access Edge Server automatically evaluates incoming federated traffic in the following way:

If a federated party has sent requests to more than 1000 URIs (valid or invalid) in the local domain, the connection is first placed on the Watch list. Any additional requests are then blocked by the Access Edge Server. If the Access Edge Server detects suspicious traffic on a connection, it limits the federation partner to a low message rate of 1 message per second. The Access Edge Server detects suspicious traffic by calculating the ratio of successful to failed responses. The Access Edge Server also limits legitimate federated partner connections (unless added to the Allow list) to 20 messages per second.

If you know that a legitimate federated partner will send more than 1000 requests, or more than 20 messages per second, to your organization, you must add that federated partner to the Allow tab to allow these volumes.
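The evaluation described above, as an added illustration that is not part of this guide and not Microsoft's implementation: a hypothetical per-partner model that applies the 1000-URI Watch list threshold, the 1 message per second throttle for suspicious success/failure ratios, the 20 messages per second default, and the Allow list exemption. The page gives no cut-off for the success/failure ratio, so the ratio and minimum sample size below are assumptions.

```python
from collections import defaultdict

# Thresholds stated in the guide.
URI_WATCH_THRESHOLD = 1000   # distinct local URIs before a partner lands on the Watch list
DEFAULT_RATE = 20            # messages/sec for discovered partners not on the Allow list
SUSPICIOUS_RATE = 1          # messages/sec once a connection looks suspicious
# Assumptions (the guide names the ratio but gives no cut-off): treat a partner as
# suspicious once at least MIN_SAMPLE responses exist and failures match or exceed successes.
MIN_SAMPLE = 10
SUSPICIOUS_FAILURE_RATIO = 1.0


class FederationMonitor:
    """Hypothetical model of how an Access Edge Server treats an automatically discovered partner."""

    def __init__(self, allow_list=()):
        self.allow_list = {d.lower() for d in allow_list}
        self.uris = defaultdict(set)                    # domain -> distinct local URIs requested
        self.responses = defaultdict(lambda: [0, 0])    # domain -> [successful, failed]
        self.watch_list = set()

    def record(self, domain, local_uri, succeeded):
        """Record one request from a federated domain and return the decision applied to it."""
        domain = domain.lower()
        decision = self.evaluate(domain)
        if decision["status"] == "blocked":
            return decision                             # dropped: Watch-listed partner
        self.uris[domain].add(local_uri.lower())
        self.responses[domain][0 if succeeded else 1] += 1
        # Only discovered (non-Allow-list) partners are subject to the URI limit.
        if domain not in self.allow_list and len(self.uris[domain]) > URI_WATCH_THRESHOLD:
            self.watch_list.add(domain)
        return decision

    def evaluate(self, domain):
        """Current treatment of a partner: trusted (Allow list), blocked, throttled or limited."""
        domain = domain.lower()
        if domain in self.allow_list:
            return {"status": "trusted", "rate": None}   # no automatic limits apply
        if domain in self.watch_list:
            return {"status": "blocked", "rate": 0}
        ok, failed = self.responses[domain]
        if ok + failed >= MIN_SAMPLE and failed / max(ok, 1) >= SUSPICIOUS_FAILURE_RATIO:
            return {"status": "throttled", "rate": SUSPICIOUS_RATE}
        return {"status": "limited", "rate": DEFAULT_RATE}
```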

After configuring federation, you can use Office Communications Server 2007 administrative tools to monitor and manage federated partner access on an ongoing basis. For more information, see the Introduction to Microsoft Office Communications Server 2007 Administration Guide.

Enabling discovery of federated partners

If you did not enable discovery of federated partners when you configured your Access Edge Server, you can use the Computer Management snap-in to do so. If you already selected this option during setup, you do not need to perform this step.

To enable discovery of federated partners

  1. Log on to the Access Edge Server as a member of the RTC Local Administrators group or a group with equivalent user rights.

  2. Open Computer Management. Click Start, click All Programs, click Administrative Tools, and then click Computer Management.

  3. In the console tree, expand Services and Applications, right-click Microsoft Office Communications Server 2007, and then click Properties.

  4. On the Access Methods tab, select the Allow discovery of federated partners check box.

Add a Trusted Federated Partner

Use the following procedure to add a trusted federated partner domain and, optionally, the FQDN of its Access Edge Server.

To add a trusted federated partner

  1. Log on to the Access Edge Server as a member of the RTC Local Administrators group or a group with equivalent user rights.

  2. Open Computer Management. Click Start, click All Programs, click Administrative Tools, and then click Computer Management.

  3. On the Allow tab, click Add.

  4. In the Add Federated Partner dialog box, do the following:

    • In the Federated partner domain name box, type the domain name of the federated partner.

    • In the Federated partner Access Edge Server box, optionally type the FQDN of each Access Edge Server that you want to add to your Allow list. Remember that if you configure the FQDN of a partner's Access Edge Server and that FQDN later changes, you must manually update your configuration for this partner.

    • Click OK.

  5. Repeat this procedure for each federated partner you want to add to your Allow list, and then click OK.