Addressing Threats to Group Chat
Topic Last Modified: 2011-07-13
Microsoft Lync Server 2010 Group Chat is an optional server role that can be deployed to enable a persistent chat room resource for groups to collaborate on discussions, files, and other materials. Making use of Group Chat can enhance the ability of work teams to compile notes, conversations, and work items and refer back to them at the next meeting. Internal and external users (domain members and federated partners) can be attendees in a Group Chat room. All attendees must be invited. An optional compliance database can be deployed, based upon legal requirements.
Group Chat is made up of the following components:
Group Chat Server, running the following:
Group Chat database
Compliance Server (optional)
Compliance database (can be collocated as an instance with the Group Chat database)
Group Chat administration tools
The Group Chat Server is located on the internal infrastructure and receives the incoming chat traffic through the associated Front End. External attendees are connected to the Group Chat Server through the Access Edge service. Federated partner clients are supported as attendees as well. By default, TLS protects client communication for SIP, and HTTPS for communication with the Web service. MTLS is used for communication between the Group Chat Server and the Front End Server, and it employs port 8011/TCP.
Group Chat supports both a single-server deployment and a multiple-server configuration. A common Group Chat database is used in either case. With multiple Group Chat Servers, the Lookup service and Channel service communicate among the Group Chat Servers to ensure that a chat room that was initiated on one server is available to its participants on any Group Chat Server. All Group Chat Servers in a multiple-server environment must be on the same subnet. Group Chat is not supported in a topology where the Group Chat Servers are located on separate local area network subnets.
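The same-subnet requirement above can be checked against a server inventory before deployment. The following is an added example, not code from the Lync Server documentation; the host names, addresses, and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: Group Chat Server name -> interface address
# in CIDR form. Names and addresses are hypothetical.
SAMPLE_POOL = {
    "gc01.example.test": "10.20.30.11/24",
    "gc02.example.test": "10.20.30.12/24",
    "gc03.example.test": "10.20.31.13/24",  # sits on a different subnet
}


def group_by_subnet(pool):
    """Group servers by the network their interface address belongs to."""
    groups = defaultdict(list)
    for host, cidr in pool.items():
        # ip_interface keeps the host bits and derives the network from the
        # prefix length; it raises ValueError on malformed input.
        iface = ipaddress.ip_interface(cidr)
        groups[iface.network].append(host)
    return {net: sorted(hosts) for net, hosts in groups.items()}


def audit_pool(pool):
    """Return (ok, majority_network, outliers) for a Group Chat pool.

    ok is True only when every server is on one subnet. outliers maps each
    server that is not on the most common subnet to the subnet it is on.
    """
    groups = group_by_subnet(pool)
    if not groups:
        raise ValueError("pool inventory is empty")
    # Most populated network wins; ties are broken by name so the result
    # is deterministic.
    majority = max(groups, key=lambda n: (len(groups[n]), str(n)))
    outliers = {
        host: str(net)
        for net, hosts in groups.items()
        if net != majority
        for host in hosts
    }
    return len(groups) == 1, str(majority), outliers


if __name__ == "__main__":
    ok, majority, outliers = audit_pool(SAMPLE_POOL)
    print("supported topology" if ok else "unsupported topology")
    for host, net in sorted(outliers.items()):
        print(f"{host} is on {net}, expected {majority}")
```

Two addresses that look adjacent but carry different prefix lengths (for example a /24 and a /25) are reported as separate subnets, which is the case most often missed when reviewing an inventory by eye.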
Server settings must be configured on the local Group Chat Server. Global settings that affect all of the Group Chat Servers in the pool can be configured on any server in the pool. For details about deploying and configuring Group Chat, see the Deploying Group Chat Server documentation.
Deploy Group Chat Servers in a physically secure environment.
Use certificates from your internal CA, or public certificates issued from a unified communications-certified CA.
Use guidance from the Security Guides for the server operating system of the Group Chat Server and the database server to reduce the attack surface.
Ensure that all clients and servers are kept patched and up to date with the latest service packs.