Managing federation and external access to Lync Server 2013

Topic Last Modified: 2013-10-07

Deploying an Edge Server or Edge pool is the first step to supporting external users. For details about deploying Edge Servers, see Deploying external user access in Lync Server 2013 in the Deployment documentation.

After installing and configuring your internal deployment of Lync Server 2013, internal users in your organization can collaborate with other internal users who have SIP accounts in your Active Directory Domain Services (AD DS). Collaboration can include sending and receiving instant messages, updating presence status, and participating in conferences (also known as "meetings"). You enable and configure external user access to control whether supported external users can collaborate with internal Lync Server users. External users can include remote users of your deployment, federated users (including supported users of public instant messaging (IM) service providers), XMPP federation and anonymous participants in conferences.

If your deployment included the installation of a Lync Server 2013 Edge Server or an Edge pool, the scope of possible communication types is greatly expanded with a number of options for external user access, communication with members of other SIP federated domains, SIP federated providers, and XMPP federated users. After setting up the Edge Server or Edge pool, you enable the types of external user access that you want to provide, and configure the policies that control the external access. In Lync Server 2013, you enable and configure external user access and policies using the Lync Server Control Panel, the Lync Server Management Shell or both, based on the task requirements. For details about these management tools, see Lync Server 2013 administrative tools in the Operations documentation, Lync Server 2013 Management Shell in the Operations documentation, and Install Lync Server 2013 administrative tools in the Operations documentation.

Important

When you design your configuration and policies for external user access, you must understand the precedence of policies and how the policies are applied. Lync Server policy settings that are applied at one policy level can override settings that are applied at another policy level. Lync Server policy precedence is: User policy (most influence) overrides a Site policy, and then a Site policy overrides a Global policy (least influence). This means that the closer the policy setting is to the object that the policy is affecting, the more influence it has on the object.

By default, no policies are configured to support external user access, including remote user access and federated user access, even if you have already enabled external user access support for your organization. To control the use of external user access, you must configure one or more policies, specifying the type of external user access supported for each policy. This includes the following external access policies:

  • Global policy   The global policy is created when you deploy your Edge Servers. By default, no external user access options are enabled in the global policy. To support external user access at the global level, you configure the global policy to support one or more types of external user access options. The global policy applies to all users in your organization, but site policies and user policies override the global policy. If you delete the global policy, you do not remove it. Instead, you reset it to the default setting.

  • Site policy   You can create and configure one or more site policies to limit support for external user access to specific sites. The configuration in the site policy overrides the global policy, but only for the specific site covered by the site policy. For example, if you enable remote user access in the global policy, you might specify a site policy that disables remote user access for a specific site. By default, a site policy is applied to all users of that site, but you can assign a user policy to a user to override the site policy setting.

  • User policy   You can create and configure one or more user policies to limit support for remote user access to specific users. The configuration in the user policy overrides the global and site policy, but only for the specific users to whom the user policy is assigned. For example, if you enable remote user access in the global policy and site policy, you might specify a user policy that disables remote user access and then assign that user policy to specific users. If you create a user policy, you must apply it to one or more users before it takes effect.

To determine which configuration settings and which policies you need to create or edit, refer to the following decision points:

Do you want to allow internal and external users of your domain to be able to collaborate using instant messaging, Web conferencing, and Audio/Video?

Configure the settings as detailed in the topics Configure policies to control remote user access in Lync Server 2013, and Enable or disable federation and public IM connectivity in Lync Server 2013.

Do you want to allow anonymous users to attend and be invited to conferences hosted by users in your deployment?

Configure the settings as detailed in the topics Assign conferencing policies to support anonymous users in Lync Server 2013, Create or modify a conferencing policy in Lync Server 2013, and Conferencing policy settings reference for Lync Server 2013.

Do you want to allow users to communicate with SIP Federated Domain contacts?

Configure the settings as detailed in the topics Configure policies to control federated user access in Lync Server 2013, Enable or disable federation and public IM connectivity in Lync Server 2013, and Manage SIP federated domains for your organization in Lync Server 2013.

If you have enabled communication with SIP Federation Domains, do you want to enable communications with XMPP Federated Partner contacts?

Configure the settings as detailed in the topics Configure policies to control XMPP federated user access in Lync Server 2013 and Manage XMPP federated partners in Lync Server 2013.

If you have enabled communication with SIP Federated Domains, do you want to enable SIP Federation automatic discovery?

Configure the settings as detailed in the topic Enable or disable discovery of federation partners in Lync Server 2013.

If you have enabled communication with SIP Federation Domains, do you want to enable sending a disclaimer to Federated contacts notifying them that you use archiving and that communications may be archived?

Configure the settings as detailed in the topic Enable or disable sending an Archiving disclaimer to federated partners in Lync Server 2013.

Do you want to allow users to communicate with SIP Federated Providers that enable communication with public providers, such as Windows Live Messenger, AOL, and Yahoo!?

Configure the settings as detailed in the topics Configure policies to control public user access in Lync Server 2013, Enable or disable federation and public IM connectivity in Lync Server 2013, and Create or edit public SIP federated providers in Lync Server 2013.

Important

  • As of September 1st, 2012, the Microsoft Lync Public IM Connectivity User Subscription License ("PIC USL") is no longer available for purchase for new or renewing agreements. Customers with active licenses will be able to continue to federate with Yahoo! Messenger until the service shut down date. An end of life date of June 2014 for AOL and Yahoo! has been announced. For details, see Support for public instant messenger connectivity in Lync Server 2013.

  • The PIC USL is a per-user per-month subscription license that is required for Lync Server or Office Communications Server to federate with Yahoo! Messenger. Microsoft's ability to provide this service has been contingent upon support from Yahoo!, the underlying agreement for which is winding down.

  • More than ever, Lync is a powerful tool for connecting across organizations and with individuals around the world. Federation with Windows Live Messenger requires no additional user/device licenses beyond the Lync Standard CAL. Skype federation will be added to this list, enabling Lync users to reach hundreds of millions of people with IM and voice.

Do you want to allow users to communicate with SIP Federated Providers that are hosted providers running Microsoft 365, Microsoft Lync Online, and Microsoft Lync Online 2010?

Configure the settings as detailed in the topics Create or edit public SIP federated providers in Lync Server 2013, Enable or disable federation and public IM connectivity in Lync Server 2013, and Create or edit hosted SIP federated providers Lync Server 2013.

Is your deployment configured in a split (also known as a hybrid) domain, where some users have their home server in an on-premise deployment, and other users are configured with a home server in an online environment?

Configure the settings as detailed in the topics Configure policies to control federated user access in Lync Server 2013, Enable or disable federation and public IM connectivity in Lync Server 2013, and Create or edit hosted SIP federated providers Lync Server 2013.

If you prefer a table that lists the requirements:

Tab in Federation and External Access (Across): External Access Policy, Access Edge Config, SIP Federated Domains, SIP Federated Providers, XMPP Federated Partner

Federation or External Access Type (Down):

Remote Users

  • Configure policies to control remote user access in Lync Server 2013

  • Enable or disable remote user access in Lync Server 2013

SIP Federated Contacts

  • Configure policies to control federated user access in Lync Server 2013

  • Enable or disable federation and public IM connectivity in Lync Server 2013

  • Enable or disable discovery of federation partners in Lync Server 2013

  • Enable or disable sending an Archiving disclaimer to federated partners in Lync Server 2013

  • Manage SIP federated domains for your organization in Lync Server 2013

XMPP Federated Contacts

  • Configure policies to control federated user access in Lync Server 2013

  • Configure policies to control XMPP federated user access in Lync Server 2013

  • Enable or disable federation and public IM connectivity in Lync Server 2013

  • Manage XMPP federated partners in Lync Server 2013

Split Domain / Hybrid Users

  • Configure policies to control federated user access in Lync Server 2013

  • Enable or disable federation and public IM connectivity in Lync Server 2013

  • Create or edit hosted SIP federated providers Lync Server 2013

Public IM Service Contacts

  • Configure policies to control public user access in Lync Server 2013

  • Enable or disable federation and public IM connectivity in Lync Server 2013

  • Create or edit public SIP federated providers in Lync Server 2013

Anonymous user access to meetings and conferences

  • Assign conferencing policies to support anonymous users in Lync Server 2013

Note

You must also consider the following configuration settings under Conferencing policies: Create or modify a conferencing policy in Lync Server 2013 and Conferencing policy settings reference for Lync Server 2013.

You can configure external user access settings, including any policies that you want to use to control external user access, even if you have not enabled external user access for your organization. However, the policies and other settings that you configure are in effect only when you have external user access enabled for your organization. External users cannot communicate with users of your organization when external user access is disabled or if no external user access policies are configured to support it.

Your edge deployment authenticates the types of external users (except for anonymous users, who are authenticated by the conference ID and a passkey that is sent to the anonymous participant when you create the conference and invite participants) and controls access based on how you configure your edge support. In order to control communications, you can configure one or more policies and configure settings that define how users inside and outside your deployment communicate with each other. The policies and settings include the default global policy for external user access, in addition to site and user policies that you can create and configure to enable one or more types of external user access for specific sites or users.
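
The following read-only audit is an added example, not part of the original topic. It uses Lync Server Management Shell cmdlets to show, per policy level, which external access types each policy allows and whether the organization-level setting puts them in effect. The mapping of policy flags to Access Edge settings in `$gate` is an assumption based on the topic groupings above.

```powershell
# Added example: read-only audit (Get-* cmdlets only); run in the Lync Server Management Shell.
Import-Module Lync -ErrorAction Stop

# Organization-level switches from the Access Edge configuration.
$edge = Get-CsAccessEdgeConfiguration

# Assumed mapping: external access policy flag -> organization-level switch that gates it.
$gate = [ordered]@{
    EnableOutsideAccess     = $edge.AllowOutsideUsers     # remote users
    EnableFederationAccess  = $edge.AllowFederatedUsers   # SIP federated domains
    EnableXmppAccess        = $edge.AllowFederatedUsers   # XMPP federated partners
    EnablePublicCloudAccess = $edge.AllowFederatedUsers   # public IM providers
}

# One row per policy and access type, labelled with the policy level
# (precedence: User overrides Site, Site overrides Global).
$policyReport = foreach ($policy in Get-CsExternalAccessPolicy) {
    $id = "$($policy.Identity)"
    $level = if ($id -like 'Site:*') { 'Site' } elseif ($id -like 'Tag:*') { 'User' } else { 'Global' }
    foreach ($flag in $gate.Keys) {
        [pscustomobject]@{
            Policy       = $id
            Level        = $level
            AccessType   = $flag
            PolicyAllows = [bool]$policy.$flag
            OrgEnabled   = [bool]$gate[$flag]
            InEffect     = [bool]($policy.$flag -and $gate[$flag])
        }
    }
}
$policyReport | Sort-Object Level, Policy | Format-Table -AutoSize

# Policies that allow an access type while the organization switch is off:
# they are not in effect now, but apply as soon as the switch is enabled.
$policyReport | Where-Object { $_.PolicyAllows -and -not $_.OrgEnabled } | Format-Table -AutoSize

# Users with a directly assigned (user-level) policy, which overrides site and global.
Get-CsUser -Filter { ExternalAccessPolicy -ne $null } |
    Select-Object SipAddress, ExternalAccessPolicy | Sort-Object ExternalAccessPolicy

# Anonymous meeting access: organization switch plus conferencing policies that allow it.
"Anonymous users allowed at the edge: $($edge.AllowAnonymousUsers)"
Get-CsConferencingPolicy | Where-Object { $_.AllowAnonymousParticipantsInMeetings } |
    Select-Object Identity
```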