Security

Exchange Conferencing Server provides security when:

Because the hosting conference technology provider sets the guidelines for participation in an online conference, the conference technology provider also sets the format for conference security. Conference Management Service controls security for creating and accessing conferences, so this type of security is the same for all conference technology providers.

Controlling Access to Conferences

When you schedule a conference, you control access to it by specifying whether the conference is public or private. With Exchange Conferencing Server, you can create public conferences, public conferences that require a password, or private conferences.

Public Conferences

Public conferences are accessible to any user who has access to the URL. By default, conferences are public.

When you schedule an online conference using Outlook Web Access for Exchange Server 5.5 or versions of Outlook earlier than Outlook 2000, you can schedule only public conferences that are not password protected. All public conferences are listed on a page that is reachable from the home page of the conference access pages. The URL for the list of public conferences is http://<server_name>/conferencing/list.asp, where server_name is either the name or the fully qualified domain name of the IIS server that hosts the conference.

Public Conferences With Password

You can create a public conference that participants can access with the correct password. The conference technology provider uses the password to further limit access. To create a public conference with a password in Outlook 2000, verify that the Allow external attendees check box is selected and include the password on the conference invitation.

Private Conferences

You can create a private conference so that only attendees whom you invite can participate. Conference Management Service, the conference technology provider, or both check the credentials of each participant to determine whether he or she is authorized to participate in the conference. If Conference Management Service performs the check, it uses IIS to verify the user's credentials.

Only attendees who have credentials known to IIS can access the conference pages. To create a private conference, verify that the Allow external attendees check box is cleared on the conference invitation. For more information on conference technology provider security, see “Security Supplied by the Conference Technology Provider” later in this chapter.

The type of conference, whether it is public, public with password, or private, is also communicated to the associated conference technology providers. The conference technology provider may provide additional security for private conferences; for example, Data Conferencing Provider forces public certificate authentication and subsequent data encryption during a private conference.
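The three access modes described above (public, public with password, private) amount to an admission policy on the conference access pages. The following Go program is an added illustration of that policy and is not Conference Management Service's own code; the types Conference and JoinRequest, the AuthenticatedUser field (standing in for the identity IIS establishes), and the CONTOSO sample user names are all constructed for the example. It shows two points the prose leaves implicit: a password is compared in constant time, and a private conference requires both an authenticated identity and an invitation, never a password alone.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// ConferenceType models the three access modes described in the text.
type ConferenceType int

const (
	Public ConferenceType = iota
	PublicWithPassword
	Private
)

// Conference is a constructed, simplified record; the field names are this example's own.
type Conference struct {
	Type     ConferenceType
	Password string          // used only for PublicWithPassword
	Invitees map[string]bool // used only for Private; keyed by the user name IIS authenticated
}

// JoinRequest carries what the access page knows about the caller (constructed for the example).
type JoinRequest struct {
	AuthenticatedUser string // identity established by IIS; empty for anonymous access
	Password          string // password typed by the caller, if any
}

var ErrDenied = errors.New("access denied")

// Admit decides whether the caller may open the conference pages.
// Unknown conference types fall through to denial (deny by default).
func Admit(c Conference, r JoinRequest) error {
	switch c.Type {
	case Public:
		return nil
	case PublicWithPassword:
		// Constant-time comparison so a wrong guess cannot be told apart by timing.
		if subtle.ConstantTimeCompare([]byte(c.Password), []byte(r.Password)) == 1 {
			return nil
		}
		return ErrDenied
	case Private:
		// A private conference needs an identity IIS could verify AND an invitation;
		// a password alone never suffices.
		if r.AuthenticatedUser != "" && c.Invitees[r.AuthenticatedUser] {
			return nil
		}
		return ErrDenied
	}
	return ErrDenied
}

func main() {
	private := Conference{Type: Private, Invitees: map[string]bool{"CONTOSO\\alice": true}}
	fmt.Println(Admit(private, JoinRequest{AuthenticatedUser: "CONTOSO\\alice"}))   // <nil>
	fmt.Println(Admit(private, JoinRequest{AuthenticatedUser: "CONTOSO\\mallory"})) // access denied
	fmt.Println(Admit(private, JoinRequest{Password: "anything"}))                   // access denied
}
```

Because every branch that does not explicitly admit returns ErrDenied, adding a new conference type later cannot accidentally open a conference to everyone.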

Client Certificates Required for Private Conferences

A digital certificate is an electronic document that grants credentials to the users or computers on the network. Certificates are required for users who want to join private data conferences.

Data Conferencing Provider recognizes X.509 v3 certificates that are granted from a trusted certificate authority. An example of a trusted certificate authority is Certificate Services in Windows 2000. Certificate Services must exist in the Active Directory forest. The MCU queries Certificate Services to obtain a machine certificate, which it then uses to authenticate conference attendees. The MCU uses Windows CryptoAPI (CAPI) to scan Active Directory and the local registry for a list of certificate authorities that are valid in the organization. The MCU then compares the client certificates against this list to validate the authenticity of the attendee.

If you want users with third-party certificates to participate in private conferences, verify that your organization subscribes to the third-party certification services and that the hierarchy of trusted certificate authorities is properly configured.
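The MCU's check described above, comparing an attendee's X.509 certificate against the list of certificate authorities trusted in the organization, is ordinary chain validation against a trust list. The Go program below is an added example of that check and is not the MCU's code (which uses Windows CryptoAPI); it uses Go's standard crypto/x509 package instead. The issue helper, the CA names, the user names and the VerifyAttendee and Scenario functions are all constructed for the example. It builds one in-forest CA that is in the trust list and one outside CA that is not, issues an attendee certificate from each, and shows that only the certificate chaining to the trusted CA is accepted, which is exactly the situation the third-party-certificate paragraph warns about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn. When parent is nil the certificate is self-signed
// (a root CA); otherwise it is signed by parent with parentKey. Helper written for this
// example only; it stands in for Certificate Services issuing certificates.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Attendee certificates must be usable for client authentication.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyAttendee plays the MCU's role: the presented certificate must chain to a CA in the
// organization's trust list, be within its validity period, and be valid for client authentication.
func VerifyAttendee(client *x509.Certificate, trustedCAs *x509.CertPool) error {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       trustedCAs,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CurrentTime: time.Now(),
	})
	return err
}

// Scenario builds one in-forest CA (trusted) and one outside CA (not subscribed to) and
// returns the verification result for an attendee certificate issued by each.
func Scenario() (fromTrustedCA error, fromUntrustedCA error) {
	orgCA, orgKey := issue("Contoso Enterprise CA", true, nil, nil)       // constructed name
	otherCA, otherKey := issue("Unsubscribed Third-Party CA", true, nil, nil) // constructed name

	trusted := x509.NewCertPool()
	trusted.AddCert(orgCA) // only the organization's CA is on the trust list

	attendee, _ := issue("alice", false, orgCA, orgKey)
	outsider, _ := issue("mallory", false, otherCA, otherKey)

	return VerifyAttendee(attendee, trusted), VerifyAttendee(outsider, trusted)
}

func main() {
	ok, bad := Scenario()
	fmt.Println("attendee from trusted CA:  ", ok)  // <nil>
	fmt.Println("attendee from untrusted CA:", bad) // x509: certificate signed by unknown authority
}
```

The second result is the failure an administrator sees when a user presents a certificate from a third-party CA the organization has not subscribed to: the certificate itself is well formed, but no trusted root in the pool signs its chain, so the attendee is refused. Adding that CA's root (or the intermediate that chains to it) to the trust list is the configuration step the text refers to.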

Security Supplied by the Conference Technology Provider

Each conference technology provider included in the online conference receives information about the security level of the conference. The level at which the conference technology provider secures the information in the conference varies depending on the conference technology provider.

Data Conferencing Provider allows any user to access a public conference. For password-protected public conferences, users must have a password to access the conference. For a private conference, a public certificate must be exchanged with the MCU that authenticates the user as an attendee of the conference. In addition, the connection between the user and the authenticating MCU (and any other MCU in the conference) is secured using Secure Sockets Layer (SSL) encryption.

Video Conferencing Provider does not distinguish between public and private conferences, but it does use the authentication features of Conference Management Service. Multicast clients can participate in private video conferences, but their connection will not be encrypted. The experience will be similar to participating in a public conference. However, clients without multicast connectivity that connect to the conference through an H.323 unicast connection cannot participate in private video conferences.

Accessing the Conference Location URL

The location of each online conference is defined by a unique URL:

http://<server>/<root>/<conference id>[<optional parameters>]

Conference Management Service and IIS create the conference access pages that participants use during the conference. Because users access all conferences through IIS virtual roots, you can place global IIS-defined restrictions on access to conference access pages. For example, you can limit participation in the conference to a specific group of users.