Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-29
An important aspect of the overall network security for your organization is correctly configuring security for your Microsoft Exchange Server 2007 Unified Messaging servers. Enabling Unified Messaging servers, IP gateways, and other servers that are running Microsoft Exchange Server 2007 to communicate by using Transport Layer Security (TLS) or Internet Protocol security (IPsec) increases the level of security for your whole network. This topic contains information and links to security-related topics that can help you increase the level of protection for your network.
Securing Network Traffic
Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in a secured or an unsecured mode, depending on how the UM dial plan has been configured and whether the appropriate certificate trusts have been established between the IP gateways and Unified Messaging servers on your network. In unsecured mode, the Voice over IP (VoIP) and Session Initiation Protocol (SIP) traffic is not encrypted. However, a UM dial plan and the Unified Messaging servers that are associated with it can be configured by using the VoIPSecurity parameter. The VoIPSecurity parameter configures the dial plan to encrypt the VoIP and SIP traffic by using Mutual Transport Layer Security (MTLS). This is known as secured mode.
There are several things that you can do to help protect your Unified Messaging servers and the network traffic that is sent between your IP gateways and Unified Messaging servers and between your Unified Messaging servers and other Exchange 2007 servers in your organization. To understand the components that must be used in your Unified Messaging environment to help protect the network data that is sent and received by Unified Messaging servers in your organization, you must first understand how to do the following:
- Use IPsec to protect Unified Messaging network data.
- Use TLS to protect Unified Messaging network data.
- Use the different types of certificates that are used with Unified Messaging to implement TLS.
- Correctly configure Unified Messaging servers and IP gateways to use TLS.
Unified Messaging Security Components
There are various components that must be configured to help enable the Unified Messaging server to communicate in a secure manner with other Exchange 2007 servers and IP gateways. The following components help secure the data that is passed over the network:
- IPsec: IPsec uses cryptography-based protection services, security protocols, and dynamic key management. It provides the strength and flexibility to help protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific types of traffic. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- TLS: After you have successfully imported and exported the required trusted certificates, an IP gateway will request a certificate from the Unified Messaging server, and then the Unified Messaging server will request a certificate from the IP gateway. Exchanging the trusted certificates between the IP gateway and the Unified Messaging server helps secure the channel over which the IP gateway and Unified Messaging server communicate by using TLS. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- Certificates: Digital certificates are electronic files that work like an online passport to verify the identity of a user or computer. They are used to create an encrypted channel that is used to help protect data. A certificate is basically a digital statement that is issued by a certification authority (CA) that vouches for the identity of the certificate holder and enables the parties to communicate in a secure manner by using encryption. They can be issued by a trusted third-party CA, such as by using Certificate Services, or they can be self-signed. For more information about the security options that are available to help secure UM traffic, see Understanding Unified Messaging VoIP Security.
- VoIP security: Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in a secured or an unsecured mode depending on how the UM dial plan has been configured. By default, UM dial plans communicate in an unsecured mode. You can use the Get-UMDialPlan cmdlet in the Exchange Management Shell to determine the security setting for a UM dial plan. For more information about how to enable VoIP security on a Unified Messaging dial plan, see How to Configure Security on a Unified Messaging Dial Plan.
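The following audit is an added example, not part of the original topic or Microsoft's own script. It uses Get-UMDialPlan to list each dial plan's VoIPSecurity setting with its associated Unified Messaging servers, flags dial plans that are still unsecured, and lists the certificates on the local server that are enabled for UM. It assumes an Exchange Management Shell session on a Unified Messaging server; Get-UMServer, Get-ExchangeCertificate, the property names, and the value name Unsecured are not given in this topic and are used here as assumptions about the cmdlet output.

```powershell
# Added example: run in the Exchange Management Shell on a Unified Messaging server.

# All UM servers in the organization; each exposes the dial plans it belongs to.
$umServers = @(Get-UMServer)

# One row per dial plan: name, security mode, and associated UM servers.
$report = Get-UMDialPlan | Select-Object Name, VoIPSecurity,
    @{ Name = 'UMServers'; Expression = {
        $planName = $_.Name
        $members = @($umServers | Where-Object {
            # DialPlans is assumed to be a list of directory object IDs with a Name
            @($_.DialPlans | ForEach-Object { $_.Name }) -contains $planName
        } | ForEach-Object { $_.Name })
        [string]::Join(', ', [string[]]$members)
    } }

$report | Format-Table -AutoSize

# Dial plans left in the default mode send VoIP and SIP traffic unencrypted.
$unsecured = @($report | Where-Object { "$($_.VoIPSecurity)" -eq 'Unsecured' })
foreach ($plan in $unsecured) {
    Write-Warning ("Dial plan '{0}' is unsecured (UM servers: {1})" -f `
        $plan.Name, $plan.UMServers)
}

# Certificates on this server that are enabled for the UM service.
# A secured dial plan needs one that is unexpired and trusted by the IP gateway.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match '\bUM\b' } |
    Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
    Format-List
```

The script only reads configuration. A secured dial plan with no unexpired UM-enabled certificate on its servers, or an unsecured dial plan that carries production traffic, are the two results to follow up on.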
For More Information
- For more information about Unified Messaging dial plans, see Understanding Unified Messaging Dial Plans.
- For more information about security and protection features in Exchange 2007, see Security and Protection.