Topic Last Modified: 2011-05-15

When you configure clients prior to deploying a Microsoft Lync Server 2010 network, take the following recommended measures to enhance client security:

In general, you control access for a user account by enabling and disabling each user account in Active Directory. However, if a user is signed in to Lync Server 2010 when you disable the user account, the user continues to have access until signing out. Also, a user can sign in for up to 180 days (the default Lync certificate expiration time) after the user account is disabled in Active Directory. To prevent this, you can disable certificate-based authentication or reduce the certificate expiration time. To help ensure that only users with appropriate credentials can access Lync Server 2010, you can also do the following:

For details about the use of these cmdlets, see the specific cmdlet in the Lync Server Management Shell section of the Operations documentation.

Client Firewall Exclusions

The Lync client installer configures the firewall during installation with the following exceptions:

  • Microsoft Lync 2010

  • UCMapi (on a 32-bit computer) or UCMapi64 (on a 64-bit computer)

Uninstalling the Lync client removes these entries.

Microsoft Lync 2010 Attendee is available to join meetings only, for users without Lync 2010. Two installers are available (Administrator mode and User mode), and the client exceptions depend on the installation method:

  • Administrator mode installation, for user accounts that are members of the Administrators group. Administrators can install this client through download from the web, or IT admins can push this client to end user desktops to simplify Lync 2010 meeting joins. The Attendee Lync client configures the firewall during installation with the following exception:

    • Microsoft Lync 2010 Attendee. Uninstalling the Attendee client removes this entry.

  • User mode installation, for user accounts that are members of the Users group, which typically prevents admin installation of new software. Installation includes a per-user installation of the Attendee client. Using this installation method, the Attendee Lync client does not configure the firewall during installation. The user is prompted with a Windows Firewall request dialog when joining their first meeting. This adds an entry for Microsoft Lync 2010 Attendee to the firewall exception list, if the user grants access. This entry is not removed when a user uninstalls the Attendee client because the user granted access separately.

When users first use the Lync Web App client, they are prompted to install the Microsoft ActiveX control, which is required only if the user wants to share their screen or share an application. To view shared content, the ActiveX control is not required. If the user chooses to install the ActiveX control, a firewall exception is added for ReachAppShaX.exe.
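
One way to audit the exceptions listed above, including the Attendee entry that remains after a User mode uninstall. This is an added example, not part of the original Microsoft documentation. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later) and that the rule display names contain the product names given on this page; the function name Get-LyncFirewallException is hypothetical.

```powershell
# Added example: list Windows Firewall rules for the Lync clients named on this
# page and flag rules whose program is no longer on disk (orphaned exceptions).
function Get-LyncFirewallException {
    [CmdletBinding()]
    param(
        # Assumption: display names contain the product names from this page.
        [string[]]$Pattern = @(
            '*Microsoft Lync 2010*',  # also matches "Microsoft Lync 2010 Attendee"
            '*UCMapi*',               # matches UCMapi and UCMapi64
            '*ReachAppShaX*'
        )
    )

    Get-NetFirewallRule |
        Where-Object {
            $rule = $_
            # Keep the rule if any pattern matches its display name.
            $Pattern | Where-Object { $rule.DisplayName -like $_ }
        } |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            # Program paths may contain variables such as %ProgramFiles%.
            $path = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            # "Any" means the rule is not bound to a specific executable.
            $bound  = $path -and ($path -ne 'Any')
            $exists = $bound -and (Test-Path -LiteralPath $path -PathType Leaf)

            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Direction   = $_.Direction
                Action      = $_.Action
                Enabled     = ($_.Enabled -eq 'True')
                Profile     = $_.Profile
                Program     = $path
                # Orphaned: the exception is still there but the binary is gone,
                # e.g. Attendee uninstalled after a User mode installation.
                Orphaned    = ($bound -and -not $exists)
            }
        }
}

# Show every matching exception, orphaned entries first.
Get-LyncFirewallException |
    Sort-Object Orphaned -Descending |
    Format-Table DisplayName, Direction, Action, Enabled, Orphaned, Program -AutoSize
```

Review orphaned entries before removing them with Remove-NetFirewallRule, since the wildcard patterns can match rules that do not belong to the Lync clients.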