Topic Last Modified: 2011-05-06
Microsoft Lync Server 2010 also depends on SQL Server databases for storing user information, conference state, archiving data, and Call Detail Records (CDRs). You can maximize the availability of Lync Server 2010 data on Lync Server back-end databases, by partitioning the application data in a way that improves fault tolerance and simplifies troubleshooting. To achieve these goals, partition the application data by:
- Using server partitioning best
practices Separate your operating system,
application, and program files from your data files.
- Storing transaction log files and database
files Store these files separately to increase
fault tolerance and optimize recovery, and store them on an
encrypted disk or volume.
- Using server clustering Cluster the
back-end servers to optimize Lync Server 2010 system
availability.
- Ensure that all data backups are encrypted and properly
handled Lost, discarded, or misplaced backup
media can pose a significant threat to data security for Lync
Server 2010 deployments
On any Lync Server 2010 server except Standard Edition server, the SQL Server Express instance (RTCLOCAL instance) is not remotely accessible, and no local firewall exceptions are created, except for SQL Server Express on a Standard Edition server. On a Standard Edition server, both the back-end database and the Central Management store (CMS) are set up to be remotely accessible. To harden SQL Server databases, you can do the following:
- Customize the SQL Server Express firewall on Standard Edition
servers, limiting the scope of servers that can remotely access the
database. By default, any IP address can remotely access the
database.
- Use SQL Server Configuration Manager to specify the protocols,
IP addresses, and ports for SQL Server remote access:
- Lync Server 2010 uses the TCP/IP protocol. It supports IP
version 4 (IPv4), but not IP version 6 (IPv6).
Note: Lync Server 2010 can function in a network with dual IP stack enabled. - Lync Server 2010 supports multiple IP address (multi-homed
network address cards). You can specify that SQL Server listen only
to specific IP addresses (individual address or by subnet) and only
use specific protocols.
- Lync Server 2010 supports static and dynamic SQL Server
ports.
- Lync Server 2010 uses the TCP/IP protocol. It supports IP
version 4 (IPv4), but not IP version 6 (IPv6).
- Run SQL Server on a static (non-default) port, and do not run
SQL Server Browser (so it cannot report the listening port to the
client). This requires a custom configuration on each SQL Server
client, including Front End Servers, Monitoring Server, Archiving
Server, and administrative consoles (running Lync Server Management
Shell, Lync Server Control Panel, or Topology Builder), and all
other servers running Lync Server databases).
Note: |
---|
Access to databases must be limited to trusted database administrators. A malicious database administrator could insert or modify data into the databases to acquire privileges over the Lync Server 2010 servers or obtain sensitive information from the services, even if the database administrator has not been granted direct access or control of the Lync Server 2010 servers. |
For details about custom configurations and hardening SQL Server databases, see Using Lync Server 2010 with custom SQL Server network configuration at http://go.microsoft.com/fwlink/?LinkId=214008
Note: |
---|
You can also harden operating systems and applications servers, and you can use Group Policy to implement security lockdowns in your Lync Server deployment. For details, see Hardening and Protecting Servers and Applications for Lync Server 2010. |