If you have configured support for federated partners, which can be specific external organizations or an audio conferencing provider (ACP) that provides telephony integration, you need to actively manage the external domains that can communicate with the servers in your organization. Office Communications Server 2007 R2 provides mechanisms to facilitate tracking and control of federated domain connections, including the following:
- Domains. You can view a list of the federated domains that have most recently made at least one connection to your Access Edge service.
- Usage. DNS-based discovery of Access Edge services is the recommended configuration for the Access Edge service. This configuration can be used in conjunction with the Allow tab, on which you can configure allowed domains. For increased security, explicitly specify the FQDN of a federated partner's Access Edge service. When a domain is configured in the Allow list, communications with this domain are assumed to be legitimate, and the Access Edge service does not throttle connections for these domains. In the case of DNS-based discovery of federated domains that are not on the Allow tab, connections are not assumed to be legitimate, so the Access Edge service actively monitors these connections and limits the allowed throughput. The Access Edge service marks a connection for monitoring in one of two situations:
  - If suspicious traffic is detected on the connection. To detect suspicious activity, the service monitors the percentage of specific error messages on the connection. A high percentage can indicate attempted requests to invalid users. In this situation, the connection is placed on a watch list, and the administrator can choose to block this connection.
  - If a federated party has sent requests to more than 1,000 user URIs (valid or invalid) in the local domain, the connection is placed on the watch list. Any additional requests are then blocked by the Access Edge service. A federated domain could exceed 1,000 requests either because the federated party is attempting a directory attack on the local domains (in which case the administrator would want to block the connection), or because valid traffic between the local and federated domains exceeds the limit (in which case the administrator would probably not want the connection to be throttled and would probably want to add the domains associated with that connection to the Allow list).
An administrator can review these lists and take appropriate action, which can be any of the following:
- Leave the list as is.
- Add the specific domain to the Allow list, if the domain is a federated partner that requires more than 1,000 legitimate, active requests on a consistent basis.
- Block the federated domain from connecting to your organization. To do this, add the name to the Block list and revoke the certification (that is, move it to the revoked list) so that the TLS connection is automatically dropped upon initiation. The Block list takes precedence over the Allow list; if a domain exists in both lists, the domain is blocked. In this case, the configuration validation mechanism on the Edge Server also reports a warning-level event (14518), in case the overlap is unintentional.
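The following is an added example, not Office Communications Server code: it models the decision rules this section describes (Allow list trust, Block list precedence over Allow, the watch list triggered by more than 1,000 user URIs or by a high share of invalid-user errors, and the 256-character name limit the procedures below state) and runs them over a constructed batch of SIP requests so the interaction of the rules can be seen on one screen. The error-rate threshold, the response code counted as an invalid-user error, all class and function names, and the sample domains and traffic are assumptions; the page gives only the 1,000-URI and 256-character figures and the event ID 14518.

```python
# Added model of the Access Edge federated-domain controls described above.
# Not product code; thresholds other than 1,000 URIs / 256 chars are assumed.
from collections import defaultdict
from dataclasses import dataclass, field

MAX_DOMAIN_NAME_LEN = 256         # stated limit for Allow/Block list entries
URI_WATCH_THRESHOLD = 1000        # "more than 1,000 user URIs" -> watch list
ERROR_RATE_WATCH_THRESHOLD = 0.5  # assumed; the text gives no number
INVALID_USER_RESPONSES = {404}    # assumed; text says "specific error messages"


@dataclass(frozen=True)
class SipRequest:
    source_domain: str   # federated (remote) SIP domain
    target_uri: str      # local user URI the request was addressed to
    response_code: int   # status the local deployment returned


@dataclass
class FederationLists:
    allow: set = field(default_factory=set)
    block: set = field(default_factory=set)

    def add(self, which, domain):
        """Enforce the per-list constraints the procedures state."""
        target = self.allow if which == "allow" else self.block
        if len(domain) > MAX_DOMAIN_NAME_LEN:
            raise ValueError("domain name exceeds 256 characters")
        if domain in target:
            raise ValueError(f"{domain} is already in the {which} list")
        target.add(domain)

    def overlaps(self):
        """Domains on both lists: blocked, and reported as event 14518."""
        return self.allow & self.block


@dataclass
class DomainStats:
    uris: set = field(default_factory=set)
    requests: int = 0
    errors: int = 0


def summarize(requests):
    """Per-domain counters of the kind the Access Edge service keeps."""
    stats = defaultdict(DomainStats)
    for r in requests:
        s = stats[r.source_domain]
        s.uris.add(r.target_uri)
        s.requests += 1
        if r.response_code in INVALID_USER_RESPONSES:
            s.errors += 1
    return stats


def classify(domain, stats, lists):
    """Return 'blocked', 'allowed', 'watch' or 'ok' for one federated domain."""
    if domain in lists.block:
        return "blocked"   # Block list takes precedence over Allow
    if domain in lists.allow:
        return "allowed"   # trusted: no throttling, no monitoring
    s = stats.get(domain, DomainStats())
    if len(s.uris) > URI_WATCH_THRESHOLD:
        return "watch"     # over the limit: further requests throttled
    if s.requests and s.errors / s.requests >= ERROR_RATE_WATCH_THRESHOLD:
        return "watch"     # high share of invalid-user errors
    return "ok"


def evaluate(requests, lists):
    stats = summarize(requests)
    return {d: classify(d, stats, lists) for d in sorted(stats)}


def constructed_traffic():
    """Constructed sample traffic exercising every branch of classify()."""
    reqs = [SipRequest("partner.example", f"sip:u{i}@local.example", 200)
            for i in range(1200)]                  # trusted, high volume
    reqs += [SipRequest("busy.example", f"sip:u{i}@local.example", 200)
             for i in range(1001)]                 # unlisted, just over 1,000
    reqs += [SipRequest("probe.example", f"sip:g{i}@local.example",
                        404 if i < 18 else 200) for i in range(20)]  # 90% 404
    reqs += [SipRequest("quiet.example", "sip:alice@local.example", 200)] * 5
    reqs += [SipRequest("dual.example", "sip:bob@local.example", 200)]
    return reqs


def run_demo():
    """Build the lists, evaluate the traffic, and report any list overlap."""
    lists = FederationLists()
    lists.add("allow", "partner.example")
    lists.add("allow", "dual.example")     # accidental overlap with Block
    lists.add("block", "dual.example")
    return evaluate(constructed_traffic(), lists), lists.overlaps()
```

Running `run_demo()` returns `partner.example` as allowed despite its 1,200 URIs, `busy.example` as watched because it is unlisted and just over the threshold, `probe.example` as watched on error ratio alone, `quiet.example` as ok, and `dual.example` as blocked, with the overlap set naming it as the entry an administrator should check against the event 14518 warning.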
Use the procedures in this section to monitor domains and the watch list and, if necessary, to manage individual domain connections.
To view federated domain connections and usage
- On an Edge Server running the Access Edge service, open Computer Management.
- In the console tree, expand Services and Applications, and then click Office Communications Server 2007 R2.
- In the details pane, click the Open Federation tab.
- Expand Domains and review the listed connections, looking for any activity that is out of the ordinary or suspicious, and then determine whether action is required for any domain.
- Expand Watch List and review the throttled connections, looking for any suspicious activity or domains that may require a higher level of trust, and then determine whether action is required.
To add an external domain to the Allow list
- On an Edge Server running the Access Edge service, open Computer Management.
- In the console tree, expand Services and Applications, right-click Office Communications Server 2007 R2, and then click Properties.
- On the Allow tab, click Add.
- In the Add Federated Partner dialog box, do the following:
  - In Federated partner domain name, type the FQDN of the external SIP domain of the federated partner that you want to add to the list. This name should not already exist in the Allow list for this Access Edge Server. The name cannot exceed 256 characters in length.
  - If the federated partner does not publish its federation records for discovery, or you want to establish a higher level of trust for the federated partner, in Federated partner Access Edge Server, type the FQDN of the Access Edge service that the federated partner uses for external connectivity. The name cannot exceed 256 characters in length.
To add an external domain to the Block list
- On an Edge Server running the Access Edge service, open Computer Management.
- In the console tree, expand Services and Applications, right-click Office Communications Server 2007 R2, and then click Properties.
- On the Block tab, click Add.
- In the Add Blocked SIP Domains dialog box, in SIP domain, type the name of the domain to be added to the list of blocked SIP domains. This name should be unique and should not already exist in the Block list for this Access Edge service. The name cannot exceed 256 characters in length.