Federation provides your organization with the ability to communicate with other organizations' Edge Servers to share instant messaging (IM) and presence information. You can also federate with an audio conferencing provider (ACP) using either of the following two methods. The process of configuring federation with an organization or an ACP is identical. For details, see List of Supported ACPs at
If you have enabled federation on the Edge Server, you control access by federated partners, including ACPs, by using one of the following methods:
- Allow automatic discovery of federated partners. This is the default option during initial configuration of an Edge Server because it balances security with ease of configuration and management. For example, when you enable automatic discovery of federated partners on your Edge Server, Office Communications Server 2007 R2 allows any federated domain to send communications to you, automatically evaluates incoming traffic from federation partners, and limits or blocks that traffic based on trust level, amount of traffic, and administrator settings.
- Allow discovery of federated partners, but grant a higher level of trust to specific domains or Edge Servers that you specify on the Allow list. For example, if you want to grant a higher level of trust to partners using the Session Initiation Protocol (SIP) domains contoso.com and fabrikam.com, you would add these two domains on the Allow tab. Restricting discovery in this way establishes a higher level of trust for connections with the domains or Edge Servers that you add to your Allow list, but still provides the ease of management that is possible by discovering other federation partners that are not listed on the Allow tab.
- Do not allow discovery of federation partners, and limit access of federated partners to only the domains or Edge Servers for which you want to enable connections. Connections with federated partners are then allowed only with the specific domains or Edge Servers you add to the Allow tab. This method offers the highest level of security, but does not offer ease of management. For example, if the fully qualified domain name (FQDN) of a partner's Edge Server changes, you must manually change the FQDN of that server in the Allow list.
How Federated Traffic Is Evaluated When Using Automatic Discovery
If you choose to use automatic discovery of federated partners, the Edge Server automatically evaluates incoming federated traffic in the following way:
- If a federated party has sent requests to more than 1000 Uniform Resource Identifiers (URIs) (either valid or invalid) in the local domain, the connection is placed on the Watch list. Any additional requests are blocked by the Edge Server.
- If the Edge Server detects suspicious traffic on a connection, it will limit the federation partner to a low message rate of 1 message per second. The Edge Server detects suspicious traffic by calculating the ratio of successful to failed responses. The Edge Server also limits legitimate federated partner connections (that is, unless they are added to the Allow list) to 20 messages per second.
If you know that a legitimate federated partner will send more than 1000 requests, or a volume of over 20 messages per second, to your organization, you must add that federated partner on the Allow tab to allow these volumes.
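To make the interaction between the Allow list, the 1000-URI Watch list threshold, the suspicious-traffic ratio and the per-second caps concrete, here is an added model of that evaluation in Python. It is not Microsoft's code and not taken from this page; the exact failure-ratio cutoff, the minimum sample size and the partner domains and URIs in the sample traffic are assumptions constructed for the illustration.

```python
from collections import defaultdict

WATCH_URI_THRESHOLD = 1000   # requests to more than this many URIs place a partner on the Watch list
DEFAULT_RATE = 20            # messages/second for discovered partners that are not on the Allow list
SUSPICIOUS_RATE = 1          # messages/second once a connection looks suspicious
SUSPICIOUS_FAIL_RATIO = 0.5  # assumed cutoff: failed/total above this marks the traffic suspicious
MIN_SAMPLE = 4               # assumed: do not judge the ratio on fewer responses than this


class FederationEvaluator:
    def __init__(self, allow_list):
        self.allow_list = {d.lower() for d in allow_list}
        self.uris = defaultdict(set)    # partner domain -> distinct URIs it has addressed
        self.ok = defaultdict(int)      # partner domain -> successful responses
        self.failed = defaultdict(int)  # partner domain -> failed responses
        self.watch_list = set()

    def record(self, partner, uri, success):
        """Record one request from a federated partner. Returns True if it is
        admitted, False if the partner is already on the Watch list."""
        partner = partner.lower()
        if partner in self.watch_list:
            return False
        (self.ok if success else self.failed)[partner] += 1
        self.uris[partner].add(uri.lower())
        # Allow-listed partners are trusted, so the URI counter never throttles them.
        if partner not in self.allow_list and len(self.uris[partner]) > WATCH_URI_THRESHOLD:
            self.watch_list.add(partner)
        return True

    def rate_limit(self, partner):
        """Messages per second allowed for the partner; None means unrestricted."""
        partner = partner.lower()
        if partner in self.allow_list:
            return None
        total = self.ok[partner] + self.failed[partner]
        if total >= MIN_SAMPLE and self.failed[partner] / total > SUSPICIOUS_FAIL_RATIO:
            return SUSPICIOUS_RATE
        return DEFAULT_RATE


def run_sample():
    """Constructed traffic: a trusted partner, a URI-sweeping partner, a failing partner."""
    ev = FederationEvaluator(allow_list=["contoso.com", "fabrikam.com"])
    for i in range(1200):  # allow-listed partner legitimately exceeds 1000 URIs
        ev.record("fabrikam.com", f"sip:user{i}@local.example", True)
    for i in range(1100):  # unknown partner sweeping the directory ends up blocked
        ev.record("unknown.example", f"sip:user{i}@local.example", i % 2 == 0)
    for ok in (False, False, False, True):  # mostly failed responses
        ev.record("flaky.example", "sip:alice@local.example", ok)
    return ev
```

Running `run_sample()` shows the allow-listed partner staying unrestricted despite 1200 URIs, the unknown partner being blocked after its 1001st URI, and the partner with mostly failed responses dropping to 1 message per second.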
After configuring federation, you can use Office Communications Server 2007 R2 administrative tools to monitor and manage federated partner access on an ongoing basis.
Enabling discovery of federated partners
If you did not enable discovery of federated partners when you configured your Edge Server, you can use the Computer Management snap-in to do so. If you already selected this option during setup, you do not need to perform this step.
You must have the Office Communications Server 2007 R2 administrative tools installed to perform this procedure. For details about how to install the tools, see Installing Administrative Tools in the Administering Office Communications Server 2007 R2 documentation.
To enable discovery of federated partners
- Log on to the Edge Server as a member of the RTC Local Administrators group or a group with equivalent user rights.
- Open Computer Management by clicking Start, clicking All Programs, clicking Administrative Tools, and then clicking Computer Management.
- In the console tree, expand Services and Applications, right-click Microsoft Office Communications Server 2007 R2, and then click Properties.
- On the Access Methods tab, select the Allow discovery of federated partners check box.
Add a Trusted Federated Partner
To add a trusted federated partner domain and, optionally, the FQDN of its Edge Server, use the following procedure.
To add trusted federated partners
- Log on to the Edge Server as a member of the RTC Local Administrators group or a group with equivalent user rights.
- Open Computer Management by clicking Start, clicking All Programs, clicking Administrative Tools, and then clicking Computer Management.
- On the Allow tab, click Add.
- In the Add Federated Partner dialog box, do the following:
  - In the Federated partner domain name box, type the domain of the federated partner.
  - (Optional) In the Federated partner Access Edge Server box, type the FQDN of the Edge Server that you want to add to your Allow list. If you configure the FQDN of a partner's Edge Server and the FQDN changes, you must manually update your configuration for this partner.
  - Click OK.
- Repeat this procedure for each federated partner you want to add to your Allow list, and then click OK.