Office Communications Server 2007 R2 uses TLS and MTLS to encrypt instant messages. All server-to-server traffic requires MTLS, regardless of whether the traffic is confined to the internal network or crosses the internal network perimeter. TLS is optional but recommended between the Mediation Server and media gateway, If TLS is configured on this link, MTLS is required. Therefore, the gateway must be configured with a certificate from a CA that is trusted by the Mediation Server.

Requirements for client-to-client traffic depend on whether that traffic crosses the internal corporate firewall. Strictly internal traffic can use either TLS, in which case the instant message is encrypted, or TCP, in which case it is not.

If you enable public IM connectivity, be aware that while communications between Office Communications Server and the public IM server are encrypted, communications between the public IM server and the public IM client might not be encrypted, depending on whether encryption is provided by the public IM provider. For details, see the Knowledge Base article Known issues that occur with public instant messaging after you install Live Communications Server Service Pack 1 at .

The following table summarizes the protocol requirements for each type of traffic.

Table 1. Traffic Protection

Traffic type Protected by





Instant messaging and presence

TLS (if configured for TLS)

Audio and video and desktop sharing of media


Desktop sharing (signaling)


Web conferencing


Meeting content download, address book download, distribution group expansion


Media Encryption

All media traffic is encrypted using Secure RTP (SRTP), a profile of Real-Time Transport Protocol (RTP) that provides confidentiality, authentication, and replay attack protection to RTP traffic. In addition, media flowing both directions between the Mediation Server and its internal next hop is also encrypted using SRTP. Media flowing in both directions between the Mediation Server and a media gateway is not encrypted. The Mediation server can support encryption to the media gateway, but the gateway must support MTLS and storage of a certificate.