Sessions between clients and the Communicator Web Access server can be secured through session time-outs and encryption. This section discusses both.
Securing Tokens
In Communicator Web Access, the same token is used for the session token and the authentication token. You can secure tokens by using short time-outs on Communicator Web Access virtual servers that service external requests. You can set different time-out values for public and private computers in the external virtual server’s properties.
Using Encryption
The following are the requirements and recommendations regarding encryption:
- You must use TLS/MTLS for all communications between Communicator Web Access servers and servers that are running Office Communications Server 2007 R2.
- You should always use HTTPS unless SSL offloading is used for performance reasons and effective security safeguards are in place.
- You may use HTTP for communications between a hardware load balancer or other device and the Communicator Web Access server if SSL offloading is used for performance reasons. In this case, the physical link should be secured.
- Do not use HTTP between the client and the Communicator Web Access server.