The sessions between clients and the Communicator Web Access server can be secured through session time-outs and encryption. This section discusses ways to secure sessions between the client and Communicator Web Access.

Securing Tokens

In Communicator Web Access, the same token is used for the session token and the authentication token. You can secure tokens by using short time-outs on Communicator Web Access virtual servers that service external requests. You can set different time-out values for public and private computers in the external virtual server’s properties.

Using Encryption

The following are the requirements and recommendations regarding encryption:

  • You must use TLS/MTLS for all communications between Communicator Web Access servers and servers that are running Office Communications Server 2007 R2.

  • You should always use HTTPS unless SSL offloading is used for performance reasons and effective security safeguards are in place.

  • You may use HTTP for communications between a hardware load balancer or other device and the Communicator Web Access server if SSL offloading is used for performance reasons. In this case, the physical link should be secured.

  • Do not use HTTP between the client and the Communicator Web Access server.