Security requirements for Office Communications Server 2007 R2 include the following:

Administrative Credentials

The following table outlines the permissions required to deploy the various server roles.

Note:
By default, membership in the Domain Admins group is required to deploy or activate a server that is joined to an Active Directory domain. If you do not want to grant this level of privilege to the group or users deploying Office Communications Server, you can use the setup delegation wizard to provide a specific group the subset of permissions required for this task.

Table 1. Administrative Credentials Required for Deployment Tasks

Each entry lists the procedure, followed by the administrative credentials or roles required.

Standard Edition

  • Install prerequisite software: RTCUniversalServerAdmins group; Domain Admins group
  • Prepare Active Directory Domain Services (AD DS): member of the Schema Admins group with Administrator rights on the schema master (schema preparation); member of the Enterprise Admins group for the forest root domain (forest preparation); member of the Enterprise Admins or Domain Admins group (domain preparation)
  • Prepare Windows for setup: Administrators group
  • Create and verify DNS records: DNS Admins group
  • Deploy and activate Standard Edition server and applications: RTCUniversalServerAdmins group; Domain Admins group
  • Configure Standard Edition server: RTCUniversalServerAdmins group
  • Configure certificates for Office Communications Server: Administrators group; RTCUniversalServerAdmins group
  • Start the services: RTCUniversalServerAdmins group
  • Validate server configuration: RTCUniversalServerAdmins group
  • Optionally, configure A/V and Web conferencing: RTCUniversalServerAdmins group

Enterprise Edition, Consolidated Topology

  • Install prerequisite software: RTCUniversalServerAdmins group; Domain Admins group
  • Prepare AD DS: member of the Schema Admins group with Administrator rights on the schema master (schema preparation); member of the Enterprise Admins group for the forest root domain (forest preparation); member of the Enterprise Admins or Domain Admins group (domain preparation)
  • Prepare Windows for setup: Administrators group
  • Install SQL Server: local Administrator
  • Configure SQL Server for Office Communications Server: SQL Server administrator; local Administrator
  • Optionally, configure a load balancer for the pool: load balancer administrator
  • Create and verify DNS records: DNS Admins group
  • Create the pool: RTCUniversalServerAdmins group; Domain Admins group
  • Configure the pool and applications: RTCUniversalServerAdmins group
  • Add servers to the pool: Administrators group; RTCUniversalServerAdmins group; Domain Admins group
  • Configure certificates for Office Communications Server: Administrators group; RTCUniversalServerAdmins group
  • Start the services: RTCUniversalServerAdmins group
  • Validate the server and pool configuration: RTCUniversalServerAdmins group

Dial-in Conferencing

  • Install and activate Office Communications Server 2007 R2: Administrators group; RTCUniversalServerAdmins group; Domain Admins group
  • Activate Conferencing Attendant and Conferencing Announcement Service applications: RTCUniversalServerAdmins group; Domain Admins group
  • Install, activate, and configure the 2007 R2 version of Microsoft Office Communicator Web Access server: Administrators group; Domain Admins group
  • Optionally, enable remote user access to Communicator Web Access: Administrators group; Domain Admins group
  • Test the Dial-in Conferencing Web page: Office Communications Server 2007 R2 user
  • Create one or more location profiles: RTCUniversalServerAdmins group
  • Configure a global policy to support dial-in conferencing: RTCUniversalServerAdmins group
  • Deploy a Mediation Server: RTCUniversalServerAdmins group
  • Deploy a third-party basic media gateway, or configure the Mediation Server to perform SIP trunking: RTCUniversalServerAdmins group (to configure the Mediation Server); administrator of the SIP trunking provider

Response Group Service

  • Install and activate Office Communications Server 2007 R2: Administrators group; RTCUniversalServerAdmins group; Domain Admins group
  • Activate the Response Group Service application: RTCUniversalServerAdmins group; Domain Admins group
  • Add agents, create agent groups, and create queues for the server pool: RTCUniversalServerAdmins group
  • Create the workflows: RTCUniversalServerAdmins group
  • Configure the Response Group tab: Domain Admins group

Archiving Server

  • Install prerequisite software: Administrators group and Domain Admins group (to install Message Queuing with Active Directory integration enabled)
  • Install and activate Archiving Server: Administrators group; Domain Admins or RTCUniversalServerAdmins group
  • Configure Archiving Server associations: Administrators group
  • Configure users for archiving: RTCUniversalUserAdmins group
  • Start the archiving services: RTCUniversalServerAdmins group

Monitoring Server

  • Install prerequisite software: Administrators group; Domain Admins group (to install Message Queuing with Active Directory integration enabled)
  • Install and activate Monitoring Server: Administrators group; Domain Admins or RTCUniversalServerAdmins group
  • Start the services: Administrators group
  • Deploy Monitoring Server reports: Administrators group
  • Configure Monitoring Server associations: Administrators group

Communicator Web Access

  • Install and activate: Domain Admins
  • Create virtual server: Domain Admins, or RTCUniversalServerAdmins and local Administrators
  • Publish Communicator Web Access URLs: Domain Admins, or RTCUniversalServerAdmins and local Administrators
  • Manage Communicator Web Access settings: Domain Admins, or RTCUniversalServerAdmins and local Administrators

Group Chat

  • Create SQL Server database: database administrator
  • Set up Group Chat accounts and permissions: Administrators group
  • Obtain certificates for Group Chat: Administrators group
  • Install Group Chat: Administrators group
  • Configure Web site settings in IIS: Administrators group
  • Connect the Group Chat Administration Tool to Group Chat: Administrators group; channel service administrator
  • Configure Group Chat user access: Administrators group
  • Deploy archiving and compliance support: database administrator; Administrators group

Administrative Tools

  • Install Administrative Tools on a centralized administrative console that is not running Office Communications Server: Administrators group; Domain Admins group
  • Configure user account settings: RTCUniversalUserAdmins group
  • Configure all other settings (other than user account settings): RTCUniversalServerAdmins group

Edge Server

  • Set up the infrastructure for Edge Servers: Administrators group
  • Set up Edge Servers: Administrators group; Domain Admins or RTCUniversalServerAdmins group
  • Configure the environment: Administrators group; Domain Admins or RTCUniversalServerAdmins group
  • Validate edge configuration: Administrators group; Domain Admins or RTCUniversalServerAdmins group

Communicator Mobile for Windows Mobile

  • Install prerequisites: Administrator
  • Install Communicator Mobile for Windows Mobile: Administrator
  • Install self-signed certificates: Administrator
  • Configure the client: Administrator
  • Test IM and presence: Administrator

Communicator Mobile for Java

  • Verify that prerequisites and dependencies are met: Administrator
  • Deploy the Communicator Mobile component: Administrator
  • Install Communicator Mobile for Java client software: Administrator
  • Configure and use the client: Administrator
  • Test IM and presence: Administrator

Outside Voice Control

  • Install and activate Office Communications Server 2007 R2: Administrators group; RTCUniversalServerAdmins group; Domain Admins group
  • Activate Outside Voice Control application: RTCUniversalServerAdmins group; Domain Admins group
  • Start the application: RTCUniversalServerAdmins group
  • Test Outside Voice dialing on a supported mobile client: Office Communications Server 2007 R2 user

Enterprise Voice with PBX Coexistence

  • Deploy Office Communications Server, including the Mediation Server that connects to the PBX:
      • Create Enterprise pool: RTCUniversalServerAdmins and Domain Admins or equivalent credentials
      • Configure pool: RTCUniversalServerAdmins
      • Add server to pool: RTCUniversalServerAdmins
      • Configure certificate: RTCUniversalServerAdmins
      • Configure Web Components Server certificate: local Administrator credentials
      • Validate server and pool functionality: RTCUniversalServerAdmins
  • Deploy Office Communicator 2007: Administrator on the computer on which Office Communicator is being installed
  • Enable users for IM and presence: RTCUniversalUserAdmins group
  • Configure Communications Server for Enterprise Voice: RTCUniversalServerAdmins group
  • Configure PBX to fork calls to Office Communications Server: RTCUniversalServerAdmins (to read the information from AD DS needed to convert an extension into the correct telephone URI)
  • Deploy media gateways (if required): media gateways are external systems with their own authentication and authorization schemes. If the media gateway requires creation of trusted service entries, you must be at least a member of the RTCUniversalServerAdmins group.
  • Deploy RCC gateway (if required): RCC gateways are external systems with their own authentication and authorization schemes. You must be at least a member of the RTCUniversalServerAdmins group to create the required trusted service entries.
  • Enable users for Enterprise Voice and PBX integration: RTCUniversalUserAdmins group

Enterprise Voice stand-alone (no PBX coexistence)

  • Deploy Office Communications Server:
      • Create enterprise pool: RTCUniversalServerAdmins and Domain Admins or equivalent credentials
      • Configure pool: RTCUniversalServerAdmins
      • Add server to pool: RTCUniversalServerAdmins
      • Configure certificate: RTCUniversalServerAdmins
      • Configure Web Components Server certificate: local Administrator credentials
      • Validate server and pool functionality: RTCUniversalServerAdmins
  • Deploy Office Communicator 2007: Administrator on the computer on which Office Communicator is being installed
  • Configure Office Communications Server for Enterprise Voice: RTCUniversalServerAdmins group
  • Deploy Exchange Server 2007 Unified Messaging and configure it to integrate with Office Communications Server:
      • For Office Communications Server: RTCUniversalServerAdmins group
      • For Exchange Server: Exchange Organization Administrators permissions are sufficient when Office Communications Server and Exchange Server are running in the same forest.

        Note:
        The user account used to configure Exchange Unified Messaging must have READ access to Office Communications Server pools in AD DS and READ/WRITE access on the Exchange configuration containers (First Organization\UM Dial Plan Container, UM IP Gateway Container, UM Auto Attendant Container, and so on).
  • Deploy media gateways: media gateways are external systems with their own authentication and authorization schemes. If the media gateway requires creation of trusted service entries, you must be at least a member of the RTCUniversalServerAdmins group.
  • Enable users for Enterprise Voice: RTCUniversalUserAdmins group

Device Update Service

  • Deployment: Device Update Service is automatically installed on the Web Components Server. No deployment permissions are needed beyond those required to deploy Standard Edition or Enterprise Edition.
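Before starting any of the procedures in Table 1, it is worth confirming that the deployment account actually holds the listed groups, and reviewing who else holds the two RTC universal groups so that the Domain Admins fallback described in the note above can be delegated away. The following PowerShell is an added example and is not part of the original documentation or of the product; the procedure-to-group map is a hand-copied excerpt of Table 1 (multiple groups are treated as all required), and the sAMAccountName "DnsAdmins" is assumed for the group Table 1 calls "DNS Admins". Membership is read from the logon token rather than from the account's memberOf attribute so that nested group membership is counted.

```powershell
# Added example; not part of the original Office Communications Server documentation.
# Checks the current account against the groups Table 1 lists for a procedure, and
# lists the members of the OCS universal administrative groups for review.
# Assumptions: the $RequiredGroups map is an excerpt of Table 1 with multiple groups
# treated as "all required"; "DnsAdmins" is the sAMAccountName of "DNS Admins".
# Run from an elevated session, otherwise UAC filters Administrators out of the token.

$RequiredGroups = @{
    'Install prerequisite software'        = @('RTCUniversalServerAdmins', 'Domain Admins')
    'Prepare Windows for setup'            = @('Administrators')
    'Create and verify DNS records'        = @('DnsAdmins')
    'Deploy and activate Standard Edition' = @('RTCUniversalServerAdmins', 'Domain Admins')
    'Configure certificates'               = @('Administrators', 'RTCUniversalServerAdmins')
    'Configure user account settings'      = @('RTCUniversalUserAdmins')
}

function Get-TokenGroupNames {
    # Every group SID in the caller's access token, resolved to a name with the
    # DOMAIN\ or BUILTIN\ prefix removed so it compares against Table 1 wording.
    # Token groups include nested memberships, which a memberOf lookup would miss.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount])
            $account.Value.Split('\')[-1]
        } catch {
            # Orphaned SID (group deleted since logon); nothing to compare against.
        }
    }
}

function Test-DeploymentPermission {
    param(
        [Parameter(Mandatory=$true)] [string] $Procedure,
        # Injectable so the logic can be exercised offline with a constructed list.
        [string[]] $GroupNames = (Get-TokenGroupNames)
    )
    if (-not $RequiredGroups.ContainsKey($Procedure)) {
        throw "No entry for '$Procedure' in the Table 1 excerpt."
    }
    $missing = @($RequiredGroups[$Procedure] | Where-Object { $GroupNames -notcontains $_ })
    New-Object PSObject -Property @{
        Procedure = $Procedure
        Allowed   = ($missing.Count -eq 0)
        Missing   = $missing
        # When Domain Admins is the only gap, the note above recommends delegating the
        # subset of permissions with the setup delegation wizard rather than granting it.
        DelegateInstead = ($missing.Count -eq 1 -and $missing[0] -eq 'Domain Admins')
    }
}

function Get-OcsAdminGroupMembers {
    # Least-privilege review of the OCS universal groups through plain ADSI, which
    # works on Windows Server 2008 without the ActiveDirectory module. Groups with
    # more than 1500 members need ranged retrieval, which this does not implement.
    param([string[]] $Groups = @('RTCUniversalServerAdmins', 'RTCUniversalUserAdmins'))
    foreach ($g in $Groups) {
        $searcher = [adsisearcher] "(&(objectCategory=group)(sAMAccountName=$g))"
        $result = $searcher.FindOne()
        if ($result -eq $null) {
            Write-Warning "Group '$g' not found; has AD DS been prepared for Office Communications Server?"
            continue
        }
        foreach ($memberDn in $result.Properties['member']) {
            New-Object PSObject -Property @{ Group = $g; Member = $memberDn }
        }
    }
}

# Offline illustration with a constructed group list: RTCUniversalServerAdmins is held,
# Domain Admins is not, so the row is not allowed and delegation is the suggested fix.
Test-DeploymentPermission -Procedure 'Install prerequisite software' `
    -GroupNames @('Users', 'Administrators', 'RTCUniversalServerAdmins') | Format-List

# Live checks from the deployment account:
# Test-DeploymentPermission -Procedure 'Configure certificates' | Format-List
# Get-OcsAdminGroupMembers | Format-Table -AutoSize
```

The token-based check reports what the account can do right now; a group added after logon does not appear until the account logs on again, so re-run it after any delegation change.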

Security Levels

The security levels required for deploying Office Communications Server 2007 R2 depend on the components your organization plans to deploy.

Exchange UM Security Levels

An Exchange Unified Messaging (UM) dial plan supports three security levels: Unsecured, SIPSecured, and Secured. You configure the security level by means of the VoipSecurity parameter of the UM dial plan. The following table shows the appropriate dial plan security level depending on whether mutual TLS (MTLS) and Secure Real-Time Transport Protocol (SRTP) are enabled or disabled.

Table 2. VoipSecurity Values for Various Combinations of Mutual TLS and SRTP

Security level    Mutual TLS            SRTP
Unsecured         Disabled              Disabled
SIPSecured        Enabled (required)    Disabled
Secured           Enabled (required)    Enabled (required)

When integrating Exchange UM with Communications Server 2007 R2, you need to select the most appropriate dial plan security level for each voice profile. In making this selection, you should consider the following:

  • MTLS is required between Exchange UM and Office Communications Server. Therefore, the dial plan security level must not be set to Unsecured.

  • When dial plan security is set to SIPSecured, SRTP is disabled. In this case, the Office Communicator 2007 R2 client encryption level must be set to either rejected or optional; a client that requires encryption cannot negotiate media with a dial plan that disables SRTP.

  • When dial plan security is set to Secured, SRTP is enabled and is required by Exchange UM. In this case, the Office Communicator 2007 R2 client encryption level must be set to either optional or required; a client that rejects encryption cannot negotiate media with a dial plan that requires SRTP.
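The three rules above can be applied mechanically to every UM dial plan in the organization. The following PowerShell is an added example, not part of the original documentation or of either product. Get-UMDialPlan and Set-UMDialPlan are the Exchange Server 2007 cmdlets that read and set the VoIPSecurity value (run them from the Exchange Management Shell); the Communicator client encryption level is an Office Communications Server pool setting, so it is passed in by hand. The dial plan names in the sample objects are constructed.

```powershell
# Added example; not from the original documentation or from Microsoft. Applies the rules
# above to Exchange UM dial plans: Unsecured is never acceptable for OCS integration,
# SIPSecured needs the Communicator client encryption level at rejected or optional,
# Secured needs it at optional or required.
# Get-UMDialPlan / Set-UMDialPlan are the real Exchange 2007 cmdlets; the dial plan
# names below are constructed sample data.

function Test-UMDialPlanSecurity {
    param(
        # Any object with Name and VoIPSecurity properties, e.g. Get-UMDialPlan output.
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $DialPlan,
        [Parameter(Mandatory=$true)]
        [ValidateSet('rejected', 'optional', 'required')]
        [string] $ClientEncryptionLevel
    )
    process {
        $level  = [string] $DialPlan.VoIPSecurity
        $ok     = $false
        $reason = ''
        switch ($level) {
            'Unsecured' {
                $reason = 'MTLS between Exchange UM and Office Communications Server is mandatory; Unsecured is not permitted'
            }
            'SIPSecured' {
                $ok = @('rejected', 'optional') -contains $ClientEncryptionLevel
                if (-not $ok) { $reason = 'dial plan disables SRTP but the client requires encryption; media negotiation fails' }
            }
            'Secured' {
                $ok = @('optional', 'required') -contains $ClientEncryptionLevel
                if (-not $ok) { $reason = 'Exchange UM requires SRTP but the client rejects encryption; media negotiation fails' }
            }
            default {
                $reason = "unrecognised VoIPSecurity value '$level'"
            }
        }
        New-Object PSObject -Property @{
            DialPlan         = $DialPlan.Name
            VoIPSecurity     = $level
            ClientEncryption = $ClientEncryptionLevel
            Compliant        = $ok
            Reason           = $reason
        }
    }
}

# Constructed stand-ins for Get-UMDialPlan output, one per security level.
$sampleDialPlans = @(
    (New-Object PSObject -Property @{ Name = 'Legacy-PBX-Plan';   VoIPSecurity = 'Unsecured' }),
    (New-Object PSObject -Property @{ Name = 'Branch-Plan';       VoIPSecurity = 'SIPSecured' }),
    (New-Object PSObject -Property @{ Name = 'Headquarters-Plan'; VoIPSecurity = 'Secured' })
)

# With clients set to "required", only the Secured plan is compliant.
$sampleDialPlans | Test-UMDialPlanSecurity -ClientEncryptionLevel required | Format-Table -AutoSize

# Against a live organization, from the Exchange Management Shell:
# Get-UMDialPlan | Test-UMDialPlanSecurity -ClientEncryptionLevel required |
#     Where-Object { -not $_.Compliant }
# Remediating the Unsecured case (enables MTLS and SRTP on the dial plan):
# Set-UMDialPlan -Identity 'Legacy-PBX-Plan' -VoIPSecurity Secured
```

Run the check once per client encryption level in use; a pool whose clients are set to "required" and a pool set to "rejected" cannot both be served by a single SIPSecured or Secured dial plan.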

Media Gateway Security

Media flowing in both directions between the Mediation Server and the Communications Server network is encrypted using SRTP. Organizations that rely on IPsec for packet security are strongly advised to create an exception for a small media port range before deploying Enterprise Voice: the security negotiation that IPsec performs is acceptable for ordinary UDP or TCP connections, but it can slow call setup to unacceptable levels.

Because a media gateway receives calls from the PSTN, which is a potential source of attack, the following mitigations are recommended:

  • Enable TLS on the link between the gateway and the Mediation Server. This ensures that signaling is encrypted end to end between the gateway and your internal users.

  • Physically isolate the media gateway from the internal network by deploying the Mediation Server on a computer with two network adapters: the first accepting traffic only from the internal network, and the second accepting traffic only from the media gateway. Each adapter is configured with a separate listening address so that there is always a clear separation between trusted traffic originating in the Communications Server network and untrusted traffic from the PSTN. The separation holds only if each edge is bound to its own adapter's address rather than to all addresses; a listener bound to every interface is reachable from both networks regardless of which adapter the traffic arrives on.

    The internal edge of a Mediation Server should be configured to correspond to a unique static route that is described by an IP address and a port number. The default port is 5061.

    The external edge of a Mediation Server should be configured as the internal next-hop proxy for the media gateway. It should be identified by a unique combination of IP address and port number: the IP address must differ from that of the internal edge, and the default port is 5060.
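The two-adapter arrangement described above is easy to undo by accident, for example by leaving one edge on the wildcard address. The following PowerShell is an added example, not part of the original documentation, that checks a Mediation Server's actual TCP listeners against the intended topology: internal edge on the internal adapter's address and default port 5061, gateway edge on the gateway-facing adapter's address and default port 5060, distinct addresses, and no listener on 0.0.0.0 for either port. It parses the output of netstat so that it runs on Windows Server 2008 without newer cmdlets; the IP addresses and the captured netstat lines are constructed.

```powershell
# Added example; not part of the original documentation. Verifies that a dual-homed
# Mediation Server listens as described in the text: internal edge (default 5061) only on
# the internal adapter's address, gateway edge (default 5060) only on the gateway-facing
# adapter's address, the two addresses distinct, and neither port bound to 0.0.0.0.
# The addresses and the captured netstat lines below are constructed sample data.

function Get-TcpListeners {
    # Parses "netstat -ano -p tcp" into Address/Port/Pid objects. Defaults to running the
    # command; accepts captured lines so saved output can be checked offline.
    param([string[]] $NetstatOutput = (netstat -ano -p tcp))
    foreach ($line in $NetstatOutput) {
        # Example line:  TCP    10.0.0.5:5061    0.0.0.0:0    LISTENING    1432
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            New-Object PSObject -Property @{
                Address = $Matches[1]; Port = [int] $Matches[2]; Pid = [int] $Matches[3]
            }
        }
    }
}

function Test-MediationListenerSeparation {
    param(
        [Parameter(Mandatory=$true)] [string] $InternalAddress,
        [Parameter(Mandatory=$true)] [string] $GatewayAddress,
        [int] $InternalPort = 5061,
        [int] $GatewayPort  = 5060,
        [object[]] $Listeners = (Get-TcpListeners)
    )
    $findings = @()
    if ($InternalAddress -eq $GatewayAddress) {
        $findings += 'internal and gateway edges share one IP address; they must differ'
    }
    $edges = @(
        @{ Name = 'internal'; Address = $InternalAddress; Port = $InternalPort },
        @{ Name = 'gateway';  Address = $GatewayAddress;  Port = $GatewayPort }
    )
    foreach ($edge in $edges) {
        $onPort = @($Listeners | Where-Object { $_.Port -eq $edge.Port })
        if ($onPort.Count -eq 0) {
            $findings += "no listener on port $($edge.Port); is the $($edge.Name) edge running?"
        }
        foreach ($l in $onPort) {
            if ($l.Address -eq '0.0.0.0') {
                # Wildcard binding defeats the two-adapter isolation entirely.
                $findings += "$($edge.Name) edge port $($edge.Port) is bound to 0.0.0.0 and reachable from both networks"
            } elseif ($l.Address -ne $edge.Address) {
                $findings += "$($edge.Name) edge port $($edge.Port) is bound to $($l.Address), expected $($edge.Address)"
            }
        }
    }
    New-Object PSObject -Property @{ Separated = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed capture from a correctly separated server.
$goodCapture = @(
    '  TCP    10.0.0.5:5061          0.0.0.0:0              LISTENING       1432',
    '  TCP    192.168.50.5:5060      0.0.0.0:0              LISTENING       1432',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764'
)
# Constructed capture from a server whose gateway edge was left on the wildcard address.
$badCapture = @(
    '  TCP    10.0.0.5:5061          0.0.0.0:0              LISTENING       1432',
    '  TCP    0.0.0.0:5060           0.0.0.0:0              LISTENING       1432'
)
Test-MediationListenerSeparation -InternalAddress 10.0.0.5 -GatewayAddress 192.168.50.5 `
    -Listeners (Get-TcpListeners -NetstatOutput $goodCapture) | Format-List
Test-MediationListenerSeparation -InternalAddress 10.0.0.5 -GatewayAddress 192.168.50.5 `
    -Listeners (Get-TcpListeners -NetstatOutput $badCapture) | Format-List

# Live check on the Mediation Server itself:
# Test-MediationListenerSeparation -InternalAddress 10.0.0.5 -GatewayAddress 192.168.50.5
```

This covers the SIP signaling listeners only. The media port range that needs the IPsec exception described earlier is separate, and the gateway-side listener still needs TLS enabled as the first mitigation recommends; binding it to the right address does not by itself encrypt it.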