Security requirements for Office Communications Server 2007 R2 include the following:
- Administrative credentials
- Security levels
- Media gateway security
Administrative Credentials
The following table outlines the permissions required to deploy the various server roles.
Note: By default, membership in the Domain Admins group is required to deploy or activate a server that is joined to an Active Directory domain. If you do not want to grant this level of privilege to the group or users deploying Office Communications Server, you can use the setup delegation wizard to provide a specific group the subset of permissions required for this task.
Table 1. Administrative Credentials Required for Deployment Tasks
| Procedure | Administrative credentials or roles required |
|---|---|
| Standard Edition | |
| Install prerequisite software | RTCUniversalServerAdmins group; Domain Admins group |
| Prepare Active Directory Domain Services (AD DS) | Member of Schema Admins group and Administrator rights on the schema master; member of Enterprise Admins group for the forest root domain; member of Enterprise Admins or Domain Admins group |
| Prepare Windows for setup | Administrators group |
| Create and verify DNS records | DNS Admins group |
| Deploy and activate Standard Edition server and applications | RTCUniversalServerAdmins group; Domain Admins group |
| Configure Standard Edition server | RTCUniversalServerAdmins group |
| Configure certificates for Office Communications Server | Administrators group; RTCUniversalServerAdmins group |
| Start the services | RTCUniversalServerAdmins group |
| Validate server configuration | RTCUniversalServerAdmins group |
| Optionally, configure A/V and Web conferencing | RTCUniversalServerAdmins group |
| Enterprise Edition, Consolidated Topology | |
| Install prerequisite software | RTCUniversalServerAdmins group; Domain Admins group |
| Prepare AD DS | Member of the Schema Admins group and Administrator rights on the schema master; member of the Enterprise Admins group for the forest root domain; member of the Enterprise Admins or Domain Admins group |
| Prepare Windows for setup | Administrators group |
| Install SQL Server | Local Administrator |
| Configure SQL Server for Office Communications Server | SQL Server administrator; local administrator |
| Optionally, configure a load balancer for the pool | Load balancer administrator |
| Create and verify DNS records | DNS Admins group |
| Create the pool | RTCUniversalServerAdmins group; Domain Admins group |
| Configure the pool and applications | RTCUniversalServerAdmins group |
| Add servers to the pool | Administrators group; RTCUniversalServerAdmins group; Domain Admins group |
| Configure certificates for Office Communications Server | Administrators group; RTCUniversalServerAdmins group |
| Start the services | RTCUniversalServerAdmins group |
| Validate the server and pool configuration | RTCUniversalServerAdmins group |
| Dial-in Conferencing | |
| Install and activate Office Communications Server 2007 R2 | Administrators group; RTCUniversalServerAdmins group; Domain Admins group |
| Activate Conferencing Attendant and Conferencing Announcement Service applications | RTCUniversalServerAdmins group; Domain Admins group |
| Install, activate, and configure the 2007 R2 version of Microsoft Office Communicator Web Access server | Administrators group; Domain Admins group |
| Optionally, enable remote user access to Communicator Web Access | Administrators group; Domain Admins group |
| Test the Dial-in Conferencing Web page | Office Communications Server 2007 R2 user |
| Create one or more location profiles | RTCUniversalServerAdmins group |
| Configure a global policy to support dial-in conferencing | RTCUniversalServerAdmins group |
| Deploy a Mediation Server | RTCUniversalServerAdmins group |
| Deploy a third-party basic media gateway, or configure the Mediation Server to perform SIP trunking | RTCUniversalServerAdmins group (to configure Mediation Server); administrator of the SIP trunking provider |
| Response Group Service | |
| Install and activate Office Communications Server 2007 R2 | Administrators group; RTCUniversalServerAdmins group; Domain Admins group |
| Activate the Response Group Service application | RTCUniversalServerAdmins group; Domain Admins group |
| Add agents, create agent groups, and create queues for the server pool | RTCUniversalServerAdmins group |
| Create the workflows | RTCUniversalServerAdmins group |
| Configure the Response Group tab | Domain Admins group |
| Archiving Server | |
| Install prerequisite software | Administrators group and Domain Admins group (to install Message Queuing with Active Directory integration enabled) |
| Install and activate Archiving Server | Administrators group; Domain Admins or RTCUniversalServerAdmins group |
| Configure Archiving Server associations | Administrators group |
| Configure users for archiving | RTCUniversalUserAdmins group |
| Start the archiving services | RTCUniversalUserAdmins group |
| Monitoring Server | |
| Install prerequisite software | Administrators group; Domain Admins group (to install Message Queuing with Active Directory integration enabled) |
| Install and activate Monitoring Server | Administrators group; Domain Admins or RTCUniversalServerAdmins group |
| Start the services | Administrators group |
| Deploy Monitoring Server reports | Administrators group |
| Configure Monitoring Server associations | Administrators group |
| Communicator Web Access | |
| Install and activate | Domain Admins |
| Create virtual server | Domain Admins, or RTCUniversalServerAdmins and local Administrators |
| Publish Communicator Web Access URLs | Domain Admins, or RTCUniversalServerAdmins and local Administrators |
| Manage Communicator Web Access settings | Domain Admins, or RTCUniversalServerAdmins and local Administrators |
| Group Chat | |
| Create SQL Server database | Database administrator |
| Set up Group Chat accounts and permissions | Administrators group |
| Obtain certificates for Group Chat | Administrators group |
| Install Group Chat | Administrators group |
| Configure Web site settings in IIS | Administrators group |
| Connect the Group Chat Administration Tool to Group Chat | Administrators group; Channel service administrator |
| Configure Group Chat user access | Administrators group |
| Deploy archiving and compliance support | Database administrator; Administrators group |
| Administrative Tools | |
| Install Administrative Tools on a centralized administrative console that is not running Office Communications Server | Administrators group; Domain Admins group |
| Configure user account settings | RTCUniversalUserAdmins |
| Configure all other settings (other than user account settings) | RTCUniversalServerAdmins |
| Edge Server | |
| Set up the infrastructure for Edge Servers | Administrators group |
| Set up Edge Servers | Administrators group; Domain Admins or RTCUniversalServerAdmins group |
| Configure the environment | Administrators group; Domain Admins or RTCUniversalServerAdmins group |
| Validate edge configuration | Administrators group; Domain Admins or RTCUniversalServerAdmins group |
| Communicator Mobile for Windows Mobile | |
| Install prerequisites | Administrator |
| Install Communicator Mobile for Windows Mobile | Administrator |
| Install self-signed certificates | Administrator |
| Configure the client | Administrator |
| Test IM and presence | Administrator |
| Communicator Mobile for Java | |
| Verify that prerequisites and dependencies are met | Administrator |
| Deploy the Communicator Mobile component | Administrator |
| Install Communicator Mobile for Java client software | Administrator |
| Configure and use the client | Administrator |
| Test IM and presence | Administrator |
| Outside Voice Control | |
| Install and activate Office Communications Server 2007 R2 | Administrators group; RTCUniversalServerAdmins group; Domain Admins group |
| Activate Outside Voice Control application | RTCUniversalServerAdmins group; Domain Admins group |
| Start the application | RTCUniversalServerAdmins group |
| Test Outside Voice dialing on a supported mobile client | Office Communications Server 2007 R2 user |
| Enterprise Voice with PBX Coexistence | |
| Deploy Office Communications Server, including a Mediation Server that connects to the PBX | |
| Deploy Office Communicator 2007 | Administrator on the computer on which Office Communicator is being installed |
| Enable users for IM and presence | RTCUniversalUserAdmins group |
| Configure Communications Server for Enterprise Voice | RTCUniversalServerAdmins group |
| Configure PBX to fork calls to Office Communications Server | RTCUniversalServerAdmins (to get information from AD DS to convert an extension into the correct telephone URI) |
| Deploy media gateways (if required) | Media gateways are external systems with their own authentication and authorization schemes. If the media gateway requires creation of trusted service entries, you must be at least a member of the RTCUniversalServerAdmins group. |
| Deploy RCC gateway (if required) | RCC gateways are external systems with their own authentication and authorization schemes. You must be at least a member of the RTCUniversalServerAdmins group to create the required trusted service entries. |
| Enable users for Enterprise Voice and PBX integration | RTCUniversalUserAdmins group |
| Enterprise Voice stand-alone (no PBX coexistence) | |
| Deploy Office Communications Server | |
| Deploy Office Communicator 2007 | Administrator on the computer on which Office Communicator is being installed |
| Configure Office Communications Server for Enterprise Voice | RTCUniversalUserAdmins group |
| Deploy Exchange Server 2007 Unified Messaging and configure it to integrate with Office Communications Server | |
| Deploy media gateways | Media gateways are external systems with their own authentication and authorization schemes. If the media gateway requires creation of trusted service entries, you must be at least a member of the RTCUniversalServerAdmins group. |
| Enable users for Enterprise Voice | RTCUniversalUserAdmins group |
| Device Update Service | |
| Deployment | Device Update Service is automatically installed on the Web Components Server. There are no specific deployment permissions needed outside those required to deploy Standard Edition or Enterprise Edition. |
Security Levels
The security levels required for deploying Office Communications Server 2007 R2 depend on the components your organization plans to deploy.
Exchange UM Security Levels
An Exchange Unified Messaging (UM) dial plan supports three different security levels: Unsecured, SIPSecured, and Secured. You configure security levels by means of the VoipSecurity parameter of the UM dial plan. The following table shows the appropriate dial plan security level depending on whether mutual TLS (MTLS) and Secure Real-Time Transport Protocol (SRTP) are enabled or disabled.
Table 2. VoipSecurity Values for Various Combinations of Mutual TLS and SRTP
| Security level | Mutual TLS | SRTP |
|---|---|---|
| Unsecured | Disabled | Disabled |
| SIPSecured | Enabled (required) | Disabled |
| Secured | Enabled (required) | Enabled (required) |
When integrating Exchange UM with Communications Server 2007 R2, you need to select the most appropriate dial plan security level for each voice profile. In making this selection, you should consider the following:
- MTLS is required between Exchange UM and Office Communications Server. Therefore, the dial plan security level must not be set to Unsecured.
- When dial plan security is set to SIPSecured, SRTP is disabled. In this case, the Office Communicator 2007 R2 client encryption level must be set to either rejected or optional.
- When dial plan security is set to Secured, SRTP is enabled and is required by Exchange UM. In this case, the Office Communicator 2007 R2 client encryption level must be set to either optional or required.
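The three rules above can be checked mechanically before a dial plan is associated with a voice profile. The following is an added example, not code from the Office Communications Server or Exchange documentation: it encodes Table 2 and the three compatibility rules as a small audit function and runs it over a constructed set of dial plans. The dial plan names, and the way the client encryption level is passed in as a plain string, are assumptions for illustration; in a real deployment the values would come from the Exchange UM dial plan's VoipSecurity parameter and the Office Communications Server media encryption setting.

```python
"""
Added example (not from the OCS 2007 R2 documentation): audit Exchange UM
dial plan security levels against the Office Communicator 2007 R2 client
encryption level, using the rules stated in the text.
"""
from dataclasses import dataclass

# Table 2 from the text: what each VoipSecurity value implies for MTLS and SRTP.
DIAL_PLAN_LEVELS = {
    "Unsecured":  {"mtls": False, "srtp": False},
    "SIPSecured": {"mtls": True,  "srtp": False},
    "Secured":    {"mtls": True,  "srtp": True},
}

# Office Communicator 2007 R2 client encryption levels named in the text.
CLIENT_ENCRYPTION_LEVELS = ("rejected", "optional", "required")


@dataclass
class Finding:
    dial_plan: str
    level: str
    ok: bool
    reason: str


def check_dial_plan(name: str, level: str, client_encryption: str) -> Finding:
    """Apply the three rules from the text to one dial plan."""
    if client_encryption not in CLIENT_ENCRYPTION_LEVELS:
        raise ValueError(f"unknown client encryption level {client_encryption!r}")
    if level not in DIAL_PLAN_LEVELS:
        return Finding(name, level, False, f"unknown VoipSecurity value {level!r}")

    caps = DIAL_PLAN_LEVELS[level]

    # Rule 1: MTLS is required between Exchange UM and OCS, so Unsecured never works.
    if not caps["mtls"]:
        return Finding(name, level, False,
                       "mutual TLS is disabled; OCS requires MTLS to Exchange UM")

    if caps["srtp"]:
        # Rule 3: Secured means Exchange UM requires SRTP, so a client that
        # rejects media encryption cannot negotiate a call.
        if client_encryption == "rejected":
            return Finding(name, level, False,
                           "dial plan requires SRTP but client encryption level is 'rejected'")
    else:
        # Rule 2: SIPSecured means SRTP is disabled, so a client that requires
        # media encryption cannot negotiate a call.
        if client_encryption == "required":
            return Finding(name, level, False,
                           "dial plan has SRTP disabled but client encryption level is 'required'")

    return Finding(name, level, True, "compatible")


def audit(dial_plans: dict, client_encryption: str) -> list:
    """Check every dial plan (name -> VoipSecurity value) against one client setting."""
    return [check_dial_plan(name, level, client_encryption)
            for name, level in dial_plans.items()]


# Constructed sample: three hypothetical dial plans, one per security level.
SAMPLE_DIAL_PLANS = {
    "HQ-Secured": "Secured",
    "Branch-SIPSecured": "SIPSecured",
    "Legacy-Unsecured": "Unsecured",
}

if __name__ == "__main__":
    for client_level in CLIENT_ENCRYPTION_LEVELS:
        print(f"client encryption level = {client_level}")
        for f in audit(SAMPLE_DIAL_PLANS, client_level):
            status = "OK  " if f.ok else "FAIL"
            print(f"  {status} {f.dial_plan} ({f.level}): {f.reason}")
```

Running the script with each client level shows that only the "optional" client setting is compatible with both SIPSecured and Secured dial plans, which is why a mixed environment usually ends up there; the Unsecured plan fails under every client setting because rule 1 is independent of the client.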
Media Gateway Security
Media flowing in both directions between the Mediation Server and the Communications Server network is encrypted using SRTP. Organizations that rely on IPsec for packet security are strongly advised to create an exception for a small media port range if they deploy Enterprise Voice. The security negotiations that IPsec requires work for ordinary UDP or TCP connections, but they can slow call setup to unacceptable levels.
Because a media gateway receives calls from the PSTN, which can present a potential security vulnerability, the following mitigations are recommended:
- Enable TLS on the link between the gateway and the Mediation Server. This ensures that signaling is encrypted end to end between the gateway and your internal users.
- Physically isolate the media gateway from the internal network by deploying the Mediation Server on a computer with two network adapters: the first accepting traffic only from the internal network, and the second accepting traffic only from the media gateway. Each adapter is configured with a separate listening address so that there is always a clear separation between trusted traffic originating in the Communications Server network and untrusted traffic from the PSTN.
The internal edge of a Mediation Server should be configured to correspond to a unique static route that is described by an IP address and a port number. The default port is 5061.
The external edge of a Mediation Server should be configured as the internal next-hop proxy for the media gateway. It should be identified by a unique combination of IP address and port number. The IP address should not be the same as that of the internal edge, but the default port is 5060.
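The two-adapter layout above is easy to get wrong in practice (both edges bound to the same address, or the gateway-facing edge placed on an internal subnet). The following is an added example, not code from the Office Communications Server documentation: it checks a Mediation Server's internal and gateway-facing edges against the guidance in this section. The configuration dictionary layout, the subnet addresses and the "tls" flag are constructed for illustration and are not an OCS configuration format.

```python
"""
Added example (not from the OCS 2007 R2 documentation): validate the
internal edge and gateway-facing (external) edge of a Mediation Server
against the isolation guidance in the text.
"""
import ipaddress

INTERNAL_EDGE_DEFAULT_PORT = 5061   # default internal edge port per the text
GATEWAY_EDGE_DEFAULT_PORT = 5060    # default external (gateway-facing) edge port per the text


def check_mediation_server(config: dict, internal_subnets: list) -> list:
    """
    Return a list of (severity, message) findings. 'error' findings violate
    the guidance in the text; 'note' findings only flag departures from the
    documented defaults that deserve a look at the static routes.
    """
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    internal = config["internal_edge"]
    gateway = config["gateway_edge"]
    int_ip = ipaddress.ip_address(internal["ip"])
    gw_ip = ipaddress.ip_address(gateway["ip"])
    findings = []

    # The two edges must be distinct listening addresses on separate adapters.
    if int_ip == gw_ip:
        findings.append(("error",
                         "internal and gateway edges share the same IP address; "
                         "use separate adapters with separate listening addresses"))

    # The internal edge must face the Communications Server network ...
    if not any(int_ip in n for n in nets):
        findings.append(("error", f"internal edge {int_ip} is not on an internal subnet"))

    # ... and the gateway edge must not, or PSTN traffic is not isolated.
    if any(gw_ip in n for n in nets):
        findings.append(("error",
                         f"gateway edge {gw_ip} is on an internal subnet; "
                         "untrusted PSTN traffic is not isolated from trusted traffic"))

    # Signaling between the gateway and the Mediation Server should be TLS.
    if not gateway.get("tls", False):
        findings.append(("error", "gateway link is not using TLS; signaling is unencrypted"))

    # Non-default ports are allowed but must match the static route definitions.
    if internal["port"] != INTERNAL_EDGE_DEFAULT_PORT:
        findings.append(("note",
                         f"internal edge port {internal['port']} differs from the default "
                         f"{INTERNAL_EDGE_DEFAULT_PORT}; confirm the static route matches"))
    if gateway["port"] != GATEWAY_EDGE_DEFAULT_PORT:
        findings.append(("note",
                         f"gateway edge port {gateway['port']} differs from the default "
                         f"{GATEWAY_EDGE_DEFAULT_PORT}; confirm the next-hop proxy setting matches"))
    return findings


# Constructed sample data: a private address range standing in for the
# Communications Server network, and two hypothetical Mediation Servers.
INTERNAL_SUBNETS = ["10.0.0.0/16"]

GOOD_CONFIG = {
    "internal_edge": {"ip": "10.0.1.10", "port": 5061},
    "gateway_edge": {"ip": "192.168.50.10", "port": 5060, "tls": True},
}

BAD_CONFIG = {
    # Same address on both edges, on the internal subnet, and no TLS to the gateway.
    "internal_edge": {"ip": "10.0.1.10", "port": 5061},
    "gateway_edge": {"ip": "10.0.1.10", "port": 5060, "tls": False},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        findings = check_mediation_server(cfg, INTERNAL_SUBNETS)
        print(f"{label}: {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The check treats the subnet list as the definition of "internal"; in a real deployment that list should come from the same source of truth used for the IPsec exception on the media port range, so that the two controls agree on which addresses are trusted.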