Topic Last Modified: 2010-04-08
If you configured access for federated partners during deployment, you do not need to do so again unless you want to change the access method for Access Edge services of any or all of your federated partners.
Using Communications Server 2010, you can enable access by federated partners, such as other organizations. You can implement federation using the following methods:
- Allow discovery of federated partners. This is the default
option during initial configuration of an Access Edge service
because it balances security with ease of configuration and
management. For instance, when you enable discovery of federated
partners for your Access Edge service, Communications Server 2010
automatically evaluates incoming traffic from discovered federated
partners and limits or blocks that traffic based on trust level,
amount of traffic, and administrator settings.
- Do not allow discovery of federated partners, and limit access
of federated partners to only those listed on the Allow list.
Connections with federated partners are allowed only if the
federated partner domain and, optionally, the partner’s Access Edge
service FQDN are designated as allowed domains. This method offers
the highest level of security, but it does not offer the ease of
management and other features that are available with automatic
discovery.
You can enable discovery of federated partners and specify federated partners as allowed domains. If you enable discovery, your Access Edge service can search for federated partners other than the ones that have been designated as allowed domains.
If you did not specify the appropriate federation method during Edge Server deployment or you now want to change the federation method, you can use one of the following two procedures to enable the appropriate method:
- To allow discovery of Access Edge services, either with all
federated partners or only for specific federated partner domains,
use the first procedure in this section.
- To prevent discovery, which restricts federated partner access
to specific federated domains and their specified Access Edge
services, use the second procedure in this section.
To enable discovery of Edge Servers of federated partners
1. Open Communications Server Control Panel.
2. Click External User Access, click Access Edge Configuration, click the appropriate policy listed in the table, and then click Modify.
3. In Edit Access Edge Configuration, do the following:
   - Select the Enable federation check box.
   - Select the Enable partner domain discovery check box.
   - (Optional) Select Send archiving disclaimer to federated partners.
4. Click Commit.
5. Click Federated Domains, click New, and then click Allowed domain.
6. In New Federated Domains, do the following:
   - In Domain name (or FQDN), type the name of the federated partner domain.
     Note: This name must be unique and should not already exist as an allowed domain for this Access Edge service. The name cannot exceed 256 characters in length.
     The search on the federated partner domain name performs a suffix match. For example, if you type contoso.com, the search will also return the domain it.contoso.com.
     A federated partner domain cannot simultaneously be blocked and allowed. Communications Server 2010 prevents this from happening so that you do not have to synch up your lists.
   - (Optional) In Comment, type information that you want to share with other system administrators about this configuration.
7. Click Commit.
8. Repeat steps 5 through 7 for each federated partner that you want to allow.
To restrict federated partner access to specific Edge Servers
1. Open Communications Server Control Panel.
2. Click External User Access, click Access Edge Configuration, click the appropriate policy listed in the table, and then click Modify.
3. In Edit Access Edge Configuration, do the following:
   - Select the Enable federation check box.
   - Clear the Enable partner domain discovery check box.
   - (Optional) Select Send archiving disclaimer to federated partners.
4. Click Commit.
5. Click Federated Domains, click New, and then click Allowed domain.
6. In New Federated Domains, do the following:
   - In Domain name (or FQDN), type the name of the federated partner domain.
     Note: This name must be unique and should not already exist as an allowed domain for this Access Edge service. The name cannot exceed 256 characters in length.
     The search on the federated partner domain name performs a suffix match. For example, if you type contoso.com, the search will also return the domain it.contoso.com.
     A federated partner domain cannot simultaneously be blocked and allowed. Communications Server 2010 prevents this from happening so that you do not have to synch up your lists.
   - (Optional) In Comment, type information that you want to share with other system administrators about this configuration.
7. Click Commit.
8. Repeat steps 5 through 7 for each federated partner that you want to allow.
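The naming rules in the notes of both procedures (unique names, the 256-character limit, suffix matching, and no domain both blocked and allowed) can be checked against a planned list before it is typed into Control Panel. The following Python script is an added example, not part of Communications Server 2010 or the original topic; its function names and sample domains are constructed, and it assumes the suffix match applies on a DNS label boundary.

```python
# Added example: pre-check a planned Allowed/Blocked domain list against the
# rules in the notes above. All names and sample data here are constructed.
MAX_NAME_LEN = 256  # "The name cannot exceed 256 characters in length."

def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return name.strip().rstrip(".").lower()

def covered_by(name, entry):
    """True if `entry` suffix-matches `name` (assumption: on a label boundary)."""
    return name == entry or name.endswith("." + entry)

def check_lists(allowed, blocked):
    """Return a sorted list of (domain, problem) tuples for the planned lists."""
    problems = []
    allow = [normalize(d) for d in allowed]
    block = [normalize(d) for d in blocked]
    seen = set()
    for d in allow:
        if len(d) > MAX_NAME_LEN:
            problems.append((d, "longer than 256 characters"))
        if d in seen:
            problems.append((d, "duplicate allowed entry"))
        seen.add(d)
        if d in block:
            problems.append((d, "listed as both allowed and blocked"))
        # A shorter allowed entry already matches this one by suffix.
        for other in allow:
            if other != d and covered_by(d, other):
                problems.append((d, "already matched by allowed entry " + other))
        # Not a rule from the page: parent/child overlap with a blocked entry
        # is reported only so that an administrator reviews it.
        for b in block:
            if b != d and (covered_by(d, b) or covered_by(b, d)):
                problems.append((d, "overlaps blocked entry " + b))
    return sorted(set(problems))

# Constructed sample input.
PLANNED_ALLOWED = ["contoso.com", "it.contoso.com", "Fabrikam.com", "fabrikam.com."]
PLANNED_BLOCKED = ["fabrikam.com", "mail.contoso.com"]

if __name__ == "__main__":
    for domain, problem in check_lists(PLANNED_ALLOWED, PLANNED_BLOCKED):
        print(domain + ": " + problem)
```

An empty result means the planned list has none of the conflicts described in the notes; each reported entry should be resolved before the domain is added.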