
LYNC SERVER COOKBOOK



Deploying a secure Lync Edge


Lync Edge is the role that makes Lync services available to external users and external companies in a secure manner. A Lync Edge Server is not joined to the internal domain and is generally deployed in a Demilitarized Zone (DMZ) network with a series of limitations (for example, name resolution of the Lync Servers in the internal network is usually limited to the local hosts file). These restrictions and the other built-in security features, however, are not enough to defend the server from every kind of Internet threat, including Distributed Denial-of-Service (DDoS) and brute-force attacks. An extremely powerful instrument we have at our disposal to protect our Lync deployment is the Microsoft SIP Processing Language (MSPL), a scripting language designed specifically to filter and route SIP messages. Chris Norman, for example, has shared a really interesting MSPL script to block presence indicators with federated partners at http://voipnorm.blogspot.it/2013/01/mspl-script-blocking-federated-presence.html. The idea behind the script is to keep the features we need running (such as IM) while limiting the information we expose to external users. The steps we will see (required to apply the previously mentioned solution) are the same every time we deploy an MSPL script as a server application.

How to do it...

  1. Connect to a Lync Front End Server.

  2. Open the Lync Server Management Shell and launch the following cmdlet to get a list of the existing server applications:

    Get-CsServerApplication
  3. Now, we can install the script (BlockFederatedPresence.am).

    New-CsServerApplication -Identity "EdgeServer:cheshirecat.absoluteuc.corp/Simple" -Uri "http://sip.absoluteuc.org/BlockFederatedPresence" -ScriptName "C:\BlockFederatedPresence.am" -Enabled $true -Critical $false

    The explanation of the preceding code is as follows:

    • The Identity parameter is made of the role (EdgeServer), the FQDN of the server, and, after the slash, the name under which the application will be listed by Get-CsServerApplication. In our scenario, the Edge Server is cheshirecat.absoluteuc.corp.

    • Uri must be identical to the appUri value declared in the applicationManifest element at the top of the script; if the two differ, the server application will not load. Chris Norman's script uses http://sip.yourdomain.com/BlockFederatedPresence, and I changed it to http://sip.absoluteuc.org/BlockFederatedPresence before registering it.

    • ScriptName indicates the path to the .am file (in our scenario, C:\BlockFederatedPresence.am). The manifest is read by the server that hosts the application, so the file must exist at that path on the Edge Server itself, even though the cmdlet is launched from the Front End.

    • Enabled ($true or $false) is a switch to activate or deactivate the application.

    • Critical ($true or $false) selects whether Lync Server must refuse to start when our application fails to start for any reason. Keep it at $false for a custom script: with $true, a broken manifest prevents the whole Edge role from starting.

  4. Once the new configuration has replicated to the Edge Server, we have to restart the Lync services on it (Stop-CsWindowsService; Start-CsWindowsService). The Edge Server is not domain-joined, so these two cmdlets are launched from its local Lync Server Management Shell.
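The four steps above, put together as a single script with the checks I would want before touching an Edge Server. This is an added example and not code from the book or from Chris Norman's post. It assumes the names used in the recipe (the Edge FQDN cheshirecat.absoluteuc.corp, the URI http://sip.absoluteuc.org/BlockFederatedPresence, and the manifest at C:\BlockFederatedPresence.am); it registers the application under the name BlockFederatedPresence rather than Simple, assumes a copy of the manifest is also available on the Front End so that its appUri can be compared with the -Uri we register, and uses RTCSRV, the service name of the Lync Server Access Edge service, for the restart.

```powershell
# Added example (not from the book). Assumptions: the Edge FQDN, application URI and
# manifest path are those of the recipe; a copy of the .am file is readable from the
# Front End; RTCSRV is the Lync Server Access Edge service on the Edge.

# --- Part 1: run from the Lync Server Management Shell on a Front End Server ---

$edgeFqdn     = 'cheshirecat.absoluteuc.corp'
$appName      = 'BlockFederatedPresence'            # recipe uses "Simple"; any name works
$appUri       = 'http://sip.absoluteuc.org/BlockFederatedPresence'
$manifestPath = 'C:\BlockFederatedPresence.am'      # path as it must exist ON THE EDGE
$identity     = "EdgeServer:$edgeFqdn/$appName"

# 1. Compare the appUri declared in the manifest with the -Uri we are about to register.
#    A mismatch means the server application will not load after the restart.
#    The attribute may be written as lc:appUri (namespaced) or as plain appUri.
[xml]$manifest = Get-Content -Path $manifestPath
$lcNs        = 'http://schemas.microsoft.com/lcs/2006/05'
$declaredUri = $manifest.DocumentElement.GetAttribute('appUri', $lcNs)
if (-not $declaredUri) { $declaredUri = $manifest.DocumentElement.GetAttribute('appUri') }
if ($declaredUri -ne $appUri) {
    throw "Manifest declares appUri '$declaredUri' but the registration uses '$appUri'."
}

# 2. Do not register the same identity twice; Get-CsServerApplication shows what exists.
if (Get-CsServerApplication -Identity $identity -ErrorAction SilentlyContinue) {
    throw "A server application with identity '$identity' already exists."
}

# 3. Register the application. -Critical $false keeps a faulty script from blocking
#    the start of the Edge role; -Enabled $true activates it immediately.
New-CsServerApplication -Identity $identity -Uri $appUri -ScriptName $manifestPath `
    -Enabled $true -Critical $false

# 4. The setting lives in the Central Management Store: push it to the Edge replica and
#    wait until the Edge reports itself up to date before restarting anything there.
Invoke-CsManagementStoreReplication -ReplicaFqdn $edgeFqdn
do {
    Start-Sleep -Seconds 10
    $status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $edgeFqdn
} until ($status.UpToDate)

# --- Part 2: run from the Lync Server Management Shell ON THE EDGE SERVER ---
# The Edge is not domain-joined, so this part is typed there, not from the Front End.
#
#   Test-Path 'C:\BlockFederatedPresence.am'   # must be $true on the Edge itself
#   Stop-CsWindowsService  -Name RTCSRV        # Lync Server Access Edge service
#   Start-CsWindowsService -Name RTCSRV
```

If the application has to be withdrawn in a hurry, Set-CsServerApplication -Identity "EdgeServer:cheshirecat.absoluteuc.corp/BlockFederatedPresence" -Enabled $false followed by the same RTCSRV restart on the Edge takes it out of the SIP processing path without removing the registration.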

See Also

Rui Maximo wrote a post about Lync Server 2010 Edge Servers in which he discusses DDoS attacks against the Edge and points out how to use MSPL to handle this kind of threat: Lync Server 2010: Security at the Edge at http://technet.microsoft.com/en-us/magazine/hh219285.aspx. Code4Lync at http://mohamedasakr.wordpress.com/ and Lync Development at http://blog.greenl.ee/ are two blogs, by Mohamed Sakr and Michael Greenlee respectively, with many interesting posts dedicated to MSPL.