Book Image

Lync Server Cookbook

Book Image

Lync Server Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Lync Server Cookbook
Jan, 2015 | 392 pages
No titles found
Table of Contents (19 chapters)
Lync Server Cookbook
Lync Server Cookbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Lync 2013 Security
Lync 2013 Security
Introduction
Controlling administrative rights with RBAC and custom cmdlets
Hardening Lync Servers
Hardening Lync databases
Enhancing conferencing security
Managing certificates for the authentication of desk-phones
Deploying a secure Lync Edge
Applying ethical walls for federation security
Using Application Request Routing to configure a reverse proxy for Lync Server 2013
2
Lync 2013 Authentication
Lync 2013 Authentication
Introduction
Configuring passive authentication for Lync
Enabling two-factor authentication
Adding the app password for mobile clients
Authenticating with online services using DirSync
Managing Windows Azure Directory for Lync Online
Configuring server-to-server authentication
Troubleshooting with client authentication logging
3
Lync Dial Plans and Voice Routing
Lync Dial Plans and Voice Routing
Introduction
Introducing dial plans and voice routing
Defining dial plans
Configuring PSTN usage – voice policy
Configuring PSTN usage – Location-Based Routing
Enabling routes
Validating trunks
Configuring load balancing, failover, and least cost routing
Controlling call forwarding
4
Lync 2013 Integration with Exchange
Lync 2013 Integration with Exchange
Introduction
Configuring the Unified Messaging integration
Configuring OAuth between Lync 2013 and Exchange 2013
Configuring Lync 2013 and Exchange 2013 as partner applications
Configuring Lync 2013 to use Exchange 2013 for archiving
Configuring Lync 2013 to use the Exchange 2013 Unified Contact Store
Integrating Lync 2013 with the Exchange 2013 Outlook Web App
5
Scripts and Tools for Lync
Scripts and Tools for Lync
Introduction
Installing Lync prerequisites and more – Set-Cs2013Features
Creating a fully functional voice configuration – Lync Dialing Rule Optimizer
Switching between multiple Lync identities with a click – Profiles for Lync (P4L)
Tracing made easier – Lync 2013 Centralized Logging Tool
Identifying recurrent issues – Lync Pilot Deployment Health Analysis
Managing phone numbers – Search-LineURI and Get-UnusedNumbers
Managing Call Pickup Groups – Lync2013CallPickupManager 1.01
6
Designing a Lync Solution – The Overlooked Aspects
Designing a Lync Solution – The Overlooked Aspects
Introduction
Meeting your users' expectations
User training
Gathering the users' requirements
Weighing up around Lync virtualization
Network readiness – introduction
Defining personas for the network
Defining sites for the network
Network readiness – reviewing and analyzing results
7
Lync 2013 in a Resource Forest
Lync 2013 in a Resource Forest
Introduction
Planning a resource forest
Using Exchange Online for a Lync resource forest
Configuring FIM in a Lync resource forest
Synchronizing forests with FIM
Deploying Azure Active Directory Synchronization services (AAD Sync) in a Lync resource forest
AAD Sync synchronization services and rules
8
Managing Lync 2013 Hybrid and Lync Online
Managing Lync 2013 Hybrid and Lync Online
Introducing Lync Online
Administering with the Lync Admin Center
Using Lync Online Remote PowerShell
Using Lync Online cmdlets
Introducing Lync in a hybrid scenario
Planning and configuring a hybrid deployment
Moving users to the cloud
Moving users back on-premises
Debugging Lync Online issues
9
Lync 2013 Monitoring and Reporting
Lync 2013 Monitoring and Reporting
Introduction
Installing Lync 2013 monitoring reports
Selecting the right kind of report
Call Diagnostic Reports
Media Quality Diagnostic Reports
Call Leg Media Quality Report
Lync 2013 with System Center 2012 R2 Operations Manager
Configuring a watcher node and synthetic transactions
10
Managing Lync 2013 Backup and Restore
Managing Lync 2013 Backup and Restore
Introduction
Topology information
Configuration information
User database
Persistent Chat database
The Location Information LIS database
The Response Group Services configuration
Certificates
Backend databases
Voice dial plans, policies, and settings
File services
Don't forget the infrastructure – the greater recovery plan
11
Controlling Your Network – A Quick Drill into QoS and CAC
Controlling Your Network – A Quick Drill into QoS and CAC
Introduction
Gathering data about your network
Creating network bandwidth policies
Adding networks to the topology
Creating region links and routes
Enabling CAC
Preparing servers and clients for DSCP tagging
Controlling/limiting the port ranges for traffic
Media bypass
12
Lync 2013 Debugging
Lync 2013 Debugging
Introduction
Using Snooper to examine log files
Investigating Call Flow with Snooper Flow Chart
Reviewing Lync information with OCSLogger
Tracing from a command line with OCSTracer
Customizing CLS scenarios using CLSController
Testing our setting with Best Practices Analyzer
Capturing network traffic with Wireshark
Troubleshooting clients with the Microsoft Lync Connectivity Analyzer
Verifying a deployment with the Microsoft Remote Connectivity Analyzer
Index
Index

Hardening Lync Servers

Talking about Lync Server 2013, we are interested in applying a defense-in-depth approach, using multiple defense layers against security threats. Various security solutions are applied to make bypassing of one of the layers more difficult. We are also able (at least) to buy time on the different layers before someone is able to access the next level of security. Our servers are the last layer before internal data and files of Lync are compromised. Hardening a Lync Server requires a series of steps, and we will see how to use the Security Configuration Wizard (SCW), a tool that makes it easier to fix some common misconfigurations and security flaws.

Getting ready

To increase the security of the operating system, we can use the SCW (if we are using Windows 2012 or Windows 2012 R2 SCW it is an integrated tool). In the previously mentioned OS, the Configuration Wizard is part of the Tools menu.

Note

While the following steps have been tested on a single installation Front End (Lync Server 2013 Standard Edition), we have to select the settings that best fit our specific security requirements, and verify them in a lab. Using SCW on a production environment without sufficient verification is a risky approach.

How to do it...

  1. The Security Configuration Wizard option is accessible from the Tools menu in Server Manager, as we can see in the following screenshot:

  2. In the first screen, we have to click on Next and then on Create a new security policy.

  3. Select the name of the Lync Server that will act as a baseline (in our scenario, Madhatter).

  4. We can select Next in the Role-Based Service configuration screen and again Next in the Select Server Roles screen until we arrive at Select client features. Flag all the options and select Next.

  5. In the Select Administration and Other Options screen, select Background Intelligent Transfer Service BITs and Windows Audio.

  6. In the Select Additional Services menu, flag all the services and click on Next.

  7. Select Do not change the startup mode of the service and then select Next.

  8. In the Confirm Service Change screen, accept the default value and select Next.

  9. Flag the Skip this section in the Network Security screen (we have to leave the flag box clear if we want to use the Windows firewall too).

  10. Click on Next in the Registry Settings screen (if we don't have a legacy operating system that needs to connect to the Lync Server).

  11. In the Require SMB Security Signatures screen, we can clear the second flag as shown in the following screenshot. If the server has enough unused processing resources, digital signature is a security option that we can consider:

  12. As we can see in the following screenshot, in the Outbound Authentication Methods screen, we can leave the default settings as is if we are not going to use local accounts to authenticate with other servers:

  13. In the Outbound Authentication using Domain Accounts screen, we can leave the default settings as is and select Next with no changes also in Registry Settings Summary.

  14. If we are not going to use auditing, we can select Skip this section in the Audit Policy screen, and then click on Next in the Save Security Policy screen.

  15. Type a name for the policy (for example, LyncTemplate), optionally adding a description, and click on Next.

  16. Select Apply Now, and then click on Next and Finish in the Completing the Security Configuration Wizard screen.

  17. It is advisable to reboot the server in order to verify that the new settings have impacted the Lync Server startup phase.

How it works...

If any issue arises with the SCW, we are able to roll back to the previous configuration. If we don't have access to the local server, we can launch the SCW on another server and revert to the configuration remotely. The option is the one we can see in the following screenshot:

There's more...

SCW can close TCP ports 8080 and 4443 on the Lync Front End. Running the Enable-CsComputer cmdlet, we are able to open again the required ports on the Windows Firewall. The same result can be obtained by using Lync Server Deployment Wizard or Bootstrapper.exe. For more details, see Re-activate server after Security Configuration Wizard closes ports in IIS (http://technet.microsoft.com/en-us/library/gg398851.aspx).

SCW can disable the RDP access. We are able to restore the feature with various solutions, for example, by selecting Remote Desktop from the Installed options list in the Select Administration and Other Options screen, as we can see in the following screenshot:

See also

One of the obvious steps to enhance server security is the installation of an antivirus application. To avoid issues with Lync, we should follow the guidelines in this post Antivirus scanning exclusions for Lync Server 2013 post at http://technet.microsoft.com/en-us/library/dn440138.aspx.

Previous Section
End of Section 4
Next Section