One definite ‘must’ with Lync (or any other server) is knowing where and how to increase security. There are (sadly) too many reasons to list!

Obviously, you’ll have already configured security in the server room first – firewall setup, security apps and/or appliances. I’m not talking about that today.

I’m talking about increasing the security requirements for accessing Lync services themselves.

Now, you may not need to do this. If you have good network security, Lync communications should be fine. Deploy Lync’s Monitoring Server if you aren’t sure of the need.

If you’re subject to a lot of break-in attempts, or you have a lot of remote users, then you might want additional security.

I’ll cover two security increases today: Creating a new Registrar, and adding a new Web Service.

Registrar: Proxy Server Authentication

A Registrar demands authentication from Lync clients connecting through the proxy. You have three options: Kerberos, NTLM or Certificate authentication.
Kerberos is best for enterprise clients – but if you use it, add NTLM as well. That way remote clients (on smartphones) won’t need to go through Kerberos authentication all the time.

We use and recommend Certificate authentication. It’s a little faster, and easy to work with.

Whatever you choose, you’ll need to set up a Registrar in Lync to operate it. This is how you do that:

  • Log on (as Administrator) to any Lync-connected computer.
  • Open the Lync Server Control Panel in a browser.
  • Click Security in the left navigation bar.
  • Click Registrar.
  • On the Registrar page, click New.
  • Under Select a Service, click the service you want to apply the new Registrar to. Click OK.
  • Under New Registrar Setting, choose one (or more) of the options. Remember to consider client capabilities, and what your server environment would support:
    • Enable Kerberos Authentication
    • Enable NTLM Authentication
    • Enable Certificate Authentication
  • Click Commit.

Web Service: Protecting Server Access

The term “Web Service” means something a little different from what you’re used to. In Lync Server 2010, a Web Service is an authentication policy governing access to Lync servers and web-based services. Easy to set up, too.

  • Log on (as Administrator) to any Lync-connected computer.
  • Open the Lync Server Control Panel in a browser.
  • Click Security in the left navigation bar.
  • Click Web Service.
  • On the Web Service page, click New.
  • Select either Site Configuration or Pool Configuration.
    • Site Configuration configures the new Web Service policy for a Lync Site. Under Select a Site, click the site to which the Web Service policy will be applied, and click OK.
    • Pool Configuration configures the new Web Service policy for a Lync pool. Under Select a Service, click the service to which the Web Service policy will be applied, and click OK.
  • Under Windows authentication, select one: Negotiate, NTLM, or None.
  • Check one (or more) of the boxes below. Remember to consider client capabilities, and what your server environment would support:
    • Enable PIN Authentication – Clients can authenticate with a PIN.
    • Enable Certificate Authentication – Servers in the pool issue certificates to clients.
    • Enable Certificate Chain Download – Servers presented with an authentication certificate download the certificate chain for it.
    • Show Lync Attendee Download Link – Users are given the option to download Lync 2010 Attendee.
    • Show the Link for User to Join Meeting Using Legacy Client – Users are given the option to join meetings using Office Communicator 2007 (or older).
  • Click Commit.

Personally, I like the idea of a Certificate registrar and a PIN Authentication Web Service. Not too much configuration needed, and doubled protection.
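For anyone who prefers the Lync Server Management Shell to clicking through the Control Panel, here is an added example (not from the original post) that applies both configurations above using the same options. The pool FQDN and site name are placeholders; substitute your own.

```powershell
# Added example: Lync Server 2010 Management Shell equivalents of the two
# Control Panel procedures. The pool FQDN and site name below are
# placeholders, not values from any real deployment.
$PoolFqdn = "lyncpool01.example.com"   # placeholder
$SiteName = "HeadOffice"               # placeholder

# --- Registrar: proxy (client-to-server) authentication ----------------
# Certificate auth as the primary method; NTLM kept alongside Kerberos so
# remote and mobile clients are not forced through Kerberos every time.
New-CsProxyConfiguration -Identity "service:Registrar:$PoolFqdn" `
    -UseCertificateForClientToProxyAuth $true `
    -UseKerberosForClientToProxyAuth    $true `
    -UseNtlmForClientToProxyAuth        $true

# --- Web Service: authentication policy for the web components ---------
# Site-scoped policy: Negotiate for Windows auth, PIN and certificate auth
# enabled, certificate chain download on, legacy-client join link hidden.
New-CsWebServiceConfiguration -Identity "site:$SiteName" `
    -UseWindowsAuth                       Negotiate `
    -UsePinAuth                           $true `
    -UseCertificateAuth                   $true `
    -EnableCertChainDownload              $true `
    -ShowDownloadCommunicatorAttendeeLink $true `
    -ShowJoinUsingLegacyClientLink        $false

# --- Review what is now in effect (global defaults plus your overrides) --
Get-CsProxyConfiguration |
    Select-Object Identity, UseKerberosForClientToProxyAuth,
                  UseNtlmForClientToProxyAuth, UseCertificateForClientToProxyAuth |
    Format-Table -AutoSize

Get-CsWebServiceConfiguration |
    Select-Object Identity, UseWindowsAuth, UsePinAuth, UseCertificateAuth,
                  EnableCertChainDownload, ShowJoinUsingLegacyClientLink |
    Format-Table -AutoSize
```

The two Get-Cs* calls at the end list the global settings next to your new scoped ones, so you can confirm the override actually took effect for the pool or site you intended.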

What do you think? What kind of security have you deployed in your Lync Server?

Increase Lync Security: 20 Tasks Every Lync Administrator Must Know