Updated 5-20-11 with new independent security tests against Lync Server 2010
I sometimes get asked by telecom teams how secure the voice traffic in Lync is, and whether the conferencing traffic is secure both on the internal network and externally. Note: diagrams and a few excerpts are taken from our whitepapers.
What type of secure communications are used with Lync?
Server-to-server Lync Server 2010 communication is encrypted by default. By requiring all servers to use certificates and by using Kerberos authentication, TLS, Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques, including 128-bit Advanced Encryption Standard (AES) encryption, virtually all Lync Server data is protected on the network.
Lync client-to-server traffic uses TLS for SIP signaling and SRTP for media such as audio, video and desktop sharing.
The following is a matrix showing the secure traffic types:
This diagram from the whitepaper shows how clients communicate securely using SRTP for audio and video and TLS for signaling, and how Lync servers communicate securely with each other using MTLS.
Can someone sniff the packets and get access to my Lync voice/data?
Using TLS makes a sniffing or man-in-the-middle attack very difficult to impossible within the time period in which a given conversation could be attacked. TLS authenticates all parties and encrypts all traffic. This does not prevent listening on the wire, but the attacker cannot read the traffic unless the encryption is broken. Additionally, by enabling SRTP, voice, video and desktop sharing traffic will be encrypted.
How do I secure my voice traffic?
Are there Lync Server GPOs I can use to lock things down?
Yes, there is a communicator.adm file located in the %windir%\inf folder that you can leverage.
What are tips to secure my Lync Edge servers?
What do I need to exclude from my antivirus program running on my Lync Server 2010?
· Lync Server 2010 processes:
· IIS processes:
· SQL Server processes:
· %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
· %ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
· %ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
Download the excellent Lync Security Guide available here.
Independent Lync Server 2010 security attack testing conducted by Miercom is here, in Section 6.0.
This has been a hot topic for some of my customers and I’m very happy to see its release. The whitepaper for Client Virtualization can be found here.
Products from both Microsoft and Citrix are detailed in the paper, including Remote Desktop Services (RDS), App-V, and Citrix’s XenDesktop and XenApp. The paper goes on to describe three different options for virtualization: Full Desktop Remoting, Application Remoting, and Application Streaming.
…cut/paste from whitepaper…
Full Desktop Remoting
Application Streaming 
Sharing PowerPoint Presentations
Desk phone paired using USBR
Application Streaming was verified on Microsoft products. For details, see the “Vendor Support” section earlier in the whitepaper. Audio is supported only in a VDI environment. Audio is not supported in a session-based desktop delivery environment such as Microsoft RDS. Communication modes for Online Meetings are limited by the peer-to-peer communication modes supported for the specified architecture. For example, if audio is not supported on the specified architecture, audio will not work in Online Meetings. Joining online meetings from a Microsoft Outlook meeting reminder and/or meeting invitation is not supported.
This was asked by a university in California. The answer is yes: it is possible with Exchange 2010, and Microsoft IT has been running in a backupless state for all production mailboxes since the Exchange 2010 beta. Note: pictures are from our documentation.
What backup and recovery requirements did MS IT have?
Support mailbox capacities of 5 GB.
Reduce backup costs by eliminating third-party backups.
Reduce administrative overhead by simplifying the mail restore process.
Provide recovery of mail items up to 30 days old.
What were the objectives MS IT had to meet to move to this state?
A minimum of 30 days of data available to be recovered at any time
The ability to recover any single item that was deleted within those last 30 days
The ability to hold information for longer than 30 days if active litigation required it
The safety to know that if one or two copies of the data went offline, the e-mail system data could still operate or be recovered
How did MS IT accomplish backupless Exchange 2010?
1) Implement Exchange 2010 DAG for high availability and general resiliency
2) Leverage the new dumpster and the additional feature called single item recovery
How do I recover something from single item recovery?
Administrators can recover purged items from the Exchange Control Panel E-Discovery UI (Enterprise CAL) or the Search-Mailbox cmdlet (Standard CAL). Below are your options:
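As an added example (not from the original post or Microsoft's documentation), here is the Exchange Management Shell path for the two steps above: enabling single item recovery with the 30-day window MS IT used, then recovering a purged item with Search-Mailbox. The mailbox name, search subject and target folder are assumed values.

```powershell
# Added example, not from the original post. Assumed names: mailbox
# "alice@contoso.com", a discovery mailbox named "Discovery Search Mailbox",
# and a message with subject "Q3 budget" that the user purged from Deleted Items.
# The account running this needs the Discovery Management role for Search-Mailbox.

# 1) Turn on single item recovery and keep purged items for 30 days.
#    RetainDeletedItemsFor controls how long items stay in the Recoverable Items
#    dumpster before they are permanently removed.
Set-Mailbox -Identity 'alice@contoso.com' `
    -SingleItemRecoveryEnabled $true `
    -RetainDeletedItemsFor 30

# Verify: expect SingleItemRecoveryEnabled = True, RetainDeletedItemsFor = 30.00:00:00
Get-Mailbox -Identity 'alice@contoso.com' |
    Format-List SingleItemRecoveryEnabled, RetainDeletedItemsFor

# 2) Check whether the purged item is still in the dumpster without copying
#    anything (estimate only). -SearchDumpsterOnly skips the visible folders.
Search-Mailbox -Identity 'alice@contoso.com' `
    -SearchQuery 'Subject:"Q3 budget"' `
    -SearchDumpsterOnly `
    -EstimateResultOnly

# 3) Copy the matching items from the dumpster into the discovery mailbox,
#    from which an administrator can hand them back to the user. -LogLevel Full
#    writes a log message listing every item copied, which is the audit record
#    of the recovery.
Search-Mailbox -Identity 'alice@contoso.com' `
    -SearchQuery 'Subject:"Q3 budget"' `
    -SearchDumpsterOnly `
    -TargetMailbox 'Discovery Search Mailbox' `
    -TargetFolder 'Recovered-alice' `
    -LogLevel Full
```

Setting RetainDeletedItemsFor on the mailbox overrides the database-level DeletedItemRetention, so the 30-day window applies even if the database default is shorter.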
Is a lagged database copy needed?
Initially, MS IT implemented a lagged copy during the beta; however, it did not align well with their core objectives: it added complexity, did not offer quick recovery, and if logical data corruption occurred, reseeding was required, which in effect loses the lagged aspect of the copy. Non-lagged DAG database replicas better met MS IT’s objectives and also allowed for recovery in the rare case of logical data corruption. Read more here on seeding, lagged copies, etc.
What is the general DAG and makeup of an MS IT mailbox server?
Exchange Native Data Protection – no backups
4 real-time DB copies on JBOD – see more on the JBOD decision here
Single item recovery set to 30 days
5 GB mailbox quota
Approx 300 users per DB
35 DBs per server
Variable number of nodes per DAG (up to 16)
Backup cost savings?
MS IT reduced its backup costs from ~$5 per mailbox per year using daily incremental backups to disk to $0 per mailbox after the move to Exchange 2010.
Read more on MS IT’s backupless approach here.
A university moving from Modular Messaging to Exchange 2010 UM wanted to know. Yes, the Exchange team has posted configuration notes for all of the validated Exchange 2010 UM PBXes and SIP gateways here.
These tech notes have detailed config information for NEC, Cisco, Avaya, Nortel, Siemens, and many others.
Excerpts from the Exchange 2010 UM connecting to an Avaya Aura 5.2.1 technote:
Cisco Call Manager 7.x technote excerpts:
Nortel CS1000 excerpts:
Audiocodes SIP gateway config example:
CS1000 config example:
Step 7: Pilot Number Configuration
OVL000
>ld 87
ESN000
MEM AVAIL: (U/P): 2340726 USED U P: 617730 88967 TOT: 3047423
DISK RECS AVAIL: 1151
REQ prt
CUST 0
FEAT cdp
TYPE dsc
DSC 3333
DSC 3333
FLEN 4
DSP LSC
RRPA NO
RLI 13
NPA
NXX
MEM AVAIL: (U/P): 2340726 USED U P: 617730 88967 TOT: 3047423
Yes, Bill found some additional end-user self-paced training for Lync.
Here is the course agenda:
Getting Started with Lync 2010
Grab the 1 hour 30 minute self-paced training here.
The Lync Server product team has completed testing of Lync Server 2010 and SQL Server 2008 R2. The product now fully supports SQL Server 2008 R2 on all Lync Server monitoring, archiving, and front-end server databases. At this time, SQL Server 2008 R2 is not supported for group chat databases.
The Lync Server 2010 Supportability Guide and other relevant content in the Lync Server Technical Library will be updated shortly to align to our updated supportability stance.
You couldn’t until today. Now you can grab the Lync Server 2010 Web Scheduler.
Here is what the Lync Web Scheduler can do:
Here are the Lync web scheduler deltas vs. the Conferencing Add-In for Microsoft Outlook:
Grab it here.
This was asked by a few universities. The answer is yes, using our Microsoft XMPP gateway.
Where do I grab the XMPP gateway?
It is free here, and there is also an updated fix for the XMPP gateway here. Some more XMPP config information is here.
It says it is for OCS R2; does it work with Lync?
Yes, it functions with Lync. The XMPP deployment guide has OCS R2 screenshots but can be applied to Lync. The OCS guy did a step-by-step Lync walkthrough here.
Any tweaks to the Microsoft XMPP gateway that will help?
Here are a few gateway configuration settings you can make that have helped with Google Talk federation:
1. Enable ‘Never Close Idle Connection’
2. Set the XMPP Refresh Connection Timer to 1 hour
3. Under Session, set the Subscription Refresh Timer to 1 hour
What can I do with a Jabber or Google Talk user when federated with Lync via the XMPP gateway?
The Microsoft XMPP gateway allows Lync users to add XMPP-capable IM contacts, see presence, and conduct 1-to-1 two-way instant messaging. Voice and video federation only work with Windows Live Messenger, Live@edu, or other Lync/OCS federated organizations.
What if I want voice and video federation, richer domain granularity, etc. between Lync and XMPP IM systems?
I found a third-party company called NextPlane that can help with an XMPP cloud federation service or an on-premises gateway if you require some of these richer XMPP federation features:
As discussed with a lot of my customers, Exchange UM no longer relies on System Center (SCOM) for this; Exchange 2010 SP1 now has built-in reporting.
Call Data Records (CDRs) are generated after each call. The server collects audio quality metrics using the same metrics that are used by the Lync Monitoring server. Once received, the audio metrics are stored in the e-discovery mailbox. They have a lifetime of 90 days, after which they are automatically erased. This value can’t be changed, but if you need them longer you can simply export them to a CSV file.
UM reporting is done via the EMC Toolbox. If you are a tenant UM admin you can also see the reports in ECP.
Call statistics provide stats about calls received or sent by UM servers. To generate them, UM reads the CDRs and calculates stats based on the period of time, type of call, dial plan, gateway, etc.
Call stats are generated once per day and can be filtered by month or day for the past 90 days.
More info on Call Statistics and individual call logs can be found here.
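The shell side of what is described above, as an added example (not from the original post or Microsoft's documentation): pulling the daily call statistics, listing one user's CDRs, and exporting each day's CDRs to CSV before the 90-day purge removes them. The mailbox name and export folder are assumed values.

```powershell
# Added example, not from the original post. Assumed: mailbox "alice@contoso.com",
# export folder C:\UMReports (must exist), run from the Exchange Management Shell
# on Exchange 2010 SP1 with the UM Management role.

# Daily call statistics for the last 90 days; -GroupBy also accepts Month and Total.
Get-UMCallSummaryReport -GroupBy Day |
    Select-Object Date, TotalCalls, VoiceMessageCalls, MissedCalls |
    Format-Table -AutoSize

# The per-call records behind the report for one user (the audio quality
# metrics are properties of each record).
Get-UMCallDataRecord -Mailbox 'alice@contoso.com' | Format-List

# Export one day's CDRs to a CSV file. -ClientStream takes any writable
# System.IO.Stream, so the file is opened explicitly and closed in 'finally'
# even if the export fails part way through.
function Export-UMCdrDay {
    param([Parameter(Mandatory = $true)][DateTime]$Day,
          [string]$Folder = 'C:\UMReports')

    $path = Join-Path $Folder ("UM-CDR-{0}.csv" -f $Day.ToString('yyyy-MM-dd'))
    $stream = New-Object System.IO.FileStream($path, [System.IO.FileMode]::Create)
    try {
        Export-UMCallDataRecord -Date $Day -ClientStream $stream
    }
    finally {
        $stream.Close()
    }
    return $path
}

# Archive the whole 90-day window, one CSV per day, so the records survive the
# automatic purge; re-run on a schedule to keep the archive rolling.
$start = (Get-Date).AddDays(-89).Date
0..89 | ForEach-Object { Export-UMCdrDay -Day $start.AddDays($_) }
```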
A common question for multi-datacenter deployments is how to control, after a failure, whether a DAG member is activated locally or in the other datacenter. This requires DAC mode. DAC (Datacenter Activation Coordination) mode is a property of the DAG that can be turned on or off; it is disabled by default.
In Exchange 2010 SP1, DAC mode has been extended to support two-member DAGs that have each member in a separate datacenter. Bottom line: you can now use DAC with DAG members in the same or different AD sites, which allows DAC to be used with two or more members of a DAG.
A common deployment I see has four DAG members, two servers in each datacenter. The file share witness (FSW) is in the primary datacenter and provides quorum. Now the primary datacenter has a power outage. The Exchange admin manually activates the secondary datacenter with an alternate file share witness.
When power is restored in the primary site and the two DAG members and witness server come online, they have a quorum (majority) and will try to activate the databases. This causes “split brain syndrome”, where both datacenters think they are hosting the active databases.
DAC mode avoids this: if it is enabled, when the DAG members come online they use the Datacenter Activation Coordination Protocol (DACP) before trying to mount databases.
For more information on how this works, check out the following TechNet article: http://technet.microsoft.com/en-us/library/dd979790.aspx
DAG with four members in two datacenters with two AD sites.
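As an added example (not from the original post or the TechNet article), here is the four-member, two-datacenter scenario above carried through in the Exchange Management Shell: enabling DAC mode, switching over to the secondary datacenter with the alternate witness, and what DAC changes when the primary site comes back. The DAG name, AD site names and witness server are assumed values.

```powershell
# Added example, not from the original post. Assumed names: DAG "DAG1",
# AD sites "Redmond" (primary) and "Tukwila" (secondary), alternate witness
# "FSW2.contoso.com" in Tukwila. Run from the Exchange Management Shell.

# 1) Enable DAC mode. In DagOnly mode a member must complete DACP with another
#    started member (or the witness) before it will mount databases.
Set-DatabaseAvailabilityGroup -Identity DAG1 -DatacenterActivationMode DagOnly

# Pre-stage the alternate witness so the surviving site can form quorum later.
Set-DatabaseAvailabilityGroup -Identity DAG1 `
    -AlternateWitnessServer 'FSW2.contoso.com' `
    -AlternateWitnessDirectory 'C:\DAGWitness\DAG1'

# 2) Primary datacenter loses power. From the secondary site, mark the Redmond
#    members as stopped. -ConfigurationOnly updates Active Directory only, since
#    the servers themselves are unreachable.
Stop-DatabaseAvailabilityGroup -Identity DAG1 -ActiveDirectorySite Redmond -ConfigurationOnly

# On each Tukwila member, stop the cluster service so the DAG can be re-formed.
Stop-Service ClusSvc

# Restore the DAG in the secondary site. It evicts the stopped members from the
# cluster and uses the pre-staged alternate witness for quorum.
Restore-DatabaseAvailabilityGroup -Identity DAG1 -ActiveDirectorySite Tukwila

# 3) Power returns in Redmond. With DAC mode on, the Redmond members are still in
#    StoppedMailboxServers and DACP prevents them from mounting databases on their
#    own, which is the split-brain case described above.
Get-DatabaseAvailabilityGroup -Identity DAG1 -Status |
    Format-List StartedMailboxServers, StoppedMailboxServers,
                WitnessServer, AlternateWitnessServer, DatacenterActivationMode

# 4) Once Redmond is healthy, bring its members back into the DAG explicitly.
Start-DatabaseAvailabilityGroup -Identity DAG1 -ActiveDirectorySite Redmond
```

Without DAC mode (DatacenterActivationMode = Off) the Restore and Start steps still work, but nothing stops the recovered Redmond members from mounting databases as soon as they regain quorum among themselves.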
Great write-up from EighTwOne (821) here.