If you work with Lync on a daily basis or if you have to use a specific feature of Lync for a project, this is the book for you. For solutions architects, technical consultants, and administrators, if you have a Lync deployment and you want to upgrade, integrate, secure, or extend it to the cloud, you can get valuable information from the recipes in this book.
Page count: 423
Year of publication: 2015
Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: January 2015
Production reference: 1210115
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78217-347-2
www.packtpub.com
Authors
Fabrizio Volpe
Alessio Giombini
Lasse Nordvik Wedø
António Vargas
Reviewers
Pantelis Apostolidis
Gianluca Bellu
Tonino Bruno
Randy Chapman
Desmond LEE
Clinton Mann
Johan Veldhuis
Commissioning Editor
Taron Pereira
Acquisition Editor
Kevin Colaco
Content Development Editor
Neeshma Ramakrishnan
Technical Editor
Indrajit A. Das
Copy Editors
Karuna Narayanan
Alfida Paiva
Project Coordinator
Danuta Jones
Proofreaders
Simran Bhogal
Maria Gould
Ameesha Green
Paul Hindle
Indexer
Priya Sane
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade
Fabrizio Volpe is a Lync MVP and an experienced IT professional, with more than 15 years of experience working in the IT department of large-scale banking and financial companies. He has been working as a network and systems administrator in various firms of the Iccrea Banking Group (one of the top banking groups in Italy) since 2000. From 2011 to 2013, before moving his focus to Unified Communications, Fabrizio received the MVP award for Directory Services.
Over the past few years, Fabrizio has participated as a speaker at many events and conferences (both Italian and international). He creates IT-focused content on different platforms that have received good feedback. His works are available on YouTube (http://www.youtube.com/user/lync2013), on his personal blog (http://www.absoluteuc.org), and on SlideShare (http://www.slideshare.net/fabriziov).
Fabrizio has published three books with Packt Publishing: Getting Started with FortiGate, Getting Started with Microsoft Lync Server 2013, and Instant Microsoft Forefront UAG Mobile Configuration Starter. He has also authored a successful free e-book, Microsoft Lync Server 2013: Basic Administration, available in the TechNet Office gallery (http://bit.ly/1jbzpfo), which has been downloaded more than 25,000 times.
This book is dedicated to my wife, Antonella.
Alessio Giombini is a solutions architect, with a strong focus on the Microsoft and Unified Communications area. He has over 15 years' worth of study and hands-on experience delivering small- to large-scale projects for major enterprise industries, mainly based on Microsoft and leading-edge technologies, systems applications, and operations running on top of them. He has a broad and mixed technical background in the IT infrastructure and communications field, systems integration, systems management, security, as well as an in-depth understanding of the business of computing and networking in enterprise organizations.
Alessio Giombini currently works for Intercall EMEA, based in the United Kingdom, as a solutions architect for Unified Communications platforms. He designs and deploys UC infrastructures based on Microsoft Lync and related technologies, including private and public cloud-based hosted solutions on multitenanted and dedicated Lync architectures. He also loves talking about Lync through presales, by delivering technical presentations and workshops, solution designs, writing HLD and LLD documents, delivering proof of concepts, and designing the solution through to implementation.
I wish to deeply thank my family, the lights of my life, Roberta, Carlotta, Giorgio and Nico, for their love and patience.
Lasse Nordvik Wedø has more than 14 years of experience working with large-scale IT infrastructure, specializing in planning, deploying, and supporting Unified Communications systems from both Microsoft and Cisco.
He previously specialized in planning, deploying, and supporting Windows Active Directory solutions, where security and messaging were his main areas of focus. He has recently been made a Microsoft P-TSP in Norway. In his spare time, he contributes to the Lync community through his own blog (http://tech.rundtomrundt.com), where he likes to share his thoughts and helpful scripts. He is also a contributor to a blog dedicated to helping admins organize their Enterprise Voice number plans (http://lyncnumbers.com). He was a speaker at Norwegian Lync day 2014 and TechEd Europe 2014.
António Vargas is a Microsoft Certified Solutions Master in Exchange 2013 with 15 years of experience as a Microsoft consultant, designing and deploying large-scale projects for customers across all industry sectors.
The main focus of his Microsoft projects is on the Unified Communications portfolio, more specifically on Microsoft Exchange, Microsoft Office 365, and Microsoft Lync.
Currently, António works for Intercall EMEA, based in the United Kingdom, as a Microsoft Unified Communications architect, planning, designing, and delivering migrations and greenfield deployments of Microsoft Exchange and Microsoft Office 365 environments. Most of his work also includes configuring all levels of integration between Microsoft Lync and Microsoft Exchange, on premises or on Office 365.
Pantelis Apostolidis is an IT professional who is passionate and has been working for a decade with almost all Microsoft IT Pro services, including the Domain, Exchange, Lync, System Center, Office 365, and Azure. His educational background includes a diploma in tourism management from the Technological Educational Institute (TEI) of Thessaloniki, and a diploma in computer network engineering from the IEK of Thessaloniki. He is a Microsoft Certified Solutions Expert (MCSE) Private Cloud. He has other certifications, which include MCSA 2012, MCITP EMA 2010, MCTS, MBSS, MS, MCSA 2003, and MCP. During his free time, he enjoys playing the guitar and reading fiction, but most of all, he enjoys spending time with his wife and two kids. He also blogs at http://proximagr.wordpress.com.
Gianluca Bellu started his IT career in 2001 in Rome (Italy) as a system engineer and a developer, and focused on Microsoft infrastructures for Line of Business applications at Nextiraone, Italy, which is a system integrator company with its presence in 15 countries.
In 2004, he was an IVR developer and a call center engineer at Alcatel Technologies. From 2006, he started working on Microsoft Office Communications Server 2007 (as it was in the beta version), and he was responsible for the business proposals and presales/postsales activities based on Microsoft UC as a new and innovative technology.
In 2014, he was hired by BT Switzerland Ltd. as a UCC Specialist in the BT Advise team based in Zurich.
Gianluca Bellu is now a Microsoft Certified IT Professional (MCITP) on Lync Server and a Microsoft Certified Application Developer (MCAD); during his career, he has also achieved Cisco CCNA certification, Snom certification (SCE), and many more on Audiocodes, Cycos, and Genesys.
He's the owner and blogger at http://msucblog.wordpress.com, in which he shares his know-how on Microsoft Unified Communications.
Tonino Bruno is a Microsoft Certified Master in messaging and a subject-matter expert on large-scale, complex, and cross-premises messaging solutions based on Microsoft Exchange and Lync Server. With over 13 years of experience as a subject matter expert, Tonino has become a trusted advisor for many of Belgium's largest and even international corporations. After having worked for 9 years at Compaq/HP, Tonino has successfully launched his own consulting firm and has been working in close collaboration with Microsoft Services in Belgium and Luxembourg for the past 5 years.
Randy Chapman is a Lync architect, evangelist, and blogger. Randy has worked with computers since the early 80s. Randy has done everything from sales and support, demonstration and design, installation, and training of everything from PCs and servers to communications systems for very small to very large companies. He has worked for over 15 years as a voice consultant and over 10 years as a Microsoft consultant with good knowledge, spanning the entire Microsoft stack. He has worked extensively with Exchange Server since 2000 and with System Center since 2008. He has been working with Microsoft-based Unified Communications for over 5 years. Over the years, he has designed, delivered, and supported many deployments of Lync 2010 and 2013. He has also integrated and replaced many PBXs from vendors such as Cisco, Avaya, Mitel, Alcatel, Ericsson, and Bosch to name a few, and provided training for end users, sales and support staff, as well as the next generation of UC consultants. He is a competent and confident speaker, who has spoken and demonstrated at Love Lync Events throughout the UK. Randy is active on many forums, including LinkedIn and TechNet, and his contribution to the TechNet Gallery has been downloaded thousands of times. Randy's Lync blog, http://lynciverse.com, gets more than 1,800 visitors a month.
Randy works for MeetingZone as a senior Lync architect and subject-matter expert. He helps companies all over the UK visualize and realize the benefits of Microsoft Lync-based UC solutions.
I would like to thank my wife, Tammy, for allowing me to continue to feed my obsession with all things Lync and Unified Communications. I would like to thank Simon, Stuart, and James for my start and for your help and support over the years. I would also like to thank all of the great Lync pros out there for fueling my passion. Finally, a special thanks to Fabrizio Volpe for giving me the opportunity to work on a project I feel so passionately about.
Desmond LEE specializes in end-to-end enterprise infrastructure and cloud solutions built around proven business processes and people integration across various industries. He is recognized as a Microsoft Most Valuable Professional (MVP Lync Server) for his passion and volunteer work in the IT community. Desmond is a long-time Microsoft Certified Trainer (MCT) and founder of the Swiss IT Pro User Group (www.swissitpro.com), an independent, non-profit organization for IT pros by IT pros championing Microsoft technologies.
An established speaker at major international and regional events and known for his real-world insights, Desmond contributes frequently to several highly rated publications, and acts as a moderator in popular Microsoft public forums/newsgroups. You can follow his IT adventures at www.leedesmond.com.
Clinton Mann has over 16 years of professional experience in the field of IT, and over those 16 years, he has worn many hats, and man, does he like his hats. With each of the hats he has worn, Clinton has always made it a point to learn and share new technologies with anyone who would listen, and most people benefit from his expertise. Clinton has a technolust like none before him; he truly does live and breathe technology.
Clinton currently works as an IT systems engineer at the Wyss Institute for Biologically Inspired Engineering at Harvard University. You can also find him living the digital dream on the Internet, of all the places, at https://www.linkedin.com/in/clintonmann. You can find him on Twitter at @manncl, and his website can be found at http://clintonmann.com.
I would like to thank Packt Publishing for giving me the opportunity to check an item off my bucket list: Review a book. I would also like to express my deepest gratitude to my wife, who is the North Star in my life and who always provides me with her light, support, and guidance. I would also like to thank my own wolf pack, Hendrix, Rizzio, and Rams.
Johan Veldhuis works as a Premier Field Engineer (PFE) for Microsoft. In his current role, he delivers both proactive and reactive services to customers from Microsoft for both Microsoft Exchange and Lync.
In his spare time, Johan spends time blogging via his own website (www.johanveldhuis.nl). Besides blogging, Johan is a member of the UC Architects (www.theucarchitects.com), which is a biweekly podcast, where Exchange and Lync freaks discuss both Exchange- and Lync-related topics.
This is the first cookbook dedicated to Lync Server 2013. While there are a few books dedicated to Lync (and Packt Publishing has published a couple of them), this is the first time that someone has tried to write down more than 300 pages of practical recipes, hints, and tips dedicated to this Unified Communication software.
While writing this book, we, as authors, know that Skype for Business will be available during this year, and a part of the existing features and interfaces could change to some extent. We are confident, anyway, that Lync Server 2013 will stay relevant for a long time, and we believe that people working on solutions based on Lync around the world will value the time and effort we have put into this cookbook.
We have tried to include in this book as much useful information as possible, to help Lync administrators in their everyday tasks and in planning, deploying, and managing some of the most complex scenarios and features. The coming years will see an increase in the use of cloud computing, and Lync, right now, integrates in many ways with Azure and Office 365. We have tried to explain the cloud-related features and options, in addition to the more traditional on-premises settings. As authors, we accept the risk that the ever-changing nature of the Microsoft Cloud might require updates to the material in this book, because our commitment is to provide you with the most relevant information.
As we said, this book is something new both in terms of format and content. We hope it will be like a tool that you will keep on your "desk", and consult over and over as the need arises.
Chapter 1, Lync 2013 Security, is dedicated to the hardening techniques for the Lync infrastructure and to some recipes to raise the level of security for some of the available features. This chapter includes a configuration guide to use Application Request Routing as a reverse proxy for Lync.
Chapter 2, Lync 2013 Authentication, focuses on the authentication protocols used in Lync for the various devices and identities that have access to the server features. This chapter contains recipes dedicated to authentication configuration and management, both on-premises and on the cloud.
Chapter 3, Lync Dial Plans and Voice Routing, discusses Enterprise Voice, which is the most complex feature to plan and administer in Lync Server 2013. Although a complete overview of such a vast topic is not possible, this chapter focuses on the management of dial plans and voice routing, introducing a series of real-world suggestions and recipes.
Chapter 4, Lync 2013 Integration with Exchange, requires comprehension of Exchange to deliver features such as Unified Messaging integration and Lync archiving with Exchange and the Unified Contact Store. The recipes in this chapter will help you in the tasks related to Lync / Exchange integration.
Chapter 5, Scripts and Tools for Lync, contains an overview of useful tools that every Lync administrator should know. The software and scripts presented in this chapter are so important that, in some cases, we have used them in a more extensive manner in other feature-focused chapters.
Chapter 6, Designing a Lync Solution – The Overlooked Aspects, takes care of some aspects that are often ignored during the design phase of a Lync solution. The human factor (such as training and assessment of user requirements) and more technical aspects are examined in this chapter.
Chapter 7, Lync 2013 in a Resource Forest, explores the different solutions available to maximize our Lync deployment with the use of a resource forest. The scenarios proposed include both on-premises and hybrid solutions to deliver Lync features to the users' forests.
Chapter 8, Managing Lync 2013 Hybrid and Lync Online, gives an overview of the tools and techniques required to manage Lync Online and to administer a hybrid deployment of Lync. There are recipes dedicated to help Lync administrators perform the most common administrative tasks in the previously mentioned scenarios.
Chapter 9, Lync 2013 Monitoring and Reporting, covers the concept of monitoring, which is a crucial aspect of a Lync production environment. Lync offers some default reports to monitor the health of our deployment and the quality of the audio and video experience that we offer to our users. The recipes in this chapter are dedicated both to the use of the previously mentioned information and to the configuration of additional controls.
Chapter 10, Managing Lync 2013 Backup and Restore, covers the Lync architecture, which contains mechanisms that grant a high level of continuity. Anyway, we have to provide a consistent plan to prevent data loss and configuration corruptions. This chapter is focused on identifying the information that we need to back up and explaining the ways to restore our working environment.
Chapter 11, Controlling Your Network – A Quick Drill into QoS and CAC, grants the best experience to our users, which is one of the most important aspects in every Lync deployment. Delivering audio and video services with no use of quality of service and no call control is a risky decision, which usually leads to offering services with a low level of performance. We have some important recipes in this chapter that cover the configuration and use of QOS and CAC in Lync Server 2013.
Chapter 12, Lync 2013 Debugging, discusses the concept of troubleshooting in Lync, which is usually a complicated task. This last chapter of the book lists and explains some of the best tools available to resolve different kinds of problems that we could face in a Lync environment.
To deploy Lync, the list of required software (also counting the additional software) includes the following:
This book is dedicated to Lync administrators, no matter the size of their deployment. People involved in a Lync project can use the book both for a specific recipe or to have an overview of some specific scenarios and configurations.
In this book, you will find several headings that appear frequently (Getting ready, How to do it, How it works, There's more, and See also).
To give clear instructions on how to complete a recipe, we use these sections as follows:
Getting ready: This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.
How to do it: This section contains the steps required to follow the recipe.
How it works: This section usually consists of a detailed explanation of what happened in the previous section.
There's more: This section consists of additional information about the recipe in order to make the reader more knowledgeable about the recipe.
See also: This section provides helpful links to other useful information for the recipe.
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "In our example, we have the resource forest (wonderland.lab) and the user forest (forest.lab)."
A block of code is set as follows:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "The UK-London-Local policy allows all forwarding."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
In this chapter, we will cover the following topics:
There is a high level of security inherent in all the Lync Server features. Unified communications, from a customer's point of view, require a special level of privacy and control, and Lync is designed with mechanisms to answer to this need in a clear manner. Lync updates (both on the client and on the server side) have added to the software a flexibility in design, so that it is now possible, for example, to use certificate authentication or passive authentication for mobility scenarios, or to add a two-factor authentication (as we will see in Chapter 2, Lync 2013 Authentication). In this chapter, we are going to talk about some of the security aspects related to the infrastructure. Lync 2013 security has two different scopes, one related to the network where the servers are located, and one related to the services we make available to the external users. The recipes regarding Role-Based Access Control and servers and database hardening are more relevant to protect our deployment from threats that come from the corporate network, while the topics related to ethical walls, reverse proxy, and edge security are fundamental aspects when the communication extends to the Internet.
A fundamental document that you should read as a starting point is the Security Framework for Lync Server 2013 post (http://technet.microsoft.com/en-us/library/dn481316.aspx), which will give you a high-level overview of the security features inside Lync Server 2013.
Lync Server 2013 administration uses Role-Based Access Control (RBAC) to assign different levels of access privileges to the users, and to enable them to perform specific administrative tasks. The idea behind RBAC in Lync 2013 is that adding a user to a specific group not only defines the features and administrative tasks they are able to manage but also limits the cmdlets they are able to use in the Lync Management Shell. There are some built-in administrative roles, and we are able to add custom groups for more granular control. Another operation we are able to perform is adding authorized cmdlets to both kinds of groups, expanding the allowed tasks for a specific RBAC role.
In our example, we will use both of the previously mentioned customizations, creating a new customized user group, CsUserModifier, based on the default group CsViewOnlyAdministrator, and adding access to the Set-CsUser cmdlet (to modify properties for existing user accounts).
The cmdlet will clone the permissions of the CsViewOnlyAdministrator group to the custom group.
Launch the following cmdlet to verify the list of administrative tasks delegated to the new group:
The output will be similar to what is shown in the following screenshot:
Now, we are able to use the cmdlet customization, adding the Set-CsUser cmdlet to the available tasks:
As important as it is for security, RBAC has a severe limitation because it is effective only for users who are working with Lync administrative tools from a remote workstation (http://technet.microsoft.com/en-us/library/gg425917.aspx). The controls are not enforced for users who are working locally on the Lync Server (or using a remote PowerShell session). Physical security of our servers is an important topic, and we should address it with all the available solutions (smart card access, doors, cameras, strong passwords, lights-out servers with no physical keyboard or monitor available, and so on).
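The RBAC recipe above (clone CsViewOnlyAdministrator into CsUserModifier, verify the delegated tasks, add Set-CsUser) as one script that also audits the result. This is an added example, not the book's own listing; it assumes a universal security group named CsUserModifier already exists in Active Directory and that collection entries render as `Name=<cmdlet>` when converted to text.

```powershell
# Added example, not the book's listing. Run in the Lync Server Management Shell
# with CsAdministrator rights. Assumption: a universal security group named
# CsUserModifier already exists in Active Directory; New-CsAdminRole binds the
# role to the group of the same name and fails if the group is missing.
$roleName    = 'CsUserModifier'
$template    = 'CsViewOnlyAdministrator'
$extraCmdlet = 'Set-CsUser'

# Return the bare cmdlet names a role may run.
# Assumption: entries may render as "Name=<cmdlet>", so that prefix is stripped.
function Get-RoleCmdletName([string]$Identity) {
    (Get-CsAdminRole -Identity $Identity).Cmdlets |
        ForEach-Object { "$_" -replace '^Name=', '' } |
        Sort-Object -Unique
}

# 1. Clone the built-in template into the custom role (skip if already present).
$existing = Get-CsAdminRole | Where-Object { "$($_.Identity)" -eq $roleName }
if (-not $existing) {
    New-CsAdminRole -Identity $roleName -Template $template | Out-Null
}

# 2. Verify the delegated tasks. Any difference from the template at this
#    point is a permission nobody asked for (or one added on an earlier run).
$baseline = Get-RoleCmdletName $template
$current  = Get-RoleCmdletName $roleName
$drift = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
if ($drift) {
    Write-Warning "$roleName already differs from ${template}:"
    $drift | Format-Table InputObject, SideIndicator -AutoSize
}

# 3. Grant the single extra cmdlet, using the list-modifier syntax so the
#    cloned list is extended rather than overwritten.
if ($current -notcontains $extraCmdlet) {
    Set-CsAdminRole -Identity $roleName -Cmdlets @{Add = $extraCmdlet}
}

# 4. Audit: everything the custom role can run beyond the read-only template.
$added = @(Get-RoleCmdletName $roleName | Where-Object { $baseline -notcontains $_ })
"Cmdlets granted beyond ${template}: $($added -join ', ')"
if ($added.Count -ne 1 -or $added[0] -ne $extraCmdlet) {
    Write-Warning "Expected exactly '$extraCmdlet' beyond the template; review the role."
}
```

Re-running the script is safe: steps 1 and 3 are skipped when already done, and step 4 flags any cmdlet that was added to the role outside this procedure.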
Talking about Lync Server 2013, we are interested in applying a defense-in-depth approach, using multiple defense layers against security threats. Various security solutions are applied to make bypassing of one of the layers more difficult. We are also able (at least) to buy time on the different layers before someone is able to access the next level of security. Our servers are the last layer before internal data and files of Lync are compromised. Hardening a Lync Server requires a series of steps, and we will see how to use the Security Configuration Wizard (SCW), a tool that makes it easier to fix some common misconfigurations and security flaws.
To increase the security of the operating system, we can use the SCW (if we are using Windows 2012 or Windows 2012 R2, SCW is an integrated tool). In the previously mentioned OS, the Configuration Wizard is part of the Tools menu.
While the following steps have been tested on a single installation Front End (Lync Server 2013 Standard Edition), we have to select the settings that best fit our specific security requirements, and verify them in a lab. Using SCW on a production environment without sufficient verification is a risky approach.
If any issue arises with the SCW, we are able to roll back to the previous configuration. If we don't have access to the local server, we can launch the SCW on another server and revert to the configuration remotely. The option is the one we can see in the following screenshot:
SCW can close TCP ports 8080 and 4443 on the Lync Front End. Running the Enable-CsComputer cmdlet, we are able to open again the required ports on the Windows Firewall. The same result can be obtained by using Lync Server Deployment Wizard or Bootstrapper.exe. For more details, see Re-activate server after Security Configuration Wizard closes ports in IIS (http://technet.microsoft.com/en-us/library/gg398851.aspx).
SCW can disable the RDP access. We are able to restore the feature with various solutions, for example, by selecting Remote Desktop from the Installed options list in the Select Administration and Other Options screen, as we can see in the following screenshot:
One of the obvious steps to enhance server security is the installation of an antivirus application. To avoid issues with Lync, we should follow the guidelines in the Antivirus scanning exclusions for Lync Server 2013 post at http://technet.microsoft.com/en-us/library/dn440138.aspx.
Lync Server 2013 uses SQL Server as a repository for key information such as the Central Management Store (CMS), which contains our Lync topology. Lync Standard Edition uses a collocated SQL Server Express backend database that we are not able to move on a different server. Although this configuration reduces the number of machines required for the Lync Server setup, this also limits the options we have to protect our databases. The suggestions in the There's more... and See also sections are usable for both the Standard Edition and Enterprise Edition of Lync Server. The steps in the How to do it... section are applicable only to Lync Server 2013 Enterprise Edition, which has a configuration based on SQL Server that runs on a separate server (with cluster and mirroring supported as a continuity solution).
There are different ways to protect a SQL server, including security measures for the filesystem and best practices, which we will see after the How to do it… section. The steps we will see now are meant to make it more difficult to attack our SQL database from the network. SQL Server uses a standard port (TCP 1433) for the default database instance, and TCP 1434 for the SQL Browser Service, which allows for connections to named instances of SQL Server that use dynamic ports. Using SQL Browser Service allows us to connect to a database without knowing what port each named instance is using. We will modify the default port for an instance, and disable the SQL Browser Service so that the only way for an attacker to find the TCP port used by our SQL instances is to perform port scanning (which is easier to detect).
There is a TechNet post that talks about a similar solution, Deploying a SQL Server nonstandard port and alias in Lync Server 2013, at http://technet.microsoft.com/en-us/library/dn776290.aspx. However, if we have more than a single instance on the same SQL Server, it makes sense also to disable the SQL Browser Service. If the service is running, discovering its TCP port will also give information about the ports used by the various instances.
Now, we are able to use the .reg file to import the same server alias settings on all the Lync Servers that require a connection to the database.
Customizing and limiting the TCP/IP service ports used by SQL Server will make it easier to protect the database, especially when we are using a firewall to protect the server. The SQL Server Browser service answers to requests for SQL resources and redirects the caller to the port where SQL Server is listening. If this service is disabled, an external attack will be more complex. Aliases will be used in the Lync Topology to connect our deployment to the databases that we have secured.
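A way to verify the outcome of this recipe from a Lync Server: list the SQL client aliases that the imported .reg file created, flag any that still use the default port or carry no fixed port, and confirm that the SQL Browser Service is disabled on the database server. This is an added example, not code from the book; `sql01.example.lab` is a placeholder host name, and the registry keys are the standard SQL client alias locations.

```powershell
# Added example, not from the book. 'sql01.example.lab' is a placeholder;
# pass the real back-end server name with -SqlServer.
param([string]$SqlServer = 'sql01.example.lab')

# SQL client aliases are stored under these keys (64-bit and 32-bit views).
# A TCP/IP alias value has the form "DBMSSOCN,<host>,<port>".
$aliasKeys = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'

function Get-SqlClientAlias {
    foreach ($path in $aliasKeys) {
        if (-not (Test-Path $path)) { continue }      # no aliases in this view
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $parts    = ([string]$key.GetValue($name)) -split ','
            $protocol = $parts[0].Trim()
            $target   = if ($parts.Count -ge 2) { $parts[1].Trim() } else { '' }
            $port     = if ($parts.Count -ge 3) { $parts[2].Trim() } else { '' }

            if ($protocol -ne 'DBMSSOCN') {
                $finding = 'REVIEW: not a TCP/IP alias'
            } elseif ($port -eq '') {
                $finding = 'REVIEW: no fixed port, depends on SQL Browser'
            } elseif ($port -eq '1433') {
                $finding = 'REVIEW: still on the default port'
            } else {
                $finding = 'OK'
            }

            New-Object PSObject -Property @{
                Alias = $name; Target = $target; Port = $port
                Finding = $finding; Key = $path
            }
        }
    }
}

# WMI is used instead of Get-Service so the start mode is available on the
# PowerShell versions shipped with Windows Server 2012 / 2012 R2.
function Get-SqlBrowserState([string]$ComputerName) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                         -Filter "Name='SQLBrowser'"
    if (-not $svc) { return 'SQLBrowser service not found' }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') {
        return 'OK: disabled and stopped'
    }
    "REVIEW: StartMode=$($svc.StartMode), State=$($svc.State)"
}

Get-SqlClientAlias | Select-Object Alias, Target, Port, Finding, Key |
    Format-Table -AutoSize
"SQL Browser on ${SqlServer}: $(Get-SqlBrowserState $SqlServer)"
```

Run it on every Lync Server that received the alias import; an alias present under only one of the two keys is reachable only by 64-bit or only by 32-bit clients.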
As we mentioned before, there are other ways to protect our database, for example, at the single file level, using a SQL server feature known as Transparent Data Encryption (TDE). TDE performs real-time encryption and decryption of the data and logfiles. It is supported in Lync Server 2013 as stated in the Lync Server 2013 supports TDE in SQL Server 2008 or a later version on a backend server post found at http://support.microsoft.com/kb/2912342.
Conferencing, in Lync Server 2013, has the same default security configuration that we had in Lync Server 2010. Justin Morris, in a post dedicated to Lync Server 2010 conferencing (http://www.justin-morris.net/understanding-conference-security-in-lync-server-2010/