Share via

How to apply External Access Policy in Lync Server 2013

  • Article

If a user has been enabled for Lync Server, you can configure SIP federation, XMPP federation, remote user access, and public instant messaging (IM) connectivity in the Lync Server Control Panel by applying the appropriate policies to specific users. For example, if you created an external access policy and you are in a closed federation, you can allow or restrict users from collaborating and contacting external users of a federated domain using external access policies for the users.

 

 Note:
 The <Automatic> settings apply the default server or global policy settings

To apply an external user policy to a user account

  1. From a user account that is assigned to the CsUserAdministrator role or the CsAdministrator role, log on to any computer in your internal deployment or log on to a Lync Server.

  2. Open a browser window, and then enter the Admin URL to open the Lync Server Control Panel. For details about the different methods you can use to start Lync Server Control Panel, see Open Lync Server 2013 administrative tools. Alternatively, if you are logged into the Lync Server, you can open the Lync Server Control Panel directly.

  3. In the left navigation bar, click Users, and then search on the user account that you want to configure.

  4. In the table that lists the search results, click the user account, click Edit, and then click Show details.

  5. In Edit Lync Server User under External access policy, select the user policy that you want to apply.

Assigning Per-User or Bulk External Access Policies by Using Lync Management Shell or Windows PowerShell Cmdlets:

Enables you to assign an external access policy to a user or a group of users. External access policies determine whether or not your users can: 1) communicate with users who have Session Initiation Protocol (SIP) accounts with a federated organization; 2) communicate with users who have SIP accounts with a public instant messaging (IM) provider such as MSN; and, 3) access Skype for Business Server over the Internet, without having to log on to your internal network.

**Step 1 **
=====
Check the existing external access policies applied to a user account using the below command
Get-CSEffectivePolicy –Identity “Maaz Siddiqui”

**Step 2 **
=====
Apply the external access policy which you want to the user account using the below command

 Grant-CsExternalAccessPolicy -Identity "Maaz Siddiqui" -PolicyName “Allow Federation Access”

**Step 3 **
=====
Check the applied external access policies for the account again to verify the changes

**Assigning External Access Policy for Bulk users or to the entire Organizational Unit (OU)
**

We will first try to pull the distinguished name or path for the OU to be applied with the policy. This can be achieved by going to the attribute editor of any object inside that OU and looking for "Distinguished Name"

Example:
-----------
“ad.kloudbaba.com/1Global/APAC/Commercial Property/Internal/Users/” 

Let us now convert the above OU into its ADDS Naming Context. For details about ADDS Naming context see here

So once we convert the above Distinguished Name or the path into its naming context we get:
***"OU=Users,***OU=Internal,*OU=Commercial Property,OU=APAC,OU=1Global,DC=ad,DC=kloudbaba,DC=com"
*
Once we have the naming context of the Organizational Unit, we can pipe the Get-CSUser command with Grant-CSExternalAccessPolicy to apply the external access policy on the entire OU. 

Get-CsUser -OU "OU=Users,OU=Internal,OU=Commercial Property,OU=APAC,OU=1Global,DC=ad,DC=kloudbaba,DC=com" | Grant-CsExternalAccessPolicy -PolicyName “Allow Federation Access”  

Thanks all!
Your's
Maaz Siddiqui
LinkedIn Profile

How to apply external access policy for bulk users in Lync 2013 by Maaz Siddiqui