Addressing Threats to On-Premises Conferences
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Office Communications Server 2007 R2 introduces the capability for enterprise users both inside and outside the firewall to create and join real-time Web conferences that are hosted on internal Office Communications Server 2007 R2 servers. Enterprise users can also invite external users who do not have an Active Directory Domain Services account to participate. Users who are employed by federated partners and have a secure, authenticated identity can also join conferences and, if promoted, can act as presenters. Anonymous users cannot create a conference or join one as a presenter, but they can be promoted to presenter after they join.
On-premises Web conferencing is built on top of the Office Communications Server basic security framework:
All servers are trusted.
All server connections are MTLS.
All communications are encrypted.
All users are authenticated.
Internal A/V Conferencing Servers in an expanded pool configuration connect to Front End Servers and Mediation Servers over MTLS. Internal Web Conferencing Servers connect to Front End Servers and the Web Conferencing Edge service over MTLS. On a Standard Edition server or in a consolidated pool configuration, conferencing servers are collocated on Front End Servers, but MTLS is still required for communication between the collocated components.
Enabling outside users to participate in on-premises Web conferences greatly increases the value of this feature, but it also entails some security risks. To address these risks, Office Communications Server provides the following additional safeguards:
Participant roles determine conference control privileges.
Participant types allow you to limit access to specific meetings.
Defined meeting types determine which types of participants can attend.
Conference scheduling is restricted to users who have Active Directory credentials in the internal network and are enabled for Office Communications Server 2007 R2.
Anonymous, that is, unauthenticated, users must present a conference password and pass digest authentication to join a meeting. Passwords are unique per conference.
Participant Roles
Meeting participants fall into three groups, each with its own privileges and restrictions:
Organizer. The user who creates a meeting, whether impromptu or by scheduling. An organizer must be an authenticated enterprise user and has control over all end-user aspects of a meeting.
Presenter. A user who is authorized to present information at a meeting, using whatever media is supported. A meeting organizer is by definition also a presenter and determines who else can be a presenter. An organizer can make this determination when a meeting is scheduled or while the meeting is under way.
Attendee. A user who has been invited to attend a meeting but who is not authorized to act as a presenter.
A presenter can also promote an attendee to the role of presenter during the meeting.
Participant Types
Meeting participants are also categorized by location and credentials. You can use both of these characteristics to specify which users can have access to specific meetings. Users can be divided broadly into internal and external users:
Internal users have Active Directory credentials within the enterprise and connect from locations inside the corporate firewall.
External users are those who temporarily or permanently connect to an enterprise from locations outside the corporate firewall. They might have Active Directory credentials. Office Communications Server 2007 R2 provides conferencing support for the following types of external users:
Remote users have a persistent Active Directory identity within the enterprise. They include employees who are working at home or on the road, and others, such as employees of trusted vendors, who have been granted enterprise credentials for their terms of service. Remote users can create and join conferences and act as presenters.
Federated users possess valid credentials with federated partners and are therefore treated as authenticated by Office Communications Server 2007 R2. Federated users can join conferences and be promoted to presenters after they have joined the meeting, but they cannot create conferences in enterprises with which they are federated.
Anonymous users do not have an Active Directory identity and are not federated with the enterprise. For conferencing, public cloud users are treated as anonymous users.
Customer data shows that many conferences involve external users. Those same customers also want reassurance about the identity of external users before allowing those users to join a conference. As the following section describes, Office Communications Server 2007 R2 limits meeting access to those user types that have been explicitly allowed and requires all user types to present appropriate credentials when entering a meeting.
Meeting Types
You can configure Office Communications Server 2007 R2 to support meetings that include the following types of users:
Internal users only. If you do not deploy edge servers, all participants have persistent Active Directory identities within the enterprise and can connect only from within your organization’s firewall.
Authenticated users only. All participants have Active Directory identities within the enterprise or within a federated enterprise, and they can connect from inside or outside your organization’s firewall.
Meetings that are open only to authenticated users can be one of two types:
Invite Within Network. All enterprise users can join the meeting. They join as attendees unless they have been designated as presenters by the meeting organizer. Federated users can join the meeting as attendees if they are invited by the organizer. Federated users cannot join the meeting as a presenter, but they can be promoted to presenter during the meeting.
Invite Within Network (Restricted). Only users with valid Active Directory credentials in the enterprise and who are on the meeting organizer’s presenter and attendee lists are allowed to attend a closed authenticated meeting. For example, a workgroup or business unit might use this designation for its regularly scheduled meeting. Federated and anonymous users are not permitted to join this type of meeting.
Invite Anyone. A meeting to which anonymous users can be invited. To create a meeting of this type, the meeting organizer must be authorized to invite anonymous users. Enterprise users join as attendees unless they are designated as presenters by the meeting organizer. Anonymous users join only as attendees, although they can be promoted to the presenter role by the meeting organizer after entering the meeting. To enter a meeting, anonymous users must present a conference key, which they receive in an e-mail meeting invitation. They must also pass digest authentication. For details about digest authentication, see Authentication for Office Communications Server 2007 R2.
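The participant-type and meeting-type rules above, modelled as a single join decision (an added example, not Office Communications Server code): the function returns whether a join is allowed and which role the participant receives. It assumes that organizer authorization, the organizer's invitation lists and the digest-authentication result are plain inputs, and that federated users are handled in Invite Anyone meetings the same way as in Invite Within Network, which the page does not state.

```python
import hmac
from dataclasses import dataclass
from enum import Enum

class UserType(Enum):
    INTERNAL = "internal"        # Active Directory identity, inside the firewall
    REMOTE = "remote"            # Active Directory identity, outside the firewall
    FEDERATED = "federated"      # authenticated by a federated partner
    ANONYMOUS = "anonymous"      # no AD identity, not federated (public cloud users too)
class MeetingType(Enum):
    WITHIN_NETWORK = "Invite Within Network"
    WITHIN_NETWORK_RESTRICTED = "Invite Within Network (Restricted)"
    ANYONE = "Invite Anyone"
@dataclass
class Meeting:
    meeting_type: MeetingType
    organizer_may_invite_anonymous: bool  # organizer's right to create Invite Anyone meetings
    presenters: frozenset = frozenset()   # names the organizer designated as presenters
    attendees: frozenset = frozenset()    # names on the organizer's attendee (invite) list
    conference_key: str = ""              # key sent to anonymous users in the e-mail invitation
@dataclass
class JoinRequest:
    name: str
    user_type: UserType
    presented_key: str = ""
    digest_auth_passed: bool = False      # outcome of digest authentication, modelled as a flag (assumption)

def evaluate_join(m: Meeting, r: JoinRequest) -> tuple:
    """Return (allowed, role or denial reason) for one join attempt."""
    enterprise = r.user_type in (UserType.INTERNAL, UserType.REMOTE)
    invited = r.name in m.presenters or r.name in m.attendees
    role = "presenter" if r.name in m.presenters else "attendee"
    if m.meeting_type is MeetingType.WITHIN_NETWORK_RESTRICTED:
        # Closed meeting: enterprise credentials plus a place on the organizer's lists
        return (True, role) if enterprise and invited else (False, "not an invited enterprise user")
    if m.meeting_type is MeetingType.ANYONE and not m.organizer_may_invite_anonymous:
        return False, "organizer is not authorized to hold Invite Anyone meetings"
    if enterprise:
        return True, role                 # attendee unless designated presenter
    if r.user_type is UserType.FEDERATED:
        # Attendee only, and only when invited (assumed to apply to Invite Anyone as well)
        return (True, "attendee") if invited else (False, "federated user not invited")
    if m.meeting_type is not MeetingType.ANYONE:
        return False, "anonymous users cannot join authenticated-only meetings"
    # Anonymous user in an Invite Anyone meeting: conference key, digest authentication, attendee only
    if not hmac.compare_digest(r.presented_key.encode(), m.conference_key.encode()):
        return False, "wrong conference key"
    if not r.digest_auth_passed:
        return False, "digest authentication failed"
    return True, "attendee"
```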