OCS Federated Partner

I recently discovered the concept of ‘Trust Level’ with OCS federated partners (I had assumed all partners were treated equally once they were added as a federated partner).  It turns out that one partner can be ‘trusted’ more than another, depending on how federation is configured on the OCS 2007 R2 Access Edge.

The element of trust comes into play when the Access Edge evaluates the federation traffic.  Here are the important points:

  • The Edge evaluates all federation activity for all partners.
  • The Edge detects ‘suspicious’ activity by looking at the ratio of successful to failed responses to a partner’s requests.
  • If the Edge server detects suspicious traffic, it can limit that federated partner to a throughput of 1 message per second.
  • The Edge limits a federated partner to 20 messages per second unless the partner’s SIP domain is explicitly added to the Allow list.
  • The Edge also limits any one federated partner to sending requests to “no more than 1000 Uniform Resource Identifiers (URIs) (either valid or invalid)” in your local SIP domain unless the partner is explicitly on the Allow list. I interpret this limit as traffic to 1000 unique SIP addresses; over what time period, I am not sure. The rule to follow is to add a federated partner you trust to the Allow list, so it never hits this limit. You can see which federated domains are on the watch list on the “Open Federation” tab in the 2007 R2 Access Edge management console.
  • If traffic from a federated partner does hit the 1000 limit, traffic from that domain is dropped. This is to prevent potential attacks on your SIP domain, such as probing for valid addresses.
  • Explicitly specifying an Access Edge FQDN along with a federated partner’s SIP domain on the Allow list grants the highest level of security: the partner is trusted from the perspective of the Edge evaluating that partner’s traffic, and because the Edge then accepts traffic for that SIP domain only from the named FQDN (rather than from whatever host a DNS lookup returns), it reduces the chances of a security breach such as a man-in-the-middle attack via DNS poisoning.
  • If you are adding an audio conferencing provider (ACP) as a federated partner, you need to specify both the SIP domain and the FQDN of the ACP as the associated Partner Access Edge.

If you are new to federation, there are two ways to configure federated communication with an external OCS deployment:

1) “Allow automatic discovery of federated partners” (Enhanced Federation: the Edge locates the partner’s Access Edge through the _sipfederationtls._tcp DNS SRV record of the partner’s SIP domain).

On the “Access Methods” tab on the Access Edge server | Properties (in the OCS 2007 R2 Access Edge management console):

[Screenshot Edge_Tab_1: Access Methods tab]

2) Explicitly specify the SIP domain of the federated partner in the allow list (on the “Allow” tab):

[Screenshot Edge_Tab_2: Allow tab]

Note: Specific SIP domains can be BLOCKED by adding them in the Domains section of the Block tab.
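To make the trust levels above concrete, here is a small Python model of the rules the post lists (block list, Allow list with an optional pinned partner Edge FQDN, automatic discovery, the 20 messages/second and 1000-URI caps for discovered partners, and the 1 message/second throttle once traffic looks suspicious). This is an added example, not code from this post, from Microsoft, or from any OCS component: the one-second rate window, counting distinct URIs over the partner's lifetime, the failure-ratio threshold, and the domain and host names in the demo traffic are all assumptions made for illustration.

```python
"""Model of the OCS 2007 R2 Access Edge federation trust policy described above (added
example; rate windows, the 1000-URI scope and the suspicious threshold are assumptions)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set

OPEN_FEDERATION_MSG_PER_SEC = 20  # from the post: partners not on the Allow list
SUSPICIOUS_MSG_PER_SEC = 1        # from the post: after suspicious activity is detected
OPEN_FEDERATION_URI_LIMIT = 1000  # from the post: distinct local URIs (window not stated)
SUSPICIOUS_MIN_RESPONSES = 10     # assumption: some history is needed before judging a partner
SUSPICIOUS_FAILURE_RATIO = 0.5    # assumption: more failed than successful responses

@dataclass
class EdgePolicy:
    allow: Dict[str, Optional[str]] = field(default_factory=dict)  # Allow tab: SIP domain -> partner Edge FQDN (None = any host)
    block: Set[str] = field(default_factory=set)                   # Block tab: SIP domains always refused
    allow_discovery: bool = True  # "Allow automatic discovery of federated partners" (Access Methods tab)

@dataclass
class PartnerState:  # counters kept per discovered (not allow-listed) partner domain
    sent: Deque[float] = field(default_factory=deque)  # timestamps of accepted requests in the last second
    uris: Set[str] = field(default_factory=set)        # distinct local URIs this partner has targeted
    ok: int = 0
    failed: int = 0
    dropped: bool = False

    def suspicious(self) -> bool:
        total = self.ok + self.failed
        return total >= SUSPICIOUS_MIN_RESPONSES and self.failed / total > SUSPICIOUS_FAILURE_RATIO

class AccessEdge:
    def __init__(self, policy: EdgePolicy) -> None:
        self.policy = policy
        self.state: Dict[str, PartnerState] = {}

    def evaluate(self, sip_domain: str, src_edge_fqdn: str, target_uri: str,
                 now: float, response_ok: bool = True) -> str:
        """Verdict for one inbound federated request; records how the local side answered it."""
        sip_domain = sip_domain.lower()
        if sip_domain in self.policy.block:
            return "drop:blocked"
        if sip_domain in self.policy.allow:
            expected = self.policy.allow[sip_domain]
            if expected and src_edge_fqdn.lower() != expected.lower():
                return "drop:edge-mismatch"  # pinned Edge FQDN: any other sending host is refused
            return "allow"  # explicitly trusted: exempt from the heuristic limits below
        if not self.policy.allow_discovery:
            return "drop:not-allowed"
        st = self.state.setdefault(sip_domain, PartnerState())
        if st.dropped:
            return "drop:uri-limit"
        st.uris.add(target_uri.lower())
        if len(st.uris) > OPEN_FEDERATION_URI_LIMIT:
            st.dropped = True  # sweeping the local directory is treated as an attack
            return "drop:uri-limit"
        while st.sent and now - st.sent[0] >= 1.0:  # sliding one-second window
            st.sent.popleft()
        limit = SUSPICIOUS_MSG_PER_SEC if st.suspicious() else OPEN_FEDERATION_MSG_PER_SEC
        if len(st.sent) >= limit:
            return "throttle"
        st.sent.append(now)
        if response_ok:
            st.ok += 1
        else:
            st.failed += 1
        return "allow"

    def open_federation_tab(self) -> Dict[str, int]:  # watched domains -> distinct local URIs hit
        return {d: len(s.uris) for d, s in self.state.items()}

def demo() -> Dict[str, object]:
    """Constructed traffic (not captured from a real Edge) that exercises each rule."""
    edge = AccessEdge(EdgePolicy(allow={"contoso.com": "sip.contoso.com", "fabrikam.com": None},
                                 block={"spammer.example"}))
    local = "sip:alice@local.example"
    out: Dict[str, object] = {}
    out["allow_with_edge"] = edge.evaluate("contoso.com", "sip.contoso.com", local, 0.0)
    out["edge_mismatch"] = edge.evaluate("contoso.com", "proxy.attacker.example", local, 0.0)
    out["allow_no_edge"] = edge.evaluate("fabrikam.com", "anyhost.example", local, 0.0)
    out["blocked"] = edge.evaluate("spammer.example", "sip.spammer.example", local, 0.0)
    # Discovered partner: 25 requests inside one second -> 20 pass, 5 are throttled.
    burst = [edge.evaluate("litware.example", "sip.litware.example", local, 0.01 * i) for i in range(25)]
    out["burst"] = (burst.count("allow"), burst.count("throttle"))
    # Then 25 requests, one per second, that all fail locally: the failure ratio crosses the threshold...
    for i in range(25):
        edge.evaluate("litware.example", "sip.litware.example", "sip:bob@local.example", 10.0 + i, response_ok=False)
    # ...so a later burst from the same partner is held to 1 message per second.
    slow = [edge.evaluate("litware.example", "sip.litware.example", "sip:carol@local.example", 50.0 + 0.1 * i)
            for i in range(5)]
    out["after_suspicious"] = (slow.count("allow"), slow.count("throttle"))
    # A discovered partner that probes more than 1000 distinct local URIs is dropped for good.
    sweep = [edge.evaluate("probe.example", "sip.probe.example", f"sip:user{i}@local.example", 100.0 + i)
             for i in range(1001)]
    out["sweep"] = (sweep.count("allow"), sweep[-1], edge.evaluate("probe.example", "sip.probe.example", local, 5000.0))
    out["watched"] = edge.open_federation_tab()
    return out
```

Calling demo() returns the verdict for each constructed scenario. Two design points match the post: a partner on the Allow list bypasses the heuristics entirely (which is what the higher trust level buys you), and pinning the partner's Edge FQDN changes nothing about that trust but turns an unexpected sending host into a hard drop instead of an accepted session.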


5 comments to OCS Federated Partner Trust Level

  • Nicksp

    Hi Dino, in your post you mentioned “My understanding of the ability to specify the Edge Server parameter in the Allow List along with the SIP domain was for cases when the corporation chose not to publish the appropriate SRV record for the domain in question”. Do you have a Microsoft document that confirms that this configuration avoids the need for a DNS SRV record?

    Thanks in advance.

  • Hi Dino,
    Good question – which highlighted an incorrect choice of words in the post. Specifically, adding the FQDN of the federated partner Edge along with the SIP domain grants the highest level of *security* because the OCS Edge will only accept traffic for that partner from that specific remote FQDN. To my knowledge it does not grant any higher level of trust (in terms of evaluating the traffic for suspicious activity) than if you added a partner with just the SIP domain.

    Points #3, #4, and #5 explain what the higher level of trust means when a federated partner is added to the Allow list in general – versus just using Enhanced Federation (i.e. which is discovery via the DNS SRV federation records).

    I’ve updated the entry to clear that up. Thanks, Curtis

  • Thanks Curtis. About the statement “Explicitly specifying an Access Edge along with a federated partner SIP domain on the Allow list grants the highest level of trust” – can you elaborate on what more this grants? My understanding of the ability to specify the Edge Server parameter in the Allow List along with the SIP domain was for cases when the corporation chose not to publish the appropriate SRV record for the domain in question. I view adding a SIP domain in the Allow list as the same level of trust as adding one AND specifying the FQDN as well.
    Regards,
    Dino
