TCP vs TLS for only certain clients?

  • 21 September 2009 19:17
    We're trying to hook a Cisco VTC into OCS. Our OCS servers only allow TLS connections, and we'd rather not add TCP. The Cisco video teleconferencing server that we're attempting to integrate apparently won't do TLS.

    Is there a way to enable our OCS servers to accept TCP connections from one particular client and require TLS for all others?

    Regards,
    Ethan

All replies

  • 21 September 2009 20:09
    Editor
    The only way to do that would be to enable the software firewall on the OCS Front-End server and then limit inbound TCP 5060 connections from only the Cisco server.  Once you add TCP 5060 as a configured port on the OCS Front-End Server then it would allow connection attempts from any remote host.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
  • 22 September 2009 00:38
    Editor
    Another option is to enforce this via Group Policy by forcing Communicator to connect over TLS.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
  • 25 September 2009 03:36
    Editor
    Hi
    Any update for your issue?
    Jeff and Mike gave some good suggestions!

    Regards!
  • 28 September 2009 12:33
    Thanks to both of you for your replies. I will look at both of those options.

    Regards,
    Ethan
  • 30 September 2009 12:19
    Editor
    Mike has a good point with that suggestion but I just wanted to point out that any workstations on the network that do not inherit that Group Policy setting would still be able to connect to the server via TCP.  The only way to completely limit it would be to block it at the listening source; the server itself.  But if you don't require absolute limits and are okay if a few non-domain connected hosts were somehow able to connect to the server then that will work fine.

    Another possibility (unsupported) would be to add a second IP address on the server and configure one for TLS and the other for TCP.  Then use a firewall or internal routing to prevent clients from reaching the TCP-enabled IP address.  But moving to multiple IPs on a Front-End server can sometimes cause other unwanted issues with core OCS communications.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
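    The host-firewall approach Jeff describes in his two replies (limit inbound SIP/TCP 5060 at the listening server to the single Cisco host, leave SIP/TLS 5061 open) can be scripted with Windows Firewall with Advanced Security. The block below is an added example written for this thread, not something posted by Jeff, Mike or Ethan; it uses `netsh advfirewall`, which exists on Windows Server 2008 and later, and the VTC address is a placeholder. Run it in an elevated prompt on the Front-End server.

```powershell
# Added example (not from the thread): scope inbound SIP/TCP 5060 on an OCS
# Front-End to one video teleconferencing host, while SIP/TLS 5061 stays
# reachable from any client. The address is a placeholder from the RFC 5737
# documentation range, not a value taken from the thread.
$CiscoVtc = '192.0.2.10'   # PLACEHOLDER: replace with the Cisco VTC's address

# 1. Unsolicited inbound traffic must be dropped by default on every profile.
#    Do NOT add an explicit "block 5060 from any" rule instead: in Windows
#    Firewall an explicit block rule wins over an allow rule, so it would also
#    shut out the Cisco host. Rely on the default-inbound-block plus a narrow allow.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. SIP over TLS (5061) keeps working for every client, as today.
netsh advfirewall firewall add rule name="OCS SIP TLS 5061 (any)" `
    dir=in action=allow protocol=TCP localport=5061 remoteip=any

# 3. SIP over plain TCP (5060) is allowed only from the VTC.
netsh advfirewall firewall add rule name="OCS SIP TCP 5060 (Cisco VTC only)" `
    dir=in action=allow protocol=TCP localport=5060 remoteip=$CiscoVtc

# 4. Any other inbound allow rule for 5060 with RemoteIP "Any" (e.g. one
#    created by product setup) reopens the port to everyone. List candidates;
#    disable an offending rule with:
#      netsh advfirewall firewall set rule name="<that rule>" new enable=no
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^Rule Name:|^LocalPort:|^RemoteIP:|^Action:'

# 5. Confirm the two rules that were just added.
netsh advfirewall firewall show rule name="OCS SIP TCP 5060 (Cisco VTC only)"
netsh advfirewall firewall show rule name="OCS SIP TLS 5061 (any)"
```

    Step 1 changes the default inbound policy for the whole server, so before running it check that every other service the Front-End must expose already has its own allow rule; otherwise the script will cut off more than SIP/TCP. Step 4 matters because the scoped allow rule is only as good as the absence of a broader one for the same port.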
  • 1 October 2009 15:03
    I think we'll push the vendor for TLS support rather than go with any of these options. We'd be adding a lot of complexity trying to enable TCP but keep all of the OC clients away from it.

    Thanks!

    -Ethan
  • 1 October 2009 23:19
    Editor
    Definitely a good idea if you can keep everything TLS.  And Jeff is absolutely right that a group policy does no good for machines that aren't part of your domain.  I personally hate running firewalls on internal machines which is why I mentioned that as an option.  It would be nice if we had the same flexibility in OCS as Exchange does for defining how connectors are used.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike