TCP vs TLS for only certain clients?

  • Question

  • We're trying to hook a Cisco VTC into OCS. Our OCS servers only allow TLS connections, and we'd rather not add TCP. The Cisco video teleconferencing server that we're attempting to integrate apparently won't do TLS.

    Is there a way to enable our OCS servers to accept TCP connections from one particular client and require TLS for all others?

    Regards,
    Ethan
    Monday, September 21, 2009 7:17 PM

Answers

  • I think we'll push the vendor for TLS support rather than go with any of these options. We'd be adding a lot of complexity trying to enable TCP but keep all of the OC clients away from it.

    Thanks!

    -Ethan
    Thursday, October 1, 2009 3:03 PM

All replies

  • The only way to do that would be to enable the software firewall on the OCS Front-End server and then limit inbound TCP 5060 connections from only the Cisco server.  Once you add TCP 5060 as a configured port on the OCS Front-End Server, then it would allow connection attempts from any remote host.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, September 21, 2009 8:09 PM
    Moderator
  • Another option is to enforce this via Group Policy by forcing Communicator to connect over TLS.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Tuesday, September 22, 2009 12:38 AM
    Moderator
  • Hi
    Any update for your issue?
    Jeff and Mike gave some good suggestions!

    Regards!
    Friday, September 25, 2009 3:36 AM
    Moderator
  • Thanks to both of you for your replies. I will look at both of those options.

    Regards,
    Ethan
    Monday, September 28, 2009 12:33 PM
  • Mike has a good point with that suggestion, but I just wanted to point out that any workstations on the network that do not inherit that Group Policy setting would still be able to connect to the server via TCP.  The only way to completely limit it would be to block it at the listening source: the server itself.  But if you don't require absolute limits and are okay if a few non-domain connected hosts were somehow able to connect to the server, then that will work fine.

    Another possibility (unsupported) would be to add a second IP address on the server and configure one for TLS and the other for TCP.  Then use a firewall or internal routing to prevent clients from reaching the TCP-enabled IP address.  But moving to multiple IPs on a Front-End server can sometimes cause other unwanted issues with core OCS communications.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 30, 2009 12:19 PM
    Moderator
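The "block it at the listening source" approach from Jeff's two replies above, written out as an added example that is not part of the thread and not Microsoft's or Cisco's own configuration. It uses the built-in Windows firewall on the Front-End (netsh advfirewall and the HNetCfg.FwPolicy2 COM interface, both present on Windows Server 2008) to allow SIP over TCP 5060 only from the VTC's address, and then audits the rule set and probes the ports so the restriction can be confirmed from a non-Cisco host. The VTC address 192.0.2.10, the server name ocs-fe.example.local and the rule name are constructed placeholders; the example assumes TCP 5060 has already been added as a listening port in OCS and that TLS 5061 is allowed by an existing rule.

```powershell
# Added example, not from the thread: limit inbound SIP/TCP 5060 on an OCS
# Front-End to a single remote host using the Windows firewall, then verify.
# Constructed values (assumptions): the VTC address, server name and rule name.
$ciscoVtc   = '192.0.2.10'                 # placeholder for the Cisco VTC
$ocsFrontEnd = 'ocs-fe.example.local'      # placeholder for the Front-End
$ruleName   = 'OCS SIP TCP 5060 - Cisco VTC only'

# 1. Inbound traffic must be dropped unless a rule allows it, on every profile;
#    a Front-End that moves profiles (domain/private) must not open up.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Allow TCP 5060 from the VTC only. Deliberately no blanket block rule for
#    5060: in Windows Firewall an explicit block rule takes precedence over an
#    allow rule, so a "block 5060 from any" rule would also cut off the VTC.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=5060 remoteip=$ciscoVtc enable=yes

# 3. Audit: any other enabled inbound allow rule for TCP 5060 whose remote
#    scope is "any" ('*') silently undoes the restriction, which is exactly
#    Jeff's warning about the port being reachable from every host.
function Get-OpenSipTcpRules {
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # Direction 1 = inbound, Protocol 6 = TCP, Action 1 = allow
    $fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Protocol -eq 6 -and
        $_.Action -eq 1 -and $_.LocalPorts -eq '5060' -and
        $_.RemoteAddresses -eq '*'
    }
}

$leaks = @(Get-OpenSipTcpRules)
if ($leaks.Count -gt 0) {
    Write-Warning "Rules still exposing TCP 5060 to any host: $($leaks.Name -join ', ')"
} else {
    Write-Host "TCP 5060 is only reachable through scoped rules."
}

# 4. Reachability check, run from an ordinary workstation (not the VTC):
#    5060 should time out or be refused, 5061 (TLS) should still connect.
function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($Computer, $Port, $null, $null)
    $connected = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
    if ($connected) {
        try { $client.EndConnect($ar) } catch { $connected = $false }
    }
    $client.Close()
    return $connected
}

$tcpOpen = Test-TcpPort -Computer $ocsFrontEnd -Port 5060
$tlsOpen = Test-TcpPort -Computer $ocsFrontEnd -Port 5061
"SIP/TCP 5060 reachable from this host: $tcpOpen (expected: False)"
"SIP/TLS 5061 reachable from this host: $tlsOpen (expected: True)"
```

Run steps 1 to 3 on the Front-End itself and step 4 from a client that is not the VTC; if step 4 reports 5060 as reachable, step 3 will usually name the rule responsible. Because the restriction lives on the server rather than in Communicator policy, it also covers the non-domain machines Jeff mentions, which never receive the Group Policy setting.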
  • Definitely a good idea if you can keep everything TLS.  And Jeff is absolutely right that a group policy does no good for machines that aren't part of your domain.  I personally hate running firewalls on internal machines which is why I mentioned that as an option.  It would be nice if we had the same flexibility in OCS as Exchange does for defining how connectors are used.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Thursday, October 1, 2009 11:19 PM
    Moderator