Concept of Federation

  • Question

  • Hi, All!

    I recently posted a question here about enabling federated clients to use Office Communications Server 2007. The answer helped a lot, but now I have a more serious doubt: what exactly is the concept of "Federation"?

    I found a definition like this on TechNet: "A trust relationship between two or more SIP domains that permits users in separate organizations to communicate in real-time across network boundaries as federated partners". I thought that the communications servers needed to be configured in only one domain, and then the users of the other domain could connect to Office Communications Server 2007 and start instant messaging and audio and video conferencing.

    After configuring an Access Edge Server, enabling federation and enabling the partner domain to federate with mine, I couldn't start an instant messaging conversation using accounts of the partner's domain. I've checked the Access Edge Server configuration and found that if the federated partner doesn't publish federation records for discovery, I have to type the partner's Access Edge Server name in the configuration. In my understanding, this means that the partner should also have a Microsoft Office Communications Server 2007 infrastructure. Am I right, or did I miss something? Thanks in advance!

    Eder

    Thursday, November 13, 2008 6:12 PM

Answers

  • You are correct - federation requires OCS servers on both sides of the connection. Remote access is the concept of connecting external Communicator users to your environment via an Edge server. You can extend your OCS environment to people outside your company using remote access, but to be compliant you must purchase External Connector licenses for each server to which you are allowing access for users who are not employees of your organization.

    Thursday, November 13, 2008 7:05 PM
    Moderator

All replies

  • Ok and thank you, Mike. Talking about external users, they need to have an account in my Active Directory to access the Office Communications Server, right? If not, how should they connect to the server?

    The best solution that I see for my case is to install and configure the Microsoft Identity and Integration Server 2003, as described in an article posted here. It's an expensive solution (Windows Server Enterprise), but I think this will work fine. Has somebody here installed and configured this server in a production environment? Any problems found?

    Friday, November 14, 2008 2:02 PM
  • Eder,

    If the partner company also has OCS or LCS, then you just need to allow them to "Federate" with you. If the partner company does not have OCS, then they would need an account in your Active Directory, which is probably not the preferred method for you and your company from a security standpoint. So I guess the first big question is: do both companies have OCS or LCS deployed?

    Friday, November 14, 2008 3:05 PM
  • No, Mark, only our company has OCS installed. If I have no other option, I will configure an account for each partner's user in the AD. I'm testing all the possible options before making a decision, and installing the Microsoft Identity and Integration Server seems to be a good one. With this server, I can map the user accounts of the partner's AD to contacts in our AD in a synchronized way, allowing them to use our server for instant messaging and audio and video conferencing. The problem is the cost, and I need to know if I can install Office Communications Server 2007 and Identity and Integration Server on the same hardware. This could spare one server machine and one server license. Do you know if this configuration works?

    Friday, November 14, 2008 4:12 PM
  • Unless I missed something here, your solution with MIIS does require a trust relationship with the partner AD first. Is this something you are willing to do?

    Basically, the way you will set up MIIS is by provisioning contact objects in your Active Directory forest. However, on those contact objects there will be an attribute that contains the SIP address of the account located in the partner AD. In order to authorize that SID information, the OCS Server will need to contact a domain controller in the partner account forest, which is why you need the trust. Furthermore, you will need connectivity between your OCS server and certain domain controllers in the partner AD environment, which is also not likely going to be possible.

    The best way for you would be to either provision them with a new user account, enable them for OCS and provide them with the necessary information to sign in, or convince them to deploy OCS as well and initiate federation.

    Sincerely,

    Tonino Bruno

    Sunday, November 16, 2008 8:48 AM
  • If you haven't already read the OCS 2007 Multiple Forest Deployment Guide, I'd suggest doing so: http://www.microsoft.com/downloads/details.aspx?FamilyId=1D7CF1E6-6770-422F-B744-E1764F5666AE&displaylang=en

    Also, to perform User/Contact object synchronization between forests you don't need to purchase the entire MIIS (now called ILM in the latest release), as you can simply use the free GALsync feature (think of it as MIIS-lite).

    Take a look at the section called "Implementing the LCS Configuration" in this ILM document:

    http://technet.microsoft.com/en-us/library/cc708674.aspx

    Sunday, November 16, 2008 2:52 PM
    Moderator