Hi all,
we have a security problem in our OCS EE Expanded Edition scenario.
(2 FEs over F5 BigIP, 1 Backend, 1 Web Component, 1 Web Conferencing, 1 A/V Conferencing, Exchange 2007)
It is possible to forward a "closed authenticated" meeting invitation internally and to enter the meeting via the forwarded invitation link, even if the receiver is not on the original invitation list! If the calendar entry is forwarded, OK, then the originator of the meeting gets this (forwarding) information and can react (delete the user from the invitation list), but if only the invitation content is copied and pasted into a mail, there's no information beforehand.
Why is this possible? As far as I understand, a closed authenticated conference is only reachable by clients who are on the invitation list, in contrast to an open authenticated invitation, where everyone who gets the link, has an AD account and is RTC enabled (has a SIP URI) can enter the meeting.
Any ideas?