3. Assigning External Access Policies
After the new user policy is created, it must be assigned to a user account. If the external policy is created with a site scope, this step is not required.
1. Open the Lync Server Control Panel.
2. Select Users in the navigation pane.
3. Search for a user, highlight the account, click Modify, and click Assign Policies.
4. In the External Access Policy section, select the new external access policy, and click OK. An example of this configuration is shown in Figure 2.
Figure 2. Assign an External Access Policy.
The Lync Server Management Shell can also be used to assign a policy to a user:
Grant-CSExternalAccessPolicy randy@companyabc.com -PolicyName "Allow all features"
4. Managing Federation
After enabling user accounts for federation, administrators can manage the organizations with which they want to federate through Lync Server. If partner discovery lookups are allowed on the Access Edge configuration, all domains are automatically allowed. Allowed domains can still be added to grant partners a higher level of trust, but this is not required. If partner discovery is not allowed, administrators must manually add all federated partners to the allow list.
Blocking a federated domain can be used to prevent internal users from communicating with specific partners. This is used in situations in which federation should be allowed globally, but blocked for a few specific domain names. To allow or block a federated domain, use the following steps:
1. Open the Lync Server Control Panel.
2. Select Federation and External User Access in the navigation pane.
3. Click SIP Federated Domains.
4. Click New and then select either Allowed Domain or Blocked Domain.
5. Enter the SIP domain name of the federated domain allowed or blocked, as shown in Figure 3, and click OK.
Figure 3. Adding an allowed domain for SIP federation.
Caution
When you are adding an allowed domain, the option exists to add the FQDN of the partner’s Access Edge Server. This field is not required, but when it is used it grants a higher level of trust to the domain by allowing more requests per second from the domain. Be careful when using this field because if a partner changes its FQDN later, the name will no longer be valid.
The Lync Server Management Shell can also be used to perform these tasks. To allow a new domain, use the following command. The only required parameter is the domain name, but a comment and partner’s Access Edge Server FQDN can also be specified. In addition, the MarkForMonitoring parameter can be set to enable quality monitoring to this domain by a Monitoring Server role.
New-CSAllowedDomain -Domain <SIP Domain Name> -Comment <Comment string> -ProxyFQDN <Partner Access Edge FQDN> -MarkForMonitoring <$True|$False>
To block a domain from sending or receiving messages, use the following command:
New-CSBlockedDomain -Domain <SIP Domain Name>
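The Caution above notes that a partner FQDN stored on an allowed domain stops being valid if the partner later changes it. The following script is an added example, not part of the original text: it reviews the allow list for ProxyFqdn values that no longer resolve in DNS and shows whether partner discovery is enabled. Test-AllowedDomainProxy is a hypothetical helper name, and the sample entries are constructed so the script also runs outside a Lync deployment.

```powershell
# Added example: review allowed federated domains for ProxyFqdn values that no longer resolve.
# Test-AllowedDomainProxy is a hypothetical helper name, not a Lync Server cmdlet.
function Test-AllowedDomainProxy {
    [CmdletBinding()]
    param(
        # Objects with Domain and ProxyFqdn properties, such as the output of Get-CsAllowedDomain.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$AllowedDomain
    )
    process {
        $fqdn = $AllowedDomain.ProxyFqdn
        $addresses = @()
        if ([string]::IsNullOrEmpty($fqdn)) {
            # No partner Access Edge FQDN recorded, so there is no name that can go out of date.
            $status = 'NoProxyFqdn'
        }
        else {
            try {
                $addresses = @([System.Net.Dns]::GetHostAddresses($fqdn) |
                    ForEach-Object { $_.IPAddressToString })
                # Resolution is necessary, not sufficient: confirm with the partner if in doubt.
                $status = 'Resolves'
            }
            catch {
                # The stored name no longer resolves; review or update the entry.
                $status = 'DoesNotResolve'
            }
        }
        New-Object psobject -Property @{
            Domain    = $AllowedDomain.Domain
            ProxyFqdn = $fqdn
            Status    = $status
            Addresses = ($addresses -join ',')
        }
    }
}

if (Get-Command Get-CsAllowedDomain -ErrorAction SilentlyContinue) {
    # Lync Server Management Shell: with partner discovery on, domains outside the list are allowed too.
    Get-CsAccessEdgeConfiguration | Format-List AllowFederatedUsers, EnablePartnerDiscovery
    $entries = Get-CsAllowedDomain
}
else {
    # Constructed sample entries (not real partners) for running outside a Lync deployment.
    $entries = @(
        New-Object psobject -Property @{ Domain = 'partner-a.example'; ProxyFqdn = $null }
        New-Object psobject -Property @{ Domain = 'partner-b.example'; ProxyFqdn = 'sip.partner-b.invalid' }
    )
}
$entries | Test-AllowedDomainProxy | Select-Object Domain, ProxyFqdn, Status, Addresses
```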