#Lync Question 20: how can I control federation on a user group, domain or modality basis?

I get asked this question over and over again by customers, usually 6-12 months into their deployment, although with larger customers it is often a compliance or security requirement from the beginning.

With federation it is pretty much an all or nothing scenario: if a user is enabled for federation, they can use any available modality to communicate with any available federated domain. Even with a closed federation model, users are only limited to the allowed federated domains.

Why is this a concern? Well, it is to do with compliance and data security (or leakage). With Instant Messaging, Archiving will record the IM conversation, with the exception of ink-based IM from Tablet PCs, although that can be disabled through client policy. However, none of the other modalities are recorded.

For file transfer, the November 2011 cumulative update (CU4) for Lync Server 2010 enables control of file transfer through the Access Edge service, as detailed in KB 2621840 (http://support.microsoft.com/kb/2621840), so this can be blocked at the Edge server.

You can argue with a compliance team that it isn’t any different from email, where a user can communicate and send anything to anyone in the world; however, over the last few releases of Exchange Server, compliance features have been added to protect organisations from these risks. The same can be said for users using a traditional phone or mobile.

For some sectors call recording is mandatory, and there are 3rd party solutions on the market (another Lync Question there, I think).

It would be nice if we could control the SIP federation relationships and the services available, maybe something like this:


It is possible to somewhat do this via MSPL scripting, but I’m not sure I’d want to recommend that for a deployment.

Or, ideally, we could have something like a Grant-CsSipFederatedDomainPolicy cmdlet to govern and control who can speak to whom, and using what modality, in effect setting up an Ethical Wall, for example:

  • User Group A can communicate with domain Z and Y via Instant Messaging only
  • User Group B can communicate with domain Y and X via Instant Messaging, Voice and Video
  • User Group C can communicate with domain Z, X and W via Instant Messaging, Voice, Video and Application Sharing
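As an added illustration (not the post's code, nor any Lync product's), this is the check an edge-side filter would have to make to enforce rules like the three above: work out which modalities a SIP request asks for, then compare them against a default-deny table keyed by user group and federated domain. The group names, domains, the SDP media names assumed for each modality, and the sample INVITE are all constructed.

```python
import re

# Added example, not from the post or any Lync product; domains, groups, SDP names and the sample are constructed.
SDP_MEDIA_TO_MODALITY = {"message": "im", "audio": "voice", "video": "video",
                         "applicationsharing": "appsharing"}  # assumed SDP media names per Lync modality

# Ethical wall modelled on the post's three bullets: group -> federated domain -> allowed modalities.
ETHICAL_WALL = {
    "GroupA": {d: {"im"} for d in ("z.example", "y.example")},
    "GroupB": {d: {"im", "voice", "video"} for d in ("y.example", "x.example")},
    "GroupC": {d: {"im", "voice", "video", "appsharing"} for d in ("z.example", "x.example", "w.example")},
}

def parse_request(raw: str):
    """Split a SIP request into (method, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = dict((n.strip().lower(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:]))
    return lines[0].split(" ", 1)[0], headers, body

def uri_host(header_value: str) -> str:
    """Host of the SIP URI in a From/To header: '"Bob" <sip:bob@y.example>;tag=1' -> 'y.example'."""
    m = re.search(r"sips?:[^@>\s]+@([^;>\s]+)", header_value)
    return m.group(1).lower() if m else ""

def requested_modalities(raw: str) -> set:
    """SIP MESSAGE is IM; an INVITE's modalities are read from its SDP m= lines; anything else is unknown."""
    method, _, body = parse_request(raw)
    if method == "MESSAGE":
        return {"im"}
    if method != "INVITE":
        return set()
    return {SDP_MEDIA_TO_MODALITY.get(m, m) for m in re.findall(r"^m=(\S+) ", body, re.M)}

def decide(group: str, raw: str, outbound: bool = True):
    """Default deny: every requested modality must be allowed for this group and federated domain.
    The federated domain is taken from To for outbound requests and from From for inbound ones."""
    _, headers, _ = parse_request(raw)
    domain = uri_host(headers.get("to" if outbound else "from", ""))
    wanted = requested_modalities(raw)
    blocked = wanted - ETHICAL_WALL.get(group, {}).get(domain, set())
    if not wanted or blocked:
        return False, sorted(blocked) or ["unknown"]
    return True, sorted(wanted)

# Constructed sample: a GroupA user placing an audio/video call to y.example, where only IM is allowed.
SAMPLE_INVITE = ("INVITE sip:bob@y.example SIP/2.0\r\nFrom: <sip:alice@contoso.example>;tag=1\r\n"
                 "To: <sip:bob@y.example>\r\nContent-Type: application/sdp\r\n\r\n"
                 "v=0\r\nm=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\n")
```

`decide("GroupA", SAMPLE_INVITE)` is refused because voice and video are not on GroupA's list for y.example, while the same INVITE from a GroupB user passes.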

This is a feature I get asked for over and over again.

The only two products I am aware of with this level of control (and more) are:

However, it would be nice if these compliance features were added in a future release of Lync Server, as they have been with Exchange Server.

2 thoughts on “#Lync Question 20: how can I control federation on a user group, domain or modality basis?”

  1. Pingback: #Lync Question 20: how can I control federation on a user group, domain or modality basis? | ariprotheroe | JC's Blog-O-Gibberish

  2. Great topic covered, Ari. The Security Federation Filter (www.lync-solutions.com) developed this year addresses exactly this problem. It allows controlling presence information and which modalities are permitted on a per user, SIP domain or per AD group level. Would love to get your feedback on it.

    Rui Maximo
