I get asked this question over and over again by customers, it is usually 6-12 months into their deployment, although with larger customers it is usually in as a compliance or security requirement from the beginning.
With federation it is pretty much an all or nothing scenario, if a user enabled for federation they are use any available modality to communication with any available federated domain. Even with a closed federation model then to users on only limited to the allowed federated domains.
Why is this a concern? Well it is do so with compliance and data security (or leakage). With Instant Messaging, Archiving will record the instant messaging communication, with the exception of Ink based IM from Tablet PC’s, although this can be disabled through the client policy. However for all other communication then this isn’t recorded.
With File Transfer the November 2011 cumulative update (CU4) for Lync Server 2010 enables the control of the file transfer through the Access Edge service in a Lync Server 2010 environment, KB 2621840 details it http://support.microsoft.com/kb/2621840 so this can be blocked at the edge server.
You can argue with a compliance team that It isn’t any different from email that a user can communication and send anything to any people in the world, however will email then over the last few releases of Exchange server then the compliance features have been added to protect organisations from these risks. The same can be said for users using a traditional phone or mobile.
For some sectors then call recording is mandatory and there are 3rd party solutions out in the market (another Lync Question there, I think)
It would be nice if that we could control the SIP federation relationships and the services available maybe something like this:
It is possible to somewhat do this via MSPL scripting, but I’m not sure I’d want to recommended that for a deployment.
Or even between ideally we could do with a Grant-CsSipFederatedDomainPolicy cmdlet so can govern and control who can speak to who and using what modality so effect setup an Ethical Wall, for example:
- User Group A can communicate with domain Z and Y via Instant Messaging only
- User Group B can communicate with domain Y and X via Instant Messaging, Voice and Video
- User Group C can communicate with domain Z, X and W via Instant Messaging, Voice, Video and Application Sharing
This a feature I get asks for over and over again.
The only two products I am aware of with this level of control and more are:
- MultiUx Ethical Wall for Lync http://www.multiux.com/products/multiux-ethical-wall-for-lync.html
- Actiance Vantage http://www.actiance.com/products/vantage
However it would be nice that these compliance features are added in a future release of Lync Server as they have been with Exchange Server.