Friday, September 30, 2011

Lync 2010 Policies and settings

It is fairly obvious that Lync is a complex product that touches many parts of a corporate network: it integrates with or provides telephony, and it offers numerous forms of collaboration and presence.
We are not going to talk about the various features in Lync, which have been widely discussed on other blogs. Instead, let's talk about the numerous policies and configuration settings that help you manage this product. We clearly put the focus on policies, and add the configuration as a bonus, as many policy settings link to configuration settings.

When talking about policies we have following policy scopes in mind:
  1. Client Policies
  2. Location Policies
  3. Voice Policies
  4. Conferencing Policies
  5. Presence Policies
  6. Archiving Policies
  7. Pin Policies
  8. External Access Policies
  9. Hosted Voice Mail Policies
  10. Client Version Policies
Each scope will be discussed as a separate article.

1. Client Policies

We start off by discussing client policies.
Client policies apply to the Lync client as the name suggests. But before starting to describe what can be applied using client policies, it is interesting to look at how policies are applied in Lync 2010.

When talking about client policies, we have to make a distinction between two types of policies, namely the "Out-of-band provisioning" policies and the "In-band provisioning" policies.

1.1 Precedence
As we are talking about client settings, the settings can be applied at several levels: by tattooing the registry, by group policies, by Lync policies, or by configuring the options by hand in the client. It is important to understand which setting takes precedence when the same setting is configured at more than one level.

The precedence is set from 1 to 4, in which 1 takes precedence over 2, 3, and 4.
  1. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator
  2. HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator
  3. Lync Server in-band provisioning
  4. Lync Options dialog box
Note: Lync also allows the same behaviour to be governed by more than one policy type; an example of this is the client policy and the voice policy. The voice policy will overrule the client policy if the user is voice enabled. An example is delegation in Outlook when scheduling an online meeting. If you want delegates to be able to schedule an online meeting, you have to set EnableExchangeDelegateSync to true in the client policy. However, if the user who has delegated his calendar is voice enabled, we also have to make sure that "DelegationEnabled" is set to true in the voice policy for that user. If the voice policy for that user still states "DelegationEnabled: False", delegates will be unable to schedule an online meeting for the voice enabled user.
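To see which of these levels is actually driving a given client setting on a workstation, here is an added PowerShell check (not from the original post) that walks the two registry policy hives in precedence order and reports the winning source; the value names it queries are assumed from communicator.adm and should be verified against your copy of that file.

```powershell
# Added example: report where each Communicator client setting comes from,
# following the precedence order 1 (HKLM policy) > 2 (HKCU policy) > 3/4.
$hklm = 'HKLM:\Software\Policies\Microsoft\Communicator'   # precedence 1
$hkcu = 'HKCU:\Software\Policies\Microsoft\Communicator'   # precedence 2

function Get-RegistryPolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EffectiveClientSetting {
    param([string]$Name)
    # Machine-level policy wins over user-level policy; both win over anything
    # the server provisions in-band or the user picks in the Options dialog.
    $machine = Get-RegistryPolicyValue -Path $hklm -Name $Name
    if ($null -ne $machine) {
        return [pscustomobject]@{ Setting = $Name; Value = $machine; Source = 'HKLM policy (1)' }
    }
    $user = Get-RegistryPolicyValue -Path $hkcu -Name $Name
    if ($null -ne $user) {
        return [pscustomobject]@{ Setting = $Name; Value = $user; Source = 'HKCU policy (2)' }
    }
    return [pscustomobject]@{ Setting = $Name; Value = $null
                              Source  = 'not set by policy: in-band provisioning (3) or Options dialog (4)' }
}

# Assumed registry value names for the security-relevant communicator.adm
# policies (strict DNS naming, SIP high security mode, password storage,
# HTTP fallback); confirm them against the ADM file before relying on them.
$settings = 'EnableStrictDNSNaming', 'EnableSIPHighSecurityMode', 'SavePassword', 'DisableHttpConnect'
$settings | ForEach-Object { Get-EffectiveClientSetting -Name $_ } | Format-Table -AutoSize
```

Run it in the context of the user whose client you are checking, because the HKCU hive is per user.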


1.2  "Out-of-band provisioning" policies
"Out-of-band provisioning" or group policies have been superseded by "In-band provisioning" policies. "Out-of-band provisioning" policies are applied using group policy, and therefore have the limitations that come with group policies. "In-band provisioning" policies do not use group policies and therefore do not share those limitations. Does this mean that group policies are gone? No, they are not: group policies can still be used, and are applied to the client before the client logs on to the Lync infrastructure.

These policies are available as an ADM file which is part of the Lync 2010 client download from the partner website. This communicator.adm file can be imported into any group policy object and applied to a computer, a set of computers, a user or, of course, a set of users.

The communicator.adm file contains 15 policy settings:
  1. Specify transport and server: Allows you to specify the name of your front-end and edge server. This way you do not need to provide the DNS records required for client autodiscovery on the WAN or LAN.
  2. Enable strict DNS naming for server name: When not set, or disabled, the client will connect to the SIP server that has the domain name of the SIP address. Meaning that if your SIP address is sip:Me@example.com, the SIP server should be sip.example.com. If you enable this setting, the client will communicate with whatever server has the SIP domain configured. In that case the client could communicate with a server called whatever.example.com, which gives a spoofer room to mimic the SIP server. This only applies when TLS is used (the default).
  3. Configure SIP security mode: If you enable this policy, the client requires TLS and will not fall back to TCP if TLS cannot be used. When enabled, this setting also requires the client to authenticate using Kerberos or NTLM, and all communications must run through the SIP server, so peer-to-peer communications are disabled.
  4. Configure SIP compression mode: Whether or not to use SIP compression. By default the network adapter speed determines whether compression is used. Enabling this setting could increase logon time.
  5. Prevent users from running Microsoft Lync: States whether or not the Lync client can be used by that particular user or machine.
  6. Allow storage of user password: If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password.
  7. Require logon credentials: Requires the user to provide logon credentials for Microsoft Lync rather than automatically using the Windows credentials when Microsoft Lync authenticates the user using NTLM or Kerberos. If you enable this policy setting, Microsoft Lync requires the user to provide logon credentials. If you disable or do not configure this policy setting, Microsoft Lync authenticates the user based on the logon credentials for Windows.
  8. Disable HTTP fallback for SIP connection: Prevents HTTP from being used for the SIP connection in case TLS or TCP fail.
  9. Disable server version check: Prevents Microsoft Lync from checking the server version before signing in.
  10. Additional server version support: Specify a semicolon-separated list of server version names, e.g. RTC/2.8;RTC/2.9, to which Microsoft Lync allows logon in addition to the server versions that are supported by default. A space character is treated as part of the version string.
  11. Enable using BITS to download address book service files: This policy allows Microsoft Lync to use BITS (Background Intelligent Transfer Service) to download the Address Book Service files.
  12. Use compact delta file for GAL: This policy allows Microsoft Lync to use a compact delta file for the GAL.
  13. Help menu: This policy is used to extend the Help menu in Microsoft Lync. An administrator can specify a help web site for Microsoft Lync using these keys. Help Menu Text is a string value that specifies the text to display to the user in the Help menu for the help web site. Help Menu URL is a string value that specifies which web site to open when the user selects the Help Menu Text item in the Help menu. Note that both Help Menu Text and Help Menu URL need to be specified in order for the Help menu item to appear in Microsoft Lync.
  14. Launch Microsoft Lync First Run: This policy defines the behavior of the Microsoft Lync First Run: whether it is enabled or not, and whether it should be launched automatically or not.
  15. Turn on tracing for Lync: Turns on tracing for Lync, primarily to assist in troubleshooting. If this policy is not configured, the user can specify the choice in the Lync options. Otherwise, the corresponding behavior is enforced and the user has no choice.
Note: policies 1, 2, 3, 5, 6, and 7 can be configured at both the user and the computer level of the policy, but the computer policy takes precedence over the user policy. All other policies apply only at the computer level.

Explaining how group policies work and how they are applied is really not within the scope of this article. Yet I do want to point out why group policies have a certain disadvantage, and why Microsoft moved away from group policies and implemented a new way of assigning policies (in-band provisioning). Group policies are typically applied at logon, and are refreshed every 90 to 120 minutes by default (90 minutes plus a random offset of up to 30 minutes). So when you apply new settings, they are not applied immediately unless the policies are refreshed manually on the client. A second disadvantage is that you are never really sure that the policies you set are actually applied. It could be that a corporate user who logs on to the network using VPN does not get his/her policies applied due to slow link detection, or that the remote user logs on to the network using a computer that has never been subjected to group policies (a home computer, or a non-Windows system).

1.3 In-band provisioning
Microsoft acknowledged the problems with group policies and developed a new way of assigning policies in Lync 2010, known as in-band provisioning. The policies are applied through Lync itself: they are stored in the Lync Central Management Store (CMS) and replicated to the local copy of the database on each server.

The policies are applied as soon as replication has completed and the policy has been assigned at a certain level. The levels at which a policy can be applied are Global, Site, and Tag.
  1. Global: the global Lync infrastructure, in this case every Lync client.
  2. Site: a Lync site, every client within a Lync site. The Lync organization can have multiple Lync sites.
  3. Tag: the tag can be a user, group or service.
The client policy can only be set by using the Lync Server Management Shell and not by the Lync Server Control Panel. Most of the settings that determine Microsoft Lync 2010 features and functionality are configurable through Microsoft Lync Server 2010 Control Panel. However, there are several essential policies and settings that significantly impact client functionality and that can be configured only by using Group Policy or the Lync Server Management Shell.

The following cmdlets are used to manage the client policies:
  • Get-CsClientPolicy: Returns the client policies that are configured; if you do not specify a name, all client policies are returned.
  • Grant-CsClientPolicy: Assigns the policy at a level (Global, Site, Tag). If you do not specify an identity, the client policy is applied globally.
  • New-CsClientPolicy: Creates a new client policy. Among other things, client policies help determine the features of Microsoft Lync 2010 that are made available to users; for example, you might give some users the right to transfer files while denying this right to other users.
  • Remove-CsClientPolicy: Removes an existing client policy.
  • Set-CsClientPolicy: Modifies the property values of an existing client policy.
  • New-CsClientPolicyEntry: Allows you to add new options (policy entries) to a client policy.
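As an added example (not code from the original post), the following Lync Server Management Shell script creates a Tag-scoped client policy with EnableExchangeDelegateSync, grants it to one user, verifies which policy the user resolves to, and then checks the voice policy condition from the note in section 1.1; the policy name and SIP address are placeholders, and the voice policy parameter is assumed to be EnableDelegation (the post refers to it as "DelegationEnabled").

```powershell
# Added example: per-user (Tag scope) client policy lifecycle plus the
# voice-policy check that decides whether delegation actually works.
$policyName = 'DelegateSyncUsers'          # placeholder policy name
$sipAddress = 'sip:user@example.com'       # placeholder user

# 1. Create the client policy once. An Identity without a 'site:' prefix
#    creates a Tag-scoped (per-user) policy rather than a site or global one.
if (-not (Get-CsClientPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsClientPolicy -Identity $policyName -EnableExchangeDelegateSync $true | Out-Null
}

# 2. Grant it to the user. -Identity is the user's SIP address for a Tag grant;
#    the assignment reaches the client through in-band provisioning after CMS replication.
Grant-CsClientPolicy -Identity $sipAddress -PolicyName $policyName

# 3. Verify the assignment. An empty ClientPolicy means the Global policy applies.
$user = Get-CsUser -Identity $sipAddress
$effectiveClientPolicy = if ($user.ClientPolicy) { $user.ClientPolicy } else { 'Global' }
"{0}: ClientPolicy={1} EnterpriseVoice={2}" -f $user.SipAddress, $effectiveClientPolicy, $user.EnterpriseVoiceEnabled

# 4. For voice-enabled users the voice policy overrules the client policy, so
#    delegation must also be enabled there (assumed parameter: EnableDelegation).
if ($user.EnterpriseVoiceEnabled) {
    $voicePolicyId = if ($user.VoicePolicy) { $user.VoicePolicy } else { 'Global' }
    $voicePolicy   = Get-CsVoicePolicy -Identity $voicePolicyId
    if (-not $voicePolicy.EnableDelegation) {
        Write-Warning "Voice policy '$voicePolicyId' has EnableDelegation=False; delegates cannot schedule online meetings for $sipAddress"
    } else {
        "Voice policy '$voicePolicyId' allows delegation"
    }
}
```

To revert the user to the Global client policy, run Grant-CsClientPolicy -Identity $sipAddress -PolicyName $null.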

Information on the settings and applying the policy can be found here: http://technet.microsoft.com/en-us/library/gg398300.aspx
