Configuring support for external user access in Lync Server 2013
Topic Last Modified: 2013-02-21
Deploying an Edge Server or Edge pool is the first step to supporting external users. For details about deploying Edge Servers, see Deploying external user access in Lync Server 2013 in the Deployment documentation. An important consideration for the configuration of policies is to understand the precedence of policies and how the policies are applied. Lync Server policy settings that are applied at one policy level can override settings that are applied at another policy level. Lync Server policy precedence is: User policy (most influence) overrides a Site policy, and then a Site policy overrides a Global policy (least influence). This means that the closer the policy setting is to the object that the policy is affecting, the more influence it has on the object.
After completing the setup of an Edge Server or Edge pool, you must enable the types of external user access that you want to provide, and configure the settings for the external access. In Lync Server 2013, you enable and configure external user access and policies using the Lync Server Control Panel, the Lync Server Management Shell or both, based on the task requirements.
To support external user access, you must do both of the following:
Enable support for your organization To enable support for external user access in your deployment, you enable each type of external access that you want to support. You enable and disable support for external user access by editing the global settings or creating and configuring a site or user policy on the External Access Policy page in the Federation and External Access group of the Lync Server Control Panel or by using the Lync Server Management Shell and associated cmdlets. Cmdlets for managing the External Access Policy are found in the topic Federation and external access cmdlets in Lync Server 2013. Enabling support for external access specifies that your servers running the Lync Server Access Edge service support communications with external users and servers. Internal and external users cannot communicate while external user access is disabled or if policies have not yet been configured to support it.
Configure and assign one or more policies To support external user access, you configure policies to address requirements that include:
External access policies Created with either a site or user scope (a global policy exists by default and has no enabled settings). You create and configure policies to control the use of one or more types of external user access, including, federated user access (including, if selected, federated XMPP domains)remote users user access, and supported public IM service providers. You configure external policies in Lync Server Control Panel using the global policy or one or more administratively created site and user policies, on the External Access Policy page in the Federation and External Access group. The global policy cannot be deleted. You create and configure any site and user policies that you want to use to limit external user access for specific sites or users. Global and site policies are automatically assigned. If you create and configure a user policy, you must then assign it to the specific users by using the user configuration page in the Lync Server Control Panel on the Users page. Find the user or users that you want this policy to apply to and assign the policy. to whom you want it to apply. To assign a configured user policy to a user, see Assign an external user access policy to a Lync enabled user in Lync Server 2013. Each external user access policy can support one or more of the following: remote user access, SIP federated user access, XMPP federated user access and public IM connectivity.
Conferencing policies You create and configure policies to control conferencing in your organization, including which users in your organization can invite anonymous users to conferences that they host. On the Lync Server Control Panel Conferencing page are policy settings at the global, site and user scope that control settings for the actual conferences. For details, see Managing meetings and conferences in Lync Server 2013. You enable anonymous users for conferencing, remote users and federated users on the Access Edge Configuration page. The policy on the Access Edge Configuration is global in scope. There are no options to define a site or user policy. The scope is controlled on the External Access Policy page through the use of global, site, or user policy settings.
For example, if you want to allow users to create, invite and manage conferencing with remote users, you must set Enable communications with remote users on the External Access Policy global, site or user policy, and Enable Communications with remote users on the Access Edge Configuration page. Similarly, to allow conferencing with anonymous users or federated partners that you have a defined relationship with (such as configured federated SIP domains and providers – XMPP federation does not support conferencing), you set Enable communications with public users and Enable communications with federated users in the External Access Policy global, site or user policy. You then select complimentary global policy settings Enable anonymous user access to conferences and Enable federated and public IM connectivity on the Access Edge Configuration page.
You can configure external user access settings, including any policies that you want to use to control external user access, even if you have not enabled external user access for your organization. However, the policies and other settings that you configure are in effect only when you have external user access enabled for your organization. External users cannot communicate with users of your organization when external user access is disabled or if no external user access policies are configured to support it.
Your edge deployment authenticates the types of external users (except for anonymous users, who are authenticated by the conference ID and a passkey that is sent to the anonymous participant when you create the conference and invite participants) and controls access based on how you configure your edge support. In order to control communications, you can configure one or more policies and configure settings that define how users inside and outside your deployment communicate with each other. The policies and settings include the default global policy for external user access, in addition to site and user policies that you can create and configure to enable one or more types of external user access for specific sites or users.