Control Access by Individual Federated Domains
Topic Last Modified: 2011-03-16
If you have configured support for federated partners, you can manage which specific domains can federate with your organization by doing either or both of the following:
Configure one or more specific external domains as allowed federated domains. To do this, add each domain to the list of allowed domains. Even if partner discovery is enabled for your organization, do this if the domain is a federated partner that might need to communicate with more than 1,000 of your users or might need to send more than 20 messages per second. If partner discovery is not enabled for your organization, only users of external domains that you add to the allowed domains list can participate in IM and conferencing with users in your organization. If you want to restrict access for a federated domain to a specific server running the Access Edge service of the federated partner, you can specify the domain name of the server running the Access Edge service for each domain in the list of allowed domains.
Block one or more external domains from connecting to your organization. To do this, add the domain to the list of blocked domains.
Note
This procedure describes how to configure support for specific domains, but implementing support for federated users also requires that you enable support for federated users for your organization, and configure and apply policies to control which users can collaborate with federated users. For details about enabling support for federated users, see Enable or Disable Federation for Your Organization in the Deployment documentation or the Operations documentation. For details about configuring policies to control federation, see Configure Policies to Control Federated User Access in the Deployment documentation or the Operations documentation.
To add an external domain to the list of allowed domains
1. From a user account that is a member of the RTCUniversalServerAdmins group (or has equivalent user rights), or is assigned to the CsAdministrator role, log on to any computer in your internal deployment.
2. Open a browser window, and then enter the Admin URL to open the Lync Server Control Panel. For details about the different methods you can use to start Lync Server Control Panel, see Open Lync Server Administrative Tools.
3. In the left navigation bar, click External User Access, and then click Federated Domains.
4. On the Federated Domains page, click New, and then click Allowed domain.
5. In New Federated Domains, do the following:
   a. In Domain name (or FQDN), type the name of the federated partner domain.
   Note
   This name must be unique and cannot already exist as an allowed domain for this server running the Access Edge service. The name cannot exceed 256 characters in length.
   The search on the federated partner domain name performs a suffix match. For example, if you type contoso.com, the search will also return the domain it.contoso.com.
   A federated partner domain cannot simultaneously be blocked and allowed. Lync Server 2010 prevents this from happening so that you do not have to synch up your lists.
   b. If you want to restrict access for this federated domain to users of a specific server running the Access Edge service, in Access Edge service (FQDN), type the FQDN of the federated domain's server running the Access Edge service.
   c. If you want to provide additional information, in Comment, type information that you want to share with other system administrators about this configuration.
6. Click Commit.
7. Repeat steps 4 through 6 for each federated partner domain that you want to allow.
To enable federated user access, you must also enable support for federated user access in your organization. For details, see Enable or Disable Federation for Your Organization in the Deployment documentation or the Operations documentation.
Additionally, you must configure and apply the policy to users that you want to be able to collaborate with federated users. For details, see Configure Policies to Control Federated User Access in the Deployment documentation or the Operations documentation.
To add an external domain to the list of blocked domains
1. From a user account that is a member of the RTCUniversalServerAdmins group (or has equivalent user rights), or is assigned to the CsAdministrator role, log on to any computer in your internal deployment.
2. Open a browser window, and then enter the Admin URL to open the Lync Server Control Panel. For details about the different methods you can use to start Lync Server Control Panel, see Open Lync Server Administrative Tools.
3. In the left navigation bar, click External User Access.
4. Click Federated Domains, click New, and then click Blocked domain.
5. In New Federated Domains, do the following:
   a. In Domain name (or FQDN), type the name of the federated partner domain that you want to block.
   Note
   The name cannot exceed 256 characters in length.
   The search on the federated partner domain name performs a suffix match. For example, if you type contoso.com, the search will also return the domain it.contoso.com.
   A federated partner domain cannot simultaneously be blocked and allowed. Lync Server 2010 prevents this from happening so that you do not have to synch up your lists.
   b. (Optional) In Comment, type information that you want to share with other system administrators about this configuration.
6. Click Commit.
7. Repeat steps 4 through 6 for each federated partner that you want to block.
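Both procedures above use the Control Panel. As an added example that is not part of this page, the following Lync Server Management Shell script does the same work for allowed and blocked domains, applies the checks the Notes describe (256-character limit, a domain cannot be on both lists), and then audits the result so an administrator can see whether partner discovery widens access beyond the allowed list and which allowed partners are not pinned to a specific Access Edge server. It assumes the standard Lync Server 2010 cmdlets New-CsAllowedDomain, New-CsBlockedDomain, Get-CsAllowedDomain, Get-CsBlockedDomain and Get-CsAccessEdgeConfiguration; the function names and the domain values are constructed for the example.

```powershell
# Added example, not from the page: Management Shell equivalent of the Control Panel steps.
# Assumes the standard Lync Server 2010 cmdlets named in the lead-in; helper names are mine.
function Add-FederatedDomainEntry {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][ValidateSet('Allowed','Blocked')][string]$Kind,
        [string]$AccessEdgeFqdn,   # allowed domains only: pin the partner to one Access Edge server
        [string]$Comment
    )
    # Same length limit the Control Panel enforces (see the Notes above).
    if ($Domain.Length -gt 256) { throw "Domain name '$Domain' exceeds 256 characters." }

    # A domain cannot be on both lists at once; check before calling the server so the
    # operator gets a clear message instead of a generic error.
    $onAllowed = Get-CsAllowedDomain | Where-Object { $_.Identity -eq $Domain }
    $onBlocked = Get-CsBlockedDomain | Where-Object { $_.Identity -eq $Domain }
    if ($Kind -eq 'Allowed' -and $onBlocked) { throw "'$Domain' is blocked; remove it from the blocked list first." }
    if ($Kind -eq 'Blocked' -and $onAllowed) { throw "'$Domain' is allowed; remove it from the allowed list first." }
    if ($onAllowed -or $onBlocked) { Write-Warning "'$Domain' is already configured; nothing changed."; return }

    $params = @{ Identity = $Domain }
    if ($Comment) { $params.Comment = $Comment }
    if ($Kind -eq 'Allowed') {
        if ($AccessEdgeFqdn) { $params.ProxyFqdn = $AccessEdgeFqdn }
        New-CsAllowedDomain @params
    } else {
        New-CsBlockedDomain @params
    }
}

# Audit: is federation on, does partner discovery widen access beyond the allowed list,
# and which allowed partners are not pinned to a specific Access Edge server?
function Get-FederationAudit {
    $edge = Get-CsAccessEdgeConfiguration
    New-Object PSObject -Property @{
        FederationEnabled       = $edge.AllowFederatedUsers
        PartnerDiscoveryEnabled = $edge.EnablePartnerDiscovery
        AllowedNotPinnedToEdge  = @(Get-CsAllowedDomain | Where-Object { -not $_.ProxyFqdn } |
                                    Select-Object -ExpandProperty Identity)
        BlockedDomains          = @(Get-CsBlockedDomain | Select-Object -ExpandProperty Identity)
    }
}

# Constructed sample values.
Add-FederatedDomainEntry -Domain 'contoso.com' -Kind Allowed -AccessEdgeFqdn 'sip.contoso.com' -Comment 'Partner: Contoso'
Add-FederatedDomainEntry -Domain 'fabrikam.com' -Kind Blocked -Comment 'Blocked after review'
Get-FederationAudit
```

Run it from the Lync Server Management Shell under an account in RTCUniversalServerAdmins or the CsAdministrator role, the same rights the Control Panel procedures require.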