By default, Lync provides a pretty open conferencing experience for users. It allows a fair degree of flexibility in terms of functionality after you’ve first deployed it; and I suppose this is to provide the most complete experience to users when they first try it out. In this post, I’m going to talk about why we would want to modify this default behaviour and how we can make Lync conferences more secure. The two main default behaviours that would make you want to increase conference security are:
- The same meeting URL and conference ID are assigned to the user for every meeting by default.
- PSTN callers will bypass the lobby when they join a meeting and do not need to be admitted to the meeting by a presenter. This contradicts the behaviour of a lot of audio conferencing providers today, where everybody must wait for the leader to arrive before the conference begins.
Together, these behaviours may represent a security risk to some organisations. Let’s go through how we can mitigate them.
Increasing Conference Security
This will be a pretty common requirement for an organisation that discusses sensitive information on calls, has lots of users using dial-in conferencing or is just used to this functionality from an existing provider. To do this, we need to use a Meeting Configuration. Meeting configurations in Lync can either be defined globally (so they apply to all pools everywhere), at site level (say, for all pools/users in the US or UK site) or at service level (per pool/server). I love just how granular you can get with policies/configurations in Lync. Firstly, I’m going to create a new Meeting Configuration for my St Albans site by running the cmdlet New-CsMeetingConfiguration -identity Site:StAlbans. I’m doing this because I don’t want to modify the Global Meeting Configuration.
We can see that a new meeting configuration has been created for the St Albans site with the defaults set. Now, let’s explain what each of these settings does and what we want to set it to in order to secure our Lync conferences.
PstnCallersBypassLobby: setting this to True ($true) or False ($false) defines whether PSTN callers bypass the lobby when they join an audio conference. If they are placed in the lobby, they have to be admitted by a presenter before they can join the conference. By default, this is set to True.
EnableAssignedConferenceType: this defines whether users are allowed to schedule public meetings. Setting it to True ($true) means they can schedule public meetings; setting it to False ($false) means they will only be able to schedule private meetings. By default, this is set to True.
AssignedConferenceTypeByDefault: if you set this to True ($true), users will schedule public meetings by default. Set it to False ($false) and users will schedule private meetings by default. By default, this is set to True.
What’s the difference between a public meeting and a private meeting?
So you’re probably saying just that – what’s the difference? For a Public Meeting, the conference ID and meeting link stay the same from meeting to meeting. When the meeting is a Private Meeting, the conference ID and meeting link will change from meeting to meeting. The latter is considered a bit more secure because it avoids users that weren’t sent the meeting invite dialling into your conference. For example, if I schedule one call for 11:00am Monday and another for 4:00pm Tuesday, each will have different meeting URLs and conference IDs.
DesignateAsPresenter: this determines what category of user is allocated presenter rights in a meeting when they join. The default is Company (i.e. anyone else on Lync in your organisation) but you may want to set this to None so only the organiser has presenter rights. Or if you’re very liberal, you can set it to Everyone.
The Difference Between a Presenter and an Attendee
Just to clarify, when we say Presenter, we’re talking about one of two roles in a meeting – Presenter or Attendee. Being a Presenter means that the participant has full control over what content is shared, can mute other participants, remove others from the meeting, change meeting settings etc. If you’re just an Attendee, you can do none of these things (only view content and participate in the call).
AdmitAnonymousUsersByDefault: this setting defines whether anonymous (i.e. non-authenticated) users are admitted into the conference. By default this is set to True. If your organisation plans on only using conferences for internal staff, then you might want to set this to False so users that have not authenticated with a PIN or with AD credentials aren’t able to join conferences.
Modifying the Meeting Configuration
So once I’ve defined how secure I want to make my Lync conferences, I’m going to make changes to the Meeting Configuration. In my case, I want to make sure users do not schedule public meetings and that the meeting URL and conference ID change from meeting to meeting, so I run this cmdlet: Set-CsMeetingConfiguration -identity Site:StAlbans -EnableAssignedConferenceType $false -AssignedConferenceTypeByDefault $false
If you want to modify the Global Meeting Configuration, just omit the -identity Site:SiteName portion of the cmdlet.
To verify that the change was made, I run the cmdlet Get-CsMeetingConfiguration -identity Site:StAlbans.
We can see that the site-level meeting configuration has been modified so public conferences can no longer be used in Lync.
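The following is an added example, not part of the original post: it checks every meeting configuration scope against a strict baseline built from the five settings described above and previews the change for one site. The baseline values and the function name Get-MeetingConfigDrift are assumptions for illustration; the post itself only changes EnableAssignedConferenceType and AssignedConferenceTypeByDefault.

```powershell
# Run in the Lync Server Management Shell.
# Assumed strict baseline; relax individual values to suit your organisation.
$baseline = @{
    PstnCallersBypassLobby          = $false   # dial-in callers wait in the lobby
    EnableAssignedConferenceType    = $false   # public (static ID/URL) meetings not allowed
    AssignedConferenceTypeByDefault = $false   # new meetings are private by default
    DesignateAsPresenter            = 'None'   # only the organiser gets presenter rights
    AdmitAnonymousUsersByDefault    = $false   # unauthenticated users are not admitted
}

# Hypothetical helper: list every setting, in every scope (Global, Site:*,
# Service:*), whose current value differs from the baseline.
function Get-MeetingConfigDrift {
    foreach ($config in Get-CsMeetingConfiguration) {
        foreach ($name in $baseline.Keys) {
            # Compare as strings so booleans and enum values are handled alike.
            if ("$($config.$name)" -ne "$($baseline[$name])") {
                New-Object PSObject -Property @{
                    Scope    = $config.Identity
                    Setting  = $name
                    Current  = $config.$name
                    Expected = $baseline[$name]
                } | Select-Object Scope, Setting, Current, Expected
            }
        }
    }
}

Get-MeetingConfigDrift | Format-Table -AutoSize

# Preview bringing the St Albans site in line with the baseline.
# Remove -WhatIf to apply the change.
Set-CsMeetingConfiguration -Identity 'Site:StAlbans' @baseline -WhatIf
```

A scope that has no meeting configuration of its own inherits the next level up, so a clean report for Global still leaves any site-level or service-level overrides to check.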
The User Experience
Below is where all of this is reflected on the client side – the Online Meeting Options in Outlook.
After we’ve made changes to the Meeting Configuration in Lync Server Management Shell above, you’ll see that the default settings in the Online Meeting Options change. If you change the DesignateAsPresenter setting in the Meeting Configuration, you’ll see this reflected under Presenters. If you change PstnCallersBypassLobby, you’ll see this reflected in the Access section, and so on.
As we can see, there are lots of variables available here in Lync to customise the conference experience for your organisation so that it both meets security requirements and remains easy to use for your users. You can learn more about conference security on the Lync Server 2010 TechNet Library. If you have any questions about this functionality, drop me a line in the comments below.