Haiku #181

Grab your beach towel

And sunscreen: we're going to

Allow some domains!


Well, it's another beautiful day here in Park City, UT. Of course, it's not even 9:00 AM here in Park City, UT: how do we know it's another beautiful day? That's easy: because it's always a beautiful day in Park City, UT. (We'll ignore the fact that, in a few months, the city will be buried under 300 feet of snow.) In the three-plus weeks that the author of today's haiku has been away from home, the temperature has always ended up in the 80s, and the sun has never once failed to shine. Admittedly, one day we did get a couple of raindrops, but it was literally that: a couple of raindrops. After that the rain clouds slunk away ashamed and embarrassed and the sun came out once again.


Meanwhile, the forecast for the Seattle area calls for partly cloudy skies and a high temperature of 68 degrees. Needless to say, the author of today's haiku can hardly wait to get back home.


Of course, you might be wondering, "OK, so you're in Park City, UT on a beautiful summer day: what exactly do you do in Park City, UT on a beautiful summer day?" Well, you know what they say: when in Rome, do as the Romans do. And that can only mean one thing: when in Park City, UT on a beautiful summer day, you sit inside and play around with the CsAllowedDomain cmdlets (Get-CsAllowedDomain, New-CsAllowedDomain, Remove-CsAllowedDomain, and Set-CsAllowedDomain).


Note. Is that really how the author of today's haiku plans to spend his day? Hey, what else would he do? Go hiking through the Wasatch Mountains and then spend the evening sitting in an outdoor amphitheater listening to music? As if!


You know, we were hoping someone would ask that question: what is an allowed domain? To explain the concept of an allowed domain, we first need to talk a little bit about federation. As you know, federation provides a way for users to exchange instant messages and presence information with people from other domains. If you want to allow your users to communicate with people from any domain, you simply need to use the Set-CsAccessEdgeConfiguration cmdlet to enable federation and to enable "partner discovery." Do that, and your users will be able to communicate with people from any domain in the known universe.


OK, so then what is an allowed domain, especially if every domain seems to be an allowed domain? Well, the concept of an allowed domain comes into play in two ways. First, Lync Server is designed to guard against SPAM, SPIM, and other malicious activities by monitoring the number of messages sent from a domain: if that number gets too high, then Lync Server will block any messages originating from the offending domain.


That's good … provided that the domain in question really is SPAMMING or SPIMMING you. On the other hand, suppose those messages are legitimate; suppose this is a domain your users communicate with on a regular basis? Well, in that case, you can add the domain to the Allowed Domains list. That tells Lync Server, hey, this domain is OK: you can let them send a ton more messages than you let other domains send.


Note. Does that mean an allowed domain can send unlimited messages? Not quite. For more information on how this works, see the article Federation Safeguards for Lync Server 2010.


Alternatively, you can turn off partner discovery; if you do that, then your users will only be allowed to communicate with people from domains that are on the Allowed Domains list.


What that means, of course, is that you might end up needing a way to manage your Allowed Domains list. Is that what the CsAllowedDomain cmdlets are for? Let's hope so; if it's not, then today's haiku is going to make even less sense than usual.


Difficult as that might be to believe.


Let's kick things off by talking about adding a domain to the allowed list. To begin with, we should note that you have only one Allowed Domains list; you can't set up separate allowed lists for, say, different sites. If you want to add a domain to this list all you have to do is run a command similar to this one:


New-CsAllowedDomain -Identity "fabrikam.com" -ProxyFqdn "proxyserver.fabrikam.com"


As you can see, there really isn't much to that command: the Identity for the allowed domain is simply the domain's fully qualified domain name, and the ProxyFqdn is the fully qualified domain name of the allowed domain's proxy server. The ProxyFqdn parameter, by the way, is optional: if you don't use it then DNS SRV discovery procedures are used to determine the location of the SIP proxy server.


About the only other thing you might want to do is enable the MarkForMonitoring property. When this property is set to True, the federation connection between your domain and the allowed domain is monitored by Monitoring Server. You say you want to monitor that federation connection? That's fine; just use this command instead:


New-CsAllowedDomain -Identity "fabrikam.com" -ProxyFqdn "proxyserver.fabrikam.com" -MarkForMonitoring $True


That's all you have to do. As long as fabrikam.com isn't already on the Allowed Domains list (or on the Blocked Domains list) then the command should run without fail and fabrikam.com will be added to the list.


Note. If you get a weird error message like this one:


New-CsBlockedDomain : There is a duplicate key sequence 'FABRIKAM.COM' for the 'urn:schema:Microsoft.Rtc.Management.Settings.Edge.2008:FederatedDomainName' key or unique identity constraint.


That typically means fabrikam.com is already on either the allowed list or the blocked list.


And sure, there's an easy way to verify that fabrikam.com really was added to the list: just run the Get-CsAllowedDomain cmdlet and pass it the domain's Identity.

But suppose you have a falling-out with fabrikam.com, and you no longer want them to be on your Allowed Domains list; what then? Well, then you should run the Remove-CsAllowedDomain cmdlet:


Remove-CsAllowedDomain -Identity "fabrikam.com"


And yes, we know: that does seem kind of harsh. But they asked for it!


Last (and possibly least) we have the Set-CsAllowedDomain cmdlet. Typically domains don't change much from day to day, but you never know; for example, fabrikam.com might set up a brand-new proxy server. If that happens, you're going to have to modify fabrikam's entry on the Allowed Domains list. And that, as you already guessed, is a job for Set-CsAllowedDomain:


Set-CsAllowedDomain -Identity "fabrikam.com" -ProxyFqdn "newproxyserver.fabrikam.com"


Etc., etc.
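Putting the four cmdlets together, here is an added example (not from the original post) that checks both lists before touching the Allowed Domains list, so you never hit the duplicate key error quoted above, and then verifies the entry with Get-CsAllowedDomain. It assumes you are running in the Lync Server Management Shell; the domain and proxy names are placeholders.

```powershell
# Added example, not part of the original post. Domain and proxy FQDN are
# placeholder values; substitute the federated partner you actually mean.
$Domain    = "fabrikam.com"
$ProxyFqdn = "proxyserver.fabrikam.com"

# An Identity may sit on only one of the two lists (allowed or blocked), which
# is what the duplicate key error in the post is complaining about. Check the
# Blocked Domains list first: allowing a domain you deliberately blocked is a
# decision someone should make on purpose, not as a side effect of a script.
$blocked = Get-CsBlockedDomain -Identity $Domain -ErrorAction SilentlyContinue
if ($blocked) {
    Write-Warning "$Domain is on the Blocked Domains list; run Remove-CsBlockedDomain first if you really want to allow it."
    return
}

# Already allowed? Then New-CsAllowedDomain would fail, so update instead.
$existing = Get-CsAllowedDomain -Identity $Domain -ErrorAction SilentlyContinue
if ($existing) {
    if ($existing.ProxyFqdn -ne $ProxyFqdn -or -not $existing.MarkForMonitoring) {
        # Point the entry at the new proxy and make sure Monitoring Server
        # watches this federation connection.
        Set-CsAllowedDomain -Identity $Domain -ProxyFqdn $ProxyFqdn -MarkForMonitoring $True
    }
} else {
    New-CsAllowedDomain -Identity $Domain -ProxyFqdn $ProxyFqdn -MarkForMonitoring $True
}

# Verify the result the way the post suggests: read the entry back.
Get-CsAllowedDomain -Identity $Domain |
    Select-Object Identity, ProxyFqdn, MarkForMonitoring
```

Because the Allowed Domains list is global (no per-site lists), this same script applies no matter which site the partner's users talk to.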


That's pretty much all there is to say about the CsAllowedDomain cmdlets. Wow, it's still early, we've finished today's haiku, the sun is shining and the mountains are beckoning. What are we going to do now? The only thing we can do: tackle the CsDeviceUpdateRule cmdlets! Is this gonna be a great day or what?


See you tomorrow.
