I have blogged about Hosted Exchange as well as Hosted Windows SharePoint Services so far and I think it is only fair that I should write a little bit about Hosted Office Communications Server 2007 (OCS) as well. My primary focus will be more on what HMC has introduced to a default OCS deployment for multi-tenant enablement.
What is multi-tenancy and what does it mean to OCS?
I had this in my previous post but I thought it will be nice to restate this. From Wikipedia, "Multitenancy refers to a principle in software architecture where a single instance of the software runs on a software-as-a-service (SaaS) vendor's servers, serving multiple client organizations (tenants)."
When we introduce HMC into OCS, it is about enabling OCS to service multiple tenants in that same infrastructure. Now, the good news is this, although like Hosted Exchange, there are various client applications for Hosted Office Communications Server 2007 (such as Microsoft Office Communicator 2007, Microsoft Office Communicator Web Access, Microsoft Office Communicator Mobile and Microsoft Office Live Meeting client), there are not heavy amount of changes required to be made on the infrastructure to enable it for multi-tenants.
Before we look into what it means by enabling OCS for multi-tenant, let’s quickly look at what are the primary services offered by Hosted OCS 2007, as written in the help file,
· Instant Messaging (IM)
· Group IM
· PC-Based Audio and Video Conferencing
· PC-Based Web Conferencing
As with the rest of the products in the HMC solutions, OCS’s default deployment is designed primarily for a corporate environment. In order to enable it for multi-tenant, we need to introduce a few changes to it so that there are appropriate isolation and segregation. From a very high level, here are what HMC intends to achieve,
· Contact Tenant Isolation – In a default OCS installation, domain users are allowed to search each other without restriction. That is obviously a problem in a hosted environment. Hence one of HMC’s goals is to make sure that proper contact tenant isolation is achieved.
· Address Book Isolation - Each company should only be allowed to access the address book that is meant for their company only. However, they should not be restricted from adding users from all other companies or even users using public instant messaging like AOL, MSN or Yahoo.
· Web Meeting and Conferencing Settings – Different organizations will obviously have different meeting and conferencing settings. Hence it is important to ensure that the enforcement is executed either on a per organization basis or per user basis.
· Presence Information Isolation – OCS provides the infrastructure to enable client applications to publish and subscribe to extended, or “enhanced,” presence information. The presence information may include things like status, location, or calendar state which most organization may want to limit it to just the users in their own organization.
So as you can see, there isn’t a lot to do and the good news is that most of the above can be easily achieved. Nonetheless, I also like to highlight that there may be some limitations too. Let's take a closer look.
What is HMC doing to OCS for Hosting?
At a high level, really not a great deal. Unlike Hosted Exchange, there is no specific customized HMC component introduced by HMC solutions into the OCS infrastructure for Hosting purposes (perhaps there should be some, I will explain later). On top of that, most of the isolation requirements mentioned above can be achieved easily with a few tweaking.
My intention is to briefly explain some of those tweaking in the deployment walkthrough so that we all understand a little bit better why we are doing some of those tasks.
As you walk through the deployment process, you probably have realized that the OCS infrastructure deployment isn’t very different as compared to deploying OCS on a corporate environment. In fact, you will find many references in the help file pointing you back to the OCS deployment guide.
You will find that you only need to make a few simple changes to the OCS infrastructure for hosting purposes. To be specific, after you have completed the deployment of the OCS infrastructure, you need to execute the following procedures,
Deploy Provisioning for Hosted Office Communications Server 2007
Procedure W08-DWHO.56 to W08-DWHO.58
The above procedures deploy the OCS Administrative tools and then the MPS OCS namespaces required to make OCS calls. The HMC deployment tools do not make any change to the OCS environment. Next you will execute the following procedures,
Configure Security for Office Communications Server 2007 Edge Services
Procedure W08-DWHO.59 to Procedure W08-DWHO.71
I think the name of this section needs to be changed because it does more than just configuring the security of OCS 2007 Edge services. In fact, it covers all major the configurations required for Hosted OCS.
I will skip some of the items or steps that are self explanatory in the above procedures and for the purpose of this blog, I will organize my points based on isolations and segregations,
(1) Contact Tenant Isolation
As we know, the default OCS deployment is catered for corporate environment. It means by default, all domain users (or all authenticated users) are allowed to search each other without restriction. This is obviously not acceptable in a hosted environment.
Fortunately, OCS uses a property set to determine whether a user is authorized to search other users in the organization using the Find functionality in OCS. The property set is RTCUserSearchPropertySet.
RTCUserSearchPropertySet is composed of a single attribute,
So, in order to ensure that only the authorized users can perform the search, the procedures will have you to remove the Authenticated users from the top so that it will not inherit downwards. And in order to allow authorized users to search that, you will notice that AllUsers@<domain> will be granted permission to that property set on their respective Organization OU.
(2) Address Book Isolation
If you have used Microsoft Office Communicator 2007 before, you will notice that you have access to a contact list, rich with information about people in your organization such as office locations, job titles, multiple phone numbers and etc. This information (contact list or most often we call it address book) is generated from the Active Directory and it is being distributed to the Communicator by Address Book Server through IIS.
If you think about it, this is actually similar to Hosted Exchange where out of the box; we have a Default Global Address List that consists of everyone. Of course, there is absolutely no relationship between Hosted Exchange address list and OCS address book, other than the fact that they are generated from the same source, Active Directory.
The Microsoft Office Communications Server 2007 Address Book server contains the following set of address book files that Communicator 2007 can download:
· A full file that contains all contacts.
· Delta files that contain the changes from the current full file and from each previous full file.
Now, by default, it consists of just a single address book. This is obviously not acceptable in a Hosted environment.
Fortunately, OCS comes with a feature called Partition ABS data by Organizational Unit and create individual ABS files per OU. One of the deployment steps is to enable this using a tool called ABSConfig.exe.
Note: If you encounter error “System.ArgumentOutofRangeException” when running this tool, please refer to this article, http://support.microsoft.com/kb/954749.
What this option (ABS data by Organizational Unit and create individual ABS files per OU) does is that, instead of creating a single address book, it will create multiple address books based on OU and it will create the appropriate OU structure in the address book output location during synchronization. For example in my test lab, my ABS output location looks like the following,
So, that’s on the Address Book Server side. What about on the Communicator side? How does Communicator know which path to go to? We know that the distribution is through IIS, so, if I am user from AlpineSkiHouse, for example, will Communicator know how to get to the link say for example,
How does Communicator know how to get there? The truth is, Communicator does not know. Communicator will only know how to get to one link that you specified during deployment, which is https://web.consolidatedmessenger.com/Abs/Ext/Handler and it will attempt to get F-0b72.lsabs file. By default it will just point you to the default address book just as your default installation. In order to make sure Communicator know how to get to the right path, you have to configure in the web.config in the ABS server to perform a redirect (this is specified in Procedure W08-DWHO.68).
Here is an example of how it works. Once the redirect is set, if I am a user in AlpineSkiHouse, when I logon using Communicator and try to perform a contact search, Communicator will try to go to https://web.consolidatedmessenger.com/Abs/Ext/Handler/F-0b72.lsabs to locate the address book, the IIS will perform a search based on my logon ID and redirect the Communicator to https://web.consolidatedmessenger.com/Abs/fabrikam.com/Hosting/ ConsolidatedMessenger/Alpineskihouse/F-0b72.lsabs.
The Communicator will then download and cache the address book on the workstation in this location, %APPDATA%\Microsoft\Communicator\Galcontact.db
So, there you go, this is the biggest part of the segregation process for Hosted OCS 2007.
Note: I should also highlight that the address book server will synchronized with the Active Directory on a daily basis. Hence, a contact may take up to 24 hours before it appears in an address book. If you can’t wait, you can always call ABServer.exe -syncNow (located in %programfiles%\Microsoft Office Communications Server 2007\Server\Core)
In addition to the Address Book (from Active Directory), Communicator provides access to information in your Outlook Contacts folder, and in the Windows Address Book.
(3) Web Meeting and Conferencing Settings
Now, here is a direct cut and paste from the HMC help file, “Office Communications Server 2007 allows for either per user policies or per forest policies to be configured for both Voice and Meetings.
The default setting for both of these is to support per forest settings and anonymous participants in a meeting is disabled.
In a HMC environment it is likely that different services will be offered to different business and thus it is necessary to configure each user with the correct settings. To change the default behavior you will need to make the following changes.”
I thought the above has said it all. I don’t need to add much to this.
(4) Presence Information Isolation
I like to spend a tiny bit of time on this. When you run through your deployment, one of the procedures (to be specific W08-DWHO.65) is to Disable Non-Contacts Presence Information Display. As provided in the description in the help file, this procedure ensures users who are not in the users contact list cannot view presence information.
Unfortunately, it is actually more complicated than that. It seems that this option doesn’t work well in the context of Enhanced Presence feature. As a result, I would say this is currently a limitation in the Hosted OCS 2007.
While the directory search and address book have been properly segregated, the presence information may not if the user enter the full sip address of the user correctly in to the search box. It means, if I am a user in AlpineSkihouse and I put in a full sip address of another user in another organization in the same Hosted environment, say email@example.com, I can actually see his presence information right away even though I am not part of his company. HMC 4.5 out of the box right now does not have lock that down. Individual user can lock that down by using Access Levels Management. However, it should be noted that the display name may still show.
Note: You should also know that, once you enable enhanced presence for a user and the user signs in to Office Communications Server using the Office Communicator 2007 client, the user account is converted to use enhanced presence. The user will then no longer be able to sign in to Live Communications Server 2005 with SP1 and cannot use any previous version of Communicator to sign in. This means that the user will not be able to sign in by using the 2005 version of Communicator Web Access or Communicator Mobile version 1.
One of the features of OCS is that it has the capability of archiving and call details recordings (CDRs). This is provided through CDR server and by default it has the following capabilities:
· Archiving of all instant messaging (IM)
· Archiving of call detail records (CDR)
However, it should be noted that Hosted Office Communications Server 2007 supports archiving of CDR. Deployment of the IM archiving are out of scope for Hosted Office Communications Server 2007.
Obviously, the above is a simplified version of the whole Hosted Office Communications Server solution. There are more to it in HMC such as offering Hosted OCS through Organization and User Plan, configurations and policies of Live Meeting components, additional server roles such as Director in a slightly larger environment, inclusion of IP telephony devices and etc. that may add to the complexity of the solutions.