Lync 2010 – Multi-tenancy

As we deploy Lync internally, one of the requirements I discovered was to provide telephony for a few people outside of our company. This is a small group of people who had been provided voice service from a branch PBX (CUCM). Because Lync is user-centric, and not phone-centric, providing equivalent functionality to outside users isn’t straightforward. For example, on CUCM this group only needed a network connection and a desk phone for basic services. Lync 2010 has no multi-tenant documentation, so carving out an OU just for them doesn’t appear to be viable.

We are, however, deploying the NET UX2000 SBA at all branches. This gives us the option of simply registering their existing Cisco IP phones to the UX2000 for inbound & outbound calling. Are there any gaps with this solution? Short answer: yes. The biggest of these are voice mail and conferencing. Conferencing may be addressed by an external solution (WebEx, GoToMeeting, even voice-only conferencing solutions). However, voice mail isn’t as easy. Without actually being on a PBX (hard or soft), there is no logic to route calls to a voice mail server. The UX2000 is a great piece of technology, but for pure SIP devices its limits are registration and call routing.

Enter this post. I think providing Lync to these users would be infinitely more supportable than the direction above. For one, our company isn’t deploying any pure SIP devices (that is, non-OCS/Lync compatible devices). As a result, any problems reported by these users would be foreign to our support team. Secondly, kludging together a voice mail solution for these users, and having to support that, would be just as bad. With these issues laid out, the task ahead is finding a multi-tenant configuration for Lync that will (a) provide basic call features + voice mail and (b) isolate these users to themselves in such a way as not to expose them to the rest of the company, nor the company to them.

Where to start?

Providing basic call features and voice mail is really the easy part.  Provision accounts & mailboxes in a separate OU within Active Directory, give them a Lync Phone Edition device that registers via Edge servers (see Jeff Schertz’ great bit here), and they have full functionality.  Isolating these users is the hard part.

First, we can exclude them from the Exchange GAL by setting the msExchHideFromAddressLists user attribute to true.  This will hide them at the Exchange level within the company.  No one will stumble upon them in their address book.

Second, we can isolate their Lync address book so that they can only discover themselves.  This is accomplished with another user attribute: msRTCSIP-GroupingID.  This attribute is a 16-character GUID which, if present, only returns contacts that also have the same GUID value present on their account.  In other words, if John has this attribute set to 1111111111111111, then he can only search for and discover other users (by name) that also have the same value for this attribute.  It should be noted that, just like federation, if John were to enter the full SIP URI of a user, he would find them.  So while it can’t be considered complete isolation, it provides enough isolation to satisfy our needs.  That is, not exposing internal users to this external group.
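
The two attribute changes above, as an added PowerShell example that is not from the original post: it stamps both attributes on every user in the tenant OU, then reports accounts that break the isolation. The OU path and grouping value are placeholders, and it assumes the ActiveDirectory module is available and that msRTCSIP-GroupingID is stored as the 16 raw bytes of a GUID.

```powershell
# Added example. $TenantOU and $GroupingId are placeholders, not values from the post.
Import-Module ActiveDirectory

$TenantOU   = 'OU=ExternalTenant,DC=example,DC=com'         # hypothetical OU
$GroupingId = [guid]'11111111-1111-1111-1111-111111111111'  # hypothetical grouping value
$IdBytes    = $GroupingId.ToByteArray()                     # assumed storage form: 16 raw bytes
$Want       = [BitConverter]::ToString($IdBytes)

# Step 1: stamp both isolation attributes on every user in the tenant OU.
Get-ADUser -SearchBase $TenantOU -Filter * | ForEach-Object {
    Set-ADUser -Identity $_ -Replace @{
        'msExchHideFromAddressLists' = $true
        'msRTCSIP-GroupingID'        = $IdBytes
    }
}

# Step 2: find accounts in the OU that are missing either value. Such an
# account still shows up in the GAL, or can search the whole Lync address book.
$attrs = 'msExchHideFromAddressLists', 'msRTCSIP-GroupingID'
$gaps = Get-ADUser -SearchBase $TenantOU -Filter * -Properties $attrs | Where-Object {
    $raw  = $_.'msRTCSIP-GroupingID'
    $idOk = ($null -ne $raw) -and ([BitConverter]::ToString([byte[]]$raw) -eq $Want)
    -not ($idOk -and $_.msExchHideFromAddressLists -eq $true)
}

# Step 3: find accounts outside the OU that carry the same grouping value.
# They would be discoverable by name from the tenant group.
# An octet-string LDAP filter needs each byte escaped as \xx.
$hex   = ($IdBytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
$leaks = Get-ADUser -LDAPFilter "(msRTCSIP-GroupingID=$hex)" |
    Where-Object { $_.DistinguishedName -notlike "*,$TenantOU" }

'Accounts in the tenant OU missing an isolation attribute:'
$gaps  | Select-Object SamAccountName, msExchHideFromAddressLists
'Accounts outside the tenant OU sharing the grouping value:'
$leaks | Select-Object SamAccountName, DistinguishedName
```

Running steps 2 and 3 on a schedule catches newly provisioned accounts that were created without the attributes. It does not cover lookups by full SIP URI, which still resolve as described above.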

Address Books, check.  What else?
