That's one way, but it could be circumvented. You can just disable those features on the mailbox of folks you don't want connecting: http://technet.microsoft.com/en-us/library/bb125264.aspx
And you can maintain the ABQ list for devices that can/can't connect: http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx

- Will

On Thu, Jul 5, 2012 at 8:17 AM, <[email protected]> wrote:

> Thanks for the great comments. I’ll revisit the design with the vendor helping me implement the solution. It seems clear that I should be using a commercial cert for the edge services - access.xyz.com, webcon.xyz.com, av.xyz.com.
>
> In addition to the needs for my Lync installation, I had originally intended to use an internal CA to issue certs to company laptops and cell phones in the case where management chooses to want to limit access to outlook anywhere and activesync to only company issued devices. Does that sound reasonable or is there a better way to limit access to such things to company issued devices should that be their whim?
>
> Jim
>
> *From:* William Robbins [mailto:[email protected]]
> *Sent:* Wednesday, July 04, 2012 9:21 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Certificate authority
>
> I'd have to concur, especially if federating is in your Lync future.
>
> Besides that if you are utilizing smart phones/3rd party software it's *much* easier to use certs from an already trusted external CA. Otherwise you'll need to install Root CA chains on your devices for your internal CA.
>
> We ended up using a hybrid of internal and external certs, but our internal PKI is mature, and we used 3rd party certs for all the Edge's.
>
> - Will
>
> On Wed, Jul 4, 2012 at 11:04 AM, Brian Desmond <[email protected]> wrote:
>
> Why does installing Lync necessitate a CA? Just get the certs from a commercial CA.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w – 312.625.1438 | c – 312.731.3132
>
> *From:* [email protected] [mailto:[email protected]]
> *Sent:* Tuesday, July 03, 2012 5:49 PM
> *To:* NT System Admin Issues
> *Subject:* Certificate authority
>
> We will be installing Microsoft Lync here very soon and I need to have a certificate authority running. To date, we’ve not had a need to stand one up and from the research I’ve done, it seems there are a number of ways to go – three tier, two, standalone.
>
> Our needs are for Lync, maybe some certs for some smart phones and some internal software we’ve written so it’s not a complicated system from our perspective. At least not for the short term. I obviously don’t want to do something that I’ll regret later and was looking for some advice from others who have traveled these roads and learned what to do, and what not to do.
>
> From my research, I think a two tier system will work but I’m not real clear at this point how you have an offline CA (for security purposes) and subordinate CA’s to hand out certs. Still reading up on all that.
>
> Am I overthinking all this as my Lync installer suggests? He said that I should just install the certificate role on a DC and that would be that. I think they might be better at installing and configuring Lync than they are at designing certificate authorities as my research indicates doing that is not the best way to go.
>
> Can anyone share their experiences as time is short and I need to decide what CA to stand up.
>
> Any advice would be appreciated.
>
> Thanks
>
> Jim
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
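
The two controls suggested in the top reply (turning the protocols off per mailbox, and maintaining the ABQ list), sketched for the Exchange Management Shell as an added example that is not part of the original thread. It assumes Exchange 2010 SP1 or later; the mailbox names, device model string, device ID and admin address are constructed placeholders.

```powershell
# Added example. All identities, addresses and device values below are
# constructed placeholders; run in the Exchange Management Shell.

# 1. Per mailbox: turn off ActiveSync and Outlook Anywhere for users who
#    should not connect from outside the network.
$blocked = 'contractor1', 'kiosk-user'            # hypothetical mailboxes
foreach ($mbx in $blocked) {
    Set-CASMailbox -Identity $mbx `
        -ActiveSyncEnabled $false `
        -MAPIBlockOutlookRpcHttp $true
}

# 2. ABQ default: quarantine any device that no rule or per-user entry
#    allows, and mail the admins who review the quarantine.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'mobile-admins@example.com'

# 3. Organization-wide allow rule for the company-issued handset model.
New-ActiveSyncDeviceAccessRule `
    -Characteristic DeviceModel `
    -QueryString 'ExampleCorpPhone' `
    -AccessLevel Allow

# 4. Per-user exception: allow one specific device ID for one mailbox.
Set-CASMailbox -Identity 'jsmith' `
    -ActiveSyncAllowedDeviceIDs @{ Add = 'CONSTRUCTEDDEVICEID01' }

# 5. Verify: mailboxes that can still use either protocol, the rules in
#    force, and devices currently waiting in quarantine.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -or -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, ActiveSyncEnabled, MAPIBlockOutlookRpcHttp

Get-ActiveSyncDeviceAccessRule |
    Format-Table Name, Characteristic, QueryString, AccessLevel

Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceModel, DeviceId, FirstSyncTime
```

ABQ rules match on values the device reports about itself, so they enforce policy on which devices are expected to connect rather than authenticate the device.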
