Configuring User Federation, Remote Access, and Public IM in Lync

If you are configuring the Federation, Remote Access, or Public IM (PIC) features for Lync users in a script (e.g. one that runs as part of a nightly process), you might be confused by the 3 potentially different methods of configuring these features:

1) Lync External Access Policies

  • Set with the New-CsExternalAccessPolicy cmdlet

2) Lync User Attributes

  • Available on the Get-CsUser PowerShell cmdlet:
    • EnabledForFederation
    • EnabledForInternetAccess
    • PublicNetworkEnabled

3) User AD Settings for Federation and Remote Access

  • msRTCSIP-FederationEnabled
  • msRTCSIP-InternetAccessEnabled
  • msRTCSIP-OptionFlags (contains a bitmask value which sets the PIC feature)

If you have a background administering user features in OCS, you might be tempted to reuse an existing OCS script for Lync to configure these features by setting one of the above AD attributes on the associated AD user object.  Do not do this.

Here is the golden rule:  Always use the Lync External Access Policy to configure these features for Lync users.

The AD attributes listed above have no bearing on the associated Lync user functionality; they are only used for backward compatibility. Specifically, if the Lync topology contains an OCS 2007 or 2007 R2 Director, it will look at these AD settings for traffic that passes through it.  These AD settings are set to TRUE by default for new Lync users, which tells the Director to pass the request to the user's Lync home pool so that Lync can evaluate the request using the Lync External Access policy settings.

The 3 related Lync user attributes available on the Get-CsUser cmdlet mimic the AD attributes. They can only be read through Get-CsUser, and only exist for backward compatibility.

For example, this will return a parameter not found error:

  • Set-CsUser -Identity "Curtis Johnstone" -EnabledForFederation $False

The applicable Lync External Access policy determines the feature configuration, not these attributes.

Other Notes:

  1. If the user is assigned the default Global Lync External Access Policy, the Get-CsUser command returns nothing for the “External Access Policy” property.
  2. The default External Access Policy that ships with Lync does not have Federation, Remote Access, or PIC enabled (set to TRUE).
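
The golden rule above as a script, added here as an example (not code from the original post): it creates a per-user External Access Policy, grants it, and then reports the policy settings that apply to each user, treating an empty policy property as the Global policy. The policy name `FederationOnly` and the SIP addresses are assumptions, and site-scoped policies are not resolved.

```powershell
# Added example: configure and audit external access through policies only,
# never through the msRTCSIP-* AD attributes.
Import-Module Lync

# Hypothetical policy name and constructed sample identities; adjust to your deployment.
$policyName = 'FederationOnly'
$users      = 'sip:alice@example.com', 'sip:bob@example.com'

# Create the per-user policy once: federation on, remote access and PIC off.
if (-not (Get-CsExternalAccessPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsExternalAccessPolicy -Identity $policyName `
        -EnableFederationAccess  $true `
        -EnableOutsideAccess     $false `
        -EnablePublicCloudAccess $false | Out-Null
}

# Assign the policy; this is the supported replacement for writing AD attributes.
foreach ($u in $users) {
    Grant-CsExternalAccessPolicy -Identity $u -PolicyName $policyName
}

# Audit: list the policy settings that apply to every enabled Lync user.
$global = Get-CsExternalAccessPolicy -Identity Global
Get-CsUser -Filter { Enabled -eq $true } | ForEach-Object {
    # Get-CsUser shows nothing here when no per-user policy is assigned,
    # so fall back to the Global policy (simplification: site policies are ignored).
    $assigned = "$($_.ExternalAccessPolicy)"
    $policy = if ($assigned) {
        Get-CsExternalAccessPolicy -Identity $assigned
    } else {
        $global
    }
    New-Object PSObject -Property @{
        User         = $_.SipAddress
        Policy       = $policy.Identity
        Federation   = $policy.EnableFederationAccess
        RemoteAccess = $policy.EnableOutsideAccess
        PIC          = $policy.EnablePublicCloudAccess
    }
} | Select-Object User, Policy, Federation, RemoteAccess, PIC |
    Sort-Object Policy, User |
    Format-Table -AutoSize
```

Reviewing this table after each nightly run shows which accounts can be reached from outside the organization, regardless of what the legacy AD attributes say.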

