This article is a brief clarification about a topic that still occasionally leads to some confusion going back to the original release of Office Communications Server. Basically the wording of one of the options contained in the External Access Policy settings of OCS or Lync Server is oddly written and tends to describe behavior that is not at all what it actually controls.
The following screenshot is from the External Access Policy page located in the Federation and External Access section of the Lync Server Control Panel.
The available settings describe allowing communications with the following types of users: Federated, XMPP (new in Lync 2013), Remote, and Public. Now in classic Sesame Street style, one of these things just does not belong. Well, technically it belongs but the phrasing is not correct at all on the ‘Remote users’ option.
For each of the other settings the description is exactly what the option does: it controls the ability for users assigned to this policy to communicate with those other types of users. Meaning that a Lync user account assigned to this policy would be able to communicate directly with other federated Lync users, external XMPP contacts, and any contacts on supported public instant messaging platforms like Skype or AOL.
But the ‘Enable communications with External Users’ option is a bit perplexing. On the surface it seems to indicate that this option would also allow or prevent the assigned Lync user from communicating directly with other Lync users in the same organization who were at the time registered externally. For anyone who has ever used or deployed OCS or Lync this concept is absurd. Lync is designed to transparently allow both internal and external users to work in concert across multiple modalities in an effort to overcome the typical limits of a mobile workforce. External users can sign in to Lync without VPN clients and perform the same tasks and have access to the same features as when inside the corporate network.
So why include an option to inhibit this behavior and potentially create mass-confusion among the users by preventing co-workers from communicating when one of them happens to be outside the office for some time? Simply, there is no option to do this, as it does not make any sense.
Clearly the wording of this option is misleading, as it has no bearing on the ‘communication’ behavior with external users. All this setting controls is the ability for Lync users to sign in to Lync desktop clients directly from external networks (e.g. the Internet). So clients which attempt to register to an Access Edge Server need to be assigned an external access policy in which this setting is enabled; otherwise the Edge Server will reject the sign-in attempt. But once the allowed users are registered they can communicate with all other Lync users in the same organization regardless of where that other user is registered, inside or outside.
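To see which accounts this setting actually affects, the policy can be audited from the Lync Server Management Shell. The following is an added example, not part of the original article: it relies on the fact that the checkbox discussed above is stored as the `EnableOutsideAccess` property of the external access policy, and it assumes the shell is running with rights to read policies and users. The script is read-only.

```powershell
# Added example (not from the original article). Run in the Lync Server
# Management Shell; it only reads configuration and changes nothing.
Import-Module Lync

# Each Control Panel checkbox maps to one policy property. The option the
# article discusses is EnableOutsideAccess: sign-in through the Access Edge.
Get-CsExternalAccessPolicy |
    Select-Object Identity,
        @{ Name = 'RemoteSignIn'; Expression = { $_.EnableOutsideAccess } },
        EnableFederationAccess, EnableXmppAccess, EnablePublicCloudAccess |
    Format-Table -AutoSize

# Per-user policies that leave remote sign-in disabled, and who is assigned
# to them. These are the accounts the Edge Server will reject from outside.
$report = foreach ($policy in Get-CsExternalAccessPolicy -Filter 'Tag:*') {
    if ($policy.EnableOutsideAccess) { continue }
    $name = $policy.Identity -replace '^Tag:', ''
    Get-CsUser -Filter "ExternalAccessPolicy -eq '$name'" |
        Select-Object SipAddress, @{ Name = 'Policy'; Expression = { $name } }
}
$report | Sort-Object Policy, SipAddress | Format-Table -AutoSize

# Users with no per-user policy fall back to their site policy, or to the
# global policy when no site policy exists.
$inherited = @(Get-CsUser -Filter { ExternalAccessPolicy -eq $null })
$global    = Get-CsExternalAccessPolicy -Identity Global
'{0} users inherit a site or global policy; Global EnableOutsideAccess = {1}' -f `
    $inherited.Count, $global.EnableOutsideAccess
```

None of these users lose the ability to talk to remote colleagues when `EnableOutsideAccess` is false; they only lose the ability to register from outside the network themselves.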
Long ago it was suggested to the Lync product team to rename this option to something like ‘Enable Remote client registration’ or a similar, accurate description to avoid this confusion. Maybe it will be updated in a future version of the product, but for now it still stands.
You know, the only time I've ever paid attention to that checkbox was when people were complaining they couldn't sign in from the outside. Only now that I've actually READ the description and thought about it (thanks to your post) did I realize that it doesn't make sense. Good work.
Ken
Yeah, most don't get caught up on it but for the beginner it's very confusing. It was worse in OCS when external sign-in failures due to this setting being disabled for a user's policy would just fail with a generic error. Since Lync the error message was more descriptive.
Nice one. Echo Ken's comments. I've always thought of it as what enabled a user to sign on when connected to external networks. While I believe Microsoft does a fantastic job providing amazing documentation there is always room for improvement 🙂