...
In order to reach the Ethical wall settings, please go to your Access Admin Portal Admin Area → Settings → Ethical Wall, or by using the following URL: /admin/settings?category=settings_federation_webservice_category_header
...
| Option | Explnation |
|---|---|
| Run Ethical Wall on | Choose where you have the SIP Filter installed, Skype for Business Front-End or Edge. Please note the Bastion option is only available if your Bastion server has a LAC filter which supports Ethical wall. |
| Skype for Business Front End servers FQDNs | Enter the FQDN of your Front-Ends, this is only relevant when you have the SIP Filter installed on the Front-End servers. This is used in order to ignore SIP messages from the Front-Ends which cause unnecessary traffic. |
| Policy rules memory cache time (minutes) | Set the number of minutes for the SIP Filter to save policies and policy cache locally on the server before refreshing and fetching updated policies from the Database. |
| Access Skype for Business contact list | If set to "Yes", policies based on the contact list will be available (This requires UCMA configuration unless installed on the front-end. How to configure UCMA integration with SphereShield?) |
| Contact list cache period (minutes) | Set the number of minutes for the SIP Filter to save a user's contact list locally on the server before fetching it again. |
| Internal domain list | Enter the SIP domains of your environment. |
| Operation Mode | Set the operation mode on which the SIP Filter runs (Live, Learning or Dummy). |
| Calculated Policy cache validity period (hours) | Set the number of hours for policy cache records to remain valid, after this expires the non-valid records will get invalid records are deleted. |
| Ethical Wall scope | The scope of the Ethical Wall, External controls federated users, while internal controls internal users communications. |
| Admin notification type | Choose the type of notification for notifying admins about Ethical Wall incidents (IM Requires UCMA integration and IM Notifications configuration). |
| User notification type | Choose the type of notification for notifying users about Ethical wall incidents they have caused (IM Requires UCMA integration and IM Notifications configuration). |
| User notification message | Enter the message to be sent to users after they have caused an Ethical Wall Incident. |
| Ignore handling presence | If set to "Yes", any Ethical Wall Policy with a presence rule set to it, will not apply and will be ignored (hence presence will always be seen), choose "Yes" for Internal Ethical Wall control. Ignoring presence reduces the load from the system. |
Ethical Wall Policies
In order to To configure Ethical Wall policies, please go to the Access Admin Portal Admin Area → Ethical Wall Policy, or by using the following URL: /admin/federationpolicy
Ethical Wall policies can be set to apply internally (on users and groups within the organization that communicate with other users or groups within the organization). Alternatively, policies can also be set to apply externally (For federated domains).
Ethical Wall policies can be applied to specific groups within the domain that the Access Portal can pull from the Active Directory, this feature requires an LDAP connection string to be set. When setting an Ethical Wall, it will create a default policy for P2P communication and conference communication, these policies cannot be moved up/down and cannot be deleted. Use it as a baseline for when none of the policies apply. There are 2 default policies for internal Ethical wall and another 2 default policies for the external Ethical wall (for P2P and conference both internally and externally).
Policy order
Policies are enforced from top to bottom, where the first policy will take precedent over the policies below it
It can be configured that a policy will only apply one rule by changing the rule to be with control
Policy creation
The policy creation process is split into two stages:
- Polices condition - Setting the scope of the users implicated by the policy and additional modalities. the The scope of the policy is versatile and can be set based on groups, individual SIP addresses, or domains.
- Policy rules - Setting the type of communication that will be handled by the policy
...
Policy conditions
Policies are created first by defining the communication conditions, the set of relationships between Users, AD Security Groups, Domains. as well based on an additional modality whether they are present in the contact list of the user.
...
| Info |
|---|
It is required to configure UCMA integration in order to apply policies based on the Contact list |
Side B policy condition
Configuration The other side of the communication
...
These policies are policies that are applied when a certain user chooses to communicate with another user not via a conference, by searching the appropriate contact in the user’s client and starting a conversation.
Communication
...
rule types
Communication tules rule types are the type of communication that can be configured within the scope of the Policy
Chat | The ability to initiate a chat. The side with the |
Audio | The Ability to initiate a VoIP conversation over Skype for Business. Works the same as the Chat restrictions. |
| Video | The ability to initiate a video call over Skype for Business. Works like the chat and the Audio. |
| File Sharing | The ability to share a file Via Skype for Business. If the policy is set in the same manner as the Chat example, side A will be able to send a file to side B, while side B won't be able to send a file even after a file has been already sent. |
| Conference | The ability to start or invite users to a conference. This setting work like Chat, Audio, and Video |
See presence | The ability to see the presence (Statuses like “Busy”, “Available”, “In a meeting” etc.) of the other party. When this feature is deployed externally it can be set only to block federated users from seeing the internal user’s presence and not the other way around. |
| Contact Card | The contact card policy rule refers to the vCard you may see when choosing someone’s name. This policy rule allows blocking federated users from seeing the internal user’s contact cards. Just like the presence control, this feature can only be applied to block federated users seeing internal user’s contact cards and not vice versa. Within this feature, SphereShield also offers the ability to control what information exactly is shown to the other side (Name, Title, Email, Phone, etc.) This feature is not available when running the SIP Filter on the Front End. |
| Desktop Sharing | The ability to perform a screen presentation and whiteboard. |
| Program Sharing | The ability to perform a screen presentation that presents only a certain program within the computer rather than the entire monitor |
Conference Policy
Conference policies are policies that are applied for meetings both Ad-Hoc and organized
...
When setting an Ethical Wall policy it is set between 2 sides (Side A, Side B). Side A Should be an internal SIP domain Group, Side B can be either an Internal SIP domain or an external SIP Domain.
Communication rules types
| Chat | The ability to initiate a chat. In conferences, this rule can be set to allow both sides or block both sides. |
Audio | The Ability to initiate a VoIP conversation over Skype for Business. Works the same as the Chat restrictions. |
Video | The ability to initiate a video call over Skype for Business. Works like the chat and the Audio |
Data collaboration | The ability to share PowerPoint presentations, File transfer, QA, Whiteboards, and polls. This setting can also be defined either to allow both sides or to block both sides |
| File transfer | A way to exclude only file transfer from the Data Collaboration. This feature requires the usage of SphereShield's Content manager (This rule exists only if Data Collaboration is allowed). |
| Present Desktop | The ability to present the screen. This feature can be set to block or allow incoming and outgoing independently. Will also apply for Present Program. |
| Remote control | Blocking this feature will grey-out the “Request control” button in a chat. This feature can be set to block or allow incoming and outcoming independently (This rule exists only if Present Desktop is allowed). |
...
| Info |
|---|
Present Desktop is controlled by all the other user-defined policies |
Communication rules types
| Chat | The ability to initiate a chat. In conferences, this rule can be set to allow both sides or block both sides. |
| Data collaboration | The ability to share PowerPoint presentations, File transfer, QA, Whiteboards, and polls. This setting can also be defined either to allow both sides or to block both sides |
| Conference | The ability to start or invite users to a conference. This setting work like Chat, Audio, and Video |
| File transfer | A way to exclude only file transfer from the Data Collaboration. This feature requires the usage of SphereShield's Content manager (This rule exists only if Data Collaboration is allowed). |
| Present Desktop | Taken from all the other user-defined policies |
...
| Info |
|---|
You cannot configure the granularity of the users that will receive this policy, all internal users connected using a mobile phone will be enforced under this policy outside |
Communication rules types
| Chat | The ability to initiate a chat. In conferences, this rule can be set to allow both sides or block both sides. |
| Audio | The Ability to initiate a VoIP conversation over Skype for Business. Works the same as the Chat restrictions. |
| Video | The ability to initiate a video call over Skype for Business. Works like the chat and the Audio. |
| Present Desktop | The ability to present the screen. This feature can be set to block or allow incoming and outgoing independently. Will also apply for Present Program. |
| See presence | not supported in mobiles |
...