How to create a minimum permissions database user for the components running in DMZ?

Security might require changing the permissions given to the users connecting to the DB from DMZ. This could be achieved using an SQL script located in the installer payload.

Use the following procedure:

1. Edit the relevant SQL file from the SphereShield Setup folder.

For LAC Filter only (Filter deployed on Bastion server) use FilterUserScript.sql 

For SIP Filter only (Filter deployed on Edge server) use SipFilterUserScript.sql

For LAC filter and SIP filter (Filters deployed on Bastion and Edge servers) use LacFilterAndSipFilterUserScript.sql (Download here)

2. Change the value for DECLARE @dbName nvarchar(MAX) = N'your_db_name' to match you database name (usually AccessPortal)'

3.The default values for credentials are FilterUser and your_Pas5w0rd - consider changing them, especially when using both scripts (LAC and Sip filters) since both scripts declare the same username by default.

4. Execute the SQL Script

1. Edit the Lync_Access_Control.xml from the Bastion Filters folder

3. Save the file

4. Restart the Bastion Service

1. Edit the AgatSfbSipFilter.yaml (FKA SkypeShieldSIPFilter,yaml) from the SIP filter folder

2. Change the value of connection-string: Data Source=<<SQLSERVER>>;Initial Catalog=<<DataBaseName>>;Persist Security Info=True;User ID=<<username>>;Password=<<password>> to the new ID and Password

3. Save the file 

4. Restart the SIP Filter Service

5. Edit the AgatSIPFilterAgent.config from the Tools folder

6. Change the value of <add key="ConnectionString" value="Data Source=[SQLSERVER];Initial Catalog=[DataBaseName];Persist Security Info=True;User ID=[username];Password=[password]" /> to the new ID and Password

7. Save the file

8. Restart the SIP Filter Agent Service