Components (SIP front end/ Edge / Bastion) that need to be installed for each scenario

Internal / external - Describes if the user is part of the company domain or a federated / guest user

Remote/ Local - Describes the location from which a user is connecting from - local or remote network

Incoming/ Outgoing - Defines the direction of the traffic relative to the internal SIP domain

Business Case Example	Preferred Setup
Prevent sensitive info from reaching users who are not members of the company, except Anonymous Guests	SIP Filter on the Skype for Business Edge
Prevent sensitive data from reaching mobile devices of an employee	Bastion HTTPS proxy
Block communication between different groups inside the company	SIP on the Skype for Business Front End
Prevent sensitive data from reaching devices of an employee outside to corporate network	Bastion HTTPS proxy and SIP Filter on the Skype for Business Edge
Block file transfer for Anonymous Conference guests and for Federated Peers	Bastion HTTPS proxy and SIP Filter on the Skype for Business Edge
Directional screen sharing in conference	When using directional screen sharing in a conference with SipFilter, if the internal participant is not allowed to share their screen and they override existing sharing externally (that IS allowed to share), if there is another external participant in the conference, they will be able to see the screen of the internal participant. There is no new invite that we can block for preventing this scenario. The only way is to manage external users in the meeting and block the sharing in the FE. Therefore, if you want to solve this issue you must to do the following steps: SipFilter must be installed on FE and EGDE (version 3.1.9.2 or higher) the field manage-meeting-external-users must be in the YAML and set to true in both FE and EDGE The EDGE will manage the users in the database (who join and who leave) and the FE will force the screenshare based on that If the customer would like to block external participants from seeing Desktop of internal for anonymous (done through webapp) - Bastion is required If the customer would like to block external participants from seeing Desktop of internal to Windows client - only sip should be installed on FE and Edge servers (Bastion is not required) If the customer would like to block external participants from seeing Desktop of internal to mobile client - only sip should be installed on FE and Edge servers (Bastion is not required)

Installing SIP Filter on the Front End may cause resource consumption and should be done following Ethical Wall Best Practice Tips

Browser not supported