Configuration

Allowed Domains

Allowed domains are the domains that host a UCWA web application.

xframe is used only for browser-based web applications, where cross-domain scripting is a security concern. Most JavaScript snippets therefore use it; Node.js does not need it.

What is a domain?

Browser-based UCWA applications require server-side configuration before they will work. For security, an allowed list is maintained on the server to protect Skype for Business Server from malicious third-party domains (see Cross-Domain for more information). Domains, or origins, are defined in RFC 6454 as scheme, host, and port.

Item    Example
Scheme  https
Host    apps.contoso.com
Port    80

According to the definition, all four of the following are different:

  • http://contoso.com
  • http://contoso.com:8080
  • https://contoso.com
  • https://apps.contoso.com

Given these nuances, an admin must be careful when editing the allowed list.
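The comparison an admin has to do by eye can be scripted. The following is an added example, not part of the UCWA samples or of Skype for Business Server: it reduces URLs to the RFC 6454 triple and, when a page's origin is not on the list, reports which components differ from the closest entry. The function names are hypothetical, and it assumes an entry matches only when scheme, host, and port are all equal.

```javascript
// Added example: RFC 6454 origin comparison for diagnosing allowed-list misses.
// Assumption: an entry matches only when scheme, host and port are all equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple, filling in the scheme's default port.
function originTriple(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme in ${url}`);
  }
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname, // the URL parser lowercases the host
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Names of the triple components in which two URLs differ.
function originDiff(a, b) {
  const x = originTriple(a), y = originTriple(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

// Check a page URL against the allowed list; on a miss, return the closest
// entry and the components that differ, so the admin can see what to add.
function checkOrigin(pageUrl, allowedList) {
  let nearest = null;
  for (const entry of allowedList) {
    const diff = originDiff(pageUrl, entry);
    if (diff.length === 0) return { allowed: true, entry, diff };
    if (!nearest || diff.length < nearest.diff.length) nearest = { entry, diff };
  }
  return { allowed: false, ...(nearest || { entry: null, diff: [] }) };
}

// Constructed sample: an allowed list holding a single entry.
const allowed = ["https://apps.contoso.com"];
for (const page of [
  "http://contoso.com", "http://contoso.com:8080",
  "https://contoso.com", "https://apps.contoso.com/ucwa/index.html",
]) {
  const r = checkOrigin(page, allowed);
  console.log(page, r.allowed ? "allowed" : `blocked (differs in ${r.diff.join(", ")})`);
}
```

Paths do not take part in the comparison, and an explicit default port (`http://contoso.com:80`) is the same origin as the URL without it.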

The samples will indicate that the host domain is not on the allowed list by alerting the following string, sent by the server in the headers of a 403 response:

Service does not allow a cross domain request from this origin.
    

Viewing the Allowed List

From the Skype for Business Server Management Shell on each server (front end, edge, and director), execute the following command:

Get-CsWebServiceConfiguration | select -ExpandProperty CrossDomainAuthorizationList

Editing the Allowed List

From the Skype for Business Server Management Shell on each server (front end, edge, and director), execute the following commands (replacing the text in {} with your values):

$x = New-CsWebOrigin -Url "https://apps.contoso.com"
Set-CsWebServiceConfiguration -Identity "{YOUR_IDENTITY}" -CrossDomainAuthorizationList @{Add=$x}
    

If you do not know the value of Identity for your Skype for Business Server, you can run the following command to see all identities configured on the server:

Get-CsWebServiceConfiguration | select identity
    

Upgrading Lync Server 2013 to CU1 and Enabling UCWA

After upgrading to CU1, you must also run the bootstrapper on each front end, edge, and director. Running Enable-CsTopology isn't enough.

From the Lync Server Management Shell on each server, execute the following command:

& "$env:ProgramFiles\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe"