Limiting Exchange 2010 Impersonation to a security group of user accounts.
- Open the Active Directory Users and Computers.
- Create a global windows security group named “VisualView Users”.
Add all users and rooms as members of the security group that you would like to have access to use VisualView.
To configure Exchange Impersonation for a group of users in an organization
- Open the Exchange Management Shell.
Run the Remove -ManagementRoleAssignment cmdlet to remove the permission to impersonate if configured originally. The following example shows how to remove Exchange Impersonation.
Remove-ManagementRoleAssignment impersonationAssignmentName - Run the New-ManagementScope and New-ManagementRoleAssignment cmdlet to add the permission to impersonate. The following example shows how to configure Exchange Impersonation for a group of users in an organization. Modify the following code with your proper domain CN and DC values.
-
New-ManagementScope -Name:"VisualViewScope" -RecipientRestrictionFilter {memberofgroup -eq "CN=VisualView Users,CN=Users,DC=VisualView,DC=Com"}
New-ManagementRoleAssignment -Name:"VisualViewImpersonation" -Role:ApplicationImpersonation -User:serviceAccount -CustomRecipientWriteScope:"VisualViewScope"Configure Windows Firewall to only allow Cisco IP Phone networks.
- Open Windows Firewall with Advanced Security (wf.msc) from an administrator account.
- Right click on the =”World Wide Web Services (VisualView)” inbound rule and then click properties.
- Select the “Scope” tab and “Remote ip address” then add the ip network address that phones are using to access the web service from.
-
Or use following method to add multiple networks at one time:
- Open Command Window (cmd.exe) from an administrator account.
- Enter the following command to set new remoteip address.
netsh advfirewall firewall set rule name="World Wide Web Services (VisualView)" new enable=yes remoteip=172.16.27.0/24,172.16.28.0/24,172.16.29.0/24