
Secure Lync mobile Authentication

http://www.mobility-shield.com
http://LyncShield.com

V5

Background & Overview

Connecting external devices (mobile/computers) to the corporate network raises security risks related to Active Directory exposure.
Typically there is no control over the apps installed on employees' smartphones or over the networks these devices connect to.
LyncShield is a server-side solution with no additional client install, supporting all devices.

Security requirements and solutions

Requirement: Secure external authentication
Solution: Two Factor Authentication based on adding the device factor

Requirement: Protect the Active Directory password from leaking
Solution: Avoid AD credentials on the device - dedicated App credentials login

Requirement: Protect against account lockout & DDoS attacks
Solution: Soft lockout in the DMZ - blocking false authentication attempts from reaching the Active Directory

Security issues and solutions (cont)

Requirement: Limit Lync to approved / corporate devices
Solution: Control device registration by certificate or manual admin approval

Requirement: Limit Lync to devices with MDM
Solution: Bind Lync usage to MDM control

All the solutions are available for both mobile and external PC / laptops.

[1] - Two Factor authentication

Based on a Device ID sent by the client.
Several registration / enrolment options to enforce an access control policy based on matching the device and the user.
Protects both Lync & Exchange (EWS), blocking any request passing to network servers unless it comes from an approved device.

Access Control Enrollment

Supports several access control policies:
Automatic Registration - the Device ID is registered upon first use of the account.
Self Service / Two Step Registration - the user registers on an internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment - admin management of the user list using training mode and a rejected-devices auditing list.
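The three enrollment policies above can be expressed as one gateway decision function keyed on the (user, device ID) pair. The following is an added illustration written for this page, not LyncShield or AGAT code; the in-memory store, the policy names, the per-user device limit and the rejected-audit list layout are all assumptions standing in for the product's own database and portal.

```python
"""Device-factor access control with three enrollment policies (added example,
not product code). A request is forwarded only when its (user, device_id)
pair is approved; how a pair becomes approved depends on the policy."""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    AUTOMATIC = "automatic"   # device ID registered on first use of the account
    TWO_STEP = "two_step"     # user opens a window on the internal site, then syncs in time
    MANUAL = "manual"         # only an admin approves; unknown devices go to the audit list


@dataclass
class DeviceStore:
    """Assumed stand-in for the shared table of approved devices."""
    approved: set = field(default_factory=set)    # {(user, device_id)}
    pending: dict = field(default_factory=dict)   # user -> expiry of two-step window
    rejected: list = field(default_factory=list)  # (user, device_id, reason) for auditing
    max_devices: int = 2                          # "number of devices per user" setting


def pre_register(store: DeviceStore, user: str, now: int, window: int) -> None:
    """Step one of two-step registration: user opens a time window on the internal site."""
    store.pending[user] = now + window


def decide(store: DeviceStore, policy: Policy, user: str, device_id: str, now: int) -> bool:
    """Gateway decision for a request carrying user + device_id.
    True = forward to Lync/EWS, False = block at the gateway."""
    if (user, device_id) in store.approved:
        return True
    user_devices = [d for u, d in store.approved if u == user]
    if len(user_devices) >= store.max_devices:
        store.rejected.append((user, device_id, "device limit reached"))
        return False
    if policy is Policy.AUTOMATIC:
        store.approved.add((user, device_id))
        return True
    if policy is Policy.TWO_STEP:
        expiry = store.pending.get(user)
        if expiry is not None and now <= expiry:
            del store.pending[user]          # window is single-use
            store.approved.add((user, device_id))
            return True
        store.rejected.append((user, device_id, "no open registration window"))
        return False
    # MANUAL: nothing is auto-approved; record the attempt for the admin's rejected list
    store.rejected.append((user, device_id, "awaiting admin approval"))
    return False


def admin_approve(store: DeviceStore, user: str, device_id: str) -> None:
    """Manual enrollment from the Access Portal (assumed admin action)."""
    store.approved.add((user, device_id))
```

Note that under every policy the first check is the approved set, so the device factor is evaluated before anything is forwarded; the policy only governs how a new pair gets in, and the rejected list gives the admin the audit trail the "training mode" slide refers to.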

Two Step Registration


Two Factor Authentication architecture

Access Portal main Settings

View approved & blocked devices
Restrict registration and ongoing connection by IP range
Access Rule black / white list
Allow / Block guest users
Filter by device type & OS
Allow / Block Web app login
Define number of devices per user
Registration policy (Two step / Manual / Automatic)
Failed login auditing & Soft Lockout management

Access Portal main Settings (cont)

Require re-authentication by time - session termination
Save-password policy management
Multi LDAP support (for HA & distributed implementation)
Support of multi-level admin management
Web service for external events to lock / approve a device / user
Housekeeping service
Notification settings
Reports & Search

Access Portal admin control


[2] - AD credential protection approach

Lync Shield introduces a new approach for protecting the Active Directory credentials.
With Lync Shield the connection to Lync is done using App-dedicated Lync credentials that are created by the user, rather than the regular network Active Directory credentials.
Lync Shield completely eliminates the need to store Active Directory passwords on the device.
Supports working against Exchange & Lync with one set of App credentials.

Active Directory App login

The user creates dedicated Lync credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.

Lync App credentials architecture


Mobile Smart Card solution

Many organizations that use smart cards for network login do not have a username and password for Active Directory.
LyncShield allows the usage of Lync without the need to manage Active Directory credentials.
With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated SharePoint credentials for use on the mobile device.

RSA integration

Mobile users enter their RSA Token authentication code instead of the Active Directory password.
LyncShield verifies the password against RSA Authentication Manager and impersonates the user against Lync.
Desktop users authenticate in the web site from a browser and then can log in from the Lync desktop client.

[3] - Account Lockout protection

Account lockout can be the result of the following:
The user changed the Active Directory password but did not change the settings on the device.
The username (without the password) being obtained by a hacker who tried to log in several times.
DDoS, DoS and brute force attacks - such attacks can result in the network becoming unavailable.

Account lockout protection (cont)

LyncShield blocks the failed attempts on the gateway server side, before they reach the Active Directory.
LyncShield offers a multi-site defense approach covering all authentication channels.
Unified solution that protects all distributed resources.
Failed attempts are counted and stored in a central database table which is shared by all LyncShield components.
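The soft-lockout mechanism described in the two slides above (count failures in a shared table, refuse at the gateway before AD is ever asked) can be shown with two gateway instances sharing one failure table. This is an added example written for this page, not LyncShield code; the threshold and window values, the in-memory table standing in for the central database, and the `verify_with_ad` callback are assumptions.

```python
"""Gateway-side soft lockout shared across sites (added example, not product
code). Failed attempts are counted in one table that every gateway consults;
once a user passes the threshold within the window, the gateway answers
itself and never forwards the attempt to Active Directory."""
from collections import defaultdict

SOFT_LOCK_THRESHOLD = 5       # assumed: gateway refuses after this many failures...
SOFT_LOCK_WINDOW = 600        # ...within this many seconds
AD_LOCKOUT_THRESHOLD = 10     # assumed AD policy; the soft lock must sit below it


class SharedFailureTable:
    """Stand-in for the central DB table shared by all gateway components."""

    def __init__(self):
        self._rows = defaultdict(list)   # user -> timestamps of recent failures

    def failures(self, user, now):
        """Number of failures inside the window; older rows are pruned."""
        recent = [t for t in self._rows[user] if now - t < SOFT_LOCK_WINDOW]
        self._rows[user] = recent
        return len(recent)

    def record_failure(self, user, now):
        self._rows[user].append(now)

    def clear(self, user):
        self._rows.pop(user, None)


class Gateway:
    """One DMZ gateway instance; several may share the same table."""

    def __init__(self, table, verify_with_ad):
        self.table = table
        self.verify_with_ad = verify_with_ad   # callable(user, password) -> bool
        self.ad_calls = 0                      # how often AD was actually consulted

    def authenticate(self, user, password, now):
        """Returns (allowed, reason). A soft-locked user never reaches AD,
        so a stale password on a device or a guessing attacker cannot drive
        the AD lockout counter."""
        if self.table.failures(user, now) >= SOFT_LOCK_THRESHOLD:
            return False, "soft-locked at gateway"
        self.ad_calls += 1
        if self.verify_with_ad(user, password):
            self.table.clear(user)
            return True, "ok"
        self.table.record_failure(user, now)
        return False, "bad credentials"
```

The important invariant is SOFT_LOCK_THRESHOLD below the AD lockout threshold: the gateway stops forwarding while the account's real AD badPwdCount is still under the domain policy, so the user keeps working from the desktop and the DMZ absorbs the noise. Because all gateways read the same table, an attacker spreading attempts across sites is counted as one stream.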

[5] MDM binding

LyncShield can limit the usage of Lync to managed devices only (devices with MDM).
Compatible with any MDM solution supporting one of the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control

These are available from most of the vendors around the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.

LyncShield MDM app


VPN support for Lync

MSFT's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.
LyncShield offers a hybrid solution requiring the authentication to be done over VPN while routing the video/audio through the Edge over the internet.
Does not require VPN splitting.

Lync traffic splitting over VPN

Product architecture - Bastion Proxy

The LyncShield solution includes the dedicated reverse proxy Bastion, developed by AGAT. The LyncShield filters are plugged into Bastion to extend its access control and content filtering capabilities.
Cross-platform - Windows / Linux
Scalable event-driven architecture.
Can publish multiple servers in parallel / multiple channels.
Highly efficient asynchronous architecture.
Supports high availability deployment.

Bastion (cont)

Main characteristics:
Geared towards full-featured HTTP filtering.
HTTPS - decrypts SSL.
Supports many HTTP scenarios: chunked, gzip and deflate transfer encodings, pipelining.
Supports filtering content, blocking content or generating proxy responses at any time during the filtering chain (unlike TMG and UAG).

LyncShield Road map

Federation Firewall
Access rules based on Active Directory group membership
General access control
Specific operations such as file sharing
Privacy

Lync SIEM - Security Information Event Management
Security alerts based on geolocation information and usage patterns

LyncShield Road map (cont)

Lync Application Firewall - sanitize all non-authenticated requests in the DMZ:
Verify request type, content type headers, content length, URL validation, validate request structure, characters etc.
Break any direct request to enter the domain - session termination.
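The sanitization checks listed for the application firewall item (request type, content-type header, content length, URL shape and characters) are the kind of pre-authentication filter a DMZ proxy runs before a request may touch the internal servers. The block below is an added example for this page, not Bastion or LyncShield code; the allowed methods, content types, path prefixes and the size limit are assumptions chosen for illustration.

```python
"""Pre-authentication request sanitization at a DMZ proxy (added example,
not product code). Returns the list of reasons a request must be dropped;
an empty list means the request may be forwarded to the internal server."""
import re
from urllib.parse import urlsplit

# Assumed policy for a published Lync / Exchange front end.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_CONTENT_TYPES = {
    "application/json",
    "application/xml",
    "application/x-www-form-urlencoded",
}
MAX_BODY_BYTES = 64 * 1024
ALLOWED_PATH_PREFIXES = ("/ucwa/", "/ews/", "/autodiscover/")
# Plain path characters only: no percent-encoding tricks, spaces or control bytes.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")


def sanitize(method, url, headers, body):
    """Check one unauthenticated request against the assumed policy."""
    problems = []
    method = method.upper()
    if method not in ALLOWED_METHODS:
        problems.append("method not allowed")

    path = urlsplit(url).path
    if not SAFE_PATH.match(path) or "/../" in path + "/" or "//" in path:
        problems.append("path contains disallowed characters or traversal")
    if not path.lower().startswith(ALLOWED_PATH_PREFIXES):
        problems.append("path outside published endpoints")

    hdrs = {k.lower(): v for k, v in headers.items()}
    if method == "POST":
        ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            problems.append("unexpected content type")
        try:
            declared = int(hdrs.get("content-length", "-1"))
        except ValueError:
            declared = -1
        # Declared length must match what was actually received: a mismatch is
        # how request smuggling and truncated-body tricks show up at the edge.
        if declared != len(body):
            problems.append("content-length does not match body")
        if len(body) > MAX_BODY_BYTES:
            problems.append("body too large")
    elif body:
        problems.append("body on GET")
    return problems
```

The checks are deliberately structural: nothing here looks at credentials, which is the point of the slide's "non-authenticated requests" wording. Everything that fails is answered by the proxy itself, so malformed traffic never produces a session on the internal side.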
Google Authenticator Two Factor Authentication for:
Lync on premise
Lync online (Office 365)

LyncShield Road map (cont)

DLP engine
Apply content rules policy on IM data.
Examples of content handled in messages:
Social security numbers
Credit card numbers
ID numbers
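A DLP content rule on IM text needs more than a digit pattern, otherwise order numbers and phone numbers trigger it; card numbers are normally confirmed with the Luhn check before a message is flagged or masked. The block below is an added example written for this page, not AGAT's DLP engine; the rule set (Luhn-validated card numbers and US-style SSNs), the masking format and the sample messages are assumptions.

```python
"""IM content rules for a DLP policy (added example, not product code):
flag credit card numbers that pass the Luhn check and US-style social
security numbers, and return the message with the matches masked."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the well-known invalid area/group/serial values excluded.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_digits(candidate):
    return re.sub(r"[ -]", "", candidate)


def find_cards(text):
    """Card-looking runs in text that also pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = _card_digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group())
    return hits


def apply_rules(text):
    """Returns (findings, redacted_text); findings is a list of (rule, original)."""
    findings = []

    def mask_card(m):
        digits = _card_digits(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("credit_card", m.group()))
            return "[CARD ****" + digits[-4:] + "]"
        return m.group()        # fails Luhn: leave it, it is not a card

    def mask_ssn(m):
        findings.append(("ssn", m.group()))
        return "[SSN ***-**-" + m.group()[-4:] + "]"

    redacted = CARD_CANDIDATE.sub(mask_card, text)
    redacted = SSN.sub(mask_ssn, redacted)
    return findings, redacted
```

Whether a hit blocks the message, masks it or only raises an alert is the policy decision the roadmap slide leaves to the engine; the detector returns both the findings and the masked text so any of those actions can be taken without re-scanning.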
Support Skype for Business
Ongoing as MS releases new clients.

AGAT products - Overview

AGAT Software is a company focusing on security solutions for authentication and content filtering while externally connecting devices to the company network.
The company's Mobility-Shield core product suite secures applications such as Skype / Lync / SharePoint and other apps based on Active Directory authentication.
LyncShield is part of AGAT's MobilityShield security suite.
AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.

To learn more about our solutions please visit our website at
http://mobility-shield.com
http://LyncShield.com
http://AGATSoftware.com
info@agatsoftware.com
