Secure Lync mobile Authentication

1 Secure Lync mobile Authentication

2 Background & Overview
- Connecting external devices (mobile/computers) to the corporate network raises security risks related to Active Directory exposure.
- Typically there is no control over the apps installed on employees’ smartphones or the networks that these devices are connected to.
- LyncShield is a server-side solution with no additional client install, supporting all devices.
- The product is available on TMG or the Bastion reverse proxy.

3 Security issues and solutions
- Problem: Connecting non-authorized devices. Solution: Two Factor Authentication.
- Problem: Active Directory password leakage. Solution: Avoid AD credentials on device – dedicated log in.
- Problem: Account lockout / DDoS. Solution: Blocking false authentication attempts in DMZ proxy before the Active Directory.
All the solutions are available for both mobile and external PCs / laptops.

4 [1] - Two Factor authentication
- Based on the Device ID sent by the client.
- Several registration / enrolment options to enforce an access control policy based on matching the device and the user.

5 Access Control – Enrollment
Supports several access control policies:
- Automatic Registration – Device ID is registered upon first use of the account.
- Two Step Registration – a two-step registration process: the user registers on an internal site and then must sync within a defined time frame to complete registration.
- Admin Manual Enrollment – Admin management of the user list using training mode and a rejected auditing list.

6 Two Step Registration

7 Two Factor Authentication architecture

8 Access Portal admin
- View approved & blocked users
- Restrict registration and ongoing connection by IP range
- Allow / Block Web app login
- Access Rule black / white list
- Allow / Block guest users
- Number of devices per user
- SMTP notification
- Product settings - Registration, Authentication…
- Two level admin - local domain admin
- Reports & Search

9 Access Portal admin control

10 [2]- AD credential protection approach
- Lync Shield introduces a new approach for protecting the Active Directory credentials.
- With Lync Shield the connection to Lync is done by using dedicated Lync credentials that are created by the user, rather than the regular network Active Directory credentials.
- Lync Shield completely eliminates the need to store Active Directory passwords on the device.

11 Active Directory dedicated login
The user creates dedicated Lync credentials on a self service internal web site for use on device, instead of Active Directory credentials.

12 Dedicated Lync credentials architecture

13 Mobile Smart Card solution
- Many organizations that use smart cards for network login do not have a username and password for Active Directory.
- LyncShield allows the usage of Lync without the need to manage Active Directory credentials.
- With the dedicated login solution, the user logs into the Access Portal, authenticating with his smart card from his network computer, and creates dedicated SharePoint credentials for use on the mobile device.

14 [3]- Active Directory Account Lockout protection
Account lockout can be the result of the following:
- The user changed the Active Directory password, but did not change the settings on the device.
- The username (without the password) was obtained by a hacker who tried to log in several times.
- DDoS, DoS and brute force attacks. Such attacks can result in the network becoming unavailable.
LyncShield eliminates these threats by blocking the failed attempts on the gateway server side, before they reach the Active Directory.
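The gateway-side blocking idea on this slide, sketched as an added example; it is not LyncShield's code and not part of the original presentation. The class name, the limits, the 15-minute window and the `fake_ad` stand-in are assumptions made for illustration.

```python
import hashlib, hmac, os, time

AD_LOCKOUT_THRESHOLD = 5   # assumed domain lockout policy
WINDOW_SECONDS = 900       # assumed observation window

class LockoutGuard:
    """Hypothetical pre-authentication filter for a DMZ reverse proxy."""

    def __init__(self, backend_auth, limit=3, window=WINDOW_SECONDS, clock=time.monotonic):
        if limit >= AD_LOCKOUT_THRESHOLD:
            raise ValueError("gateway limit must stay below the AD lockout threshold")
        self._auth, self._limit, self._window, self._clock = backend_auth, limit, window, clock
        self._key = os.urandom(32)   # per-process key: only keyed digests are held, never passwords
        self._failures = {}          # user -> [(time, digest of rejected password)]
        self.forwarded = 0           # attempts that actually reached the directory

    def _digest(self, user, password):
        return hmac.new(self._key, f"{user}\0{password}".encode(), hashlib.sha256).digest()

    def attempt(self, user, password):
        user, now = user.lower(), self._clock()
        recent = [(t, d) for t, d in self._failures.get(user, []) if now - t < self._window]
        self._failures[user] = recent
        digest = self._digest(user, password)
        # A device replaying a password that was already rejected (stale settings
        # after a password change) is answered locally and costs no further AD failure.
        if any(hmac.compare_digest(d, digest) for _, d in recent):
            return "rejected-at-gateway"
        # Too many distinct bad passwords: stop forwarding until the window expires.
        if len(recent) >= self._limit:
            return "blocked-at-gateway"
        self.forwarded += 1
        if self._auth(user, password):
            self._failures.pop(user, None)
            return "ok"
        recent.append((now, digest))
        return "failed"

def simulate():
    """Constructed scenario: one stale device, then ten password guesses."""
    def fake_ad(user, password):          # stand-in for the real directory bind
        return password == "Correct-Horse-1"
    guard = LockoutGuard(fake_ad, clock=lambda: 0.0)
    stale = [guard.attempt("Alice", "old-password") for _ in range(20)]
    guesses = [guard.attempt("alice", f"guess{i}") for i in range(10)]
    return stale, guesses, guard.forwarded
```

In the constructed scenario the directory sees three failed binds out of thirty attempts, which stays under the assumed lockout threshold, so the account remains usable from the internal network while external attempts are paused.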

15 Coming soon - RSA / ADFS / Office 365
- RSA integration:
  - User will authenticate in a web site using RSA.
  - User will need to connect the device within a short time (5 minutes for example) to complete registration.
  - RSA Authentication will be valid for a limited configurable time (like one day).
- Two Factor Authentication for Office 365 / Device registration.
- Solution for using Lync with ADFS without breaking Exchange connectivity.
- Solutions planned to be released by end of Q4, 2014.

16 Coming soon - EWS Protector
Exchange Web Service Protector is an independent product securing the Exchange services required for Lync meeting information.
Offers currently:
- DDoS protection / account lockout protection for EWS authentication services (available)
- Two Factor Authentication (available)
- Password protection (using Lync credentials and not AD) - to be released soon (available)
- Filter by operations – allowing only meeting requests (soon)

17 Bastion
- Reverse proxy forwarding traffic to the configured backend servers.
- Cross-platform - Windows / Linux.
- Pluggable filtering architecture.
- Filters HTTP(S).
- Scalable event-driven architecture.
- Can publish multiple servers in parallel.
- Highly efficient asynchronous architecture.
- Bi-directional content filtering.

18 Bastion (cont)
- Geared towards full-featured HTTP filtering.
  - Most reverse proxy solutions are geared towards web acceleration.
- Supports many HTTP features and scenarios.
  - Chunked, gzip and deflate Transfer-Encodings.
  - Pipelining.
- Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).

19 AGAT Security suite - Overview
LyncShield and MobilityShield are part of AGAT’s Security suite. AGAT Security suite is a set of unique components that allow extending Forefront (ISA/TMG IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well secured networks. The solution is also available on Bastion reverse proxy without the use of Forefront.

20 To learn more about our solutions please visit our website at
