Secure Skype for Business V6.2

Presentation on theme: "Secure Skype for Business V6.2"— Presentation transcript:

1 Secure Skype for Business http://AGATSoftware.com V6.2 http://SkypeShield.com

2 Slide 2 Background & Overview: Connecting external devices (mobile/computers) to the corporate network raises security risks related to authentication and data. The company does not have full control over the devices in use outside the corporate network, or over the network that the traffic goes through. SkypeShield offers a solution with a core server-side engine securing any external access by any device or client type.

3 Slide 3 SkypeShield high level feature list: Two Factor Authentication – Add the device as the second factor for authentication; protect both SfB & Exchange EWS. Account lockout protection – Block attacks sending failed login attempts to the authentication service. Application firewall – Intercepting, inspecting and validating all anonymous requests in the DMZ. Device Access Control – Manage connected devices using a device enrollment process.

4 Slide 4 SkypeShield feature list (cont): MDM binding – Verify that only devices managed by MDM can connect to the SfB server. Active Directory credential protection – Avoid using the domain password by creating a dedicated app password. Ethical Wall – Granular policy for all activities (IM, file sharing, presence …) controlling external (Federation) and internal traffic. DLP – Inspect content passing through Skype for Business against DLP policy.

5 Slide 5 SkypeShield feature list (cont): RSA integration – Use an RSA authentication code instead of the domain password. VPN traffic splitter – Split authentication from SIP to allow secure and efficient deployment over VPN.

6 Slide 6 Two Factor authentication: Based on the endpoint ID sent by the client. Several registration/enrollment options to enforce an access control policy based on matching the device and the user. Protects both Skype for Business & Exchange (EWS) – blocking any request from passing to network servers unless it comes from an approved device.

7 Slide 7 Access Control – Enrollment: Supports several access control policies. Automatic Registration – Device ID is registered upon first use of the account. Two-step registration process: Self Service / Two Step Registration – User registers on an internal site and then must sync within a defined time frame to complete registration. Admin Manual Enrollment – Admin management of the user list using training mode and a rejected auditing list.

8 Slide 8 Two Step Registration

9 Slide 9 Two Factor Authentication architecture

10 Slide 10 TFA+ Access control - main settings: View approved & blocked devices; Restrict registration and ongoing connection by IP range; Access rule black / white list; Allow / block guest users; Filter by device type & OS; Allow / block Web app login; Define number of devices per user; Registration policy (Two steps / Manual / Automatic).

11 Slide 11 TFA+ Access control settings (cont): Require re-authentication by time – session termination; Save password policy management; Multi LDAP support (for HA & distributed implementation); Support of multi-level admin management; Web service for external events to lock / approve a device or user; Housekeeping service – AD sync, cleanup, notification; Reports & search.

12 Slide 12 Access Portal admin control

13 Slide 13 Account Lockout problem: Account lockout can be the result of the following: The user changed the Active Directory password, but did not change the settings on the device. The username (without the password) was obtained by a hacker who tried to log in several times. DDoS, DoS, brute force attacks – such attacks can result in the network becoming unavailable. Multi protocol – HTTPS / SIP. Multi method – Basic, NTLM, SOAP. Multi channel – Sign in, meeting, web API, Exchange.

14 Slide 14 Account lockout protection (cont): SkypeShield blocks the failed attempts in the DMZ. Unified defense solution protecting all protocols, methods and channels. Failed login auditing & Soft Lockout management. Device pre-authentication – Only authentication requests coming from a registered device will reach Active Directory. Multi-location site support.
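
Added illustration of the soft-lockout and device pre-authentication idea on slides 13 and 14; this is not AGAT or SkypeShield code. The class name, thresholds, verdict strings and the `fake_ad` stand-in are assumptions made for the sketch, and the sample logins are constructed.

```python
from collections import defaultdict, deque

AD_LOCKOUT_THRESHOLD = 5   # assumed directory policy: lock after 5 bad passwords
SOFT_THRESHOLD = 3         # assumed gate policy, kept below the directory threshold
WINDOW_SECONDS = 900       # assumed window over which failures are counted

class DmzAuthGate:
    """Hypothetical DMZ gate placed in front of the directory."""
    def __init__(self, backend, registered):
        self.backend = backend              # callable(user, password) -> bool
        self.registered = registered        # set of approved (user, device_id) pairs
        self.failures = defaultdict(deque)  # user -> times of failures the directory saw
        self.audit = []                     # failed-login auditing trail

    def _log(self, now, user, device_id, verdict):
        self.audit.append((now, user, device_id, verdict))
        return verdict

    def login(self, user, device_id, password, now):
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:   # expire old failures
            q.popleft()
        # Device pre-authentication: unknown devices never reach the directory.
        if (user, device_id) not in self.registered:
            return self._log(now, user, device_id, "blocked_unregistered_device")
        # Soft lockout: stop forwarding before the directory would lock the account.
        if len(q) >= SOFT_THRESHOLD:
            return self._log(now, user, device_id, "blocked_soft_lockout")
        if self.backend(user, password):
            q.clear()
            return self._log(now, user, device_id, "allowed")
        q.append(now)
        return self._log(now, user, device_id, "failed_forwarded")

def demo():
    ad_calls = []
    def fake_ad(user, password):            # stand-in for Active Directory
        ad_calls.append(user)
        return password == "correct-horse"
    gate = DmzAuthGate(fake_ad, {("alice", "dev-1")})
    # Constructed traffic: guessing from an unknown device, then a stale password
    # on the enrolled device, then the right password after the window expires.
    verdicts = [gate.login("alice", "unknown-dev", f"guess{i}", now=i) for i in range(10)]
    verdicts += [gate.login("alice", "dev-1", "stale-password", now=20 + i) for i in range(5)]
    verdicts.append(gate.login("alice", "dev-1", "correct-horse", now=30 + WINDOW_SECONDS))
    return verdicts, len(ad_calls)
```

Because the gate counts failures per user and stops forwarding at `SOFT_THRESHOLD`, the directory sees fewer bad passwords than its own lockout threshold, so the account stays usable from inside the network.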

15 Slide 15 Application firewall: Intercepting, inspecting and validating all anonymous requests in the DMZ. Blocking malicious requests. Protocol-level sanitization. Application data validation in the DMZ, including meeting ID. Rewriting requests by session termination. For domain users – device pre-authentication.

16 Slide 16 MDM binding: SkypeShield can limit the registration of SfB to managed devices only – devices with MDM. Compatible with any MDM solution supporting one of the following capabilities: WIFI access control; Application management (MAM); VPN triggering / control. These are available from most vendors on the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.

17 Slide 17 SkypeShield MDM app

18 Slide 18 VPN support for Skype for Business: MSFT's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN. SkypeShield offers a hybrid solution requiring the authentication to be done over VPN and routing the video/audio through the Edge over the internet. Does not require VPN splitting.

19 Slide 19 Lync traffic splitting over VPN

20 Slide 20 MDM conditional access: Automatically and immediately block SfB access for devices that have become: Out Of Compliance; Removed from MDM control. Available for: MobileIron, AirWatch, MaaS360, XenMobile, GOOD (soon for BES12).

21 Slide 21 MDM conditional access topology

22 Slide 22 Ethical wall- Federation & internal

23 Slide 23 Ethical Wall: Solves ethical and compliance regulation, security and data protection issues, controlling both: Federation with external companies; Internal communication between different groups. Conditions are based on the following parameters: Active Directory group; Active Directory user; External user; External domain; In contact list.

24 Slide 24 Ethical wall (cont): Control specific modalities: Presence, IM, File transfer, Desktop Sharing, Meeting, Audio, Video. IM user notification of Ethical wall activity / policy: External user is not able to reach you; External user is not able to see your presence; User blocked from a specific operation. Activity auditing registration – table, logs and admin email notifications.

25 Slide 25 DLP engine: Server-side solution inspecting content going through any channel.

26 Slide 26 DLP (cont): Content policy rules based on content such as: Social security numbers; Credit card numbers; ID numbers. Actions – Block, Mask, Notify. Group membership based rules. Commercial DLP integration – Symantec; Websense; any standard ICAP interface DLP engine.

27 Slide 27 DLP notification sample

28 Slide 28 AD credential protection: SkypeShield introduces a new approach for protecting the Active Directory credentials. With SkypeShield the connection to Skype is done using app-dedicated Skype credentials that are created by the user, rather than the regular network Active Directory credentials. SkypeShield completely eliminates the need to store Active Directory passwords on the device. Supports working against Exchange & Skype with one set of app credentials.

29 Slide 29 Active Directory App login: The user creates dedicated Skype credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.

30 Slide 30 Skype App credentials architecture

31 Slide 31 Mobile Smart Card solution: Many organizations that use smart cards for network login do not have a username and password for Active Directory. SkypeShield allows the usage of Skype without the need to manage Active Directory credentials. With the dedicated login solution, the user logs into the Access Portal, authenticating with his smart card from his network computer, and creates dedicated Skype for Business credentials for use on the mobile device.

32 Slide 32 RSA integration: Mobile users enter their RSA token authentication code instead of the Active Directory password. SkypeShield verifies the password against RSA Authentication Manager and impersonates the user against Skype. Desktop users authenticate on a web site from the browser and then can log in from the Skype desktop client.

33 Slide 33 Product architecture - Bastion Proxy: As part of the solution, SkypeShield offers the dedicated reverse proxy Bastion, developed by AGAT. The SkypeShield filters are plugged into Bastion to extend access control and content filtering capabilities. Cross-platform – Windows / Linux. Scalable event-driven architecture. Supports HA. Highly efficient asynchronous architecture. SSL termination. Geared towards full-featured HTTP filtering. Can publish multiple servers in parallel / multi channels.

34 Slide 34 Bastion (cont): Main characteristics: Geared towards full-featured HTTP filtering. HTTPS – decrypts SSL. Supports many HTTP scenarios: Chunked, gzip and deflate Transfer-Encodings; Pipelining. Supports filtering content, blocking content or generating proxy responses at any time during the filtering chain (unlike TMG and UAG).

35 Slide 35 SkypeShield Road map: Office 365 – Device access control, Content filtering (Federation & DLP). Biometric authentication – Touch ID, finger scanner. No password authentication. Anti virus integration. Secure meeting – Authenticating guests.

36 Slide 36 SkypeShield Road map (cont): Mobile direct smart card authentication (Gemalto / Feitian). Soft token TFA authentication – Based on Google authenticator / Azure authenticator; can authenticate without the domain password or in addition to it. Skype for Business authentication risk engine – Security alerts and actions based on geolocation information and behavior profiling. Anti spam integration.

37 Slide 37 AGAT products - Overview: AGAT Software is a company focusing on security solutions for authentication and content filtering while externally connecting devices to the company network. The company's Mobility-Shield core product suite secures applications such as Skype and other apps based on Active Directory authentication, like Outlook. SkypeShield is part of MobilityShield, AGAT's security suite. AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.

38 Slide 38 To learn more about our solutions please visit our website at http://SkypeShield.com or http://AGATSoftware.com, or contact info@agatsoftware.com

