Secure Skype for Business

Presentation transcript:

Secure Skype for Business http://SkypeShield.com http://AGATSoftware.com V6

Background & Overview
Connecting external devices (mobile devices and computers) to the corporate network raises security risks related to authentication and data. The company does not have full control over the devices used outside the corporate network, nor over the network the traffic passes through. SkypeShield offers a solution with a core server-side engine that secures any external access by any device or client type.

SkypeShield high-level feature list
- Two Factor Authentication – Add the device as the second factor for authentication. Protects both SfB and Exchange EWS.
- Account lockout protection – Block attacks that send failed login attempts to the authentication service.
- Device Access Control – Manage connected devices using a device enrollment process.
- MDM binding – Verify that only devices managed by an MDM can connect to the SfB server.

SkypeShield feature list (cont.)
- Active Directory credential protection – Avoid using the domain password by creating a dedicated app password.
- Federation Ethical Wall – Granular policy control based on users, groups and domains for each modality (IM, file sharing, application sharing, audio, video, meetings).
- Application firewall – Intercept, inspect and validate all anonymous requests in the DMZ.
- DLP – Inspect content passing through Skype for Business against DLP policy.

SkypeShield feature list (cont.)
- RSA integration – Use the RSA authentication code instead of the domain password.
- VPN traffic splitter – Split authentication from SIP to allow secure and efficient deployment over VPN.
- Soft token integration – Support authentication based on Google Authenticator or Microsoft Azure Authenticator.

Two Factor Authentication
- Based on an endpoint ID sent by the client.
- Several registration/enrollment options to enforce an access control policy based on matching the device and the user.
- Protects both Skype for Business and Exchange (EWS), blocking any request passing to network servers unless it comes from an approved device.

Access Control – Enrollment
Supports several access control policies:
- Automatic Registration – The device ID is registered upon first use of the account.
- Self Service / Two Step Registration – The user registers on an internal site and then must sync within a defined time frame to complete registration.
- Admin Manual Enrollment – Admin management of the user list using training mode and a rejected-devices audit list.

Two Step Registration

Two Factor Authentication architecture

Access Portal main settings
- View approved and blocked devices
- Restrict registration and ongoing connection by IP range
- Access rule black/white list
- Allow/block guest users
- Filter by device type and OS
- Allow/block web app login
- Define the number of devices per user
- Registration policy (Two Step / Manual / Automatic)
- Failed login auditing and soft lockout management

Access Portal main settings (cont.)
- Require re-authentication by time (session termination)
- Save-password policy management
- Multi-LDAP support (for HA and distributed implementations)
- Multi-level admin management
- Web service for external events to lock or approve a device/user
- Housekeeping service
- Notification settings
- Reports and search

Access Portal admin control

Account Lockout protection
Account lockout can be the result of the following:
- The user changed the Active Directory password but did not change the settings on the device.
- The username (without the password) was obtained by a hacker who tried to log in several times.
- DDoS, DoS and brute force attacks, which can result in the network becoming unavailable.

Account lockout protection (cont.)
- Device pre-authentication – Only authentication requests coming from a registered device reach Active Directory.
- SkypeShield blocks the failed attempts in the DMZ.
- Multi-channel defense approach offering a unified solution protecting all distributed resources: HTTPS, SIP, NTLM, SOAP.
- Multi-location site support.
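As an added illustration of the enrollment and device pre-authentication flow described on these slides (not SkypeShield's own code), the following Python models a DMZ gate: a request's (user, endpoint ID) pair is checked against the device registry under an automatic, two-step or manual policy before anything is forwarded to Active Directory, and repeated failures are soft-locked in the DMZ so the AD account itself never locks. The policy names, limits and registry layout are assumptions.

```python
"""DMZ device pre-authentication gate (added example, not SkypeShield code).
Only requests whose (user, endpoint ID) pair is approved under the configured
enrollment policy are forwarded to AD; failures are soft-locked in the DMZ so the
AD account itself never locks. Names, limits and registry layout are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    AUTOMATIC = "automatic"  # first device ID seen for the user is registered
    TWO_STEP = "two_step"    # user pre-registers on the portal, device must sync in time
    MANUAL = "manual"        # admin approves device IDs explicitly


@dataclass
class Gate:
    policy: Policy
    max_devices: int = 2
    soft_lock_after: int = 3                        # failed attempts tolerated per pair
    approved: dict = field(default_factory=dict)    # user -> set(device_id)
    pending: dict = field(default_factory=dict)     # user -> (portal registration time, window)
    failures: dict = field(default_factory=dict)    # (user, device_id) -> failed attempts

    def preregister(self, user, now, window=600):
        """Two-step: the user registered on the internal portal; the device must sync in time."""
        self.pending[user] = (now, window)

    def approve(self, user, device_id):
        """Manual enrollment: an admin approves the device for this user."""
        self.approved.setdefault(user, set()).add(device_id)

    def decide(self, user, device_id, now):
        """Return 'forward' to pass the request on to AD, or the reason it is dropped in the DMZ."""
        if self.failures.get((user, device_id), 0) >= self.soft_lock_after:
            return "soft_locked"
        devices = self.approved.setdefault(user, set())
        if device_id in devices:
            return "forward"
        if len(devices) >= self.max_devices:
            return "device_limit"
        registered, window = self.pending.get(user, (None, 0))
        in_window = registered is not None and now - registered <= window
        if self.policy is Policy.AUTOMATIC or (self.policy is Policy.TWO_STEP and in_window):
            devices.add(device_id)              # enrollment completes on this request
            self.pending.pop(user, None)
            return "forward"
        return "unregistered_device"

    def record_result(self, user, device_id, ok):
        """Record AD's answer; a success clears the counter for the (user, device) pair."""
        key = (user, device_id)
        self.failures[key] = 0 if ok else self.failures.get(key, 0) + 1
```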

MDM binding
- SkypeShield can limit the usage of Lync to managed devices only (devices enrolled in an MDM).
- Compatible with any MDM solution supporting one of the following capabilities: certificate enrollment; application management (MAM); VPN triggering/control.
- These are available from most vendors on the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.

SkypeShield MDM app

VPN support for Skype for Business
- Microsoft's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.
- SkypeShield offers a hybrid solution that requires authentication to be done over the VPN while routing video/audio through the Edge over the internet.
- Does not require VPN splitting.

Lync traffic splitting over VPN

Federation Ethical Wall
- Addresses ethical and compliance regulations, security and data protection issues.
- Apply federation policies based on specific users, groups and domains/companies.
- Specific modality policy control: IM, file transfer, meeting, audio, video.
- Enforces policy in the DMZ and blocks non-approved traffic.

Federation Ethical wall

Application firewall
- Intercepting, inspecting and validating all anonymous requests in the DMZ
- Rewriting requests by session termination
- Blocking malicious requests
- Protocol-level sanitization
- Application data validation in the DMZ, including the meeting ID
- Device pre-authentication

DLP engine
Server-side solution inspecting content going through any channel.

DLP (cont.)
- Content policy rules based on content such as Social Security numbers, credit card numbers and ID numbers
- Actions – Block, Mask, Notify
- Group-membership-based rules
- Commercial DLP integration – Symantec, Websense, or any DLP engine with a standard ICAP interface

AD credential protection
- SkypeShield introduces a new approach for protecting Active Directory credentials.
- With SkypeShield the connection to Skype is made using dedicated app Skype credentials created by the user, rather than the regular network Active Directory credentials.
- SkypeShield completely eliminates the need to store Active Directory passwords on the device.
- Supports working against both Exchange and Skype with one set of app credentials.

Active Directory App login
The user creates dedicated Skype credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.

Skype App credentials architecture

Mobile Smart Card solution
Many organizations that use smart cards for network login do not have a username and password for Active Directory. SkypeShield allows the usage of Skype without the need to manage Active Directory credentials. With the dedicated login solution, the user logs into the Access Portal from the network computer, authenticating with the smart card, and creates dedicated Skype for Business credentials for use on the mobile device.

RSA integration
- Mobile users enter their RSA token authentication code instead of the Active Directory password.
- SkypeShield verifies the code against RSA Authentication Manager and impersonates the user against Skype.
- Desktop users authenticate on the web site from a browser and can then log in from the Skype desktop client.

Product architecture – Bastion Proxy
- As part of the solution, SkypeShield offers the dedicated reverse proxy Bastion, developed by AGAT. The SkypeShield filters are plugged into Bastion to extend its access control and content filtering capabilities.
- Cross-platform: Windows / Linux
- Scalable event-driven architecture
- Can publish multiple servers in parallel / multiple channels
- Highly efficient asynchronous architecture
- Supports high availability deployment

Bastion (cont.)
Main characteristics:
- Geared towards full-featured HTTP filtering.
- HTTPS: decrypts SSL.
- Supports many HTTP scenarios: chunked, gzip and deflate Transfer-Encodings; pipelining.
- Supports filtering content, blocking content or generating proxy responses at any point in the filtering chain (unlike TMG and UAG).

SkypeShield road map
- Skype for Business authentication risk engine – security alerts and actions based on geolocation information and behavior profiling
- Soft token TFA authentication based on Google Authenticator / Azure Authenticator
- Office 365: device access control; content filtering (Federation & DLP)

AGAT products – Overview
AGAT Software is a company focusing on security solutions for authentication and content filtering when external devices connect to the company network. The company's MobilityShield core product suite secures applications such as Skype and other apps based on Active Directory authentication, like Outlook. SkypeShield is part of MobilityShield, AGAT's security suite. AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.

To learn more about our solutions, please visit our website at http://SkypeShield.com or http://AGATSoftware.com, or write to info@agatsoftware.com