
Securing Lync Deployments




1 Securing Lync Deployments
Microsoft Lync 11/17/2018
Aaron Steele | Microsoft
Brian Ricks | BriComp Computers
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Meet Aaron Steele | @steeleaaron
Senior Consultant
Been with Microsoft for 3 years
Focused on Lync and specifically voice
In computers and MS technology for 18+ years
Started in Higher Education
Wife and two kids, lives in Chicago, IL

3 Meet Brian Ricks | @bricomp
Lead Architect, BriComp Computers
Unified communications architect
Microsoft Certified Solutions Master
Microsoft MVP since 2006
Enterprise Microsoft collaboration solution design, development, configuration, administration and maintenance
More than 20 years of experience in the IT industry
Network Infrastructure Corp., Resolute, Phelps Dodge
Independent since 2009

4 Setting Expectations
Target Audience
IT and telecommunications professionals who design, plan, deploy, and maintain solutions for unified communications (UC)
Experienced professionals who want to better understand the new features and capabilities of Lync introduced since RTM

5 Suggested Resources
Course 20336, Core Solutions of Microsoft Lync Server 2013
Course 20337, Enterprise Voice and Online Services with Microsoft Lync Server 2013

6 Know Your Stuff? Get Certified
Microsoft Certified Solutions Expert (MCSE)
Exam : Core Solutions of Microsoft Lync Server 2013
Exam : Enterprise Voice and Online Services with Microsoft Lync Server 2013
Microsoft Learning Partners—Learn from the Pros!
Find a Class:

7 Course Topics: Securing Lync Deployments
01 | Lync – Secure By Design
02 | Perceived Threat Scenarios
03 | Customer Approaches
04 | Two-Factor Authentication
05 | Reverse Proxy Futures

8 Lync – Secure by Design

9 Lync – Secure by Design
All communication is secured by default
Including signaling (Session Initiation Protocol, SIP), media (Secure Real-time Transport Protocol, SRTP), content, web traffic (HTTPS), and inter-server traffic.
An admin must change the configuration to disable this if needed. It can be disabled only for interoperability traffic; inter-server traffic cannot be unsecured.
No accounts are enabled by default
Enabling an account requires admin interaction.
No users are admin by default
No groups are ever added to the admin groups, not even the enterprise admin groups.
External access is disabled by default
This includes mobile devices, devices from home, and federated partners.
PINs are required on phones
Users must configure a PIN on the phones they use.
Built-in limits to ease the load on Edge Servers
Federated partners can send only 20 messages per second; if spam is detected, this is reduced to one message per second.

10 Lync Trusted Servers
A server is trusted only when both of the following hold:
The fully qualified domain name (FQDN) of the server occurs in the topology stored in the Central Management store (CMS).
The server presents a valid certificate from a trusted CA.
If either criterion is missing, the server is not trusted and the connection is refused. This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server’s FQDN.
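As an added illustration (not Lync's own code and not from the deck), the PowerShell below models the two checks against constructed sample data: a hashtable stands in for the CMS topology, a list of issuer names for the trusted CA, and a PSCustomObject for each certificate. The second case is the rogue-FQDN scenario from the slide: a host presenting the right name with a certificate the trusted CA never issued.

```powershell
# Added example: a simplified model of Lync's two trusted-server checks.
# Assumptions (constructed data, not a real deployment): $TopologyFqdns stands in for
# the CMS topology and $TrustedIssuers for the CA the servers trust.
$TopologyFqdns = @{
    'fe01.contoso.com'   = 'FrontEnd'
    'edge01.contoso.com' = 'Edge'
}
$TrustedIssuers = @('CN=Contoso Enterprise CA, DC=contoso, DC=com')

function Test-LyncTrustedServer {
    param(
        [Parameter(Mandatory)] [string] $PeerFqdn,                # name the peer claims to be
        [Parameter(Mandatory)] [pscustomobject] $Certificate       # SubjectNames, Issuer, NotAfter
    )
    $reasons = @()
    # Check 1: the FQDN must exist in the published topology (CMS).
    if (-not $TopologyFqdns.ContainsKey($PeerFqdn.ToLowerInvariant())) {
        $reasons += 'FQDN not in CMS topology'
    }
    # Check 2: the certificate must come from a trusted CA, be unexpired, and name the FQDN.
    if ($TrustedIssuers -notcontains $Certificate.Issuer) {
        $reasons += 'certificate not issued by a trusted CA'
    }
    if ($Certificate.NotAfter -lt (Get-Date)) {
        $reasons += 'certificate expired'
    }
    if ($Certificate.SubjectNames -notcontains $PeerFqdn) {
        $reasons += 'certificate does not name this FQDN'
    }
    [pscustomobject]@{
        Fqdn    = $PeerFqdn
        Trusted = ($reasons.Count -eq 0)   # both criteria must hold
        Reason  = ($reasons -join '; ')
    }
}

function New-SampleCert {
    param([string[]]$Names, [string]$Issuer, [int]$DaysValid = 365)
    [pscustomobject]@{
        SubjectNames = $Names
        Issuer       = $Issuer
        NotAfter     = (Get-Date).AddDays($DaysValid)
    }
}

$cases = @(
    # Legitimate Front End: in topology, certificate from the enterprise CA.
    @{ Fqdn = 'fe01.contoso.com'; Cert = New-SampleCert -Names 'fe01.contoso.com' -Issuer $TrustedIssuers[0] }
    # Rogue host squatting on a valid FQDN: right name, but a self-signed certificate.
    @{ Fqdn = 'fe01.contoso.com'; Cert = New-SampleCert -Names 'fe01.contoso.com' -Issuer 'CN=fe01.contoso.com' }
    # Proper certificate, but the server was never published in the topology.
    @{ Fqdn = 'fe99.contoso.com'; Cert = New-SampleCert -Names 'fe99.contoso.com' -Issuer $TrustedIssuers[0] }
    # Expired certificate from the trusted CA.
    @{ Fqdn = 'edge01.contoso.com'; Cert = New-SampleCert -Names 'edge01.contoso.com' -Issuer $TrustedIssuers[0] -DaysValid -1 }
)

$cases | ForEach-Object { Test-LyncTrustedServer -PeerFqdn $_.Fqdn -Certificate $_.Cert } | Format-Table -AutoSize
```

Only the first case comes back Trusted; the rogue host fails on the certificate check even though its FQDN is in the topology.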

11 Certificate Changes
Lync Server 2013 relies on a public key infrastructure (PKI).
Public certificates issued after November 1, 2015 must follow these rules:
No private IP addresses
No private DNS names
The Subject Name / Common Name field is deprecated and its use is discouraged
Q: What does this mean when your servers are installed in the contoso.local domain?
A: You must deploy an internal enterprise CA.
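To check a planned certificate request against these rules before sending it to a public CA, the PowerShell below (an added example, not from the deck or from Microsoft) classifies each Subject Alternative Name as a private IP, a private DNS name, or acceptable, and warns when the Common Name is not repeated in the SAN list. The list of internal suffixes is an assumption for illustration; a public CA's actual test is whether the name resolves in public DNS.

```powershell
# Added example: pre-flight check of certificate names against the public-CA rules on the
# slide (no private IPs, no private DNS names, do not rely on the Subject CN).
# The internal-suffix list is an assumption for illustration, not an authoritative list.

function Test-PrivateIPAddress {
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    if ($Ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        # Unique local fc00::/7, loopback ::1, link-local fe80::/10
        return (($b[0] -band 0xfe) -eq 0xfc) -or
               $Ip.Equals([System.Net.IPAddress]::IPv6Loopback) -or
               (($b[0] -eq 0xfe) -and (($b[1] -band 0xc0) -eq 0x80))
    }
    # RFC 1918 ranges, loopback and link-local
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

$InternalSuffixes = @('.local', '.localhost', '.internal', '.corp', '.lan', '.home')  # assumption

function Test-PublicCertificateNames {
    param(
        [Parameter(Mandatory)] [string]   $CommonName,
        [Parameter(Mandatory)] [string[]] $SubjectAltNames
    )
    $results = @(foreach ($raw in $SubjectAltNames) {
        $name = $raw.Trim().ToLowerInvariant()
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($name, [ref]$ip)) {
            $verdict = if (Test-PrivateIPAddress $ip) { 'REJECT: private IP address' } else { 'OK: public IP address' }
        }
        elseif ($name -notmatch '\.') {
            $verdict = 'REJECT: single-label (private) name'
        }
        elseif ($InternalSuffixes | Where-Object { $name.EndsWith($_) }) {
            $verdict = 'REJECT: private DNS suffix'
        }
        else {
            $verdict = 'OK'
        }
        [pscustomobject]@{ Name = $raw; Verdict = $verdict }
    })
    # The CN is deprecated: clients match against the SANs, so the CN must also appear there.
    if ($SubjectAltNames -notcontains $CommonName) {
        $results += [pscustomobject]@{ Name = $CommonName; Verdict = 'WARN: CN not repeated in SAN list' }
    }
    return $results
}

# Constructed sample: a deployment whose internal AD domain is contoso.local.
$report = Test-PublicCertificateNames -CommonName 'sip.contoso.com' -SubjectAltNames @(
    'sip.contoso.com', 'lyncweb.contoso.com', 'lyncpool01.contoso.local', '10.10.1.20', 'lyncpool01'
)
$report | Format-Table -AutoSize

# Any REJECT means a public CA will not issue this request: serve the .local names and private
# addresses from an internal enterprise CA (the slide's answer) and keep public names on the public cert.
if ($report.Verdict -match '^REJECT') { Write-Warning 'Request contains names a public CA will not issue.' }
```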

12 Open to Secure Third-Party Products
Not security through obscurity
All specifications are available on MSDN
Redline documentation
We actively encourage vendors to build devices and services that interact with Lync securely:
SNOM
Polycom
Lync Room System vendors
AudioCodes
NET
Dialogic
And so on

13 Perceived Threat Scenarios

14 Perceived Threat Scenarios
Threat | Probability of affecting Lync | Mitigation
Compromised-key attack | Low | Protect private PKI keys
Network denial-of-service attack | | Use a firewall to throttle Internet traffic
Eavesdropping | Very low | 
Identity spoofing / IP address spoofing | | Transport Layer Security (TLS) protects against IP address spoofing
Man-in-the-middle attack | | Protect Active Directory so that a man-in-the-middle cannot be added as a trusted server
RTP replay attack | | Lync maintains an index of received SRTP packets
SPIM (spam over Internet Messaging, or IM) | | Block the SPIM-offending IP at the firewall or disable federation during the attack. The Edge server also automatically throttles requests if the failure/success ratio for IM becomes too high.
Personally identifiable information | | Train users to accept federation requests only from known and trusted individuals.

15 Company Policies
Greatest challenge when securing Lync
Policies dictate what is and is not secure
“But policy dictates us to…”

16 Customer Approaches

17 Lync Perimeter as Recommended
Tech Ready 15 11/17/2018
Authentication methods are based on standard guidelines
Remote clients are allowed
Perimeter servers talk to internal server(s)
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: Edge Server, Reverse Proxy. Internal: Front End Server.
User | Access Edge server | Reverse proxy
Remote user | NTLM or TLS-DSK | Basic, NTLM, or TLS-DSK
Anonymous user | No authentication | 

18 Customer Variations
Addition of Director server
No Edge server, no reverse proxy
Edge for federation and anonymous
“Public” Edge and “private” Edge
Customer-specific MSPL scripts
These are customer variations to make Lync comply with customer security policies.
They are not Microsoft-recommended approaches.

19 Addition of Director Server
Customer policy
No direct contact between production servers and perimeter servers
Bridgehead server/Session Border Controller (SBC) between perimeter and internal servers to proxy requests from the Internet
Topology changes
Addition of Director server
Director server becomes the primary point of login
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: Edge Server, Reverse Proxy. Internal: Director Server, Front End Server.
Considerations
Director server is no longer required or recommended in the default scenario
Adds administrative/hardware overhead
If an external attack were to bring down the bridgehead server, that server would be the Director
User experience impact
Minor delay in sign-in due to redirection

20 No Edge Server, No Reverse Proxy
Customer policy
All communication from external must run in a VPN tunnel
No exposure allowed for any services except the VPN concentrator
Topology changes
Removal of Edge server
Removal of reverse proxy
Addition of VPN concentrator
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: VPN. Internal: Front End Server.
User experience impact
User has to sign in to VPN before signing in to Lync externally
All media will travel over VPN (double encryption), adding overhead and serious quality issues
No federation, no anonymous participants in conferences, no Lync Mobile
Considerations
Media over a VPN is always discouraged
An alternative could be to implement an Edge server just for media and use a split-tunnel VPN

21 Edge for Federation and Anonymous
Customer policy
Remote users must always use a tunnel (VPN) when connecting to corporate resources
Federation/anonymous users are allowed (for meetings and so on)
Topology changes
Addition of VPN concentrator
Disabling of remote access for Lync users
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: VPN, Edge Server, Reverse Proxy. Internal: Front End Server.
User experience impact
User has to sign in to VPN before signing in to Lync externally
If split tunnel is not implemented, media quality will be severely affected when using VPN
No Lync Mobile possible
Considerations
Customer still wants to hold meetings with anonymous participants and do federation
Adds complexity to maintaining and troubleshooting

22 “Public” Edge and “Private” Edge Servers
Customer policy
No anonymous user can use any of the infrastructure that authenticated users use
Topology changes
Addition of a second set of Edge servers with private certs
Requires manual configuration on Lync clients
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user; signaling only. Perimeter: VPN, Edge Server, Reverse Proxy, Edge Server, Reverse Proxy. Internal: Front End Server.
User experience impact
No Lync Mobile possible unless certificates are deployed to those devices
New devices have to get all private root certs before using Lync externally
Considerations
Dual Edge servers are difficult to maintain
Requires manual configuration to control signaling and media flow
Cannot guarantee that media flow does not traverse the public Edge

23 Customer-Specific MSPL Scripts
Customer policy
Block an IP address if more than three wrong passwords are entered
Topology changes
Create a customer-specific MSPL (Microsoft SIP Processing Language) script running on the Edge, Director, Front End, or any combination of servers that achieves this.
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: Edge Server, Reverse Proxy. Internal: Front End Server.
User experience impact
No user experience impact if servers are properly scaled
Considerations
Customers can engage either a partner or Microsoft to create an MSPL script to achieve this capability
MSPL resides on the SIP processing engine and can inspect, change, and act upon anything in SIP messages

24 Customer Approaches Summary
Lync is secure by default but might not fit your organization’s policies.
Customers use the versatility of Lync to fit their organization’s needs.
Multiple roads lead to Rome…

25 Two-Factor Authentication

26 Introduction
Common request from customers
Requires the July 2013 update for Lync Server and client
Only works for the Lync 2013 client; Lync Phone Edition, the web client, and the Mac client do not support two-factor authentication
Lync Mobile adds support for passive authentication, including redirection to a third-party authentication provider such as ADFS to enable two-factor authentication
Is essentially smart card authentication for the Lync client

27 Two-Factor Authentication
Customer policy
Remote users must use two-factor authentication when signing in to Lync
Internal users must use two-factor authentication when signing in to Lync
Topology changes
Create a custom web service configuration on Lync pools
Disable common authentication mechanisms on Director, Front End, and Edge servers
Will require separate pools for users with and without two-factor authentication
Diagram (labels only): Internet: federated/anonymous user, remote user, mobile user. Perimeter: Edge Server, Reverse Proxy. Internal: Front End Server, internal user.
Background
Two-factor authentication was added in the July 2013 update because of customer requests to comply with internal customer policies.
Has major impact on Lync client functionality, such as Unified Contact Store, changing PIN, and other functionality.
User experience impact
User has to be provisioned for smart card (two-factor) authentication before using Lync externally
Lync Mobile does not work
If the user has not been configured for two-factor authentication, external access does not work

28 ADFS & Lync - High Level
Internal
The user connects to the Lync Front End
The Lync Front End redirects the client to ADFS for authentication
ADFS authenticates and the client can register
External
The client connects to the Lync Edge
The Edge forwards the request to the next hop (Lync pool or Director)
The client connects to the ADFS Proxy
The ADFS Proxy forwards the request to ADFS

29 Topology Requirements
Configuration type | Service type | Server role | Authentication type to disable
Web service | WebServer | Director | Kerberos, NTLM, and Certificate
Web service | WebServer | Front End | Kerberos, NTLM, and Certificate
Proxy | EdgeServer | Edge | Kerberos and NTLM
Proxy | Registrar | Front End | Kerberos and NTLM
More information:

30 User Experience Two-factor authentication with the Lync 2013 client
Two-factor authentication with the Lync 2013 client:
1. User starts the Lync client.
2. User enters their SIP address.
3. User inserts the smart card (if it is a physical card).
4. User enters the smart card PIN instead of the domain password.
5. Sign-in succeeds.

31 Reverse Proxy Futures

32 Reverse Proxy Requirements
"Any reverse proxy is expected to work with Lync Server."

Currently qualified reverse proxies:
- Threat Management Gateway (TMG) (licensing stopped November 2012)
- Internet Information Services Application Request Routing (IIS ARR)

Source:

33 But My Reverse Proxy Isn’t Listed
True, but...
"Any reverse proxy is expected to work with Lync Server."
Reverse proxy vendors can get their solution qualified.
Example: Forefront Unified Access Gateway (UAG) is not qualified. It works except for mobile.

34 IIS Application Request Routing
LAB: N will be transitioning Lync reverse proxy (RP) connections from TMG to an IIS farm with ARR.

35 IIS Application Request Routing
Many Lync enterprise customers deployed Microsoft TMG just to host Lync reverse proxy connections.
It is possible to use IIS on Windows Server 2008 R2 with Application Request Routing (ARR) 2.5 as a reverse proxy replacement.
Setup guide: arr-as-a-reverse-proxy-for-lync-server-2013.aspx
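The slides say ARR can replace TMG but not what the replacement looks like or what it gives up. The script below is an added example, not code from the deck or from the linked setup guide: it turns on ARR proxying and writes a URL Rewrite rule that forwards the published Lync external web hosts from 443 to the Front End external web site on 4443. It assumes IIS with URL Rewrite and ARR already installed, the external certificate already bound to 443 on the Default Web Site, and the fictional contoso.com host names below.

```powershell
# Added example (not from the deck or the linked guide): publish Lync external
# web services through IIS ARR. Assumes IIS + URL Rewrite + ARR are installed,
# the external certificate is bound to 443 on "Default Web Site", and the
# fictional names below. Run elevated on the ARR server.

$FrontEndExternalWeb = 'pool01web.contoso.com'   # FE external web FQDN; external web site listens on 4443
$PublishedHosts = @(
    'lyncdiscover.contoso.com',                  # Autodiscover
    'meet.contoso.com',                          # simple URL: meetings
    'dialin.contoso.com',                        # simple URL: dial-in
    'pool01web.contoso.com'                      # FE external web services
)
$SiteRoot = 'C:\inetpub\wwwroot'
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Enable ARR at the server level. preserveHostHeader passes the client's Host
#    header through so the Front End selects the right simple URL / web site;
#    reverseRewriteHostInResponseHeaders stays off so redirects keep the public name.
& $appcmd set config -section:system.webServer/proxy `
    /enabled:true /preserveHostHeader:true /reverseRewriteHostInResponseHeaders:false `
    /commit:apphost

# 2. One rewrite rule: only the published hosts, only over HTTPS, always to 4443.
#    ARR does no pre-authentication (TMG did), so the host allow-list in the rule
#    is the only thing keeping this proxy from being a generic relay into the
#    Front End. Never rewrite to 443 on the Front End: that is the internal web
#    site, where Windows authentication is offered.
$hostPattern = ($PublishedHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$webConfig = @"
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Lync external web services" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
            <add input="{HTTP_HOST}" pattern="^($hostPattern)$" />
          </conditions>
          <action type="Rewrite" url="https://$FrontEndExternalWeb`:4443/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"@
Set-Content -Path (Join-Path $SiteRoot 'web.config') -Value $webConfig -Encoding UTF8

# 3. Checks. A published host must answer through the proxy; an unpublished host
#    name must not be forwarded (IIS returns its own 404 instead of FE content).
Invoke-WebRequest -Uri 'https://lyncdiscover.contoso.com/' -UseBasicParsing |
    Select-Object StatusCode, @{n='Server';e={$_.Headers['Server']}}
try {
    Invoke-WebRequest -Uri 'https://www.contoso.com/' -UseBasicParsing `
        -Headers @{ Host = 'notpublished.contoso.com' } -ErrorAction Stop | Out-Null
} catch {
    "Unpublished host blocked as expected: $($_.Exception.Message)"
}
```

The ARR server needs to resolve the Front End external web FQDN to the internal address and reach it on TCP 4443 only; no rule, firewall path or farm definition should give it a route to the Front End's internal web site on 80/443.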
