Secure Skype for Business


Presentation on theme: "Secure Skype for Business"— Presentation transcript:

1 Secure Skype for Business
V6

2 Background & Overview
Connecting external devices (mobile devices/computers) to the corporate network raises security risks related to authentication and data.
The company does not have full control over devices used outside the corporate network, nor over the network that the traffic passes through.
SkypeShield offers a solution with a core server-side engine securing any external access by any device or client type.

3 SkypeShield high level feature list
Two Factor Authentication – Add the device as the second factor for authentication. Protects both SfB & Exchange EWS
Account lockout protection – Block attacks that send failed login attempts to the authentication service
Device Access Control – Manage connected devices using a device enrollment process
MDM binding – Verify that only devices managed by MDM can connect to the SfB server

4 SkypeShield feature list (cont)
Active Directory credential protection – Avoid using the domain password by creating a dedicated app password
Federation Ethical Wall – Granular policy control based on users/groups/domains for each modality (IM, file sharing, application sharing, audio, video, meetings)
Application firewall – Intercepting, inspecting and validating all anonymous requests in the DMZ
DLP – Inspect content passing through Skype for Business against a DLP policy

5 SkypeShield feature list (cont)
RSA integration – Use the RSA authentication code instead of the domain password
VPN traffic splitter – Split authentication from SIP to allow secure and efficient deployment over VPN
Soft token integration – Support authentication based on Google Authenticator or Microsoft Azure Authenticator

6 Two Factor authentication
Based on an endpoint ID sent by the client
Several registration/enrollment options to enforce an access control policy based on matching the device and the user
Protects both Skype for Business & Exchange (EWS) – blocks any request passing to network servers unless it comes from an approved device

7 Access Control – Enrollment
Supports several access control policies:
Automatic Registration – Device ID is registered upon first use of the account.
Self Service / Two Step Registration – User registers on an internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment – Admin management of the user list using training mode and a rejected-devices auditing list.

8 Two Step Registration

9 Two Factor Authentication architecture

10 Access Portal main Settings
View approved & blocked devices
Restrict registration and ongoing connection by IP range
Access rule black / white list
Allow / block guest users
Filter by device type & OS
Allow / block Web App login
Define number of devices per user
Registration policy (Two Step / Manual / Automatic)
Failed login auditing & soft lockout management

11 Access Portal main Settings (cont)
Require re-authentication by time – session termination
Save-password policy management
Multi-LDAP support (for HA & distributed implementation)
Support for multi-level admin management
Web service for external events to lock / approve a device or user
Housekeeping service
Notification settings
Reports & search

12 Access Portal admin control

13 Account Lockout protection
Account lockout can be the result of the following:
The user changed the Active Directory password but did not change the settings on the device.
The username (without the password) was obtained by a hacker who tried to log in several times.
DDoS, DoS and brute force attacks – such attacks can result in the network becoming unavailable.

14 Account lockout protection (cont)
Device pre-authentication – only authentication requests coming from a registered device will reach Active Directory
SkypeShield blocks the failed attempts in the DMZ
Multi-channel defense approach offering a unified solution protecting all distributed resources – HTTPS, SIP, NTLM, SOAP
Multi-location site support
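The device pre-authentication and DMZ soft lockout described on slides 13 and 14, as an added Python example that is not SkypeShield or AGAT code; the enrollment registry, the thresholds and the directory stand-in are constructed assumptions:

```python
"""Added example, not SkypeShield/AGAT code: a DMZ pre-authentication gate.
Login attempts reach the directory only from enrolled devices, and a per-account
soft lockout is enforced in the DMZ, so neither someone who knows a username nor
a phone holding a stale password can trip the AD account lockout."""
from collections import defaultdict

# Constructed enrollment registry: username -> approved endpoint IDs.
ENROLLED = {"alice": {"ep-1111"}, "bob": {"ep-2222", "ep-3333"}}
MAX_FAILED = 3          # soft lockout threshold (assumed value)
LOCKOUT_SECONDS = 900   # soft lockout window (assumed value)

class PreAuthGate:
    def __init__(self):
        self.failed = defaultdict(list)   # user -> timestamps of recent failures

    def decide(self, user, endpoint_id, now, password, directory):
        """Return (verdict, reached_directory). `directory(user, password)` stands
        in for the AD bind and is called only after the DMZ checks pass."""
        # 1. Unknown device: refused in the DMZ, AD never sees the attempt.
        if endpoint_id not in ENROLLED.get(user, set()):
            return "blocked_unenrolled_device", False
        # 2. Soft lockout is tracked here, not by AD's own lockout counter.
        self.failed[user] = [t for t in self.failed[user] if now - t < LOCKOUT_SECONDS]
        if len(self.failed[user]) >= MAX_FAILED:
            return "soft_locked", False
        # 3. Only now is the credential forwarded to the directory.
        if directory(user, password):
            self.failed[user].clear()
            return "allowed", True
        self.failed[user].append(now)
        return "bad_password", True

def simulate():
    """Scripted scenario; returns the list of (verdict, reached_directory)."""
    gate = PreAuthGate()
    ad = lambda user, pw: pw == "correct"     # stand-in for the AD bind
    log = []
    # Someone who knows bob's username tries passwords from an unenrolled device.
    for i in range(5):
        log.append(gate.decide("bob", "ep-evil", i, "guess", ad))
    # bob's enrolled phone still holds his old password and keeps retrying.
    for i in range(5):
        log.append(gate.decide("bob", "ep-2222", 100 + i, "old", ad))
    # After the window expires, the corrected password logs in and resets the count.
    log.append(gate.decide("bob", "ep-2222", 100 + LOCKOUT_SECONDS + 10, "correct", ad))
    return log
```

Of the eleven attempts in the scenario, only four ever reach the directory, and the account is never locked there.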

15 MDM binding
SkypeShield can limit the usage of Lync to managed devices only – devices with MDM.
Compatible with any MDM solution supporting one of the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control
These are available from most of the vendors on the market, including Microsoft Intune, AirWatch, MobileIron, MaaS360, Good, XenMobile and more.

16 SkypeShield MDM app

17 VPN support for Skype for Business
Microsoft's recommendation is to keep all voice and video traffic going through the Edge and not over the VPN.
SkypeShield offers a hybrid solution that requires authentication to be done over the VPN while routing the video/audio through the Edge over the internet.
Does not require VPN splitting

18 Lync traffic splitting over VPN

19 Federation Ethical Wall
Solves ethical and compliance regulation, security and data protection issues
Applies federation policies based on specific users, groups and domains/companies
Specific modality policy control – IM, file transfer, meeting, audio, video
Enforces policy in the DMZ and blocks non-approved traffic

20 Federation Ethical wall

21 Application firewall
Intercepting, inspecting and validating all anonymous requests in the DMZ
Rewriting requests by session termination
Blocking malicious requests
Protocol-level sanitization
Application data validation in the DMZ, including meeting ID
Device pre-authentication

22 DLP engine
Server-side solution inspecting content going through any channel

23 DLP (cont)
Content policy rules based on content such as:
Social security numbers
Credit card numbers
ID numbers
Actions – Block, Mask, Notify
Group-membership-based rules
Commercial DLP integration – Symantec, Websense, or any DLP engine with a standard ICAP interface
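A small content-policy engine of the kind slides 22 and 23 describe, as an added Python example that is not SkypeShield or AGAT code: rules detect credit card and social security numbers, the sender's group membership selects Block, Mask or Notify, and a Block finding always wins over a Mask. The patterns, groups and policy table are constructed assumptions.

```python
"""Added example, not SkypeShield/AGAT code: DLP content rules with group-based
actions (Block / Mask / Notify). Patterns, groups and policy are assumptions."""
import re

def luhn_ok(number):
    """Reject 16-digit strings that are not card numbers (order or tracking IDs)."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_digits(text):
    """Keep separators and the last four digits, replace every other digit with X."""
    digits = sum(c.isdigit() for c in text)
    seen, out = 0, []
    for c in text:
        seen += c.isdigit()
        out.append(c if not c.isdigit() or seen > digits - 4 else "X")
    return "".join(out)

# Constructed rule set: (kind, pattern, validator)
RULES = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda s: True),
]
# Constructed policy: (kind, group) -> action; "*" is the default for everyone else.
POLICY = {("credit_card", "finance"): "mask", ("credit_card", "*"): "block",
          ("ssn", "hr"): "notify", ("ssn", "*"): "block"}
SEVERITY = {"allow": 0, "notify": 1, "mask": 2, "block": 3}

def action_for(kind, groups):
    hits = [POLICY[(kind, g)] for g in groups if (kind, g) in POLICY]
    return hits[0] if hits else POLICY.get((kind, "*"), "allow")

def inspect(text, sender_groups):
    """Return (verdict, delivered_text_or_None, findings) for one message."""
    verdict, out, findings = "allow", text, []
    for kind, pattern, valid in RULES:
        for m in pattern.finditer(text):
            if not valid(m.group()):
                continue                      # e.g. a 16-digit order number
            act = action_for(kind, sender_groups)
            findings.append((kind, act))
            if act == "mask":
                out = out.replace(m.group(), mask_digits(m.group()))
            if SEVERITY[act] > SEVERITY[verdict]:
                verdict = act                 # most severe action decides
    return verdict, (None if verdict == "block" else out), findings
```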

24 AD credential protection
SkypeShield introduces a new approach to protecting Active Directory credentials.
With SkypeShield, the connection to Skype is made using dedicated Skype app credentials created by the user, rather than the regular network Active Directory credentials.
SkypeShield completely eliminates the need to store Active Directory passwords on the device.
Supports working against both Exchange & Skype with one set of app credentials.

25 Active Directory App login
The user creates dedicated Skype credentials on a self-service internal web site for use on the device, instead of the Active Directory credentials.

26 Skype App credentials architecture

27 Mobile Smart Card solution
Many organizations that use smart cards for network login do not have a username and password for Active Directory. SkypeShield allows the use of Skype without the need to manage Active Directory credentials. With the dedicated login solution, the user logs into the Access Portal from a network computer, authenticating with a smart card, and creates dedicated Skype for Business credentials for use on the mobile device.

28 RSA integration
Mobile users enter their RSA token authentication code instead of the Active Directory password; SkypeShield verifies the code against RSA Authentication Manager and impersonates the user against Skype.
Desktop users authenticate on a web site from a browser and can then log in from the Skype desktop client.

29 Product architecture - Bastion Proxy
As part of the solution, SkypeShield offers the dedicated reverse proxy Bastion, developed by AGAT. The SkypeShield filters are plugged into Bastion to extend its access control and content filtering capabilities.
Cross-platform – Windows / Linux
Scalable event-driven architecture. Can publish multiple servers in parallel / multiple channels.
Highly efficient asynchronous architecture.
Supports high availability deployment

30 Bastion (cont)
Main characteristics:
Geared towards full-featured HTTP filtering.
HTTPS – decrypts SSL
Supports many HTTP scenarios: chunked, gzip and deflate Transfer-Encodings, pipelining.
Supports filtering content, blocking content or generating proxy responses at any time during the filtering chain (unlike TMG and UAG).

31 SkypeShield Road map
Skype for Business authentication risk engine – security alerts and actions based on geolocation information and behavior profiling
Soft token TFA – authentication based on Google Authenticator / Azure Authenticator
Office 365 – device access control, content filtering (Federation & DLP)

32 AGAT products- Overview
AGAT Software is a company focusing on security solutions for authentication and content filtering when external devices connect to the company network. The company's MobilityShield core product suite secures applications such as Skype and other apps based on Active Directory authentication, like Outlook. SkypeShield is part of MobilityShield, AGAT's security suite. AGAT also offers secure browser and digital signature mobile applications for mobile PKI requirements.

33 To learn more about our solutions please visit our website at

