SkypeShield allows organizations to safely connect users to Skype for Business (Lync) servers from smartphones, tablets and any other external device outside the organization, while taking care of several important security issues related to the Skype for Business topology/architecture.
Connecting to the server using the Skype for Business client from smartphones, tablets and any other mobile device outside the organization poses several risks. These risks derive from using and storing the user’s active directory credentials on the mobile device and are therefore exposed to the threat of being hacked from the device while being used in public networks and from personal devices. In addition, the network is exposed to account lockout threat because of the requirement to externally publish the Active Directory authentication services.
Moreover, many organizations are not satisfied with using only the user’s credentials for authentication and are looking for a Two Factor solution to avoid anyone who knows the Active Directory credentials, from being able to connect from any device and to avoid a valid user from connecting from a non-authorized device.
To mitigate the above risks, and allow workers to use their own devices, SkypeShield has developed an innovative solution that prevents unauthorized mobile devices from connecting to the corporate network, avoids the usage of Active Directory credentials and protects against account lockout.
SkypeShield offers the following security features:
- Active Directory credentials protection – avoid usage of active directory credentials on the device by defining specific credentials for Skype for Business that are different from the AD credentials.
- Two Factor Authentication– verify that connection is done only from registered devices. The solution includes a web site with several registration workflows offering either a self-service enrollment or a central management approval process to register devices.
- Block DDoS attacks & prevent account lockout – prevent account lockout situation in a Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS) and brute force attacks, or in case of domain password change
- Reverse Proxy – A scalable, high efficient reverse proxy for publishing Skype for Business on both Windows and Linux without TMG. The proxy (branded as Bastion) supports multi channels, SSL, bi directional filtering and is designed for security missions of content inspections and authentication verifications.
- Restrict Skype for Business to corporate devices – enable limited access to the organization’s Skype for Business server only to corporate devices by restricting the registration process to be completed from a specific network (IP range Filtering). The IPF can be implemented at the registration process or during the ongoing usage of Lync.
- Smart card login – offer a solution for organizations with a network policy requiring smart card login to allow authentication and user Skype for Business mobile.
- RSA Token Authentication – eliminate the need to use AD credentials for users of secure tokens wishing to connect to Skype for Business servers from external devices and enable Two Factor Authentication based on the token.
- Edge Access Control – allow secure connectivity to Skype for Business Edge servers from desktops and laptops outside the organization’s network while eliminating the risk of account lockout and verifying that only a registered client can access.
- Exchange Protection – protect the Exchange Web Services (EWS) against account lockout and limit the access to the EWS only from registered device (TFA).
- Authentication for VPN – An ideal solution for organizations seeking to leverage their existing VPN infrastructure to secure Skype for Business deployment. The solution offers device access control in the case of VPN access being controlled by Mobile Device Management (MDM) or certificate, which are available for approved devices only.
- MDM Binding – Limiting Skype for Business usage only to devices with Mobile Device Management (MDM) installed. It enables users to verify that using Active Directory credentials for Skype for Business is only achieved from a device that is compatible with the company’s security policy.
- Federation Ethical Wall – Offering granular control over federation to address security and data protection when federating with external companies. This is a great solution for organizations wishing to extend communication outside the company boundaries, and to protect and control the different flows of data offered by Skype for Business.
- Application firewall – Securing guest and anonymous requests when entering corporate networks. The need for the new solution arose because, as part of the Skype for Business topology, requests are sent anonymously to the front server in the corporate network without being authenticated or inspected. Once allowed, these requests, which might contain malicious code, can pass through DMZ firewalls with no control.