My posts will have a bit of a Lync sprint at the moment, since we’re in the middle of Lync Conf 14. As I mentioned in my previous post, this post will be about securing your Lync 2013 deployment. More specifically, it will focus on how to increase security when you publish your Lync to the Internet.
When publishing a default-installed Lync deployment to the Internet, clients authenticate directly to the Lync Front-End server using their domain credentials. While it’s true that the traffic is sent through a reverse proxy, the actual authentication takes place at the Lync Front-End server.
This means, for instance, that anyone who knows a username can lock that user’s AD account, inflicting a denial of service not only on Lync but on everything else that depends on that account. On the mobile clients you can also choose to save the password in the client, which means that a lost or stolen device has the domain credentials stored on it. It’s also worth noting that two-factor authentication is not possible without ADFS and a third-party identity provider.
For many, this just isn’t good enough for a system that is published to the Internet. Looking back at past projects that included publishing a system to the Internet, there are two requirements that almost all of them have had in common.
1) Domain credentials may not be used.
2) Two-factor authentication is mandatory for external access.
So, how do we fulfill these two requirements? There are two ways to solve this, and both require integration with a third party. Both solutions have their advantages.
Deploying any of these solutions greatly increases the security of your Lync deployment.
My upcoming post will explain how to configure both solutions, starting with “Lync Passive Authentication with two-factor authentication”. Stay tuned for more Lync security!