The leading Skype for Business security solution treating external access security risks. SkypeShield offers Two Factor Authentication, Device access control, Account lockout protection, Exchange Web Service protection, MDM binding, VPN, DLP , Ethical Wall and application Firewall.

1. Leading Skype for Business Security
http://AGATSoftware.com
V6
http://SkypeShield.com

2. Slide2
Background & Overview
Connecting external devices (mobile/computers) to the
corporate network raises security risks related the Active
Directory exposure.
Typically there is no control over apps installed on
employees’ smartphones and the networks that these
devices are connected to.
SkypeShield is a server side solution with not additional
client install supporting all devices.

3. Slide3
SkypeShield high level feature list
Two Factor Authentication – Add the device as the
second factor for authentication.
Protect both SfB & Exchange EWS
Account lockout protection – Block attacks sending
failed login attempts to authentication service
Device Access Control – manage devices connected using
device enrollment process
MDM binding – Verify only devices that are managed by
MDM can connect to SfB server

4. Slide4
SkypeShield feature list (cont)
Active Directory credential protection – Avoid using
domain password by creating dedicated app password
Federation Ethical Wall- granular policy control based on
users/groups/domain for each modality (IM, File sharing,
Application sharing, Audio, Video, meetings)
RSA integration – Use RSA authentication code instead
of domain password
VPN traffic splitter – Split authentication from SIP to
allow secure and efficient deployment over VPN

5. Slide5
Two Factor authentication
Based on end point ID sent by client
Several registration/ enrolment options to enforce access
control policy based on matching the device and the user.
Protects both Skype for Business & Exchange (EWS) –
blocking any request passing to network servers unless
coming from an approved device

6. Slide6
Access Control – Enrollment
Support several access control policies:
Automatic Registration – Device ID is registered upon first
use of account.
Two steps registration process:
 Self Service / Two Step Registration – User registers on
internal site and then must sync within a defined time
frame to complete registration.
Admin Manual Enrollment – Admin management of user
list using training mode and rejected auditing list.

7. Slide7
Two Step Registration

8. Slide8
Two Factor Authentication architecture

9. Slide9
Access Portal main Settings
View approved & blocked devices
Restrict registration and ongoing connection by IP range
Access Rule black / White list
Allow / Block guest users
Filter by device type & OS
Allow / Block Web app login
Define number of devices per user
Registration policy (Two steps/ Manual/ Automatic)
Failed login auditing & Soft Lockout management

10. Slide10
Access Portal main Settings (cont)
Require re-authentication by time -Session termination
Save password policy management
Multi LDAP support (for HA & distributed implantation)
Support of Multi level admin management
Web service for external event to lock/ approve
device/user
House keeping service
Notification settings
Reports & Search

11. Slide11
Access Portal admin control

12. Slide12
Account Lockout protection
Account lockout can be the result of the following:
The user changed the Active Directory password, but did
not change the settings on the device.
The username (without the password) being obtained by a
hacker who tried to log in several times
DDoS , Dos , brute force attacks- Such attacks can result in
the network becoming unavailable

13. Slide13
Account lockout protection (cont)
SkypeShield blocks the failed attempts on the
gateway server side, before reaching the Active
Directory
SkypeShield offers a multi-site defense approach
covering all authentication channels
Unified solution that protects all distributed resources.
Failed attempts are counted and stored in a central
database table which is shared by all SkypeShield
components.

14. Slide14
MDM binding
SkypeShield can limit the usage of Lync to managed
devices only – devices with MDM
Compatible with any MDM solution supporting one of
the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control
These are available from most of the vendors around the
market including Microsoft Intune, AirWatch, MobileIron,
MASS360, Good, XenMobile and more.

15. Slide15
SkypeShield MDM app

16. Slide16
VPN support for Skype for Business
MSFTs recommendation is to keep all voice and video
traffic going through the Edge and not over the VPN
SkypeShield offers an Hybrid solution requiring the
authentication to be done over VPN and routing the
Video/Audio to go through the Edge over the internet.
Does not require VPN splitting

17. Slide17
Lync traffic splitting over VPN

18. Slide18
Federation Ethical Wall
Solves ethical and compliance regulations , security and
data protection issues
Apply federation policies based on specific users , groups
and domains/companies
Specific modality policy control- IM, File transfer,
Meeting, Audio, Video
Enforces policy in the DMZ and blocks non-approved
traffic

19. Slide19
Federation Ethical wall

20. Slide20
AD credential protection
SkypeShield introduces a new approach for protecting
the Active Directory credentials
With SkypeShield the connection to Skype is done by
using App dedicated Skype credentials that are created
by the user rather than the regular network Active
Directory credential
SkypeShield completely eliminates the need to store
Active Directory passwords on the device
Supports work against Exchange & Skype with one App
credentials

21. Slide21
Active Directory App login
The user creates dedicated Skype credentials on a self
service internal web site for use on device, instead of
Active Directory credentials.

22. Slide22
Skype App credentials architecture

23. Slide23
Mobile Smart Card solution
Many organizations that smart card for network login do
not have a username and password for Active Directory.
SkypeShield allows the usage of Skype without the need
to manage Active Directory credentials.
With the dedicated login solution, the user logs into the
Access Portal authenticating with his smart card from his
network computer and creates dedicated Skype for
Business credentials for use on the mobile device.

24. Slide24
RSA integration
Mobile users enter their RSA Token authentication code
instead of Active Directory password
SkypeShield verifies password
against RSA Authentication
Manager and impersonate user
against Skype
Desktop users Authenticate in web
site from Browser and than can login
from Skype desktop client

25. Slide25
Product architecture - Bastion Proxy
SkypeShield solution offers as part of the solution the
dedicated reverse proxy Bastion developed by AGAT.
The SkypeShield filters are plugged into Bastion to
extend access control and content filtering capabilities
Cross-platform- Windows / Linux
Scalable Event-Driven Architecture.
Can publish multiple servers in parallel/ mulita channels.
Highly efficient asynchronous architecture.
Supports high availability deployment

26. Slide26
Bastion (cont)
Main characteristics :
Geared towards full-featured HTTP filtering.
HTTPS - Decrypt SSL
Supports many HTTP scenarios: Chunked, gzip and deflate
Transfer-Encodings
Pipelining.
Supports filtering content, blocking content or
generating proxy responses anytime during the filtering
chain (unlike TMG and UAG).

27. Slide27
Skype for Business SIEM
Security Information Event Management
Security alerts based on geolocation information and
behavior profiling
Skype for Business Application Firewall-
Sanitize all non authenticated requests in DMZ:
Verify request type, content type headers, content length,
URL validation, validate request structure, characters etc.
Break any direct request to enter domain- session
termination
SkypeShield Road map

28. Slide28
SkypeShield Road map (cont)
Soft token TFA Authentication (Google authenticator /
Azure authenticator) for :
 Lync on premise
Lync online (Office 365)
DLP engine
Apply content rules policy on IM data
Examples of content handled in messages:
 Social security numbers
 Credit card numbers
 ID numbers

29. Slide29
AGAT products- Overview
AGAT Software is a company focusing on security
solutions for authentication and content filtering while
externally connecting devices to company network.
The companies Mobility-Shield core product suite
secures applications such as Skype and other apps based
on Active Directory authentication like outlook.
SkypeShield is part of MobilityShield AGAT’s Security
suite.
AGAT also offers secure browser and digital signature
mobile applications for mobile PKI requirements.

30. Slide30
To learn more about our solutions
please visit our website at
http://SkypeShield.com
http://AGATSoftware.com
info@agatsoftware.com