27 February 2014

Lync Conference: Securing External and Mobile Access in Lync

Here are the notes for another session I attended at the conference.

Unlocking Lync Mobile Deployments
Francois Doremieux (Microsoft)
Rui Maximo (Lync-Solutions)

Authentication in Earlier Mobile Versions
  • To Lync server
    • Through Reverse Proxy
    • NTLM only
    • Re-authorize every 8 hours
  • To EWS
    • For voice mail, meetings, UCS in 2013
    • NTLM only
    • Authorization is required for each query

Recent Improvements
  • Improvement Principles
    • Reduce or remove AD credential exposure
    • Two options for initial authorization
      • NTLM
      • Passive Authentication
    • Dissociate subsequent re-authorizations - personal Lync certificate issued by Lync server
    • No solution for EWS yet
      • Remains NTLM for every query
      • Can remove/disable EWS dependent capabilities
  • Lync Certificate Authorization
    • Client obtains certificate on initial authorization
    • Method has been used for a while with other clients (desktop, phone)
    • Admin can revoke a user's certificate at any time
    • Certificate lifetime and auto-renewal interval manageable by Lync admin
    • Certificate is scoped only to Lync - can't be used to gain access to anything else on the network
    • Sign-out, deleting client, upgrading client requires initial sign-in again
  • Initial Authentication
    • NTLM
    • Used to obtain web ticket from web ticket service
  • Protecting AD Credentials
    • New policy to disable password storage
      • Set-CsMobilityPolicy -AllowSaveCredentials
    • Disable EWS
      • Set-CsMobilityPolicy -AllowExchangeConnectivity
      • Voicemails will still be in email, Meeting links in calendar
  • Passive Authentication
    • New auth method introduced in Q1 CY2013
    • Lync server gets out of authentication
      • Server delegates authentication to trusted Security Token Service
      • STS serves custom authorization web page rendered in Lync app
      • Uses form entries in Trident page - not possible to use cert on device or smart card but can support forms based multifactor (password + OTP or SecurID)
      • STS passes token to client which it presents to Lync server
    • Set up server side
      • Can't be client policy as client would only get it after authentication
      • Server Policy - scope per pool, affects all users and all client types
      • Enable Passive, disable Kerberos and NTLM
    • Experience - pop up window to authenticate
      • Not quite ready for all clients
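The server-side steps above (disable credential caching, cut the EWS dependency, switch a pool to passive authentication, revoke a user's certificate) map onto a handful of Lync Server Management Shell cmdlets. What follows is an added example written for these notes, not something shown in the session. Set-CsMobilityPolicy with -AllowSaveCredentials and -AllowExchangeConnectivity are the parameters named in the notes; Set-CsWebServiceConfiguration with -UseWsFedPassiveAuth and -WsFedPassiveMetadataUri, Set-CsProxyConfiguration with -UseKerberosForClientAuth, -UseNtlmForClientAuth and -UseCertificateForClientAuth, and Revoke-CsClientCertificate are my assumptions about the Lync Server 2013 cmdlets that carry out those steps, and the pool name, STS metadata URL and SIP address are placeholders.

```powershell
# Added example for these notes; not code shown in the session.
# Run in the Lync Server Management Shell on a Front End server.
# Placeholders: pool01.example.com (Lync pool), sts.example.com (trusted STS),
# user@example.com (a SIP address).

$pool = "pool01.example.com"
$stsMetadata = "https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

# --- 1. Protect AD credentials on mobile clients (parameters from the notes) ---
# Show what the current policies allow before changing anything.
Get-CsMobilityPolicy | Format-Table Identity, AllowSaveCredentials, AllowExchangeConnectivity

# Stop the mobile app from storing the AD password on the device, and remove the
# EWS dependency (which stays NTLM for every query). Voicemail and meeting links
# remain reachable through mail and calendar.
Set-CsMobilityPolicy -Identity Global -AllowSaveCredentials $false -AllowExchangeConnectivity $false

# --- 2. Passive authentication for one pool (assumed cmdlet/parameter names) ---
# Scope is per pool and applies to every user and client type on it, so confirm
# that all client types in use on this pool handle passive authentication first.
# Per-service settings may not exist yet; create them before setting values.
if (-not (Get-CsWebServiceConfiguration -Identity "Service:WebServer:$pool" -ErrorAction SilentlyContinue)) {
    New-CsWebServiceConfiguration -Identity "Service:WebServer:$pool"
}
Set-CsWebServiceConfiguration -Identity "Service:WebServer:$pool" `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri $stsMetadata

# Turn off Kerberos and NTLM on the pool so initial sign-in has to go through the
# STS, while keeping certificate authentication so the Lync-issued client
# certificate still handles the subsequent re-authorizations.
if (-not (Get-CsProxyConfiguration -Identity "Service:Registrar:$pool" -ErrorAction SilentlyContinue)) {
    New-CsProxyConfiguration -Identity "Service:Registrar:$pool"
}
Set-CsProxyConfiguration -Identity "Service:Registrar:$pool" `
    -UseKerberosForClientAuth $false `
    -UseNtlmForClientAuth $false `
    -UseCertificateForClientAuth $true

# Verify the result.
Get-CsWebServiceConfiguration -Identity "Service:WebServer:$pool" |
    Format-List UseWsFedPassiveAuth, WsFedPassiveMetadataUri
Get-CsProxyConfiguration -Identity "Service:Registrar:$pool" |
    Format-List Use*ForClientAuth

# --- 3. Revoke one user's Lync certificate (assumed cmdlet) ---
# Sends that user back through initial authentication on every client, which is
# the lever the notes describe for an admin responding to a lost or suspect device.
Revoke-CsClientCertificate -Identity "sip:user@example.com"
```

Because the passive-authentication switch is pool-wide, a practical rollout is to apply it to a pilot pool that only hosts users whose clients are known to support it, rather than to the global scope.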

Other questions around mobile security
  • MDM discussion
    • Lync Mobile does not support MDM
      • No path to distribute
      • Rich, real-time behavior of app does not lend itself to complex integration
      • Distribution through App Store is most efficient way to get current release
    • What we endeavour instead
      • Why should app security depend on MDM?
      • Improvement on policies, authentication, protection of data at rest
      • Open to feedback toward closing possible remaining gaps
  • What does Lync mobile do for data security
    • Data transfers
      • Authenticated, encrypted at similar grade as encapsulating solutions
    • Data at rest
      • Very little data at rest
      • Not accessible to other apps
      • No local storing of address books
  • Pre-authentication in DMZ
    • All authentication done in network
    • Third party solutions available where Lync Mobile traffic is intercepted at reverse proxy

Incremental capabilities through third party solutions
  • Lync-Solutions Security Filters
    • Modular security solution
    • Not just mobile but external access
    • Intercepts login traffic in DMZ, deep packet inspection and validation
    • Prevention of DoS and Brute Force attacks
    • User-device affinity
    • Logging, monitoring, alarming
    • Authentication mechanism
      • Kerberos constrained
      • Passive authentication
    • Addresses customer asks
      • Pre-authentication and validation in DMZ
      • Device restriction - enables verification of device used by user, can be combined with policies, alarming, etc.

  • Random Trivia: The Hoover Dam is made of enough concrete to make a two-lane highway from New York to San Francisco, that's around 4000 miles (2500 kilometres).

23 February 2014

Lync Conference: Video- What In The World Are You Doing To My Network?

The videos from all of the various breakout sessions should be available soon. In the mean time, here are my notes from some of the sessions I attended.

Video- What in the World Are You Doing To My Network?
Jeff Schertz, Polycom

Foundational Concepts
  • Video codecs in 2013
    • RTV
    • H.264 Scalable Video Coding
      • Hardware acceleration 
      • More resolutions up to 1080p
      • Multiple panorama resolutions
      • Temporal Scaling - multiple frame rates in a single encoded stream
      • UCConfig mode - look at Jeff's blog for more info
    • Client can send up to 5 possible concurrent streams per video source
      • Very unlikely though
    • Client can receive multiple streams as well
Dissecting the Video Experience
  • Views available in the Client
    • Gallery view
    • Speaker view
    • Video Spotlight - presenter can lock view to his camera
    • Compact view - Not showing any video
    • Lync will selectively start/stop participant video as needed during conference if no one is viewing their stream to save on bandwidth/computing
  • Smart Framing - This is basically smart cropping based on facial tracking
  • Cropping - There is no square resolution in Lync, the client hides the edges for real estate
    • Video is encoded and sent in full resolution
  • Video Resolution - more is less - resolution goes down for each stream as more streams are shown
    • Pixel depth more important than screen size
  • Unique experiences
    • Dual monitors
    • Lync room system - span 2 monitors
    • Panoramic
Doing the Math
  • Don't forget about audio!!
  • Include payload and RTCP payload (5-15 Kbps)
  • H.264 SVC - lot more options/resolutions, much cleaner display at any resolution
  • Lync Bandwidth Calculator
  • Conference calls typically use less bandwidth
  • Default video stream is 320x240 15Kbps
  • Have to manually resize video for higher resolutions
  • Controlling bandwidth
    • Get-CsConferencingPolicy | fl *video*
      • AllowIPVideo
      • EnableP2PVideo
      • MaxVideoConferenceResolution
    • To disable gallery view
      • AllowMultiview
      • EnableMultiviewJoin
    • Conferences with over 75 participants switch to only display active speaker automatically
    • Limiting bit rates
      • Default limit 50 Mbps for sent video
      • Total receive default 50 Mbps
      • Must be at least 420 Kbps to support gallery view, may get weird behavior below this
      • Bit rate is measured per video source - webcam, roundtable, etc
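Putting the bandwidth controls above into a policy, as an added example that is not part of Jeff's session: the parameter names AllowIPVideo, EnableP2PVideo, MaxVideoConferenceResolution, AllowMultiView and EnableMultiViewJoin come from the notes; VideoBitRateKb and TotalReceiveVideoBitRateKb are my assumption for the per-source send and total receive limits whose 50 Mbps defaults are mentioned, and the policy names and SIP address are placeholders.

```powershell
# Added example for these notes; not code shown in the session.
# Run in the Lync Server Management Shell. Policy names and the SIP address are placeholders.

# What the notes suggest running first: every video-related setting currently in effect.
Get-CsConferencingPolicy | Format-List Identity, *Video*, *MultiView*

# A constrained policy for users on thin WAN links: video stays on, but conference
# resolution is capped, the per-source send rate is limited, and the total receive
# budget is kept above the ~420 Kbps floor the notes give for gallery view.
# VideoBitRateKb / TotalReceiveVideoBitRateKb are my assumption for the two
# 50 Mbps (50000 Kb) defaults mentioned in the notes.
New-CsConferencingPolicy -Identity "LowBandwidthVideo" `
    -AllowIPVideo $true `
    -EnableP2PVideo $true `
    -MaxVideoConferenceResolution "VGA" `
    -VideoBitRateKb 600 `
    -TotalReceiveVideoBitRateKb 1500 `
    -AllowMultiView $true `
    -EnableMultiViewJoin $true

# A stricter variant that also removes gallery view, so each participant only
# ever receives the active speaker's stream.
New-CsConferencingPolicy -Identity "NoGalleryView" `
    -AllowIPVideo $true `
    -EnableP2PVideo $true `
    -MaxVideoConferenceResolution "CIF" `
    -VideoBitRateKb 300 `
    -TotalReceiveVideoBitRateKb 500 `
    -AllowMultiView $false `
    -EnableMultiViewJoin $false

# Assign a policy per user; users without a per-user policy keep the site/global one.
Grant-CsConferencingPolicy -Identity "sip:user@example.com" -PolicyName "LowBandwidthVideo"

# Confirm which policy a given user now gets.
Get-CsUser -Identity "sip:user@example.com" | Format-List ConferencingPolicy
```

Since bit rates are measured per video source, a room system with a panoramic camera plus a webcam can still send twice the VideoBitRateKb figure, so size the total receive budget for the worst-case number of sources a user will view at once.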
Actual Usage
  • Usage at Microsoft
    • Daily 6,000 minutes peer to peer
    • Daily 226,000 minutes conferencing
    • 11 million minutes of video in November 2013
    • Users tend to keep default resolutions
    • No bandwidth or CAC policy constraints in place
Summary
  • Factors for growth
    • Age - Younger workers like video as they tend to have grown up with it
    • Ubiquity - Video is looking better than it ever has, much more common
    • Culture
    • Experience - As they use it, they want to use it more
  • Importance of the Video modality
    • Audio is the Pinnacle
    • Content is King
    • Video is a love/hate relationship

21 February 2014

Lync Conference 2014 Wrap Up

The daily summaries didn't happen. In a way that's a good thing, because that means that I was really busy at the conference. I was able to attend a lot of interesting and very informative sessions, catch up with some old friends and coworkers and meet a lot of people, and had a lot of fun along the way.

The conference was attended by 1600 participants (up from 800 last year), offered 170 breakout sessions, 9 Hands-On labs, Lync Room System labs, and a variety of vendors in the Expo Hall.

Keynote Highlights
The keynote was really good, and had some big announcements, but there weren't any earth-shattering announcements this year. Below are some of the highlights.

  • Lync has had 38 quarters of double-digit revenue growth
  • 60% of enterprises have deployed it
  • 1/3 of all global long distance calls occur on Skype

Up and Coming for Lync & Skype

  • Speech recognition to control Lync Mobile
    • "Show my meetings"
    • "Join my current meeting"
  • Mobile App for Android tablets
  • Share PowerPoint presentations from tablets like iPad
  • Anonymous join to meetings from tablets
  • Windows 8.1 Modern App - Answer calls without unlocking the device
  • Bing call extensions in browsers - Skype calls paid for by the business
  • JavaScript wrapper to embed Skype functionality in websites
  • Skype video to Lync within the next few months
  • Lync Online will be able to make and receive PSTN calls
  • Large-scale meetings (1000-2000 participants) will be brought to Lync Online

Gurdeep Singh Pall returned to the stage to wrap up the keynote. He talked about how the last decade has been the push for Unified Communications and has transformed the way we do a lot of things in our lives and the way we work. He feels we have closed out Unified Communications, and for the next decade we are moving into Universal Communications. This includes ideas like context and application intelligence, global communications reach through the cloud, and video available everywhere.

A big thanks to Microsoft, the speakers/presenters, vendors and everyone involved who put together such a great event. Looking forward to next year!

18 February 2014

Lync Conference 2014 has begun!

This year is the 2nd annual Lync Conference, being held in the beautiful Aria Hotel and Casino in Las Vegas. It officially started last night with the Welcome Reception, but today is when things will really get kicked off.

I'll be posting daily updates with some of my session notes, and you can follow it on twitter with #LyncConf14.