Forum Discussion

  • Specific question... Using the LTM as a reverse proxy, Would ASM be a good tool to protect against repeated unsuccessful login attempts, since Lync's lack of SAML compliance means that APM can't do the authentication for us. That authentication doesn't take place until the proxied connection gets all the way to the Lync Front End server that is part of internal AD domain. We have this running in a lab environment, and need to address this security issue prior to going to production.

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      I would start a new question for a new question :) it seems ASM could help you, but it would depend on if you can get it to detect successful / failed login attempts on lync. if you got a lab setup just configure it and see: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/21.html
  • Specific question... Using the LTM as a reverse proxy, Would ASM be a good tool to protect against repeated unsuccessful login attempts, since Lync's lack of SAML compliance means that APM can't do the authentication for us. That authentication doesn't take place until the proxied connection gets all the way to the Lync Front End server that is part of internal AD domain. We have this running in a lab environment, and need to address this security issue prior to going to production.

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      I would start a new question for a new question :) it seems ASM could help you, but it would depend on if you can get it to detect successful / failed login attempts on lync. if you got a lab setup just configure it and see: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/21.html
  • R Marc is correct. ASM wouldn't play much against the SIP portions of Lync, and would only potentially protect the Lync web services defined against the front end "External web services" and "Internal web services". Since we'd assume using LTM as the reverse proxy, it may or may not be benefit to use ASM in this instance; especially since any "issues" may not be supported by MSFT until ASM is removed from the config. We are however, certified for reverse proxy by MSFT.

     

  • R_Marc's avatar
    R_Marc
    Icon for Nimbostratus rankNimbostratus
    There's not much to protect. The only HTML component is the web portal. The Lync communications (SIP and other) would not be applicable. For the HTML part, a standard ASM profile would be sufficient, IMO. What ever you would require to satisfy your audit/security requirements.