Friday, March 20, 2015

Skype for Business External Security

My friend Mika Ullgren who runs a good blog on Lync and security at
have demonstrated PointSharps "Mobile Gateway for Lync" for me.

This product is a reverse proxy for Lync / Skype for business on steroids! You can replace your current Lync reverse proxy with this special one from PointSharp, or use it from day 1. Nothing needs to be installed or configured on the clients, and all types of external clients (using the reverse proxy) are supported. Please note that Lync mobile clients are always logging in via the reverse proxy and can therefore always be regarded as external no matter if they are using an internal WiFi network or not.

The reverse proxy (Mobile Gateway) will catch login attempts from clients and can do various functions with the request before passing in on to the internal front-end server(s). This allows the gateway to add functions such as application specific passwords, two factor authentication and device control. If the user is supposed to only use an iPhone to login to the system, the gateway will check this with an internal PointSharp server and deny the request if it is coming from another type of device. Each device is registered by the PointSharp system and tied to an authenticated user, creating a partnership that is validated continuously.

Also a specific password used only to login to Lync/Skype for business can be assigned to the user. This way the external user does not need to use the actual AD password or store it on a mobile device. Two factor authentication can be achieved by using a static application specific password and a code from some type of two factor token. Lockouts of AD accounts due to "password guessing" via the Edge server / reverse proxy can also be stopped by locking the application specific password after x erroneous attempts.

For more information on this solution - please check out PointSharps public information.

The GUI below is from the coming 4.4 version, and support for both Skype for business as well as for Lync is coming to the product soon.

Stay safe out there!


  1. Hi,

    thanks for that article.

    Does the PointSharp solution also secure the unauthenticated access to the simple URLs? Because these requets are passing the reverse proxy too.
    Does such a solution exist?

  2. Hi!

    All the simple URLs that require authentication are handled by the PointSharp solution. The anonymous requests required to reach the service and authenticate is another matter. Due to their nature, blocking them would render the service useless. Please let me know if you have more questions.