How to configure the UTM Web Application Firewall for Microsoft Lync Web Services connectivity


This article explains how to configure your Sophos UTM to allow access to Microsoft's Lync Web Services (the so-called Simple URLs), which require the use of a reverse proxy, through the Web Application Firewall. These services are used by your mobile and clientless users to provide presence, chat and online meeting services. The WAF currently does not support Lync 2013's mobile voice implementation, so any configuration for those services is excluded from this guide. Configuring your Windows 2008/2012 server or Lync infrastructure is outside the scope of this guide; this article assumes you have already set up your Lync infrastructure and that you have copies of your applicable SSL certificates available in PFX format.

Known to apply to the following Sophos product(s) and version(s)
Sophos UTM 9.3

Operating systems
Microsoft Windows Server 2008 R2 / 2012, Lync 2010-2013

What To Do

A. Import the required certificates

While it should go without saying, we'd like to point out that Lync requires the use of SAN certificates for its frontend services, including the Simple URLs. It is therefore highly recommended to import a dedicated Lync SAN certificate into your UTM, even if you already have a wildcard certificate available for the same domain.

1. Go to the Webserver Protection menu in the UTM WebAdmin console and select Certificate Management.
2. Click New Certificate and select Upload in the Method: dropdown box.

3. Fill in a name, the required password and a comment (if needed).
4. Click the folder next to the upload field to select the PFX file you wish to import.
5. Click Save to upload the PFX and complete the import.

B. Optional: Import the root certificate

If your PFX file does not include the root certificate, you need to import it manually for the UTM to be able to use it.

1. Go to Certificate Management and navigate to the Certificate Authority tab.
2. Click the Import CA button and fill in the name, description and type (this should usually be Verification CA).
3. Click the folder next to the upload field to select the certificate to upload (both PFX and CER formats are supported).
4. Click Save to upload the certificate and complete the import.

C. Configuring the Firewall Profile

Lync makes extensive use of cookies and dynamic URLs (with many parameters) to work properly. Enabling anything related to cookie signing, URL hardening or XSS protection tends to break Lync's functionality. On top of that, Lync deals with real-time traffic and generally reacts badly to AV products modifying in-stream data.

1. Go to the Webserver Protection menu in the UTM WebAdmin console and select Web.
2. Navigate to the Firewall Profiles tab and click the New Firewall Profile button.
3. Fill in a Name for the profile and select the appropriate firewall action (Reject or Monitor) from the Mode: dropdown menu (Monitor logs the traffic and allows it; Reject drops the traffic and informs the end user's browser).
4. Enable Common threats filter.
5. (Optional) Block suspect hosts by enabling the Block clients with bad reputation feature.
6. Disable all Threat Filter Categories except SQL injection attacks, which stays enabled.
7. Click Save to store the profile and continue.

The following screenshot displays our recommended settings:

D. Creating the Real Webserver(s)

Lync uses the TCP port the client connected to in order to determine whether the client is internal or external. The external ports are TCP 8080 for externally generated Lync traffic over HTTP and TCP 4443 for HTTPS traffic. The clients are unaware of this, so it is of key importance to translate the port number to the proper service-associated ports (as we will see later on). As a result of this setup, we need to configure two separate Real Webserver entries for each Lync Frontend server we wish to publish. Please note that it is currently not possible to load balance multiple Lync Frontend servers through the WAF, due to an incompatibility between the cookie-based persistence used by the WAF and Lync's implementation of this mechanism.

Lync over HTTP

1. Go to the Webserver Protection menu in the UTM WebAdmin console and select Web.
2. Navigate to the Real Webservers tab and click the New Real Webserver button.
3. Fill in a Name for the new Real Webserver and either select a pre-existing Host object by clicking the folder icon or create one by clicking the + button.
4. Set the Real Webserver connection type by selecting HTTP from the Type dropdown menu.
5. After selecting the connection type, the UTM automatically fills in the associated port; change it to 8080 in this particular case.
6. Set the HTTP keepalive timeout in the Advanced tab to 600.

Lync over HTTPS

7. Go to the Webserver Protection menu in the UTM WebAdmin console and select Web.
8. Navigate to the Real Webservers tab and click the New Real Webserver button.
9. Fill in a Name for the new Real Webserver and either select a pre-existing Host object by clicking the folder icon or create one by clicking the + button.

10. Set the Real Webserver connection type by selecting HTTPS from the Type dropdown menu.
11. After selecting the connection type, the UTM automatically fills in the associated port; change it to 4443 in this particular case.
12. Set the HTTP keepalive timeout in the Advanced tab to 600.

E. Creating the Virtual Webservers

As with the real servers, we also need to configure multiple Virtual Webservers to enable both HTTP and HTTPS traffic to the Lync Frontend server. In our example we use LyncExt.example.com as the Web Services FQDN; the Lyncdiscover, Meet and Dial URLs are unchanged from the default settings in the infrastructure deployment wizard.

Lync over HTTP

1. Go to the Webserver Protection menu in the UTM WebAdmin console and select Web.
2. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button.
3. Fill in a Name for the Virtual Webserver.
4. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol end users should use to connect to this server from the Type menu. Since we are configuring the HTTP-based services, select HTTP here. Leaving the port at the default value of TCP 80 also automatically enables rewriting of traffic from port 80 (externally) to 8080 (internally), allowing Lync to determine the source of the traffic correctly.
5. Enter the desired domain names in the Domains: list by clicking the + button in the top right corner.
6. Select the Firewall Profile you've created for the Lync HTTP traffic from the Firewall Profile dropdown menu.
7. Enable the Pass Host Header option (this setting is very important, because the Lync Frontend needs the client to use the same hostnames as those configured in the Infrastructure Deployment wizard in order to work properly).
8. Click the Save button to store the configuration and continue.

The following screenshot displays our recommended settings:

Lync over HTTPS

9. Go to the Webserver Protection menu in the UTM WebAdmin console and select Web.
10. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button.
11. Fill in a Name for the Virtual Webserver.
12. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol end users should use to connect to this server from the Type menu. Since we are configuring the HTTPS-based services, select HTTPS here. Leaving the port at the default value of TCP 443 also automatically enables rewriting of traffic from port 443 (externally) to 4443 (internally), allowing Lync to determine the source of the traffic correctly.
13. Select the appropriate certificate from the Certificates: dropdown menu and select all the applicable names in the Domains: list.
14. Select the Firewall Profile you've created for the Lync HTTPS traffic from the Firewall Profile dropdown menu.

15. Enable the Pass Host Header option (this setting is very important, because the Lync Frontend needs the client to use the same hostnames as those configured in the Infrastructure Deployment wizard in order to work properly).
16. Click the Save button to store the configuration and continue.

The following screenshot displays our recommended settings:
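As an added pre-flight check (example code written for this article, not Sophos' own tooling), the script below verifies two things the procedure above relies on: that the certificate's SAN list covers every published Lync hostname (section A), and that each external listener port maps to the Real Webserver port Lync expects (sections D and E). The hostnames are constructed from the LyncExt.example.com example and assume the default Simple URL prefixes lyncdiscover, meet and dialin; live_sans() optionally fetches the SAN list the WAF actually presents.

```python
"""Pre-flight check for a Lync WAF publication: SAN coverage and port mapping.
Added example for this article; not Sophos UTM code."""
import socket
import ssl

# Constructed sample: Web Services FQDN plus assumed default Simple URL names.
LYNC_NAMES = ["lyncext.example.com", "lyncdiscover.example.com",
              "meet.example.com", "dialin.example.com"]
# Constructed SAN list of a hypothetical certificate; dialin is missing on purpose.
SAMPLE_SANS = ["lyncext.example.com", "lyncdiscover.example.com",
               "meet.example.com"]

# Port translation the Virtual Webservers perform (external -> Real Webserver).
PORT_MAP = {80: 8080, 443: 4443}


def san_matches(name, san):
    """Exact match, or a single-label wildcard in the leftmost position."""
    name, san = name.lower(), san.lower()
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return name == san


def uncovered_names(names, sans):
    """Published hostnames that no SAN entry covers (each needs its own entry)."""
    return [n for n in names if not any(san_matches(n, s) for s in sans)]


def backend_port(external_port):
    """Real Webserver port for an external listener port, per the Lync mapping."""
    if external_port not in PORT_MAP:
        raise ValueError(f"no Lync external mapping for port {external_port}")
    return PORT_MAP[external_port]


def live_sans(host, port=443):
    """Fetch the DNS SANs the reverse proxy presents (network; optional)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    print("SAN gaps:", uncovered_names(LYNC_NAMES, SAMPLE_SANS) or "none")
    for ext in (80, 443):
        print(f"external {ext} -> Real Webserver {backend_port(ext)}")
```

Replace SAMPLE_SANS with live_sans("lyncdiscover.example.com") once the Virtual Webserver is up to confirm the certificate you imported is the one being served.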