Security filter using isaScript RRS feed

  • Question

  • should i use isaScript for writing secuirty filter to deal with https authentication in lync2010 ?
    • Edited by D Hans Wednesday, February 15, 2012 9:19 AM
    Wednesday, February 15, 2012 9:18 AM


  • You'd need to deploy this on IIS on the Director/FE servers as this is where the authentication occurs.

    Justin Morris | Consultant | Modality Systems
    Lync Blog - www.justin-morris.net
    Twitter: @jm_deluxe
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    Friday, February 17, 2012 7:40 AM

All replies

  • Can you expand a bit more on what you're trying to achieve? Is this on the Lync Front End server or the Reverse Proxy?

    The reverse proxy doesn't do any authentication and passes the incoming HTTPS request straight to the Front End pool, so a ISAPI filter cannot be employed here to guard against DDoS etc.

    This old thread might provide some detail for you http://social.technet.microsoft.com/Forums/en-US/ocssecurity/thread/f4948068-0fb2-4ecc-827b-86314096e5a8

    Justin Morris | Consultant | Modality Systems
    Lync Blog - www.justin-morris.net
    Twitter: @jm_deluxe
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    Wednesday, February 15, 2012 5:42 PM
  • I am interested in writing security filter to deal with https requests. so can i integrate this security filter with tmg as third party or should i  deploy this filter on IIS on Director/FE pool.

    Adding further should i write web security filter which will deal with http requests authentication at TMG or should i write ISAPI filter which i can deploy on IIS ? i am developing this filter to deal with DOS attack for lync2010. i am not sure which one TMG SDK or IIS SDK  has those functionality for developing such a filter. I am little bit confused here. your guidence will help me a lot.

    Thanks for you rply in advance..

    • Edited by D Hans Friday, February 17, 2012 8:24 AM
    Friday, February 17, 2012 5:37 AM
  • You'd need to deploy this on IIS on the Director/FE servers as this is where the authentication occurs.

    Justin Morris | Consultant | Modality Systems
    Lync Blog - www.justin-morris.net
    Twitter: @jm_deluxe
    If this post has been useful please click the green arrow to the left or click "Propose as answer"

    Friday, February 17, 2012 7:40 AM
  •   Ok Thanks Justin....
    • Edited by D Hans Friday, February 17, 2012 10:49 AM
    Friday, February 17, 2012 10:39 AM
  • Hi D Hans

    I have the same problem but no one seems to be helping answer this. The TMG neither Lync has any security mechanism to protect the Active Directory or introduce two-factor authentication.

    I was also thinking of using IsaScript on TMG. I think you can catch the authentication request XML  (its a POST to the WebTicket Service) and it contains the base-64 encoded username and password.

    Then you could do some pre-authentication/pre-authorization with a lockout check with lockout counter in SQL and if OK pass the request on, else respond back with righly formated  XML response with "Invalid Password".(I am simplyiying)

    This would be easy to do using .net - I have it mostly done for another app,  but the IsaScript is not very straight forward so may be TMG is not the best product as the extensibility using c++ is not for normal humans.

    I am also thinking about using a simple IIS 7.5  as a reverse proxy and add do this filter in c# and do this filter using IHttpHandler.

    Another option is doing this using iRules if you have BigIP.

    Last think to figure out is how to add second-factor - when the Lync Web App silverlight client has fixed UI and you cannot add another fieldfor i.e. OTP.

    May be advise users to enter OTP+username into username and password into password, and then in the XML strip out the OTP from the username and validate, or some waylike this.

    I am disappointed Microsoft is not providing security in such a product that is targeted for the Enterprise.

    I am curious why other companies are not pushing Microsoft more in doing better job in this.

    I have yet to solve this for my deployment. If anyone has any more ideas, let me know...

    Wednesday, February 22, 2012 9:28 PM
  •     Hi Mimal,

         which one  will be good to write isapi filter or native module or managed module ?

         i am thinking of writing isapi filter.

    • Edited by D Hans Thursday, February 23, 2012 7:53 AM
    Thursday, February 23, 2012 7:25 AM
  • Hi D Hans

    I am just started writing this today using c# and iHTTPModule. This seems easy to load in IIS in the external WebTicket virtual directory, but eventually I would like to separate this onto a different server, probably as a separate web site on the director pool and have it forward the pre-authenticated requests to the pool web service.

    Here is what I have so far - not complete - it should give you an idea . Will continue on Saturday.

     If you work on this please share your experiences. Depending on your development skills you might prefer Isapi filter, for me this is the way.

    I still have to add some form of two-factor auth. Possibly you can validate the credentials, send the end user an email or SMS with one time passcode, let them logon again with the passcode instead of username and password, and then after validating rewrite the username with the original one before sending to Lync.

    How are others dealing with this issue?

    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.IO;
    using System.Web;
    using System.Web.Hosting;
    using System.Text;
    using System.Xml;
    namespace LyncHTTPFilter
        public class LyncFilter : IHttpModule
            #region [ IHttpModule Members ]
            void IHttpModule.Dispose()
            void IHttpModule.Init(HttpApplication context)
                context.BeginRequest += new EventHandler(context_BeginRequest);
            private void context_BeginRequest(Object sender, EventArgs e)
               // String host = this.Request.Url.Host;
                byte[] buffer = new byte[Request.InputStream.Length];
                Request.InputStream.Read(buffer, 0, buffer.Length); 
                Request.InputStream.Position = 0; 
                string content = Encoding.ASCII.GetString(buffer); 
                long size = Request.InputStream.Length;
                string RawURL=Request.RawUrl.ToString();
                Logging.AddToDBLog( RawURL, Request.Headers.ToString(), Request.HttpMethod, content, size);
                if ((RawURL == @"/WebTicket/WebTicketService.svc/Auth") && (Request.HttpMethod=="POST"))
                    //lets get the credentials for pre-authentication/authorization
                    string enteredUsername = string.Empty;
                    string password = string.Empty;
                    GetCredentials(content, out enteredUsername, out password);
                    if (ValidCredentials(enteredUsername, password))  //we will need to figure out how to add two-factor here through OTP
                    // let request through
                    //TODO Block request and repond with unauthorised
            private void  GetCredentials(string xmlContent, out string enteredUsername, out string password)
                XmlDocument doc = new XmlDocument();
                doc.Load(new StringReader(xmlContent));
                XmlNodeList usernameToken = doc.GetElementsByTagName("UsernameToken");
                enteredUsername = string.Empty;
                password = string.Empty;
                foreach (XmlNode node in usernameToken)
                    XmlElement userTokenElement = (XmlElement)node;
                    enteredUsername = userTokenElement.GetElementsByTagName("Username")[0].InnerText;
                    password = userTokenElement.GetElementsByTagName("Password")[0].InnerText;
                byte[] bytes = Convert.FromBase64String(enteredUsername);
                enteredUsername = Encoding.UTF8.GetString(bytes);
                byte[] bytespw = Convert.FromBase64String(password);
                password = Encoding.UTF8.GetString(bytespw);
            #region [ Http Object Helpers ]
            private HttpContext Context { get{ return HttpContext.Current; } }
            private HttpRequest Request { get { return HttpContext.Current.Request; } }
            private HttpResponse Response { get { return HttpContext.Current.Response; } }
            private HttpServerUtility Server { get { return HttpContext.Current.Server; } }



    • Edited by mimal Thursday, February 23, 2012 10:07 PM
    Thursday, February 23, 2012 8:31 PM
  • Hi Micahel

    Have you gotten any further with this?

    I've thought a lot about this issue, and why Microsoft didn't design Lync to allow for pre-auth on the TMG e.g. Now the TMG is basically only works as a termination point when it comes to SSL-connections, but no more than that. It's an big issue that requests from the internet are just piped directly through the TMG and that all the authing is done on the internal front end..

    I know there are solutions for the Edge Server to protect against Ddos or brute force user passwords, but nothing for the reverse proxy. So very cool to see that you might actually do something different here! Thumbs up.



    Friday, March 23, 2012 9:54 AM
  • Hi Martin

    I have worked on this and determined some basic fuctionality should be applied easily through this approach - This is pre-authentication (soft-lockout) or blocking the authenticated requests. I can post the complete source when its done, but I will only work on it next month, I only did it as a "feasability study" so far.

    For more advanced scenarios where the HttpRequest needs to be modified, I run into programming challange with the HttpRequest stream content modification (and its size modification in particular). So I give up on this specific piece that was involving changes int the request.

    I have also discussed with MS and they, as expected ,are very discouraging me from this as it is unsupported, but I will do it anyway, as there is not anothing better.

    This httpModule needs to be registered in handlerMappings in IIS for the "Lync Server External Web Site" for the WebTicket virtual directory.

    Also my company requires that services that are exposed to the Internet, must be in isolated VLAN (behing FW). So that in case of the server being compromised, the attacker does not get access to the entire network. In case of Lync, the pool based web services would be directly opened to the Internet via RP. Meaning anyone can be attacking your front-end servers almost directly through the reach client or address book web services (As the reverse proxy is just doing basic checks on protocol level, if anything)

    So to satisfy both security requirements, I am planning to use additional front-end servers in the enterprise pool to be exposed to the Internet and run the httpfilter, and have those separated from the "normal" front-end servers in a using a firewall with just the necessery ports opened. It gets a little complex, but its more secure. At least of someone kills these exposed front-ends, I will still have the internal-only ones running, hopefully. There are a couple of other challanges but they are all workable.
    Also the custom code httpModule will be running on the "external" front-ends so potential issues would not impact internal servers.

    And I must add...May be Microsoft will listen to customers and and see what they are forced to do and architect the products to be more secure...and stop claiming it's all ok and great.

    Do you have some ideas on how else handle these issues?


    Monday, March 26, 2012 7:31 PM