Security Framework for SFB

  • Question

  • Which Security Framework for SFB? I know the following elements:

    ·  Active Directory Domain Services (AD DS) provides a single trusted back-end repository for user accounts and network resources.

    ·  Role-based access control (RBAC) enables you to delegate administrative tasks while maintaining high standards for security.

    ·  Public key infrastructure (PKI) uses certificates issued by trusted certification authorities (CAs) to authenticate servers and ensure data integrity.

    ·  Transport Layer Security (TLS), HTTPS over SSL (HTTPS), and mutual TLS (MTLS) enable endpoint authentication and IM encryption. Point-to-point audio, video, and application sharing streams are encrypted using Secure Real-Time Transport Protocol (SRTP).

    ·  Industry-standard protocols for user authentication, where possible.

    ·  Windows PowerShell provides security features that are enabled by default so that users cannot easily or unknowingly run scripts.

    In addition to these, what else can guarantee SFB security?

    Thursday, May 24, 2018 1:07 PM

Answers

  • Hi Allegations,

    Directors are most useful to enhance security in deployments that enable external user access. The Director can authenticate requests before sending them on to internal servers. In the case of a denial-of-service attack, the attack ends with the Director and does not reach the Front End servers.

    If you want to know more details about the Director, you could refer to this link.

    https://technet.microsoft.com/en-us/library/gg398908(v=ocs.15).aspx


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Friday, May 25, 2018 11:25 AM
  • Few more things to add.

    NAT.

    Skype for Business Server 2015 does not support the use of network address translation (NAT) on the internal interface of the Edge Server, but it does support placing the external interface of the Access Edge service, Web Conferencing Edge service, and A/V Edge service behind a router or firewall that performs network address translation (NAT) for both single and scaled consolidated Edge Server topologies. Multiple Edge Servers behind a hardware load balancer cannot use NAT. If multiple Edge Servers use NAT on their external interfaces, Domain Name System (DNS) load balancing is required. In turn, using DNS load balancing allows you to reduce the number of public IP addresses per Edge Server in an Edge Server pool.

    CMS Read only copies:

    In Skype for Business Server 2015, configuration data about servers and services is part of the Central Management store. The Central Management store provides a robust, schematized storage of the data needed to define, set up, maintain, administer, describe, and operate a Skype for Business Server deployment. It also validates the data to ensure configuration consistency. All changes to this configuration data happen at the Central Management store, eliminating "out-of-sync" issues.

    Read-only copies of the data are replicated to all servers in the topology, including Edge Servers and Survivable Branch Appliances. Replication is managed by a service that is, by default, run under the context of the Network service, reducing the rights and permissions to that of a simple user on the computer.

    More information:

    https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/security/key-security


    - Muralidharan. Please mark as answer/useful if my contribution helps you.

    • Marked as answer by Allegations Sunday, May 27, 2018 1:20 AM
    Friday, May 25, 2018 12:48 PM
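A verification script added here for the points in this answer (read-only CMS replicas, the replicator service running as Network Service) and for the RBAC item in the question; it is not code from the thread or from Microsoft's documentation. It assumes the Skype for Business Server Management Shell on a topology member with at least the CsViewOnlyAdministrator role, and the ActiveDirectory RSAT module for the last step.

```powershell
# Added example (not from the original thread). Assumes the Skype for Business
# Server Management Shell; the last step also needs the ActiveDirectory module.

# 1. CMS replication: every replica (Front End, Edge, SBA) should report UpToDate = True.
#    A stale replica is a server running on old configuration data.
$replicas = Get-CsManagementStoreReplicationStatus
$stale    = $replicas | Where-Object { -not $_.UpToDate }

$replicas | Select-Object ReplicaFqdn, UpToDate, LastStatusReport, LastUpdateCreation |
    Sort-Object UpToDate, ReplicaFqdn | Format-Table -AutoSize

if ($stale) {
    Write-Warning ("{0} replica(s) not up to date: {1}" -f $stale.Count, ($stale.ReplicaFqdn -join ', '))
} else {
    Write-Host "All $($replicas.Count) replicas are up to date." -ForegroundColor Green
}

# 2. Replica Replicator Agent on this server: the answer above says it runs as
#    Network Service by default, so any other account (e.g. a domain admin) is a
#    deviation from least privilege worth investigating. Matching on the display
#    name avoids hard-coding the service's short name (assumed to contain this text).
$agent = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Replica Replicator Agent%'"
if ($agent) {
    $agent | Select-Object Name, DisplayName, State, StartMode, StartName | Format-List
    if ($agent.StartName -ne 'NT AUTHORITY\NetworkService') {
        Write-Warning "Replicator agent runs as '$($agent.StartName)', not Network Service."
    }
} else {
    Write-Warning "No Replica Replicator Agent service found on this computer."
}

# 3. RBAC: each built-in role maps to an AD universal security group of the same
#    name. Listing their (recursive) membership shows who actually holds admin rights.
foreach ($role in 'CsAdministrator', 'CsServerAdministrator', 'CsUserAdministrator') {
    Write-Host "`nMembers of $role :" -ForegroundColor Cyan
    Get-ADGroupMember -Identity $role -Recursive |
        Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize
}
```

Run it periodically (or from a monitoring job) and alert on any stale replica, a non-default replicator account, or unexpected members in the Cs* groups.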

All replies

  • Hello Muralidharan,

    Thanks for your answer.

    Sunday, May 27, 2018 1:21 AM