microsoft-exchange-security-solution-guid

7/29/2019 microsoft-exchange-security-solution-guid

1/10

Deploying a service-oriented

perimeter or Microsot Exchange

F5 PARTNERSHIP SOLUTION GUIDE

F5 and MicrosotExchange Security Solutions


2/10

WHAT'S INSIDE

Pre-Authentication

Mobile Device Security

Web Application Security

3

5

7


3/10

Go Beyond Network

Firewalls to Protect

Microsot ExchangeBusiness need and user demand or access to email anytime, anywhere,

and rom any device has created challenges or IT departments to keep

this business-critical application secure, ast, available, and compliant.

Extending your security perimeter outward can improve security and

availability or Microsot Exchange email services published over the

Internet (Outlook Web App, Exchange ActiveSync, Outlook Anywhere,and Exchange Web Services). F5 Application Delivery Controllers

(ADCs) oer an ICSA Labs certied network and application rewall

solution that creates a service-oriented perimeter or Exchange. With

intelligent monitoring o trac, pre-authentication, and access control

or mobile devices, F5 helps you deploy highly available and secure

email services.


4/10

Avert threats beore they

reach the data center interior

Preventing invalid and potentially malicious trac rom entering your data center

can be challenging. Traditional network rewalls are designed to perorm a basic

level o ltering based on port, but are not designed to inspect and enorce highly

intelligent security policies using surrounding contextual knowledge about the

user, the application service being requested, or the device being used.

In act, SSL encrypted application trac needs to pass through the network

rewall and on to another device near or on an internal data center network

or terminationusually a hardware load balancer or even a specic application

server itsel. The challenge lies in enorcing eective security measures beore the

trac reaches the internal network when the inormation needed to make access

decisions is encrypted.

Relying on your servers to process the unnecessary and potentially malicious

requests wastes valuable resources, slows perormance, and leaves your business

vulnerable to attacks, so the next choice is the hardware load balancer.

Pre-Authentication

T H E C H A L L E N G E S

K E Y B E N E F I T S

Improve your security posture Ensure only authorized trac

reaches Exchange servers

Reduce cost to operate andmaintain security inrastructure

3


5/10

T H E S O L U T I O N

F5 BIG-IP Access Policy Manager (APM) extends your security perimeter so that threats

are eliminated beore they reach your data center. BIG-IP APM is certied by ICSA Labs as a

rewall device, but it is dierent rom traditional network rewalls because it can intelligently

inspect trac or inormation about users, devices, and applications to increase security.

For Microsot email services, including Outlook Web App (OWA), Exchange ActiveSync

(EAS), and Outlook Anywhere (OA), BIG-IP APM prevents invalid trac rom ever reaching

Exchange Server through pre-authentication, authorization, and device access control.

User credentials are cached by BIG-IP APM, which proxies connections to Windows Active

Directory and the Exchange Client Access server (CAS) array. These connections are made

up o a set o customized verications. For example, user name and password are used to

prove the authenticity o the user. This user account can then be used to determine whether

permissions are granted to access a given corporate resource such as Microsot Exchange.

Pre-authentication ensures that only authenticated and authorized trac reaches the internal

network where Exchange Client Access servers are located. Since only necessary trac enters

that network, processing load on servers is reduced, which helps their perormance.

Using BIG-IP APM Visual Policy Editor, a workfow-like access path can be designed with

orked logic and causal relationships to exactly represent corporate constraints or approved

access and customized responses or validation ailures. BIG-IP APM provides support

or dozens o types o queries out o the box, such as collecting dierent types o logon

inormation rom users and perorming queries into Microsot Active Directory to veriy

specic inormation about users, security group memberships, and prole settings.

After

MobileUsers

Client AccessServers

Hub MailboxServers

Attacker

Attacker

OWAOAEAS

EWS

BIG-IPLocal Traffic Manager

MobileUsers


Hub MailboxServers

ReverseProxy

Attacker

Attacker

OWAOA

EASEWS


Effective SecurityPerimeter on

Internal Network


Network Edge

BIG-IPAccess Policy Manager

Before


6/10

Provide secure access to email

rom mobile devices

The consumerization o IT and bring-your-own-device (BYOD) work policies have

created a huge increase in access to corporate email rom mobile devices. In

todays world, email must be accessible to known trusted devices as well as an

ever increasing assortment o unknown and untrusted devices.

According to a 2011 CIO.com report, network security breaches, possible loss o

customer enterprise data, potential thet o intellectual property, and diculty

meeting compliance requirements are among the top concerns IT departments

have about employees using personal devices or work.

MobileDeviceSecurity



Seamlessly support access tocorporate resources rom varioustypes o mobile devices

Implement advanced multi-actorauthentication

5


7/10

F5 BIG-IP Access Policy Manager (APM) provides a strategic point o control in

the data center, supporting a variety o approaches or granting or denying email

access to mobile devices. Building on its user authentication and authorization

capabilities, BIG-IP APM also supports the use o user and device security

certicates, Exchange ActiveSync User Policy settings, and other inormation stored

in Active Directory, as well as device inormation provided in the packet fow, suchas device type and device ID, to enorce multi-actor validation.

In Exchange Server, the Client Access server (CAS) role unctions as the access

point or all client trac, including mobile devices that use the Exchange

ActiveSync (EAS) protocol to access mailbox inormation over HTTPS. Using

BIG-IP APM, trac management decisions can be made and enorced at the

network perimeter on a group and or individual basis while still allowing or the

use o built-in Exchange security unctionality such as ActiveSync policies and

remote device wipe.

BIG-IP APM enables customers to enorce a customized security policy or

Exchange access by mobile devices using a fexible set o pre-dened actions

that represent their organizations requirements or access approvaleven rom

devices employees bring rom home.


After

MobileUsers


Hub MailboxServers

Attacker

Attacker

OWAOAEAS

EWS


MobileUsers


Hub MailboxServers

ReverseProxy

Attacker

Attacker

OWAOA

EASEWS



Internal Network


Network Edge

BIG-IPAccess Policy Manager

Before


8/10

Simpliy compliance and

protect sensitive data

Network-level attacks are highly visible and disruptive, but application-level attacks

are what threaten the core o a business. According to Gartner, 95 percent o

security investments are ocused on the network while 75 percent o attacks

happen at the application level. These attacks can leave sensitive datasuch as

employee records, condential inormation, intellectual property, and nancial

recordsvulnerable to thet.

In addition, resolving application-level breaches can be time-consuming and

expensive. According to a WhiteHat security report, the top 10 application

attacks are cross-site scripting, inormation leakage, content spoong, insucient

authorization, SQL injects, predictable resource location, session xation, cross-

site request orgery, insucient authentication, and HTTP response splitting. The

average time reported to resolve these vulnerabilities is 77 days. During those

weeks or months, a business must take down the application or risk its security

being compromised.

The prevalence o application-layer attacks against critical business applications

makes securing those applications and veriying compliance with security

and privacy regulations o paramount importance. Even those organizations

that employ dedicated sta to review compliance and the security posture o

applications preer deploying solutions that automatically and continually provide

compliance and reporting over manual human activity to achieve the same results.

WebApplicationSe

curity



Implement cost-eective PCIcompliance and reporting

Provide continual protectionand built-in remediation

Reduce OpEx by using theADC platorm

7


9/10

F5 BIG-IP Application Security Manager (ASM) oers advanced, built-in

security protection and remote auditing to help you comply with industry security

standards, including PCI DSS, HIPAA, Basel II, and SOX. The system can be

deployed in Learning mode and then switched to Enorcement, where it

provides continual protection.

The deployment, conguration, and operation o BIG-IP ASM delivers compliance

in a cost-eective waywithout requiring multiple appliances, application

changes, or rewrites. Detailed PCI reporting determines i PCI DSS compliance is

being met, and it guides you through the necessary steps to become compliant.



10/10

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com

L E A R N M O R E

To learn more about F5 solutions or Microsot,

please visit www.f5.com/microsoft.

Tech tips, discussion orums, ree samples,

and more can be ound on DevCentral,F5s global technical community, by visiting

devcentral.f5.com/microsoft.
http://www.f5.com/microsofthttp://localhost/var/www/apps/conversion/tmp/scratch_9/devcentral.f5.com/microsofthttp://localhost/var/www/apps/conversion/tmp/scratch_9/devcentral.f5.com/microsofthttp://www.f5.com/microsoft

Documents

microsoft-exchange-security-solution-guid