For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GUIZ49_261118's avatar
GUIZ49_261118
Icon for Nimbostratus rankNimbostratus
Jun 25, 2016

mitigation of brute force attacks using ASM for lync autodiscover

Hi we do use LTM as reverse proxy to publish lync autodiscover service externally. however it cause a security issue as any person can download lync mobile client and cause account lockout after mult...
ASM Advanced WAF
devops
LTM
security
Chris_Grant's avatar
Chris_Grant
Icon for Employee rankEmployee
Jun 27, 2016

You might be able to do this, but the general consensus from most of my colleagues is that this is generally a bad idea. Lync is only partially HTTP and the ASM will simply refuse to pass any traffic that is not RFC compliant HTTP traffic. You might be able to protect the authentication, but you will still need an iRule to disconnect the ASM once that's done.

 

Also be aware that our Brute Force protection protects a specific URL, so you will need to know which page Lync is trying to hit for authentication.