
SfB Server Now Supports Blocking NTLM Externally

I am happy to announce that with CU7 for SfB Server 2015, we have added the ability to block external NTLM traffic. Combined with Certificate Based Authentication (CBA), this lets you protect your SfB servers from external DoS attacks that rely on username/password sign-in attempts. Let me explain.

SfB Server allows the following protocols, all of which accept a username and password: NTLM, Forms Based Auth and Modern Authentication. To combat the DoS attacks, you have to shut down every external path that accepts a username/password. With the new Get-CsAuthConfig and Set-CsAuthConfig cmdlets in CU7, you can shut down NTLM and Forms Based Auth externally. Then you configure your servers to accept only Certificate Based Auth externally. (NOTE: You need Modern Authentication to use CBA.) Now all the username/password doors are shut, and your users use CBA to get in externally.

Here is an article that explains the details: Turn off Legacy authentication methods internally and externally to your network.

4 Comments
Super Contributor

We used this to disable basic auth externally a few weeks ago in SfB Server 2015.  I noticed that FBA login on the dial in PIN page still works externally, outside of modern auth.  According to the documentation, this should be disabled.  Has anyone else tested?  Is there a step missing in the documentation?

Microsoft

Hi David, FBA login should definitely not be working.  Can you open a support case for this with logs, etc.  so that we can investigate?

Super Contributor

I have, thank you.  I was hoping to see if it was something unique with my environment or a bug.  My suspicion is there is a step missing in the documentation.  I'm sure we will get it working!

Super Contributor

I just discovered that BlockWindowsAuthExternally also disables the ability for both internal and external users to sign in to the Skype Meetings App.  The link to sign in is gone in both scenarios.