ECP Throttling

ECP throttling identifies duplicate ECP requests and stops them from being sent to the AD server for authentication, which prevents the user's AD account from being locked out.

For example, a user changes the AD password, but a device that uses ECP to access mail or another service from the Service Provider (O365) has not been updated with the new password. That device keeps sending ECP requests with the old password.

The AD authentication fails and the IDP (Ivanti Connect Secure) gets flooded with ECP requests containing the old password. Because all of these requests are sent to AD, the AD server locks the user account once the configured number of wrong password attempts is exceeded.

As a result of the AD account lockout, all other services are also affected. To avoid this, the admin can enable ECP throttling on the IDP (PCS), which prevents duplicate password credentials from being sent to AD and so keeps the user from being locked out.

The IDP (PCS) also maintains a table of such blocked ECP requests. In case of a brute force attack, the AD account is still locked, so the IDP (PCS) ensures that such brute force attacks are captured and the user is blocked.

Enabling ECP Throttling

To enable ECP throttling:

1. Select System > Cloud secure > Cloud Secure Configuration > Applications.

2. Click Office 365.

3. Under Enhanced Client or Proxy Profile (ECP) Settings, enable Detect duplicate ECP requests.

4. Enter the threshold limit for the user. This specifies the maximum number of duplicate ECP requests that can be blocked for a user. For example, if a user has n devices all sending the same old password (for example, pass1), then this is considered as one duplicate ECP request.
Similarly, if there are n devices and one of the devices is continuously sending a wrong password (for example, pass2) while the other devices are sending another wrong password (pass1), then this is considered as 2 duplicate ECP requests.

5. Enter the blocking time in minutes. After repeated failed login attempts, the user is blocked for the specified amount of time.
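
The counting rule in step 4 and the brute force case described earlier, as an added example that is not Ivanti's code: a simplified Python model in which the IDP remembers each failed password per user and stops repeats before they reach AD. The FakeAD class, its lockout limit of 5, the user name, the sample passwords, and the reading of the threshold as a cap on remembered wrong passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

class FakeAD:
    """Constructed stand-in for AD: locks the account after N bad passwords."""
    def __init__(self, password, lockout_after=5):
        self.password, self.lockout_after = password, lockout_after
        self.bad, self.locked = 0, False
    def check(self, password):
        if self.locked:
            return False
        if password == self.password:
            self.bad = 0
            return True
        self.bad += 1
        self.locked = self.bad >= self.lockout_after
        return False

class EcpThrottle:
    """Assumed model: remember failed passwords per user, drop repeats at the IDP."""
    def __init__(self, ad, threshold, block_minutes):
        self.ad, self.threshold = ad, threshold
        self.block_seconds = block_minutes * 60
        self.key = os.urandom(32)   # keyed fingerprint, so no password is stored
        self.table = {}             # user -> {fingerprint: blocked_until}
        self.blocked = 0            # requests stopped before reaching AD
    def handle(self, user, password, now):
        entries = self.table.setdefault(user, {})
        for fp in [f for f, until in entries.items() if until <= now]:
            del entries[fp]         # blocking time elapsed
        fp = hmac.new(self.key, f"{user}\0{password}".encode(), hashlib.sha256).digest()
        if fp in entries:           # same wrong password again: a duplicate
            self.blocked += 1
            return "blocked"
        if self.ad.check(password):
            return "ok"
        if len(entries) < self.threshold:   # assumed meaning of the threshold
            entries[fp] = now + self.block_seconds
        return "ad_failed"

def simulate(passwords, threshold=3, block_minutes=30):
    """Replay constructed requests 1 s apart; return (AD failures, AD locked, blocked at IDP)."""
    ad = FakeAD("new-pass")
    idp = EcpThrottle(ad, threshold, block_minutes)
    for t, pw in enumerate(passwords):
        idp.handle("alice", pw, now=t)
    return ad.bad, ad.locked, idp.blocked

stale = ["pass1"] * 20                      # n devices retrying one old password
mixed = ["pass1", "pass2"] * 10             # two different wrong passwords
guesses = [f"guess{i}" for i in range(10)]  # every request is a new password
```

In this model, `simulate(stale)` costs the account one AD failure and `simulate(mixed)` two, while `simulate(guesses)` is never deduplicated and still reaches the AD lockout limit.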

Viewing Blocked ECP users

This report shows all the blocked ECP requests, which can be used to determine whether the blocked requests are due to a brute force attack or to duplicate password requests.

It also gives information on the device from which the request was received, so that the user can be notified to change the password on that device.

The admin also has an option to unblock the user from the blocked ECP requests page. This option is very useful if the password entered in the device is new but AD failed to sync the new password because of a time synchronization issue.

1. Select Reports > Blocked Users Report to view the blocked ECP users.

The following table describes the columns in the Cloud Secure blocked ECP users report.

Column                     Description
-------------------------  ------------------------------------------------------------
User Name                  Specifies the name of the user accessing the cloud application.
Blocked Since              Specifies the day, month, date, time and year since which the user has been blocked.
Most Recent Request Time   Specifies the most recent request time.
Request Count              Specifies the number of requests.
Blocked till               Specifies the time until which the user is blocked.
Recent ECP Request from    Specifies the device details from which the request originated.
Realm                      Displays the user realm for the blocked user.