Toggle navigationAirlock Secure Access HubAbout this documentAbout Airlock Gateway Release notesGetting startedGeneral warnings and recommendationsBasic conceptsREST API based configuration and administrationConfiguration Center (GUI)Configuration examples and guidesIntegration of 3rd-party products and applicationsControl APIHeader-based session trackingCSRF protection for SPAsICAP configurationJWKS providers configurationGraphQL integrationLet’s Encrypt as certificate providerThreat intelligenceMicrosoft integrationPublishing Microsoft Exchange 2016Requirements and limitationsAbout Microsoft ExchangeConfiguring Gateway for OutlookCreate an Airlock Gateway virtual host for Outlook Web AccessCreate an Airlock Gateway back-end group for Outlook Web AccessCreate an Airlock Gateway mapping for Outlook Web AccessActivate Airlock Gateway configurationConfigure authentication enforcement for Outlook Web AccessAvailable authentication methods for Outlook Web AccessConfigure Basic Authentication for Outlook Web AccessRestrict access to the Outlook Web Access mappingRedirect Outlook Web Access's logout request to Airlock IAMCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for Outlook Web AccessConfigure Airlock Gateway for Outlook AnywherePrepare Outlook Anywhere for Airlock Gateway integrationRPC over HTTP: Install proxy feature on Windows ServerConfigure external FQDN for Outlook AnywhereCreate an Airlock Gateway virtual host for Outlook AnywhereCreate an Airlock Gateway back-end group for Outlook AnywhereCreate multiple Airlock Gateway mappings for Outlook AnywhereConfigure to terminate TCP connections by TCP-RST packetsConfigure the Airlock Gateway HardChild timeoutVerify the number of security gate processesActivate Airlock Gateway configurationConfigure authentication enforcement for Outlook AnywhereAvailable authentication methods for Outlook AnywhereConfigure Basic Authentication for AutodiscoverConfigure Basic Authentication for Web servicesConfigure Basic Authentication for Offline addressbookConfigure Basic Authentication for Outlook AnywhereRestrict access to the Outlook Anywhere mappingCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for Outlook AnywhereConfigure Airlock IAM for AutodiscoverConfigure Airlock Gateway for ActiveSyncCreate an Airlock Gateway virtual host for ActiveSyncCreate an Airlock Gateway back-end group for ActiveSyncCreate multiple Airlock Gateway mappings for ActiveSyncVerify the number of security gate processesActivate Airlock Gateway configurationConfigure authentication enforcement for ActiveSyncAvailable authentication methods for ActiveSyncConfigure Basic Authentication for ActiveSyncConfigure Basic Authentication for AutodiscoverRestrict access to the ActiveSync mappingCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for ActiveSyncConfigure Airlock IAM for AutodiscoverTips for troubleshootingKB – Sufficient security processes availableKB – Does the back-end server accept Basic AuthenticationKB – Does Outlook Anywhere work properlyKB – Using the Exchange Management ShellKB – Information about MAPI over HTTPKB – Information about RPC over HTTPKB – Configure Exchange AutodiscoverPublishing Microsoft Exchange 2019Requirements and limitationsAbout Microsoft ExchangeConfigure Outlook on the WebCreate an Airlock Gateway virtual host for Outlook on the WebCreate an Airlock Gateway back-end group for Outlook on the WebCreate an Airlock Gateway mapping for Outlook on the WebActivate Airlock Gateway configurationConfigure authentication enforcement for Outlook on the WebAvailable authentication methods for Outlook on the WebConfigure Basic Authentication for Outlook on the WebRestrict access to the Outlook on the Web mappingRedirect Outlook on the Web's logout request to Airlock IAMCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for Outlook on the WebConfigure Airlock Gateway for Outlook AnywherePrepare Outlook Anywhere for Airlock Gateway integrationRPC over HTTP: Install proxy feature on Windows ServerConfigure external FQDN for Outlook AnywhereCreate an Airlock Gateway virtual host for Outlook AnywhereCreate an Airlock Gateway back-end group for Outlook AnywhereCreate multiple Airlock Gateway mappings for Outlook AnywhereConfigure to terminate TCP connections by TCP-RST packetsConfigure the Airlock Gateway HardChild timeoutVerify the number of security gate processesActivate Airlock Gateway configurationConfigure authentication enforcement for Outlook AnywhereAvailable authentication methods for Outlook AnywhereConfigure Basic Authentication for AutodiscoverConfigure Basic Authentication for Web servicesConfigure Basic Authentication for Offline addressbookConfigure Basic Authentication for Outlook AnywhereRestrict access to the Outlook Anywhere mappingCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for Outlook AnywhereConfigure Airlock IAM for AutodiscoverConfigure Airlock Gateway for ActiveSyncCreate an Airlock Gateway virtual host for ActiveSyncCreate an Airlock Gateway back-end group for ActiveSyncCreate multiple Airlock Gateway mappings for ActiveSyncVerify the number of security gate processesActivate Airlock Gateway configurationConfigure authentication enforcement for ActiveSyncAvailable authentication methods for ActiveSyncConfigure Basic Authentication for ActiveSyncConfigure Basic Authentication for AutodiscoverRestrict access to the ActiveSync mappingCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for ActiveSyncConfigure Airlock IAM for AutodiscoverTips for troubleshootingKB – Sufficient security processes availableKB – Does the back-end server accept Basic AuthenticationKB – Does Outlook Anywhere work properlyKB – Using the Exchange Management ShellKB – Information about MAPI over HTTPKB – Information about RPC over HTTPKB – Configure Exchange AutodiscoverPublishing Microsoft SharePoint 2016Requirements and limitationsAbout Microsoft SharePointPrepare SharePoint for Airlock Gateway integrationExtend web applicationConfigure Alternate Access Mappings in SharePointConfigure Airlock Gateway for SharePointCreate an Airlock Gateway virtual host for SharePointCreate an Airlock Gateway back-end group for SharePointCreate an Airlock Gateway mapping for SharePointActivate Airlock Gateway configurationConfigure authentication enforcement for SharePointAvailable authentication methods for SharePointConfigure Basic Authentication in SharePointRestrict access to the SharePoint mappingRedirect SharePoints logout request to Airlock IAMCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for SharePointSingle Sign-On experience for Microsoft Office applicationsConfigure Airlock Secure Session TransferConfigure the Airlock Gateway session cookie persistentlyTips for troubleshootingKB – Does the back-end server accept Basic AuthenticationPublishing Microsoft SharePoint 2019Requirements and limitationsAbout Microsoft SharePointPrepare SharePoint for Airlock Gateway integrationExtend web applicationConfigure Alternate Access Mappings in SharePointConfigure Airlock Gateway for SharePointCreate an Airlock Gateway virtual host for SharePointCreate an Airlock Gateway back-end group for SharePointCreate an Airlock Gateway mapping for SharePointActivate Airlock Gateway configurationConfigure authentication enforcement for SharePointAvailable authentication methods for SharePointConfigure Basic Authentication in SharePointRestrict access to the SharePoint mappingRedirect SharePoints logout request to Airlock IAMCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for SharePointSingle Sign-On experience for Microsoft Office applicationsConfigure Airlock Secure Session TransferConfigure the Airlock Gateway session cookie persistentlyTips for troubleshootingKB – Does the back-end server accept Basic AuthenticationPublishing Microsoft WebDAVRequirements and limitationsAbout WebDAVPrepare WebDAV for Airlock Gateway integrationInstall WebDAV features on Windows ServerEnable WebDAV and add authoring ruleConfigure Airlock Gateway for WebDAVCreate an Airlock Gateway virtual host for WebDAVCreate an Airlock Gateway back-end group for WebDAVCreate an Airlock Gateway mapping for WebDAVActivate Airlock Gateway configurationConfigure authentication enforcement for WebDAVAvailable authentication methods for WebDAVConfigure Basic Authentication in Microsoft IIS for WebDAVRestrict access to the WebDAV mappingCreate an Airlock Gateway back-end group for Airlock IAMCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationConfigure Airlock IAM for WebDAVTips for troubleshootingKB – Installing and Configuring WebDAV on IISKB – Installing Desktop Experience on Windows serverKB – Troubleshooting the WebDAV redirectorKB – Does WebDAV work properlyKB – Does the back-end server accept Basic AuthenticationKerberos integrationRequirementsAbout Back-side Kerberos SSOOverviewConceptExampleSingle domain setupLimitationsPrepare Kerberos for Airlock Gateway integrationEnable Kerberos authenticationEnable Kerberos authentication in IIS 10.0Enable Kerberos authentication in IIS 8.5Enable Kerberos authentication in IIS 7.5Enable Kerberos authentication in IIS 6.0Register SPNRegister SPN for the service userDisable Kernel-mode authenticationDisable Kernel-mode authentication in IIS 10.0Disable Kernel-mode authentication in IIS 8.5Disable Kernel-mode authentication in IIS 7.5Register SPN for the machine accountMitigate the risk of broken authenticationKeepAlive configuration for back-end connectionsDisable authPersistNonNTLM in IIS 10.0Disable authPersistNonNTLM in IIS 8.5Disable authPersistNonNTLM in IIS 7.5Active Directory configurationSystem user for Kerberos constrained delegationCreate a system userEnable Kerberos constrained delegation for the system userAllow Kerberos constrained delegation in a single domain setupAirlock Gateway configurationCreate a Kerberos EnvironmentRestrict access to the Web application's mappingConfigure Kerberos Environment for the back-end groupCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationAirlock IAM configurationConfigure Airlock IAM for Web application'sCross-domain setupLimitationsPrepare Kerberos for Airlock Gateway integrationEnable Kerberos authenticationEnable Kerberos authentication in IIS 10.0Enable Kerberos authentication in IIS 8.5Enable Kerberos authentication in IIS 7.5Enable Kerberos authentication in IIS 6.0Register SPNRegister SPN for the service userDisable Kernel-mode authenticationDisable Kernel-mode authentication in IIS 10.0Disable Kernel-mode authentication in IIS 8.5Disable Kernel-mode authentication in IIS 7.5Register SPN for the machine accountMitigate the risk of broken authenticationKeepAlive configuration for back-end connectionsDisable authPersistNonNTLM in IIS 10.0Disable authPersistNonNTLM in IIS 8.5Disable authPersistNonNTLM in IIS 7.5Active Directory configurationSystem user for Kerberos constrained delegationCreate a system userEnable Kerberos constrained delegation for the system userAllow Kerberos constrained delegation in a cross-domain setupAirlock Gateway configurationCreate a Kerberos EnvironmentRestrict access to the Web application's mappingConfigure Kerberos Environment for the back-end groupCreate an Airlock Gateway mapping for Airlock IAMActivate Airlock Gateway configurationAirlock IAM configurationConfigure Airlock IAM for Web application'sAdvanced SetupBack-end Failover / Load BalancingSame Host Header / SPNDifferent Host Header / SPNTips for troubleshootingKB - Verify the Airlock Gateway license for Back-side Kerberos SSOKB - Verify the domain and forest functional levelKB - The delegation tab is not availableKB - Access the back-end server directlyKB - Look for Kerberos log messagesKB - Inspect the Airlock Gateway sessionKB - Verify Host Header sent corresponds to the IIS configurationKB - Does the back-end server accept KerberosKB - Verify the Back-side Kerberos SSO SetupKB - Verify time synchronizationKB - Delayed response from configured domain controllersKB - Broken authentication in back-endKB - Verify the DNS configuration for Back-side Kerberos SSOKB - Network analysis for Back-side Kerberos SSOKB - How to enable Kerberos event loggingOperation tasksReference documentationExpert settings collectionTips for troubleshootingIntegration of 3rd-party products and applicationsMicrosoft integrationMicrosoft integrationThis chapter contains documentation integration guides for various Microsoft products.Publishing Microsoft Exchange 2016Publishing Microsoft Exchange 2019Publishing Microsoft SharePoint 2016Publishing Microsoft SharePoint 2019Publishing Microsoft WebDAVKerberos integration
Publishing Microsoft Exchange 2016Publishing Microsoft Exchange 2019Publishing Microsoft SharePoint 2016Publishing Microsoft SharePoint 2019Publishing Microsoft WebDAVKerberos integration