Configuring authentication enforcement for Outlook Anywhere

If Airlock Gateway is not used for authentication enforcement, this chapter can be skipped.

Why authentication enforcement should be configured

Airlock Gateway has the ability to protect back-end applications from unauthorized access. This functionality is called authentication enforcement. For this purpose, Airlock Gateway is used in combination with Airlock IAM. Airlock Gateway makes sure that users are authenticated against Airlock IAM and then performs a sign-in on their behalf on the back-end application.

The following sections describe how authentication enforcement is configured for Outlook Anywhere. The sections illustrate a setup that uses Basic Authentication to propagate user identities from Airlock Gateway to the back-end application (this is called Identity Propagation).

If different authentication mechanisms are used, adapt the settings mentioned accordingly. This applies to Airlock Gateway, Airlock IAM and/or the back-end server.

Depending on the scope of the current Airlock Gateway or IAM license, it may also be necessary to upgrade or change the licensing for new authentication features, e.g. for back-side Kerberos SSO, front-side Kerberos, etc.

Included steps:

  1. Configuring Basic Authentication.
  2. Restricting access to the Outlook Anywhere mapping.
  3. Creating an Airlock Gateway back-end group for Airlock IAM.
  4. Creating an Airlock Gateway mapping for Airlock IAM.
  5. Activating the authentication enforcement configuration in Airlock Gateway.
  6. Configuring Airlock IAM for Outlook Anywhere and Autodiscover.

Chapter-related prerequisites

  • Configuration takes place in the Airlock Gateway Configuration Center.
  • You must be logged in as admin.
  • The configuration of Airlock Gateway for Outlook Anywhere must already have been carried out (see also Configuring Airlock Gateway for Outlook Anywhere).

Configuring Basic Authentication

Outlook Anywhere can be configured with different authentication methods.

Possible authentication methods are:

  • Basic Authentication
  • NTLM
  • Kerberos

This section explains how to enable Basic Authentication for Outlook Anywhere and the components Autodiscover, Exchange Web Services (EWS) and the Offline Address Book (OAB).

Procedure-related prerequisites:

  • This configuration takes place on the Exchange server hosting Outlook Anywhere.
  • You need to run the commands with administrative permissions.

Proceed as follows:

  1. Open the Exchange Management Shell via Run as administrator.
  2. Run the following commands:

Enabling Basic Authentication for Autodiscover

# List all Autodiscover virtual directories
Get-AutodiscoverVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-AutodiscoverVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication
Set-AutodiscoverVirtualDirectory `
  -Identity "Autodiscover (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Enabling Basic Authentication for Exchange Web Services (EWS)

# List all WebServices virtual directories
Get-WebServicesVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-WebServicesVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication
Set-WebServicesVirtualDirectory `
  -Identity "EWS (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Enabling Basic Authentication for the Offline Address Book (OAB)

# List all OAB virtual directories
Get-OabVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-OabVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication
Set-OabVirtualDirectory `
  -Identity "OAB (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Enabling Basic Authentication for Outlook Anywhere

# List the Outlook Anywhere configuration (Rpc virtual directory)
Get-OutlookAnywhere

# Find out whether Basic Authentication is enabled
Get-OutlookAnywhere | `
  fl InternalClientAuthenticationMethod, `
  ExternalClientAuthenticationMethod, `
  IISAuthenticationMethods

# Enable Basic Authentication
# (no trailing whitespace after the backticks, otherwise the line continuation breaks)
Set-OutlookAnywhere `
  -Identity "Rpc (Default Web Site)" `
  -InternalClientAuthenticationMethod Basic `
  -ExternalClientAuthenticationMethod Basic `
  -IISAuthenticationMethods Basic, Ntlm, Negotiate

# List all MAPI virtual directories
Get-MapiVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-MapiVirtualDirectory | `
  fl IISAuthenticationMethods

# Enable Basic Authentication
Set-MapiVirtualDirectory `
  -Identity "mapi (Default Web Site)" `
  -IISAuthenticationMethods NTLM, Negotiate, Basic

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce
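The following script is an added example; it is not part of the Airlock documentation and not a Microsoft tool. It reports the Basic Authentication state of all the virtual directories configured above in a single pass, so the Exchange side can be verified before the Gateway-side configuration is activated. It assumes the same cmdlets and default identities as the commands above and runs in the Exchange Management Shell with administrative permissions.

```powershell
# Added example, not from the Airlock documentation: report the Basic Authentication
# state of every virtual directory configured above in a single pass.
# Run in the Exchange Management Shell with administrative permissions.

$results = @()

# Autodiscover, EWS and OAB expose a single BasicAuthentication flag.
$simpleDirs = @(Get-AutodiscoverVirtualDirectory) +
              @(Get-WebServicesVirtualDirectory) +
              @(Get-OabVirtualDirectory)
foreach ($vdir in $simpleDirs) {
    $results += [pscustomobject]@{
        Server   = $vdir.Server
        Identity = $vdir.Identity
        Check    = 'BasicAuthentication'
        Ok       = [bool]$vdir.BasicAuthentication
    }
}

# Outlook Anywhere needs Basic on both client-facing methods and in the IIS method list.
foreach ($oa in Get-OutlookAnywhere) {
    $results += [pscustomobject]@{
        Server   = $oa.Server
        Identity = $oa.Identity
        Check    = 'OutlookAnywhere'
        Ok       = ($oa.InternalClientAuthenticationMethod -eq 'Basic') -and
                   ($oa.ExternalClientAuthenticationMethod -eq 'Basic') -and
                   ($oa.IISAuthenticationMethods -contains 'Basic')
    }
}

# MAPI over HTTP only carries Basic in its IIS method list.
foreach ($mapi in Get-MapiVirtualDirectory) {
    $results += [pscustomobject]@{
        Server   = $mapi.Server
        Identity = $mapi.Identity
        Check    = 'IISAuthenticationMethods'
        Ok       = ($mapi.IISAuthenticationMethods -contains 'Basic')
    }
}

$results | Format-Table Server, Identity, Check, Ok -AutoSize

# Fail loudly if any entry still lacks Basic, so the Gateway is not activated
# against a back-end that will reject the propagated credentials.
$missing = @($results | Where-Object { -not $_.Ok })
if ($missing.Count -gt 0) {
    Write-Warning "Basic Authentication is not enabled on $($missing.Count) of $($results.Count) checked entries."
    $missing | ForEach-Object { Write-Warning "  $($_.Identity): $($_.Check)" }
    exit 1
}
Write-Output "Basic Authentication is enabled on all $($results.Count) checked entries."
```

Basic Authentication only base64-encodes the credentials that Airlock Gateway propagates to the back-end, so the connection from the Gateway to Exchange carrying them must be HTTPS, and Basic should stay disabled on any virtual directory that is not reachable through the Gateway mapping.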

Restricting access to the Outlook Anywhere mapping

To secure the back-end server, restrict the Outlook Anywhere mapping to authenticated users only. This section explains how to configure this:

  1. In the Airlock Gateway Configuration Center, go to: Application Firewall >> Reverse Proxy.
  2. Edit the mappings listed below according to the instructions following the list:
    • Exchange Autodiscover
    • Exchange EWS
    • Exchange MAPI
    • Exchange OAB
    • Exchange Outlook Anywhere
  3. Change to the Access tab.
  4. Under Access restrictions >> Restricted to Roles, enter the exchange role. This role is set by Airlock IAM after successful authentication.
  5. Select the Authentication flow One-Shot.
  6. Configure Denied access URL to /auth/login-oneshot.
  7. Under Credential Propagation >> SSO credential propagation, select Basic-Auth.
  8. Enable the checkbox Credential mandatory.

Creating an Airlock Gateway back-end group for Airlock IAM

If an Airlock IAM back-end group already exists, this section can be skipped.

To create an Airlock Gateway back-end group for Airlock IAM, proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Back-end Group column.
  2. Enter a self-documenting name for Back-end Group Name.
  3. Set the following values:
    • Protocol: https
    • Back-end Host: iam.int.virtinc.com
    • Port: 8443
  4. The back-end group has been created.

Creating an Airlock Gateway mapping for Airlock IAM

Next, create an Airlock Gateway mapping for Airlock IAM.

If an Airlock IAM mapping already exists, check that the existing mapping is connected to the corresponding virtual host. If yes, skip the following steps.

Procedure-related prerequisites:

  • The previously described configuration steps must have been carried out.

Proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Mapping column.
  2. Choose New from template >> Airlock IAM. Choose a template that matches your Airlock IAM release version and import it.
  3. A new mapping based upon the template has been created.
  4. Go to: Application Firewall >> Reverse Proxy.
  5. Connect the new Airlock IAM mapping with the corresponding virtual host, which is exchange.ext.virtinc.com.
  6. Connect the new Airlock IAM mapping to the corresponding back-end group.
  7. The mapping has been established.

Activating authentication enforcement in Airlock Gateway

You can now activate the configuration of the authentication enforcement in Airlock Gateway. Proceed as follows:

  1. Click the Activate button on top of the main menu of the Configuration Center.
  2. The configuration has been updated successfully.

Configuring Airlock IAM for Outlook Anywhere/Autodiscover

Next, configure Airlock IAM to authenticate the user and propagate the user's identity with Basic Authentication. You have to do this both for Outlook Anywhere and for Autodiscover.

Procedure-related prerequisites:

  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Proceed as follows:

  1. In the Airlock IAM Config Editor, go to: Login Application >> Authentication >> HTTP Request Authentication (One-Shot, REST).
  2. Configure an HTTP Request Authentication (using Gateway One-Shot Flow) plugin.
  3. Add a Target Application for Outlook Anywhere / Autodiscover.
  4. Configure the Basic Auth HTTP Header Extractor as Credential Extractor.
  5. Configure the correct Authenticator plugin as Authenticator.
  6. Configure the Basic Auth Error Mapper as Failure Responses.
  7. Configure an HTTP Basic Auth Identity Propagator (requires Gateway) as Identity Propagator.
  8. Enter a URL Pattern that matches the external URL:
    • Outlook Anywhere: https://exchange\.ext\.virtinc\.com/(rpc|mapi|ews|oab).*
    • Autodiscover: https://exchange\.ext\.virtinc\.com/autodiscover.*
  9. Under Identity Propagation and Authorization, configure the Airlock Credentials.
    • Airlock Credentials: exchange
  10. Click the Activate button.
  11. The configuration has been updated successfully.
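Before activating, it is worth exercising the two URL Patterns from the Target Application configuration against the URLs the clients will actually send. The following PowerShell snippet is an added example, not Airlock code: it tests both patterns against constructed sample URLs. Anchoring the pattern at both ends and the choice between case-sensitive and case-insensitive matching are assumptions made for the test, because this page does not state how Airlock IAM applies a URL Pattern; confirm both against the IAM documentation for the release in use.

```powershell
# Added example, not Airlock code: exercise the URL Patterns from the Target
# Application configuration against constructed sample URLs. Anchoring ('^...$')
# and case sensitivity are assumptions about how Airlock IAM matches.

$patterns = @{
    'Outlook Anywhere' = 'https://exchange\.ext\.virtinc\.com/(rpc|mapi|ews|oab).*'
    'Autodiscover'     = 'https://exchange\.ext\.virtinc\.com/autodiscover.*'
}

function Test-UrlPattern {
    param(
        [Parameter(Mandatory)][hashtable]$Patterns,
        [Parameter(Mandatory)][string]$Url,
        [switch]$CaseSensitive
    )
    # Returns the names of all target applications whose pattern matches the URL.
    $hits = foreach ($name in $Patterns.Keys) {
        $anchored = '^' + $Patterns[$name] + '$'
        $matched = if ($CaseSensitive) { $Url -cmatch $anchored } else { $Url -match $anchored }
        if ($matched) { $name }
    }
    return @($hits)
}

# Constructed sample URLs with the target application each should resolve to;
# $null means the URL must match neither pattern.
$samples = @(
    @{ Url = 'https://exchange.ext.virtinc.com/rpc/rpcproxy.dll';              Expect = 'Outlook Anywhere' }
    @{ Url = 'https://exchange.ext.virtinc.com/mapi/emsmdb/';                  Expect = 'Outlook Anywhere' }
    @{ Url = 'https://exchange.ext.virtinc.com/ews/exchange.asmx';             Expect = 'Outlook Anywhere' }
    @{ Url = 'https://exchange.ext.virtinc.com/oab/';                          Expect = 'Outlook Anywhere' }
    @{ Url = 'https://exchange.ext.virtinc.com/autodiscover/autodiscover.xml'; Expect = 'Autodiscover' }
    @{ Url = 'https://exchange-ext.virtinc.com/rpc/';                          Expect = $null }   # escaped dots: a lookalike host must not match
    @{ Url = 'http://exchange.ext.virtinc.com/rpc/';                           Expect = $null }   # plain http is not covered
    @{ Url = 'https://exchange.ext.virtinc.com/owa/';                          Expect = $null }   # OWA is not part of this setup
)

$failures = 0
foreach ($s in $samples) {
    $hits   = @(Test-UrlPattern -Patterns $patterns -Url $s.Url)
    $actual = if ($hits.Count -gt 0) { $hits -join ',' } else { $null }
    $ok     = ($actual -eq $s.Expect)
    if (-not $ok) { $failures++ }
    $shown  = if ($actual) { $actual } else { '(none)' }
    '{0,-4} {1,-18} {2}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $shown, $s.Url
}

# Outlook may send mixed-case paths such as /EWS/Exchange.asmx. Under case-sensitive
# matching these fall outside the lowercase pattern, so check that case explicitly.
$mixedCase = 'https://exchange.ext.virtinc.com/EWS/Exchange.asmx'
$cs = @(Test-UrlPattern -Patterns $patterns -Url $mixedCase -CaseSensitive)
if ($cs.Count -eq 0) {
    Write-Warning "$mixedCase does not match under case-sensitive matching; extend the pattern if IAM matches case-sensitively."
}

if ($failures -gt 0) { Write-Warning "$failures sample URL(s) did not resolve as expected."; exit 1 }
Write-Output "All sample URLs resolved to the expected target application."
```

A URL that matches neither pattern is not assigned to a Target Application, so requests for such paths never receive the propagated Basic credentials; the sample list is therefore the place to add every path the deployed clients are known to request.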