If Airlock Gateway is not used for authentication enforcement, this chapter can be skipped.
Why authentication enforcement should be configured
Airlock Gateway can protect back-end applications from unauthorized access. This functionality is called authentication enforcement. For this purpose, Airlock Gateway is used in combination with Airlock IAM: Airlock Gateway ensures that users are authenticated against Airlock IAM and then performs a sign-in on their behalf on the back-end application.
The following sections describe how authentication enforcement is configured for Outlook Anywhere. The sections illustrate a setup that uses Basic Authentication to propagate user identities from Airlock Gateway to the back-end application (this is called Identity Propagation).
If different authentication mechanisms are used, adapt the settings mentioned here accordingly. This applies to Airlock Gateway, Airlock IAM and/or the back-end server.
Depending on the scope of the current Airlock Gateway or IAM license, it could also be required to upgrade or change the licensing for new authentication features, e.g. for back-side Kerberos SSO, front-side Kerberos, etc.
Included steps:
- Configuring Basic Authentication.
- Restricting access to the Outlook Anywhere mapping.
- Creating an Airlock Gateway back-end group for Airlock IAM.
- Creating an Airlock Gateway mapping for Airlock IAM.
- Activating the authentication enforcement configuration in Airlock Gateway.
- Configuring Airlock IAM for Outlook Anywhere and Autodiscover.
Chapter-related prerequisites
- Configuration takes place in the Airlock Gateway Configuration Center.
- You must be logged in as admin.
- The configuration of Airlock Gateway for Outlook Anywhere must already have been carried out (see also Configuring Airlock Gateway for Outlook Anywhere).
Configuring Basic Authentication
Outlook Anywhere can be configured with different authentication methods.
Possible authentication methods are:
- Basic Authentication
- NTLM
- Kerberos
This section explains how to enable Basic Authentication for Outlook Anywhere and the components Autodiscover, Exchange Web Services (EWS) and the Offline Address Book (OAB).
Procedure-related prerequisites:
- This configuration takes place in Outlook Anywhere.
- You need to run the commands with administrative permissions.
Proceed as follows:
- Open the Exchange Management Shell via Run as administrator.
- Run the following commands:
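As an added example that is not part of this page, the following Exchange Management Shell commands enable Basic Authentication on the Outlook Anywhere, Autodiscover, EWS and OAB endpoints and then read the settings back for verification. Configuring only the local server ($env:COMPUTERNAME) and keeping any IIS authentication methods that are already enabled are assumptions of the example; adapt them to your environment.

```powershell
# Added example (not from the page): enable Basic Authentication for
# Outlook Anywhere, Autodiscover, EWS and OAB on the local Exchange server.
# Run in the Exchange Management Shell started via "Run as administrator".
$Server = $env:COMPUTERNAME   # assumption: configure the local server only

# Outlook Anywhere (RPC over HTTP): external clients must use Basic, because
# Airlock IAM propagates the user identity with a Basic Authorization header.
foreach ($oa in Get-OutlookAnywhere -Server $Server) {
    # Keep IIS methods that are already enabled (e.g. NTLM for internal
    # clients) and make sure Basic is among them.
    $iisMethods = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" }) + 'Basic' |
        Select-Object -Unique
    Set-OutlookAnywhere -Identity $oa.Identity `
        -ExternalClientAuthenticationMethod Basic `
        -IISAuthenticationMethods $iisMethods
}

# Autodiscover, EWS and OAB virtual directories: enable Basic Authentication.
Get-AutodiscoverVirtualDirectory -Server $Server |
    Set-AutodiscoverVirtualDirectory -BasicAuthentication $true
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -BasicAuthentication $true
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -BasicAuthentication $true

# Verification: every endpoint should now report Basic as enabled.
Get-OutlookAnywhere -Server $Server |
    Format-List Identity, ExternalClientAuthenticationMethod, IISAuthenticationMethods
Get-AutodiscoverVirtualDirectory -Server $Server |
    Format-List Identity, BasicAuthentication
Get-WebServicesVirtualDirectory -Server $Server |
    Format-List Identity, BasicAuthentication
Get-OabVirtualDirectory -Server $Server |
    Format-List Identity, BasicAuthentication
```

Basic Authentication sends the propagated credentials in clear text inside the HTTP header, so the back-end connection from Airlock Gateway (the https back-end group configured later in this chapter) must be TLS-protected.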
Restricting access to the Outlook Anywhere mapping
To secure the back-end server, restrict the Outlook Anywhere mapping to authenticated users only. This section explains how to configure this:
- In the Airlock Gateway Configuration Center, go to: Application Firewall >> Reverse Proxy.
- Edit the mappings listed below according to the instructions following the list:
- Exchange Autodiscover
- Exchange EWS
- Exchange MAPI
- Exchange OAB
- Exchange Outlook Anywhere
- Change to the Access tab.
- Under Access restrictions >> Restricted to Roles, enter the role exchange. This role is set by Airlock IAM after successful authentication.
- Select the Authentication flow One-Shot.
- Configure Denied access URL to /auth/login-oneshot.
- Under Credential Propagation >> SSO credential propagation, select Basic-Auth.
- Enable the checkbox Credential mandatory.
Creating an Airlock Gateway back-end group for Airlock IAM
To create an Airlock Gateway back-end group for Airlock IAM, proceed as follows:
If an Airlock IAM back-end group already exists, this section can be skipped.
- Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Back-end Group column.
- Enter a self-documenting name for Back-end Group Name.
- Set the following values:
- Protocol: https
- Back-end Host: iam.int.virtinc.com
- Port: 8443
- The back-end group has been created.
Creating an Airlock Gateway mapping for Airlock IAM
Next, create an Airlock Gateway mapping for Airlock IAM.
If an Airlock IAM mapping already exists, check that the existing mapping is connected to the corresponding virtual host. If yes, skip the following steps.
Procedure-related prerequisites:
- The previously described configuration steps must have been carried out.
Proceed as follows:
- Go to: Application Firewall >> Reverse Proxy and click the + sign at the top of the Mapping column.
- Choose New from template >> Airlock IAM. Choose a template that matches your Airlock IAM release version and import it.
- A new mapping based upon the template has been created.
- Go to: Application Firewall >> Reverse Proxy.
- Connect the new Airlock IAM mapping with the corresponding virtual host, which is exchange.ext.virtinc.com.
- Connect the new Airlock IAM mapping to the corresponding back-end group.
- The mapping has been established.
Activating authentication enforcement in Airlock Gateway
You can now activate the configuration of the authentication enforcement in Airlock Gateway. Proceed as follows:
- Click the Activate button on top of the main menu of the Configuration Center.
- The configuration has been updated successfully.
Configuring Airlock IAM for Outlook Anywhere/Autodiscover
Next, configure Airlock IAM to authenticate the user and propagate their identity with Basic Authentication. This has to be done both for Outlook Anywhere and for Autodiscover.
Procedure-related prerequisites:
- You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.
Proceed as follows:
- In the Airlock IAM Config Editor, go to: Login Application >> Authentication >> HTTP Request Authentication (One-Shot, REST).
- Configure an HTTP Request Authentication (using Gateway One-Shot Flow) plugin.
- Add a Target Application for Outlook Anywhere / Autodiscover.
- Configure the Basic Auth HTTP Header Extractor as Credential Extractor.
- Configure the correct Authenticator plugin as Authenticator.
- Configure the Basic Auth Error Mapper as Failure Responses.
- Configure an HTTP Basic Auth Identity Propagator (requires Gateway) as Identity Propagator.
- Enter a URL Pattern that matches the external URL:
- Outlook Anywhere: https://exchange\.ext\.virtinc\.com/(rpc|mapi|ews|oab).*
- Autodiscover: https://exchange\.ext\.virtinc\.com/autodiscover.*
- Under Identity Propagation and Authorization, configure the Airlock Credentials.
- Airlock Credentials: exchange
- Click the Activate button.
- The configuration has been updated successfully.
Further information and links
Internal links:
- Configuring Airlock Gateway for Outlook Anywhere