Configuring authentication enforcement for ActiveSync

If Airlock Gateway is not used for authentication enforcement, this chapter can be skipped.

Why authentication enforcement should be configured

Airlock Gateway can protect back-end applications from unauthorized access. This functionality is called authentication enforcement. For this purpose, Airlock Gateway is used in combination with Airlock IAM: Airlock Gateway makes sure that users are authenticated against Airlock IAM and performs a sign-in on their behalf on the back-end application.

The following sections describe how authentication enforcement is configured for ActiveSync. The sections illustrate a setup that uses Basic Authentication to propagate user identities from Airlock Gateway to the back-end application (this is called Identity Propagation).

If you use a different authentication mechanism, adapt the settings mentioned accordingly; this applies to Airlock Gateway, Airlock IAM and/or the back-end server.

Chapter-related warnings

Depending on the scope of the current Airlock Gateway or IAM license, it may also be necessary to upgrade or change the license for new authentication features, e.g. back-side Kerberos SSO or front-side Kerberos.

Included steps:

  1. Configuring Basic Authentication.
  2. Restricting access to the ActiveSync mapping.
  3. Creating an Airlock Gateway back-end group for Airlock IAM.
  4. Creating an Airlock Gateway mapping for Airlock IAM.
  5. Activating the authentication enforcement configuration in Airlock Gateway.
  6. Configuring Airlock IAM for ActiveSync and Autodiscover.

Chapter-related prerequisites

  • Configuration takes place in the Airlock Gateway Configuration Center.
  • You must be logged in as admin.
  • The configuration of Airlock Gateway for ActiveSync must already have been carried out (see also Configuring Airlock Gateway for ActiveSync).

Configuring Basic Authentication

ActiveSync can be configured with different authentication methods.

Possible authentication methods are:

  • Basic Authentication
  • NTLM
  • Kerberos

This section explains how to enable Basic Authentication for ActiveSync and the component Autodiscover.

Procedure-related prerequisites:

  • This configuration takes place in ActiveSync.
  • You need to run the commands with administrative permissions.

Proceed as follows:

  1. Open the Exchange Management Shell via Run as administrator.
  2. Run the following commands:

Enabling Basic Authentication for ActiveSync

# List all ActiveSync virtual directories
Get-ActiveSyncVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-ActiveSyncVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication (the identity must be written without a space after "Microsoft-Server-")
Set-ActiveSyncVirtualDirectory `
  -Identity "Microsoft-Server-ActiveSync (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Enabling Basic Authentication for Autodiscover

# List all Autodiscover virtual directories
Get-AutodiscoverVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-AutodiscoverVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication
Set-AutodiscoverVirtualDirectory `
  -Identity "Autodiscover (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Restricting access to the ActiveSync mapping

To secure the back-end server, restrict the ActiveSync mapping to authenticated users only. This section explains how to configure this:

  1. In the Airlock Gateway Configuration Center, go to: Application Firewall >> Reverse Proxy.
  2. Edit the mappings listed below according to the instructions following the list:
    • Exchange ActiveSync
    • Exchange Autodiscover
  3. Change to the Access tab.
  4. Enter the exchange role under Access restrictions >> Restricted to Roles. This role is set by Airlock IAM after successful authentication.
  5. Select the Authentication flow One-Shot.
  6. Configure Denied access URL to /auth/login-oneshot.
  7. Under Credential Propagation >> SSO credential propagation, select Basic-Auth.
  8. Enable the checkbox Credential mandatory.

Creating an Airlock Gateway back-end group for Airlock IAM

If an Airlock IAM back-end group already exists, this section can be skipped.

To create an Airlock Gateway back-end group for Airlock IAM, proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click at the top of the Back-end Group column on the + sign.
  2. Enter a self-documenting name for Back-end Group Name.
  3. Set the following values:
    • Protocol: https
    • Back-end Host: iam.int.virtinc.com
    • Port: 8443
  4. The back-end group has been created.

Creating an Airlock Gateway mapping for Airlock IAM

Next, create an Airlock Gateway mapping for Airlock IAM.

If an Airlock IAM mapping already exists, check that the existing mapping is connected to the corresponding virtual host. If yes, skip the following steps.

Procedure-related prerequisites:

  • The previously described configuration steps must have been carried out.

Proceed as follows:

  1. Go to: Application Firewall >> Reverse Proxy and click at the top of the Mapping column on the + sign.
  2. Choose New from template >> Airlock IAM. Choose a template that matches your Airlock IAM release version and import it.
  3. A new mapping based upon the template has been created.
  4. Go to: Application Firewall >> Reverse Proxy.
  5. Connect the new Airlock IAM mapping with the corresponding virtual host, which is exchange.ext.virtinc.com.
  6. Connect the new Airlock IAM mapping to the corresponding back-end group.
  7. The mapping has been established.

Activating authentication enforcement in Airlock Gateway

You can now activate the configuration of the authentication enforcement in Airlock Gateway. Proceed as follows:

  1. Click the Activate button on top of the main menu of the Configuration Center.
  2. The configuration has been updated successfully.

Configuring Airlock IAM for ActiveSync/Autodiscover

Next, configure Airlock IAM to authenticate the user and propagate the user's identity with Basic Authentication. You have to do this both for ActiveSync and for Autodiscover.

Procedure-related prerequisites:

  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Proceed as follows:

  1. In the Airlock IAM Config Editor, go to: Login Application >> Authentication >> HTTP Request Authentication (One-Shot, REST).
  2. Configure an HTTP Request Authentication (using Gateway One-Shot Flow) plugin.
  3. Add a Target Application for ActiveSync / Autodiscover.
  4. Configure the Basic Auth HTTP Header Extractor as Credential Extractor.
  5. Configure the correct Authenticator plugin as Authenticator.
  6. Configure the Basic Auth Error Mapper as Failure Responses.
  7. Configure an HTTP Basic Auth Identity Propagator (requires Gateway) as Identity Propagator.
  8. Enter a URL Pattern that matches the external URL:
    • ActiveSync: https://exchange\.ext\.virtinc\.com/Microsoft-Server-ActiveSync.*
    • Autodiscover: https://exchange\.ext\.virtinc\.com/autodiscover.*
  9. Under Identity Propagation and Authorization, configure the Airlock Credentials:
    • Airlock Credentials: exchange
  10. Click the Activate button.
  11. The configuration has been updated successfully.
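As an added illustration (not Airlock code), the following Python model walks one request through the One-Shot flow configured in the two Airlock sections above: the Target Application is selected by its URL Pattern, the Basic Auth HTTP Header Extractor decodes the credentials, a failed login receives the 401 challenge produced by the Basic Auth Error Mapper, and a successful login is granted the exchange role the restricted mapping requires and gets the propagated Basic Auth header. The user store, the realm string and the exact HTTP status values are assumptions.

```python
import base64
import re

# Constructed stand-ins for the settings on this page (illustrative model, not Airlock code):
# the Target Application URL Patterns from the IAM procedure, the role the Gateway mapping
# is restricted to, and a tiny user store standing in for the Authenticator plugin.
TARGET_APPS = {
    "ActiveSync": re.compile(r"https://exchange\.ext\.virtinc\.com/Microsoft-Server-ActiveSync.*"),
    "Autodiscover": re.compile(r"https://exchange\.ext\.virtinc\.com/autodiscover.*"),
}
REQUIRED_ROLE = "exchange"          # Access restrictions >> Restricted to Roles
USERS = {"alice": "s3cret"}         # constructed sample credentials (assumption)

def select_target(url):
    """Return the Target Application whose URL Pattern matches the external URL, else None."""
    for name, pattern in TARGET_APPS.items():
        if pattern.fullmatch(url):
            return name
    return None

def extract_basic_credentials(headers):
    """Basic Auth HTTP Header Extractor: decode 'Authorization: Basic <base64(user:password)>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None                  # malformed token counts as "no credentials"
    return (user, password) if user and sep else None

def one_shot(url, headers):
    """Model of the One-Shot flow for one request: deny with a challenge, or grant the role and propagate."""
    target = select_target(url)
    if target is None:
        # No Target Application matches: IAM never sets the role, so the restricted mapping denies access.
        return {"status": 403, "target": None}
    creds = extract_basic_credentials(headers)
    if creds is None or USERS.get(creds[0]) != creds[1]:
        # Basic Auth Error Mapper: a 401 challenge so the ActiveSync client (re)sends credentials.
        return {"status": 401, "target": target,
                "headers": {"WWW-Authenticate": 'Basic realm="exchange"'}}
    # HTTP Basic Auth Identity Propagator: the back-end request carries the identity as Basic Auth,
    # and the request now holds the role the restricted mapping requires.
    propagated = "Basic " + base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    return {"status": 200, "target": target, "roles": {REQUIRED_ROLE},
            "propagated": {"Authorization": propagated}}
```

Because the dots in the URL Patterns are escaped, a host such as exchangeXext.virtinc.com matches no Target Application and is denied rather than silently treated as ActiveSync.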