Configuring authentication enforcement for Outlook Web Access / Outlook on the Web

If Airlock Gateway is not used for authentication enforcement, this chapter can be skipped.

Why authentication enforcement should be configured

Airlock Gateway has the ability to protect back-end applications from unauthorized access. This functionality is called authentication enforcement. For this purpose, Airlock Gateway is used in combination with Airlock IAM. Airlock Gateway ensures that users are authenticated against Airlock IAM and performs a sign-in on their behalf on the back-end application.

The following sections describe how to configure authentication enforcement for Outlook Web Access / Outlook on the Web. The sections illustrate a setup that uses the authentication Basic Authentication between Airlock Gateway and the back-end application (called Identity Propagation).

If using a different authentication mechanism, adapt the mentioned settings accordingly. This applies for Airlock Gateway, Airlock IAM and/or the back-end server.

Depending on the scope of the current Airlock Gateway or IAM license, it could also be required to upgrade or change the licensing for new authentication features, e.g. for back-side Kerberos SSO, front-side Kerberos, etc.

  1. Included steps:
  2. Configuring Basic Authentication.
  3. Restricting access to the Outlook Web Access / Outlook on the Web mapping.
  4. Redirecting the logout request to Airlock IAM.
  5. Creating an Airlock Gateway back-end group for Airlock IAM.
  6. Creating an Airlock Gateway mapping for Airlock IAM.
  7. Activating the authentication enforcement configuration in Airlock Gateway.
  8. Configuring Airlock IAM for Outlook Web Access / Outlook on the Web.

Configuring Basic Authentication

Outlook Web Access / Outlook on the Web can be configured with different authentication methods.

  • Possible authentication methods are:
  • Form-Based Authentication (MSOFBA)
  • Basic Authentication
  • NTLM
  • Kerberos

This section explains how to enable Basic Authentication for Outlook Web Access / Outlook on the Web.

  • Procedure-related prerequisites:
  • This configuration takes place in Outlook Web Access / Outlook on the Web.
  • You need to run the commands with administrative permissions.
  1. Proceed as follows:
  2. Open the Exchange Management Shell via Run as administrator.

    3. For more information on the Exchange Management Shell, go to: KB – Using the Exchange Management Shell.

  3. Run the following commands:
copy
# List all OWA virtual directories.
Get-OwaVirtualDirectory

# Find out whether Basic Authentication is enabled
Get-OwaVirtualDirectory | `
  fl BasicAuthentication

# Enable Basic Authentication
Set-OwaVirtualDirectory `
  -Identity "owa (Default Web Site)" `
  -BasicAuthentication:$True

# Restart IIS to ensure these changes are active
iisreset /timeout:120 /noforce

Restricting access to the Outlook Web Access / Outlook on the Web mapping

To secure the back-end server, restrict the Outlook Web Access / Outlook on the Web mapping to authenticated users only. This section explains how to configure this:

  1. In the Airlock Gateway Configuration Center, go to: Application Firewall >> Reverse Proxy.
  2. Edit the Outlook Web Access / Outlook on the Web mapping:
    1. Change to the Access tab.
    2. Enter the exchange role under Access restrictions >> Restricted to Roles.

      3. This role is set by Airlock IAM after successful authentication.

    3. Select the Authentication flow Redirect.
    4. Configure Denied access URL to /auth/check-login.
    5. Under Credential Propagation >> SSO credential propagation, select Basic-Auth.
    6. Enable the checkbox Credential mandatory.

Redirecting the logout request to Airlock IAM

To terminate the user's session on Airlock Gateway, Airlock IAM and the back-end server, the logout request must be redirected to Airlock IAM's logout page. Proceed as follows:

  1. In the Airlock Gateway Configuration Center, go to: Application Firewall >> Reverse Proxy.
  2. Edit the Outlook Web Access / Outlook on the Web mapping:
    1. Change to the Response Actions tab.
    2. Enable the Rewrite Response Redirect Location rule that has the comment Rewrite for logout attached to it.

Creating an Airlock Gateway back-end group for Airlock IAM

To create an Airlock Gateway back-end group for Airlock IAM, proceed as follows:

If an Airlock IAM back-end group already exists, this section can be skipped.

  1. Go to: Application Firewall >> Reverse Proxy and click at the top of the Back-end Group column on the + sign.
  2. Enter a self-documenting name for Back-end Group Name.
  3. Set the following values:
    • Protocol: https
    • Back-end Host: iam.int.virtinc.com
    • Port: 8443
  4. A back-end group has been pre-configured.

Creating an Airlock Gateway mapping for Airlock IAM

Next, create an Airlock Gateway mapping for Airlock IAM.

If an Airlock IAM mapping already exists, check that the existing mapping is connected to the corresponding virtual host. If yes, skip the following steps.

  • Procedure-related prerequisites
  • The previously described configuration steps must have been carried out.
  1. Proceed as follows:
  2. Go to: Application Firewall >> Reverse Proxy and click at the top of the Mapping column on the + sign.
  3. Choose New from template >> Airlock IAM. Choose a template that matches your Airlock IAM release version and import it.
  4. A new mapping based upon the template has been created.
  5. Go to: Application Firewall >> Reverse Proxy.
  6. Connect the new Airlock IAM mapping with the corresponding virtual host, which is exchange.ext.virtinc.com.
  7. Connect the new Airlock IAM mapping to the corresponding back-end group.
  8. The mapping has been established.

Activating authentication enforcement in Airlock Gateway

You can now activate the configuration of the authentication enforcement in Airlock Gateway. Proceed as follows:

  1. Click the Activate button on top of the main menu of the Configuration Center.
  2. The configuration has been updated successfully.

Configuring Airlock IAM for Outlook Web Access / Outlook on the Web.

As a last step, configure Airlock IAM to authenticate the user and propagate its identity with Basic Authentication.

  • Procedure-related prerequisites
  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.
  1. Proceed as follows:
  2. In the Airlock IAM Config Editor, go to: Login Application >> Application Settings.
  3. Add a Target Application for Outlook Web Access / Outlook on the Web.
  4. Enter the Default URL with /owa/.
  5. Enter the URL Pattern with the pattern that matches the external URL.
    • URL Pattern: https://exchange\.ext\.virtinc\.com/(owa|ecp).*
  6. Configure a HTTP Basic Auth Identity Propagator as Identity Propagator.
  7. Configure the Airlock Credentials.
    • Airlock Credentials: exchange
  8. Click on the Activate button.
  9. The configuration has been updated successfully.