Microsoft's Forefront TMG acts as a firewall, controlling access to resources on the internal network using normal Active Directory credentials. One of the resources it can publish over the Internet is Exchange's Outlook Web Access (OWA). With the AuthAnvil RADIUS server, it is possible to add strong authentication and provide identity assurance for these remote connections.
The rest of this document steps through the process of publishing and protecting OWA via RADIUS on a Windows-based server running TMG. It assumes that the AuthAnvil RADIUS Server has already been configured as per the AuthAnvil RADIUS Server Implementation Guide, and that working TMG and Exchange/OWA implementations are already in place.
Configuring Exchange to use Standard Authentication Methods
TMG replaces the login form for OWA, so OWA needs to be configured to use standard authentication methods rather than forms-based authentication so that TMG can publish access to it. The procedure differs between versions of Exchange; the steps below apply to Exchange 2007 and Exchange 2010.
- On the Exchange server, load the Exchange Management Console (Start > All Programs > Microsoft Exchange Server 2007/2010 > Exchange Management Console).
- Under Server Configuration, expand the Client Access role.
- Click on the Exchange server that you want to configure and click on the Outlook Web Access tab.
- Double-click on the OWA site that you would like to protect and go to the Authentication tab.
- Click the Use one or more standard authentication methods radio button, and deselect all of the options except Basic Authentication (password is sent in clear text).
- Click OK and close the Exchange Management Console.
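The same change made from the Exchange Management Shell, as an added example that is not part of this guide: it uses the Set-OwaVirtualDirectory and Get-OwaVirtualDirectory cmdlets of Exchange 2007/2010, and the server and site names are placeholders. Run it locally on the Client Access server.

```powershell
# Added example: scripted equivalent of the Exchange Management Console steps above.
# Server and site names are placeholders; run in the Exchange Management Shell on the CAS.
function Set-OwaStandardAuth {
    param(
        [string]$Server = "CAS01",             # placeholder Client Access server name
        [string]$Site   = "Default Web Site"   # placeholder IIS site that hosts /owa
    )
    $identity = "$Server\owa ($Site)"
    # Forms-based authentication off (TMG presents its own form); only Basic stays on,
    # so TMG can delegate the AD password to OWA once the RADIUS OTP check has passed.
    # Basic sends the password in clear text, so the TMG-to-Exchange leg should be HTTPS.
    Set-OwaVirtualDirectory -Identity $identity `
        -FormsAuthentication $false `
        -BasicAuthentication $true `
        -WindowsAuthentication $false `
        -DigestAuthentication $false
    # Authentication settings on the virtual directory only take effect after IIS reloads it
    iisreset /noforce | Out-Null
    # Return the resulting settings so the change can be verified before touching TMG
    Get-OwaVirtualDirectory -Identity $identity |
        Select-Object Identity, FormsAuthentication, BasicAuthentication,
                      WindowsAuthentication, DigestAuthentication
}
```

The returned object should show FormsAuthentication False and BasicAuthentication True before you continue with the TMG publishing rule.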
Publishing OWA through TMG using RADIUS authentication
- Configure a RADIUS shared secret between the AuthAnvil RADIUS server and the internal IP address of the TMG server, using the instructions in the AuthAnvil RADIUS Server Implementation Guide.
- On the TMG server, load the Forefront TMG Management Console (Start > All Programs > Microsoft Forefront TMG > Forefront TMG Management).
- Right-click on Firewall Policy and navigate to New > Exchange Web Client Access Publishing Rule.
- Give the rule a name and click Next.
- Choose your Exchange version, select Outlook Web Access, and click Next.
- Select whether you are publishing a single Web site or if you would like TMG to act as a load balancer, and click Next.
- Select whether you would like to connect using SSL (HTTPS) or an insecure connection (HTTP), and click Next.
Note: By default, OWA is published over HTTPS only.
- Enter the internal site name, making sure that it matches the name on the SSL certificate (if applicable), and click Next.
- Choose whether or not you would like to only accept requests for a specific domain name, and click Next.
- Click New to create a new web listener.
- Give the web listener a name, and click Next.
- Choose whether or not to require this listener to communicate over SSL, and click Next. (We *STRONGLY* recommend using secure connections over the Internet whenever possible.)
- Choose which networks you would like the web listener to listen on, and click Next.
- (Only if you chose SSL for the web listener) Select the certificate that you would like to use for this web listener, and click Next.
- On the Authentication Settings screen, select HTML Form Authentication under Select how clients will provide credentials to Forefront TMG, check the Collect additional delegation credentials in the form check box, select RADIUS OTP under Select how Forefront TMG will validate client credentials, and click Next.
- Choose whether or not to enable SSO on websites published with this listener, and click Next.
- Click Finish.
- On the Select Web Listener screen, click Next.
- On the Authentication Delegation screen, select Basic Authentication, and click Next.
- Select the user sets that you would like to allow access to OWA, and click Next.
- Click Finish.
- In the firewall policies list, double-click on the listener for the policy that you just created.
- Click the Authentication tab, and click Configure Validation Servers.
- Click Add to add a new RADIUS server.
- Type the AuthAnvil RADIUS server IP address into the Server Name field, and a description into the Server Description field. Click Change to set the RADIUS shared secret, and set the Authentication Port to the port that your AuthAnvil server is listening on (if you've changed it). Finally, set the Time-out (seconds) field to 10 seconds or greater to give the AuthAnvil server time to respond. A shorter timeout may cause the TMG server to resend the authentication request prematurely, invalidating the login. When done, click OK.
- Click OK on the Authentication Servers screen.
- Click OK on the listener's properties screen.
- Click Apply on the main TMG management console window.
- Give TMG a description of the change for the TMG change log and click Apply. Click OK once the changes have been applied.
- Open a browser and navigate to the OWA site that you just published (typically https://<FQDN of TMG server>/owa). You can now log in to OWA by providing your Active Directory username in the User name field, your AuthAnvil passcode in the Passcode field, and your Active Directory password in the Password field.
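To check the shared secret, port and round-trip time from the TMG server before relying on the listener's Time-out setting, here is an added example in PowerShell that is not part of the AuthAnvil guide or of TMG: it sends one RADIUS PAP Access-Request (RFC 2865) and times the reply. It assumes the AuthAnvil server accepts PAP; the server address, port, secret, user name and passcode are placeholders.

```powershell
# Added example (not from the guide): one RADIUS PAP Access-Request timed against the TMG time-out; all values are placeholders
function Test-RadiusOtp {
    param(
        [string]$Server   = "10.0.0.5",      # placeholder: AuthAnvil RADIUS server address
        [int]$Port        = 1812,            # placeholder: change if AuthAnvil listens elsewhere
        [string]$Secret   = "SharedSecret",  # placeholder: the secret configured for the TMG IP
        [string]$User     = "jdoe",          # placeholder AD user name
        [string]$Passcode = "123456",        # placeholder AuthAnvil passcode (one-time, consumed by this run)
        [int]$TimeoutSec  = 10               # the guide's minimum TMG Time-out value
    )
    $md5 = [System.Security.Cryptography.MD5]::Create(); $enc = [System.Text.Encoding]::ASCII
    $secretBytes = $enc.GetBytes($Secret)
    # Request Authenticator: 16 random bytes that key the password obfuscation below
    $auth = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)
    # RFC 2865 User-Password: zero-pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous cipher block); the first block uses the authenticator
    $plain  = $enc.GetBytes($Passcode)
    $padded = New-Object byte[] ([int][math]::Ceiling($plain.Length / 16) * 16)
    [Array]::Copy($plain, $padded, $plain.Length)
    $cipher = New-Object byte[] $padded.Length
    $prev = $auth
    for ($i = 0; $i -lt $padded.Length; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secretBytes + $prev))
        for ($j = 0; $j -lt 16; $j++) { $cipher[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $cipher[$i..($i + 15)]
    }
    # Attributes (type, length, value): User-Name (1), User-Password (2), NAS-Identifier (32)
    $attrs = [byte[]]([byte[]]@(1, $User.Length + 2) + $enc.GetBytes($User) +
                      [byte[]]@(2, $cipher.Length + 2) + $cipher +
                      [byte[]]@(32, 5) + $enc.GetBytes("TMG"))
    $len = 20 + $attrs.Length
    # Header: Code 1 = Access-Request, Identifier 7, big-endian length, authenticator
    $packet = [byte[]]([byte[]]@(1, 7, [math]::Floor($len / 256), ($len % 256)) + $auth + $attrs)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutSec * 1000
    $udp.Connect($Server, $Port)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    [void]$udp.Send($packet, $packet.Length)
    $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try { $reply = $udp.Receive([ref]$from) } catch { $udp.Close(); return "No reply within $TimeoutSec s (TMG would retransmit here): check secret, port and firewall" }
    $sw.Stop(); $udp.Close()
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret); valid only if the replier holds the same secret
    $tail = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected = $md5.ComputeHash([byte[]]($reply[0..3] + $auth + $tail + $secretBytes))
    $valid = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($reply[4..19]))
    $codes = @{ 2 = "Access-Accept"; 3 = "Access-Reject"; 11 = "Access-Challenge" }
    New-Object PSObject -Property @{ Result = $codes[[int]$reply[0]]; AuthenticatorValid = $valid; ReplyMs = $sw.ElapsedMilliseconds; TimeoutMs = $TimeoutSec * 1000 }
}
```

A ReplyMs value close to TimeoutMs is the condition under which TMG's retransmit would invalidate the login, and AuthenticatorValid False means the reply was not produced with the secret you configured.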
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.