Note: This integration does not support the use of Push. You will need to use OTP.
Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.
Microsoft's Forefront TMG acts as a firewall, controlling access to resources on the internal network using normal Active Directory credentials. One of the resources it can publish to the Internet is Exchange's Outlook Web Access (OWA). With the AuthAnvil RADIUS agent, it is possible to add strong authentication and provide identity assurance for these remote connections.
The rest of this document steps through publishing and protecting OWA via RADIUS on a Windows-based server running TMG.
Configuring Exchange to use Standard Authentication Methods
TMG replaces the login form for OWA, so OWA needs to be configured to use standard authentication methods rather than forms-based authentication before TMG can publish it. The procedure differs between Exchange versions; the one below applies to Exchange 2007 and Exchange 2010.
- On the Exchange server, load the Exchange Management Console (Start > Programs and Features > Microsoft Exchange Server 2007/2010 > Exchange Management Console).
- Under Server Configuration, expand the Client Access role.
- Click on the Exchange server that you want to configure and click on the Outlook Web Access tab.
- Double-click on the OWA site that you would like to protect and go to the Authentication tab.
- Click the Use one or more standard authentication methods radio button, and deselect all of the options except Basic Authentication (password is sent in clear text). Because Basic authentication sends the Active Directory password in the clear, the publishing rule created below should connect from TMG to Exchange over HTTPS, not HTTP.
- Click OK and close the Exchange Management Console.
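The same change can be made from the Exchange Management Shell instead of the console. The script below is an added example, not part of this article; it assumes a Client Access server named CAS01 with OWA (and, on Exchange 2010, ECP) under the Default Web Site, and it records the current settings first so the change can be reversed.

```powershell
# Added example (not from the original article): switch OWA from forms-based
# authentication to Basic only, which is what TMG delegates with.
# Assumed names: Client Access server CAS01, virtual directories on the Default Web Site.
$owa = 'CAS01\owa (Default Web Site)'

# Record the current state so the change can be backed out later.
Get-OwaVirtualDirectory -Identity $owa | Format-List Identity, *Authentication

# TMG supplies its own logon form, so turn forms-based auth off and leave only
# Basic, the method selected on the TMG Authentication Delegation screen.
Set-OwaVirtualDirectory -Identity $owa `
    -FormsAuthentication $false `
    -BasicAuthentication $true `
    -WindowsAuthentication $false `
    -DigestAuthentication $false

# Exchange 2010 only (the cmdlet does not exist on 2007): the ECP virtual
# directory must use the same authentication methods as OWA, otherwise OWA
# logons fail after the change.
if (Get-Command Set-EcpVirtualDirectory -ErrorAction SilentlyContinue) {
    Set-EcpVirtualDirectory -Identity 'CAS01\ecp (Default Web Site)' `
        -FormsAuthentication $false `
        -BasicAuthentication $true `
        -WindowsAuthentication $false `
        -DigestAuthentication $false
}

# The new settings take effect once IIS restarts the web application.
iisreset /noforce

# Verify: only BasicAuthentication should now be True.
Get-OwaVirtualDirectory -Identity $owa | Format-List Identity, *Authentication
```

Run it from an Exchange Management Shell on the Client Access server; the `Get-OwaVirtualDirectory` output before and after is the evidence to keep with the change record.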
Publishing OWA through TMG using RADIUS authentication
- Configure a RADIUS shared secret between the RADIUS agent and the internal IP address of the TMG server.
- On the TMG server, load the Forefront TMG Management Console (Start > Programs and Features > Microsoft Forefront TMG > Forefront TMG Management).
- Right-click on Firewall Policy and navigate to New > Exchange Web Client Access Publishing Rule.
- Give the rule a name and click Next.
- Choose your Exchange version, select Outlook Web Access, and click Next.
- Select whether you are publishing a single Web site or if you would like TMG to act as a load balancer, and click Next.
- Select whether you would like to connect using SSL (HTTPS) and click Next.
Note: By default, OWA is published over HTTPS only.
- Enter the internal site name, making sure that it matches the name on the SSL certificate (if applicable), and click Next.
- Choose whether or not you would like to only accept requests for a specific domain name, and click Next.
- Click New to create a new web listener.
- Give the web listener a name, and click Next.
- Choose whether or not you would like to require this listener to communicate over SSL and click Next.
- Choose which networks you would like the web listener to listen on, and click Next.
- Select the certificate that you would like to use for this web listener, and click Next.
- On the Authentication Settings screen, under Select how clients will provide credentials to Forefront TMG, select HTML Form Authentication and check the Collect additional delegation credentials in the form check box. Under Select how Forefront TMG will validate client credentials, select RADIUS OTP. Click Next.
- Choose whether or not to enable SSO on websites published with this listener, and click Next.
- Click Finish.
- On the Select Web Listener screen, click Next.
- On the Authentication Delegation screen, select Basic Authentication, and click Next.
- Select the user sets that you would like to allow access to OWA, and click Next.
- Click Finish.
- In the firewall policies list, double-click on the listener for the policy that you just created.
- Click the Authentication tab, and click Configure Validation Servers.
- Click Add to add a new RADIUS server.
- Type the RADIUS agent IP address into the Server Name field, and a description into the Server Description field.
- Click Change to set the RADIUS shared secret, and set the Authentication Port to the port that your RADIUS agent is listening on (if you've changed it).
- Finally, set the Time-out (seconds) field to 10 seconds or greater to give the RADIUS agent time to respond. A shorter timeout may cause TMG to resend the authentication request before the agent has answered; the retransmission carries the same one-time passcode, which has already been consumed, so the login is invalidated. When done, click OK.
- Click OK on the Authentication Servers screen.
- Click OK on the listener's properties screen.
- Click Apply on the main TMG management console window.
- Give TMG a description of the change for the TMG change log and click Apply.
- Click OK once the changes have been applied.
- Open a browser and navigate to the OWA site that you just published (typically https://<FQDN of TMG server>/owa). You can now log in to OWA by providing your Active Directory username in the User name field, your MFA passcode in the Passcode field, and your Active Directory password in the Password field.
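Before relying on the listener, it is worth confirming from the TMG server itself that the shared secret, port and timeout configured in the validation-server dialog actually work against the RADIUS agent. The function below is an added example, not part of this article or of the AuthAnvil product: it builds one RADIUS PAP Access-Request (RFC 2865) carrying the username and passcode, waits the same 10 seconds TMG is configured to wait, and checks the Response Authenticator of whatever comes back so that a wrong shared secret is reported as such rather than as a bad passcode. The host 192.0.2.10, the secret, the user, the passcode and the NAS-Identifier string are placeholders. Run it from the TMG server so the request leaves from the internal IP address that the agent's client entry names.

```powershell
# Added example (not from the original article): one RADIUS PAP Access-Request to
# the AuthAnvil RADIUS agent, to verify secret, port and timeout before TMG uses them.
function Test-RadiusOtp {
    param(
        [Parameter(Mandatory=$true)][string]$RadiusHost,   # RADIUS agent address (placeholder below)
        [int]$RadiusPort = 1812,                           # port the agent listens on
        [Parameter(Mandatory=$true)][string]$SharedSecret, # must match the agent's entry for the TMG internal IP
        [Parameter(Mandatory=$true)][string]$User,         # AD username, as typed in the TMG form
        [Parameter(Mandatory=$true)][string]$Passcode,     # the MFA passcode (OTP), not the AD password
        [int]$TimeoutSeconds = 10                          # same value as the TMG Time-out field
    )
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $ascii  = [System.Text.Encoding]::ASCII
    $secret = $ascii.GetBytes($SharedSecret)

    # Request Authenticator: 16 random bytes (RFC 2865 section 3).
    $reqAuth = New-Object byte[] 16
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($reqAuth)

    # User-Password attribute (RFC 2865 section 5.2): zero-pad the passcode to a
    # multiple of 16 bytes, then XOR each block with MD5(secret + previous block);
    # the "previous block" of the first block is the Request Authenticator.
    $pw     = $ascii.GetBytes($Passcode)
    $padLen = [int]([Math]::Max(16, [Math]::Ceiling($pw.Length / 16) * 16))
    $padded = New-Object byte[] $padLen
    [Array]::Copy($pw, $padded, $pw.Length)
    $encPw  = New-Object byte[] $padLen
    $prev   = $reqAuth
    for ($i = 0; $i -lt $padLen; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $encPw[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = $encPw[$i..($i + 15)]
    }

    # Attribute-Value pair: type (1 byte), length incl. header (1 byte), value.
    function New-Avp([int]$Type, [byte[]]$Value) {
        [byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value)
    }
    $attrs = [byte[]]((New-Avp 1 ($ascii.GetBytes($User))) +             # User-Name
                      (New-Avp 2 $encPw) +                               # User-Password
                      (New-Avp 32 ($ascii.GetBytes('tmg-radius-test'))))  # NAS-Identifier (placeholder)

    # Packet: Code 1 = Access-Request, Identifier, Length (big-endian), Authenticator, attributes.
    $id     = Get-Random -Minimum 0 -Maximum 256
    $len    = 20 + $attrs.Length
    $packet = [byte[]](@([byte]1, [byte]$id, [byte]($len -shr 8), [byte]($len -band 0xFF)) + $reqAuth + $attrs)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutSeconds * 1000
    try {
        $udp.Connect($RadiusHost, $RadiusPort)
        [void]$udp.Send($packet, $packet.Length)
        $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
    } catch {
        # A silent drop usually means the wrong port, a firewall in the path, or no
        # client entry for this host on the agent; TMG would hit its Time-out here.
        return "No reply within $TimeoutSeconds s: $($_.Exception.Message)"
    } finally {
        $udp.Close()
    }

    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    # If it does not match, the agent signed the reply with a different shared secret.
    $respLen   = ($reply[2] -shl 8) -bor $reply[3]
    $respAttrs = if ($respLen -gt 20) { $reply[20..($respLen - 1)] } else { @() }
    $expected  = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $respAttrs + $secret))
    if (($expected -join ',') -ne ($reply[4..19] -join ',')) {
        return 'Reply received but Response Authenticator is wrong: shared secret mismatch'
    }
    switch ($reply[0]) {
        2       { 'Access-Accept: port, shared secret and passcode are all good' }
        3       { 'Access-Reject: transport and secret are fine; the user or passcode was rejected' }
        11      { 'Access-Challenge: the agent asked for a further step' }
        default { "Unexpected RADIUS code $($reply[0])" }
    }
}

# Placeholder values: substitute the agent's address, the secret set in the first
# step of this section, and a real user with a fresh passcode.
Test-RadiusOtp -RadiusHost '192.0.2.10' -SharedSecret 'example-secret' -User 'jdoe' -Passcode '123456'
```

Each passcode is accepted only once, so use a fresh one per run, and expect the second of two quick runs with the same passcode to come back as Access-Reject even when everything is configured correctly.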