Adding MFA to OWA with Forefront TMG 2010

Note: This integration does not support the use of Push. You will need to use OTP.


Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.

Microsoft’s Forefront TMG acts as a firewall, controlling access to resources on the internal network using normal Active Directory credentials. One of the resources that it is able to publish access to over the Internet is Exchange’s Outlook Web Access. With the use of the AuthAnvil RADIUS agent, it is possible to add strong authentication and provide identity assurance to these remote connections.

The rest of this document will step through the process to accomplish the publishing and protecting of OWA via RADIUS on a Windows based server running TMG. 

Configuring Exchange to use Standard Authentication Methods

TMG replaces the login form for OWA, so OWA needs to be configured to use Standard Authentication Methods rather than forms-based authentication so that TMG can publish access to it. The procedure will be different on different versions of Exchange. This procedure will work for Exchange 2007 and Exchange 2010.

  1. On the Exchange server, load the Exchange Management Console (Start > Programs and Features > Microsoft Exchange Server 2007/2010 > Exchange Management Console).
  2. Under Server Configuration, expand the Client Access role.
  3. Click on the Exchange server that you want to configure and click on the Outlook Web Access tab.
  4. Double-click on the OWA site that you would like to protect and go to the Authentication tab.
  5. Click the Use one or more standard authentication methods radio button, and deselect all of the options except Basic Authentication (password is sent in clear text).
  6. Click ‘OK’ and close the Exchange Management Console.


Publishing OWA through TMG using RADIUS authentication

  1. Configure a RADIUS Shared Secret between the RADIUS agent and the internal IP Address of the TMG server.
  2. On the TMG server, load the Forefront TMG Management Console (Start > Programs and Features > Microsoft Forefront TMG > Forefront TMG Management).
  3. Right-click on Firewall Policy and navigate to New > Exchange Web Client Access Publishing Rule.
  4. Give the rule a name and click Next.
  5. Choose your Exchange version, select Outlook Web Access, and click Next.
  6. Select whether you are publishing a single Web site or if you would like TMG to act as a load balancer, and click Next.
  7. Select whether you would like to connect using SSL (HTTPS) and click Next.
    Note: By default, OWA is published over HTTPS only.
  8. Enter the internal site name, making sure that it matches the name on the SSL certificate (if applicable), and click Next.
  9. Choose whether or not you would like to only accept requests for a specific domain name, and click Next.
  10. Click New to create a new web listener.
  11. Give the web listener a name, and click Next.
  12. Choose whether or not you would like to require this listener to communicate over SSL, and click Next.
  13. Choose which networks you would like the web listener to listen on, and click Next.
  14. Select the certificate that you would like to use for this web listener, and click Next.
  15. On the Authentication Settings screen, under Select how clients will provide credentials to Forefront TMG, select HTML Form Authentication and check the Collect additional delegation credentials in the form check box; under Select how Forefront TMG will validate client credentials, select RADIUS OTP. Click Next.
  16. Choose whether or not to enable SSO on websites published with this listener, and click Next.
  17. Click Finish.
  18. On the Select Web Listener screen, click Next.
  19. On the Authentication Delegation screen, select Basic Authentication, and click Next.
  20. Select the user sets that you would like to allow access to OWA, and click Next.
  21. Click Finish.
  22. In the firewall policies list, double-click on the listener for the policy that you just created.
  23. Click the Authentication tab, and click Configure Validation Servers…
  24. Click Add to add a new RADIUS server.
  25. Type the RADIUS agent IP address into the Server Name field, and a description into the Server Description field.
    Click Change to set the RADIUS shared secret, and set the Authentication Port to the port that your RADIUS agent is listening on (if you’ve changed it).
    Finally, set the Time-out (seconds) field to 10 seconds or greater, to give the RADIUS agent time to respond. A timeout of less than this may cause the TMG server to prematurely resend the authentication request, invalidating the login. When done, click OK.
  26. Click OK on the Authentication Servers screen.
  27. Click OK on the listener’s properties screen.
  28. Click Apply on the main TMG management console window.
  29. Give TMG a description of the change for the TMG change log and click Apply.
    Click OK once the changes have been applied.
  30. Open a browser and navigate to the OWA site that you just published (typically https://<FQDN of TMG server>/owa). You can now log in to OWA by entering your Active Directory username in the User name field, your MFA passcode in the Passcode field, and your Active Directory password in the Password field.
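
The shared secret and the 10-second timeout from step 25 are the two RADIUS settings that decide whether an OTP login succeeds. The following Python is an added example, not code from this article or from the AuthAnvil agent: it encodes a RADIUS Access-Request as RFC 2865 specifies (User-Name plus the OTP in User-Password, obfuscated with the shared secret) and models the retransmit problem with simulated time; the secret, user name, passcode and the assumption that the agent accepts each passcode only once are constructed.

```python
import hashlib
import struct

# Constructed example (not from the article or AuthAnvil): RFC 2865 Access-Request encoding and a model of the step 25 timeout.
SHARED_SECRET = b"placeholder-shared-secret"   # placeholder; set your own in TMG and the agent
AUTHENTICATOR = bytes(range(16))               # constructed; TMG uses 16 random bytes per request

def xor_password(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)
    return out

def build_access_request(identifier, username, passcode, secret=SHARED_SECRET, auth=AUTHENTICATOR):
    """Code 1 = Access-Request; attribute 1 = User-Name, attribute 2 = User-Password (the OTP)."""
    enc = xor_password(passcode + b"\x00" * (-len(passcode) % 16), secret, auth)
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    attrs += struct.pack("BB", 2, 2 + len(enc)) + enc
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + auth + attrs

def parse_access_request(packet, secret=SHARED_SECRET):
    """Return (identifier, username, passcode); the passcode only decodes with the same shared secret."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    auth, pos, fields = packet[4:20], 20, {}
    while pos < length:
        fields[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    passcode = xor_password(fields[2], secret, auth, decrypt=True).rstrip(b"\x00")
    return identifier, fields[1], passcode

class OtpAgent:
    """Model of the RADIUS agent (assumption): each OTP is accepted once, then burned."""
    def __init__(self, valid_passcodes, response_delay_s):
        self.valid, self.used, self.delay = set(valid_passcodes), set(), response_delay_s
    def handle(self, packet):
        _, _, passcode = parse_access_request(packet)
        ok = passcode in self.valid and passcode not in self.used
        self.used.add(passcode)
        return "Access-Accept" if ok else "Access-Reject"

def tmg_login(agent, timeout_s, username=b"jdoe", passcode=b"123456"):
    """Model of TMG with simulated time: if no reply arrives within the timeout, the request is resent."""
    packet = build_access_request(7, username, passcode)
    replies = [agent.handle(packet)]            # the first request always reaches the agent
    if agent.delay > timeout_s:                 # reply still pending: TMG resends, burning the OTP
        replies.append(agent.handle(packet))
    return replies[-1] == "Access-Accept"       # TMG acts on the last verdict it receives
```

With an agent that takes 12 seconds to answer, a 10-second timeout turns a valid passcode into a rejected login, which is the failure step 25 warns about; raising the timeout above the agent's response time fixes it.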