Microsoft’s Forefront TMG acts as a firewall, controlling access to resources on the internal network using normal Active Directory credentials. One of the resources that it is able to publish access to over the Internet is Exchange’s Outlook Web Access. With the use of the AuthAnvil RADIUS server, it is possible to add strong authentication and provide identity assurance to these remote connections.
The rest of this document will step through the process to accomplish the publishing and protecting of OWA via RADIUS on a Windows based server running TMG. This document assumes that the AuthAnvil RADIUS Server has already been configured as per the AuthAnvil RADIUS Server Implementation Guide, and that working TMG and Exchange/OWA implementations are already in place.
Configuring Exchange to use Standard Authentication Methods
TMG replaces the OWA login form with its own, so OWA must be configured to use standard authentication methods rather than forms-based authentication before TMG can publish it. The steps differ between Exchange versions; the procedure below applies to Exchange 2007 and Exchange 2010.
- On the Exchange server, load the Exchange Management Console (Start > All Programs > Microsoft Exchange Server 2007/2010 > Exchange Management Console).
- Under ‘Server Configuration’, expand the ‘Client Access’ role.
- Click on the Exchange server that you want to configure and click on the ‘Outlook Web Access’ tab.
- Double-click on the OWA site that you would like to protect and go to the ‘Authentication’ tab.
- Click the ‘Use one or more standard authentication methods’ radio button, and deselect all of the options except ‘Basic Authentication (password is sent in clear text)’.
- Click ‘OK’ and close the Exchange Management Console.
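The same OWA change made from the Exchange Management Shell instead of the console, with a before-and-after check, as an added example that is not part of the original guide; the server name CAS01 and the virtual directory identity are placeholders for your own values:

```powershell
# Added example (not from the original guide): switch the OWA virtual directory
# from forms-based authentication to Basic-only, the state the console steps
# above produce, using the Exchange 2007/2010 Management Shell.
# Placeholder identity: Client Access server CAS01, default vdir name.
$owa = "CAS01\owa (Default Web Site)"

# Current state. FormsAuthentication must end up False, otherwise TMG cannot
# replace the login form with its own.
Get-OwaVirtualDirectory -Identity $owa |
    Format-List FormsAuthentication, BasicAuthentication, WindowsAuthentication, DigestAuthentication

# Standard authentication methods with only Basic enabled. Basic carries the
# password in clear text inside the request, which is why the TMG-to-Exchange
# leg should stay on HTTPS as the publishing steps that follow recommend.
Set-OwaVirtualDirectory -Identity $owa `
    -FormsAuthentication $false `
    -BasicAuthentication $true `
    -WindowsAuthentication $false `
    -DigestAuthentication $false

# Verify, and flag any method other than Basic that is still enabled.
$after = Get-OwaVirtualDirectory -Identity $owa
if ($after.FormsAuthentication -or $after.WindowsAuthentication -or
    $after.DigestAuthentication -or -not $after.BasicAuthentication) {
    Write-Warning "OWA vdir '$owa' is not Basic-only; TMG delegation will fail."
} else {
    Write-Output "OWA vdir '$owa' is Basic-only and ready for TMG publishing."
}

# Exchange asks for an IIS restart after this change on the Client Access server.
iisreset /noforce
```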
Publishing OWA through TMG using RADIUS authentication
- Configure a RADIUS shared secret between the AuthAnvil RADIUS server and the internal IP address of the TMG server, using the instructions in the AuthAnvil RADIUS Server Implementation Guide.
- On the TMG server, load the Forefront TMG Management Console (Start > All Programs > Microsoft Forefront TMG > Forefront TMG Management).
- Right-click on ‘Firewall Policy’ and navigate to ‘New’ > ‘Exchange Web Client Access Publishing Rule’.
- Give the rule a name and click ‘Next’.
- Choose your Exchange version, select ‘Outlook Web Access’, and click ‘Next’.
- Select whether you are publishing a single Web site or if you would like TMG to act as a load balancer, and click ‘Next’.
- Select whether you would like to connect using SSL (HTTPS) or an insecure connection (HTTP), and click ‘Next’.
Note: By default, OWA is published over HTTPS only.
- Enter the internal site name, making sure that it matches the name on the SSL certificate (if applicable), and click ‘Next’.
- Choose whether or not you would like to only accept requests for a specific domain name, and click ‘Next’.
- Click ‘New’ to create a new web listener.
- Give the web listener a name, and click ‘Next’.
- Choose whether or not to require this listener to communicate over SSL, and click ‘Next’. (We *STRONGLY* recommend using secure connections over the Internet whenever possible.)
- Choose which networks you would like the web listener to listen on, and click ‘Next’.
- (Only if you selected SSL for the web listener above) Select the certificate that you would like to use for this web listener, and click ‘Next’.
- On the ‘Authentication Settings’ screen, select ‘HTML Form Authentication’ under ‘Select how clients will provide credentials to Forefront TMG’, check the ‘Collect additional delegation credentials in the form’ check box, select ‘RADIUS OTP’ under ‘Select how Forefront TMG will validate client credentials’, and click ‘Next’.
- Choose whether or not to enable SSO on websites published with this listener, and click ‘Next’.
- Click ‘Finish’.
- On the ‘Select Web Listener’ screen, click ‘Next’.
- On the ‘Authentication Delegation’ screen, select ‘Basic Authentication’, and click ‘Next’.
- Select the user sets that you would like to allow access to OWA, and click ‘Next’.
- Click ‘Finish’.
- In the firewall policies list, double-click on the listener for the policy that you just created.
- Click the ‘Authentication’ tab, and click ‘Configure Validation Servers…’.
- Click ‘Add’ to add a new RADIUS server.
- Type the AuthAnvil RADIUS server IP address into the ‘Server Name’ field and a description into the ‘Server Description’ field. Click ‘Change’ to set the RADIUS shared secret, and set the ‘Authentication Port’ to the port that your AuthAnvil server is listening on (if you have changed it from the default). Finally, set the ‘Time-out (seconds)’ field to 10 seconds or greater to give the AuthAnvil server time to respond; a shorter timeout may cause the TMG server to resend the authentication request before the first one has been answered, invalidating the login. When done, click ‘OK’.
- Click ‘OK’ on the ‘Authentication Servers’ screen.
- Click ‘OK’ on the listener’s properties screen.
- Click ‘Apply’ on the main TMG management console window.
- Give TMG a description of the change for the TMG change log and click ‘Apply’. Click ‘OK’ once the changes have been applied.
- Open a browser and navigate to the OWA site that you just published (typically https://<FQDN of TMG server>/owa). You can now log in to OWA by entering your Active Directory user name in the ‘User name’ field, your AuthAnvil passcode in the ‘Passcode’ field, and your Active Directory password in the ‘Password’ field.