Install and setup ESET Secure Authentication with Microsoft Outlook Web Access (OWA)
- Integrate ESET Secure Authentication with OWA
- Best practices for securing access to Microsoft Exchange services
The instructions below require the following prerequisites:
- A working OWA environment
- Access to an account with "Domain Administrator" privileges
- A valid ESET Secure Authentication license
Download the ESET Secure Authentication installer file.
On the system providing the OWA environment, run the installer file with Admin rights.
- Review the license agreement and click I accept.
- Make sure all startup checks are Successful and then click Next.
Select which components you want to install and click Next. The following components are required:
- Management Tools
- Microsoft Exchange Server 2013, 2010 or 2007
- Click Close when the installation completes.
Open the ESET Secure Authentication management console.
- Click your Windows Domain name in the left menu, type in your license details and then click Activate.
Click Basic Settings in the left menu, under Mobile Application specify a token name and then click Save.
Expand the Web Application Protection section and verify that both Protect Outlook Web Access with 2FA and Protect Exchange Control Panel with 2FA are selected.
For enhanced security, we recommend deselecting the check box next to Users without 2FA enabled may still log in.
Expand IP Whitelisting and select the check box next to Allow access without 2FA from. Type the following two addresses (for IPv6 and IPv4) to ensure that IT administrators cannot be completely locked out from the system if they are not able to use MFA:
- Ensure that the whitelist is enabled for both Outlook Web App and the Exchange Control Panel.
To allow access to ESET Secure Authentication, users need to be configured for one of the available Token Types. The most basic Token Type is SMS-Based OTP. To enable this token, make sure that all users have a mobile phone number configured for their account (using the Windows Server option "Active Directory Users and Computers").
If all users have their mobile phone number set, follow the instructions below.
Click the ESET Secure Authentication tab.
- Select the check box SMS-based OTPs and click Apply.
This user is now configured to use SMS-based OTPs. When the user attempts to log in to OWA, ESET Secure Authentication will request the user's OTP.
If you want to use a push token instead of the SMS-Based OTP, follow the instructions below.
Click the ESET Secure Authentication tab.
- Select the check box next to Push and then click Apply.
ESET Secure Authentication will display a randomly generated login ID and on the currently enrolled device the user will receive a push notification asking to Approve or Reject the authentication attempt.
This section provides some security best practices.
A default installation of Microsoft Exchange Server will also provide a number of other services to the internet including ActiveSync and Exchange Web Services (EWS). Research shows that some of these services can be used to bypass MFA solutions such as ESET Secure Authentication. To prevent this, we strongly recommend that you limit access to these services from outside the company network.
Microsoft ActiveSync allows mobile devices to easily connect to Microsoft Exchange. ESET Secure Authentication does not support Microsoft ActiveSync and therefore, we recommend that you limit access to this service.
We recommend that you specify only certain devices (for example, company phones) to connect via ActiveSync. This can be done through the Exchange Control Panel as well as the Exchange Management Shell.
For all publicly available services, we recommend that you restrict access to the following services based on IP addresses:
- To set these restrictions, open the OWA website in the Internet Information Services (IIS) Manager and navigate to IP Address and Domain Restrictions for each of the services listed above.
In the Actions window, click Edit Feature Settings.
From the Access for unspecified clients drop-down menu, select Deny.
From the Deny Action Type drop-down menu, select Not Found.
Click Add Allow Entry and in the Specific IP address field, add the following addresses (to prevent the system itself from being unable to access certain resources it might need during operation):
- Repeat steps 1– 5 for all services.