Microsoft IIS ARR Authentication to Exchange Integration with the WatchGuard Access Portal

Deployment Overview

You can configure the WatchGuard Access Portal to enable your users to log in through one portal and get access to multiple services. This document describes how to set up the WatchGuard Access Portal to use Microsoft IIS Application Request Routing (ARR) for authentication to the Outlook web application on an Exchange server.

Integration Summary

Hardware and Service versions:

  • IIS Application Request Routing (ARR) 3.0
  • Exchange 2016
  • WatchGuard Firebox M400:
    • Fireware OS v12.2
    • Feature key with an Access Portal license

Test Topology

Diagram of the network topology for this integration

This integration includes these components:

  • IIS Application Request Routing (ARR) Server — Reverse proxy in front of the Exchange server; provides the authentication for single sign-on
  • Microsoft Exchange Server — Uses IIS ARR for client authentication for access to the Outlook web application
  • Firebox — Hosts the Access Portal, where clients authenticate for access to the web applications

Configure IIS ARR

  1. Log in to IIS Manager.
  2. Navigate to IIS HOME.

Screen shot of IIS Manager

  3. To import the mail server certificate, click Server Certificates.
  4. Click Default Web Site.
  5. In the Actions list, click Bindings.

Screen shot of the Default Web Site Home settings

  6. Add an https binding that uses the mail server certificate.

Screen shot of the HTTPS bindings settings

  7. Right-click Server Farms and select Create Server Farm.

Screen shot of the Create Server Farm menu item

  8. Type the Farm name and the Server address. The server is the Exchange server; the address can be an FQDN or an IP address.
    After the server is added, the server status should be Online.

Screen shot of the server status

  9. Select the server farm you added, then click Health Test.

Screen shot of the Server Farm

  10. In the Health Test settings, test the URL:
    • In the URL text box, type the URL of the mail server.
    • Click Verify URL Test.
    • Verify that the test result is Pass.

Screen shot of the Health Test results
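The IIS Manager steps above can also be scripted, which makes the ARR build repeatable and lets you see exactly what the wizard writes to applicationHost.config. The script below is an added example and is not part of the WatchGuard guide or of Microsoft's ARR documentation. It assumes hypothetical names (ARR host arr.example.com, Exchange server mail.example.com, farm name ExchangeFarm), that the mail certificate was already imported into the Local Machine Personal store (the Server Certificates step), that ARR 3.0 and URL Rewrite are installed, and that the health test URL is the Exchange OWA health page /owa/healthcheck.htm (the guide only says to enter the URL of the mail server). The routing rule is something the Create Server Farm dialog offers to create for you; here it is created explicitly so that only HTTPS requests are matched and TLS is kept to Exchange rather than offloaded at ARR.

```powershell
# Added example (not from the WatchGuard guide): scripts the IIS ARR steps
# with the WebAdministration module that ships with IIS. All host names,
# the farm name and the health URL path are assumptions, not values from
# the guide. Run in an elevated PowerShell session on the ARR server.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$ArrHost   = 'arr.example.com'     # name in the mail certificate; what clients connect to
$Exchange  = 'mail.example.com'    # Exchange server, FQDN or IP address
$FarmName  = 'ExchangeFarm'
$AppHost   = 'MACHINE/WEBROOT/APPHOST'
# Assumed health page: Exchange 2013+ OWA answers "200 OK" plus its server name
$HealthUrl = "https://$Exchange/owa/healthcheck.htm"

# --- https binding on Default Web Site using the imported mail certificate ---
$cert = Get-ChildItem Cert:\LocalMachine\My -DnsName $ArrHost |
        Where-Object HasPrivateKey | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $ArrHost in Cert:\LocalMachine\My" }

if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
# Attach the certificate to the 0.0.0.0:443 binding (replace any stale one).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# --- Server farm with the Exchange server as its only member ---
$farmFilter = "webFarms/webFarm[@name='$FarmName']"
if (-not (Get-WebConfiguration -PSPath $AppHost -Filter $farmFilter)) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter 'webFarms' -Name '.' `
        -Value @{ name = $FarmName; enabled = $true }
}
if (-not (Get-WebConfiguration -PSPath $AppHost -Filter "$farmFilter/server[@address='$Exchange']")) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $farmFilter -Name '.' `
        -Value @{ address = $Exchange; enabled = $true }
}

# --- Health test: ARR polls this URL and takes the server offline when it fails ---
$hc = "$farmFilter/applicationRequestRouting/healthCheck"
Set-WebConfigurationProperty -PSPath $AppHost -Filter $hc -Name url           -Value $HealthUrl
Set-WebConfigurationProperty -PSPath $AppHost -Filter $hc -Name interval      -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $hc -Name timeout       -Value '00:00:10'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $hc -Name responseMatch -Value '200 OK'

# --- Routing rule: match HTTPS requests only and forward them over HTTPS ---
# Rewriting to https://<farm>/ keeps TLS end to end (no SSL offloading), so
# OWA credentials never cross the network between ARR and Exchange in clear text.
$rules    = 'system.webServer/rewrite/globalRules'
$ruleName = "ARR_${FarmName}_loadbalance_SSL"
$rule     = "$rules/rule[@name='$ruleName']"
if (-not (Get-WebConfiguration -PSPath $AppHost -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = $true }
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/match" -Name url -Value '*'
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'on' }
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name url  -Value "https://$FarmName/{R:0}"
}
# The ARR proxy must be enabled or the rewrite to the farm is never forwarded.
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/proxy' -Name enabled -Value $true

# --- Equivalent of "Verify URL Test": fetch the health URL from the ARR host ---
function Test-FarmHealthUrl {
    param([string]$Url, [string]$Expect = '200 OK')
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $pass = ($r.StatusCode -eq 200) -and ($r.Content -match [regex]::Escape($Expect))
    } catch { $pass = $false }
    [pscustomobject]@{ Url = $Url; Result = $(if ($pass) { 'Pass' } else { 'Fail' }) }
}
Test-FarmHealthUrl -Url $HealthUrl
```

Test-FarmHealthUrl fails, as the ARR health monitor itself will, if the ARR host does not trust the certificate that the Exchange server presents; a Fail here with Exchange reachable usually means the issuing CA is missing from the ARR server's Trusted Root or Intermediate store, not that OWA is down.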

Configure the Firebox and Access Portal

Add Firebox Users

If you want to make the ARR server available only to specific users, you must add those users to Firebox-DB.

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Authentication > Servers > Firebox-DB.
  3. Add a new user for Firebox-DB authentication. Specify the Username and Password. For more information, see Define a New User for Firebox Authentication.

Enable the Access Portal and Add the Web Application

  1. Select Subscription Services > Access Portal.
  2. Select the Enable Access Portal check box.

Screen shot of the Access Portal settings

  3. On the Applications tab, select Add > Web Application.
    The Add Web Application page appears.
  4. In the Name text box, type the application name (Exchange).
  5. In the Description text box, type a description for this application.
  6. To upload a custom icon for this application, select Custom Icon (optional).
  7. In the URL text box, type the URL of the IIS ARR server (the https binding you added on the Default Web Site).
  8. Click OK.

Configure the User Connection Settings

  1. Select the User Connection Settings tab.
  2. To give all users and groups permission to connect to all applications, select All applications are available to all users and groups authenticated with the Access Portal.
  3. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  4. Click Add, and select the Firebox-DB user that you added earlier.
  5. Select the application to make available to this user.

Screen shot of the Access Portal user or group settings

  6. Click OK.
  7. In the Authentication Servers list, select Firebox-DB.
  8. Click Save.

Add a Static NAT Action

Add a static NAT action for connections to the ARR server.

  1. Select Firewall > SNAT.
  2. Click Add.
  3. In the Name text box, type ARR.
  4. In the Description text box, type a description (optional).
  5. Set the Type to Static NAT.
  6. In the SNAT Members list, click Add.
    The Add Member dialog box appears.

Screen shot of the SNAT action settings

  7. From the IP Address or Interface drop-down list, select Any-External.

In Fireware v12.2 or lower, the IP Address or Interface drop-down list is named External/Optional IP Address.

  8. From the Choose Type drop-down list, select Internal IP Address.
  9. In the Host text box, specify the IP address of the ARR server on the private network.
  10. Click OK.
    The SNAT member is added to the SNAT action.

Screen shot of the added SNAT member

  11. Click Save.

Add a Policy for Connections to the ARR Server

Add an HTTPS proxy policy for connections through the Firebox to the ARR server. This policy uses the SNAT action you created earlier.

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
  3. In the Select a policy type settings, select Proxies.
  4. From the Proxies drop-down list, select HTTPS-proxy, and select the HTTPS-Client.Standard proxy action.

Screen shot of the Add Policy page

  5. Click Add Policy.
  6. In the From list, add Any-External and Any-Optional.
  7. In the To list, add Any-Trusted and the ARR SNAT action that you added earlier.

Screen shot of the From and To lists in the HTTPS-Proxy policy

  8. Keep the other policy settings at their default values. Click Save.

Test the Integration

  1. In a browser, go to https://<Firebox URL>.

Screen shot of the Access Portal login page

  2. Type a User Name and Password to authenticate with the Firebox.
  3. Click Log In.
    The Access Portal appears.

Screen shot of the Exchange application in the Access Portal

  4. Click the Exchange application.
    The browser goes to the ARR server URL.
  5. Type the Username and Password to log in to the mail server.
  6. Verify that the application opens successfully.

Screen shot of the Mail application