Microsoft IIS ARR Authentication to Exchange Integration with the WatchGuard Access Portal

Deployment Overview

You can configure the WatchGuard Access Portal to enable your users to log in through one portal and get access to multiple services. This document describes how to configure the WatchGuard Access Portal to integrate with Microsoft IIS Application Request Routing (ARR) and Exchange Outlook Web Application.

Integration Summary

Hardware and Service versions:

  • IIS URL Rewrite Module 7.2
  • IIS Application Request Routing (ARR) 3.0
  • Exchange 2019
  • Microsoft Windows Server 2019
  • WatchGuard Firebox:
    • Fireware v12.7.1
    • Feature key with an Access Portal license

Test Topology

Diagram of the network topology for this integration

Before You Begin

  • Install AD DS & DNS and AD CS on your Windows server
  • Install Microsoft Exchange Server on your Windows server
  • Install IIS URL Rewrite Module and ARR on your Windows server
  • Publish certificate to domain member

Your Exchange server must be joined to the domain. Your ARR server can be joined to the domain, but this is optional. In this integration guide, our ARR server is joined to the domain.

Configure IIS ARR

  1. Log in to IIS Manager.
  2. Navigate to IIS HOME.
  3. Click Server Certificates.

Screen shot of IIS Manager

  4. Click Import to import the Exchange certificate.

Screen shot of IIS Manager

  5. Click Default Web Site.
  6. In the Actions list, click Bindings.

Screen shot of the Default Web Site Home settings

  7. Add an https Binding using the Exchange certificate.

Screen shot of the HTTPS bindings settings

  8. Right-click Server Farms, and select Create Server Farm.

Screen shot of the Create Server Farm menu item

  9. Type the Server farm name and Server address. The server is the Exchange server. The server address can be an FQDN or IP address.
    After the server is added, the server status should be Online.

Screen shot of the server status

  10. Select the added Server Farm, then click Health Test.

Screen shot of the Server Farm

  11. To test the URL, in the Health Test settings:
    • In the URL text box, type the URL of the Exchange server.
    • Click Verify URL Test.
    • Verify that the test result is Pass.

Screen shot of the Health Test results
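
The following PowerShell is an added example, not part of the original guide or of WatchGuard or Microsoft tooling. Run on the ARR server, it re-checks the settings made in IIS Manager above without changing them. It assumes the WebAdministration module and ARR are installed. The farm name ExchangeFarm is a placeholder for the Server farm name you typed.

```powershell
# Added example: read-only check of the IIS ARR settings configured above.
Import-Module WebAdministration
$SiteName = 'Default Web Site'
$FarmName = 'ExchangeFarm'      # placeholder: the Server farm name you typed
$Root     = 'MACHINE/WEBROOT/APPHOST'
$FarmPath = "webFarms/webFarm[@name='$FarmName']"
$report   = @()
# 1. The site has an https binding, and its certificate is present and in date.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    $report += 'FAIL  no https binding on the site'
} else {
    $cert = Get-ChildItem "Cert:\LocalMachine\$($binding.certificateStoreName)" |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) {
        $report += 'FAIL  https binding has no certificate in the machine store'
    } elseif (-not $cert.HasPrivateKey) {
        $report += 'FAIL  certificate was imported without its private key'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $report += "FAIL  certificate expired on $($cert.NotAfter)"
    } else {
        $report += "OK    https binding uses $($cert.Subject), valid to $($cert.NotAfter)"
    }
}
# 2. The server farm exists and every listed server is enabled.
$servers = @(Get-WebConfiguration -PSPath $Root -Filter "$FarmPath/server")
if ($servers.Count -eq 0) {
    $report += "FAIL  server farm '$FarmName' not found or has no servers"
} else {
    foreach ($s in $servers) {
        $state = if ($s.enabled) { 'OK  ' } else { 'FAIL' }
        $report += "$state  farm server $($s.address) enabled=$($s.enabled)"
    }
}
# 3. The health test URL is set and answers over a trusted TLS connection.
$url = (Get-WebConfigurationProperty -PSPath $Root `
        -Filter "$FarmPath/applicationRequestRouting/healthCheck" -Name url).Value
if (-not $url) {
    $report += 'FAIL  no health test URL configured for the farm'
} else {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $report += "OK    health URL $url returned HTTP $($r.StatusCode)"
    } catch {
        $report += "FAIL  health URL $url : $($_.Exception.Message)"
    }
}
$report
```

A FAIL on the third check with a trust or name-mismatch message means the ARR server does not trust the certificate the Exchange server presents, or the URL host name does not match that certificate.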

Configure the Firebox

Add Firebox Users

If you want to make the ARR server available only to specific users or groups, you must add those users or groups to Firebox-DB.

In this example, we use Firebox-DB, but you can use another authentication server for the Access Portal.

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Authentication > Servers > Firebox-DB.
  3. Add a new user for Firebox-DB authentication. Specify the user name and password. For more information, see Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.

Enable the Access Portal and Add the Web Application

  1. Select Subscription Services > Access Portal.
  2. Select the Enable Access Portal check box.

Screen shot of the Access Portal settings

  3. In the Applications tab, select Add > Web Application.
    The Add Web Application page appears.
  4. In the Name text box, type the application name. In our example, this is Exchange.
  5. In the Description text box, type a description for this application.
  6. To upload a custom icon for this application, select Custom Icon (optional).
  7. In the URL text box, type the URL of the IIS ARR server.
  8. Click OK.

Configure the User Connection Settings

  1. Select the User Connection Settings tab.
  2. To give all users and groups permission to connect to all applications, select All applications are available to all users and groups authenticated with the Access Portal.
  3. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  4. Click Add, and select the Firebox-DB user or group which you added earlier.
  5. Select the application to make available to this user.

Screen shot of the Access Portal user or group settings

  6. Click OK.
  7. In the Authentication Servers list, select Firebox-DB.
  8. Click Save.

Add a Static NAT Action

Add a static NAT action for connections to the ARR server.

  1. Select Firewall > SNAT.
  2. Click Add.
  3. In the Name text box, type a name.
  4. In the Description text box, type a description (optional).
  5. Set the Type to Static NAT.
  6. In the SNAT Members list, click Add.
    The Add Member dialogue box appears.

Screen shot of the SNAT action settings

  7. From the IP Address or Interface drop-down list, select Any-External.

In Fireware v12.2 or lower, the IP Address or Interface drop-down list is named External/Optional IP Address.

  8. From the Choose Type drop-down list, select Internal IP Address.
  9. In the Host text box, specify the IP address of the IIS ARR server on the private network.
  10. Click OK.
    The SNAT member is added to the SNAT action.

Screen shot of the added SNAT member

  11. Click Save.

Add a Policy for Connections to the ARR Server

Add an HTTPS proxy policy for connections through the Firebox to the ARR server. This policy uses the SNAT action you created earlier.

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
  3. In the Select a policy type settings, select Proxies.
  4. From the Proxies drop-down list, select HTTPS-proxy, and select the HTTPS-Client.Standard proxy action.

Screen shot of the Add Policy page

  5. Click Add Policy.
  6. In the From list, add Any-External and Any-Optional.
  7. In the To list, add Any-Trusted, and the ARR SNAT action that you added earlier.

Screen shot of the From and To lists in the HTTPS-Proxy policy

  8. Leave the default value for other policy settings. Click Save.

Test the Integration

  1. In a browser, go to https://<Firebox External IP address or FQDN>.

Screen shot of the Access Portal login page

  2. Type your User Name and Password to authenticate to the Firebox.
  3. Click Log In.
    The Access Portal appears.

Screen shot of the Exchange application in the Application Portal

  4. Click the Exchange application.
    The browser goes to the ARR server URL.
  5. Type the User name and Password to log in.
    Exchange OWA successfully opens with the ARR server URL.

Screen shot of the Exchange application in the Application Portal

Screenshot of the Mail application