Microsoft IIS ARR Authentication to Exchange Integration with the WatchGuard Access Portal

Deployment Overview

You can configure the WatchGuard Access Portal to enable your users to log in through one portal and get access to multiple services. This document describes how to configure the WatchGuard Access Portal to integrate with Microsoft IIS Application Request Routing (ARR) and Exchange Outlook Web Application.

Test Topology

Before You Begin

• Install AD DS & DNS and AD CS on your Windows server
• Install Microsoft Exchange Server on your Windows server
• Install IIS URL Rewrite Module and ARR on your Windows server
• Publish certificate to domain member

Your Exchange server must be joined to the domain. Your ARR can bet joined to the domain, but this is optional. In this integration guide, our ARR sever is joined to the domain.

Configure IIS ARR

1. Log in to IIS Manager.
2. Navigate to IIS HOME.
3. Click Server Certificates.
   

4. Click Import to import the Exchange certificate.
   

5. Click Default Web Site.
   
6. In the Actions list, click Bindings.

7. Add an https Binding using the Exchange certificate.

8. Right click Server Farms, select Create Server Farm.

9. Type the Server farm name and Server address. The server is the exchange server. The server address can be an FQDN or IP address.
   After the server is added, the server status should be Online.

10. Select the added Server Farm, then click Health Test.

11. To test the URL, in the Health Test settings:
    • In the URL text box, type the URL of the Exchange server.
    • Click Verify URL Test.
    • Verify that the test result is Pass.

Configure the Firebox

Add Firebox Users

If you want to make the ARR server available only to specific users or groups, you must add those users or groups to Firebox-DB.

In this example, we use Firebox-DB, but you can use another authentication server for the Access Portal.

1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
2. Select Authentication > Servers > Firebox-DB
3. Add a new user for Firebox-DB authentication. Specify the user name and password. For more information, see Define a New User for Firebox Authentication and Define a New Group for Firebox Authentication.

Enable the Access Portal and Add the Web Application

1. Select Subscription Services > Access Portal.
2. Select the Enable Access Portal check box.

3. In the Applications tab, select Add > Web Application.
   The Add Web Application page appears.
4. In the Name text box, type the application name. In our example. this is Exchange.
5. In the Description text box, type a description for this application.
6. To upload a custom icon for this application, select Custom Icon (optional).
7. In the URL text box, type the URL of the IIS ARR server.
8. Click OK.

Configure the User Connection Settings

1. Select the User Connection Settings tab.
2. To give all users and groups permission to connect to all applications, select All applications are available to all users and groups authenticated with the Access Portal.
3. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
4. Click Add, and select the Firebox-DB user or group which you added earlier.
5. Select the application to make available to this user.

6. Click OK.
7. In the Authentication Servers list, select Firebox-DB.
8. Click Save.

Add a Static NAT Action

Add a static NAT action for connections to the ARR server.

1. Select Firewall > SNAT.
2. Click Add.
3. In the Name text box, type a name.
4. In the Description text box, type a description (optional)
5. Set the Type to Static NAT.
6. In the SNAT Members list, click Add.
   The Add Member dialogue box appears.

7. From the IP Address or Interface drop-down list, select Any-External.

In Fireware v12.2 or lower, the IP Address or Interface drop-down list is named Externa/Optional IP Address.

8. From the Choose Type drop-down list, select Internal IP Address
9. In the Host text box, specify the IP address of the IIS ARR server on the private network.
10. Click OK.
    The SNAT member is added to the SNAT action.

11. Click Save.

Add a Policy for Connections to the ARR Server

Add an HTTPS proxy policy for connections through the Firebox to the ARR server. This policy uses the SNAT action you created earlier.

1. Select Firewall > Firewall Policies.
2. Click Add Policy.
3. In the Select a policy type settings, select Proxies.
4. From the Proxies drop-down list, select HTTPS-proxy, and select the HTTPS-Client.Standard proxy action.

5. Click Add Policy.
6. In the From list, add Any-External and Any-Optional.
7. In the To list, add Any-Trusted, and the ARR SNAT action that you added earlier.

8. Leave the default value for other policy settings. Click Save.

Test the Integration

1. In a browser, go to https://<Firebox External IP address or FQDN>.

2. Type your User Name and Password to authenticate to the Firebox.
3. Click Log In.
   The Access Portal appears.

4. Click the exchange application.
   The browser goes to the ARR server URL.
5. Type the User name and Password to log in.
   Exchange OWA successfully opens with ARR server URL.