Franky's Web

Exchange 2016 and Sophos UTM 9.4 with reverse authentication

Recently I set up a small Exchange organization, including the configuration of Sophos UTM 9.4 for publishing the Exchange web services. In the comments on those articles, people asked whether authentication could be performed directly on the UTM instead of first on the Exchange server. Microsoft Forefront TMG also had this function. The Sophos UTM feature for this is called "Reverse Authentication" and can also be used in conjunction with Exchange:

Switching Exchange 2016 to Basic Authentication

For the Sophos UTM's reverse authentication to work, the authentication method for OWA and ECP must be changed to "Basic Auth" (Basic authentication, labelled "Standardauthentifizierung" in the German EAC). The authentication type can be set via the EAC:

The same applies to /ECP:

After the authentication for both virtual directories has been changed, IIS must be restarted (iisreset):
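The same change as in the EAC steps above, done from the Exchange Management Shell as an added example (not part of the original article). The server name "EX01" is an assumption; the cmdlets and parameters are standard Exchange 2016 ones.

```powershell
# Added example: switch the client-facing OWA and ECP virtual directories of one
# Exchange 2016 server from forms-based to Basic authentication, restart IIS, verify.
# "EX01" is an assumed server name; replace it with your own.
$Server = 'EX01'

# Only the "Default Web Site" (client-facing) directories are changed; the
# "Exchange Back End" site keeps its existing authentication settings.
$owa = Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' }
$ecp = Get-EcpVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' }

# Disable forms-based authentication and enable Basic authentication. The UTM
# presents its own login form and passes the credentials on to Exchange via Basic auth,
# so this hop must stay inside the TLS connection between UTM and Exchange.
$owa | Set-OwaVirtualDirectory -FormsAuthentication $false -BasicAuthentication $true
$ecp | Set-EcpVirtualDirectory -FormsAuthentication $false -BasicAuthentication $true

# The change only takes effect after IIS has been restarted on that server
# (equivalent to running iisreset locally; needs WinRM on the target).
Invoke-Command -ComputerName $Server -ScriptBlock { iisreset }

# Verify: both directories should now report BasicAuthentication True and FormsAuthentication False.
Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' } |
    Format-List Name, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Server $Server | Where-Object { $_.Name -like '*Default Web Site*' } |
    Format-List Name, BasicAuthentication, FormsAuthentication, WindowsAuthentication
```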

Next, the UTM side.

Configuring Sophos UTM for Reverse Authentication

The prerequisite for reverse authentication is a set up and functioning web server protection (WAF). I have already described how to set this up for Exchange 2016 here:


The configuration from the above article can now be used and extended to include the Reverse Authentication feature.

An authentication server of type "LDAP" must be created so that Exchange users can be authenticated on the UTM:

Note: The backend type here must be "LDAP". With the backend type "Active Directory (adirectory)", the login to OWA does not work and the login window pops up again and again. Both types, Active Directory and LDAP, can nevertheless be configured on the UTM side by side.

Even though the backend type is "LDAP", a domain controller or a pool of domain controllers is specified as the server. A normal domain user and its Distinguished Name (Bind DN) are required for the query:

The fastest way to display the Distinguished Name is via PowerShell:

Get-ADUser SophosUTM | fl name,DistinguishedName

The "User attribute" field is set to the custom option and the value "userPrincipalName" is entered in the "Custom" field. A test should then be successful:

Configuring the Sophos UTM WAF for Reverse Authentication

To perform authentication on the Sophos UTM, an authentication profile must be created:

The relevant settings can be seen in the screenshot. The value "/owa/logoff.owa" is used as the logout URL.

For the Authentication Profile to be applied, two Site Path Routes must now be created, one for OWA and one for ECP:

As soon as the two Site Path Routes exist, opening OWA no longer shows the Exchange form for user name and password, but the UTM form instead:

Here the user name must be entered as the UPN:

Configuring a suffix in the Authentication Profile does not seem to work.
