Use Case 2: Managing Authentication and SSO to ActiveSync

Many organizations tightly control how Microsoft applications are used by publishing them through TMG, Microsoft’s Threat Management Gateway, which allows secure access to these applications. With TMG at end of life (EOL) and being sunset, customers can use FortiWeb as a replacement.

Customers that want to control authentication and SSO for ActiveSync, usually as part of publishing other components of the Exchange server, should use FortiWeb’s Site Publish feature.

First, make sure your Microsoft Exchange is configured correctly:

Exchange 2010

  1. Open IIS Manager.
    1. Go to Microsoft-Server-ActiveSync.
    2. Make sure Basic Authentication is enabled.
  2. Open Exchange Management Console.
    1. Go to Client Access.
    2. Switch to Exchange ActiveSync on the bottom panel.
    3. Double click Microsoft-Server-ActiveSync (Default Web Site).
    4. Make sure:
      1. URLs are configured correctly.
      2. Basic authentication is enabled.
      3. Client certificate is ignored.

Exchange 2013/2016/2019

  1. Open your browser and access the Exchange admin center at https://<exchange.server.com>/ecp.
  2. Log in with administrator credentials.
  3. Go to Microsoft-Server-ActiveSync (Default Web Site).
  4. Make sure the configurations are similar to those of Exchange 2010 above.
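
The three settings checked above (URLs, Basic authentication, client certificate) can also be read from the Exchange Management Shell. The script below is an added example, not part of the original Fortinet page; `$ExpectedHost` is a constructed placeholder, and treating the external URL's host as the name that will later be published is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# $ExpectedHost is a constructed placeholder; replace it with your own host name.
$ExpectedHost = 'mail.example.com'
$ExpectedPath = '/Microsoft-Server-ActiveSync'

$report = foreach ($vd in Get-ActiveSyncVirtualDirectory) {
    $problems = @()

    # Basic authentication must be enabled on the virtual directory.
    if (-not $vd.BasicAuthEnabled) {
        $problems += 'Basic authentication is disabled'
    }

    # Client certificates must be ignored, not accepted or required.
    if ("$($vd.ClientCertAuth)" -ne 'Ignore') {
        $problems += "ClientCertAuth is '$($vd.ClientCertAuth)', expected 'Ignore'"
    }

    # Every configured URL should use HTTPS and the ActiveSync path.
    foreach ($name in 'InternalUrl', 'ExternalUrl') {
        $value = "$($vd.$name)"
        if (-not $value) { $problems += "$name is not set"; continue }

        $uri = [uri]$value
        if ($uri.Scheme -ne 'https') {
            $problems += "$name does not use HTTPS"
        }
        if ($uri.AbsolutePath.TrimEnd('/') -ne $ExpectedPath) {
            $problems += "$name path is '$($uri.AbsolutePath)'"
        }
        # Assumption: clients reach ActiveSync through the external URL's host.
        if ($name -eq 'ExternalUrl' -and $uri.Host -ne $ExpectedHost) {
            $problems += "ExternalUrl host is '$($uri.Host)', expected '$ExpectedHost'"
        }
    }

    [pscustomobject]@{
        Server    = $vd.Server
        Name      = $vd.Name
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems -join '; '
    }
}

$report | Format-List
```

Any row with `Compliant : False` lists the setting to correct in IIS Manager or the Exchange console before continuing with the FortiWeb configuration.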

FortiWeb Configuration

First, configure a Site Publish policy:

  • Published Site should be the domain name of the URL above.
  • Path should be consistent with the URL above.
  • Cookieless should be enabled so that clients can access Microsoft Exchange servers through Exchange ActiveSync.
  • Authentication Delegation only supports HTTP Basic.

Now, attach the Site Publish policy to the Web Protection Profile.

Next, create a new server policy. ActiveSync is usually used with SSL, so the front end and backend should be configured with HTTPS.

  1. Configure the front end (towards the client) options.
  2. Configure the backend (towards the server pool) options.

Now, open the mail application on your phone and test. The following uses iPhone as an example:

  1. Open the Mail app.
  2. Choose Exchange.
  3. Input your credentials.
  4. Sometimes a re-check form pops up. Input your info again.
  5. If the FortiWeb certificate is not trusted, there will be a warning page. Press Continue.
  6. Access is now secured by FortiWeb.
