Friday, June 1, 2018

Deploying SecurEnvoy 2FA with Exchange Server 2016 OWA

I recently had to deploy SecurEnvoy 2FA with Exchange Server 2016’s OWA and noticed that there wasn’t official documentation for the configuration, so I thought I’d write this blog post to outline the steps I used. Note that the steps outlined in the Exchange 2013 documentation are accurate and the steps below are the same, but I’ve added additional post-deployment tasks for customizing the login page.

Environment Information

SecurEnvoy: Version 9.1.501 (https://www.securenvoy.com/support/downloads.shtm)
Microsoft Exchange: Exchange 2016 CU8
Server Operating System: Windows Server 2016

Deployment Steps

Begin by downloading the SecurEnvoy package from the portal:

Extract the securenvoy.zip package and navigate into the Release9.1.501 folder:

Proceed into the Agents folder and navigate into the Microsoft Server Agent folder:

Run the setup.exe executable:

Install the agent:

Configure the SecurEnvoy server or servers in the SecurEnvoy Servers tab:

Note that you’ll need to add the Exchange server to the SecurEnvoy server as a RADIUS client via the administration console:

Once configured, ensure that the Test Server option returns a Server OK status:

Click on the IIS Authentication tab and enable the Include SecurEnvoy Plugin in IIS option then click Update:

Answer OK to the prompt asking to install the CGI module:

Restart IIS when asked:

Launch IIS (Internet Information Services Manager), select the Default Web Site node and then double click the SecurEnvoy Two Factor Authentication node:

Enable the Enable Authentication On Site option and click Apply:

You will get an OK displayed to confirm the change:

Navigate to the owa node and double click the SecurEnvoy Two Factor Authentication node:

Enable the Enable Authentication On /owa option, click Apply and restart IIS:

Hit the refresh button and the SecurEnvoyAuth node should appear:

Right click on the SecurEnvoyAuth node, Manage Application then Advanced Settings…:

Verify that the Application Pool is configured as MSExchangeOWAAppPool:

Select the top node under Start Page and double click the SecurEnvoy Two Factor Authentication node:

Uncheck Allow non secure connections (http) option:

Add the following to the Logoff URLs:

/owa/auth/logon.aspx
/owa/auth/logoff.aspx

Restart IIS when asked:

The portal should now display the SecurEnvoy login screen:

Assuming you would like users to log in with their username only, ensure that you have configured a default domain for the portal with either of the following options:

Option #1 – Configure a default domain within the SecurEnvoy configuration

Option #2 – Configure a default domain within Exchange admin center

Navigate to the Exchange server’s C:\windows directory and open the file seiis.ini, locate the DefaultDomain= line and add the domain name:

-----------------------------------------------------------------------------------------------------------------------------------------------------

If neither option is configured and a user logs in with only the user name, you will get the following loop:

Message: Passcode OK

Redirecting to secured resource, please wait

If you don't redirect after a short time Click here

-----------------------------------------------------------------------------------------------------------------------------------------------------

With the above configured, proceed by backing up:

passcodeok.htm
auth.htm
accessdenied.htm

… located in \Program Files(x86)\SecurEnvoy\Microsoft IIS Agent\WEBAUTHTEMPLATE then copying the SecurEnvoy supplied OWA login page by navigating to

C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\SAMPLES\OWA2016

… and copying the 3 htm files into:

C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEBAUTHTEMPLATE

The login page should look as such:

I’m not completely sure why, but the 4 deployments I’ve been in did not include the images, so the following are the broken / missing images:

…/securenvoyauth/images/top.gif

…/securenvoyauth/images/heading_logo.gif

…/securenvoyauth/images/buttons/oneswipe.gif

…/securenvoyauth/images/buttons/send.gif

…/securenvoyauth/images/blackbottom.gif
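A post-deployment check for the steps above, as an added PowerShell script that is not from the original post or from SecurEnvoy. It assumes the agent paths used in this post, that /securenvoyauth/images is served from the agent’s WEB\images folder, and that the seiis.ini DefaultDomain line is the one mentioned under Option #2; run it right after copying the OWA2016 sample pages and before customizing them, since the hash comparison expects unmodified copies.

```powershell
# Added example: sanity checks for the SecurEnvoy OWA deployment described above.
# Paths, the app pool name and the seiis.ini DefaultDomain key are taken from the post;
# the mapping of /securenvoyauth/images to WEB\images is an assumption.
# Run in an elevated PowerShell on the Exchange server.
Import-Module WebAdministration

$agent    = 'C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent'
$template = Join-Path $agent 'WEBAUTHTEMPLATE'
$samples  = Join-Path $agent 'SAMPLES\OWA2016'
$webRoot  = Join-Path $agent 'WEB'
$results  = @()

# 1. SecurEnvoyAuth must run in the OWA application pool, not DefaultAppPool
$app = Get-WebApplication -Site 'Default Web Site' -Name 'SecurEnvoyAuth'
$results += [pscustomobject]@{
    Check = 'SecurEnvoyAuth app pool is MSExchangeOWAAppPool'
    Pass  = [bool]($app -and $app.applicationPool -eq 'MSExchangeOWAAppPool')
}

# 2. A default domain must be set, otherwise username-only logins loop on "Passcode OK"
$domain = Select-String -Path "$env:windir\seiis.ini" -Pattern '^DefaultDomain=(.+)$' |
          ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Select-Object -First 1
$results += [pscustomobject]@{ Check = 'DefaultDomain set in seiis.ini'; Pass = [bool]$domain }

# 3. The three OWA2016 sample pages should now be what WEBAUTHTEMPLATE serves
foreach ($name in 'auth.htm', 'accessdenied.htm', 'passcodeok.htm') {
    $src = Join-Path $samples $name
    $dst = Join-Path $template $name
    $same = (Test-Path $src) -and (Test-Path $dst) -and
            ((Get-FileHash $src).Hash -eq (Get-FileHash $dst).Hash)
    $results += [pscustomobject]@{ Check = "$name matches OWA2016 sample"; Pass = $same }
}

# 4. Images the sample page references but that were missing in the author's deployments
foreach ($rel in 'top.gif', 'heading_logo.gif', 'buttons\oneswipe.gif', 'buttons\send.gif', 'blackbottom.gif') {
    $results += [pscustomobject]@{
        Check = "images\$rel present in WEB"
        Pass  = Test-Path (Join-Path $webRoot "images\$rel")
    }
}

$results | Format-Table -AutoSize
```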

I chose to remove the following images because:

…/securenvoyauth/images/heading_logo.gif – this icon did not seem necessary

…/securenvoyauth/images/buttons/oneswipe.gif – this button never worked for my deployments

The heading logo doesn’t look good and OneSwipe doesn’t seem to work.

The customizations I made to get the page looking the way I wanted are as follows:

The pages to edit are:

Auth.htm
Accessdenied.htm
Realtime.htm

Initial Logon Page – auth.htm

  1. Copy blackbottom.gif into the directory C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEB\images (this fixes the broken banner at the bottom)
  2. Copy <yourLogo>.png into the directory: C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEB\images
  3. Open auth.htm in the directory: C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEBAUTHTEMPLATE
  4. Change the title between the <title> tags to <YourCompany> Webmail
  5. Search for the line referencing the image heading_logo.gif and remove it:

<IMG height="23" alt="" src="/securenvoyauth/images/heading_logo.gif" width="27" align="middle" border="0">

  6. Search for the line referencing the image oneswipe.gif and remove the following:

onload="se_oneswipe_init('placeFocus()', '/securenvoyauth/images/buttons/oneswipe.gif', 'USERID', 'PIN', '', 'send');"

  7. Search for the line referencing top.gif and replace it with <yourLogo>.png
  8. Search for the line setting the background colour #edf2f8 and change it to #ffffff (white)
  9. Add font-family: Arial; for style2, style4, style5 and style6
  10. Change all styles with x-small as the font size to small

Note that I did a Google search of SecurEnvoy OWA pages and downloaded the missing blackbottom.gif and send.gif images.

Access Denied Page – accessdenied.htm - displayed if incorrect credentials are entered

Repeat a subset of the steps required for initial logon page.

  1. Open accessdenied.htm in the directory: C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEBAUTHTEMPLATE
  2. Change the title between the <title> tags to <YourCompany> Webmail
  3. Search for the line referencing the image heading_logo.gif and remove it:

<IMG height="23" alt="" src="/securenvoyauth/images/heading_logo.gif" width="27" align="middle" border="0">

  4. Search for the line referencing top.gif and replace it with <YourLogo>.png
  5. Search for the line setting the background colour #edf2f8 and change it to #ffffff (white)
  6. Add font-family: Arial; for style2, style4, style5 and style6
  7. Change all styles with x-small as the font size to small

2FA Page - realtime.htm – displayed for SecurEnvoy code

  1. Open realtime.htm in the directory: C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEBAUTHTEMPLATE
  2. Search for the line referencing top.gif and replace it with <YourLogo>.png
  3. Search for the line setting the background colour #edf2f8 and change it to #ffffff (white)
  4. Add font-family: Arial; for style1, auto-style1, auto-style2, auto-style3
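The template edits for all three pages, as an added PowerShell script that is not from the original post or from SecurEnvoy. It assumes the WEBAUTHTEMPLATE path shown above, that each named style is defined as a CSS class (for example .style2 { ... }), and that the logo file name and company name are supplied as parameters (placeholders here); each file is backed up beside the original before it is changed.

```powershell
# Added example: applies the auth.htm / accessdenied.htm / realtime.htm edits listed above.
# Assumes the agent path from the post; $Company and $LogoFile are placeholders you supply
# ($LogoFile must already be copied into ...\Microsoft Server Agent\WEB\images).
param(
    [string]$Company  = 'YourCompany',   # placeholder
    [string]$LogoFile = 'yourlogo.png',  # placeholder
    [string]$Template = 'C:\Program Files (x86)\SecurEnvoy\Microsoft Server Agent\WEBAUTHTEMPLATE'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

function Edit-Template {
    param([string]$Name, [string[]]$Styles, [switch]$SetTitle, [switch]$RemoveHeadingLogo, [switch]$RemoveOneSwipe)
    $path = Join-Path $Template $Name
    Copy-Item -LiteralPath $path -Destination "$path.$stamp.bak"   # keep a backup next to the original
    $html = Get-Content -LiteralPath $path -Raw

    if ($SetTitle) {
        $html = $html -replace '<title>.*?</title>', "<title>$Company Webmail</title>"
    }
    if ($RemoveHeadingLogo) {
        # drop the whole <IMG ... heading_logo.gif ...> tag (-replace is case-insensitive)
        $html = $html -replace '<IMG[^>]*heading_logo\.gif[^>]*>\s*', ''
    }
    if ($RemoveOneSwipe) {
        # strip the onload handler that initialises the OneSwipe button
        $html = $html -replace '\s*onload="se_oneswipe_init\([^"]*\);"', ''
    }
    $html = $html -replace 'top\.gif', $LogoFile               # banner image -> your logo
    $html = $html -replace '#edf2f8', '#ffffff'                 # page background to white
    $html = $html -replace 'font-size:\s*x-small', 'font-size: small'
    foreach ($s in $Styles) {
        # insert font-family right after the opening brace of each named style class
        $html = $html -replace "(\.$s\s*\{)", '$1 font-family: Arial;'
    }
    Set-Content -LiteralPath $path -Value $html -NoNewline
}

Edit-Template -Name 'auth.htm'         -Styles 'style2','style4','style5','style6' -SetTitle -RemoveHeadingLogo -RemoveOneSwipe
Edit-Template -Name 'accessdenied.htm' -Styles 'style2','style4','style5','style6' -SetTitle -RemoveHeadingLogo
Edit-Template -Name 'realtime.htm'     -Styles 'style1','auto-style1','auto-style2','auto-style3'
```

Restart IIS afterwards, as the post does after each configuration change, and check the login page in a browser; the .bak copies let you roll back a single page if a replacement went wrong.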

I’ve tried logging out of the webmail portal and was sent back to the login screen so I don’t think modifications are required for the logout.htm file.

Hope this helps!
