This article describes how to configure Integrated Windows Authentication (IWA) for Mimecast, including prerequisites, Exchange setup, authentication profile creation, IP range restrictions, and validation steps for secure user authentication.
Integrated Windows Authentication (IWA) verifies the identity of a user by their email address and a Windows security token, using Exchange Web Services as the authentication provider.
Windows Extended Protection is not supported by Mimecast for Outlook. If you have enabled, or intend to enable, Windows Extended Protection in your Exchange environment, we recommend moving to a different authentication method, such as SAML.
Prerequisites
To use IWA, you must have:
- Exchange 2013 or later.
- A Secure Sockets Layer (SSL) certificate installed on your Exchange Client Access Server(s).
- Exchange Web Services (EWS) accessible inbound over HTTPS on port 443 from the Mimecast IP range.
Considerations
- When using a reverse proxy server (e.g., Microsoft's Threat Management Gateway) to publish your Exchange Client Access Server(s) to the internet, a direct connection from the Mimecast IP Range is required to the Exchange Web Services (EWS) URL, bypassing the standard form-based authentication page that is typically presented.
- If a forms-based authentication page is presented when a client connects to the EWS URL, Integrated Windows Authentication fails as this configuration is not supported.
- All connections to the Exchange Web Services (EWS) from the Mimecast IP range must be routed to the same Client Access Server if you use load balancing. This is because of the challenge-response nature of the authentication process. For example, suppose the first request from the client is directed to one Client Access Server, and the second is directed to another. In that case, the second server receiving the challenge response token is unaware of the first connection, resulting in the authentication attempt failing.
- While Integrated Windows Authentication (IWA) is still supported, it should be considered a legacy authentication method; other methods such as SSO and AD FS should be preferred where possible.
Configuring Your Exchange
Ensure the Exchange Client Access Server is directly accessible from the Mimecast IP range for your region. Additionally, check that the Negotiate authentication method is enabled on the Client Access Server(s). You can do this by using the following steps:
- Log on to the Exchange Client Access Server.
- Open the Internet Information Services (IIS) Manager administrative tool.
- Navigate to Server | Sites | Default Web Site | EWS.
- Select the Authentication icon from the feature view.
- Ensure that Windows Authentication is enabled.
- Repeat this for all Client Access Servers in the organization.
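The same check as a script, added here as an example (not part of the Mimecast article): run it in the Exchange Management Shell on each Client Access Server. It reports whether the front-end EWS virtual directory accepts Windows (Negotiate) authentication, both from Exchange's and from IIS's point of view, and whether IIS Extended Protection, which Mimecast for Outlook does not support, is enabled on /EWS. The site name and paths assume a default Exchange installation.

```powershell
# Added example; not part of the Mimecast article. Run on each Client Access
# Server in the Exchange Management Shell (repeat per server, as the steps say).
Import-Module WebAdministration

$ewsPath    = 'IIS:\Sites\Default Web Site\EWS'   # assumes the default site name
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Exchange's own view of the front-end (Default Web Site) EWS virtual directory
$ewsVdir = Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Where-Object { $_.Name -like '*(Default Web Site)' }

# IIS's view: the Windows Authentication module, its providers, and Extended Protection
$winAuth   = Get-WebConfiguration -PSPath $ewsPath -Filter $authFilter
$providers = (Get-WebConfiguration -PSPath $ewsPath -Filter "$authFilter/providers").Collection |
    Select-Object -ExpandProperty value
$extProt   = (Get-WebConfiguration -PSPath $ewsPath -Filter "$authFilter/extendedProtection").tokenChecking

$report = [pscustomobject]@{
    Server                  = $env:COMPUTERNAME
    ExternalUrl             = $ewsVdir.ExternalUrl
    ExchangeWindowsAuth     = $ewsVdir.WindowsAuthentication
    IisWindowsAuthEnabled   = $winAuth.enabled
    NegotiateProviderListed = ($providers -contains 'Negotiate')
    ExtendedProtection      = $extProt          # 'None' is what IWA needs
}
$report | Format-List

# Flag the conditions the article calls out
if (-not ($report.ExchangeWindowsAuth -and $report.IisWindowsAuthEnabled)) {
    Write-Warning 'Windows Authentication is not enabled on /EWS; Mimecast IWA will fail.'
}
if (-not $report.NegotiateProviderListed) {
    Write-Warning 'Negotiate is not in the Windows Authentication provider list on /EWS.'
}
if ($extProt -ne 'None') {
    Write-Warning "Extended Protection is '$extProt' on /EWS; Mimecast for Outlook does not support it."
}
```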
Creating / Amending an Authentication Profile
You can create an Authentication Profile by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on Authentication Profiles.
- Either:
  - Click the New Authentication Profile button.
  - Select an existing Authentication Profile.
- Enter a Description for the profile.
Integrated Windows Authentication Settings
You can enable Integrated Windows Authentication for an Authentication Profile by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on Authentication Profiles.
- Open the Authentication Profile where you wish to enable Integrated Windows Authentication.
- Select to Allow Integrated Windows Authentication (Mimecast for Outlook Only). This will expose two new fields where the Client Access Server URL(s) are entered.
- Enter the URL of the primary Client Access Server that the Mimecast for Outlook application should use for authentication. For example: https://myserver.mydomain.com/EWS/Exchange.asmx.
- If available, enter a secondary URL for redundancy. This will be used if the primary URL is offline or not accessible for any reason.
- Click the Save button.
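Before saving, it is worth confirming from outside that each URL entered above answers an unauthenticated request with a Negotiate/NTLM challenge rather than with a redirect or an HTML page, which is the forms-based login that the Considerations section says breaks IWA. The script below is an added example (not from the Mimecast article); the two URLs are assumed values, and it should be run from a host whose route to EWS matches the one used from the Mimecast IP range. It sends no credentials and only inspects the challenge.

```powershell
# Added example; not part of the Mimecast article. Probes the EWS URLs from the
# Authentication Profile without credentials and reports the kind of response.
$ewsUrls = @(
    'https://myserver.mydomain.com/EWS/Exchange.asmx',    # primary URL (assumed)
    'https://myserver2.mydomain.com/EWS/Exchange.asmx'    # secondary URL (assumed)
)

function Test-EwsNegotiate {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false     # keep a 302 to a login form visible
    $req.Credentials = $null            # do not answer the challenge, only inspect it
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()      # 2xx/3xx return normally
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) {
            return "NO RESPONSE: $Url ($($_.Exception.Message))"
        }
        $resp = $_.Exception.Response   # a 401 challenge lands here
    }
    $status   = [int]$resp.StatusCode
    $schemes  = $resp.Headers.GetValues('WWW-Authenticate')
    if (-not $schemes) { $schemes = @() }
    $location = $resp.Headers['Location']
    $resp.Close()

    if ($status -eq 401 -and ($schemes -match '^(Negotiate|NTLM)')) {
        return "OK: $Url answers 401 with $($schemes -join ', ')"
    }
    if ($status -ge 300 -and $status -lt 400) {
        return "FAIL: $Url redirects to $location (forms-based authentication page?)"
    }
    if ($status -eq 200) {
        return "FAIL: $Url returns 200 with no challenge (forms page or anonymous access)"
    }
    return "CHECK: $Url returned $status, WWW-Authenticate: $($schemes -join ', ')"
}

foreach ($url in $ewsUrls) { Test-EwsNegotiate -Url $url }
```

If a reverse proxy sits in front of EWS, the FAIL lines are the symptom of the forms-based page the Considerations section describes, and the fix is an unauthenticated pass-through rule for the Mimecast IP range to the EWS path.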
Defining Permitted IP Ranges
To add a layer of security, Mimecast provides optional Permitted IP Range settings for the Mimecast Administration Console, End User Applications, and Gateway Authentication attempts.
Mimecast Administration Console
You can configure Permitted IP ranges for the Mimecast Administration Console by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Account | Account Settings.
- Open the User Access and Permissions section.
- In the Admin IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
- Click the Save button.
End-User Applications
You can configure Permitted IP Ranges for End User Applications by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on Authentication Profiles.
- Either:
  - Click the New Authentication Profile button.
  - Select an existing Authentication Profile.
- Select the Permitted Application Login IP Ranges option. This displays an additional Application Login IP Ranges field.
- In the Application Login IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
- Click the Save and Exit button to apply the new settings.
Gateway Authentication Using SMTP or POP
You can configure Permitted IP Ranges for Gateway Authentication using SMTP or POP, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Click on Authentication Profiles.
- Either:
  - Click the New Authentication Profile button.
  - Select an existing Authentication Profile.
- Select the Permitted Gateway Login IP Ranges option. This displays an additional Gateway Login IP Ranges field.
- In the Gateway Login IP Ranges text box, enter the public IP address ranges you want to restrict access to in CIDR format, one range per line.
- Click the Save and Exit button to apply the new settings.
Applying an Authentication Profile to an Application Setting
An Authentication Profile is applied to a group of users. A given user can only have one effective profile at a given time. Consequently, you may want to add additional authentication options to your Authentication Profile.
Once your Authentication Profile is complete, you need to reference it in an application setting for it to be applied, by using the following steps:
- Log in to the Mimecast Administration Console.
- Navigate to Users & Groups | Applications.
- Select the Application Setting that you want to use.
- Click the Lookup button to find the Authentication Profile you want to reference, and click the Select link on the lookup page.
- Select Save and Exit to apply the change.
Validating Your Configuration
You can validate the success of the configuration, by using the following steps:
- On a machine with Mimecast for Outlook installed, log in to Windows as a user who should have Integrated Windows Authentication applied and start Outlook.
- The Mimecast for Outlook status panel should indicate that the client is communicating with Mimecast.
- The Authentication Settings panel should show a tick, indicating that authentication has succeeded and is Active.