1. INTRODUCTION
The mPass authentication server is an OATH-compliant comprehensive solution for enabling multi-factor authentication for enterprise applications such as VPN Systems, Outlook Web Access, Active Directory Federation Services, Windows/Linux systems or any in-house developed applications. mPass authentication server enables strong authentication via OATH-based One Time Passwords (OTP) via SMS and Mobile apps.
The mPass OWA agent is an add-on solution for enabling multi-factor authentication for accessing emails via Microsoft’s Exchange OWA (Outlook Web Access) and Exchange Control Panel (ECP).
1.1 Purpose
The purpose of this document is to help administrators understand the mPass OWA Agent installation and configuration process.
1.2 Other Reading Suggestions
The administrators are advised to read the other document titled ‘mPass Authentication Server Installation Guide’ before reading this document.
2. OVERVIEW
The mPass OWA agent is an add-on plugged into the authentication service of Microsoft Exchange Outlook Web Access (OWA) and Exchange Control Panel (ECP) applications to provide multi-factor authentication via SMS/mPass mobile app authenticators in addition to the default username and password.
This agent works along with the default credentials verification provided by OWA and ECP applications to enhance the security of the application access.
2.1 Deployment Architecture
3. SUPPORTED SYSTEMS
The mPass OWA agent can be installed on the following Exchange servers:
Type | Versions |
Microsoft Exchange Servers | 2013, 2016, and 2019 |
4. SYSTEM PRE-REQUISITES AND DEPENDENCIES
4.1 Software Requirements
S.No | Servers |
1 | Windows Exchange Server 2013 or 2016, installed at the default location (C:/Program Files/Microsoft/Exchange Server/V15); installations at other locations are also supported |
2 | .NET Framework 4.6.1 or higher |
4.2 Network Requirements
From | To | Ports |
Exchange Server | mPass Authentication Server | 443, 80 |
4.3 Other Requirements
The mPass authentication server should be configured and functioning properly before proceeding with this installation. All the users for which multi-factor authentication is desired should have an active mailbox in the Exchange Server.
In addition, a channel should be defined in the mPass authentication server having the IP of the Exchange server so that it will allow the requests coming from it.
5. MPASS OWA AGENT SETUP AND CONFIGURATION
To begin the installation, ensure that the pre-requisites are met and that the executing user has administrator privileges.
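The software and network requirements from sections 4.1 and 4.2, together with the administrator requirement above, can be checked on the Exchange server before running the setup file. The PowerShell script below is an added example, not part of the vendor's guide or tooling; the server name `mpass.example.internal` is a placeholder, and the .NET release value 394254 is the minimum Microsoft documents for 4.6.1.

```powershell
# Added example: pre-installation check for the mPass OWA agent prerequisites.
# Run on the Exchange server. The default server name below is a placeholder.
param([string]$MPassServer = 'mpass.example.internal')

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; also works on older Windows Server builds.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$checks = [ordered]@{}

# Section 5: the executing user must have administrator privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$checks['Running as administrator'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Section 4.1: .NET Framework 4.6.1 or higher (registry Release value >= 394254).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework >= 4.6.1'] = ($null -ne $ndp) -and ($ndp.Release -ge 394254)

# Section 4.1: Exchange may be installed outside the default location;
# Exchange setup records the actual path in this environment variable.
$checks['Exchange install path found'] = [bool]$env:ExchangeInstallPath -and (Test-Path $env:ExchangeInstallPath)

# Section 4.2: Exchange server to mPass Authentication Server on ports 443 and 80.
foreach ($port in 443, 80) {
    $checks["TCP $port to $MPassServer"] = Test-TcpPort $MPassServer $port
}

# Print one line per check and return a non-zero exit code if any check failed.
$checks.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { exit 1 }
```

The script cannot verify that a channel with the Exchange server's IP has been defined on the mPass authentication server; that still has to be confirmed on the server itself.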
The following steps will guide you through the installation and configuration process of the mPass.
5.1 mPass OWA Agent Installation
Execute the setup file ‘mPass OWA Configuration Tool Setup.exe’.
Read the license agreement carefully, click “I accept terms in the License Agreement”, and then click Install.
The installation process will begin and after successful installation, the following dialog will be displayed and mPass OWA Configuration Tool will be installed.
Click Finish to close the dialog box displayed above.
5.2 mPass OWA Agent Configuration
This section explains how to configure the mPass OWA Agent. The mPass OWA Configuration Tool installed in the previous step can be opened in either of the following ways:
- By clicking the Windows icon and searching for ‘mPass OWA Configuration Tool’
- By going to the installation directory “C:\Program Files\Cerebra\OWA\mPass OWA Configuration Tool” and clicking mPass OWA Configuration Tool.exe
Once the mPass OWA Configuration Tool is opened for the first time it will automatically detect a new installation and will ask to add multi-factor authentication to the Exchange (as shown below). Click “Yes” to proceed.
After clicking “Yes”, the tool will open itself as shown below.
Note: The mPass OWA Configuration Tool is already pre-populated with default values to facilitate the user in configuration of their Exchange server.
The configuration tool has four sections, described below.
1. General Settings
2. Authentication Server Settings
3. Bypass Multi-factor Requests
4. IP Blacklisting
5.2.1 General Settings
In this section, general settings related to the Exchange server on which the mPass OWA Configuration Tool is installed are configured. Checking or unchecking the MFA Enabled checkbox enables or disables multi-factor authentication, respectively. Enter the Exchange Server IP in the OWA and ECP URLs section.
5.2.2 Authentication Server Settings
In this section, settings related to the mPass Authentication Server are configured. Edit the values present in the Web Services URL to point to the mPass Authentication Server. Change the values for Channel and Data Key to those defined in the mPass Authentication Server (refer to the mPass Authentication Server documentation to see how to define a channel).
5.2.3 Bypass Multi-factor Requests
If requests coming from IPs belonging to the internal network need to bypass multi-factor authentication, this feature can be enabled by checking the Enabled checkbox in this section. Similarly, it can be disabled by unchecking the Enabled checkbox. The existing IPs section shows the IPs (or IP ranges) that are currently configured to bypass multi-factor authentication. Additional IPs or IP ranges can be added by clicking the + button (as shown in the figure below).
Enter the IP or IP range in the mentioned format and click Save. The newly entered IP or IP range will be added to the existing IPs section.
Note: The bypass feature will only work if it is enabled.
5.2.4 IP Blacklisting
In contrast to bypassing requests from certain IPs, this feature blocks requests to access OWA that come from certain IPs. Just like bypassing requests, this feature can be enabled and disabled by checking and unchecking the Enabled checkbox, respectively. The existing IPs section shows the IPs (or IP ranges) that are currently blacklisted from accessing OWA. Additional IPs or IP ranges can be added by clicking the + button (as shown in the bypass multi-factor requests section above).
Note: The IP Blacklisting feature will only work if it is enabled.
Once all the changes are made, click Save. If the changes were saved successfully, a dialog box will appear stating that the settings were saved but that IIS must be restarted for some changes to take effect. Click Yes to restart IIS immediately or No to restart it manually.
Note: Multi-factor authentication might not work properly if IIS is not restarted.