For clientless mode deployment, DualShield Authentication must be enabled on the following IIS Web applications:

  • MAPI
  • EWS 

MAPI is for Outlook/Windows, EWS is for Outlook/Mac.

Please note, 2FA/MFA over RPC is not supported, however you might still want to enable DualShield 2FA on the RPC node to block requests coming to RPC.


In the IIS Manager, select "Default Web Site | MAPI"


Double click the "DualShield Authentication" icon

Enable the "Enable Two-Factor Authentication on the Current Node" option
Enable the "Apply Settings to Child Nodes" option
Select "Outlook Anywhere" from the "Service Type" list

Click the "Change" button in the "SSO Server" section:

Enter the Server Address of your DualShield SSO server.
Enable the "SSL" optiopn if your DualShield platform is operating on the SSL mode. 
Enable the "Enable Proxy" option.
Click OK.

In the "Application" list, select your DualShield application for the Outlook Anywhere service, e.g. "Outlook Anywhere".

Click the "Advanced Logon Settings" button


Select the "Outlook Anywhere" tab

Enable the "Enable Agent-Less Outlook Anywhere" option

 Advance Filter

If you want to enable the Outlook Anywhere on Mac platform but not Windows platform, you can set the following filter: 

Click "Add".

In "Header" field, enter: User-Agent.

In "Value" field, enter: ^.*MacOutlook.*$

Select "Use regular expression", and "enabled" on drop down list

Click "OK" to save this filter

Click "Add" again

In "Header" field, enter: User-Agent.

In "Value" field, enter: ^.*Windows.*Outlook.*$

Select "Use regular expression", and "disabled" on drop down list.

Click "OK" to save this filter.


Click "OK" to save advanced logon settings.

Finally, click "Apply" to apply the configurations.

Repeat the above steps on the "RPC" and "EWS" node if neccessary.