- Created by Adam Darwin, last modified by Jeffery Birks on Oct 13, 2022
To secure Exchange mails with MFA, you must install the DualShield IIS agent on every Exchange Mailbox Server or Exchange Client Access Server (CAS).
Install the DualShield IIS Agent
Prerequisites
- Windows 2012/2016/2019 Server with the latest Service Pack and Internet Information Services (IIS) 7.x/8.x installed.
- Exchange 2013/2016/2019 Server with the latest Service Pack, if the integration is for Exchange emails.
Install DualShield IIS Agent
The DualShield IIS Agent must be installed on the IIS server that is to be secured with multi-factor authentication.
Before installing the DualShield IIS Agent, you must exit the IIS Manager if it is running.
To install the DualShield IIS Agent, launch the installer “SetupDualIIS7_x64.xxx.yyyy-dotnet4.exe” (where xxx is the version number and yyyy the build number) and complete the following steps.
Establish Trust between DualShield IIS Agent and DualShield SSO Server
Follow the steps below to import the CA certificate of the DualShield SSO Server and test it.
Download CA Certificate
On the machine where the DualShield IIS Agent is installed, launch a web browser and visit the DualShield SSO Server by entering the URL below:
https://dualshield-sso-server-fqdn:8074/sso/ping
* Replace "dualshield-sso-server-fqdn" with the FQDN of your DualShield SSO Server.
Click the certificate warning icon, then click "Certificate (invalid)" to show the certificate.
Now, click the "Certificate Path" tab
Then select the root certificate (which is usually named "ca.xxx.yyy")
Now, click the "Details" tab
Then click the "Copy to File" button.
The "Certificate Export Wizard" will be launched.
Click "Next"
Select the option: "DER encoded binary X.509"
Enter a file name or use "Browse..." to select the folder where the certificate file will be saved.
Click "Finish"
Install CA Certificate
Now that the CA certificate has been downloaded and saved in the local drive, it needs to be imported into the Windows certificate store.
In the File Explorer, navigate to the folder where the certificate is saved.
Right click on the certificate to bring up the context menu
Select "Install Certificate" in the menu
The Certificate Import Wizard will be launched
Select "Local Machine" as the Store Location
Click "Next"
Select "Place all certificates in the following store"
Click "Browse..." to select the Certificate Store
Select "Trusted Root Certification Authorities"
Click "OK"
Click "Next"
Click "Finish"
Test Certificate
To verify that the CA certificate has been installed correctly, launch a web browser and visit the DualShield SSO Server by entering the URL below:
https://dualshield-sso-server-fqdn:8074/sso/ping
* Replace "dualshield-sso-server-fqdn" with the FQDN of your DualShield SSO Server.
If the CA certificate has been installed correctly, there will be no certificate warning.
You can check it further by clicking on the certificate icon.
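The "Install CA Certificate" and "Test Certificate" steps above can also be scripted. The following PowerShell is an added example, not part of the original page or of the DualShield product; the file path, the expected-thumbprint placeholder (a value you confirm with whoever administers the SSO server) and the TLS 1.2 setting are assumptions.

```powershell
# Added example (not vendor code). Run in an elevated session on the IIS Agent server.
$CaFile   = 'C:\Temp\dualshield-ca.cer'      # assumed: where the export wizard saved the DER file
$SsoFqdn  = 'dualshield-sso-server-fqdn'     # placeholder used on this page
$Port     = 8074
$Expected = '<THUMBPRINT-CONFIRMED-OUT-OF-BAND>'   # placeholder, not a real value

# Check the exported file before trusting it machine-wide: it was copied from a
# connection the browser had flagged as invalid, so compare it to a known thumbprint.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed root: $($ca.Subject)" }
if ($ca.Thumbprint -ne ($Expected -replace '\s', '').ToUpper()) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint)"
}

# Same result as the Certificate Import Wizard: Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Equivalent of the browser test: a TLS handshake with default (strict) validation.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $SsoFqdn, $Port
try {
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
    # Assumption: the SSO server accepts TLS 1.2. Throws if the chain or host name is not trusted.
    $ssl.AuthenticateAsClient($SsoFqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

    # Confirm the server certificate chains to the CA just imported, not to some other root.
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -eq $ca.Thumbprint) {
        "OK: $($leaf.Subject) chains to the imported CA $($ca.Subject)"
    } else {
        Write-Warning "Trusted, but through a different root: $($root.Subject)"
    }
}
catch {
    Write-Warning "Handshake or chain check failed: $($_.Exception.GetBaseException().Message)"
}
finally { $tcp.Close() }
```

The script stops before importing anything if the thumbprint placeholder has not been replaced with a confirmed value.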
Enable IIS Reverse Proxy
If you do not want to expose the DualShield SSO server to the public network, for example because it does not have a public FQDN or a commercial certificate, you can use the IIS reverse proxy function. With the IIS reverse proxy, your DualShield SSO server appears to users as an integrated part of your web application. The IIS reverse proxy not only saves you from publishing your DualShield SSO server, it also gives users a better experience.
To enable the reverse proxy function in the IIS server, follow the steps below:
Enable Proxy in the IIS Manager
Select the web server node (under "Start Page" if it is the first web server) from the list on the left pane in the IIS Manager console
In the "features view" window (the window in the middle), find "Application Request Routing" and double click it
On the right pane, find the "Server Proxy Settings..." link and click it
Back in the middle pane, tick (enable) the first check box, "Enable Proxy"
Click "Apply" to save the change.
Enable Proxy in the DualShield IIS Agent
Click the "DualShield IIS Agent" shortcut to open the IIS Agent Console
In the "SSO Server" section, click the "Change..." button
In the "SSO Server Settings" popup window, enable the option "Enable Proxy"
Click OK to save settings.
Click Apply to apply the changes.