To secure Exchange mail with MFA, you must install the DualShield IIS agent on every Exchange Mailbox Server or Exchange Client Access Server (CAS).

Install the DualShield IIS Agent

Prerequisites

  • Windows Server 2012/2016/2019 with the latest Service Pack and Internet Information Services (IIS) 7.x/8.x installed.
  • Exchange 2013/2016/2019 Server with the latest Service Pack, if the integration is for Exchange emails.

Install DualShield IIS Agent

The DualShield IIS Agent must be installed on the IIS server that is to be secured with multi-factor authentication.

Before installing the DualShield IIS Agent, you must exit the IIS Manager if it is running.

To install the DualShield IIS Agent, launch the installer “SetupDualIIS7_x64.xxx.yyyy-dotnet4.exe” (where xxx is the version number and yyyy the build number) and complete the following steps.

Establish Trust between DualShield IIS Agent and DualShield SSO Server

The communication protocol between the DualShield IIS Agent and SSO Server is HTTPS. Therefore, the DualShield SSO Server has to be trusted by the IIS Agent. If your DualShield SSO Server has a commercial SSL certificate issued by a certificate authority such as GoDaddy, DigiCert, Comodo, Sectigo, etc. then your DualShield SSO Server is automatically trusted by your DualShield IIS Agent. However, if your DualShield SSO Server has a self-signed SSL certificate, then you must import the CA certificate of your DualShield SSO Server into the local Windows certificate store on the server where the DualShield IIS Agent is installed.

Follow the steps below to import the CA certificate of the DualShield SSO Server and test it.

Download CA Certificate

On the machine where the DualShield IIS Agent is installed, launch a web browser and visit the DualShield SSO Server by entering the URL below:

https://dualshield-sso-server-fqdn:8074/sso/ping

* Replace "dualshield-sso-server-fqdn" with the FQDN of your DualShield SSO Server.

Click the certificate warning icon, then click "Certificate (invalid)" to show the certificate.

Now, click the "Certificate Path" tab.

Then select the root certificate (which is usually named "ca.xxx.yyy").

Now, click the "Details" tab.

Then click the "Copy to File..." button.

The "Certificate Export Wizard" will be launched.

Click "Next"

Select the option: "DER encoded binary X.509"

Enter a file name or use "Browse..." to select the folder where the certificate file will be saved.

Click "Finish"

Install CA Certificate

Now that the CA certificate has been downloaded and saved in the local drive, it needs to be imported into the Windows certificate store.

In the File Explorer, navigate to the folder where the certificate is saved.

Right click on the certificate to bring up the context menu

Select "Install Certificate" in the menu

The Certificate Import Wizard will be launched

Select "Local Machine" as the Store Location

Click "Next"

Select "Place all certificates in the following store"

Click "Browse..." to select the Certificate Store

Select "Trusted Root Certification Authorities"

Click "OK"

Click "Next"

Click "Finish"

Test Certificate

To verify that the CA certificate has been installed correctly, launch a web browser and visit the DualShield SSO Server by entering the URL below:

https://dualshield-sso-server-fqdn:8074/sso/ping

* Replace "dualshield-sso-server-fqdn" with the FQDN of your DualShield SSO Server.

If the CA certificate has been installed correctly, there will be no certificate warning.

You can check it further by clicking on the certificate icon.
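The "Install CA Certificate" and "Test Certificate" steps above can also be done from an elevated PowerShell session on the IIS Agent server. The script below is an added example and is not part of the DualShield documentation or product; it assumes that the CA certificate has already been exported as a DER (.cer) file as described in "Download CA Certificate", and `$CaFile` and `$SsoFqdn` are placeholders to replace with your own path and FQDN. Before importing, it checks that the file really is the self-signed root CA and not the server's own leaf certificate, because anything placed in "Trusted Root Certification Authorities" is trusted machine-wide; it then imports the certificate and repeats the /sso/ping test, which fails with a trust error if the import did not work.

```powershell
# Added example, not DualShield's own code. Imports an exported DualShield SSO
# Server CA certificate into Local Machine > Trusted Root Certification
# Authorities and tests the HTTPS connection, mirroring the manual steps above.
param(
    [string]$CaFile  = 'C:\temp\dualshield-ca.cer',   # assumed path of the exported DER file
    [string]$SsoFqdn = 'dualshield-sso-server-fqdn'   # placeholder; use your SSO Server FQDN
)

$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 defaults to older protocols; force TLS 1.2 for the test.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Inspect the file before trusting it.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaFile
Write-Host "Subject   : $($ca.Subject)"
Write-Host "Issuer    : $($ca.Issuer)"
Write-Host "Thumbprint: $($ca.Thumbprint)"
Write-Host "Expires   : $($ca.NotAfter)"

# A root CA certificate is self-signed (Subject equals Issuer). If the leaf
# certificate was exported by mistake, stop here rather than trusting it.
if ($ca.Subject -ne $ca.Issuer) {
    throw 'This certificate is not self-signed; export the root certificate from the "Certificate Path" tab instead.'
}
# Basic Constraints should mark it as a CA; warn if the extension is absent.
$basic = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($basic -and -not $basic.CertificateAuthority) {
    throw 'Basic Constraints says this is not a CA certificate; refusing to import it into Trusted Root.'
} elseif (-not $basic) {
    Write-Warning 'Certificate has no Basic Constraints extension; verify it is the DualShield CA before continuing.'
}

# 2. Import into Trusted Root (same result as the Certificate Import Wizard
#    with "Local Machine" and "Trusted Root Certification Authorities").
$existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if ($existing) {
    Write-Host 'CA certificate is already present in Trusted Root; nothing to import.'
} else {
    Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host 'CA certificate imported into Trusted Root.'
}

# 3. Test: Invoke-WebRequest validates the server certificate against the
#    machine store, exactly what the browser test on the page checks.
$url = "https://${SsoFqdn}:8074/sso/ping"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "OK: $url returned HTTP $($resp.StatusCode); the certificate chain is trusted."
} catch {
    Write-Warning "Request to $url failed: $($_.Exception.Message)"
    Write-Warning 'A "Could not establish trust relationship" error means the CA certificate is still not trusted.'
}
```

Run it as `.\Import-DualShieldCa.ps1 -CaFile <exported .cer> -SsoFqdn <sso fqdn>` (script name assumed) from an administrator prompt, since writing to the Local Machine store requires elevation. If the test still fails after a successful import, compare the printed Subject with the issuer shown on the SSO Server's certificate in the browser; a mismatch means a different root was exported.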

Enable IIS Reverse Proxy

The DualShield IIS Agent is the bridge between the user and the DualShield SSO server. When a user wants to log in to a web application secured by the DualShield IIS Agent, the user is redirected to the DualShield SSO server to be verified and authenticated. This means the DualShield SSO server must be reachable by users from the public network.

If you do not want to expose the DualShield SSO server to the public network (for example because it does not have a public FQDN or a commercial certificate), you can use the IIS reverse proxy function instead. With the IIS reverse proxy, the DualShield SSO server appears to users as an integrated part of your web application. This not only saves you from publishing your DualShield SSO server, it also gives users a better experience.

To enable the reverse proxy function in the IIS server, follow the steps below:

Enable Proxy in the IIS Manager

Select the web server node (under "Start Page" if it is the first web server) from the list in the left pane of the IIS Manager console.

In the "Features View" window (the window in the middle), find "Application Request Routing" and double-click it.

In the right pane, find the "Server Proxy Settings..." link and click it.

Back in the middle pane, tick (enable) the first check box, "Enable Proxy".

Click "Apply" to save the change.

Enable Proxy in the DualShield IIS Agent

Click the "DualShield IIS Agent" shortcut to open the IIS Agent Console

In the "SSO Server" section, click the "Change..." button

In the "SSO Server Settings" popup window, enable the option "Enable Proxy"

Click OK to save settings.

Click Apply to apply the changes.
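The IIS Manager part of this procedure (Enable Proxy in the IIS Manager) can be scripted for repeatable deployments across several Exchange servers. The script below is an added example and is not part of the DualShield documentation; it assumes an elevated session, the WebAdministration module, and Application Request Routing (ARR) already installed, and it checks for the ARR global module before touching the configuration so that a missing ARR fails clearly instead of silently doing nothing. The DualShield IIS Agent's own "Enable Proxy" option has no setting documented on this page and still has to be enabled in the IIS Agent Console as described above.

```powershell
# Added example, not DualShield's own code. Enables the ARR server-level proxy,
# the same change as ticking "Enable Proxy" under "Server Proxy Settings..."
# in IIS Manager and clicking "Apply".
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'     # server-level applicationHost.config
$filter  = 'system.webServer/proxy'      # ARR proxy section

# ARR registers a global module named "ApplicationRequestRouting"; without it
# the proxy section is not available.
if (-not (Get-WebGlobalModule -Name 'ApplicationRequestRouting')) {
    throw 'Application Request Routing is not installed on this server; install ARR before enabling the proxy.'
}

$proxy = Get-WebConfiguration -PSPath $appHost -Filter $filter
Write-Host "ARR proxy currently enabled: $($proxy.enabled)"

if (-not $proxy.enabled) {
    # Equivalent of ticking the "Enable Proxy" check box and clicking "Apply".
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name 'enabled' -Value $true
    Write-Host 'ARR proxy enabled.'
}

# Read the setting back to confirm the change was committed.
$after = Get-WebConfiguration -PSPath $appHost -Filter $filter
if (-not $after.enabled) {
    throw 'The ARR proxy is still disabled; check that the session is elevated and applicationHost.config is writable.'
}
Write-Host 'Verified: ARR proxy is enabled. Now enable "Enable Proxy" in the DualShield IIS Agent console.'
```

Because this enables proxying at the server level, review afterwards which URL Rewrite rules (if any) forward requests, so that only the DualShield SSO paths the agent expects are proxied.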