Authentication Broker is currently a feature of the EWS Protector Bastion Filter.

Prerequisites

The Authentication Broker has the following prerequisites:

  1. Communication between the server hosting the EWS filter and the following domains:

    1. outlook.office365.com (port 443)

    2. login.microsoftonline.com (port 443)

  2. Communication between the EWS Filter and Database

  3. API key and IV configured for the EWS filter

Deployment steps

  1. Ensure you have an Azure app (registration) with Exchange with the following permissions:

    1. Configure the Azure app credentials in Access Portal → Settings → Authentication. The corresponding settings rows are:

        ID   Setting                    Type     Value                                 Label key                               Explanation key                               Product  Flag
        103  EwsAzureImpersonation      GENERAL  YES                                   NULL                                    NULL                                          Bastion  False
        100  CasbAzureTenant            GENERAL  AgatDevelopment.onmicrosoft.com       settings_CasbAzureTenant_label          settings_CasbAzureTenant_explanation          Casb     True
        101  CasbO365ApplicationId      GENERAL  4c836ac3-5d91-4c9a-bc56-e9dc048dde41  settings_CasbO365ApplicationId_label    settings_CasbO365ApplicationId_explanation    Casb     True
        102  CasbO365ApplicationSecret  GENERAL  (empty)                               settings_CasbO365ApplicationSecret_label settings_CasbO365ApplicationSecret_explanation Casb     False

    2. Add an “EWS-Online” channel to Bastion. Its external hostname should be something like ews-online.company.com. This requires an appropriate DNS record and firewall/LB configuration. The published host should be outlook.office365.com.

    3. Add the Traffic Modifier filter to the new EWS-Online channel with the provided config file.

    4. Add the EWS Protector filter too, using the same config file as the existing EWS channel.

    5. In the EWS Protector config of the EWS-Online channel, set the authRelaying element to:

        <authRelaying passthrough="false" type="Azure" />

  2. The existing EWS filter (on-prem) should contain the following config (not required if manual discovery is used):

        <authRelaying passthrough="false" type="KCD" ewsOnlineHost="ews-online.company.com" />
  3. Add DNS records/Network config for ews-online.company.com

  4. If using manual Exchange server discovery on clients, ensure that clients have the new DNS record specified as the Exchange server (see step 2) for users hosted on O365, e.g. https://ews-online.company.com/

  5. Link to example config: http://downloads.agatsoftware.com/Bastion - HybridEWSAzureImpersonation.zip
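A pre-deployment sanity check for the two authRelaying fragments and the Access Portal settings listed above, added here as an example and not part of Bastion or AGAT's own tooling; the <config> wrapper around each fragment and the dictionary form of the settings are assumptions.

```python
"""Check the authRelaying fragments and Access Portal settings from the steps above.
Added example, not Bastion's code: the <config> root and the settings dict are assumed."""
import xml.etree.ElementTree as ET

# Constructed samples: the two fragments from the steps above, wrapped in an assumed root.
ONLINE_CHANNEL_CONFIG = '<config><authRelaying passthrough="false" type="Azure"/></config>'
ONPREM_CHANNEL_CONFIG = ('<config><authRelaying passthrough="false" type="KCD" '
                         'ewsOnlineHost="ews-online.company.com"/></config>')
# Constructed from the settings rows above; note the application secret is still empty.
SAMPLE_SETTINGS = {
    "EwsAzureImpersonation": "YES",
    "CasbAzureTenant": "AgatDevelopment.onmicrosoft.com",
    "CasbO365ApplicationId": "4c836ac3-5d91-4c9a-bc56-e9dc048dde41",
    "CasbO365ApplicationSecret": "",
}

def check_auth_relaying(xml_text: str, expected_type: str) -> list[str]:
    """Return the problems found in <authRelaying>; an empty list means the fragment is OK."""
    problems = []
    elem = ET.fromstring(xml_text).find(".//authRelaying")
    if elem is None:
        return ["no <authRelaying> element found"]
    if elem.get("passthrough", "").lower() != "false":
        problems.append('passthrough is not "false" (both fragments above disable passthrough)')
    if elem.get("type") != expected_type:
        problems.append(f"type is {elem.get('type')!r}, expected {expected_type!r}")
    if expected_type == "KCD" and not elem.get("ewsOnlineHost"):
        problems.append("KCD (on-prem) channel is missing ewsOnlineHost for the EWS-Online channel")
    return problems

def check_azure_settings(settings: dict[str, str]) -> list[str]:
    """Flag Access Portal settings that are still unset or disabled."""
    problems = []
    for key in ("CasbAzureTenant", "CasbO365ApplicationId", "CasbO365ApplicationSecret"):
        if not settings.get(key):
            problems.append(f"{key} is not set")
    if settings.get("EwsAzureImpersonation", "").upper() != "YES":
        problems.append("EwsAzureImpersonation is not enabled")
    return problems

def run_checks() -> dict[str, list[str]]:
    """Run every check on the constructed samples; any non-empty list should block deployment."""
    return {
        "ews-online channel": check_auth_relaying(ONLINE_CHANNEL_CONFIG, "Azure"),
        "on-prem channel": check_auth_relaying(ONPREM_CHANNEL_CONFIG, "KCD"),
        "azure settings": check_azure_settings(SAMPLE_SETTINGS),
    }

if __name__ == "__main__":
    for name, found in run_checks().items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

With the sample data the two channel fragments pass and the only finding is the empty CasbO365ApplicationSecret, which matches the blank value in the settings rows above.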