Deploying Authentication Broker for EWS

Authentication Broker is currently a feature of the EWS Protector Bastion Filter.

Prerequisites

The Authentication Broker has the following prerequisites:

  1. Communication between the server hosting the EWS filter and the following domains:

    1. outlook.office365.com (port 443)

    2. login.microsoftonline.com (port 443)

  2. Communication between the EWS filter and the database

  3. An API key and IV configured for the EWS filter

Deployment steps

  1. Ensure you have an Azure app registration for Exchange with the following permissions:


  1. Configure the Azure app credentials in Access Portal → Settings → Authentication

     The corresponding settings rows, one per line (the application secret value is left empty here):

     1 | 103 | EwsAzureImpersonation | GENERAL | YES | NULL | NULL | Bastion | False
     1 | 100 | CasbAzureTenant | GENERAL | AgatDevelopment.onmicrosoft.com | settings_CasbAzureTenant_label | settings_CasbAzureTenant_explanation | Casb | True
     1 | 101 | CasbO365ApplicationId | GENERAL | 4c836ac3-5d91-4c9a-bc56-e9dc048dde41 | settings_CasbO365ApplicationId_label | settings_CasbO365ApplicationId_explanation | Casb | True
     1 | 102 | CasbO365ApplicationSecret | GENERAL |  | settings_CasbO365ApplicationSecret_label | settings_CasbO365ApplicationSecret_explanation | Casb | False

  2. Set up the EWS-Online channel in Bastion:

    1. Add an “EWS-Online” channel to Bastion. Its external hostname should be something like ews-online.company.com. This requires an appropriate DNS record and firewall/LB configuration. The published host should be outlook.office365.com.

    2. Add the Traffic Modifier filter to the new EWS-Online channel with the provided config file.

    3. Add the EWS Protector filter too, using the same config file as the existing EWS channel.

    4. In the EWS-Online channel's EWS Protector config, set the authRelaying element to:

       <authRelaying passthrough="false" type="Azure">

  3. The existing on-premises EWS filter should contain the following config (not required if manual discovery is used):

    <authRelaying passthrough="false" type="KCD" ewsOnlineHost="ews-online.company.com">

  4. Add the DNS records and network configuration for ews-online.company.com.

  5. If clients use manual Exchange server discovery, ensure that, for users hosted on O365, the clients have the new DNS record specified as the Exchange server (see step 2), e.g. https://ews-online.company.com/

  6. Link to the example config: http://downloads.agatsoftware.com/Bastion - HybridEWSAzureImpersonation.zip
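A pre-deployment check for the two authRelaying elements above (step 2.4 for the EWS-Online channel and step 3 for the on-premises channel). This is an added example, not code from AGAT Software or the Bastion product. It assumes the element can be located with the XPath in ELEMENT_PATH and uses self-closing tags in its constructed samples; the page does not show the surrounding config file, so adjust the path to the real layout.

```python
"""Validate the authRelaying elements for the two EWS Protector channels.

Added example (not AGAT's code). It assumes the <authRelaying> element can be
found with ELEMENT_PATH; the page does not show the rest of the config file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample fragments mirroring the two elements in the deployment steps.
ONLINE_CHANNEL_CONFIG = """<config>
  <authRelaying passthrough="false" type="Azure"/>
</config>"""

ONPREM_CHANNEL_CONFIG = """<config>
  <authRelaying passthrough="false" type="KCD" ewsOnlineHost="ews-online.company.com"/>
</config>"""

ELEMENT_PATH = ".//authRelaying"   # assumption about where the element sits in the config
ALLOWED_TYPES = {"Azure", "KCD"}   # the two relaying types used in the deployment steps
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def check_auth_relaying(config_xml: str, expected_type: str,
                        manual_discovery: bool = False) -> list[str]:
    """Return findings for one channel config; an empty list means it matches the steps.

    expected_type is "Azure" for the EWS-Online channel and "KCD" for the
    on-premises channel. manual_discovery=True relaxes the ewsOnlineHost
    requirement, as the page allows when clients use manual server discovery.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [f"config is not well-formed XML: {exc}"]

    # Accept either a bare <authRelaying> fragment or an element inside a config file.
    elems = [root] if root.tag == "authRelaying" else root.findall(ELEMENT_PATH)
    if len(elems) != 1:
        return [f"expected exactly one authRelaying element, found {len(elems)}"]
    el = elems[0]

    # Both channels require passthrough="false": the filter must broker the
    # authentication rather than hand the client's credentials straight through.
    passthrough = (el.get("passthrough") or "").strip().lower()
    if passthrough != "false":
        findings.append(
            f'passthrough is "{el.get("passthrough")}"; the deployment requires passthrough="false"'
        )

    relay_type = el.get("type")
    if relay_type not in ALLOWED_TYPES:
        findings.append(f'type is "{relay_type}"; expected one of {sorted(ALLOWED_TYPES)}')
    elif relay_type != expected_type:
        findings.append(f'type is "{relay_type}"; this channel should use "{expected_type}"')

    # The on-premises (KCD) channel sends O365 users to the EWS-Online channel via
    # ewsOnlineHost, which must be a bare hostname (no scheme, port or path).
    host = el.get("ewsOnlineHost")
    if relay_type == "KCD":
        if not host:
            if not manual_discovery:
                findings.append(
                    "ewsOnlineHost is missing; required unless clients use manual Exchange server discovery"
                )
        elif not HOSTNAME_RE.match(host):
            findings.append(f'ewsOnlineHost "{host}" is not a bare hostname (no scheme, port or path)')
    return findings


if __name__ == "__main__":
    for name, cfg, kind in (("EWS-Online", ONLINE_CHANNEL_CONFIG, "Azure"),
                            ("on-premises EWS", ONPREM_CHANNEL_CONFIG, "KCD")):
        result = check_auth_relaying(cfg, kind)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run it against the two real config files before enabling the channels; any finding points at the attribute to fix, and a channel whose EWS Protector config still has passthrough="true" will relay client credentials instead of brokering them.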