I want to show you how to secure Outlook Web App (/owa & /ecp) with an OTP token. First you need to configure the webserver protection for your Exchange web services. See this article.
Configure a new reverse authentication template:
For securing the specific Outlook Web App sites, go to “Site-Path-Routing” and configure the following rules for /owa and /ecp.
Now you can activate OTP authentication for the Web Application Firewall. I activate “Auto-create OTP tokens for users” so every user can log in to the UserPortal with their Active Directory credentials and directly receive an OTP token:
You can also use OTP tokens from SafeNet or Feitian, but in this example we will use a software token with the Sophos Authenticator app (you can also use Google Authenticator). Download the app to your device now:
Apple App Store iOS app: Sophos Authenticator
Google Play Store Android app: Sophos Authenticator
Log in to your UserPortal and use your new app to scan the QR code. The token is now active and can be used for WAF, VPN or UserPortal logins (depending on your Sophos UTM configuration).
Finally, change the authentication method for /owa and /ecp in IIS on the Exchange server to Basic. Run “iisreset” on the command line to activate the changes.
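The same last step can be done from the Exchange Management Shell instead of IIS Manager. This is an added example, not part of the original post; the server name EX01 is a placeholder and the virtual directory identities assume the default web site.

```powershell
# Added example (not from the original post): switch the /owa and /ecp
# virtual directories to Basic authentication from the Exchange Management
# Shell, verify the result, then restart IIS as the post describes.
$Server  = "EX01"   # placeholder: your Exchange server name
$OwaVDir = "$Server\owa (Default Web Site)"
$EcpVDir = "$Server\ecp (Default Web Site)"

# The WAF performs the user login (AD credentials + OTP) and passes the
# credentials to the backend with Basic authentication, so Forms and
# Windows authentication are switched off on these two virtual directories.
# Keep the WAF-to-Exchange connection on HTTPS: Basic auth only encodes
# the password, it does not encrypt it.
Set-OwaVirtualDirectory -Identity $OwaVDir `
    -BasicAuthentication $true `
    -FormsAuthentication $false `
    -WindowsAuthentication $false

Set-EcpVirtualDirectory -Identity $EcpVDir `
    -BasicAuthentication $true `
    -FormsAuthentication $false `
    -WindowsAuthentication $false

# Check both directories before restarting IIS; OWA and ECP must match.
Get-OwaVirtualDirectory -Identity $OwaVDir | Format-List Identity, *Authentication
Get-EcpVirtualDirectory -Identity $EcpVDir | Format-List Identity, *Authentication

# Activate the change.
iisreset
```

After the restart, a request to /owa that does not carry Basic credentials should be answered with HTTP 401 by the backend, which confirms that the forms-based login page is no longer served directly.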