If you're not familiar with AuthAnvil, you should check it out. It's a great two-factor solution designed for the SMB market. It's easy to install, and the support is great.
They're getting ready to release the 1.6 version of their agents (edit: It was released yesterday). I've been running 1.5 for a while and we use it to secure our desktop machines as well as OWA.
Did I mention that we use Exchange 2007? Exchange 2007 requires a 64-bit server OS. However, there's one little problem. There isn't a 64-bit version of the ISAPI available for AuthAnvil yet (I think that's coming out in 1.6).
I've had many conversations with Dana Epp, the owner of Scorpion Software, makers of AuthAnvil. I told him that I wanted to experiment with securing OWA 2007 using their Web Logon Agent. He was kind enough to send me the 64-bit version of the ISAPI DLL and some instructions. I ran into some roadblocks along the way, but was able to get past all of them. We have been running AuthAnvil with our OWA server with no issues for over two months now.
With this in mind, I was confident telling a client of mine that we would have no problem installing it onto their Exchange 2007 OWA server. However, their environment was a little bigger than ours. One of the features of AA's web logon agent is the whitelist. You can set up individual IP addresses that don't require two-factor logins. This is handy if you have internal users using OWA and you don't want to buy tokens for them. However, this environment has 12 class-C networks spread out across Central Iowa. Many of the internal users use OWA for their email. That means we would have roughly 3000 IP addresses to whitelist.
So my solution was to create a secondary OWA in IIS on a different IP. Internal users would continue to hit the old, unsecured version. However, external users would be directed to the new listener in IIS, which would be secured with AuthAnvil. I've had to create secondary OWA listeners in older versions of Exchange. How hard could it be with this shiny new version?
Famous last words...
(to be continued)