How to make more secure Exchange 2019 OWA

Question

Hi,
We are currently using basic authentication / FBA for OWA, but it looks unsecure in the modern world.
What are best practices to secure OWA?

We tested 2 options:

• ADFS authentication;
• Windows authentication (we were trying to use Kerberos as it's described in the article https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882#:~:text=%20Setting%20up%20Kerberos%20Authentication%20for%20a%20Website,be%20used.%20It%20might%20also%20use...%20More%20. But the last requires to change site's settings and we are not sure how it affects all means of clients' access).

Best regards,
Dmitry Horushin.

Answer 1

I would use App Proxy for that:
https://thesleepyadmins.com/2019/02/10/configure-mfa-for-azure-application-proxy/

Answer 2

I would integrate with ADFS ( and use a MFA solution as well)

Answer 3

Hi
Thank you.
My superior wants to test a configuration with Kerberos authentication when requests of external OWA users are accepted by Azure based proxy servers. He believes that this configuration is easy to configure and maintain that a configuration with ADFS and MFA. But we miss a documentation how to set up OWA with Kerberos.

Our further steps:

• set up an Azure proxy for external users;
• set up a second Exchange 2019 server to see how it works with load balancer;
• install the next Exchange 2019 CU and test how it affects the configuration.

If you can help to find Microsoft recommendations/best practices how to secure Exchange OWA on-premises, it will be wonderful.
Best regards,
Dmitry Horushin.

Answer 4

Sounds like you need to setup Azure Modern Auth instead:

https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide