I would use App Proxy for that:
https://thesleepyadmins.com/2019/02/10/configure-mfa-for-azure-application-proxy/
How to make more secure Exchange 2019 OWA
Hi,
We are currently using basic authentication / FBA for OWA, but it looks insecure in the modern world.
What are best practices to secure OWA?
We tested 2 options:
- ADFS authentication;
- Windows authentication (we were trying to use Kerberos as described in the article https://techcommunity.microsoft.com/t5/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/ba-p/347882#:~:text=%20Setting%20up%20Kerberos%20Authentication%20for%20a%20Website,be%20used.%20It%20might%20also%20use...%20More%20. But the latter requires changing the site's settings, and we are not sure how it affects all means of clients' access).
Best regards,
Dmitry Horushin.
-
Andy David - MVP 141.5K Reputation points MVP
2021-06-07T12:39:13.687+00:00
-
Andy David - MVP 141.5K Reputation points MVP
2021-05-28T11:02:00.613+00:00
I would integrate with ADFS (and use an MFA solution as well)
-
Dmitry Horushin 61 Reputation points
2021-06-06T08:21:57.527+00:00
Hi
Thank you.
My superior wants to test a configuration with Kerberos authentication when requests of external OWA users are accepted by Azure-based proxy servers. He believes that this configuration is easier to configure and maintain than a configuration with ADFS and MFA. But we are missing documentation on how to set up OWA with Kerberos.
Our further steps:
- set up an Azure proxy for external users;
- set up a second Exchange 2019 server to see how it works with load balancer;
- install the next Exchange 2019 CU and test how it affects the configuration.
If you can help to find Microsoft recommendations/best practices on how to secure Exchange OWA on-premises, it will be wonderful.
Best regards,
Dmitry Horushin.
-
Andy David - MVP 141.5K Reputation points MVP
2021-06-07T11:41:17.62+00:00
Sounds like you need to set up Azure Modern Auth instead:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide