Rublon

Secure Remote Access

By

Last updated on December 12, 2024

MFA for Outlook Web App (OWA) is a secure way to access the Outlook Web App that adds an extra layer of security to OWA user logins. OWA MFA requires users to provide two authentication factors to gain access to Outlook on the web. For the first factor, the user provides their login and password as always. After completing the first factor, the user performs secondary authentication using one of the authentication methods, such as WebAuthn/U2F Security Key, Mobile Passcode (TOTP), or Mobile Push. After completing both factors, the user gains access to the resource. MFA for OWA prevents hackers from accessing an Outlook account even if they know the password.

Overview of the Rublon MFA for OWA and ECP connector

Rublon MFA for OWA is a connector that integrates Microsoft Outlook Web Access (OWA) with Rublon API to add Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) to your Outlook Web App (OWA) logins.

MFA for OWA supports MFA for users logging in to:

  • Microsoft Exchange Outlook Web App (OWA)
  • Exchange Control Panel (ECP) [also called Exchange Admin Center (EAC)]

When OWA MFA is enabled, the user must enter the correct login and password and select an available Authentication Method from the Rublon Prompt. After confirming their identity with the second authentication method, the user gains access to Outlook on the web. If the user fails to complete any authentication factors, Rublon denies access to Outlook Web Access.

The Rublon MFA for OWA connector identifies users by their usernames.

The MFA for Outlook Web App connector determines the username regardless of how the user logs in to Outlook. So, the connector always tries to send the appropriate username to the Rublon API based on information from Active Directory. For example, if the SendUPN parameter is enabled and the user logs in by entering domain\sAMAccountName, the connector still tries to find the UPN and, if successful, sends the UPN to Rublon as the username.

Refer to the description of the SendUPN parameter in the Configuration section of this documentation to learn more.

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Before You Start

If you have a separate test environment for Outlook Web Access, we recommend you test the MFA for OWA and ECP connector there before deploying it in a production environment. If you do not have a testing environment, make a backup or take a snapshot of the VM before installing MFA for Outlook on the web.

Ensure that you have a well-tested, working, and running Exchange Control Panel (ECP) and Microsoft Outlook Web Access (OWA).

Rublon MFA for Outlook Web Access supports the following operating systems:

  • Windows Server 2012R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Note

All editions of Windows Server are supported, including Windows Server Essentials.

Rublon MFA for Outlook Web Access supports the following Exchange Server versions:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Required Components

  • .NET Framework, version 4.6
  • An up-to-date Windows Server
  • Configured and well-tested Microsoft Exchange Server
  • Configured and well-tested Microsoft Outlook Web Access (OWA)
  • An external identity provider (IdP) – Microsoft Active Directory
  • Open Outbound Port 443 for https://core.rublon.net on the machine where Microsoft Outlook Web Access is configured

Pre-Installation Steps

1. Sign in to the Rublon Admin Console.

2. Click Applications on the left.

3. Click Add.

4. Set a name for your application, e.g., Outlook Web Access.

5. Set Type to Outlook Web App.

6. Click Save to create a new application.

7. Copy and save the values of the System Token and Secret Key. You are going to need them later.

Image showing how to copy the System Token and Secrey Key of an application of type Outlook Web App in the Rublon Admin Console

8. Download Rublon MFA for OWA by clicking the following link:

Download the Rublon MFA for Outlook Web Access installer

Installation of Rublon MFA for Outlook Web App (OWA) and Exchange Control Panel (ECP)

1. Run the installer with administrator rights.

2. On the first page of the installer, read about the product you are about to install.

  • If this is the first time you are installing the connector, click Next.

If this is not the first time you are installing the connector on this endpoint, you will be able to either update the current installation or do a clean installation.

  • Update current installation: If you choose to update the current installation, you will not be able to change any old options in the installer. However, if a new option has been introduced in this version of the installer, you will be able to change its value before the installation begins. The Update current installation option is recommended for those who want to update the connector to a newer version but want to keep all current settings.
  • Clean installation: If you choose to do a clean installation, continue with the steps in this section.

3. Enter the API credentials (System Token and Secret Key) from your application of type Outlook Web App in the Applications tab of the Rublon Admin Console and click Next.

ParameterDescription
System TokenSystem Token of your application in the Rublon Admin Console.

Paste the value you noted down before.
Secret KeySecret Key of your application in the Rublon Admin Console.

Paste the value you noted down before.

4. Check the configuration options you want and click Next. Refer to the following image and table.

OptionDescription
Use proxyCheck this option to enable proxy.

When checked, the next page after clicking Next will ask you for more details about the proxy.

When unchecked, the page that asks for proxy details will not appear.

5. If you checked Use proxy on the previous page, you will see an additional page asking you to enter proxy details. After filling in the details, click Next. Refer to the following image and table.

OptionDescription
Proxy HostThe address of the proxy server.
Proxy PortThe port on which the proxy server is operating.
Proxy UsernameThe username of the HTTP proxy server user.

Optional. Fill in if verification by username is required.
Proxy PasswordThe password of the HTTP proxy server user.

Optional. Fill in if required for verification.

6. Check the bypass options you want and click Next. Refer to the following image and table.

OptionDescription
Bypass MFA when it cannot be performedCheck to bypass MFA when the Rublon API is reachable but cannot perform MFA (e..g, too many requests).

7. Rublon MFA for OWA is ready to install.

Rublon MFA for OWA performs the following steps during installation:

  • Adds configuration settings to Windows Registry.
  • Installs the application on the system in a defined location. It is not possible to change this path.
  • Starts the installer of the required additional packages: Microsoft Visual C++ 2015-2019 Redistributable (x64). Note that Rublon for OWA requires the Microsoft Visual C ++ 2015-2019 Redistributable (x64) package to work. The OWA installer will install this package automatically if it does not exist in the system. If the package exists in the system, the installer will omit this step and will not print info about it on the Ready to install page.

8. Click Install to install Rublon MFA for Outlook Web App.

9. After a successful installation, the installer informs you that your installation is complete. Check View log if you want and click Finish.

10. Congratulations. Your installation is complete. You can now take a look at the Configuration section to better understand each parameter or go straight to Testing MFA for OWA.

Note

If you are experiencing problems with the installer, please refer to our FAQ.

Configuration of MFA for OWA and ECP

You can change the settings of Rublon MFA for Outlook Web Access in Windows Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Rublon\OWA. The changes you made will be applied automatically during your next login.

Value Description Default Value
RublonApiServer The server of the Rublon API. https://core.rublon.net
SystemToken A string value gathered from Rublon Admin Console, for the Outlook Web App application type. The value you set during installation.
SecretKey A string value gathered from Rublon Admin Console, for the Outlook Web App application type. The value you set during installation.
Modules Allows you to enable Rublon MFA only for OWA, only for ECP, or for both.

Possible values:
owa,ecp – Enables MFA for both OWA and ECP
owa – Enables MFA for OWA but not for ECP
ecp – Enables MFA for ECP but not for OWA		 owa,ecp
ProxyHost The address of the proxy server. Optional.
ProxyMode Default: 0

You need to set at least two parameters for the proxy to work: ProxyHost and ProxyPort.

If you add both of these parameters, then the proxy will be automatically activated (and ProxyMode will be set to 1).

If you only specify ProxyHost or only specify ProxyPort, registry changes will be made, but ProxyMode will be set to 0, meaning the proxy will not be active.

Set ProxyMode to 0 to disable the proxy.

The password of the HTTP proxy server user. Optional.
ProxyPassword The password of the HTTP proxy server user. Optional.
ProxyPort The port on which the proxy server is operating. Optional.
ProxyUsername The username of the HTTP proxy server user. Optional.
FailMode Defines what happens when a user cannot perform Multi-Factor Authentication (MFA) for technical reasons.

Possible values:
bypass – MFA is skipped, and the user gains access to OWA even if the configuration is incorrect or there is no connection to the Rublon API.
deny – Rublon blocks the user when the configuration is incorrect or there is no connection to the Rublon API.
safe – an alternative for bypass, the user gains access to OWA
secure – an alternative for deny, the user does not gain access to OWA		 bypass/safe
SendUPN If set to 1, Rublon looks up the Universal Principal Name (UPN) in Active Directory and sends the UPN to the Rublon API as Rublon username (e.g., [email protected]).

If set to 0, Rublon sends sAMAccountName as Rublon username, e.g., Domain\user.

Possible values:
1 – enables sending UPN to Rublon
0 – disables sending UPN to Rublon

Suppose you set SendUPN to 1, but Rublon cannot find the User Principal Name (UPN) for a given user in Active Directory. In that case, Rublon denies access to the user and adds appropriate information to the logs.		 0
LogConfigurationFile Path to the application log file. Refer to Logging to learn more. %SystemDrive%\Program Files\Rublon\OWA\log4Net.config
DebugRequests When set to 1, enables detailed logging of requests and responses in communication with the Rublon API.

Set to 1 only if requested by Rublon’s Customer Support.		 0
AuthCookieLifeDuration The maximum lifetime of a Rublon session cookie in seconds.

This value must be 0 or a positive integer. When set to 0, the cookie expires only after the user logs out.

You can enter the value in the key as a String.		 The default maximum lifetime of a Rublon session cookie is 28800 seconds.

However, AuthCookieLifeDuration is not added to Windows Registry by default. You must add it yourself if you want to change this value.
SecretSessionKey Rublon cookie signing key.

Do not reveal the value of this key to anybody. If the key leaks, generate a new one.		 A random key is automatically generated during installation.

Logging

You can change the logging settings in the log4Net.config file located in the folder where you installed Rublon MFA for OWA (C:\Rublon\OWA\ by default).

Change the log file path

By default, the log file is located in C:\Rublon\OWA\RublonOWA.log. You can change this path by following the steps below.

  1. Open the log4Net.config file and look for the following line:
    <file value=”${SystemDrive}\\Rublon\\OWA\\RublonOWA.log” />
  2. Replace ${SystemDrive}\\Rublon\\OWA\\RublonOWA.log with a new path.
  3. From now on, any Rublon authentication process information will be logged to a new file. 

Note

If you have authenticated via Rublon, but no new file has been created, ensure the path access is not restricted.

If you do not see any entries in the log file, make sure the logging level is set to at least info.

Change logging level

The amount of information logged to the log file can be adjusted using the so-called logging levels. 

  1. Open the log4Net.config file and look for the following entry:

    <root>
    <level value="DEBUG" />
  1. Change the default DEBUG value to one of the following values:
  • ALL – logs everything
  • DEBUG – logs detailed information about the logging process
  • INFO – logs info, warnings, and errors 
  • WARN – logs warnings and errors
  • ERROR – logs errors only
  • OFF – turns off logging

High Availability (HA) OWA MFA Installation & Configuration

The Rublon MFA for Outlook Web Access (OWA) connector uses the so-called Rublon session files that allow Rublon to perform MFA. So, if you have a High Availability architecture, e.g., a Load Balancer and several OWA nodes, it is necessary to set the same SecretSessionKey for all OWA nodes.

Refer to the following instructions:

1. Install Rublon MFA for OWA on one OWA node and copy the value of secretStorageKey from Windows Registry.

2. Install the connector on other OWA nodes and set the copied secretStorageKey for all of them.

You can define the secretStorageKey in the installation command by appending the following string:

-secretStorageKey <value>

Testing MFA for Outlook Web App (OWA)

1. Open the Outlook Web App login page.

2. Provide your Domain\user name and Password, and click sign in.

Image showing the step of MFA for OWA login where the user enters their username and password

3. A window will appear with various 2FA options from Rublon. Let’s choose Mobile Push.

Note

If the Mobile Push tile is grayed out, you probably have not enrolled a mobile device yet. You can enroll your phone or choose the Email Link authentication method instead.

4. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

Image showing the step of MFA for OWA login where the user receives a Mobile Push notification

5. You will successfully log in to Outlook on the web (OWA).

6. We recommend you also test logging in to the Exchange Control Panel (ECP). The login process looks exactly the same but you start from the login form at https:/domain/ecp.

Updating MFA for OWA and ECP

If you have already installed Rublon MFA for Outlook Web App (OWA) and would like to update it to a newer version, open the latest installation file with administrator rights and go through the installation process again. Rublon will keep your settings from the previous version.

You do not have to uninstall the old version of Rublon MFA for OWA before updating it.

You do not have to specify the installation parameters again if you are updating Rublon MFA for OWA.

Rublon Prompt Doesn’t Show Up After Update

Updating MFA for OWA by running the installation file without administrator rights might cause the Rublon Prompt to not appear during logins. If this is the case, follow the steps below:

1. Open the IIS Server Manager.

2. Select Sites → owa.

3. Right-click and select Explore.

4. Open the web.config file.

5. Paste this line just above the closing </modules> tag:

<add name="RublonOWAModule" type="Rublon.OWA.OWAModule, RublonOWAModule, Version=<VERSION>, Culture=neutral, PublicKeyToken=be7e75eeb046f1eb" preCondition="" />

where <VERSION> is the version of the connector in the following form: X.X.X.X. For example, if your OWA connector is version 1.1.2, enter Version=1.1.2.0.

6. Save the file. You should now see the Rublon Prompt on your next login to OWA.

If you have the same issue with the Exchange Control Panel (ECP):

1. Open the IIS Server Manager.

2. Select Sites → ecp.

3. Right-click and select Explore.

4. Open the web.config file.

5. Paste this line just above the closing </modules> tag:

<add name="RublonOWAModule" type="Rublon.OWA.ECPModule, RublonOWAModule, Version=<VERSION>, Culture=neutral, PublicKeyToken=be7e75eeb046f1eb" preCondition="" />

where <VERSION> is the version of the connector in the following form: X.X.X.X. For example, if your OWA connector is version 1.1.2, enter Version=1.1.2.0.

6. Save the file. You should now see the Rublon Prompt on your next login to ECP.

Uninstalling MFA for OWA and ECP

Run unins000.exe located in C:\Program Files\Rublon\OWA\ as administrator to uninstall Rublon MFA for OWA.

Alternatively, open Apps & features, select Rublon for OWA version X.X.X and click Uninstall.

INFO

The uninstallation file deletes all Global Assembly Cache (GAC) DLL files associated with Rublon except for C:\Windows\Microsoft.NET\assembly\Rublon.dll. This is because the Rublon.dll file is used by the IIS process, and it is not possible to remove it without killing the IIS process. You can manually delete this file or just keep it, as it does not affect OWA in any way.

Troubleshooting

Look up your log file located in C:\Rublon\OWA\RublonOWA.log by default and send the file to Rublon Support along with a description of your issue.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts