UserLock makes it easy to secure access on Microsoft IIS for Windows Server. Protect a specific IIS application such as Outlook Web Access (OWA), RDWeb, SharePoint, CRM or an Intranet website.
Video transcript:
Hello. I am Kate from IS Decisions.
Welcome to this UserLock tutorial where we will show you how to protect access to Outlook Web Access and the Exchange Admin Center.
To demonstrate this, we have set up a virtual environment with a first server on which UserLock is installed. We also have a second server on which Exchange is installed with the Client Access Server role.
In addition, we have a first workstation located within the company network. And a second workstation which allows us to simulate access from outside the network.
So, first thing to do, we go to UserLock’s Agent distribution. We choose the right server with the right type of IIS agent, and click on "Install".
Once the agent is deployed, we need to complete the agent configuration in the IIS console. Go to the root under Modules. "Configure Native Modules" and "Register".
From here we search for the module “Http UserLock” which we had deployed beforehand. Once selected, we give it a name.
For now, we leave it unselected in the root. We will only select it on the OWA application. Go into Modules, "Configure Native Modules".
Now, we should see it here in the list to select, but as you can see, it is not there. So we will have to perform a little bit of magic.
As you can see, if I go to the last line and press the down key, you can see that the cursor has just moved to an invisible line. I’m going to press the space bar to select that line, and then press "OK". Now you see the agent has been selected.
Apologies for this little bug in the IIS admin console. But hey, we managed to work around it!
Now that the agent is presumed to be active, we are going to verify that it works properly.
To do this we connect with a user account.
So… we wait a little time until the connection is established and for the application to load. It may take a while because the agent installation has recycled the pool. That's it. It looks fine.
We are connected. We can now go to the UserLock console session view, where we can see user Bob's session clearly.
So that’s very good.
If now, user Bob logs out, I can update the sessions view, and find that this session is no longer visible. Next we can create rules for accessing Outlook Web Access and the Exchange Administration Center.
To demonstrate this, we are going to take advantage of the fact that in this setup, access to the Exchange Admin Center is possible from outside the network, which is in itself a security liability. Click on the ECP application.
Next we will create a small rule to prevent the administration of Exchange from the Internet. To do this we first create a protected group for the domain administrators.
In the protected group we are editing, we scroll down to the "Geolocation" section and enable the restriction. We leave the list of allowed countries blank. We then deselect everything here.
This is to only allow private IP addresses for administrator access. OK, the rule is now active.
Next, I can check that the administrator is still able to administer Exchange from inside the network.
We wait while the application loads. That's it. I check in the UserLock console – sessions view – and yes we see clearly that the administrator's session is visible.
Next, I’ll go to the workstation which is located outside the network, from which I will try to connect as a normal user to their mailbox with Outlook Web Access.
There you go, it works fine.
I refresh the sessions view and I can clearly see the session.
However, you will notice that this is not a real Internet address. I simulated the Internet address using a small UserLock option that allows you to consider certain IP address ranges as external. Everything in 10.1 is considered to be an Internet IP address, when in fact it is private.
That's it, it is purely for testing purposes.
So now I am going to disconnect.
Finally, I can do a test connection with an administrator account to the Exchange administration from outside.
And there you go, you can see that the connection is refused.
That's it for this tutorial. We will be back soon to show you how to activate strong authentication for these two applications. Thank you and see you soon for a new video.
![](https://i.ytimg.com/vi/qykdQ7zAB2A/maxresdefault.jpg)