Access Portal Integration w/ OWA

In attempts to protect an on prem Exchange / OWA with AuthPoint I have followed these instructions verbatim.

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/AuthPoint/AccessPortal-reverse proxy-saml_authpoint-OWA.html?tocpath=Self-Help Tools|Integration-Guides|AuthPoint|_____11#In3

Everything works, I receive the same Access Portal login screen as the documentation, but I have a couple questions.

Why do I have the option of using either AuthPoint-MFA or the old User Name and Password?

The old User Name and Password works just fine to get in, so why would anyone choose the AuthPoint option?

Is there a way to remove User Name & PW to only allow AuthPoint logins?

Secondly, within the Access Portal the Reverse Proxy for Exchange wizard creates the OWA web app for you, but when I log into the AP and click on the OWA app it just opens the FQDN external URL of OWA in a new tab. It doesn't even appear to open via the AP like an RDP session via the AP would.

How do I know this is working?

Yes, I have a separate Internal URL configured for OWA.

Any insight is appreciated.

It's usually something simple.


  • Options

    Can't believe I'm the first person to run across this issue so I opened a support ticket on it. #01848779

    Appears the option to use either MFA or user/pass inside the Access Portal is expected behavior. Below is the support tech's response:

    _I don't know why it was designed that way, but that is expected behavior. Unfortunately, you can't disable it at this time. There has been an RFE filed to add the option to disable it, but there is no timetable for it's implementation.


    Access portal: Allow administrator to disable all authentication servers if SAML is enabled

    I've added the RFE to this case as they are implemented based on demand. The more cases requesting it, the more likely it will be implemented. _

    I've also learned in order for Reverse Proxy to work the default SSLVPN and Allow SSLVPN-Users policies must be above the OWA web app policy. This will give security cert mismatches, and MOST importantly will break Active Sync for you mobile devices unless you use wildcard certificates in place of single security certificates.

    Thought MFA implementation was supposed to be easy.


    • Doug

    It's usually something simple.

Sign In to comment.