
MFA for On-Prem Exchange Server

Last updated on February 12, 2025

MFA for on-prem Exchange Server is a critical security measure that helps protect sensitive communication data and user credentials. Using MFA for on-premises Exchange Server and Exchange ActiveSync reduces the risk of unauthorized access to Exchange accounts and helps you comply with industry standards and regulations. This page covers MFA for on-premises Exchange, including ActiveSync and Outlook Desktop & Mobile, to ensure your entire email infrastructure benefits from an added layer of security.

The Importance of Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) requires users to confirm their identity through more than one method – like a password plus a one-time passcode or mobile app prompt. This multi-layered approach significantly strengthens your security posture. It makes unauthorized access far less likely because attackers need more than a single stolen password to breach your system.

Why Your On-Premises Exchange Server Needs MFA

On-premises Exchange environments often store highly confidential emails and data. Since these environments are not hosted in the cloud, they can become prime targets for attackers seeking direct entry to your internal network. Employing MFA for on-premises Exchange helps:

  • Mitigate phishing attacks
  • Prevent unauthorized access and data breaches
  • Comply with regulatory requirements

Why MFA for OWA and ECP via the Web Might Not Be Enough

Rublon offers the Rublon MFA for Outlook Web App (OWA) and Exchange Control Panel (ECP) connector. This connector secures user access to their mailboxes via the web. It can also secure administrator access to the Exchange Control Panel (ECP) via the web.

Safeguarding web access to OWA and ECP is paramount for ensuring high-security standards in your organization.

However, the Rublon MFA for OWA & ECP connector is not a silver bullet. It cannot secure every element of your Exchange infrastructure. For one, it does not support the desktop and mobile versions of Outlook. In addition, the connector is deployed on the Exchange server. If an attacker reaches the Windows Server itself, they can disable or remove MFA. The attacker therefore has to be stopped before they can try to compromise the Exchange server.

How to Implement MFA for On-Premises Exchange Server?

In short, deploy your on-prem Exchange server on a Windows Server machine behind a VPN and then secure the VPN with multi-factor authentication (MFA) using the Rublon Authentication Proxy. You can also secure direct access to the Windows Server machine storing the Exchange server using Rublon MFA for Windows Logon & RDP for additional security.

What follows are more detailed steps for implementing multi-factor authentication (MFA) for on-prem Exchange Server.

Step 1: Remove Public Access to Exchange

Stop exposing the Exchange server to the open internet. An attacker should have no direct route.

A best practice is to deploy the Exchange server on the Windows Server operating system behind a Virtual Private Network (VPN). This makes it impossible for admins to access the Exchange server from the public internet without first authenticating via VPN. It also requires users to be in the corporate VPN before they access their mailbox.

Step 2: Secure Your VPN With Rublon MFA

Integrate your VPN with Rublon MFA to authenticate users against the Rublon Authentication Proxy. The Auth Proxy is a RADIUS/LDAP proxy server that adds a second authentication factor to FreeRADIUS & Active Directory user logins.

Deploying Rublon MFA on your VPN means that users and administrators must complete Rublon MFA authentication each time they start a VPN session. Once authenticated, they gain access to the corporate network where the on-premises Exchange Server, Exchange ActiveSync, local Active Directory, and other elements of the Exchange infrastructure are deployed. After a successful VPN MFA:

  • Users can check their mailbox using Outlook Web App (OWA) or Outlook Desktop.
  • Admins can manage the Exchange server using the Exchange Control Panel (ECP) or by directly connecting to the Windows Server hosting the Exchange server via RDP.

Securing your VPN with Rublon MFA is a crucial step. Your VPN is the first gate an attacker has to pass, and it is also the weakest point in your infrastructure. Without MFA in place, an attacker who compromises the administrator’s VPN password gains access to the corporate network. From there they can move laterally, attacking systems or stealing data that is not necessarily Exchange-related.

Step 3: Secure Your Windows Server Endpoint Hosting the Exchange Server With MFA

Why not also enable two-factor authentication (2FA) on the Windows Server machine where the Exchange server is deployed?

While this is not a hard requirement, you definitely should consider it.

Securing your endpoints might be less convenient for admins, who would have to complete MFA twice (first while connecting to the VPN, then again while connecting via RDP to the Windows Server on which the Exchange Server is deployed).

Still, if you require the highest level of security, use Rublon MFA for Windows Logon & RDP to secure access (local & via RDP) to the Windows Server where the Exchange Server is deployed.

While you are at it, you can also use the Rublon MFA for Windows connector to secure your Domain Controller (the Windows Server where your Active Directory is deployed).

Step 4: Verify Connectivity and Security

After configuration, test your setup:

  • Ensure you receive MFA prompts when connecting to the VPN.
  • Confirm access to Exchange ActiveSync and Outlook Desktop once the VPN tunnel is established.
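
A connectivity check for Steps 1 and 4, added here as an example (it is not Rublon's code): run it once from a machine outside the VPN and once with the tunnel up. The port list and the hostname you pass in are assumptions to adapt to your deployment; the script checks network reachability only, not the MFA prompt.

```python
import argparse
import socket
import sys

# Assumed TCP services on the Exchange host; adjust to your deployment.
EXCHANGE_PORTS = {
    443: "HTTPS (OWA, ECP, ActiveSync, Outlook)",
    3389: "RDP",
}


def is_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or name not resolvable
        return False


def check_exposure(host, on_vpn, ports=EXCHANGE_PORTS, probe=is_reachable):
    """Compare observed reachability with what this vantage point should see.

    Off the VPN every port must be closed (Step 1); on the VPN every port
    must be open (Step 4). Returns a list of findings; empty means as expected.
    """
    findings = []
    for port, service in sorted(ports.items()):
        reachable = probe(host, port)
        if reachable and not on_vpn:
            findings.append(f"EXPOSED: {service} on {host}:{port} reachable without VPN")
        elif not reachable and on_vpn:
            findings.append(f"BLOCKED: {service} on {host}:{port} unreachable over VPN")
    return findings


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check Exchange exposure")
    parser.add_argument("host", help="Exchange server name or IP address")
    parser.add_argument("--on-vpn", action="store_true",
                        help="set when the VPN tunnel is established")
    args = parser.parse_args()
    results = check_exposure(args.host, args.on_vpn)
    for line in results:
        print(line)
    sys.exit(1 if results else 0)
```

A non-zero exit code from the off-VPN run means the Exchange host still has a direct route from the internet.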

MFA for On-Premises Exchange – Network Diagram

The following diagram portrays an On-Premises Exchange infrastructure secured by Rublon MFA.

Remote users not yet connected to the corporate network cannot access the Exchange Server in any way. They must first connect to the corporate network via a VPN secured with Rublon MFA.

  • VPN Connection: During login, a remote user enters their login and password as usual. The Rublon Authentication Proxy asks the Identity Provider, such as Active Directory, whether the credentials are correct. If so, the Auth Proxy challenges the user for MFA. Rublon MFA supports a few strong authentication methods, including but not limited to a Mobile Push authentication request and SMS Link.

Network users who are already connected to the corporate network can access the Exchange Server in a few ways:

  • Via OWA/ECP: In this use case, the Rublon MFA for OWA & ECP connector (deployed on the Exchange server) prompts users for MFA when they log in via Outlook Web App or Exchange Control Panel.
  • Via RDP: In this use case, the Rublon MFA for Windows Logon & RDP connector (deployed on the Exchange server) prompts admins for MFA when they connect to the Exchange server via Remote Desktop Protocol (RDP).
  • Via Outlook Desktop/Mobile: In this use case, there is no direct Rublon MFA when users access their mailboxes. Users complete Rublon MFA only once when they connect to the corporate network.

Conclusion

MFA for on-prem Exchange is a vital shield that blocks attackers from your organization’s email data. By placing your on-premises Exchange behind a VPN and strengthening that VPN with Rublon MFA, you make it far harder for thieves to sneak in. If you need a higher level of security, consider also enabling MFA for Windows Logon and RDP on the Exchange Server itself. Securing on-prem Exchange with MFA ensures both end-users and administrators stay safe from modern cyber threats.

Frequently Asked Questions (FAQ)

1. How do I secure desktop and mobile Outlook apps that don’t support the Rublon MFA for OWA & ECP connector?

You can place your on-premises Exchange behind a VPN and enable Rublon MFA on the VPN login. Desktop and mobile Outlook apps connect only after passing MFA at the VPN layer. This approach blocks unauthorized access to your Exchange server from the internet.

2. Why is it important to remove public internet access to the Exchange Server?

By removing direct internet access, you eliminate external attack vectors that target Exchange services. Attackers cannot attempt brute-force logins or exploit unpatched vulnerabilities if the server is only accessible behind a VPN that requires MFA.

3. Can I use Rublon MFA to secure the Windows Server where Exchange is installed?

Yes, via Rublon MFA for Windows Logon & RDP. Administrators log in to the VPN (with MFA) and then authenticate again when connecting to the server. Although it requires multiple steps, it dramatically reduces the risk of unauthorized server access.

4. What if an attacker knows my VPN password but cannot compromise the second factor?

They will be unable to authenticate without the second factor, such as a mobile push or one-time passcode. This extra layer prevents them from gaining entry and moving laterally within your network.

6. Is the Rublon Authentication Proxy difficult to set up with my VPN?

Rublon offers step-by-step documentation for deploying the Rublon Authentication Proxy and separate docs for each VPN integration. The Auth Proxy works with common VPNs using the RADIUS, SAML, and LDAP protocols, making the setup process straightforward.

7. Are there any performance impacts when using MFA for on-prem Exchange?

Restricting Exchange access to a VPN decreases the risk of malicious traffic targeting your internet-facing servers. Typically, the performance impact of MFA on the authentication process is minimal.
