GroupWise 18.3.1 / 18.4.1 and Multi-Factor Authentication (MFA)
Published 8/24/2022 (Work in Progress)
This document is relevant to GroupWise 18.4 and beyond and is specific to Multi-Factor Authentication. Note the following:
- Although MFA was available in GroupWise 18.3, it was new and there were lots of problems with the MFA implementation.
- MFA was not available in any earlier versions of GroupWise.
- If you want to use MFA, plan on installing GroupWise 18.4.1 at a minimum.
- As with most of my technical guides, this is a work in progress and I add/modify as I am able to.
- Most people assume MFA is a simple feature that only controls the end-user login behavior. But when you implement MFA in a GroupWise environment, many different components are affected that you may not expect.
- MFA introduces complex elements to your environment that change the behavior of the Admin Console, GroupWise Agent Screens, the GroupWise Client, GroupWise Web, GroupWise Mobility, GroupWise Messenger, and possibly other 3rd party products that connect to GroupWise such as Retain Archiving.
- You cannot just enable a checkmark to magically turn MFA on. MFA for GroupWise requires a separate server called the NetIQ Advanced Authentication server to be installed and configured. To an experienced person, it's not a huge deal; to anyone who has never dealt with this before, it can be extremely overwhelming. The learning curve is quite severe, and documentation is lacking in many areas.
- There are architectural and security concerns that must be addressed. While the Advanced Authentication server does have policies and configurations to secure the system, there are some limitations that could require an additional proxy server to help secure and restrict access from the outside.
- With GroupWise, you receive entitlements for a limited license of the Advanced Authentication server. Depending on what "Methods" you choose to use, you may be required to purchase licenses or 3rd party subscriptions. "Method" means the way you receive the code that serves as the 2nd Authentication piece. For example, SMS Text Messages is an included method with the GroupWise limited license, but you will need to pay for a 3rd party texting service for this to function.
- An MFA implementation is what I would consider a significant project that requires adequate planning, implementation time, and testing before rolling out to an entire user base. It could take several weeks or even months to fully implement. I say this because you need to be realistic in your expectations about a project like this.
Here's what you need to successfully implement GroupWise MFA.
- A GroupWise 18.4.1+ system. It doesn't matter if it's on Windows or Linux. It doesn't matter if you have a single post office or if you have 20. MFA is designed to work with any GroupWise 18.4.1 system regardless of scale.
- LDAP Authentication must be utilized in your GroupWise environment.
- A NetIQ Advanced Authentication Server, installed as a virtual appliance.
- If you're using GroupWise Mobility, you should also be running GroupWise Mobility 18.4.1.
- If you're using GroupWise Messenger, you should also be running GroupWise Messenger 18.4.1.
- If you're using GroupWise GWWEB, you should be running the latest GWWeb version (currently 18.4.1).
- If you're using an older version of GroupWise WebAccess, you should abandon it and switch to GWWEB. WebAccess can be used with MFA, but it does not natively support it. It is considered a "UI-less" endpoint.
- If you're using Retain Archiving, you should be running the latest version, 4.10 (?).
- If you are using any services that require authentication from the public internet (such as GWWEB or the GroupWise Client), you should utilize a reverse proxy server on your network perimeter to control and restrict access to sensitive areas of the Advanced Authentication server from the public Internet. This can be done with an Ubuntu server running the NGINX proxy, or with some firewalls. This is a complex topic that is very critical to understand. More on this later.
- Depending on how your users authenticate with the GroupWise Client, you may be required to fully roll out the GroupWise 18.4.1 client to your users to be successful with MFA. Clients older than version 18.3 are not MFA aware and generally cannot authenticate when MFA policies are enabled.
Other 3rd Party MFA Solutions and GroupWise
GroupWise only supports MFA being implemented via the NetIQ Advanced Authentication Server. It does not support 3rd party solutions such as Duo or Okta. Note the following:
- Unsure what the right term is, but the NetIQ Advanced Authentication Server is the Master / Authoritative Source for the process used by GroupWise. Duo and Okta also want to be the Master source. What this means is that even if you tried to integrate with a 3rd party solution, you would end up with 2 systems that both want to be in full control of the process.
- Theoretically, through some of the more advanced NetIQ Methods, it may be possible to spawn a task from the Advanced Auth Server to another solution; however, it adds another complex layer to the mix. Unless you have a significant amount of experience working with this type of solution, you're probably better off not going this route.
- I have worked extensively trying to get GroupWise, NetIQ Advanced Authentication Server, and Okta's MFA solution to work. I spent weeks and weeks working with Technical resources at both Micro Focus and Okta trying to get various methods of integration configured and we were not successful. We ended up scrapping that process and using simpler native methods to get the project on track.
- You might think "Gosh, I would think that I could just connect to a different system like Duo, it shouldn't be that hard." It doesn't work that way. GroupWise is very tightly connected to the NetIQ server, and there are currently no supported integration options for other vendors.