Check your server versions before starting. This integration works with Exchange Server 2007 (64-bit only), running on Windows Server 2008 R1 or R2.
This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
Try setting your application's "New user policy" to "Allow Access" while testing. Users that Duo knows about will be prompted to authenticate with Duo, while all other users will be transparently let through.
Users that have a phone (or hardware token) associated with them will see the authentication prompt. All other users will be able to add their phone through Duo's self-service enrollment (see Test Your Setup).
Then (when you're ready) change the "New user policy" to "Require Enrollment." This will prompt all users to authenticate (or enroll) after they type in their usernames and passwords.
Duo Security's installer needs to be installed on the Microsoft Exchange server(s) where the Client Access Server role exists.
Open the Duo Security installer with administrative privileges to run it. Accept the license agreement and enter your integration key, secret key, and API hostname from the Duo Security application page when prompted:
To test your setup, log into OWA. Duo's enrollment or login prompt should appear after you enter your username and password: