Manually configure the Microsoft Exchange server

Before manually configuring an Exchange server for AppInsight for Exchange:

  • Make sure you have credentials and a proper Exchange account
  • Review the configuration changes to enable AppInsight for Exchange

Use the following instructions to configure an Exchange server:

For a list of possible configuration errors with solutions, see Troubleshoot error codes in AppInsight for Exchange.

Define Exchange credentials

Use domain accounts to access Exchange Management interfaces; AppInsight for Exchange does not support local accounts. Select an existing Active Directory account or create one to use with AppInsight for Exchange. See Verify Microsoft Exchange credentials.

  1. On the server where you are granting local administrative privileges, open the Computer Management console.

    On Windows Server 2012, use the Active Directory console to manage administrative privileges.

  2. Navigate to the Administrators group.
  3. Add the account by typing its Active Directory user name. (Ensure the location is set to either the domain where the account is located or Entire Directory.)
  4. Save your changes.

Alternatively, add an Active Directory group to the local administrators group and add Active Directory user accounts to that group.

To verify that the account and local group membership were configured properly, run the following in a PowerShell session:

# Expand nested groups so indirect members are listed too
$Recurse = $true
$GroupName = 'Administrators'

# Look up the local (machine-context) Administrators group
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)

# List each member once, with the domain it comes from and its object type
$LocalAdmin = $group.GetMembers($Recurse) | Select-Object @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique

# Keep only user accounts and display them
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}
$LocalAdmin

Grant Exchange Access

To grant Least Privilege access to the Exchange Organization:

  1. Open Active Directory Users and Computers (ADUC) and find the Microsoft Exchange Security Groups OU.
  2. From the View-Only Organization Management group, add the user name of the account you want to grant access to the Exchange organization.

See Microsoft.com for detailed instructions.

Set Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes.

  1. From the Start menu, open the Exchange Management Shell (EMS).
  2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User <Username of account being granted access> and then press Enter.
  3. To verify the management role has been properly assigned, enter the following command:
    Get-ManagementRoleAssignment -RoleAssignee <Username of account>

Install PowerShell 2.0

PowerShell 2.0 is usually installed in Microsoft Server 2012; use Server Manager to confirm that PowerShell 2.0 is fully installed. Install it, if necessary.

If you have Microsoft Server 2008 R2, PowerShell 2.0 comes fully installed.

You may also need to set the PowerShell permissions. See Set PowerShell permissions for Exchange.

If you need to download and install PowerShell:

  1. Navigate to Windows Management Framework (http://go.microsoft.com/fwlink/?LinkId=177670).

  2. Review the information on the web page, and then click the link for the download of the Windows Management Framework Core for your platform in the Download Information section.
  3. On the Update page, click Download.
  4. When the download is complete, click Finish.

See Microsoft.com for detailed installation instructions.

Set PSLanguageMode to FullLanguage for the PowerShell website

Use IIS Manager on the Exchange server to configure application settings for the default website and PowerShell virtual directory, and then recycle the MSExchangePowerShellAppPool application pool.

See Microsoft.com for detailed instructions.

Create a self-signed certificate

SolarWinds provides a Self-signed Certificate PowerShell script for AppInsight for Exchange. Alternatively, follow these steps to create your own certificate:

  1. Using PowerShell and CertEnroll, open PowerShell in the Run as Administrator context.
  2. Enter the following code:

    Use the following format in the CN (Subject): "<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration". For example: "10.199.15.106_Solarwinds_Exchange_Zero_Configuration"

# Subject name. Replace TestServer with "<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)

# Private key in the machine context
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1 # XCN_AT_KEYEXCHANGE
$key.Length = 2048 # raised from 1024; 1024-bit RSA is no longer considered adequate
# Key ACL: full control for SYSTEM (SY) and Administrators (BA), read for Network Service (NS)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

# Enhanced Key Usage extension: Server Authentication (1.3.6.1.5.5.7.3.1)
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Self-signed certificate (issuer = subject), valid for 3650 days
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "") # 2 = machine context
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

# Install the certificate in the local machine store
$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "") # 2 = allow untrusted (self-signed) certificate

For details, see Generating a Certificate.

Configure WinRM 2.0 on an Exchange server

  1. Open a command prompt in the Run as Administrator context.
  2. Type the following command, and then press Enter:
    winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="5986";CertificateThumbprint="<Thumbprint value of certificate>";Hostname="<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"}

  3. Verify the configuration by typing: winrm get winrm/config/listener?Address=*+Transport=HTTPS.
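
The listener command needs the certificate thumbprint, and the listener is only useful if it is bound to the certificate created earlier. The following check is an added example, not part of the original instructions or SolarWinds code: it finds the certificate by subject, reports its thumbprint, key size and Server Authentication EKU, and compares the thumbprint with the one on the HTTPS listener. The function name, the 2048-bit minimum and the sample IP address are assumptions.

```powershell
# Added example (not SolarWinds code). $ServerIp is a constructed sample value.
$ServerIp = '10.199.15.106'
$Subject  = "CN=${ServerIp}_Solarwinds_Exchange_Zero_Configuration"

function Test-ListenerCertificate {
    param([string]$Subject, [int]$MinKeyBits = 2048)

    # Newest certificate in the machine store with exactly this subject.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

    # Collect Enhanced Key Usage OIDs; 1.3.6.1.5.5.7.3.1 is Server Authentication.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    # Read the HTTPS listener, if one exists, and normalize its thumbprint.
    $bound = $null
    try {
        $listener = Get-WSManInstance -ResourceURI winrm/config/listener `
            -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } -ErrorAction Stop
        $bound = ($listener.CertificateThumbprint -replace '\s', '').ToUpper()
    } catch {
        Write-Warning "No WinRM HTTPS listener found: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        KeyBits       = $cert.PublicKey.Key.KeySize
        KeySizeOk     = ($cert.PublicKey.Key.KeySize -ge $MinKeyBits)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')
        NotExpired    = ($cert.NotAfter -gt (Get-Date))
        ListenerBound = ($bound -eq $cert.Thumbprint)
    }
}

Test-ListenerCertificate -Subject $Subject | Format-List
```

Run it before step 2 to obtain the Thumbprint value for the winrm command (ListenerBound is False at that point), and again after step 3 to confirm the binding.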

Create a firewall rule

  1. Open PowerShell using Run as Administrator.
  2. Create a function for adding firewall rules using the following code:
    function Add-FirewallRule {
        param(
            $name,
            $tcpPorts,
            $appName = $null,
            $serviceName = $null
        )
        # Windows Firewall policy and a new, empty rule
        $fw = New-Object -ComObject hnetcfg.fwpolicy2
        $rule = New-Object -ComObject HNetCfg.FWRule
        $rule.Name = $name
        # Scope the rule to an application or service only when one is given
        if ($null -ne $appName) { $rule.ApplicationName = $appName }
        if ($null -ne $serviceName) { $rule.serviceName = $serviceName }
        $rule.Protocol = 6 # NET_FW_IP_PROTOCOL_TCP
        $rule.LocalPorts = $tcpPorts
        $rule.Enabled = $true
        $rule.Grouping = "@firewallapi.dll,-23255"
        $rule.Profiles = 7 # all (Domain, Private and Public)
        $rule.Action = 1 # NET_FW_ACTION_ALLOW
        $rule.EdgeTraversal = $false
        $fw.Rules.Add($rule)
    }
  3. Run the function to create the firewall exception for WSMAN with this command:
    Add-FirewallRule "Windows Remote Management" "5986" $null $null

  4. Verify the rule was created.
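
One way to carry out step 4, as an added example that is not part of the original instructions or SolarWinds code: read the rule back through the same HNetCfg.FwPolicy2 COM object and report where it applies. Because Add-FirewallRule sets Profiles = 7 and leaves the remote address scope at its default, the output shows whether port 5986 is open on the Public profile and to any remote host. The function name Get-FirewallRuleScope is an assumption.

```powershell
# Added example (not SolarWinds code): read back rules matching the name and
# port used in step 3 and report where they apply.
function Get-FirewallRuleScope {
    param(
        [string]$Name = 'Windows Remote Management',
        [string]$Port = '5986'
    )
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # NET_FW_PROFILE_TYPE2 bit values
    $profileBits = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

    foreach ($rule in $fw.Rules) {
        if ($rule.Name -ne $Name -or $rule.LocalPorts -ne $Port) { continue }

        # Translate the Profiles bitmask into profile names
        $profiles = @($profileBits.Keys | Sort-Object |
            Where-Object { $rule.Profiles -band $_ } |
            ForEach-Object { $profileBits[$_] })

        New-Object PSObject -Property @{
            Name            = $rule.Name
            Enabled         = $rule.Enabled
            Inbound         = ($rule.Direction -eq 1)   # NET_FW_RULE_DIR_IN
            Allow           = ($rule.Action -eq 1)      # NET_FW_ACTION_ALLOW
            LocalPorts      = $rule.LocalPorts
            Profiles        = ($profiles -join ', ')
            RemoteAddresses = $rule.RemoteAddresses
            AnyRemoteHost   = ($rule.RemoteAddresses -eq '*')
            OnPublicProfile = (($rule.Profiles -band 4) -ne 0)
        }
    }
}

$found = @(Get-FirewallRuleScope)
if ($found.Count -eq 0) { Write-Warning 'No matching firewall rule found.' }
$found | Format-List
```

More than one result means the function in step 3 was run more than once and duplicate rules exist.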

Configure IIS

  1. Open a command prompt in the Run as Administrator context.
  2. Change to the C:\Windows\System32\Inetsrv directory.
  3. Type: appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication and press Enter.
  4. Open PowerShell in the Run As Administrator context.
  5. Type: Import-Module WebAdministration and press Enter.
  6. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled and press Enter.
  7. If the return value is True, Windows Authentication is configured. If the value returned is False, follow these steps:
    1. Type: Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell' -value True and then press Enter.
    2. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled to verify the setting changed.

    3. Close PowerShell.
    4. In the open command prompt, type: appcmd.exe lock config -section:system.webServer/security/authentication/windowsAuthentication and then press Enter.

    5. Close the command prompt.

Test the application

Navigate to the Application Edit page and click Test. Your screen should look like the following illustration.