Manually configure an Exchange server for AppInsight for Exchange

Manual configuration is only recommended for experienced Exchange administrators. SAM includes an automated way to configure Exchange servers.

Before manually configuring an Exchange server for AppInsight for Exchange:

• Review AppInsight for Exchange requirements and permissions.
• Make sure you have valid credentials for an Exchange account.
• Verify that PowerShell 5.1 is installed.
• Review the configuration changes to enable AppInsight for Exchange.

Complete these tasks to configure a target Exchange server:

• Define Exchange credentials
• Grant Exchange access
• Set mailbox search access
• Install PowerShell
• Set PSLanguageMode to RestrictedLanguage for the PowerShell website
• Create a self-signed certificate
• Configure WinRM on the Exchange server
• Create a firewall rule
• Configure IIS
• Test the application

To learn about related error codes and solutions, see Troubleshoot error codes in AppInsight for Exchange.

Define Exchange credentials

Use domain accounts to access Exchange Management interfaces; AppInsight for Exchange does not support local accounts. Select an existing Active Directory account or create one to use with AppInsight for Exchange. See Verify Microsoft Exchange credentials.

1. On the server where you are granting local administrative privileges, open the Computer Management console.

   On Windows Server 2012, use the Active Directory console to manage administrative privileges.

2. Navigate to the Administrators group.
3. Add the type in the Active Directory user name of the account. (Ensure the location is set to either the domain where the account is located or Entire Directory.)
4. Save your changes.

Alternatively, add an Active Directory group to the local administrators group and add Active Directory user accounts to that group.

To verify the account and local group membership was configured properly, run the following in a PowerShell session:

$Recurse = $true
$GroupName = 'Administrators'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)
$LocalAdmin = $group.GetMembers($Recurse) | select @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}

Grant Exchange access

To grant Least Privilege access to the Exchange Organization to an account:

1. Open Active Directory Users and Computers (ADUC) and find the Microsoft Exchange Security Groups organizational unit (OU).
2. Add the user name of the account to the View-Only Organization Management group.

Set Mailbox Search access

Mailbox Search access is required to determine attachment counts and sizes.

1. From the Start menu, open the Exchange Management Shell (EMS).
2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User <Username of account being granted access> and then press Enter.
3. To verify the management role has been properly assigned, enter the following command:
   
   Get-ManagementRoleAssignment -RoleAssignee <Username of account>

Install PowerShell on target servers

PowerShell is usually installed with Microsoft Server. If necessary, install PowerShell 5.1 on target servers.

See also Set PowerShell permissions for Exchange.

Set PSLanguageMode to RestrictedLanguage for the PowerShell website

If the PSLanguageMode is NoLanguage, change it to RestrictedLanguage. Using FullLanguage mode is not recommended.

Use IIS Manager on the Exchange server to configure application settings for the default website and PowerShell virtual directory, and then recycle the MSExchangePowerShellAppPool application pool.

Create a self-signed certificate

You can download a PowerShell script to create a self-signed certificate suitable for AppInsight for Exchange from the SolarWinds Success Center. See Create a self-signed certificate for AppInsight for Exchange with a PowerShell script.

Alternatively, follow these steps to create your own certificate.

1. Using PowerShell and CertEnroll, open PowerShell in the Run as Administrator context.

2. Enter the following code.

   Use this format in the CN (Subject): "<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"
   For example: “10.xxx.15.106_Solarwinds_Exchange_Zero_Configuration”

$IPAddress = Read-Host "Enter the IP Address of the Exchange server"
$ExpDays = "3650"
$FriendlyName = "$IPAddress" + "_Solarwinds_Exchange_Zero_Configuration"
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=$FriendlyName", 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays($ExpDays)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$enrollment.CertificateFriendlyName = $FriendlyName
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")

Configure WinRM on the Exchange server

1. Open a command prompt in the Run as Administrator context.

2. Type: winrm create winrm/config/listener?Address=*+Transport=HTTPS '@{Port="5986";CertificateThumbprint="<Thumbprint value of certificate>";Hostname="<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"}' and press Enter.

   

3. Verify the configuration by typing: winrm get winrm/config/listener?Address=*+Transport=HTTPS.

   

Create a firewall rule

1. Open PowerShell using Run as Administrator.
2. Create a function for adding firewall rules using the following code:

   function Add-FirewallRule {
   param(
   $name,
   $tcpPorts,
   $appName = $null,
   $serviceName = $null
   )
   $fw = New-Object -ComObject hnetcfg.fwpolicy2
   $rule = New-Object -ComObject HNetCfg.FWRule
   $rule.Name = $name
   if ($appName -ne $null) { $rule.ApplicationName = $appName }
   if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
   $rule.Protocol = 6 #NET_FW_IP_PROTOCOL_TCP
   $rule.LocalPorts = $tcpPorts
   $rule.Enabled = $true
   $rule.Grouping = "@firewallapi.dll,-23255"
   $rule.Profiles = 7 # all
   $rule.Action = 1 # NET_FW_ACTION_ALLOW
   $rule.EdgeTraversal = $false
   $fw.Rules.Add($rule)
   }

3. Run the function to create the firewall exception for WSMAN with this command:

   Add-FirewallRule "Windows Remote Management" "5986" $null $null

   

4. Verify the rule was created.

Configure IIS

1. Open a command prompt in the Run as Administrator context.
2. Change to the C:\Windows\System32\Inetsrv directory.
3. Type: appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication and press Enter.
4. Open PowerShell in the Run as Administrator context.
5. Type: Import-Module WebAdministration and press Enter.
6. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled and press Enter.
7. If the return value is True, Windows Authentication is configured. If False, follow these steps:
   1. Type: Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell' -value True and then press Enter.

   2. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled to verify the setting changed.

      

   3. Close PowerShell.

   4. In the open command prompt, type: appcmd.exe lock config -section:system.webServer/security/authentication/windowsAuthentication and then press Enter.

      

   5. Close the command prompt.

Test the application

Navigate to the Application Edit page and click Test. The result should look similar to this figure:

Scripts are not supported under any SolarWinds support program or service. The scripts are provided AS IS without warranty of any kind. SolarWinds further disclaims all warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The risk arising out of the use or performance of the scripts and documentation stays with you. In no event shall SolarWinds or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the scripts or documentation.