Manually configure an Exchange server

Manual configuration is only recommended for experienced Exchange administrators. SAM includes an automated way to configure Exchange servers, as described in Configure AppInsight for Exchange on nodes.

Before manually configuring an Exchange server for AppInsight for Exchange:

Use the following instructions to configure an Exchange server:

Define Exchange credentials

Use domain accounts to access Exchange Management interfaces; AppInsight for Exchange does not support local accounts. Select an existing Active Directory account or create one to use with AppInsight for Exchange. See Verify Microsoft Exchange credentials.

  1. On the server where you are granting local administrative privileges, open the Computer Management console.

    On Windows Server 2012, use the Active Directory console to manage administrative privileges.

  2. Navigate to the Administrators group.
  3. Add the account by typing in its Active Directory user name. (Ensure the location is set to either the domain where the account is located or Entire Directory.)
  4. Save your changes.

Alternatively, add an Active Directory group to the local administrators group and add Active Directory user accounts to that group.

To verify that the account and local group membership were configured properly, run the following in a PowerShell session:

# Expand nested groups so accounts added through an Active Directory group are listed too
$Recurse = $true
$GroupName = 'Administrators'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Look up the local (machine-context) Administrators group
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)
$LocalAdmin = $group.GetMembers($Recurse) | select @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique
# Keep user accounts only, then display them
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}
$LocalAdmin

Grant Exchange Access

To grant Least Privilege access to the Exchange Organization:

  1. Open Active Directory Users and Computers (ADUC) and find the Microsoft Exchange Security Groups OU.
  2. From the View-Only Organization Management group, add the user name of the account you want to grant access to the Exchange organization.

See Microsoft.com for detailed instructions.

Set Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes.

  1. From the Start menu, open the Exchange Management Shell (EMS).
  2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User <Username of account being granted access> and then press Enter.
  3. To verify the management role has been properly assigned, enter the following command:
    Get-ManagementRoleAssignment -RoleAssignee <Username of account>

Install PowerShell 2.0 or later

PowerShell 2.0 or later is usually installed with Microsoft Server. Install it, if necessary (see Use PowerShell in SAM). You may also need to Set PowerShell permissions for Exchange.

Set PSLanguageMode to FullLanguage for the PowerShell website

Use IIS Manager on the Exchange server to configure application settings for the default website and PowerShell virtual directory, and then recycle the MSExchangePowerShellAppPool application pool.

See Microsoft.com for detailed instructions.

Create a self-signed certificate

You can download a PowerShell script to create a self-signed certificate suitable for AppInsight for Exchange from the SolarWinds Success Center. See Create a self-signed certificate for AppInsight for Exchange with a PowerShell script.

Alternatively, follow these steps to create your own certificate.

  1. Using PowerShell and CertEnroll, open PowerShell in the Run as Administrator context.
  2. Enter the following code:

    Use the following format in the CN (Subject): "<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration". For example: "10.199.15.106_Solarwinds_Exchange_Zero_Configuration"

# Subject name: replace TestServer with the CN in the format described above
$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)

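# Private key: machine-context RSA key held in the SChannel provider
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1 # XCN_AT_KEYEXCHANGE
# 1024-bit RSA is below the 2048-bit minimum in current NIST guidance
$key.Length = 1024
# SDDL: full access for SYSTEM (SY) and built-in Administrators (BA), read access for Network Service (NS)
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1
$key.Create()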

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)
$cert.X509Extensions.Add($ekuext)
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")
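
The WinRM listener step that follows needs the certificate's thumbprint, which the procedure does not show how to obtain. The following is an added example, not SolarWinds code: it looks up the certificate by the CN format above and reports the thumbprint, key size, EKU, and expiry. The IP address is a constructed sample value, and the store location (local machine Personal store) is an assumption.

```powershell
# Added example, not SolarWinds code.
# $ServerIp is a constructed sample value; use the IP address from your certificate CN.
$ServerIp      = '10.199.15.106'
$Subject       = "CN=${ServerIp}_Solarwinds_Exchange_Zero_Configuration"
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, the EKU the script above requests

function Get-CertificateReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$RequiredEku
    )
    # Gather the OIDs listed in the Enhanced Key Usage extension, if one is present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }
    $keySize = $Cert.PublicKey.Key.KeySize

    $Cert | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey,
        @{N='KeySize';            E={ $keySize }},
        @{N='SignatureAlgorithm'; E={ $_.SignatureAlgorithm.FriendlyName }},
        @{N='HasRequiredEku';     E={ $ekuOids -contains $RequiredEku }},
        @{N='Expired';            E={ $_.NotAfter -lt (Get-Date) }},
        @{N='KeyBelow2048Bits';   E={ $keySize -lt 2048 }}
}

# Assumption: the CertEnroll script installed the certificate in the local machine Personal store.
$found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })
if ($found.Count -eq 0) {
    Write-Warning "No certificate with subject '$Subject' in Cert:\LocalMachine\My"
} else {
    $found | ForEach-Object { Get-CertificateReport -Cert $_ -RequiredEku $ServerAuthOid } | Format-List
}
```

If more than one certificate is listed, use the thumbprint of the one that has a private key and has not expired.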

Configure WinRM 2.0 on an Exchange server

  1. Open a command prompt in the Run as Administrator context.
  2. Type: winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="5986";CertificateThumbprint="<Thumbprint value of certificate>";Hostname="<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"} and press Enter.

  3. Verify the configuration by typing: winrm get winrm/config/listener?Address=*+Transport=HTTPS.

Create a firewall rule

  1. Open PowerShell using Run as Administrator.
  2. Create a function for adding firewall rules using the following code:
    function Add-FirewallRule {
        param(
            $name,
            $tcpPorts,
            $appName = $null,
            $serviceName = $null
        )
        $fw = New-Object -ComObject hnetcfg.fwpolicy2
        $rule = New-Object -ComObject HNetCfg.FWRule
        $rule.Name = $name
        if ($appName -ne $null) { $rule.ApplicationName = $appName }
        if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
        $rule.Protocol = 6 # NET_FW_IP_PROTOCOL_TCP
        $rule.LocalPorts = $tcpPorts
        $rule.Enabled = $true
        $rule.Grouping = "@firewallapi.dll,-23255"
        $rule.Profiles = 7 # all
        $rule.Action = 1 # NET_FW_ACTION_ALLOW
        $rule.EdgeTraversal = $false
        $fw.Rules.Add($rule)
    }
  3. Run the function to create the firewall exception for WSMAN with this command: Add-FirewallRule "Windows Remote Management" "5986" $null $null

  4. Verify the rule was created.
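
One way to carry out the verification in step 4, as an added example that is not SolarWinds code: it lists every inbound TCP allow rule covering port 5986, with the profiles and remote addresses each rule applies to. The function name is hypothetical. The function above sets Profiles to 7 and does not set RemoteAddresses, so the output shows the scope the rule actually has.

```powershell
# Added example, not SolarWinds code. Get-InboundAllowRuleForPort is a hypothetical name.
function Get-InboundAllowRuleForPort {
    param([int]$Port = 5986)

    $profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
    $fw = New-Object -ComObject HNetCfg.FwPolicy2

    foreach ($rule in $fw.Rules) {
        # Keep inbound (1) TCP (6) allow (1) rules only.
        if ($rule.Direction -ne 1 -or $rule.Protocol -ne 6 -or $rule.Action -ne 1) { continue }
        if (-not $rule.LocalPorts) { continue }

        # LocalPorts is a comma-separated list; entries can be '*', a port, or a range like 5985-5986.
        $covers = $false
        foreach ($entry in ($rule.LocalPorts -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '*') { $covers = $true }
            elseif ($entry -match '^(\d+)-(\d+)$') {
                if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { $covers = $true }
            }
            elseif ($entry -eq "$Port") { $covers = $true }
        }
        if (-not $covers) { continue }

        # Decode the profile bitmask (the function above sets 7 = Domain + Private + Public).
        $profiles = @(1, 2, 4 | Where-Object { $rule.Profiles -band $_ } |
            ForEach-Object { $profileNames[$_] }) -join ', '

        $rule | Select-Object Name, Enabled, LocalPorts, RemoteAddresses,
            @{N='Profiles'; E={ $profiles }}
    }
}

Get-InboundAllowRuleForPort -Port 5986 | Format-Table -AutoSize -Wrap
```

The rule created in step 3 should appear with the name "Windows Remote Management" and Enabled set to True.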

Configure IIS

  1. Open a command prompt in the Run as Administrator context.
  2. Change to the C:\Windows\System32\Inetsrv directory.
  3. Type: appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication and press Enter.
  4. Open PowerShell in the Run As Administrator context.
  5. Type: Import-Module WebAdministration and press Enter.
  6. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled and press Enter.
  7. If the return value is True, Windows Authentication is configured. If the value returned is False, follow these steps:
    1. Type: Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell' -value True and then press Enter.
    2. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled to verify the setting changed.

    3. Close PowerShell.
    4. In the open command prompt, type: appcmd.exe lock config -section:system.webServer/security/authentication/windowsAuthentication and then press Enter.

    5. Close the command prompt.

Test the application

Navigate to the Application Edit page and click Test. Your screen should look like the following illustration.