Configure Exchange Defender
This configuration is optional.
This section describes how to create the management account which allows a connection to the Exchange server remotely by using PowerShell, with access only to the given cmdlets, and how to configure Exchange Defender in Settings.
Prerequisites
To be able to connect to the Exchange server remotely by using PowerShell, the account must have:
Exchange 2013 / 2016 / 2019 / M365 (online)
PowerShell 2.0 / 3.0 with Exchange Management Shell plugin
Some administrative rights in Exchange
To connect to Exchange Online, you should also install Windows Management Framework 3.0 or Windows Management Framework 4.0.
Create and organize the management roles
The custom management roles are created with Role Based Access Control (RBAC) and the roles are organized in role groups. When a user is added to a role group made in this guide, the user can connect to the Exchange server using PowerShell.
To create a user:
Create a service account in Active Directory.
Note
In this guide, the user is named “SnowUser”. Replace “SnowUser” with your preferred name.
To enable remote PowerShell logon for the user, start PowerShell and type:
Set-User SnowUser -RemotePowerShellEnabled $True
To set execution policy on the application server that runs Cloud Extender and to enable scripts to be run on the application server, type:
Set-ExecutionPolicy RemoteSigned
To create a management role called "SnowMGMT", start the Exchange Management Shell and type:
New-ManagementRole SnowMGMT -Parent "User Options"
Note
The management role is based on the parent role “User Options”, which gives the role access to some of the “User Option” cmdlets.
To create a second management role, type:
New-ManagementRole SnowMGMT1 -Parent "Organization Client Access"
To group the management roles, type:
New-RoleGroup -Name RemoteSnow -Roles "SnowMGMT", "SnowMGMT1" -Members "SnowUser"
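A role created with -Parent starts with all of the parent role's entries, so it is worth checking what the two roles allow and who holds them. The following audit is an added example, not part of the original guide; it assumes it is run by an Exchange administrator in the Exchange Management Shell, and the "Get-* only" criterion is an assumption, because the guide does not list which cmdlets the product needs.

```powershell
# Added example (not from the original guide).
# Role, role group and account names are the ones used in this guide.
$roles     = 'SnowMGMT', 'SnowMGMT1'
$roleGroup = 'RemoteSnow'

# Collect every role entry (cmdlet) the custom roles grant, with its verb.
$entries = foreach ($role in $roles) {
    Get-ManagementRoleEntry "$role\*" |
        Select-Object @{ n = 'Role';   e = { $role } },
                      @{ n = 'Cmdlet'; e = { $_.Name } },
                      @{ n = 'Verb';   e = { ($_.Name -split '-', 2)[0] } },
                      @{ n = 'ParameterCount'; e = { @($_.Parameters).Count } }
}

# Assumption: an inventory account only needs to read, so any verb
# other than Get is listed for review.
$nonRead = @($entries | Where-Object { $_.Verb -ne 'Get' })

# Per-role summary: total entries and how many are not Get-*.
$entries | Group-Object Role | ForEach-Object {
    New-Object PSObject -Property @{
        Role    = $_.Name
        Total   = $_.Count
        NonRead = @($_.Group | Where-Object { $_.Verb -ne 'Get' }).Count
    }
} | Format-Table Role, Total, NonRead -AutoSize

# The entries to review with the product owner before leaving them in place.
$nonRead | Sort-Object Role, Cmdlet |
    Format-Table Role, Cmdlet, ParameterCount -AutoSize

# Where the custom roles are assigned. Expected: only the RemoteSnow role group.
foreach ($role in $roles) {
    Get-ManagementRoleAssignment -Role $role |
        Format-Table Name, Role, RoleAssigneeName, RoleAssigneeType -AutoSize
}

# Who is in the role group. Expected: only the service account.
Get-RoleGroupMember -Identity $roleGroup | Format-Table Name, RecipientType -AutoSize
```

The script only reads configuration; it does not remove role entries or members.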
To verify the functionality of the account and the connection:
Note
Authentication and encryption methods may vary depending on configuration.
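Open PowerShell from any computer that can connect to the Exchange server, and then type the following to create session options that skip the certificate CN, CA, and revocation checks:
$so = New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck
To create the session, type the following, where $UserCredential holds the credentials of the service account (for example, from Get-Credential):
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://<FQDN>/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection -SessionOption $so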
Note
Replace <FQDN> with the name of the Exchange server or virtual directory.
To import the created session, type:
Import-PSSession $session
To verify the connection, type for example:
Get-CASMailbox -ResultSize 10
You should now receive 10 users from the Exchange server.
To end the session, type:
Remove-PSSession $session
Configure Exchange Defender
In the Settings dialog box, select the Exchange Defender check box, and then click Configure.
The Exchange PowerShell Config dialog box appears.
Type the URI for the PowerShell application pool of the Exchange server, usually http://<FQDN>/powershell/
Type the user name of the service account in the Identity box.
Type the password of the service account in the Password box.
Click Verify.
Click Save.
Note
You need to set the correct authentication mechanism for your own Exchange setup. Unless you already know the correct settings for your case, you might need to try different settings until you are able to connect.
When you are finished with the settings, select Save in the Settings dialog box.