Converse agora com nosso suporte
Chat com o suporte

Foglight for Exchange 6.3.0 - Release Notes

Foglight for Exchange 6.3.0 Release Notes Contents Welcome to Foglight for Exchange New in this release Resolved issues and enhancements Known issues Third party known issues Upgrade and compatibility System requirements Prerequisites Troubleshooting Product licensing Getting started with Foglight for Exchange About Us

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account privileges

Exchange account privileges:

Note: Make sure to give minimum required privilege to your agent; otherwise this agent cannot start data collection.

  • Exchange server Local Administrator privilege (DCOM, WinRm).
  • Running Exchange PowerShell cmdlet with the following privileges:
    • Server Management
    • Organization Management
    • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

  • Organization Management (Exchange 2010, 2013, 2016, 2019)

DCOM prerequisites for the Exchange server

  1. Enable the Distributed COM (DCOM) on the Exchange server:
    1. Click Start | Run.
    2. In the Run dialog, enter dcomcnfg and click OK.
    3. Expand Component Services and then Computers.
    4. Right-click the My Computer object and select Properties.
    5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
  2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
  3. The Exchange account specified in the agent properties must have Full Control permissions on the registry keys. Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.

Firewall settings for the Exchange Server

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article: https://support.quest.com/kb/SOL85903.

Configure Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

Kerberos settings for the Agent Manager

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc.

Additional configuration settings

  1. Enable Remote Shell for the user account used to monitor the Exchange environment. For more information, see Manage Exchange Management Shell access.

  2. If your Exchange environment is running on Windows Server 2012 or below, make sure to download and install KB2842230 from Microsoft Updated Catalog to avoid the "Out of memory" error. For more information, see "Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed.

  3. Execute the Set-ExecutionPolicy RemoteSigned command for all of your Exchange environments.

PowerShell configurations required for feature state queries (for Exchange servers only)

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.

 


Firewall settings for the Exchange Server

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account privileges

Exchange account privileges:

Note: Make sure to give minimum required privilege to your agent; otherwise this agent cannot start data collection.

  • Exchange server Local Administrator privilege (DCOM, WinRm).
  • Running Exchange PowerShell cmdlet with the following privileges:
    • Server Management
    • Organization Management
    • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

  • Organization Management (Exchange 2010, 2013, 2016, 2019)

DCOM prerequisites for the Exchange server

  1. Enable the Distributed COM (DCOM) on the Exchange server:
    1. Click Start | Run.
    2. In the Run dialog, enter dcomcnfg and click OK.
    3. Expand Component Services and then Computers.
    4. Right-click the My Computer object and select Properties.
    5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
  2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
  3. The Exchange account specified in the agent properties must have Full Control permissions on the registry keys. Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article: https://support.quest.com/kb/SOL85903.

Configure Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

Kerberos settings for the Agent Manager

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc.

Additional configuration settings

  1. Enable Remote Shell for the user account used to monitor the Exchange environment. For more information, see Manage Exchange Management Shell access.

  2. If your Exchange environment is running on Windows Server 2012 or below, make sure to download and install KB2842230 from Microsoft Updated Catalog to avoid the "Out of memory" error. For more information, see "Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed.

  3. Execute the Set-ExecutionPolicy RemoteSigned command for all of your Exchange environments.

PowerShell configurations required for feature state queries (for Exchange servers only)

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.

 


Configure Windows Remote Management (WinRM)

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account privileges

Exchange account privileges:

Note: Make sure to give minimum required privilege to your agent; otherwise this agent cannot start data collection.

  • Exchange server Local Administrator privilege (DCOM, WinRm).
  • Running Exchange PowerShell cmdlet with the following privileges:
    • Server Management
    • Organization Management
    • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

  • Organization Management (Exchange 2010, 2013, 2016, 2019)

DCOM prerequisites for the Exchange server

  1. Enable the Distributed COM (DCOM) on the Exchange server:
    1. Click Start | Run.
    2. In the Run dialog, enter dcomcnfg and click OK.
    3. Expand Component Services and then Computers.
    4. Right-click the My Computer object and select Properties.
    5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
  2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
  3. The Exchange account specified in the agent properties must have Full Control permissions on the registry keys. Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.

Firewall settings for the Exchange Server

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article: https://support.quest.com/kb/SOL85903.

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

Kerberos settings for the Agent Manager

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc.

Additional configuration settings

  1. Enable Remote Shell for the user account used to monitor the Exchange environment. For more information, see Manage Exchange Management Shell access.

  2. If your Exchange environment is running on Windows Server 2012 or below, make sure to download and install KB2842230 from Microsoft Updated Catalog to avoid the "Out of memory" error. For more information, see "Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed.

  3. Execute the Set-ExecutionPolicy RemoteSigned command for all of your Exchange environments.

PowerShell configurations required for feature state queries (for Exchange servers only)

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.

 


Kerberos settings for the Agent Manager

Prerequisites

The following prerequisite conditions must be in place in order to successfully initialize an Exchange agent. Failure to meet these prerequisites may result in missing metrics in Foglight for Exchange dashboards.

Important: All prerequisite steps must be completed on the Exchange server as well as the Active Directory® server because the Exchange agent collects information from the Active Directory server and requires access permissions.

Note: The Remote Access Diagnostics utility, provided with this cartridge, checks the connectivity between the Foglight Agent Manager (FglAM) and Active Directory and Exchange servers that are being monitored. It also tests for the prerequisite conditions that must be met in order to initialize an Exchange agent. This utility requires .NET® 2.0 libraries to run. For more information on running the Remote Access Diagnostics utility, see the Remote Access Diagnostics User Guide.

Account privileges

Exchange account privileges:

Note: Make sure to give minimum required privilege to your agent; otherwise this agent cannot start data collection.

  • Exchange server Local Administrator privilege (DCOM, WinRm).
  • Running Exchange PowerShell cmdlet with the following privileges:
    • Server Management
    • Organization Management
    • View-Only Organization Management

Domain Controller account privileges: a domain user account with the following privileges (LDAP):

  • Organization Management (Exchange 2010, 2013, 2016, 2019)

DCOM prerequisites for the Exchange server

  1. Enable the Distributed COM (DCOM) on the Exchange server:
    1. Click Start | Run.
    2. In the Run dialog, enter dcomcnfg and click OK.
    3. Expand Component Services and then Computers.
    4. Right-click the My Computer object and select Properties.
    5. On the Default Properties tab, check the Enable Distributed COM on this computer option.
      • Select "Default Authentication Level" as "Connect.
      • Select "Default Impersonation Level" as "Identify".
  2. The Remote Registry Service must be running on each Exchange server being monitored by Foglight for Exchange, to allow agents remote access to the registry.
  3. The Exchange account specified in the agent properties must have Full Control permissions on the registry keys. Refer to Permissions on registry keys to configure DCOM command shell connection in Foglight Agent Manager Guide for detailed information.

SmbServerNameHardeningLevel in Exchange Server should be 0 (the default)

 Exchange servers that have to be accessed by clients not supporting GSS authentication must have SmbServerNameHardeningLevel set to 0 (the default). For more information, see http://support.microsoft.com/kb/2345886.

Firewall settings for the Exchange Server

Rule #1: need local ports 135, 139, 389 (or 636) and 445 opened.

Rule #2: need "Dynamic RPC" local ports opened.

For more information, see the following article: https://support.quest.com/kb/SOL85903.

Configure Windows Remote Management (WinRM)

For details about this topic, refer to the "Configuring Windows Remote Management (WinRM)" section in the Foglight Agent Manager Guide.  

The Kerberos configuration file specifies the KDC from which tickets are obtained. Operating systems sometimes have their own Kerberos configuration files. If present, the Agent Manager uses them by default. They can be found in the following locations:

  •  Windows: %WINDIR%\krb5.ini which typically translates to C:\Windows\krb5.ini
  •  UNIX:
    /etc/krb5.conf
    Or:
    /etc/krb5/krb5.conf

If none of these files are found, the Agent Manager attempts to create its own kerberos configuration file, based on the detected settings. The detection can only be done on Windows, so on Unix, the file is not generated. On Unix platforms, you need to create your own Kerberos configuration files to establish WinRM connections using Negotiate authentication.

The krb5.ini or krb5.conf file should contain the realm info and hostname of the KDC for this realm. For example:

[libdefaults]
default_realm = <REALM_NAME_IN_CAPS>
[realms]
<REALM_NAME_IN_CAPS> = {
kdc = <fully_qualified_kdc_name>
}
[domain_realm]
.<domain_in_lower_case> = <REALM_NAME_IN_CAPS>

Agent must be able to reach the target host

Server objects do not appear until at least one piece of data has been collected and recorded. If communication fails completely, you will not see objects.

Configuration steps:

  1. Test Ping by IP. You must be able to ping the collection target from the FglAM hosting the agent instance. If ping by IP fails, there are routing issues.
  2. Test Ping by host name. A DNS server or Hosts file must be available to the FMS server in order to resolve names. If ping by host name fails, there are DNS or Hosts file issues.
  3. If a Hosts file is used, it should contain an entry for each domain where hosts reside. For example:
    10.10.10.100 domain.local
    10.10.10.200 childdomain.domain.local
  4. In addition, individual servers must resolve to the NetBIOS names and the FQDN. For example:
    10.10.10.101 server server.domain.local
    The Hosts file is located at %windir%\system\drivers\etc.

Additional configuration settings

  1. Enable Remote Shell for the user account used to monitor the Exchange environment. For more information, see Manage Exchange Management Shell access.

  2. If your Exchange environment is running on Windows Server 2012 or below, make sure to download and install KB2842230 from Microsoft Updated Catalog to avoid the "Out of memory" error. For more information, see "Out of memory" error on a computer that has a customized MaxMemoryPerShellMB quota set and has WMF 3.0 installed.

  3. Execute the Set-ExecutionPolicy RemoteSigned command for all of your Exchange environments.

PowerShell configurations required for feature state queries (for Exchange servers only)

The new-TestCasConnectivityUser.ps1 PowerShell script must be run on each Exchange Server to configure a test account for the OWA connectivity user tests. This aids in the collection of OWA metrics. The script is located in the Scripts folder of your Exchange install directory. For example, if Exchange is installed in C:\Program Files\Microsoft\Exchange, then the script is located in C:\Program Files\Microsoft\Exchange\Scripts.

 


Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação