
Metalogix Archive Manager for Exchange 8.1.1 - Advanced Installation Guide


After installation

When you have completed this checklist and installed everything as described in this manual, log on to the Archive Manager Server as the super-user and open Outlook. Add a few test mailboxes and send a couple of emails to see whether you can read them. This way you can check whether the super-user has the necessary rights for archiving to function properly.

Office 365 Configuration Details

Archive Manager requires specific connection configuration details to import your Office 365 users. This section guides you through the steps to complete in Office 365 in order to collect the necessary data:

Organization Name in Office 365 – your organization in Office 365

Client ID – get this ID by following the process described below

Client Secret (or Key) – get this key by following the process described below

Autodiscovery Url – to get this URL, go to https://testconnectivity.microsoft.com/, select the Outlook Autodiscover option, click Next and perform the test with your details. As a result, you should get the URL.

Username & Password – the respective user must be an Office 365 administrator

VERY IMPORTANT: For Office 365, run Enterprise Manager (EM) as the super-user under which Archive Manager has been installed (i.e. the user under which the MAM services run).

NOTE: This sample will not work with a Microsoft account, so if you signed in to the Azure portal with a Microsoft account and have never created a user account in your directory before, you need to do that now. If you create an account and want to use it to sign-in to the Azure portal, don't forget to add the user account as a co-administrator of your Azure subscription.

1. Sign in to the Azure Management Portal.

2. Click on Active Directory in the left-hand nav.

3. Click on App registrations.

4. Click on New application registration.

5. Enter a friendly name for the application (e.g. Archive Manager).

6. Select Web app / API as the application type.

7. For the Sign-on URL, enter the base URL, which is by default

 https://localhost:44322/WebAppGraphAPI

8. Click on the Create button.

9. Find your application in the list and click on it.

10. In the Settings tab, click on Keys and generate a secret key.

11. Copy and save the key value. You won’t be able to retrieve it after you leave this blade.

12. Click on Properties and define the App ID URI.

For the App ID URI, enter https://<your_tenant_name>/WebAppGraphAPI, replacing <your_tenant_name> with the domain name of your Azure AD tenant (e.g. https://metalogix.com/WebAppGraphAPI).

 

13. Copy and save the Application ID value.

14. Click on Reply URLs and define the Reply URLs. These URLs are used to return the authorization code during the authorization code flow.

Note: Both URLs (https://localhost:44322/WebAppGraphAPI & http://localhost:44322/Response) are needed.

15. Click on Required permissions.

 

16. Click on Windows Azure Active Directory.

17. Configure and save the permissions according to the screenshots below.

 

Snap12-a-o365

 

Snap13-a-o365

 

18. Click on Grant permissions.

 

 

 

Advanced Authentication

Archive Manager for Exchange also supports access to Azure AD when a user account name and password are needed (advanced authentication) to retrieve user accounts and groups from Azure AD. Advanced authentication is normally not required; when it is used, it must be configured in both Azure AD and Archive Manager for Exchange.

Advanced authentication is implemented in Archive Manager in two components:

 

1. The back-end is in the MAM Exchange Direct Archive Error Monitoring service, which contains a web application that waits for responses at the location specified in a registry key. This location must match the reply URL of the Azure AD web application and must end with the character /. For the example above, the URL is: http://localhost:44322/

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Metalogix\exchangePAM

Value name: OwinAuthWebAppLocation

Value data: http://localhost:44322/ (the first part of the REPLY URL from Azure AD; the slash at the end is needed)

Value type: string

2. The front-end is located in Enterprise Manager, which authenticates a user on the Azure AD server and waits for the security token that is sent from the Azure AD server to the Archive Manager back-end.

Tips & Tricks: If there is a problem with retrieval of the security token, it is recommended to restart Enterprise Manager. Also check the registry keys.

 

 

Configuration in Office365 Exchange Admin Center

The Archive Manager user must be assigned Full Access permissions on all recipients you plan to archive.

This can be done in the Exchange Admin Center or with Azure PowerShell.

1. Exchange Admin Center

a. Go to https://outlook.office365.com/ecp/

b. Click on Recipients > Mailboxes

c. Select Mailbox > Edit User Mailbox > Mailbox delegation > Full Access

d. Delegate Full Access permissions to the Archive Manager user on all recipients you plan to archive.

 

2. Azure PowerShell

Grant the Archive Manager user Full Access to the mailboxes of all members of a distribution group:

Get-DistributionGroupMember <%NameOfDistributionGroup%> | Get-Mailbox |
Add-MailboxPermission -User <%SuMailAddress%> -AccessRights FullAccess -InheritanceType All
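One way to confirm that the delegation described in this section matches the intended scope, as an added example that is not part of the original guide or Metalogix code. The function name and the mailbox names are hypothetical, constructed sample data; against a live session the inputs come from the cmdlets named in the closing comment.

```powershell
# Added example. Compares the mailboxes planned for archiving with the
# mailboxes on which the Archive Manager user actually holds FullAccess.
function Compare-FullAccessScope {
    param(
        [string[]]$ExpectedMailbox,   # mailboxes planned for archiving
        [object[]]$Permission         # Get-MailboxPermission output for the archive user
    )
    # Only allow entries that include FullAccess count as granted.
    $granted = @($Permission |
        Where-Object { -not $_.Deny -and $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { [string]$_.Identity } |
        Sort-Object -Unique)
    [pscustomobject]@{
        Missing    = @($ExpectedMailbox | Where-Object { $_ -notin $granted })
        Unexpected = @($granted | Where-Object { $_ -notin $ExpectedMailbox })
    }
}

# Constructed sample data (hypothetical mailbox names).
$expected = 'alice', 'bob'
$perms = @(
    [pscustomobject]@{ Identity = 'alice'; AccessRights = @('FullAccess');     Deny = $false }
    [pscustomobject]@{ Identity = 'carol'; AccessRights = @('FullAccess');     Deny = $false }
    [pscustomobject]@{ Identity = 'bob';   AccessRights = @('ReadPermission'); Deny = $false }
)
$result = Compare-FullAccessScope -ExpectedMailbox $expected -Permission $perms
"Missing:    $($result.Missing -join ', ')"
"Unexpected: $($result.Unexpected -join ', ')"

# Against a live session the inputs would come from the cmdlets used above
# (both sides must use the same identity form):
#   $expected = (Get-DistributionGroupMember '<%NameOfDistributionGroup%>' | Get-Mailbox).Identity
#   $perms    = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission -User '<%SuMailAddress%>'
```

Mailboxes reported as Unexpected are ones the archive account can read in full although they are not in the archiving scope.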

 

 

Authentication with native application

1. Sign in to the Azure management portal.

2. Click on Azure Active Directory in the left-hand nav.

3. Click on App registrations.

4. Click on New application registration.

5. Enter a friendly name for the application.

6. Select Native as the application type.

7. The Redirect URI of the Native Application must be added to the registry: create the registry key “NativeAppRedirectUri” in the path HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Metalogix\exchangePAM. The value of this key must be the Redirect URI defined in the Native Application.

8. The Properties of the newly created application contain the Application ID, and under the Keys tab you can generate the Client secret (Key). These values are needed in the Server Wizard in Archive Manager. If the Keys tab is not available in Azure AD, you can leave the Client Secret field empty.

9. In the Owners tab, add a new owner (super-user) for the application.

10. In the Required permissions tab, grant Windows Azure Active Directory permissions for the application.

11. When the permissions are selected, do not forget to click the Grant Permissions button.

Configuration for German tenants

1. Register and configure a Native Application in Azure AD as described above.

2. Create 2 new registry keys in the path:

 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Metalogix\exchangePAM

· GraphResourceId with value https://graph.cloudapi.de/

· AadInstance with value https://login.microsoftonline.de/{0}

3. In the Server wizard in Archive Manager, change the Autodiscovery Url to: https://autodiscover-s.outlook.de/Autodiscover/Autodiscover.xml (change .com to .de)
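A check for the URL values that the Advanced Authentication, native application and German tenant sections store under the exchangePAM registry key, as an added example that is not Metalogix code. The function name is hypothetical, the sample values are the examples from this guide with one deliberately faulty entry, and the loopback check for plain HTTP is an addition beyond what the guide states.

```powershell
# Added example. Validates the URL values kept under the exchangePAM key.
$KeyPath = 'HKLM:\SOFTWARE\Wow6432Node\Metalogix\exchangePAM'

function Test-ExchangePamUrlSetting {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,  # value name -> value data
        [string[]]$ReplyUrl = @()                    # reply URLs registered in Azure AD
    )
    $problems = @()
    foreach ($name in $Settings.Keys) {
        $value = [string]$Settings[$name]
        # AadInstance carries a {0} tenant placeholder; fill it in before parsing.
        $probe = $value -replace '\{0\}', 'tenant'
        $uri = $null
        if (-not [Uri]::TryCreate($probe, [UriKind]::Absolute, [ref]$uri)) {
            $problems += "${name}: '$value' is not an absolute URL"
            continue
        }
        # Over plain HTTP the returned code or token stays on the machine only for loopback hosts.
        if ($uri.Scheme -eq 'http' -and -not $uri.IsLoopback) {
            $problems += "${name}: http is used with non-loopback host '$($uri.Host)'"
        }
        if ($name -eq 'OwinAuthWebAppLocation') {
            if (-not $value.EndsWith('/')) { $problems += "${name}: must end with '/'" }
            $match = @($ReplyUrl | Where-Object { $_.StartsWith($value, [StringComparison]::OrdinalIgnoreCase) })
            if ($ReplyUrl.Count -gt 0 -and $match.Count -eq 0) {
                $problems += "${name}: no registered reply URL starts with '$value'"
            }
        }
    }
    $problems
}

# Constructed sample: the guide's example values, with the trailing slash left off.
$sample = @{
    OwinAuthWebAppLocation = 'http://localhost:44322'
    GraphResourceId        = 'https://graph.cloudapi.de/'
    AadInstance            = 'https://login.microsoftonline.de/{0}'
}
$replyUrls = 'https://localhost:44322/WebAppGraphAPI', 'http://localhost:44322/Response'
Test-ExchangePamUrlSetting -Settings $sample -ReplyUrl $replyUrls | Write-Warning

# On the Archive Manager server, check the live values instead:
#   $p = Get-ItemProperty -Path $KeyPath
#   $live = @{}
#   'OwinAuthWebAppLocation','NativeAppRedirectUri','GraphResourceId','AadInstance' |
#       Where-Object { $p.$_ } | ForEach-Object { $live[$_] = $p.$_ }
#   Test-ExchangePamUrlSetting -Settings $live -ReplyUrl $replyUrls
```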

Creating an MS SQL database with a database user

When planning to install Archive Manager, an empty database (or databases) and an appropriate database user must be created before running the setup. The database providers supported by Archive Manager are MS SQL Server 2008 and higher and Oracle 11g, 12c and 18c.

NOTE: This section guides you through the configuration of SQL Server 2012 and creation of a database with a database user. In case of SQL 2008 you can use the “SQL Server 2008 Configuration for Archive Manager” guide.

To configure your SQL Server 2012:

1. Open the SQL Server Configuration Manager and click the SQL Server Services node. Both the SQL Server (SERVERNAME) and the SQL Server Browser services have to be running.

2. If the SQL Server Browser service is not started and the Start option is not available in its context menu, the service is disabled. To enable the service, right-click it and select Properties from the context menu.

3. The Properties window opens. Switch over to the Service tab and change the Start Mode from Disabled to Manual. Conclude by clicking Apply and OK, and then try to start the service again.

4. In the SQL Server Configuration Manager, expand the SQL Server Network Configuration node in the navigation tree. On the Protocols for SQL node you need to enable the Named Pipes, the Shared Memory and the TCP/IP protocols.

5. Instead of enabling TCP/IP using the context menu, we recommend opening its Properties window. This window has two tabs, Protocol and IP Addresses. On the Protocol tab, set Enabled to Yes.

6. On the IP Addresses tab you will see several sections: one for each network connection, and a local loopback connection indicated by the standard address of 127.0.0.1. For remote access to the SQL Server Express 2012 instance the loopback connection is of no interest.

For the desired network connection, the Active option should say Yes, as should the Enabled option. The IP address will probably be filled in for you (by Windows) and will be different on your machine.

If you wish to enable dynamic ports for your SQL Server Express 2012 instance, the TCP Dynamic Ports option should be 0. To disable this option and use a fixed port, change this field to a blank value and fill in the port in the TCP Port option. Disabling dynamic ports is non-standard for named instances and should really only be done if you know exactly what you are doing and why you want to do it.

Conclude by clicking Apply and then OK.

7. For the changes to take effect, switch over to the SQL Server Services node and restart both the SQL Server (SERVERNAME) and SQL Server Browser services.

8. Also check the Shared Memory, the TCP/IP and the Named Pipes client protocols on the SQL Native Client Configuration node in the SQL Server Configuration Manager. They should all be enabled.

 
Furthermore, you will need to create an empty database and a database user for your Archive Manager. To do so:

1. Connect to your SQL Server 2012 with the Microsoft SQL Server Management Studio, then expand its tree and right-click on the Databases node. From the context menu, choose to create a new database.

2. In the New Database dialog, give the new database a name (e.g. exchangeDB). You can leave the owner as <default>. This owner will be changed later on, when you create a new login with table owner rights over the database you are creating. You can also choose to change the default location for the Data file and Log file, if needed. Finish by clicking OK.

3. To create the Table Owner for the exchangeDB database you will need to create a new login, a new schema and a new user as well. We will name each of them “srv_exchange”.

To create a new login, expand the tree of the MS SQL Server Management Studio tool, right-click on the Security tab and choose New/Login.

4. A new dialog opens. Before proceeding further on the General tab, decide on the type of authentication to be used:

Windows authentication - the user (e.g. “srv_exchange”) must already exist in the Active Directory. Use the Search button to find your desired user in AD. It can be your Archive Manager super-user, as described in the section “Creating a super-user account”.

SQL authentication – specify the login name (“srv_exchange” in our example). Make sure to uncheck the Enforce password policy check box.

As for the Default database, select the exchangeDB database and set the Default language to English.

5. Once this is done, switch over to the User Mapping tab. Here, map a user to the exchangeDB database (it will be created automatically and given the same name as the login) and also select the db_owner and public membership roles for the exchangeDB database.

6. Switch over to the Status tab. Make sure that the Permission to connect to database engine is granted and that the Login is enabled. Conclude by clicking OK.

7. Next you will need to create a schema for your new database login. To do so, expand the tree of the newly created database (exchangeDB) in the Microsoft SQL Server Management Studio tool down to Security/Schemas. Right-click on Schemas and choose New Schema from the context menu.

In the New schema dialog, give a name to the schema you want to create (e.g. srv_exchange) and click the Browse button to select the schema owner. Select as schema owner the user you specified in step 4 (srv_exchange). Click OK.

8. Furthermore, you will need to assign the newly created schema to your new database user. The new database user (srv_exchange) was created automatically when you created the new login and mapped a user to the exchangeDB database.

To locate this new user, expand the tree of the exchangeDB database in the MS SQL Server Management Studio tool down to Security/Users.

By clicking on the Users node you will see the user called srv_exchange in the right pane of the tool. Double-click on it to open its Properties window.

A new dialog opens on the General tab. Click the browse button next to the Default Schema text box and select the previously created schema “srv_exchange”.

9. Switch to the Owned Schemas node, where you will see that the one called srv_exchange is selected. Make sure that db_owner is selected too.

Now switch to the Membership node and make sure that db_owner is selected here, too. Save the changes you have made by clicking OK.

 

 

Metalogix makes every effort to perform comprehensive testing but cannot guarantee, due to environmental differences, that all functions will work in every environment. It is always recommended that testing be conducted within your own environment to confirm functionality and compatibility.
