
Exchange 2007+ Server

Connector name

agtexg2k7

Connector type

Executable

Type (UI field value)

Exchange 2007+ Server

Target system versions supported / tested

Bravura Security Fabric can manage Microsoft Exchange 2007/2010/2013/2016/2019 accounts using the agtexg2k7 connector. The connector manages Exchange accounts by updating users, group memberships, and suitable attributes on an Exchange server. In a hybrid deployment the connector can also synchronize the on-premises mailboxes with Exchange Online.

Connector status / support

Bravura Security-Verified

This connector has been tested and is fully supported by Bravura Security.

Upgrade notes

Exchange 2019 support implemented in Connector Pack 4.3.0

The following Bravura Security Fabric operations are supported by the agtexg2k7 connector:

  • create account

  • delete account

  • update attributes

  • user verify password

  • add user to group

  • delete user from group

  • create group

  • delete group

  • list account attributes

  • move contexts

  • List:

    • accounts

    • attributes

    • groups

    • members

For a full list and explanation of each connector operation, see Connector operations.

The following sections show you how to:

  • Define an account for the target system administrator in the domain

  • Install the required software components on the Bravura Security Fabric or Bravura Security Fabric proxy server

  • Set the Exchange target system address in Bravura Security Fabric

  • Create template accounts

This chapter also describes how Bravura Identity handles special attributes, which are used when creating or modifying accounts on an Exchange

See also

Microsoft Exchange servers verify user passwords on a Microsoft Active Directory Domain.

Preparation for Exchange 2007, 2010, 2013 and 2016+

It is recommended that you target Exchange using a proxy server installed on the Exchange server, for the following reasons:

  • Joining the main Bravura Security Fabric server to a domain presents security issues.

  • The proxy allows the Bravura Security Fabric server to communicate with multiple Exchange servers and domains.

Other preparation steps for targeting Exchange include:

  1. Installing client software for Exchange

    You do not need to install the client software if you target a particular Exchange server in the address line, or when connecting to Exchange Online.

  2. Configuring a target administrator

  3. For Bravura Identity implementations, creating at least one template account

Installing client software for Exchange

If you target a particular Exchange server in the address line, you do not need to install the client software for Exchange.

When installing client software for Exchange, ensure that the server is a member of a domain running in native mode.

Requirements for installing the client software for Exchange 2007 and 2010

You must have the following pre-requisites installed and configured:

  • Microsoft .NET Framework 2.0

  • Microsoft Management Console (MMC)

  • Microsoft Windows PowerShell

  • Exchange Management Tools, installed as follows:

    • Installation Type: Custom Exchange Server Installation

    • Server Role Selection: Management Tools

Requirements for installing client software for Exchange 2013

You must have the following pre-requisites installed and configured:

  • Microsoft .NET Framework 4.5

  • Windows Management Framework 3.0

  • Microsoft Windows PowerShell

  • Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

  • KB974405 (Windows Identity Foundation)

  • KB2619234 (Hotfix to enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)

  • KB2533623 (Insecure library loading could allow remote code execution)

  • Exchange Management Tools, installed as follows:

    • Installation Type: Custom Exchange Server Installation

    • Server Role Selection: Management Tools

Requirements for installing client software for Exchange 2016+

Note

Exchange 2019 support implemented in Connector Pack 4.3.0

You must have the following pre-requisites installed and configured:

  • Microsoft .NET Framework 4.5.2

  • Windows Management Framework 3.0

  • IIS 6 Metabase Compatibility component.

  • IIS 6 Management Console.

  • Exchange Management Tools, installed as follows:

    • Installation Type: Use recommended settings

    • Server Role Selection: Management Tools

    Caution

    The Exchange Management Tools version, where the instance is installed, must match the version of the Exchange server.

If you are targeting Exchange through a proxy, carry out the following steps on the proxy server. If you are not using a proxy, carry out the following steps on the main Bravura Security Fabric server.

To install the client software for Exchange:

  1. Join the server with the Active Directory domain.

  2. Ensure that DNS settings point to the Exchange server.

  3. Install the Exchange Management Tools.

    Consult your Microsoft documentation regarding proper installation of the Exchange Management Tools.

  4. Optionally, install the Active Directory module for Windows PowerShell to list Active Directory account attributes.

    Consult your Microsoft documentation regarding proper installation of the Remote Server Administration Tools.

Configuring a target system administrator

Bravura Security Fabric manages Exchange mailboxes using an Active Directory domain administrator account. The administrative account must be a Domain user with membership in the local administrators group on the Exchange server and the Domain Admins group.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric .

After the account is created, the services that run the connector (Transaction Monitor Service (idtm) or Proxy Service (psproxy)) need to be updated to run under this Domain account. You must grant the Domain user sufficient privileges on the member server before it can run the service.

Provide the target system administrator account the required permissions to user mailboxes. For example, if you want to update profile and request attributes for mailboxes, run the following command from PowerShell to provide the target system administrator Full Access permissions to all mailboxes.

Get-Mailbox -ResultSize unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'} | Add-MailboxPermission -User John -AccessRights FullAccess -InheritanceType All

Refer to Microsoft’s documentation for more PowerShell commands.

Preparation for Exchange Online

Note

Implemented in Connector Pack 4.3

Preparation steps for targeting Exchange Online:

  • Install Microsoft Windows PowerShell

    To install the native PowerShell you will need to install the latest Package Manager and the latest version of PowerShellGet. To do this, close all PowerShell windows and, from an elevated PowerShell session, run the following commands:

    [Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    Install-PackageProvider -Name NuGet -Force
    Install-Module -Name PowerShellGet -Force -AllowClobber
  • Install Exchange Online PowerShell V2 Module (abbreviated as the EXO V2 module)

    You can use the following command to install the EXO V2 module in PowerShell:

    Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.6-Preview6 -AllowPrerelease

    For more details on installing the EXO V2 module and troubleshooting issues you may encounter while installing the package, see:

    https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-powershell-v2-module-preview-now-more-secure/ba-p/2922946

  • Configure a target system administrator

    Configure a target admin account with access to Exchange Online and grant the administrator the permissions you require in Azure Active Directory to manage Exchange users, mailboxes and groups. At minimum, the administrator account requires "access to Exchange Online" to be enabled.

    More detailed Exchange Online permissions can be found at: https://docs.microsoft.com/en-us/exchange/permissions-exo/feature-permissions

  • For Bravura Identity implementations, create at least one template account

Creating a template account

Create a mailbox on the Exchange server to be used for the template. Exchange requires the mailbox to be added to an existing user or a new user. Bravura Security recommends choosing an existing user - usually the account that is used for the Microsoft Active Directory template user.

Targeting Microsoft Exchange

For each Exchange system, add a target system (Manage the system > Resources > Target systems):

  • ID must be a unique value, for example EXCHSRV

  • Type is Exchange 2007+ Server .

  • Address is formed with the options listed in the table below.

  • If you are using a proxy server, type the server name and port number for the proxy server in the List of proxies to run connectors on field in the format: <server name>/<port number>.

  • The Administrator ID and Password are the credentials for the target system administrator you configured earlier in the preparation steps.

    Ensure you enter the login ID using the domain format: <domain>\<loginID>. For example:

    corpdomain\administrator

    By default, all connectors run the Bravura Security Fabric processes on the Bravura Security Fabric server, as the local psadmin account. To enable the target system administrator to run those processes, select the Run as? checkbox.

The full list of target parameters is explained in Target system options.

Note

"List shared mailboxes' access rights as groups" implemented in Connector Pack 4.4.0

Table 1. Exchange address configuration

Options marked with * are required.

  • Domain * (key: domain)

    The FQDN of the AD domain.

  • Server (key: svr)

    The name of the Exchange server to contact to perform operations. If you target a particular server here, you do not need to install the client software for Exchange.

  • Database name (key: db)

    The name of the mailbox database where new mailboxes will be created (not a mailbox store). If this is left blank, Exchange will choose the database.

  • Version (key: ver)

    Specifies the product version. Accepted values are 2007, 2010 or 2013+. If unspecified, the default version is 2007.

  • Validate the server’s certificate when connecting (key: checkCert)

    Determines whether to validate the server’s security certificate for SSL connections. Default is "true".

  • OUs to list users from (key: listOUs)

    Specifies one or more organizational units to target. See Targeting a specific container or containers for details.

  • DBs to list users from (key: listDBs)

    Specifies the databases to list users from. See Listing from specific databases for details.

  • Poll time after create (key: polltime)

    Time in seconds during which the product server checks the Exchange server for the newly created mailbox. The default is 5 seconds.

  • Connector fail on invalid user (key: failOnInvalidUser)

    If the server does not find the mailbox within the poll time, a message will appear in the system log: Mailbox creation failed, please re-try later.

  • Load AD Attributes (key: loadADAttrs)

    If this setting is enabled and attributes are added to the target system attributes to be loaded, then AD attributes are included in listing and loaded. The attributes available are those provided by the Get-ADUser cmdlet.

  • Look in entire forest (key: lookforest)

    If this setting is enabled, users will be listed across the entire forest.

  • Connect into Exchange Online (key: ConnectCloud)

    Connect to Exchange Online to manage mailboxes in the cloud. Default is false.

  • List shared mailboxes' access rights as groups (key: ListSharedBoxAsGroup)

    Allow users to manage shared mailbox permissions using groups. Default is true.

  • Mailbox Scope (key: mailscope)

    Accepted values are Local Server Only and Online Only. Online Only synchronizes mailboxes with Exchange Online; Local Server Only keeps the mailboxes local.



The address line is entered in the format:

{domain=<AD domain>;[svr=<Exchange server>];[db=<Database>];[ver=12.7.2];[listDBs={<Database>;<Database>;}];[polltime=<n>];[failOnInvalidUser=<true|false>];[checkCert=<true|false>];[listOUs={<OU>; <OU>;...};][loadADAttrs=<true|false>][lookforest=<true|false>][ConnectCloud=<true|false>][mailscope=<cloud|local>]}

For example:

{domain=corpdomain.local;svr=exchange.corpdomain.local;ver=2013+;listDBs={MDB001;MDB002;};polltime=5;failOnInvalidUser=true;checkCert=false;listOUs={"CN=psynchusers,DC=corpdomain,DC=local"};}


Targeting a specific container or containers

You can restrict Bravura Security Fabric to list only those mailboxes and groups that exist in one or more named containers; for example, if your Active Directory is divided into organizational units. To do this, on the Target system address configuration page, specify the OUs in the OUs to list users from field. Select List from the drop-down list box and use the More button to add an input box for each additional OU. For example:

'OU=people,OU=it,DC=example,DC=com'
'OU=people,OU=hr,DC=example,DC=com'

If there are many OUs to list, there is an option to include all OUs in a file. To use the file, select the File option from the drop-down list and specify the file name.

The file must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and contain a list of OUs to list from:

   # KVGROUP-V2.0
   listOUs = {
     "OU=people,OU=it,DC=example,DC=com";
     "OU=people,OU=hr,DC=example,DC=com";
   }

The connector will not list any OU if an OU file is empty.

Listing from specific databases

You can restrict Bravura Security Fabric to list only those mailboxes that exist in one or more named databases, if mailboxes in your organization are stored in different databases. To do this, on the Target system address configuration page, specify the databases in the DBs to list users from field, and use the More button to add an input box for each additional database.

If you leave this field empty, the connector will list users from all databases.

Managing groups

Group (mail distribution list) membership is not copied from the template account when a new Exchange account is created in Bravura Identity .

To set up group management see:

  • Groups in the Bravura Security Fabric configuration documentation to use the Exchange connector

    When targeting Exchange 2007, the groupuseradd and groupuserdelete operations will require the psadmin account to have additional privileges, beyond that of a local user.

    or

  • Mail distribution lists to use the Active Directory connector to manage mail distribution lists

Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, using the Account attributes menu in the Manage the system (PSA) module.

See Account attributes in the Bravura Security Fabric configuration documentation for more information.

Supported attributes differ between versions of Exchange. For information about the native Exchange attributes managed by Bravura Security Fabric , consult your Exchange documentation.

Retrieving out-of-office status

The _out_of_office attribute is used by the first chance escalation plugin. This attribute is leveraged to auto-escalate to a different authorizer for approval if the current authorizer is flagged as out-of-office. Retrieval of out-of-office status is only supported on Exchange 2010+ systems.

Creating or deleting Active Directory groups

The following pseudo attributes are supported to allow you to create or delete Active Directory distribution groups and mail-enable them.

  • _CreateADGroup: This pseudo attribute allows you to create an Active Directory distribution group. When it exists and has the value True, the connector will create the Active Directory group and assign a mailbox.

    If it is False or does not exist, the connector assumes the group already exists in Active Directory and will just enable a mailbox for it.

  • _DeleteADGroup: This pseudo attribute allows you to delete an Active Directory distribution group. When it exists and has the value True, the connector will delete the distribution group in Active Directory; otherwise, it will just remove the mailbox attached to that group and leave the group in Active Directory.

Delegating mailbox permissions

The following pseudo attribute is supported to allow the owner of a mailbox to delegate access permissions for their mailbox to another user:

  • PERM_PermissionAction

  • Permissions:

    • FA - FullAccess

    • EA - ExternalAccount

    • DI - DeleteItem

    • RP - ReadPermission

    • CP - ChangePermission

    • CO - ChangeOwner

    • SA - SendAs

  • Inheritance Type:

    • All

    • Children

    • Descendants

    • None

    • SelfAndChildren

These options must be set in the same form and fashion as you would set them using Add-MailboxPermission from the Exchange Management PowerShell console.

Examples

The attribute may be submitted in the following format:

  • Grant ReadPermission and remove FullAccess for the user admin1:

    "{grant=admin1@scom.local;mask={RP;-FA;};flags={InheritanceType=All;}}"

  • Deny ReadPermission for the user admin1.

    "{deny=admin1@scom.local;mask={RP;};flags={InheritanceType=All;}}"

  • Remove all permissions granted to the user admin1.

    "{remove=admin1@scom.local;}"

  • Replace existing permissions for the user admin1.

    "{grant=admin1@scom.local;mask={RP;};flags={InheritanceType=All;}replace;}"
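The target system address line and the PERM_PermissionAction values above use the same brace-and-semicolon notation. The following Python is an added example written for this page, not Bravura Security's own code: it parses that notation, interprets the permission examples (mask codes, the '-' removal prefix, the replace flag) and flags an address line that sets checkCert=false. The parsing rules are inferred from the page's examples, and the sample inputs are those examples.

```python
"""Parser for the brace/semicolon key-value syntax used by the agtexg2k7 connector
for the target address line and the PERM_PermissionAction pseudo attribute.
Written for this page (not Bravura Security code); malformed input raises ValueError."""

RIGHTS = {"FA": "FullAccess", "EA": "ExternalAccount", "DI": "DeleteItem", "RP": "ReadPermission",
          "CP": "ChangePermission", "CO": "ChangeOwner", "SA": "SendAs"}

def _token(s, i, stop):
    """Read a quoted or bare token at s[i]; return (text, index after it)."""
    if i < len(s) and s[i] == '"':          # quoted: may contain '=' ',' ';'
        j = s.index('"', i + 1)
        return s[i + 1:j], j + 1
    j = i
    while j < len(s) and s[j] not in stop:
        j += 1
    if j == i and i < len(s) and s[i] == "{":
        raise ValueError("unexpected '{' at offset %d" % i)
    return s[i:j].strip(), j

def _group(s, i):
    """Parse '{...}' at s[i]: bare items give a list; key=value pairs give a dict
    in which a bare word (e.g. 'replace') becomes a True flag."""
    entries, i = [], i + 1
    while True:
        while i < len(s) and s[i] in " \t\r\n;":   # skip separators
            i += 1
        if i >= len(s):
            raise ValueError("unterminated group")
        if s[i] == "}":
            break
        key, i = _token(s, i, "=;{}")
        if i < len(s) and s[i] == "=":
            i += 1
            while i < len(s) and s[i] in " \t":
                i += 1
            val, i = _group(s, i) if i < len(s) and s[i] == "{" else _token(s, i, ";}")
            entries.append((key, val))
        else:
            entries.append((key, None))
    if entries and all(v is None for _, v in entries):
        return [k for k, _ in entries], i + 1
    return {k: (True if v is None else v) for k, v in entries}, i + 1

def parse(text):
    """Parse one '{...}' value such as the target system address line."""
    text = text.strip()
    if not text.startswith("{"):
        raise ValueError("expected '{'")
    return _group(text, 0)[0]

def permission_action(attr):
    """Interpret a PERM_PermissionAction value: user, rights added, rights removed
    (codes prefixed '-'), inheritance type and whether existing permissions are replaced."""
    d = parse(attr.strip().strip('"'))
    action = next((k for k in ("grant", "deny", "remove") if k in d), None)
    if action is None:
        raise ValueError("no grant/deny/remove key")
    add, drop = [], []
    for code in d.get("mask") or []:
        (drop if code.startswith("-") else add).append(RIGHTS[code.lstrip("-")])
    flags = d.get("flags") or {}
    return {"action": action, "user": d[action], "add": add, "remove": drop,
            "inheritance": flags.get("InheritanceType"),
            "replace": bool(d.get("replace", False))}

def address_warnings(addr):
    """Defender's check: flag an address line that turns off certificate validation."""
    if str(addr.get("checkCert", "true")).lower() == "false":
        return ["checkCert=false disables server certificate validation"]
    return []

# Sample inputs (the page's own examples), embedded so the module runs offline.
ADDRESS = ("{domain=corpdomain.local;svr=exchange.corpdomain.local;ver=2013+;"
           "listDBs={MDB001;MDB002;};polltime=5;failOnInvalidUser=true;"
           'checkCert=false;listOUs={"CN=psynchusers,DC=corpdomain,DC=local"};}')
PERM = '"{grant=admin1@scom.local;mask={RP;-FA;};flags={InheritanceType=All;}replace;}"'
```

Calling parse(ADDRESS) returns a dict with listDBs and listOUs as lists, and permission_action(PERM) reports ReadPermission granted, FullAccess removed and replace set.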

Configuring message size limits for a mailbox

The following pseudo attributes are supported across Exchange to configure message size limits for mailboxes:

  • MaxSendSize

    • 0B to 2GB

    • Unlimited

  • MaxReceiveSize

    • 0B to 2GB

    • Unlimited

These options must be set in the same form and fashion as you would set them using Set-Mailbox from the Exchange Management PowerShell console.

Creating/Moving Exchange mailboxes

You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination mailbox database when creating or moving accounts on a target system that supports contexts.

When the Profile/request attribute to use as the container DN option is configured on the Target system information page (Manage the system > Resources > Target systems), users can:

  • Set the destination mailbox database when creating new accounts.

    Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same mailbox database as the template. Without the profile/request attribute, you may need to set up identical templates for each mailbox database.

    If enabled when setting the target system address, Bravura Security Fabric can also create a container if a non-existing one is specified.

  • Move existing accounts on the target system to a different mailbox database.

    Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between mailbox databases.

To allow users to select a mailbox database for a create account or move context operation:

  1. Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes.

    It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.

  2. Ensure that you set read/write permissions for the profile attribute.

    To learn how to do this, see Attribute groups.

  3. Provide a group of users the "Move user from one context to another" rule.

    To learn how to do this, see Access to user profiles.

  4. Update the Target system information page by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field.

    This allows Bravura Security Fabric to use the profile attribute for this purpose.

Targeting specific domain controllers for Exchange connector operations with the DomainController attribute

When performing a create operation the Exchange agent (agtexg2k7 ) will:

  1. Submit Enable-Mailbox to create the mailbox

  2. Submit Get-RemoteMailbox to validate the mailbox exists

If either of the above fails, the request itself will fail. If Get-RemoteMailbox specifically fails, the request will be retried and will then fail Enable-Mailbox as the mailbox is already created.

An example of where Get-RemoteMailbox could fail is if:

  1. The Enable-Mailbox reached DC1 and succeeded.

  2. The Get-RemoteMailbox reached DC2, which had not yet had the new mailbox replicated to it, causing the Get-RemoteMailbox to fail.

Where replication between the DCs is responsive, the polltime target address attribute can be used.

Where replication between the DCs is not responsive, the above scenario can be solved with the DomainController account attribute. When populated with a specific DC, the DomainController account attribute ensures that all connector operations are sent to that DC, avoiding the replication delay described above.

There are two ways to configure and use the DomainController attribute.

Utilize DomainController attribute via a mapped request attribute

  1. Include a request attribute on your workflow request to define a specific domain controller.

  2. Configure an override of the account attribute DomainController with the settings:

    • Action when creating account set to specified value

    • Action when updating account set to specified value

    • Map account attribute to profile/request attribute = the request attribute defined in step 1

    • Sequence number for setting attribute -1

Utilize DomainController attribute via hardcoded value:

  1. Configure an override of the account attribute DomainController with the settings:

    • Action when creating account set to specified value

    • Action when updating account set to specified value

    • Sequence number for setting attribute -1

  2. At the bottom of the configurations for this account attribute set:

    • Value type Literal Value

    • Attribute value <the DC you want to create the mailbox for>

Room/Equipment/Shared mailbox types

You can configure the Bravura Security Fabric to allow users to request a mailbox of the following supported types:

  • Regular - UserMailbox

  • Shared - SharedMailbox

  • Room - RoomMailbox

  • Equipment - EquipmentMailbox

The mailbox type is controlled by the Type attribute. When attempting to create any type other than a regular user mailbox, Microsoft requires that the corresponding Active Directory user account is first in a disabled state. You must ensure that the Active Directory template account used for these requests is configured to be disabled, and that the accountDisabled attribute is configured to copy from the template during the create operation.

Archiving mailboxes

You can configure the Bravura Security Fabric to allow users to archive their mailboxes, using the following attributes:

  • Archive - Boolean

    Set to true when archiving a mailbox and false when un-archiving a mailbox.

  • ArchiveDatabase - String

    Name of archive database, used only when Archive is set to true.

This operation is supported only for existing mailboxes, and is not supported when creating a new mailbox.

Additional considerations

In order for Bravura Identity to create a new Exchange account, the user must have an account in the corresponding Windows domain. Bravura Identity includes rules to ensure that when an Active Directory template and an Exchange template are selected as part of the same request, the Active Directory account is created first.

It is highly recommended that you configure Bravura Identity so that users cannot select an Exchange template without also selecting an Active Directory template, or without already owning an Active Directory account. There are several ways to do this. See User Provisioning for more information.

Troubleshooting

If you experience any errors, verify that:

  • Administrator credentials have Run as? enabled.

  • Target system address setting Version is set if the target system is greater than Exchange 2007.

  • Target system address setting Server is set if there are server resolution issues.