Submit a ticketCall us

AnnouncementsTHWACKcamp 2018 is here

2018 is the seventh year for THWACKcamp™, and once again we’ll be live October 17 – 18 with packed session tracks covering everything from network monitoring and management, to change control, application management, storage, cloud and DevOps, security, automation, virtualization, mapping, logging, and more.

Register for online sessions.

Home > Success Center > Server & Application Monitor (SAM) > SAM Documentation > SAM 6.7 Administrator Guide > AppInsight for Exchange > Manually configuring the Exchange server

Manually configuring the Exchange server

Updated: 3-9-2017

Before manually configuring  an Exchange server for AppInsight for Exchange:

  • Make sure you have credentials and a proper Exchange account
  • Review the configuration changes required to enable AppInsight for Exchange

Use the following instructions to configure Exchange:

For a list of possible configuration errors with solutions, see Troubleshoot error codes in AppInsight for Exchange.

Define Exchange credentials

Use domain accounts to access Exchange Management interfaces; AppInsight for Exchange does not support local accounts. Select an existing Active Directory account or create one with AppInsight for Exchange. See Find Exchange credentials.

To define Exchange credentials:

  1. On the server where you are granting local administrative privileges, open a Computer Management console.

    On Windows 2012, add this privilege using the Active Directory console.

  2. Navigate to the Administrators group.
  3. Enter the Active Directory user name of the account.
  4. Ensure the location is set to either the domain where the account is located or Entire Directory.
  5. Save your changes.

Alternatively, add an Active Directory group to the local administrators group and add Active Directory user accounts to that group.

To verify that account and local group membership was configured properly, run the following code in a PowerShell session:

$Recurse = $true
$GroupName = 'Administrators'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)
$LocalAdmin = $group.GetMembers($Recurse) | select @{N='Domain'; E={$_.Context.Name}}, samaccountName, @{N='ObjectType'; E={$_.StructuralObjectClass}} -Unique
$LocalAdmin = $LocalAdmin | Where-Object {$_.ObjectType -eq "user"}


Grant Exchange Access

To grant Least Privilege access to the Exchange Organization:

  1. Open Active Directory Users and Computers (ADUC) and find the Microsoft Exchange Security Groups organizational unit (OU).
  2. From the View-Only Organization Management group, add the user name of the account you want to grant access to the Exchange organization.

See for detailed instructions.

Set Mailbox Search Access

Mailbox Search access is required to determine attachment counts and sizes. 

  1. From the Start menu, open the Exchange Management Shell (EMS).
  2. Type: New-ManagementRoleAssignment -Role "Mailbox Search" -User <Username of account being granted access> and press Enter.
  3. To verify the management role was properly assigned, enter:
    Get-ManagementRoleAssignment -RoleAssignee <Username of account>

Install PowerShell 2.0

Use  Server Manager to confirm that PowerShell 2.0 is installed in Microsoft Server. If you need to download and install PowerShell, follow these steps: 

  1. Navigate to Windows Management Framework (

  2. After reviewing details on the web page, click the download link for the Windows Management Framework Core for your platform in the Download Information section.
  3. On the Update page, click Download.
  4. When the download is complete, click Finish.

See for detailed installation instructions.

You may also need to set the PowerShell permissions. See Set PowerShell permissions for Exchange for details.

Set PSLanguageMode to FullLanguage for the PowerShell website

Use IIS Manager on the Exchange server to configure application settings for the default website and PowerShell virtual directory, and then recycle the MSExchangePowerShellAppPool application pool.

See for detailed instructions.

Create a self-signed certificate

SolarWinds provides a Self-signed Certificate PowerShell script for AppInsight for Exchange. Alternatively, follow these steps to create your own certificate:

  1. Using PowerShell and CertEnroll, open PowerShell in the Run as Administrator context.
  2. Enter the following code:

The CN (Subject) should be in the following format: "<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration." For Example: ???

$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=TestServer", 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
$key.KeySpec = 1
$key.Length = 1024
$key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
$key.MachineContext = 1

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = get-date
$cert.NotAfter = $cert.NotBefore.AddDays(3650)

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")

For more information, see Generating a Certificate.

Configure WinRM 2.0 on an Exchange Server

  1. Open a command prompt in the Run as Administrator context. 
  2. Type: winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="5986";CertificateThumbprint="<Thumbprint value of certificate>";Hostname="<IP Address of Server>_Solarwinds_Exchange_Zero_Configuration"} and then press Enter.

  3. Verify the configuration by typing: winrm get winrm/config/listener?Address=*+Transport=HTTPS.


Create a firewall rule

  1. Open PowerShell using Run as Administrator.
  2. Create a function to add firewall rules using the following code:
    function Add-FirewallRule {
    $appName = $null,
    $serviceName = $null
    $fw = New-Object -ComObject hnetcfg.fwpolicy2
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name = $name
    if ($appName -ne $null) { $rule.ApplicationName = $appName }
    if ($serviceName -ne $null) { $rule.serviceName = $serviceName }
    $rule.Protocol = 6 #NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts = $tcpPorts
    $rule.Enabled = $true
    $rule.Grouping = "@firewallapi.dll,-23255"
    $rule.Profiles = 7 # all
    $rule.Action = 1 # NET_FW_ACTION_ALLOW
    $rule.EdgeTraversal = $false
  3. Run the function to create the firewall exception for WSMAN using the following command:Add-FirewallRule "Windows Remote Management" "5986" $null $null


  4. Verify the rule was created.

Configure IIS

  1. Open a command prompt in the Run as Administrator context.
  2. Change the directory to C:\Windows\System32\Inetsrv.
  3. Type: appcmd.exe unlock config -section:system.webServer/security/authentication/windowsAuthentication and then press Enter.
  4. Open PowerShell in the Run As Administrator context.
  5. Type: Import-Module WebAdministration and then press Enter.
  6. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled and then press Enter to determine if Windows Authentication has been configured.
  7. If the return value is True, Windows Authentication is configured. If the  returned value is False,  follow these steps::
    1. Type: Set-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell' -value True and then press Enter.
    2. Type: (Get-WebConfiguration system.webServer/security/authentication/windowsAuthentication 'IIS:\sites\Default Web Site\PowerShell').enabled to verify the setting has changed.


    3. Close PowerShell.
    4. In the open command prompt, type: appcmd.exe lock config -section:system.webServer/security/authentication/windowsAuthentication and then press Enter.


    5. Close the command prompt.

Test the application

Navigate to the Application Edit page and click Test. Your screen should look like the following illustration.


Last modified