Configure Exchange Management (On-Premise)
If your environment has an on-premise Microsoft Exchange organization, you can configure EmpowerID to inventory and enforce permissions for your Exchange organization. If you are using Exchange, EmpowerID automatically discovers the organization during the initial Active Directory forest scan, categorizes it as a Resource System, and creates a record within the ExchangeMailbox table of the EmpowerID Identity Warehouse for each mailbox within the organization.
To work with Exchange after the initial inventory, you must:
Enable the Exchange Management Host Web Service on an EmpowerID Web server. The service is enabled by default on the All-In-One and Web Front-End server roles.
Configure the Exchange Resource System to talk to the host on the specified EmpowerID Web server.
EmpowerID directs all traffic for Exchange through the EmpowerID Exchange Services website and application pool in IIS.
Procedure
Expand Admin > Applications and Directories on the navbar, and select Account Stores and Systems.
Select the Resource Systems tab and search for the Exchange Organization you want to configure.
Click the Display Name link for the organization.
On the Account Store Details page that opens, select the Resource System tab and click the Edit icon to put the resource system in edit mode.
This opens the edit form for the Exchange resource system. Settings that can be edited are described below.
Account Store Settings | |
---|---|
Setting | Description |
General Settings | |
IT Environment Type | Allows you to specify the type of environment in which the server resides. |
Use Secure LDAPS Binding | Specifies whether to use secure LDAPS binding (for LDAP directories). |
Load Balancing Scheme | Select one of the options: |
Is Remote (Cloud Gateway Connection Required) | This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client. |
Directory Cleanup Settings | |
Directory Clean Up Enabled | Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store. |
Report Only Mode (No Changes) | When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending. |
OU to Move Stale Accounts | Specifies the external directory in which to move accounts marked for termination. |
Inventory Settings | |
Inventory Enabled | Allows EmpowerID to inventory mailboxes. |
Inventory Calendar Permissions Enabled | Allows EmpowerID to inventory calendar permissions. |
Membership Schedule Interval | Specifies the time span that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes. |
Projection Settings | |
Group Membership Projection Enabled | Select to allow EmpowerID to dynamically manage the membership of the organization's groups, adding and removing users to and from groups based on policy-based assignment rules. |
Projection Interval: Start | Set the date on which to begin projection. By default, this is set to the creation date of the account store. |
Projection Interval: End | Set the date on which to stop projection. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox. |
Projection Interval: (units) | Select the units for the interval at which to run projection. By default, this is set to 10 minutes. |
Run Indefinitely | Select to allow projection to run indefinitely, ignoring the End date. |
Interval: (number) | Set the number of units for the interval at which to run projection. By default, this is set to 10 minutes. |
Enforcement Settings | |
Rights Enforcement Enabled | Select to allow EmpowerID to determine who should have access to what in Exchange based on their assignments to Access Levels in EmpowerID and to enforce it using domain local groups (Resource Role Groups). |
Enforcement Type | Select to specify how EmpowerID is to enforce rights in native systems. |
Schedule: Start | Set the date on which to begin enforcement. By default, this is set to the creation date of the account store. |
Schedule: End | Set the date on which to stop enforcement. By default, this is set to ten years after the creation date of the account store, but since Run Indefinitely is selected by default, this value is ignored unless you clear that checkbox. |
Interval: (units) | Select the units for the interval at which to run enforcement. By default, this is set to 10 minutes. |
Run Indefinitely | Select to allow enforcement to run indefinitely, ignoring the End date. |
Interval: (number) | Set the number of units for the interval at which to run enforcement. By default, this is set to 10 minutes. |
Edit settings as needed and then click Save.