
Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Software Requirements

File Access Manager requires the latest ASP.NET Core 6.0.x Hosting Bundle. This bundle consists of the .NET Runtime and the ASP.NET Core Runtime. You can download the latest 6.0.x Hosting Bundle version from here.

Supported Versions

  • Exchange 2013
  • Exchange 2016 (including Exchange 2016 having a CAS installed on Windows server 2016)

Enable Remote PowerShell

  • Run the following command on one of the Exchange CAS servers to enable remote PowerShell: winrm q

Important

The Exchange environment on a 2019 server with an Activity Monitor must be configured to communicate with a 2019 CAS server.

Note

Previous versions of File Access Manager required the installation of an additional PowerShell endpoint on an Exchange CAS server that allowed unrestricted script execution. This requirement was removed beginning with SecurityIQ v5p1 to simplify the deployment of the connector.

If your environment was upgraded from older versions, it is recommended that you delete the obsolete “WBXPowerShell” endpoint from the Exchange CAS server.

Permissions

  • Create a designated domain user (for example, siq_xch).
  • Assign the user to the following Exchange groups:
      • Recipients Management
      • Records Management
      • Public Folders Management

  • From PowerShell on the CAS run the following: Set-User [username] -RemotePowerShellEnabled $True

Fine-Grained Permissions

Exchange allows custom admin roles to be created, and these can be used to grant the File Access Manager service account only the minimum privileges it needs.

Each of these admin roles grants privileges to a specific set of cmdlets.

Listed below are the cmdlets used, sorted by service type:

BAM

  • Get-ExchangeServer
  • Set-AdminAuditLogConfig
  • Search-MailboxAuditLog
  • Set-Mailbox
  • Get-Mailbox
  • Get-User

Crawler

  • Get-Mailbox
  • Get-MailboxStatistics
  • Get-MailboxFolderStatistics
  • Get-PublicFolder

PC

  • Get-ExchangeServer
  • Get-Group
  • Get-User
  • Get-Mailbox
  • Get-MailboxPermission
  • Get-MailboxFolderPermission
  • Get-MailboxFolderStatistics
  • Get-ADPermission
  • Get-PublicFolder
  • Get-PublicFolderClientPermission

Using these lists as a reference, create and assign the required roles with the following PowerShell commands:

BAM

  • New-ManagementRole -Name "FileAccessManager Activities View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox

  • New-ManagementRole -Name "FileAccessManager Activities Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig

  • New-ManagementRole -Name "FileAccessManager Activities View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer

  • New-RoleGroup -Name "FileAccessManager Activities Role Group" -Roles "FileAccessManager Activities View-Only Recipients","FileAccessManager Activities Audit Logs","FileAccessManager Activities View-Only Config"

  • Add-RoleGroupMember -Identity "FileAccessManager Activities Role Group" -Member <domain\activities_user>

Crawler and PC

  • New-ManagementRole -Name "FileAccessManager Crawl And Permissions View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-User,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission

  • New-ManagementRole -Name "FileAccessManager Crawl And Permission View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission

  • New-RoleGroup -Name "FileAccessManager Crawl And Permissions Role Group" -Roles "FileAccessManager Crawl And Permissions View-Only Recipients","FileAccessManager Crawl And Permission View-Only Config"

  • Add-RoleGroupMember -Identity "FileAccessManager Crawl And Permissions Role Group" -Member <domain\crawl_user>

Alternatively, to assign all permissions to a single user:

All

  • New-ManagementRole -Name "FileAccessManager View-Only Recipients" -Parent "View-Only Recipients" -EnabledCmdlets Get-User,Get-Mailbox,Get-MailboxStatistics,Get-MailboxFolderStatistics,Get-PublicFolder,Get-Group,Get-MailboxPermission,Get-MailboxFolderPermission,Get-PublicFolderClientPermission

  • New-ManagementRole -Name "FileAccessManager Audit Logs" -Parent "Audit Logs" -EnabledCmdlets Set-Mailbox,Search-MailboxAuditLog,Set-AdminAuditLogConfig

  • New-ManagementRole -Name "FileAccessManager View-Only Config" -Parent "View-Only Configuration" -EnabledCmdlets Get-ExchangeServer,Get-ADPermission

  • New-RoleGroup -Name "FileAccessManager Group" -Roles "FileAccessManager View-Only Recipients","FileAccessManager Audit Logs","FileAccessManager View-Only Config"

  • Add-RoleGroupMember -Identity "FileAccessManager Group" -Member <domain\user>
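The following verification script is an added example, not part of the File Access Manager documentation. Run it from the Exchange Management Shell after creating a role group: it compares the cmdlets the group actually grants against the documented set for the Crawler and PC services and lists the group's members, so a role that drifted from least privilege is caught before the service account is used. The role group name and expected cmdlet list are taken from the commands above.

```powershell
# Added verification script (not from the File Access Manager documentation).
# Confirms that a File Access Manager role group grants exactly the documented
# cmdlets and nothing more, and shows who is a member of it.

$RoleGroup = "FileAccessManager Crawl And Permissions Role Group"

# Cmdlets documented above for the Crawler and PC services.
$ExpectedCmdlets = @(
    "Get-ExchangeServer", "Get-Group", "Get-User", "Get-Mailbox",
    "Get-MailboxStatistics", "Get-MailboxFolderStatistics",
    "Get-MailboxPermission", "Get-MailboxFolderPermission",
    "Get-ADPermission", "Get-PublicFolder", "Get-PublicFolderClientPermission"
)

# Every role assigned to the group, and every cmdlet entry those roles contain.
$roles = (Get-RoleGroup -Identity $RoleGroup).Roles
$granted = foreach ($role in $roles) {
    Get-ManagementRoleEntry -Identity "$role\*" |
        Select-Object -ExpandProperty Name
}
$granted = $granted | Sort-Object -Unique

$diff    = Compare-Object -ReferenceObject $ExpectedCmdlets -DifferenceObject $granted
$extra   = $diff | Where-Object { $_.SideIndicator -eq "=>" } | Select-Object -ExpandProperty InputObject
$missing = $diff | Where-Object { $_.SideIndicator -eq "<=" } | Select-Object -ExpandProperty InputObject

if ($extra)   { Write-Warning "Granted beyond the documented set: $($extra -join ', ')" }
if ($missing) { Write-Warning "Documented but not granted: $($missing -join ', ')" }
if (-not $extra -and -not $missing) {
    Write-Output "Role group '$RoleGroup' grants exactly the documented cmdlets."
}

# The group should contain only the intended service account.
Get-RoleGroupMember -Identity $RoleGroup | Select-Object Name, RecipientType
```

Change $RoleGroup and $ExpectedCmdlets to check the Activities group or the combined group against their own lists.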

Audit Bypass

The File Access Manager Connector for Exchange sets mailbox auditing for the selected mailboxes according to the configuration in the Application. However, some application service accounts (for example, BlackBerry or IXOS) create many mailbox audit log entries that overload Exchange and create a lot of noise in File Access Manager.

You can configure a user or computer account to bypass mailbox audit logging, so that actions taken by that user or account for any mailbox are not logged.

By bypassing trusted user or computer accounts that require frequent access to mailboxes, you can reduce the noise in mailbox audit logs.

For more information, refer to Bypassing a user account from mailbox audit logging in Exchange 2013

Note

It is recommended to set an alert on bypass commands to verify that users are not bypassed unexpectedly.
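The script below is an added example, not part of the File Access Manager documentation. It implements the check the note recommends: it lists every account that currently bypasses mailbox audit logging, flags any that are not on an approved list, and reports recent changes to bypass settings from the admin audit log. The account names in $ApprovedBypass are placeholders; the admin audit log query needs admin audit logging to be enabled.

```powershell
# Added review script (not from the File Access Manager documentation).
# Reports accounts that bypass mailbox audit logging and who changed bypass
# settings recently, so unexpected bypasses are noticed.

# Placeholder allowlist: the service accounts that are meant to be bypassed.
$ApprovedBypass = @("svc_blackberry", "svc_ixos")
$LookbackDays   = 7

# 1. Current state: associations where bypass is actually enabled.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }

Write-Output "Accounts bypassing mailbox audit logging:"
foreach ($entry in $bypassed) {
    if ($ApprovedBypass -contains $entry.Name) {
        Write-Output "  approved : $($entry.Name)"
    } else {
        Write-Warning "  UNEXPECTED bypass: $($entry.Name)"
    }
}

# 2. Recent changes: who ran Set-MailboxAuditBypassAssociation, and on what.
$changes = Search-AdminAuditLog -Cmdlets Set-MailboxAuditBypassAssociation `
    -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date)

if ($changes) {
    Write-Output "Bypass changes in the last $LookbackDays days:"
    $changes | Select-Object RunDate, Caller, ObjectModified,
        @{ Name = "Parameters"; Expression = {
            ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " " } }
} else {
    Write-Output "No bypass changes in the last $LookbackDays days."
}
```

Scheduling this script and routing its warnings to your alerting pipeline gives the alert the note asks for.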

Audit Age Log Limit

By default, audit logging is configured to store audit log entries for 90 days.

After 90 days, the audit log entry is cycled. You can change the audit log age limit using the Set-Mailbox cmdlet with the AuditLogAgeLimit parameter.

You can specify the number of days, hours, minutes, and seconds to retain audit log entries.

Logs do not need to be retained for long (more than a few days), since File Access Manager offloads the data from Exchange.

For more information, refer to Set-Mailbox

Note

It is not recommended to retain audit logs for a long time, since doing so expands the Exchange database.
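The script below is an added example, not part of the File Access Manager documentation. It applies the short retention the section recommends to the monitored mailboxes and then reports any audited mailbox still retaining entries longer than the target. The custom attribute used to identify monitored mailboxes is a placeholder; use whatever marks the mailboxes selected in the Application.

```powershell
# Added example (not from the File Access Manager documentation).
# Sets a short AuditLogAgeLimit on monitored mailboxes and reports audited
# mailboxes whose retention still exceeds the target.

# Target retention in dd.hh:mm:ss form; a few days is enough since File
# Access Manager offloads the entries.
$TargetAgeLimit = [TimeSpan]"7.00:00:00"

# Placeholder: monitored mailboxes are tagged with CustomAttribute1 here.
$monitored = Get-Mailbox -ResultSize Unlimited `
    -Filter "CustomAttribute1 -eq 'FAM-Monitored'"

foreach ($mbx in $monitored) {
    # AuditLogAgeLimit is an EnhancedTimeSpan; cast it for the comparison.
    if ([TimeSpan]$mbx.AuditLogAgeLimit -gt $TargetAgeLimit) {
        Set-Mailbox -Identity $mbx.Identity -AuditLogAgeLimit $TargetAgeLimit
        Write-Output "Set $($mbx.Name) audit log age limit to $TargetAgeLimit"
    }
}

# Report every audited mailbox, monitored or not, that still retains audit
# entries for longer than the target.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled -and ([TimeSpan]$_.AuditLogAgeLimit -gt $TargetAgeLimit) } |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit |
    Sort-Object AuditLogAgeLimit -Descending
```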

Communications Requirements

Requirement                          Source                                     Destination                  Port
-----------------------------------  -----------------------------------------  ---------------------------  ---------
File Access Manager Message Broker   Permissions Collector                      RabbitMQ                     5671
File Access Manager Access           Activity Monitor / Permissions Collector   File Access Manager Servers  8000-8008
Remote PowerShell                    Activity Monitor / Permissions Collector   CAS server                   80 or 443