Exchange scanning

bramassendorp
Engaged Sweeper II
Hi,

I have an issue with Lansweeper and Exchange scanning, I tried all the troubleshooting steps documented but it is still not working.

Log file (did not use the original host names):

2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Executing script failed
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG Asset with FQDN 'exchangehost.domain.local' not found in Exchange server list.
2021-08-02 09:45:10,012 [236] INFO LOGEXCHANGESCANNING DEBUG DOMAIN\exchangehost\1 is not found in the domain's Exchange server list

When I try it via the "Scan Test Tool" it does scan the information.

In Lansweeper the hosts are not showing the "Exchange" tab.

PowerShell is enabled and set to RemoteSigned, and the scanning account is a member of Domain Admins.

Please advise!

MoonDogg
Engaged Sweeper III
3cardmagictrick : glad I was able to help, not sure why you are getting the invalid credential error though.

Joerg : Thanks for the detailed post. The method you posted is what I eventually did. I do have an Internal Root-CA and tried multiple times to get that certificate working and never could. Then I did self-signed (even though it tells you it can't be self-signed) and it worked. I worked on this for several hours trying to get it to work without buying a certificate.

Support was not very helpful other than asking for a debug log (with a different option than what's outlined in the online documents) where I found the SSL issue. They never got back to me after sending the logs. I had to reach back out to them and tell them how I fixed it.

jgallott
Engaged Sweeper II
Corey Lambert wrote:
I do have an Internal Root-CA and tried multiple times to get that certificate working and never could. Then I did self signed (even though it tells you it can't be self signed) and it worked.


I also have an Internal Certificate Authority, and feel your pain about getting it to work. Error of 'RPC server not available' when requesting a certificate through the Certificates snap-in in mmc.exe. Went through dozens of links about adding permissions in DCOM Config for 'CertSrv Request', including Domain Computers in the 'Certificate Service DCOM Access' group (both in AD and in the local group on the CA), and I'm not sure how many other things I ended up checking.

I finally noticed that on the CA server is a local group called 'Distributed COM Users'. On a whim, I checked it and found that it was empty (so nobody or nothing could access DCOM). Added Domain Users, Domain Computers and Domain Controllers to the group and the magic happened and the Exchange server certificate requests succeeded.

I had to add the Domain Controllers group to the Security tab of the 'Computer' template for it to show when requesting from the Domain Controllers. At least for me, the certificate had to be from the Computer template for WinRM to succeed. On the CA, run Certification Authority Management, right-click the 'Certificate Templates' folder and choose 'Manage', then 'properties' on the Computer template.

After getting the certificate, I found that I could configure WinRM HTTPS on the server just by running: 'winrm quickconfig -transport:https' in an elevated command prompt.

https://docs.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/configure-...

Once the CA was straightened out, on each Exchange server and each Domain Controller:

1) run mmc.exe, add the Certificates snap-in for 'Computer account' and 'local computer'; under Personal --> Certificates, right click the folder and All Tasks --> Request certificate; choose 'Computer' template.
2) once certificate succeeds, in an elevated command prompt, run 'winrm quickconfig -transport:https' (without quotes). It will ask you if you want to make the necessary changes, say yes and you're done.

Rescan, and at least for me, everything scanned properly.

Joerg
Engaged Sweeper
Hi.
Corey Lambert wrote:
[...]I do have an Internal Root-CA[...]

Me as well - you have to configure a template for client authentication and then configure your AD to automatically deploy the machine certificates. A bit tricky to do, but it works quite well once you get used to it. Don't have short instructions right now; maybe I will find the time to write all that stuff into one article.

Joerg
Engaged Sweeper
Hey guys.

brama wrote:
[...]I have an issue with Lansweeper and Exchange scanning[...]

Me too - at least I _had!_ an issue with it... 😉
[...]Please advice![...]

I'll try to. 😉
First of all, instructions for Exchange scanning are hard to find as the original article from Lansweeper's KB is rubbish - the scan account DOES NOT! need to be a domain admin, but for proper scanning it has to be a member of the AD's "Domain Administrators" and "Organization Management" groups.

As long as you have your Windows firewalls turned off there is no problem at all with Exchange scanning. The fun part starts with firewalls enabled on either of your systems. For proper exchange scanning the requirements from the KB article are not complete - you need to configure your Exchange server(s) as well as your domain controller(s)!

Combining all links and infos from this thread the following setup worked (at least for me). This is the quick n' dirty solution. If you e.g. have an internal Root-CA you can automate some of these steps concerning certificates. Further on, with the proper use of GPOs you can automate the steps for WSMan/WinRM configuration.

In a nutshell:
- Create self signed certificates on your DCs and Exchange servers (or use/export existing ones) - purpose is "Client Authentication"
- Import these certificates to "Trusted root" store on your scanning server
- Create a WinRM https listener on each DC and Exchange
- Trigger "Rescan Asset" for your Exchange server(s)

I used Powershell to configure my setup, will just leave those lines here - feel free to adapt them to your needs:
#Creating and exporting certificates (run on each DC and Exchange server)
#The DnsName must match the name the scanning server connects with (use the FQDN if that is what your scanner uses)
$hostName = $env:COMPUTERNAME
$serverCert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $hostName
Export-Certificate -Cert $serverCert -FilePath "\\server\share\PSR$hostName.cer"


#Configure WinRM on DC(s) and Exchange server(s)
Enable-PSRemoting -Force
New-Item -Path WSMan:\localhost\Listener\ -Transport HTTPS -Address * -CertificateThumbPrint $serverCert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'WinRM - PowerShell remoting HTTPS-In' -Name 'WinRM - PowerShell remoting HTTPS-In' -Profile Any -Direction Inbound -Action Allow -LocalPort 5986 -Protocol TCP
Restart-Service WinRM


#Import the exported certificates on your scanning server into the Trusted Root store (the "Trusted root" step in the list above)
foreach ($cer in Get-ChildItem \\server\share\PSR*.cer) {
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\LocalMachine\Root
}


HTH! 😉

Cheers,
Joerg


EDIT:
Just as an addition - I have one Exchange server where the Exchange Management Shell does NOT! load the Exchange cmdlets. As expected, this server CAN NOT! be scanned by Lansweeper. Have to fix EMS and will try again. Pretty sure it'll work then.

MoonDogg
Engaged Sweeper III
As I suspected the reason it is not scanning is because of WinRM SSL error. I fixed it with this article.

MoonDogg
Engaged Sweeper III
Corey Lambert wrote:
As I suspected the reason it is not scanning is because of WinRM SSL error. I fixed it with this article.


This has been confirmed with the support team and they are getting with the development team to see if they need to modify the requirements for Exchange scanning.

jgallott
Engaged Sweeper II
So far, not much back from support. He did point out an error:

'Unable to scan Windows Cluster for target exch01.CSAC.Local with credential Exchange Scan.'

Is there an 'Exchange Scan' credential? I haven't seen it anywhere.

The normal Windows credentials are a Domain Admin member, so that isn't it, either.

MoonDogg
Engaged Sweeper III
Jim Gallott wrote:
So far, not much back from support. He did point out an error:

'Unable to scan Windows Cluster for target exch01.CSAC.Local with credential Exchange Scan.'

Is there an 'Exchange Scan' credential? I haven't seen it anywhere.

The normal Windows credentials are a Domain Admin member, so that isn't it, either.



My global scan credentials are the domain admin as well. I even created another credential and mapped it to the NetBIOS name of the Exchange server, and it did not change anything.

I think it's the WinRM using SSL. This was in my error log while debug was turned on:

WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. - on exchange-server.local using port 5986 and ssl True as the user 'domain\admin'.
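The WinRM error above and Joerg's listener/certificate setup earlier in the thread come down to three things the scanning server must get right: TCP 5986 reachable, a certificate whose name matches the name used to connect, and that certificate trusted by the scanning server. The following script is an added diagnostic, not code from any post in this thread or from Lansweeper; run it on the scanning server against one DC or Exchange host. The FQDN (taken from the OP's log line) and the port are assumptions to adjust.

```powershell
# Added check, not from any post in this thread. Run on the Lansweeper scanning
# server; $Target is the hypothetical FQDN taken from the OP's log line.
param([string]$Target = 'exchangehost.domain.local', [int]$Port = 5986)

# 1. Listener / firewall: TCP 5986 must answer before anything else matters.
$tcp = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
'TCP {0}:{1} reachable: {2}' -f $Target, $Port, $tcp.TcpTestSucceeded
if (-not $tcp.TcpTestSucceeded) { return }

# 2. Fetch the certificate the listener presents. The callback accepts anything
#    here so we can inspect a cert that this machine does NOT yet trust.
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($Target)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$client.Close()
'Listener cert: subject={0} thumbprint={1} expires={2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# 3. Name match: WinRM compares the name you connect with against the certificate.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
'Cert DNS name: {0} (connecting as: {1}) match: {2}' -f $dnsName, $Target, ($dnsName -eq $Target)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { 'SAN: ' + $san.Format($false) }

# 4. Trust: is the exported .cer really in this machine's Trusted Root store, and
#    does a chain build? Revocation is skipped because self-signed certs have no CRL.
$inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
'Thumbprint present in LocalMachine\Root: {0}' -f $inRoot
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
'Chain builds on this machine: {0}' -f $trusted
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# 5. The real thing: a WS-Man identify over HTTPS. If the name or trust check
#    above fails, this fails with the same kind of WinRM error Lansweeper logs.
try {
    $id = Test-WSMan -ComputerName $Target -Port $Port -UseSSL -ErrorAction Stop
    'Test-WSMan over HTTPS OK: {0}' -f $id.ProductVersion
} catch {
    'Test-WSMan over HTTPS failed: {0}' -f $_.Exception.Message
}
```

Run it once per DC and Exchange server that Lansweeper scans; a certificate that passes step 4 but fails step 3 is the self-signed-with-short-name case, since Lansweeper connects by FQDN.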

jgallott
Engaged Sweeper II
I have tested remote powershell successfully from the scanning server to the exchange servers using:

https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-servers-using-remote-powershell?view=exchange-ps

All three connect and I can run Get-mailbox.

I did remote powershell successfully to the preferred domain controller using:

Enter-PSSession -ComputerName <dc_name> -Credential <credentials>

Still Exchange won't scan. It does not seem to be the remote powershell that is getting in the way.