-->

Sunday, August 28, 2016

Exchange 2013/2016 Using The Exchange Management Shell Through A Web Proxy

In my current project, we have Exchange 2016 running in a pretty secure environment consisting of a Resource Forest, and all servers are behind a HTTP Proxy Server.

Having Exchange behind a proxy can cause all sorts of headaches including not being able to download CU .iso files, FIPS (anti-malware) update failures, Remote PowerShell connection problems, and Federated Sharing issues.

The best course of action is to get your security team to allow Exchange out through the proxy, or at the very least disable authentication requirements...but sometimes that's not an option, so I'll show you the next best option.


Most likely, you'll have your Web Proxy configured in Internet Explorer, and you can use PowerShell to import those settings into the Exchange Management Shell (EMS).


**Note** Importing the proxy settings only works with explicit proxy settings in IE, it cannot use a PAC script.

**Note** Since Exchange 2013/2016 runs a web-based EAC (Exchange Admin Console), you really only need to set exclusions in the proxy for local addresses, and that should allow all connections to the EAC.

On each Exchange server do the following:

First, fire up an elevated Windows PowerShell to ensure that you have your exclusions set, by running:


netsh winhttp set proxy 10.1.2.3:8080 ";*.exchangeitup.com;*.exchangeitup.org;*.exchangeitup.net"

**Note** Change "10.1.2.3" to your proxy server IP address, and whatever domain names you need to exclude for instance "exchangeitup".

Next, import the proxy into PowerShell by running:

netsh winhttp import proxy source=ie

**Note** IE proxy settings are set per user, not per computer so you'll need to import them on each admin account that logs into the Exchange servers. Or you can set it through a GPO, but I try to keep GPO's on Exchange servers to a minimum :)

Next, add your proxy server authentication to the Credential Manager under Control Panel.

Next, we'll add the proxy to the EMS on each Exchange server, by running:

Set-ExchangeServer -identity EXCH01 -internetwebproxy:http://10.1.2.3:8080
Set-ExchangeServer -identity EXCH02 -internetwebproxy:http://10.1.2.3:8080
Set-ExchangeServer -identity EXCH03 -internetwebproxy:http://10.1.2.3:8080


**Note** Change the server name and proxy IP to match your environment.

You can verify that the proxy is set on each server by running:

Get-ExchangeServer |fl name,internetwebproxy

Now you shouldn't be blocked by your proxy when trying to do everyday Exchange management, but like I said above best is to allow Exchange out to the internet "uninhibited" to alleviate all the headaches :)

4 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete