Thursday, April 30, 2020

itrezzo Unified Contact Management (UCM) Prerequisites

By Harpreet Singh Wasu

Ready to install and deploy itrezzo UCM software on a server in your environment?

Before you install and deploy itrezzo UCM, please go through the prerequisites below for a smooth installation and on-boarding process.

Important: It is essential that all the prerequisites are completed prior to the installation to make sure all software components are working as designed and to avoid re-installation.

itrezzo Service Account and Permissions:

  • You will need to create a user account in Active Directory (On-Premise) which will be used as a Service Account for itrezzo UCM.
  • The itrezzo Service Account must be Mail-Enabled.
  • The Service Account mailbox should be able to receive emails from internal recipients.
Important Note: The Service Account must not be a 'Managed Service Account (MSA)'. A Managed Service Account's password is not managed by any Administrator; it is managed by the server itself, so the password is changed automatically every 30 days.
This causes the itrezzo UCM services to stop every time the password changes.
This type of account also doesn't have a mailbox, as the password is not known to a user or an Administrator, and hence you cannot log in to a Managed Service Account manually.

Another point to consider: if a normal service account previously used for itrezzo UCM is converted to a Managed Service Account, all the existing itrezzo UCM configuration will be lost and cannot be recovered.
  • All Retention Policies and Archiving MUST be disabled on this mailbox.
  • The service account does not need to be a Domain Admin. It can be a user account with a user mailbox.
    • For Exchange Server 2010, the Service Account will need Full Access to Exchange mailboxes.
    The easiest way is to grant the permissions at the mailbox database level, so that whenever a new user is added, its mailbox inherits the permission from the Mailbox Database.
    This permission can be applied using the Exchange Management Shell on the On-Premise Exchange Server; the command below covers all available Mailbox Databases.

    Please Note: The PowerShell cmdlet below applies only to Exchange Server 2010.

    Get-MailboxDatabase | Add-ADPermission -User "srv-ucm" -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

    In the above command, replace "srv-ucm" with the itrezzo Service Account you created.
    • If your Exchange environment is Exchange Server 2013/2016/2019 or Office 365 (Exchange Online), then you need to grant the Application Impersonation role to this Service Account so that it can create, modify and delete contacts in the desired mailboxes.
    Please follow our article that provides detailed steps on How to Set Impersonation Mode for GAL or Public Folder Sync to User Mailboxes

    You will also need to set up an Exchange Throttling Policy:

    New-ThrottlingPolicy itrezzoSvcPolicy
    Set-Mailbox "itrezzo" -ThrottlingPolicy itrezzoSvcPolicy
    Set-ThrottlingPolicy itrezzoSvcPolicy -EWSMaxConcurrency Unlimited -EwsMaxBurst Unlimited -EWSMaxSubscriptions 10000 -EWSCutoffBalance Unlimited
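
To confirm what the service account actually holds once the steps above are done, the grants can be read back in the Exchange Management Shell. This is an added example, not itrezzo's own code; `$svc` is an assumption that stands for your Service Account (the page's commands use "srv-ucm" and "itrezzo" as sample names).

```powershell
# Added example: read back the Exchange-side prerequisites for the service account.
# Run in the Exchange Management Shell. $svc is an assumption: the sample account
# name from this page; substitute your own itrezzo Service Account.
$svc = 'srv-ucm'
$mbx = Get-Mailbox -Identity $svc -ErrorAction Stop

# Mailbox-level prerequisites: no retention policy, no archive, throttling policy set.
[pscustomobject]@{
    Mailbox           = [string]$mbx.PrimarySmtpAddress
    NoRetentionPolicy = [string]::IsNullOrEmpty([string]$mbx.RetentionPolicy)
    NoArchive         = ([string]$mbx.ArchiveGuid -eq [guid]::Empty.ToString())
    ThrottlingPolicy  = [string]$mbx.ThrottlingPolicy   # expected: itrezzoSvcPolicy
} | Format-List

# Exchange 2010: Receive-As / Send-As granted on the mailbox databases.
# Get-ADPermission does not exist in Exchange Online, so test for it first.
if (Get-Command Get-ADPermission -ErrorAction SilentlyContinue) {
    Get-MailboxDatabase | Get-ADPermission -User $svc |
        Where-Object { $_.ExtendedRights } |
        Format-List Identity, ExtendedRights, Deny, IsInherited
}

# Exchange 2013/2016/2019 and Exchange Online: ApplicationImpersonation assignments
# for the account, with the recipient scope each assignment covers.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -RoleAssignee $svc |
    Format-List Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope
```

Keeping this output with the change record gives a baseline to compare against when the account's rights are reviewed later.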

    Server Requirements:

    We recommend that you create a new VM which is a member server (a server joined to a domain) to run itrezzo UCM. If you wish to use an existing server, avoid one with existing IIS applications.

    Important Note: We DO NOT support or recommend installing or running itrezzo UCM on a server running Exchange Server or a Domain controller.

    Below are the server requirements:
    • Member Server (Server joined to your AD domain) running Windows Server 2012/2016/2019, either on bare iron or as a Virtual Guest.
    • Minimum RAM - 4 GB for fewer than 300 target mailboxes and 8 GB RAM if there are more than 300 target mailboxes.
    • Minimum two processor cores for fewer than 300 target mailboxes, 4 CPUs for more than 300 target mailboxes.
    • Minimum free Hard Disk space required - 10 GB.
    • Must have Internet access, and Port 80 should be open for inbound & outbound connections.

    Preparing your Server for itrezzo UCM:

    Add the Service Account created for itrezzo to the 'Local Administrators' group on the Member Server where you will install itrezzo UCM, using the steps below:

    1. Open Server Manager > Click on Tools on the Top Right 
    2. Select Computer Management
    3. On the left hand navigation, expand Local Users and Groups > Groups
    4. Right Click on Administrators > Properties > Add
    5. Enter the name of the new Service Account that we created > Check Names > OK.
    6. Apply > OK.

    You can also open Local Users and Groups on a Member Server using the Run command.

    • Open the Run prompt using the Windows + R keys on your keyboard.
    • Type LUSRMGR.msc and hit Enter.

    The next step is to grant the Service Account the 'Log on as a service' right.

    1. Open the Run prompt using the Windows + R keys on your keyboard.
    2. Type secpol.msc to open the Local Security Policy MMC console.
    3. Expand Local Policies > Select User Rights Assignment.
    4. Under the list of Policies, double-click Log on as a service.
    5. Click Add User or Group > Type the name of the itrezzo Service Account > Check Names > OK.
    6. Apply > OK.
    7. Log off from the server and log in again as the itrezzo Service Account.
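
Both settings from the two procedures above can be verified from an elevated PowerShell session on the member server. This is an added example, not part of the itrezzo documentation; the account name `CONTOSO\srv-ucm` is a placeholder, and `Get-LocalGroupMember` assumes Windows PowerShell 5.1.

```powershell
# Added example: verify the two local prerequisites for the itrezzo service account.
# Run elevated on the member server. 'CONTOSO\srv-ucm' is a placeholder account name.
$account = 'CONTOSO\srv-ucm'

# Resolve the account to its SID so the comparison works however it is listed.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Direct membership of the local Administrators group (well-known SID S-1-5-32-544).
#    Membership that comes through a nested domain group is not detected here.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                  Where-Object { $_.SID.Value -eq $sid })

# 2. 'Log on as a service' (SeServiceLogonRight): export the user rights with secedit
#    and look for the account on that line, listed either as *SID or by name.
$cfg = Join-Path $env:TEMP 'ucm-user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item -Path $cfg -Force

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() })
}
$shortName  = ($account -split '\\')[-1]
$hasService = ($holders -contains "*$sid") -or
              ($holders -contains $account) -or
              ($holders -contains $shortName)

[pscustomobject]@{
    Account            = $account
    Sid                = $sid
    LocalAdministrator = $isAdmin
    LogOnAsAService    = $hasService
} | Format-List
```

Both values should read True before the installer is started.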

    • The itrezzo Web Admin requires Silverlight and Internet Explorer. Turn off IE Enhanced Security Configuration on the member server.
    • We have found that network packet inspection software such as Cylance, Symantec Endpoint Protection, Sophos and Cisco AMP causes exceptionally poor performance. These options should be disabled for the network on this server. Thousands of EWS packets are sent to and received from the Exchange environment via port 443, and multiple internal network ports are also used to pass data between modules in the software. Packet inspection software can drastically affect performance and cause mailboxes not to get updated with the latest contact and calendar changes.
    • Also, any REAL TIME antivirus file monitoring should have an exclusion for the \Program Files (x86)\itrezzoAgent\... folders on the server.

    Software Requirements:

    Firewall Requirements:

    • We recommend that the Windows Firewall be turned off on the Server running itrezzo UCM.
    If your organization cannot afford to keep the Firewall off, then the ports below must be open:

    • Port 80 - It is used to run the itrezzo Web Admin locally.
    • Port 443 - Required to make EWS calls to and from the Exchange Servers.
    • Port 389 - itrezzo UCM uses LDAP on port 389 to communicate with AD.
    • In addition to this, all internal high-range ports must be open (like 49241 and up) - these are used to communicate between ECO, UCM, SSU and the Web Admin.
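
For servers where the firewall stays on, the port list above translates into scoped Windows Firewall rules like the following. This is an added example, not itrezzo's own script; the rule names, the group label, the server addresses, the Domain profile and the direction chosen for each port are assumptions to adjust to your environment.

```powershell
# Added example: keep Windows Firewall on and allow only the ports listed above.
# Needs the NetSecurity module (Windows Server 2012 and later); run elevated.
# Assumptions: rule names, group label, Domain profile, the addresses (documentation
# range 192.0.2.0/24) and the direction chosen for each port.
$group    = 'itrezzo UCM'
$exchange = @('192.0.2.10', '192.0.2.11')   # placeholder Exchange server addresses
$dcs      = @('192.0.2.20')                 # placeholder domain controller addresses

$rules = @(
    # Port 80: itrezzo Web Admin
    @{ DisplayName = 'UCM Web Admin (TCP 80 in)'; Direction = 'Inbound'; LocalPort = '80' }
    # Port 443: EWS calls to and from the Exchange servers
    @{ DisplayName = 'UCM EWS (TCP 443 out)'; Direction = 'Outbound'; RemotePort = '443'
       RemoteAddress = $exchange }
    @{ DisplayName = 'UCM EWS (TCP 443 in)'; Direction = 'Inbound'; LocalPort = '443'
       RemoteAddress = $exchange }
    # Port 389: LDAP to Active Directory
    @{ DisplayName = 'UCM LDAP (TCP 389 out)'; Direction = 'Outbound'; RemotePort = '389'
       RemoteAddress = $dcs }
    # High-range ports between ECO, UCM, SSU and the Web Admin
    @{ DisplayName = 'UCM modules (TCP 49241+ in)'; Direction = 'Inbound'
       LocalPort = '49241-65535'; RemoteAddress = 'LocalSubnet' }
)

foreach ($rule in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule @rule -Group $group -Protocol TCP -Action Allow -Profile Domain |
            Out-Null
    }
}

# Outbound allow rules only matter when a profile's default outbound action is Block
# (the Windows default allows outbound traffic). Show the profile state and the rules.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Direction, Action, Enabled
```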

      Download the itrezzo UCM software from the below link: