Setup Requirements - All Modules

Virtual appliances are available for:
On-Premises deployment:

• VMWare vSphere (recommended for production)

• VMWare Workstation (for evaluation purposes)

   For compatibility reasons, our appliances are configured for ESXi 6.0 and Workstation 11. If you run a newer version, we recommend to upgrade the virtual machine hardware version.

• MicrosoftHyper-V
  
  

Azure tenant deployment:

• Azure tenant deployment (incl. virtual appliance and all necessary Azure resources)

The underlying hardware and OS needs to have VT-x support enabled (in the BIOS). This is mainly relevant in scenarios where workstations act as host software. You can find  detailed information about operating system requirements on the respective product pages: www.vmware.com/products/ 

Please use the following table for reference:

You may require additional resources in addition to all above described conditions, depending on data collection intervals, number of sensors enabled, and number of servers being monitored. panagenda and selected panagenda OfficeExpert business partners can help you evaluate the ideal hardware specifications for your environment.

The following image shows the architecture of panagenda OfficeExpert, including the required port configurations: 

OfficeExpert Virtual Appliance:

Outbound (originating in virtual appliance):

• HTTP/HTTPS to Office365 Cloud tenant for data collection (TCP 80/443)
• HTTPS to Azure Key Vault within customers Azure tenant (TCP 443)
• Internet Repository URLS (docker.panagenda.com, OS security updates) (TCP 80/443)

• Kafka/Zookeeper to Windows Proxy and simulation clients (TCP 29092/ 22181)

Inbound (accessing virtual appliance):

• HTTP/HTTPS for configuration and reports (TCP 80/443)

• HTTPS for Azure Bot Framework Service  (TCP 4443 !)  - https://<appliance>:4443/bot/messages

Just allow inbound tcp 4443 to this particular endpoint /bot/messages only!  (via Firewalls, Azure AD Proxy, ...)

• SSH for system configuration and application tuning (TCP 22)

• VNC for system configuration and IBM Notes client access (TCP 5901)

• Kafka/Zookeeper from Windows Proxy and simulation clients (TCP 29092/ 22181)

OfficeExpert Windows Proxy

Outbound (originating in Windows Proxy):

• PowerShell to Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)
• PowerShell to Cloud tenant (TCP 80/443)

Inbound (accessing Windows Proxy):

• PowerShell from Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)

OE Simulation Machines (Bots) 1-n

Outbound (originating in simulation client):

• Kafka/Zookeeper to virtual appliance (TCP 29092/22181)
• HTTP/HTTPS to Office365 Cloud tenant (TCP 80/443)

https://docs.microsoft.com/en-us/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide#show-user-details-in-the-reports

If you leave this enabled, OfficeExpert will be unable to map user data with activity data.

Hardware:

The panagenda OfficeExpert web interface is based on HTML5 and therefore accessible on any HTML5 capable device.

Only Chrome, Edge, FireFox and Safari are officially supported (latest 64-bit versions).

In general, the OfficeExpert web interface requires a minimum screen resolution of 1366 x 768 pixels. 

Browser security and network access:

No special web browser security settings are required to access the panagenda OfficeExpert web interface. For the web interface, you need to have access to the panagenda OfficeExpert appliance via TCP/IP, Port 80 (HTTP) and Port 443 (HTTPS).

Simulation Bots

Machines

These bots need to run on dedicated machines such as PCs, notebooks, or even virtual machines (as long as the virtual machine is located in the respective region) with the following requirements:

• Windows 7 or 10
• Hosts have to be member of your Active Directory domain (relevant in case of ADFS)
• All required ports have to be opened (see Network and Firewall - Requirements)
• Internet access is needed to access the cloud environment
• Optional: access to an on-premises Exchange server

• Please install:

• • Optional: for Outlook client simulation: MS Outlook 2016 or later

• • Optional: for or Skype client simulation : latest version of Skype for Business

Accounts

For the configuration of OfficeExpert, the following accounts are required:

• Dedicated Office365 user account (any kind of subscription)

• • with the necessary applications assigned (Teams, SharePoint, Skype for Business, Outlook, and OneDrive)

• For Outlook client data analyses, please make sure that Outlook is configured with the same user account
  • it has to be the first profile!
  • please use the auto-discover setup instead of IMAP/POP3 configuration!
  • caching has to be disabled:
    Go to Account Settings > Data Files > Settings > Advanced and uncheck Use Cached Exchange Mode
    

• • and make sure that 3rd-party add-ins are disabled.

• For Skype for Business data analyses, make sure you are logged in with the same user account
  •  adjust the following settings:
    

• For ADFS-enabled clients

• • make sure the client is member of the domain (joined)

• • make sure the OS account is ADFS enabled

• • verify the following on client level:
    • login to OS and open https://portal.office.com
    • enter user name
    • no password prompt should appear; you should be logged-in to the portal right away

• For modern authentication
  • If you want to configure the simulation bot with modern authentication, please refer to the Knowledge Base article Modern Authentication.

• For certificate-based authentication (only valid for Exchange simulations)

• 
  
  • make sure the client is member of the domain (joined)
  • make sure the client/user certificate is deployed to the machine

Simulation Azure Sync

You need the following items for the configuration of an Azure Sync Simulation:

• Active Directory account (normal user) with delegated control to create/modify a user object (see next bullet point)

• An Active Directory account (normal user) which will be modified by the simulation (the mobile phone field will be updated with timestamp information)
• An AD Account to access the Azure Active Directory Connect server

The user has to be able to start a remote PowerShell session on that synchronization server (optional: local admin account)

• A user account to access and read Azure Active Directory (normal user)

• Tenant ID
• Application ID of Azure Active Directory application (see below)
• (FQDN of OfficeExpert appliance, which will be configured during setup, see Starting the Virtual Appliance)

• an Office 365 user account with the necessary apps/subscription (E1,E3....)

An Azure Active Directory application for BOTs is required which needs to be registered as follows:

1. Open aad.portal.azure.com (log in as a global admin) and click on App registrations
   
   
   

2. Click on New registration, complete the fields as shown in the screenshot below and click on Create
   
   

   In the following screen, enter the following "Redirect URI": https://OfficeExpert

   
   
   

3. After the creation, click on Authentication and scroll to Advanced settings. Click on Yes to treat application as a public client.
   
   
   
4. Click on Manifest and adjust the section requiredResourceAccess
   Select the blue selected lines in the screenshot

and overwrite it with the following lines...

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000004-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "44e84b5a-52a3-4b41-975c-6c960414004a",
                    "type": "Scope"
                },
                {
                    "id": "d0c8f2ea-8f80-4289-8e78-4bc821cde1bc",
                    "type": "Scope"
                },
                {
                    "id": "208afe8f-9dfa-4f72-a755-6b810d61f42f",
                    "type": "Scope"
                },
                {
                    "id": "4d48dea7-b534-4bca-9d76-5f8a7a8edae8",
                    "type": "Scope"
                },
                {
                    "id": "5bdeff8b-73d9-4b8a-9e9b-d44c6105f9b4",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "1002502a-9a71-4426-8551-69ab83452fab",
                    "type": "Scope"
                },
                {
                    "id": "4e0d77b0-96ba-4398-af14-3baa780278f4",
                    "type": "Scope"
                },
                {
                    "id": "b3f70a70-8a4b-4f95-9573-d71c496a53f4",
                    "type": "Scope"
                },
                {
                    "id": "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
                    "type": "Scope"
                },
                {
                    "id": "75767999-c7a8-481e-a6b4-19458e0b30a5",
                    "type": "Scope"
                },
                {
                    "id": "5eb43c10-865a-4259-960a-83946678f8dd",
                    "type": "Scope"
                },
                {
                    "id": "765f423e-b55d-412e-97e3-13a800c3a537",
                    "type": "Scope"
                },
                {
                    "id": "6223a6d3-53ef-4f8f-982a-895b39483c61",
                    "type": "Scope"
                }
            ]
        }
    ],

1. Click on API Permission. You should then see this list
   
   
   
   
2. Finally, click on Grant Permissions
   
   
   
3. Write down the Application ID which will be needed to configure OfficeExpert bots (see Bot Configuration - "Coreinfo" Section).

• min. Windows Server2016 Standard
• Hosts have to be member of your Active Directory Domain
  
• All required ports have to be opened (see Network and Firewall - Requirements)
• Internet access is needed to access the cloud environment