Virtual Appliance

panagenda OfficeExpert is based on the very popular CentOS Linux distribution, which is based on the source code of Red Hat Enterprise Linux (RHEL). CentOS 7 was chosen because of its stability and its long-time support (maintenance until June 2024). It uses a current kernel version (3.10.x) for virtual systems. Only security patches are configured for automatic update via YUM (Yellowdog updater modified).

Virtual appliances are available for:
On-Premises deployment:

  • VMWare vSphere (recommended for production)
  • VMWare Workstation (for evaluation purposes)

     For compatibility reasons, our appliances are configured for ESXi 6.0 and Workstation 11. If you run a newer version, we recommend to upgrade the virtual machine hardware version.

  • MicrosoftHyper-V

Azure tenant deployment:

  • Azure tenant deployment (incl. virtual appliance and all necessary Azure resources)

The underlying hardware and OS needs to have VT-x support enabled (in the BIOS). This is mainly relevant in scenarios where workstations act as host software. You can find  detailed information about operating system requirements on the respective product pages: 

Please use the following table for reference:

 # of UsersCPUMemoryHard disk (additional disk)
up to 1.0004vCpus8 - 16 GB200 GB
up to 10.0004vCpusmin 16 GB

300 GB

up to 100.0008vCpusmin 32 GB400 GB
> 100.0008vCpusmin 48 GB500 GB  

For on-prem deployment, add an additional disk to the VM to fit your hard disk requirement (do not extend the existing disk).

For Azure deployment, you can define the hard disk size in the script (data disk) before you deploy.

You may require additional resources in addition to all above described conditions, depending on data collection intervals, number of sensors enabled, and number of servers being monitored. panagenda and selected panagenda OfficeExpert business partners can help you evaluate the ideal hardware specifications for your environment.

Network and Firewall

The following image shows the architecture of panagenda OfficeExpert, including the required port configurations: 

OfficeExpert Virtual Appliance:

Outbound (originating in virtual appliance):

  • HTTP/HTTPS to Office365 Cloud tenant for data collection (TCP 80/443)
  • HTTPS to Azure Key Vault within customers Azure tenant (TCP 443)
  • Internet Repository URLS (, OS security updates) (TCP 80/443)
  • Kafka/Zookeeper to Windows Proxy and simulation clients (TCP 29092/ 22181)

Inbound (accessing virtual appliance):

  • HTTP/HTTPS for configuration and reports (TCP 80/443)
  • HTTPS for Azure Bot Framework Service  (TCP 4443 !)  - https://<appliance>:4443/bot/messages

Just allow inbound tcp 4443 to this particular endpoint /bot/messages only!  (via Firewalls, Azure AD Proxy, ...)

Note that you also have to provide a company-owned SSL certificate for the OfficeExpert ACE Notification Bot.

  • SSH for system configuration and application tuning (TCP 22)
  • VNC for system configuration and IBM Notes client access (TCP 5901)

  • Kafka/Zookeeper from Windows Proxy and simulation clients (TCP 29092/ 22181)

OfficeExpert Windows Proxy

Outbound (originating in Windows Proxy):

  • PowerShell to Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)
  • PowerShell to Cloud tenant (TCP 80/443)

Inbound (accessing Windows Proxy):

  • PowerShell from Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)

OE Simulation Machines (Bots) 1-n

Outbound (originating in simulation client):

  • Kafka/Zookeeper to virtual appliance (TCP 29092/22181)
  • HTTP/HTTPS to Office365 Cloud tenant (TCP 80/443)

Azure Lighthouse

OfficeExpert requires several components in the customers Azure tenant. Therefore an Azure subscription is required to setup OfficeExpert
More details can be found here >> Setup - Azure Lighthouse

Disable MS Report obfuscation

Make sure that the Report setting for de-identifying users user, groups and sites names is disabled in your tenant:

If you leave this enabled, OfficeExpert will be unable to map user data with activity data.

Admin Client (Web Interface)


The panagenda OfficeExpert web interface is based on HTML5 and therefore accessible on any HTML5 capable device.

Only Chrome, Edge, FireFox and Safari are officially supported (latest 64-bit versions).

In general, the OfficeExpert web interface requires a minimum screen resolution of 1366 x 768 pixels

Browser security and network access:

No special web browser security settings are required to access the panagenda OfficeExpert web interface. For the web interface, you need to have access to the panagenda OfficeExpert appliance via TCP/IP, Port 80 (HTTP) and Port 443 (HTTPS).

Client Simulation Bots

Simulation Bots


These bots need to run on dedicated machines such as PCs, notebooks, or even virtual machines (as long as the virtual machine is located in the respective region) with the following requirements:

  • Windows 7 or 10
  • Hosts have to be member of your Active Directory domain (relevant in case of ADFS)
  • All required ports have to be opened (see Network and Firewall - Requirements)
  • Internet access is needed to access the cloud environment
  • Optional: access to an on-premises Exchange server
  • Please install:
    • Optional: for Outlook client simulation: MS Outlook 2016 or later
    • Optional: for or Skype client simulation : latest version of Skype for Business


For the configuration of OfficeExpert, the following accounts are required:

  • Dedicated Office365 user account (any kind of subscription)
    • with the necessary applications assigned (Teams, SharePoint, Skype for Business, Outlook, and OneDrive)
  • For Outlook client data analyses, please make sure that Outlook is configured with the same user account
    • it has to be the first profile!
    • please use the auto-discover setup instead of IMAP/POP3 configuration!
    • caching has to be disabled:
      Go to Account Settings > Data Files > Settings > Advanced and uncheck Use Cached Exchange Mode
    • and make sure that 3rd-party add-ins are disabled.

  • For Skype for Business data analyses, make sure you are logged in with the same user account
    •  adjust the following settings:

  • For ADFS-enabled clients
    • make sure the client is member of the domain (joined)
    • make sure the OS account is ADFS enabled
    • verify the following on client level:
      • login to OS and open
      • enter user name
      • no password prompt should appear; you should be logged-in to the portal right away

  • For modern authentication
    • If you want to configure the simulation bot with modern authentication, please refer to the Knowledge Base article Modern Authentication.

  • For certificate-based authentication (only valid for Exchange simulations)

    • make sure the client is member of the domain (joined)
    • make sure the client/user certificate is deployed to the machine

Simulation Azure Sync

You need the following items for the configuration of an Azure Sync Simulation:

  • Active Directory account (normal user) with delegated control to create/modify a user object (see next bullet point)

  • An Active Directory account (normal user) which will be modified by the simulation (the mobile phone field will be updated with timestamp information)
  • An AD Account to access the Azure Active Directory Connect server

The user has to be able to start a remote PowerShell session on that synchronization server (optional: local admin account)

  • A user account to access and read Azure Active Directory (normal user)

Azure AD Application for Bots

To configure the OfficeExpert simulation bots, you will need to provide the following information:
  • Tenant ID
  • Application ID of Azure Active Directory application (see below)
  • (FQDN of OfficeExpert appliance, which will be configured during setup, see Starting the Virtual Appliance)
  • an Office 365 user account with the necessary apps/subscription (E1,E3....)

An Azure Active Directory application for BOTs is required which needs to be registered as follows:

  1. Open (log in as a global admin) and click on App registrations

  2. Click on New registration, complete the fields as shown in the screenshot below and click on Create

    In the following screen, enter the following "Redirect URI": https://OfficeExpert

  3. After the creation, click on Authentication and scroll to Advanced settings. Click on Yes to treat application as a public client.

  4. Click on Manifest and adjust the section requiredResourceAccess
    Select the blue selected lines in the screenshot

and overwrite it with the following lines...

    "requiredResourceAccess": [
            "resourceAppId": "00000004-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "44e84b5a-52a3-4b41-975c-6c960414004a",
                    "type": "Scope"
                    "id": "d0c8f2ea-8f80-4289-8e78-4bc821cde1bc",
                    "type": "Scope"
                    "id": "208afe8f-9dfa-4f72-a755-6b810d61f42f",
                    "type": "Scope"
                    "id": "4d48dea7-b534-4bca-9d76-5f8a7a8edae8",
                    "type": "Scope"
                    "id": "5bdeff8b-73d9-4b8a-9e9b-d44c6105f9b4",
                    "type": "Scope"
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "1002502a-9a71-4426-8551-69ab83452fab",
                    "type": "Scope"
                    "id": "4e0d77b0-96ba-4398-af14-3baa780278f4",
                    "type": "Scope"
                    "id": "b3f70a70-8a4b-4f95-9573-d71c496a53f4",
                    "type": "Scope"
                    "id": "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2",
                    "type": "Scope"
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
                    "type": "Scope"
                    "id": "75767999-c7a8-481e-a6b4-19458e0b30a5",
                    "type": "Scope"
                    "id": "5eb43c10-865a-4259-960a-83946678f8dd",
                    "type": "Scope"
                    "id": "765f423e-b55d-412e-97e3-13a800c3a537",
                    "type": "Scope"
                    "id": "6223a6d3-53ef-4f8f-982a-895b39483c61",
                    "type": "Scope"
  1. Click on API Permission. You should then see this list

  2. Finally, click on Grant Permissions

  3. Write down the Application ID which will be needed to configure OfficeExpert bots (see Bot Configuration - "Coreinfo" Section).

Windows Proxy

A Windows Proxy performs all necessary PowerShell cmdlet calls against the Office 365 cloud AND the server monitoring on-premises infrastructure (required in hybrid infrastructures). The virtual appliance and the simulation bots do not necessarily need the Windows Proxy. 
However, to get the most out of panagenda OfficeExpert, we highly recommend to deploy a Windows Proxy with the following requirements:
  • min. Windows Server2016 Standard
  • Hosts have to be member of your Active Directory Domain
  • All required ports have to be opened (see Network and Firewall - Requirements)
  • Internet access is needed to access the cloud environment

Hybrid Infrastructure

To run OfficeExpert in hybrid infrastructures (Azure Active Directory Connect server, ADFS server), or if you want to run the Azure Sync simulation, make sure that remote PowerShell is active on each of the target hosts:

  • Enable-PSRemoting -force›
  • set-item -force WSMan:\localhost\Service\Auth\Basic $true
  • set-item -force WSMan:\localhost\Client\AllowUnencrypted $true
  • set-item -force WSMan:\localhost\Service\AllowUnencrypted $true
  • Make sure you use an account which is member of the local administrator group of the target host (no need to be a domain admin!)
  • TCP ports 5985 and 5986 need to be opened between OfficeExpert and target host
  • Make sure that the OE Windows Proxy host is listed as a TrustedHost on the Destination System (Exchange, on-prem, ...)
    • Check the current setting:  Get-Item -Path WSMan:\localhost\Client\TrustedHosts
    • Add the OE host:  Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value <FQDN_of_OE_WindowsProxy> -Force