Virtual Appliance

panagenda OfficeExpert is based on the very popular CentOS Linux distribution, which is based on the source code of Red Hat Enterprise Linux (RHEL). CentOS 7 was chosen because of its stability and its long time support (maintenance until June 2024). It uses a current kernel version (3.10.x) for virtual systems. Only security patches are configured for automatic update via the YUM (yellowdog updater modified)

Virtual appliances are available for:
On Premises deployment:

  • VMWare vSphere (recommended for production)
  • VMWare Workstation (for evaluation purposes)

     For compatibility reasons, our appliances are configured for ESXi 6.0 and Workstation 11. If you run a newer version, we recommend to upgrade the virtual machine hardware version.

  • MicrosoftHyper-V

Azure tenant deployment:

  • Azure tenant deployment (incl. virtual appliance and all necessary azure resources)

The underlying hardware and OS need to have VT-x support enabled (in BIOS). This is mainly relevant in scenarios where Workstation act as host software. Detailed information about operating system requirements can be found on the respective product pages: 

Please use the following table for reference:

 # of UsersCPUMemoryHarddisk (additional disk)
up to 1.0004vCpus8 - 16 GB200 GB
up to 10.0004vCpusmin 16 GB

300 GB

up to 100.0008vCpusmin 32 GB400 GB
> 100.0008vCpusmin 48 GB500 GB  


For On Prem deployment please add an additional disk to the VM to fit your harddisk requirement (please do not extend the existing disk)

For Azure deployment you can define the harddisk size in the script (Data Disk) before you deploy

Additional resources may be required under all above described conditions, depending on data collection intervals, number of sensors enabled, and number of servers being monitored. panagenda and selected panagenda OfficeExpert business partners can help you evaluate the optimum hardware specifications for your environment.

Network and Firewall

The following image shows the architecture of panagenda OfficeExpert, including the required port configurations: 

OfficeExpert Virtual Appliance:

Outbound (originating in virtual appliance):

  • HTTP/HTTPS to Office365 Cloud tenant for data collection (TCP 80/443)
  • HTTPS to Azure Key Vault within customers azure tenant (TCP 443)
  • Internet Repository URLS (, OS security updates) (TCP 80/443)
  • Kafka/Zookeeper to Windows Proxy and simulation clients (TCP 29092/ 22181)

Inbound (accessing virtual appliance):

  • HTTP/HTTPS for configuration and reports (TCP 80/443)
  • HTTPS for Azure Bot Framework Service  (TCP 4443 !)  - https://<appliance>:4443/bot/messages

Just allow inbound tcp 4443 to this particular endpoint /bot/messages only!  (via Firewalls, Azure AD Proxy, ...)

Please note that you also have to provide a company-owned SSL certificate for the OfficeExpert ACE Notification Bot.

  • SSH for system configuration and application tuning (TCP 22)
  • VNC for system configuration and IBM Notes client access (TCP 5901)

  • Kafka/Zookeeper from Windows Proxy and simulation clients (TCP 29092/ 22181)

OfficeExpert Windows Proxy

Outbound (originating in Windows Proxy):

  • PowerShell to Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)
  • PowerShell to Cloud tenant (TCP 80/443)

Inbound (accessing Windows Proxy):

  • PowerShell from Active Directory server, Azure Connect server, ADFS server (TCP 5985/ 5986)

OE Simulation Machines (Bots) 1-n

Outbound (originating in simulation client):

  • Kafka/Zookeeper to virtual appliance (TCP 29092/22181)
  • HTTP/HTTPS to Office365 Cloud tenant (TCP 80/443)

Azure Lighthouse

OfficeExpert requires several components in the customers Azure tenant. Therefore an Azure subscription is required to setup OfficeExpert
More details can be found here >> Setup - Azure Lighthouse

Disable MS Report obfuscation

Please make sure that the Report setting for de-identify users, disabled in your tenant

If you leave this enabled, OfficeExpert will be unable to map user data with activity data

Admin Client (Web Interface)


The panagenda OfficeExpert web interface is based on HTML5 and therefore accessible on any HTML5 capable device.

Only Chrome, Edge, FireFox and Safari webbrowser are officially supported (latest 64bit versions)

In general, the OfficeExpert web interface requires a minimum screen resolution of 1366 x 768 pixels

Browser Security and Network Access:

No special web browser security settings are required to access the panagenda OfficeExpert web interface. For the web interface, you need to have access to the panagenda OfficeExpert appliance via TCP/IP, Port 80 (HTTP) and Port 443 (HTTPS).

Client Simulation Bots

Simulation Bots


These bots need to run on dedicated machines such as PCs, notebooks or even virtual machines (as long as the virtual machine is located in the respective region) with the following requirements:

  • Windows 7 or 10
  • Hosts have to be member of your Active Directory domain (relevant in case of ADFS)
  • All required ports have to be opened (see Network and Firewall - Requirements)
  • Internet access is needed to access the cloud environment
  • Optional: Access to on-premises Exchange server
  • Please install:
    • Optional: for Outlook client simulation: MS Outlook 2016 or later
    • Optional: for or Skype client simulation : Latest version of Skype for Business


For the configuration of OfficeExpert, the following accounts are required:

  • Dedicated Office365 user account (any kind of subscription)
    • with the necessary applications assigned (Teams, SharePoint, Skype for Business, Outlook, and OneDrive)
  • For Outlook client data analyses, please make sure that Outlook is configured with the same user account
    • it has to be the first profile!
    • please use the autodiscover setup instead of imap/pop3 configuration!
    • caching has to be disabled:
      Go to Account Settings > Data Files > Settings > Advanced and uncheck Use Cached Exchange Mode
    • and please make sure that 3rd party add-ins are disabled.

  • For Skype for Business data analyses, please make sure that you are logged in with the same user account
    •  adjust the following settings:

  • For ADFS enabled clients
    • make sure that the client is member of the domain (joined)
    • make sure that the OS account is ADFS enabled
    • verify the following on client level:
      • login to OS and open URL
      • enter user name
      • no password prompt should appear; you should be logged-in to the portal right away

  • For modern authentication
    • If you want to configure the simulation bot with modern authentication please refer to the knowledge base article Modern Authentication.

  • For certificate based authentication (only valid for Exchange Simulations)

    • make sure that the client is member of the domain (joined)
    • make sure that the client/user certificate is deployed to the machine

Simulation Azure Sync

For the configuration of an Azure Sync Simulation the following items are necessary

  • Active Directory account (normal user) which has delegated control to create/modify a user object (see next bullet point)

  • An Active Directory account (normal user) which will be modified by the Simulaiton (Mobile phone field will be updated with timestamp information)
  • An AD Account to access the Azure Active Directory Connect server

The user has to be able to start a remote PowerShell session on that synchronization server (optional: Local admin account)

  • An User Account to access and read Azure Active Directory (normal user)

Azure AD Application for Bots

In order to configure the OfficeExpert simulation bots you will need to provide the following information:
  • Tenant ID
  • Application ID of Azure Active Directory application (see below)
  • (FQDN of OfficeExpert appliance, which will be configured during setup, see Starting the Virtual Appliance)
  • an O365 User account with the necessary apps/subscription (E1,E3....)

An Azure Active Directory application for BOTs is required which needs to be registered as follows:

  1. Open (login as a global admin) and click on Appregistrations

  2. Click on New application registration, complete the fields as shown in the second screenshot below and click on Create

    In the following screen, please enter the following "Redirect URI": https://OfficeExpert

  3. After the creation, click on Authentication and scroll to Advanced settings. Click on Yes to treat application as a public client.

  4. Click on Manifest and adjust the section requiredResourceAccess
    Select the blue selected lines in the screenshot.......

and overwrite it with the following lines...

    "requiredResourceAccess": [
            "resourceAppId": "00000004-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "44e84b5a-52a3-4b41-975c-6c960414004a",
                    "type": "Scope"
                    "id": "d0c8f2ea-8f80-4289-8e78-4bc821cde1bc",
                    "type": "Scope"
                    "id": "208afe8f-9dfa-4f72-a755-6b810d61f42f",
                    "type": "Scope"
                    "id": "4d48dea7-b534-4bca-9d76-5f8a7a8edae8",
                    "type": "Scope"
                    "id": "5bdeff8b-73d9-4b8a-9e9b-d44c6105f9b4",
                    "type": "Scope"
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "1002502a-9a71-4426-8551-69ab83452fab",
                    "type": "Scope"
                    "id": "4e0d77b0-96ba-4398-af14-3baa780278f4",
                    "type": "Scope"
                    "id": "b3f70a70-8a4b-4f95-9573-d71c496a53f4",
                    "type": "Scope"
                    "id": "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2",
                    "type": "Scope"
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                    "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
                    "type": "Scope"
                    "id": "75767999-c7a8-481e-a6b4-19458e0b30a5",
                    "type": "Scope"
                    "id": "5eb43c10-865a-4259-960a-83946678f8dd",
                    "type": "Scope"
                    "id": "765f423e-b55d-412e-97e3-13a800c3a537",
                    "type": "Scope"
                    "id": "6223a6d3-53ef-4f8f-982a-895b39483c61",
                    "type": "Scope"
  1. Click on API Permission. You  should then see this list.

  2. Finally, click on GrantPermissions

  3. Write down the Application ID which will be needed to configure OfficeExpert bots (see Bot Configuration - "Coreinfo" Section).

Windows Proxy

A Windows Proxy performs all necessary PowerShell cmdlet calls against the Office 365 cloud AND the server monitoring on-premises infrastructure (required in hybrid infrastructures). The virtual appliance and the simulation bots do not necessarily need the Windows Proxy. 
However, to get the most out of panagenda OfficeExpert, we highly recommend to deploy a Windows Proxy with the following requirements:
  • min. Windows Server2016 Standard
  • Hosts have to be member of your Active Directory Domain
  • All required ports have to be opened (see Network and Firewall - Requirements)
  • Internet access is needed to access the cloud environment

Hybrid Infrastructure

To run OfficeExpert in hybrid infrastructures (Azure Active Directory Connect server, ADFS server) or if you want to run the Azure Sync simulation, please make sure that remote PowerShell is active on each of the target host:

  • Enable-PSRemoting -force
  • set-item -force WSMan:\localhost\Service\Auth\Basic $true
  • set-item -force WSMan:\localhost\Client\AllowUnencrypted $true
  • set-item -force WSMan:\localhost\Service\AllowUnencrypted $true
  • Make sure that you use an account which is member of the local Administrator group of the target host (no need to be a Domain admin!)
  • TCP Port 5985 and 5986 needs to be opened between OfficeExpert and target host
  • Make sure that the OE Windows Proxy host is listed as a TrustedHost on the Destination System (Exchange Onprem, ...)
    • Check the current setting:  Get-Item -Path WSMan:\localhost\Client\TrustedHosts
    • Add the OE host:  Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value <FQDN_of_OE_WindowsProxy> -Force