If litigation hold isn’t enough of a retention method for your Office365 mailboxes, Commvault v11 gives you the option of mailbox backups using a traditional mailbox agent. At the time of writing this process has much room for improvement: it’s slow and fairly cumbersome to configure, but it does work.
SP8 also introduces the new pseudoclient-style agent for mailbox backups, where multiple proxies can be placed under a single client (similar to the virtual server agent). As this is still an early release, this post focuses on the traditional mailbox agent method.
The proxy client is used to connect to O365 and use its installed Outlook client to stream messages back to the ContentStore.
- Windows service account. Needs to be local admin on the proxy.
- Office 2013 x64 SP1 or above + Updates
- If you are using a hybrid deployment (on-prem & online) you must use a separate proxy for each. This guide is aimed at an online-only deployment.
- dotNET framework 3.5
- Disable UAC
Commvault Books Online provides the following examples when sizing how many proxies to use:
If your Office 365 with Exchange environment includes 300 mailboxes:
- Create 5 subclients.
- Assign 60 mailboxes to each subclient.
- Use one proxy server.
- Use one Online Service account.
If your Office 365 with Exchange environment includes 3000 mailboxes:
- Create 30 subclients.
- Assign 100 mailboxes to each subclient.
- Use two proxy servers (15 subclients per proxy server).
- Use two Online Service accounts (one per proxy server).
Office365 requires a few changes to allow mailboxes to be accessed and protected.
- Global Administrator account with access to all mailboxes
- Update: Make sure you limit the number of “special” characters in the password. Stick with @ and # if possible, as of SP8 some of the others cause issues.
- Connection initiated from proxy via powershell – details here
- Log on using the windows service account.
- Install the OS & Outlook x64. In this example I’m using Server 2012R2 with Outlook 2013 64-bit SP1. Ensure all updates are installed before continuing. For supported OSs and Outlook editions click here. Note: at present “click to run” editions of Office are not supported.
- Install .NET framework 3.5
- Connect to Office365 and apply permissions to mailboxes. Using an elevated PowerShell prompt run the following commands:
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
This will allow you to run PowerShell commands on your Exchange Online environment.
- Apply Full access rights to all mailboxes for the service account you will be using for mailbox backup. If you are using more than one proxy, you will need more than one service account.
Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User "<service_account>" -AccessRights FullAccess -InheritanceType all -AutoMapping:$false
- If you want to apply permissions to a specific mailbox you can use:
Add-MailboxPermission -Identity "<mailbox_name>" -User "<service_account>" -AccessRights FullAccess -InheritanceType all -AutoMapping:$false
It is not necessary for the PowerShell session to remain open during the backup process. Once you have finished setting permissions, close the PowerShell session using the following command. This will avoid using up the sessions available to you.
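The connect, grant and close steps above as a single script, with a verification pass that lists any mailbox still missing the FullAccess grant and a `finally` block that closes the session with `Remove-PSSession`. This is an added example, not code from the original post; `<service_account>` is the placeholder used above and the variable names are assumptions.

```powershell
# Added example. Replace the placeholder with the backup service account.
$ServiceAccount = '<service_account>'

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection `
    -ErrorAction Stop

try {
    # Make the Exchange Online cmdlets available in the local session.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Grant FullAccess; AutoMapping off keeps the mailboxes out of the
    # service account's Outlook profile.
    $mailboxes | Add-MailboxPermission -User $ServiceAccount `
        -AccessRights FullAccess -InheritanceType All -AutoMapping:$false |
        Out-Null

    # Verify the grant mailbox by mailbox and collect any that lack it.
    $missing = foreach ($mbx in $mailboxes) {
        $grant = Get-MailboxPermission -Identity $mbx.DistinguishedName `
                     -User $ServiceAccount |
                 Where-Object {
                     -not $_.Deny -and
                     ([string]$_.AccessRights -like '*FullAccess*')
                 }
        if (-not $grant) { $mbx.PrimarySmtpAddress }
    }

    if ($missing) {
        Write-Warning "FullAccess missing on $(@($missing).Count) mailbox(es):"
        $missing
    } else {
        Write-Output "FullAccess confirmed on $(@($mailboxes).Count) mailbox(es)."
    }
}
finally {
    # Always release the remote session so it does not count against
    # the sessions available to the account.
    if ($Session) { Remove-PSSession $Session }
}
```

The grant covers only mailboxes that exist when the script runs, so rerun it after new mailboxes are created. Exchange Online has since retired Basic authentication for remote PowerShell; on current tenants the connection step is done with `Connect-ExchangeOnline` from the ExchangeOnlineManagement module, and the mailbox cmdlets are unchanged.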
- Create the Outlook profile using Control Panel – Mail. Name the profile the same as the O365 account alias (before the @).
- Ensure the profile doesn’t use cached mode. Once you have created the profile, start Outlook and when prompted for credentials, ensure the “Remember Credentials” option is selected.
- You now need to ensure Outlook uses RPC/HTTP as opposed to MAPI/HTTP to connect. Using regedit navigate to HKEY_CURRENT_USER –> Software –> Microsoft –> Exchange. Right click Exchange and choose new DWORD.
- Name the new DWORD MapiHttpDisabled and give it a value of 1
- Open Outlook and use Ctrl+Right click to select the Outlook icon in the taskbar. Click Connection Status.
- The Protocol column in the Outlook Connection Status window should read “RPC/HTTP”. If it doesn’t, double check the previous registry change and restart Outlook.
CommVault Mailbox Agent
The CommVault mailbox agent (traditional, not archiver) can be pushed from the central CommServe. Before doing so, you’ll need to add the “bEnableExchangeOnline” additional setting to the CommCell (top level) as shown below:
- Right click on the CommCell name in the CommCell browser window and choose properties.
- On the additional settings tab, add the bEnableExchangeOnline key with a value of true
Once that’s done you’re ready to deploy the mailbox agent to your proxy VM (the same place that you installed Outlook). To deploy, follow the instructions below:
- Choose Tools from the CommCell ribbon and Select Add/Remove software.
- Use the wizard to deploy the Exchange Mailbox software to the proxy, selecting defaults along the way. When prompted for exchange details, ensure the entries are blank & simply click Next.
- You can monitor the installation progress from the job monitor.
Once the software has been installed, you can configure the proxy client as follows. Do this from the Commvault console; you may have to press F5 to refresh the clients view.
- Right Click the Exchange mailbox (Classic) agent under the proxy client and choose properties
- Enter the Exchange Administrator account using the “Change Account” button higher up the page. This is the service account you used to log onto the proxy and configure the Outlook profile.
- Select “Exchange Online”, click OK on the warning.
- Enter the profile name used on the proxy.
- Click the lower “Change Account” button. Enter the full SMTP address and password for the exchange online service account.
- Click OK to return to the main CommServe screen. Right click on the proxy client and choose properties.
- Click “Advanced” and select the “Additional Settings” tab. Add the following Keys:
- nMailboxesperSession = 1
- nRestartMAPIOnNetworkError = 1
- nSkipUserImpersonation = 1
- nExchangeOnlineOnly = 1
Disable User Impersonation
Now that the mailbox client & agent are configured, the logon user for the CommVault services on the proxy needs to be adjusted.
- Log onto the proxy VM. Open services.msc from the Run command.
- Adjust the Log On As properties for the following services to reflect the windows service account.
- Commvault Communications Service
- Commvault Client Event Manager
- Commvault Communications Service
- If prompted to allow Log On As rights, click OK. Restart the services once complete.
Content is added via subclients in the same way you would with many other agents. As described in the prerequisites section, in order to get the best throughput from your mailbox backups, it would be wise to split the mailboxes into multiple subclients. In this example I have split the content into 4 subclients; in a real-life scenario I would recommend considerably more.
The subclients are split by first letter, resulting in any mailboxes with the alias starting with A-F being picked up by the one subclient, any with their alias starting with H-K selected by another etc. This is achieved by enabling “Auto Discover” on the defaultBackupSet properties as shown below.
Once that’s done you can use wildcards (more detail here) to specify the content. Wildcards used for my H-K subclient are shown below:
Now the content is configured you can run the first backup & schedule accordingly. As stated previously, if you have a lot of mailboxes this will take a while. Make sure you have sufficient subclients & proxies to suit the size of your environment. If you have multiple proxies, that means multiple accounts need to be created in O365. SP8 brings new functionality to mailbox backup which will be discussed in a later post; some simplification of the process would be a very good thing!