Merge pull request #1998 from microsoft/dpaul-EpUpdate
Able to run prerequisites check only
dpaulson45 authored Feb 21, 2024
2 parents 16141ba + 5e37057 commit b54952e
Showing 2 changed files with 35 additions and 4 deletions.
Expand Up @@ -38,6 +38,7 @@ param(
[Parameter (Mandatory = $false, ValueFromPipeline, ParameterSetName = 'ConfigureEP', HelpMessage = "Enter the list of server names on which the script should execute on")]
[Parameter (Mandatory = $false, ValueFromPipeline, ParameterSetName = 'ShowEP', HelpMessage = "Enter the list of server names on which the script should execute on")]
[Parameter (Mandatory = $false, ValueFromPipeline, ParameterSetName = 'DisableEP', HelpMessage = "Enter the list of server names on which the script should execute on")]
[Parameter (Mandatory = $false, ValueFromPipeline, ParameterSetName = 'PrerequisitesCheckOnly', HelpMessage = "Enter the list of server names on which the script should execute on")]
[string[]]$ExchangeServerNames = $null,

[Parameter (Mandatory = $false, ParameterSetName = 'ConfigureMitigation', HelpMessage = "Enter the list of servers on which the script should not execute on")]
Expand All @@ -46,11 +47,15 @@ param(
[Parameter (Mandatory = $false, ParameterSetName = 'ConfigureEP', HelpMessage = "Enter the list of servers on which the script should not execute on")]
[Parameter (Mandatory = $false, ParameterSetName = 'ShowEP', HelpMessage = "Enter the list of servers on which the script should not execute on")]
[Parameter (Mandatory = $false, ParameterSetName = 'DisableEP', HelpMessage = "Enter the list of servers on which the script should not execute on")]
[Parameter (Mandatory = $false, ParameterSetName = 'PrerequisitesCheckOnly', HelpMessage = "Enter the list of servers on which the script should not execute on")]
[string[]]$SkipExchangeServerNames = $null,

[Parameter (Mandatory = $true, ParameterSetName = 'ShowEP', HelpMessage = "Enable to provide a result of the configuration for Extended Protection")]
[switch]$ShowExtendedProtection,

[Parameter (Mandatory = $true, ParameterSetName = "PrerequisitesCheckOnly", HelpMessage = "Enable to check if the set of servers that you have provided will pass the prerequisites check.")]
[switch]$PrerequisitesCheckOnly,

[Parameter (Mandatory = $false, ParameterSetName = 'ConfigureEP', HelpMessage = "Used for internal options")]
[string]$InternalOption,

Expand Down Expand Up @@ -357,7 +362,8 @@ begin {
return
}

if ($ConfigureEPSelected) {
if ($ConfigureEPSelected -or $PrerequisitesCheckOnly) {
$prerequisitesCheckFailed = $false
$params = @{
ExchangeServers = $ExchangeServersPrerequisitesCheckSettingsCheck
SkipEWS = $SkipEWS
Expand Down Expand Up @@ -534,7 +540,7 @@ begin {
Write-Host ""
}

exit
$prerequisitesCheckFailed = $true
} else {
Write-Host "All servers attempting to enable Extended Protection or already enabled passed the TLS prerequisites."
Write-Host ""
Expand Down Expand Up @@ -609,11 +615,11 @@ begin {
if ($rpcFailedServers.Count -gt 0) {
Write-Warning "Please address the following server regarding RPC (Default Web Site) and SSL Offloading: $([string]::Join(", " ,$rpcFailedServers))"
Write-Warning "The following cmdlet should be run against each of the servers: Set-OutlookAnywhere 'SERVERNAME\RPC (Default Web Site)' -SSLOffloading `$false -InternalClientsRequireSsl `$true -ExternalClientsRequireSsl `$true"
exit
$prerequisitesCheckFailed = $true
} elseif ($rpcNullServers.Count -gt 0) {
Write-Warning "Failed to find the following servers RPC (Default Web Site) for SSL Offloading: $([string]::Join(", " ,$rpcFailedServers))"
Write-Warning $canNotConfigure
exit
$prerequisitesCheckFailed = $true
}
Write-Host "All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading."
} else {
Expand All @@ -624,6 +630,24 @@ begin {
exit
}

Write-Host ""
Write-Host ""

if ($prerequisitesCheckFailed) {
Write-Warning "Unable to continue due to the required prerequisites to enable Extended Protection in the environment. Please address the above issues."
Write-Host ""
exit
} elseif ($PrerequisitesCheckOnly) {
Write-Host "Successfully passed the Prerequisites Check for the server: $([string]::Join(", ", $onlineSupportedServers.ComputerName ))" -ForegroundColor Green

if ($onlineSupportedServers.Count -ne $ExchangeServersPrerequisitesCheckSettingsCheck.Count) {
Write-Host ""
Write-Warning "Not all Exchange Servers were included in this Prerequisites Check. This could be caused by servers being down, or being excluded from the list to check against."
}
Write-Host ""
exit
}

# Configure Extended Protection based on given parameters
# Prior to executing, add back any unsupported versions back into the list
# for onlineSupportedServers, because the are online and we want to revert them.
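Review bot: With `exit` replaced by `$prerequisitesCheckFailed = $true` in the RPC (Default Web Site) / SSL Offloading branches, execution now falls through to the unconditional `Write-Host "All servers that we are trying to currently configure for Extended Protection have RPC (Default Web Site) set to false for SSLOffloading."` after the `if`/`elseif`, so a failed check prints its warning and then a success line that contradicts it. Moving that line into a final `else { ... }` keeps the output truthful, and turning `elseif ($rpcNullServers.Count -gt 0)` into a separate `if` would report both lists in one run, which appears to be the reason for collecting failures instead of exiting. In the same place, the "Failed to find the following servers" warning joins `$rpcFailedServers`, which is empty whenever that branch is reached; it should read `$([string]::Join(", ", $rpcNullServers))`. The closing `exit` on the failure path and the one after a successful `-PrerequisitesCheckOnly` run are both bare, so a caller scripting this pre-flight check cannot tell pass from fail by exit status; `exit 1` in the `if ($prerequisitesCheckFailed)` branch would make the result machine-checkable. The `begin` block starts and continues outside the visible hunks.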
7 changes: 7 additions & 0 deletions docs/Security/ExchangeExtendedProtectionManagement.md
Expand Up @@ -103,12 +103,19 @@ This syntax will disable Extended Protection configuration for all the Exchange
PS C:\> .\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection
```

This syntax will process the prerequisites check only against the servers that you provided. This will execute the same checks as if you were attempting to configure Extended Protection.

```powershell
PS C:\> .\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly
```

## Parameters

Parameter | Description
----------|------------
ExchangeServerNames | A list of servers to pass that you want to run the script against. This can be used for configuration or rollback.
SkipExchangeServerNames | A list of server to pass that you don't want to execute the script for configuration or rollback.
PrerequisitesCheckOnly | Run the required prerequisites check for the passed server list to know if configuration can be attempted.
ShowExtendedProtection | Show the current configuration of Extended Protection for the passed server list.
ExcludeVirtualDirectories | Used to not enable Extended Protection on particular virtual directories. The following values are allowed: `EWSFrontEnd`.
FindExchangeServerIPAddresses | Use this to collect a list of the Exchange Server IPs that should be used for IP Restriction.
