Below are the system requirements in order for CloudPanel to operate correctly:
- Windows Server 2008 R2, 2012, 2012 R2, 2016
- IIS installed with ASP.NET 3.5 and 4.5
- Powershell 3.0 or later
- Microsoft .NET Framework 4.6.2 or later
- Microsoft SQL Server 2008 R2 or later
- Microsoft Exchange 2010, 2013, or 2016 (2016 recommended)
- Microsoft Exchange must be installed on its own server. You cannot install Exchange on a domain controller
- Microsoft SQL Server System CLR Types Package
- Microsoft Report Viewer 2015 Runtime
Prepare Active Directory
CloudPanel places all reseller and company objects inside a “Hosting” organizational unit that you create. This organizational unit can be located wherever you would like and be named whatever you want.
- Create a new organizational unit (or use existing one) in any location that you want to store all reseller and company objects which include users, contacts, groups, and more. This will be referred to as the “hosting organizational unit”.
- Create a new organizational unit called Applications inside your hosting organizational unit.
- Inside the Hosting organizational unit create two security groups named exactly: AllTSUsers@Hosting and GPOAccess@Hosting
Prepare Microsoft Exchange
CloudPanel uses Address Book Policies to keep your customers information separate from each other. Address Book Policies were created in Exchange 2010 SP2 and is Microsoft’s new way of providing a multi-tenant environment for Exchange server. There are some things that they left out that could still expose information between tenants.
Secure the Offline Address Book
The following two commands should be run once per Exchange installation to remove the MS-Exch-Download-OAB extended right from the root OAB container. This prevents all subsequently created OABs from inheriting this extended right.
Each of the following examples assumes the domain being used by the hoster is called fabrikam.com, you need to change the examples shown below to refer to your own deployment.
$BaseOABContainer="CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fabrikam,DC=com" Get-ADPermission BaseOABContainer -User "NT Authority\Authenticated Users" |WHERE extendedrights -match "ms-exch-download-oab" |Remove-ADPermission
Hide the "Groups" section in OWA (Exchange 2010/2013)
Note: This is not needed for Exchange 2016, however you will need to modify the Role Assignment in CloudPanel under the Advanced section on the Exchange tab in the CloudPanel settings.
By default users will be able to see other company’s distribution groups when they are logging into the web interface. To resolve this we either need create an alternate role or modify what features are in this role. To begin open the Exchange Management Shell and enter the follow commands (make sure you Exchange environment is fully patched):
New-RoleAssignmentPolicy "Alternate Assignment Policy" New-ManagementRoleAssignment -Name "MyContactInformation-Alternate Assignment Policy" -policy "Alternate Assignment Policy" -role MyContactInformation New-ManagementRole "MyBaseOptionsWithoutMessageTracking" -Parent MyBaseOptions Remove-ManagementRoleEntry "MyBaseOptionsWithoutMessageTracking\Search-MessageTrackingReport" New-ManagementRoleAssignment -Name "MyBaseOptionsWithoutMessageTracking-Alternate Assignment Policy" -policy "Alternate Assignment Policy" -role MyBaseOptionsWithoutMessageTracking
Mailtips are included with Exchange but can expose information between customers. We can’t simply disable Mailtips because the users will see an error in Outlook saying something about mailtips are disabled. Most likely you will get called about this. To resolve it we simple tell Exchange not to trigger Mailtips unless they are emailing a mass amount of people (which you set this number higher than what you would allow a user to email):
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $False -MailTipsLargeAudienceThreshold 1000 -MailTipsMailboxSourcedTipsEnabled $False -MailTipsGroupMetricsEnabled $False -MailTipsAllTipsEnabled $True
Enable Basic Authentication on Powershell Virtual Directory
If you are planning on setting CloudPanel to use Basic Authentication (recommended) instead of Kerberos when calling powershell commands on Exchange then you must enable Basic Authentication on the powershell virtual directory. You only need to do this on the Exchange server you are configuring CloudPanel to communicate with.
Also make sure you are enabling basic authentication using ECP / EAC and not directly on IIS.
Sometimes new updates to Exchange can cause this setting to reset.
When you first run the installer you will be asked to provide information for the IIS configuration. We recommend you leave the default setting for the website to “Default Web Site” and enter a new name such as “CloudPanel” for the application pool. The credentials are used to run the application pool as the user you enter in the bottom fields which should be in the format of DOMAIN\Username.
Note: If you enter a new website in the first drop down box then it could disable your currently running website that is running on port 80. Entering a new website will cause the CloudPanel installer to create a new IIS website using port 80. During this process it still creates the virtual directory “CloudPanel” inside the new website and this must be deleted. The reason is because it sets the root website and the virtual application to the exact same paths and causes issues if you try to browse to the virtual directory.
The next dialog will ask you about your SQL server information so the CloudPanel installer can create the database. You must provide the SQL server name AND the SQL instance (the sql instance isn’t required if you use the default instance MSSQLSERVER). When you click the next button it will verify if it can access the SQL server.
Note: CloudPanel allows the use of Windows authentication or SQL authentication when installing. If you are using Windows authentication, then the user account you are using to install CloudPanel must have rights to create the database on the SQL server and the user account you set on the previous install window for the application pool must have rights to the CloudPanel database.
If you are having issues with getting CloudPanel to authenticate with SQL then we suggest you use SQL Management Studio and test connecting to the same server name and instance that you specified in the CloudPanel install and using the same SQL credentials.
Set CloudPanel Settings
The first thing you need to do after installing CloudPanel is update the database and configure the settings. To do this you need to open a browser that is installed on the SAME server that CloudPanel is and browse to: http://localhost/CloudPanel/admin/setup. If you are using host headers then you may need to temporarily remove the host headers to access this page without having to login (because you can’t login during the first install or after each update)
Login to CloudPanel
After you configure CloudPanel you are now ready to login. If you are on the settings page click on Dashboard or browse to http://<your url>/cloudpanel to reach the login screen.
To login, you need to use the full UserPrincipalName of user accounts and not their SamAccountName. An example of a SamAccountName would be “superadmin” but the full UserPrincipalName would be “firstname.lastname@example.org” if your internal Active Directory domain was named “lab.local”
Once you are able to login to CloudPanel, you need to configure a few things before you start creating resellers and companies. The first thing you need to configure is the Company Plans. With company plans you can control how many users, mailboxes, and other objects such as distribution groups and security groups can be created in a company that is assigned the plan. When you create a company you must choose a company plan to assign. To read more about company plans please visit our KB article How CloudPanel plans work.
After you configure the company plans, you must start configuring the mailbox plans. Mailbox plans are assigned to each user that you enable a mailbox for and is what assigns the appropriate values such as mailbox size, what features they have enabled, and send/receive limits. Pay close attention to the features because leaving a feature like “MAPI” disabled will result in Outlook not being able to connect. To read more about mailbox plans please visit our KB article How CloudPanel plans work.
By this point you should be setup and ready to use CloudPanel! There are many features in CloudPanel which are not covered in the install guide, so please be sure to check out our knowledge base for other options.
There are also some advanced settings that can only be modified by adjusting the settings XML file using an XML editor or notepad. To read more about some advanced options/customizations please visit our Advanced Settings KB article.