Exchange 2019 Hybrid Backup Issue

[kmiller1398]

Hello,

I just wanted to verify a requirement for backing up archive mailboxes that we have as part of our Exchange 2019 hybrid setup with O365. is it true that we have to have PowerShell enabled on all PowerShell Default Web Sites on our Exchange 2019 servers for basic authentication? The reason I ask is this appears to open a security hole that lets one login via PowerShell from the internet to Exchange with just a name and password. Our objective is to just back up our users archive mailboxes which we have migrated to o365.

Regards,

Kevin

[HannesK]

Hello,

PowerShell enabled on all PowerShell Default Web Sites

where did you read that requirement?

Or is it about this sentence?

Exchange Web Services (EWS) and PowerShell to connect to Microsoft Office 365 and on-premises Microsoft Exchange organizations.

Best regards,
Hannes

[kmiller1398]

The Veeam o365 engineer I am working with on an open case told me it is a requirement. My preference would be to turn that feature off globally and then only allow Basic Authentication logon for PowerShell for a Veeam service account, but he said that is not possible.

[Mike Resseler]

@kmiller1398

I do believe that is a requirement but not sure what you mean with PowerShell enable on all PowerShell Default Web Sites. I believe it was only necessary on the Exchange web sites but will verify.

Second: PowerShell enabling on internal websites should not be an issue? It must be signed but again, I will check and let you know as soon as possible

[kmiller1398]

Mike,

We enabled Basic Authentication on PowerShell Default Website(s) in Exchange 2019 IIS across all Exchange servers, as per direction from Veeam support. Before we did so we verified we could not connect via PowerShell with a known account and password only from the internet. Once enabled, we tested and found that we could connect with that same account and password.