Overview
Client Sense is a web application backed by a SQL database. The website and database can exist on the same server or on separate servers, and can share existing servers. Authentication to Client Sense is provided by Windows Authentication, and access is controlled through Active Directory security groups. Client Sense interacts with Exchange using PowerShell and EWS, where it reads and never writes.
The Client Sense team will perform the installation and configuration through remote access once the server and credentials are ready. There currently isn't an option for self-installation.
Exchange
Client Sense supports Office 365 / Exchange Online and Exchange 2010 or higher.
Server Hardware
Please discuss technical requirements with our team to confirm the minimum requirements for your company.
Minimum hardware requirements for the IIS and SQL server:
- Memory - 8GB
- CPU - 2 vCPU
- Storage - 30GB free
- No data drive is required currently
Server Software
- Windows Server 2012 or higher
- .NET 4.8
- IIS 8 or higher
- SQL Server 2012 Standard or higher with Full-Text capability
For smaller clients, the website and database can share a server and SQL Express may be viable. Please discuss this with us.
Service Account
Domain Account
You can decide on your own service account name following your standard account creation and naming convention procedures. Alternatively, you can contact us for suggestions.
It is recommended to create a new domain account for Client Sense. This account will be used for the application pool, database access and Exchange permissions.
- Create a domain account called serviceaccountname
- Ensure the password is set to not expire
- This account requires permission to run Exchange remote PowerShell commands but doesn't require a mailbox
- Set the UPN to serviceaccountname@domain.com with domain being the email domain rather than the internal domain
- Add this account to the local Administrators group on the server, or provide the minimum permission to the account: the "Log on as a batch job" user right
SQL Permissions
The serviceaccountname account needs, at minimum, to be db_owner of a pre-created ClientSense database.
Alternatively, you can give the serviceaccountname account the dbcreator server role to allow it to create its own database.
If Client Sense has its own SQL instance, you can give the serviceaccountname account the sysadmin server role.
Client Sense can automatically create a database on the SQL server if the serviceaccountname account is given the dbcreator or sysadmin server role.
If creator permissions can't be provided, manually create a database called ClientSense on the SQL Server and give the serviceaccountname account db_owner permission on the database through User Mapping.
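The manual path above expressed as T-SQL, as an added example that is not Client Sense's own script: it grants db_owner on a pre-created ClientSense database and then lists the roles the account actually holds, so the grant can be checked against the options described in this section. DOMAIN is a placeholder for your internal domain name, and the account must already exist in Active Directory.

```sql
-- Added example, not Client Sense's own script.
-- Assumption: DOMAIN is a placeholder for your internal (NetBIOS) domain name.
-- GO is the batch separator used by SSMS and sqlcmd.

-- The server requirements call for Full-Text capability;
-- IsFullTextInstalled is 1 when the component is installed on this instance.
SELECT SERVERPROPERTY('IsFullTextInstalled') AS FullTextInstalled;
GO

-- Pre-create the database so the service account needs no server-level role.
IF DB_ID(N'ClientSense') IS NULL
    CREATE DATABASE ClientSense;
GO

-- Windows-authenticated login for the service account.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'DOMAIN\serviceaccountname')
    CREATE LOGIN [DOMAIN\serviceaccountname] FROM WINDOWS
        WITH DEFAULT_DATABASE = ClientSense;
GO

USE ClientSense;
GO

-- Equivalent of ticking db_owner under User Mapping in the login's properties.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'DOMAIN\serviceaccountname')
    CREATE USER [DOMAIN\serviceaccountname] FOR LOGIN [DOMAIN\serviceaccountname];
ALTER ROLE db_owner ADD MEMBER [DOMAIN\serviceaccountname];
GO

-- Server roles held by the login. dbcreator or sysadmin listed here means the
-- account holds more than this manual path needs (public is implicit, not listed).
SELECT r.name AS ServerRole
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'DOMAIN\serviceaccountname';

-- Database roles held by the account inside ClientSense.
SELECT r.name AS DatabaseRole
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'DOMAIN\serviceaccountname';
```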
Exchange Permissions
- View-Only Recipients (PowerShell Get-Recipient command)
- Message Tracking (PowerShell Get-MessageTrace / Get-MessageTrackingLog command)
- ApplicationImpersonation (EWS mailbox access)
See the section on Exchange Permissions for more information on configuring these permissions for Office 365 / Exchange Online or Exchange
Note regarding Multi Factor Authentication (MFA/2FA)
Client Sense doesn't support MFA prompts on the service account. The account can have MFA enabled, but it needs to be configured and whitelisted for the IP address of Client Sense itself so that it isn't prompted when accessing Office 365.
Security Groups
Create two security groups in Active Directory to control user access and administrator access. The following names are suggestions; name the groups according to your own taxonomy. The group names can be set in Client Sense.
- Client Sense Users
- Client Sense Admins
DNS and Web Access
Client Sense should be an internally accessed website only. There is no need for external DNS entries to be created.
Create an internal DNS A record called clientsense pointing to the Client Sense web server. This will allow users to browse to http://clientsense to access Client Sense.
If using a fully qualified DNS entry for Client Sense, ensure the following:
If you would like to use an FQDN (SSL certificate optional), ensure that you add clientsense.fqdn.com to the local intranet zone through Group Policy. This will prevent prompts for username and password and allow seamless access.
If you already have a wildcard entry in the intranet zone, you won't need to add an additional entry for clientsense.fqdn.com.
You can test which zone the DNS name appears in with the following PowerShell command:
[System.Security.Policy.Zone]::CreateFromUrl('https://clientsense.fqdn.com')
Client Software
The only client software required to access Client Sense is a web browser.
Client Sense supports the following browsers:
- Chrome
- Firefox
- Edge
- Internet Explorer 9+