Configuring Exchange Scheduler in an air-gapped environment
In a typical Exchange on-premises deployment of Secure Scheduler for Exchange, Outlook clients require internet access in order to use the Outlook add-in. However, for fully air-gapped environments you must provide the add-in resources locally. This topic includes:
- how to download and host the required resources locally
- how to configure Pexip Infinity to use the locally-hosted files
- how to update your CSP with details of the web server being used
- how to configure IIS to host the add-in resources (although any web server can be used)
- firewall and certificate considerations.
Adding the add-in sources to the web server
In air-gapped environments the add-in sources must be downloaded and hosted on a web server on the local network that the Outlook clients can reach. These files and how to access them are described below.
We recommend creating a /pexip directory on the web server to host the files, with two sub-directories: /js for office.js and ajax.js, and /css for the other resources.
Later configuration steps will assume that you have used this recommended naming structure.
Downloading office.js
Download the office.js package from Microsoft. You can do this either using the NuGet tool (https://dist.nuget.org/index.html) or via npm (https://github.com/OfficeDev/office-js).
Using NuGet:
- Download and install the latest version of NuGet from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
- From the NuGet CLI, update the sources using the command:
  .\nuget.exe sources add -Name "NuGet official package source" -Source "https://api.nuget.org/v3/index.json"
- From the NuGet CLI, install Office.js using the command:
  .\nuget.exe install Microsoft.Office.js
- Copy the required files from Microsoft.Office.js.<version>\Content\Scripts\Office\1 to the web server under /pexip/js
Using npm:
- Download Node.js from https://nodejs.org/en/
- Launch the nodejs shell and run:
  npm install @microsoft/office-js --save
- Copy the files from C:\Users\username\node_modules\@microsoft\office-js\dist to the web server under /pexip/js
Downloading MicrosoftAjax.js
Download MicrosoftAjax.js from https://ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js and save it on the web server under /pexip/js
Downloading CSS
Download the other files referenced on the custom add-in sources page and save them to /pexip/css:
- Microsoft Fabric CSS: https://appsforoffice.microsoft.com/fabric/1.0/fabric.min.css
- Microsoft Fabric Components CSS: https://appsforoffice.microsoft.com/fabric/1.0/fabric.components.min.css
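The three direct downloads above, staged into the recommended /js and /css layout with a SHA-256 manifest so the files can be checked after transfer to the isolated network. This is an added example, not part of the Pexip documentation; the staging path C:\stage\pexip, the manifest.csv name and the function names are assumptions.

```powershell
# Added example: stage the add-in files on an internet-connected machine and
# record SHA-256 hashes so the copy on the air-gapped web server can be checked.
# $StageRoot and manifest.csv are assumed names; the URLs are those listed above.
$StageRoot = 'C:\stage\pexip'
$Downloads = @(
    @{ Url = 'https://ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js'; Dest = 'js\MicrosoftAjax.js' }
    @{ Url = 'https://appsforoffice.microsoft.com/fabric/1.0/fabric.min.css'; Dest = 'css\fabric.min.css' }
    @{ Url = 'https://appsforoffice.microsoft.com/fabric/1.0/fabric.components.min.css'; Dest = 'css\fabric.components.min.css' }
)

function Save-AddinFiles {
    foreach ($d in $Downloads) {
        $target = Join-Path $StageRoot $d.Dest
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Invoke-WebRequest -Uri $d.Url -OutFile $target -UseBasicParsing
    }
}

function New-AddinManifest {
    param([string]$Root = $StageRoot)
    $Root = (Resolve-Path $Root).Path.TrimEnd('\')
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.csv' } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($Root.Length + 1)
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path (Join-Path $Root 'manifest.csv') -NoTypeInformation
}

function Test-AddinManifest {
    param([Parameter(Mandatory)][string]$Root)
    # Collect manifest entries whose file is missing or whose hash differs.
    $bad = @(Import-Csv (Join-Path $Root 'manifest.csv') | Where-Object {
        $file = Join-Path $Root $_.RelativePath
        (-not (Test-Path $file)) -or ((Get-FileHash $file -Algorithm SHA256).Hash -ne $_.SHA256)
    })
    $bad | ForEach-Object { Write-Warning "Missing or altered: $($_.RelativePath)" }
    return ($bad.Count -eq 0)
}

# Connected machine: Save-AddinFiles, copy the office.js files into $StageRoot\js,
# then New-AddinManifest. Web server: Test-AddinManifest -Root <copied directory>.
```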
Configuring Pexip Infinity to use the custom add-in sources
When Configuring Pexip Infinity for Exchange Scheduler, there is an option to Use custom add-in sources. For air-gapped environments, you must enable this option. Additional fields appear where you can enter the location of the files you saved to the web server in the steps above, as follows:
Adding the web server to Infinity's CSP header
You may need to add the URL of the web server that is hosting the add-in files to Infinity's HTTP Content Security Policy Header. To do this:
- From , scroll down to and expand the section.
- Under HTTP Content Security Policy Header, add the URL of the web server (for example, https://*.pexample.com) to the following directives:
  - frame-src
  - style-src
  - font-src
  - script-src
  - connect-src
For example:
upgrade-insecure-requests; default-src 'self'; frame-src 'self' https://telemetryservice.firstpartyapps.oaspapps.com/telemetryservice/telemetryproxy.html https://*.microsoft.com https://*.office.com https://*.pexample.com; style-src 'self' 'unsafe-inline' https://*.microsoft.com https://*.office.com https://*.pexample.com; object-src 'self'; font-src 'self' https://*.microsoft.com https://*.office.com https://*.pexample.com; img-src 'self' https://www.adobe.com data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.microsoft.com https://*.office.com https://ajax.aspnetcdn.com https://api.keen.io https://*.pexample.com; media-src 'self' blob:; connect-src 'self' https://*.microsoft.com https://*.office.com https://example.com https://*.pexample.com; frame-ancestors 'self';
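One way to make this edit consistently, as an added PowerShell example (not Pexip code; the function name and the sample policy are constructed). In CSP a host source with no port matches only the scheme's default port, so the example passes the origin with its port, assuming the web server from the IIS example on 8443.

```powershell
# Added example, not Pexip code. Appends one source to the five directives named
# above, leaves every other directive untouched, and is safe to run twice.
function Add-CspSource {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$Source,
        [string[]]$Directives = @('frame-src', 'style-src', 'font-src', 'script-src', 'connect-src')
    )
    $seen = @{}
    $rebuilt = foreach ($part in ($Policy -split ';')) {
        $tokens = @($part.Trim() -split '\s+' | Where-Object { $_ })
        if ($tokens.Count -eq 0) { continue }          # empty segment after a trailing ';'
        $name = $tokens[0].ToLowerInvariant()
        if ($Directives -contains $name) {
            $seen[$name] = $true
            if ($tokens -notcontains $Source) { $tokens += $Source }
        }
        $tokens -join ' '
    }
    # A directive that is absent falls back to default-src. Creating it with only
    # the new source would drop that fallback, so report it instead of adding it.
    $missing = @($Directives | Where-Object { -not $seen.ContainsKey($_) })
    if ($missing.Count -gt 0) {
        Write-Warning "Not present in policy, left unchanged: $($missing -join ', ')"
    }
    ($rebuilt -join '; ') + ';'
}

# Constructed sample policy (shortened) and the assumed web server origin.
$sample = "default-src 'self'; frame-src 'self' https://*.office.com; " +
          "style-src 'self' 'unsafe-inline'; font-src 'self'; " +
          "script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"
Add-CspSource -Policy $sample -Source 'https://pexip.pexample.com:8443'
```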
Using IIS as your add-in web server
We recommend that you create a separate, dedicated website on your internal web server to host the add-in resources. Any web server can be used for this purpose.
Most Exchange environments will have an existing Microsoft IIS (Internet Information Services) server, so we have provided instructions below on how to configure IIS to host the add-in files.
Creating a new site
- From Internet Information Services (IIS) Manager, navigate to the Sites folder. Right-click and select Add Website.
- From the Add Website window, configure the following fields:
  - Site name: in our example we have used pexip
  - Physical path: enter the root of where you are hosting the files, e.g. c:\inetpub\pexip
  - Type: select https
  - Port: select an unused port, e.g. 8443. You must ensure that your firewall is configured so that Outlook clients can access the server on this port.
  - Host name: in our example we have used pexip.pexample.com
  - SSL certificate: in our example we have used pexip.pexample.com
Configuring the new site
- From the Sites folder, select the site you created above (in our example the site name is pexip). From the web site pane, double-click Authentication.
- Ensure that Anonymous Authentication is Enabled.
- Select the site again and in the web site pane, double-click HTTP Response Headers.
- From the Actions pane, select Add...
- Enter the following and select OK:
  - Name: Access-Control-Allow-Origin
  - Value: *
- Select Add... again. Enter the following and select OK:
  - Name: X-Frame-Options
  - Value: SAMEORIGIN
Your HTTP Response Headers should now include Access-Control-Allow-Origin with the value * and X-Frame-Options with the value SAMEORIGIN.
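The site creation and configuration steps above, as an added PowerShell example using the WebAdministration module (not from the Pexip documentation). It uses the example values from this section; the certificate thumbprint is a placeholder that you must replace.

```powershell
# Added example, not Pexip tooling: the IIS Manager steps above as a script.
# Run elevated on the IIS server. $Thumbprint is a placeholder for the thumbprint
# of the pexip.pexample.com certificate in the LocalMachine\My store.
Import-Module WebAdministration

$SiteName   = 'pexip'
$Path       = 'C:\inetpub\pexip'
$HostName   = 'pexip.pexample.com'
$Port       = 8443
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'

# Creating a new site: https binding on the chosen port and host name.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath $Path -HostHeader $HostName -Port $Port -Ssl | Out-Null
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($Thumbprint, 'My')

# Authentication: enable Anonymous Authentication for this site only. The setting
# is written to a <location> entry in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $true

# HTTP Response Headers: add each header, or update it if it is already present.
$filter  = 'system.webServer/httpProtocol/customHeaders'
$sitePs  = "IIS:\Sites\$SiteName"
$headers = [ordered]@{ 'Access-Control-Allow-Origin' = '*'; 'X-Frame-Options' = 'SAMEORIGIN' }
foreach ($name in $headers.Keys) {
    $entry = "$filter/add[@name='$name']"
    if (Get-WebConfiguration -PSPath $sitePs -Filter $entry) {
        Set-WebConfigurationProperty -PSPath $sitePs -Filter $entry -Name value -Value $headers[$name]
    } else {
        Add-WebConfigurationProperty -PSPath $sitePs -Filter $filter -Name '.' `
            -Value @{ name = $name; value = $headers[$name] }
    }
}

# List the effective response headers for the site.
(Get-WebConfiguration -PSPath $sitePs -Filter $filter).Collection | Select-Object name, value
```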
Firewall / certificate considerations
- You must ensure that the Outlook clients in your environment can reach the web server that is hosting the add-in sources, using the specified port. In our IIS configuration example, this is pexip.pexample.com on 8443/tcp.
- Your web server must have a certificate that is trusted by your Outlook clients.
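A check for both points, run from an Outlook client machine, as an added example that is not part of the Pexip documentation. It assumes the IIS example values (pexip.pexample.com on 8443/tcp), the recommended /pexip/js path, and the two response headers configured above.

```powershell
# Added example: run on an Outlook client machine. Host, port and headers are the
# values from the IIS example; the office.js path assumes the recommended layout.
$HostName = 'pexip.pexample.com'
$Port     = 8443
$Url      = "https://${HostName}:$Port/pexip/js/office.js"
$Expected = @{ 'Access-Control-Allow-Origin' = '*'; 'X-Frame-Options' = 'SAMEORIGIN' }

function Test-AddinServer {
    $problems = @()
    # Firewall and name resolution: can this client open the port at all?
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return @("TCP $Port on $HostName is not reachable (firewall or DNS)")
    }
    try {
        # The request fails if this client does not trust the certificate chain
        # or the certificate name does not match the host name.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    } catch {
        return @("HTTPS request failed: $($_.Exception.Message)")
    }
    # Response headers: compare with the values set on the site.
    foreach ($name in $Expected.Keys) {
        $actual = $resp.Headers[$name] -join ','
        if ($actual -ne $Expected[$name]) {
            $problems += "$name is '$actual', expected '$($Expected[$name])'"
        }
    }
    return $problems
}

$found = @(Test-AddinServer)
if ($found.Count -eq 0) {
    'Add-in web server reachable, certificate trusted, headers as configured.'
} else {
    $found | ForEach-Object { Write-Warning $_ }
}
```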