One of the new features of Outlook Web App (OWA) in Exchange 2010 is the ability for OWA to act as an IM client if you have Office Communications Server (OCS) in your environment. Once configured, you’ll be able to see and manage your buddy list, manage presence, as well as participate in IM conversations while logged in to OWA.
Configuring this integration requires a number of steps on each of your Exchange 2010 Client Access Servers (CAS’). Many of the changes discussed in this blog post will cause brief service interruptions so it is highly recommended that you perform this work during a maintenance window where these interruptions are tolerable.
You’ll need to download two packages in order to proceed:
• The web service provider
• The latest ucmaredist.msp rollup package (currently January 2010)
You can simply run the first download on one machine as it will extract the contents to C:\WebService Provider Installer Package (by default). Inside of this folder will be a number of installers which you’ll need to execute (in order) on each of your CAS servers:
1. Visual C++ Redistributable (vcredist_x64.exe)
2. Unified Communications Managed API (ucmaredist.msi)
3. OCS Service Provider (cwaowassp.msi)
Finally, you’ll need to patch the UC Managed API by installing ucmaredist.msp.
Note: If you have User Account Control (UAC) enabled on your CAS servers, you should execute all of these packages from an elevated command prompt.
Once these packages are installed, you’re ready to configure OWA for integration with OCS. You’ll need to have the name of the OCS Pool which you plan to have your CAS servers connect to on hand as well as some information about the certificate on each CAS server which will be used to secure communications between the CAS server and OCS. Specifically, you’ll need to collect the certificate issuer string as well as the certificate’s serial number. You can do this using the following PowerShell command:
Get-ExchangeCertificate | fl Subject,Issuer,SerialNumber
You should get text returned back similar to the following:
Subject : CN=e2010w2k8
Issuer : CN=X, DC=Y, DC=Z
SerialNumber : 478C52B6B53E467F9331BB8CB4B2BDB8
Note: If you are using different certificates on each CAS server in your array, you’ll need to collect this data individually on a per CAS server basis.
Make note of the issuer and serial number values for the certificate. You’ll need to tell OWA to use this certificate for communications with OCS. To do this, browse to C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa and open the web.config file with notepad. Scroll down and find the following section:
<add key="IMPoolName" value="" />
<add key="IMCertificateIssuer" value="" />
<add key="IMCertificateSerialNumber" value="" />
These are the three values you’ll need to populate for OWA to make the connection to OCS. The first value should be the FQDN of the OCS pool you want to connect to, and the following two values should be copied out of the Get-ExchangeCertificate output collected earlier, as shown below:
<add key="IMPoolName" value="ocspool01.briandesmond.net" />
<add key="IMCertificateIssuer" value='CN=X, DC=Y, DC=Z' />
<add key="IMCertificateSerialNumber" value="47 8C 52 B6 B5 3E 46 7F 93 31 BB 8C B4 B2 BD B8" />
Warning: There are three extremely important things you need to do when customizing the configuration settings shown above:
1. If your certificate’s issuer includes any double quotes (as mine does), you must enclose the data in single quotes instead of the default double quotes as shown above.
2. You must insert the spaces in between each octet in the serial number as shown above.
3. You must remember to update these values when you renew or replace the certificate on a CAS server.
Once OWA is configured, you’ll need to configure your OCS pool to trust the CAS servers. To do this, access the OCS Administration Pool, and open the Front End Properties of the pool (right click the pool, Properties>Front End Properties). On the Host Authorization tab, add an entry reflecting the certificate you configured in the web.config file in the previous step. You’ll also want to check the “Treat As Authenticated” and “Throttle As Server” checkboxes as shown below:
In order for this change to take effect immediately, you may need to restart the services on your OCS Front Ends. Doing this will disconnect any currently connected clients so it may instead be advantageous to wait for caches to refresh. The final step is to enable OCS IM integration for the OWA virtual directory. To do this, run the following PowerShell command:
Get-OwaVirtualDirectory -Server YourCasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS
Users who are enabled for OCS should see their buddy list the next time they log in:
In summary, there are four key steps you’ll need to take in order to enable OCS integration with Outlook Web App in Exchange 2010. First, you’ll need to download the service provider and latest rollup for the components in the service provider download. Next, you’ll need to install the components downloaded on each Client Access Server. You’ll then collect certificate information from each CAS server and configure that information along with your OCS pool information in the OWA web.config file. Finally, you’ll add the CAS certificate to the list of trusted hosts in OCS and enable OCS integration on the OWA virtual directory.
Friday, July 9, 2010
Configuring OWA 2010 and OCS 2007 R2 Integration
One of the nicest integration features in Exchange 2010 Outlook Web App is the ability to integrate Office Communications Server 2007 R2 presence and instant message right in the OWA 2010 screen.
By integrating the two applications, users can simply go to OWA 2010 to get their email, calendar appointments, contacts, etc as they normally do, AND they can also see who in their IM list is online and initiate instant messaging conversations straight from within OWA.
The prerequisites for this capability are, obviously, Exchange 2010 with Outlook Web App 2010, and OCS 2007 R2. For this configuration to work, there are four high-level steps needed:
• Properly Configure the Exchange 2010 Client Access Server.
• Properly Configure the OCS 2007 R2 Server.
• Modify Windows Firewall on the Client Access Server.
• Confirm User Configuration.
Configuring the Exchange Client Access Server
1. Download and install the "Microsoft Office Communications Server 2007 R2 Web Service Provider" on your Exchange 2010 CAS server (this adds special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment)
2. Gather Information about the certificate used by the Client Access Server.
3. Edit the OWA Web Config file.
4. Enable OCS Integration.
5. Restart Internet Information Services.
Step 1:- Downloading/Installing the OCS 2007 R2 Web Service Provider Files
Download and install the "Microsoft Office Communications Server 2007 R2 Web Service Provider" from Microsoft http://www.microsoft.com/downloads/details.aspx?FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8&displaylang=en and install this update on your Exchange 2010 CAS server (this adds special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment)
Step 2:- Gather Certificate Information
The Client Access Server needs to use a certificate that is trusted by the OCS server. Effectively, you should be able to sit on the CAS server, run Internet Explorer, access Communicator Web Access (CWA), and log on to CWA with a user account without any certificate errors. If you sit on the OWA server, access CWA, and get an error that the certificate is not trusted, then you need to add the root CA of the CWA certificate to the "Trusted Root Certificates" store on the OWA server, effectively letting the OWA server know that CWA is a trusted server. If you get any CWA errors from a browser as a CWA user sitting on the OWA server, then the link between CAS and OCS won't work.
NOTE: To simplify the configuration, the certificate used by the Client Access Server should be issued by the same Issuer as the certificate used by OCS 2007 R2.
Assuming you have no errors running CWA from the CAS server, then using Exchange PowerShell, gather certificate information of the Exchange Server by running the following command:
Get-ExchangeCertificate | fl
Sample Output, with only relevant information shown:
IsSelfSigned : False
Issuer : CN=ca1, DC=companyabc, DC=com
SerialNumber : 71652G3R00000000001A
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=e2010w2k8
Locate the certificate that will be used and make note of the following information:
Issuer of the certificate
Serial Number assigned to the certificate
Subject of the certificate
Document this information for use in later steps.
Step 3:- Edit the OWA Web Config File
On the Client Access Server, navigate to the following directory:
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA
Open the web.config file using Notepad and perform the following steps:
1. Search for OCS (IM) Server Name. You see the following three entries:
<add key="IMServerName" value="" />
<add key="IMCertificateIssuer" value="" />
<add key="IMCertificateSerialNumber" value="" />
2. Populate the server name:
In the <add key="IMServerName" section, insert the FQDN of the OCS server between the final two quotes. For our example, the line will look like this:
<add key="IMServerName" value="ocs-1.companyabc.com" />
3. Populate the Certificate Issuer:
In the <add key="IMCertificateIssuer" section, insert the issuer of the certificate (gathered earlier) between the final two quotes, exactly as reported by Get-ExchangeCertificate. For our example, the line will look like this:
<add key="IMCertificateIssuer" value="CN=ca1, DC=companyabc, DC=com" />
4. Populate the Certificate SerialNumber:
In the <add key="IMCertificateSerialNumber" section, insert the certificate serial number between the final two quotes. For our example, the line would look like this:
<add key="IMCertificateSerialNumber" value="71 65 2G 3R 00 00 00 00 00 1A" />
Important: You must manually add spaces in the Serial Number string to separate each octet or the system cannot locate the certificate.
5. Save and close the Web.config file.
Step 4:- Edit the OCS Integration
To enable the OWA Virtual Directory to use OCS IM integration, from Exchange PowerShell, type the following command:
Get-OwaVirtualDirectory -Server SERVERNAMEHERE | Set-OwaVirtualDirectory -InstantMessagingType 1
Step 5:- Restart Internet Information Services
Although the preceding changes should be detected automatically, administrators might need to restart IIS on the Client Access Server. However, doing so can cause any current OWA sessions to be logged off, so care should be taken.
From the command prompt on the Client Access server, issue the IISRESET command to restart the services.
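The web.config edit described in the first post and in Steps 2 through 5 above is easy to get wrong by hand (missing octet spaces, an issuer containing quotes, stale values after a certificate renewal). The following script is an added example, not code from either post: it derives the three IM values from the CAS certificate, writes them into web.config through the XML DOM, re-checks that they resolve to a certificate in the local machine store, and enables IM on the OWA virtual directory. It assumes it is run in the Exchange Management Shell on the CAS as an administrator; $OcsPoolFqdn and $WebConfigPath are placeholders for your environment.

```powershell
# Added example (not from either post). Rerun it after every certificate renewal.
param(
    [Parameter(Mandatory = $true)][string]$OcsPoolFqdn,   # placeholder, e.g. ocspool01.example.com
    [string]$WebConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config'
)

# 1. Pick the certificate OWA actually serves: enabled for IIS, CA-issued, valid, longest-lived.
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.Services -match 'IIS') -and (-not $_.IsSelfSigned) -and ($_.Status -eq 'Valid') } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No valid CA-issued certificate enabled for IIS was found on this CAS.' }

# 2. OWA expects the serial number as space-separated octets ("47 8C 52 ..."); without the
#    spaces it cannot locate the certificate. Validate that the serial really is whole hex octets.
$serialHex = ($cert.SerialNumber -replace '\s', '').ToUpper()
if ($serialHex -notmatch '^([0-9A-F]{2})+$') { throw "Serial number '$serialHex' is not whole hex octets." }
$serialSpaced = $serialHex -replace '(..)(?!$)', '$1 '

# 3. The issuer is used verbatim. SetAttribute escapes any embedded double quotes as &quot;,
#    so the single-quote workaround from the first post is not needed here.
$issuer = $cert.Issuer

# 4. Back up web.config, then edit it in place. The two posts show different names for the
#    pool key (IMPoolName, IMServerName); use whichever one the file actually contains.
Copy-Item -Path $WebConfigPath -Destination ('{0}.{1}.bak' -f $WebConfigPath, (Get-Date -Format 'yyyyMMddHHmmss'))
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfigPath)

function Get-ImSetting([string]$Key) {
    $xml.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
}
function Set-ImSetting([string]$Key, [string]$Value) {
    $node = Get-ImSetting $Key
    if (-not $node) { throw "appSettings key '$Key' not found in $WebConfigPath." }
    $node.SetAttribute('value', $Value)
}

$poolKey = @('IMPoolName', 'IMServerName') | Where-Object { Get-ImSetting $_ } | Select-Object -First 1
if (-not $poolKey) { throw 'No IMPoolName/IMServerName key in web.config; is the Web Service Provider installed?' }
Set-ImSetting -Key $poolKey -Value $OcsPoolFqdn
Set-ImSetting -Key 'IMCertificateIssuer' -Value $issuer
Set-ImSetting -Key 'IMCertificateSerialNumber' -Value $serialSpaced
$xml.Save($WebConfigPath)

# 5. Re-read what was written and confirm it resolves to exactly one certificate in
#    LocalMachine\My, the store OWA searches (spaces removed for the comparison). A mismatch
#    here is what surfaces in OWA as "The local certificate specified was not found".
$wantIssuer = (Get-ImSetting 'IMCertificateIssuer').GetAttribute('value')
$wantSerial = ((Get-ImSetting 'IMCertificateSerialNumber').GetAttribute('value') -replace '\s', '').ToUpper()
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $wantIssuer -and $_.SerialNumber.ToUpper() -eq $wantSerial })
if ($found.Count -ne 1) {
    throw "web.config values match $($found.Count) certificates in LocalMachine\My; OWA will not find the certificate."
}

# 6. Enable IM on this server's OWA virtual directory; run IISRESET afterwards if OWA does not pick it up.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME | Set-OwaVirtualDirectory -InstantMessagingType Ocs
"Configured $poolKey=$OcsPoolFqdn, issuer '$wantIssuer', serial '$serialSpaced' for $($cert.Subject)."
```

The OCS-side Host Authorization entry (next section) still has to be added in the OCS console; the script only covers the CAS side.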
Configure the OCS Server
The Exchange Server 2010 OWA IM integration component is implemented as an OCS 2007 end-point. For the integration component to sign in to OCS 2007 R2, the OCS server must be configured to trust the Client Access Server.
This is accomplished by adding the Exchange Client Access Server as a trusted server on the OCS 2007 R2 front end. To do so, perform the following steps:
1. While logged in as an OCS administrator, start the OCS Management Console by selecting the following:
Start\All Programs\Administrative Tools\Office Communications Server 2007 R2
2. Navigate to the OCS 2007 R2 Pool. Right-click the OCS Pool name and select Properties; then select Front End Properties
3. Click on the Host Authorization tab; then click the Add button.
4. In the Add Authorized Host window, select the FQDN radio button, then type the name of the Client Access Server, that is, the name you type in to run OWA, such as owa.companyabc.com. (Note: you could use the IP address button instead of the FQDN button, but this is less secure because it does not rely on certificate authentication; use the name you use to access OWA externally, as that will likely be secured with HTTPS and will work.) Then select the following checkboxes: Treat as Authenticated and Throttle as Server.
5. Click OK to save the configuration changes.
6. To allow changes to take effect immediately, stop and restart the OCS front-end services; note that doing so will disconnect any active users.
Note: If you install OCS 2007 R2 on Windows 2008 R2, you have to download a hotfix for UcmaRedist.msi (UcmaRedist.msp) from the Microsoft Office Communications Server 2007 R2 hotfix KB 968802. If you don't, everything works except IM communication back to OWA, and you receive an Error id: 504. With UcmaRedist.msp installed, the issue is resolved.
Troubleshooting the Installation
Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration.
Configuring the Firewall on the CAS Server
If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:
1. From the Control Panel, open Windows Firewall.
2. On the left side of the Windows Firewall window, click “Allow a Program Through Windows Firewall”.
3. Click Add Program; then click Browse.
4. Browse to C:\Windows\System32\inetsrv and select w3wp.exe.
5. Click Open and then click OK twice to apply changes and close the window.
User Configuration
Before the user community can utilize the IM features, they must be “provisioned” for Office Communications Server 2007 R2 and must be enabled for Enhanced Presence. When a user is initially enabled on OCS 2007 R2, he will automatically be enabled for Enhanced Presence.
Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.
Instant Messaging Not Available
When attempting to view the Instant Messaging contact list, a user might receive a notification that states:
Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.
If this occurs, perform the following steps:
1. Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.
2. If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.
3. Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.
OWA Certificate Error
If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.
In this case, confirm that the values of the IMCertificateIssuer and IMCertificateSerialNumber keys in the Web.Config file are correct. Also ensure that there are blank spaces between every two characters in the serial number to separate the octets in the string.