Saturday, April 23, 2011

Integrating Exchange UM with Lync 2010

Until now, my lab was under domain “drago.ws”. Recently I acquired “lynclog.com” and for the last two days I have been deploying another lab. From now on, our examples will be on this lab – still same topology, different domain.

Now that I have deployed Microsoft Exchange 2010 SP1, it is time to configure the Unified Messaging role to work with Lync and further extend testing for voicemail, Subscriber Access, Auto Attendant etc. As usual, when deploying new software and/or roles, I made sure the OS and product are fully patched and updated. Another habit of mine is to resolve all errors or warnings in the Windows Event log before attempting to integrate products and services. My previous experience taught me that something “innocent” that I postponed resolving sometimes leads to a major problem elsewhere that seems unrelated…

On my UM server, first I made sure TLS is enabled. Fact is – I could not install a certificate on the UM server unless TLS or Dual is enabled.




Because TLS support was turned ON, our UM server needs a certificate, or the service will not start. This certificate must chain to a Trusted Root CA, and since UM is an internal service only, a certificate from our Domain CA will be sufficient.

In EMC, under the server node, click on your UM server and proceed further.












I just created an offline certificate request. Now I will go to my Domain Certificate Services web site and process the request.




Here I need to open my request (c:\um.req) with Notepad and copy the content. It is very important to copy the text exactly as it is. I always use CTRL + A to make sure only the necessary text is copied.

…paste the text in the request page and submit the request.



Next step is to complete the pending request. Click on the request to see “Complete Pending Request” option…




…and now I see the certificate as Valid. However, I must assign service(s) to it.




At the end, I have a valid certificate assigned to UM server. Reboot and let’s move further.
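A way to verify the result of the certificate steps above from the Exchange Management Shell on the UM server, as an added example that is not part of the original post. `Test-UMCertificate` is a hypothetical helper name, and the CN-equals-FQDN check assumes the requirement readers report in the comments below.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the UM server. Test-UMCertificate is a hypothetical helper name.
function Test-UMCertificate {
    # FQDN that the certificate subject is expected to carry
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

    # Thumbprints of certificates that Exchange has bound to the UM service
    $thumbs = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'UM' } |
        ForEach-Object { $_.Thumbprint }
    if (-not $thumbs) {
        Write-Warning 'No certificate is assigned to the UM service.'
        return
    }

    foreach ($thumb in $thumbs) {
        # Load from the local store so the full X509Certificate2 API is available
        $cert = Get-Item "Cert:\LocalMachine\My\$thumb"
        $cn   = $cert.GetNameInfo('SimpleName', $false)

        # Build the chain against this server's trust store, with revocation checking
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            Thumbprint    = $thumb
            SubjectCN     = $cn
            CNMatchesFqdn = ($cn -eq $fqdn)
            HasPrivateKey = $cert.HasPrivateKey
            Expired       = ($cert.NotAfter -lt (Get-Date))
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ChainTrusted  = $chainOk
            ChainStatus   = $status   # e.g. UntrustedRoot, RevocationStatusUnknown
        }
    }
}

Test-UMCertificate | Format-List
```

A `ChainStatus` of `UntrustedRoot` means the domain root CA certificate is missing from this server's Trusted Root Certification Authorities store; `RevocationStatusUnknown` means the CRL location in the certificate could not be reached from this server.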


Next, I will create UM dial plan.







My dial plan is not completed yet. I still must create a Subscriber Access number and some other customization.





***Note that here I used two numbers: +14785550001, which is a full US E.164 number, and “+0099”, which, because it has “+” in front, is still considered E.164. I want to see if this number can be utilized later somehow.


***ALERT***ALERT***ALERT***

Apparently there are some changes introduced with SP1. Make sure you follow the next steps or your Auto Attendant will not be able to transfer to extensions.



***You must apply at this point.






Next, I will customize my UM Mailbox Policy, created automatically when the Dial plan was enabled. Since this is a lab, I will change the Minimum PIN Policy to 4 digits and remove the PIN expiration.




…and leave the rest to default settings.


Lastly, Auto Attendant. Frankly, with the introduction of RGS, I rarely use AA except in one case (the Main college number, where the caller has an option to dial by extension or name).




…and customize it.







Let’s move to our front end server and execute “C:\Program Files\Common Files\Microsoft Lync Server 2010\Support\OcsUmUtil.exe” from Command Prompt.







Oops. I forgot to change the Name of the contact object.


Move back to the UM server. In Exchange Management Shell, navigate to C:\Program Files\Microsoft\Exchange Server\V14\Scripts and execute .\ExchUCUtil.ps1



The setup is now completed and test calls to Subscriber Access and Auto Attendant numbers were successful with all features functioning as expected.

40 comments:

Real said...

Hi Drago,

I am getting below certificate error when I start UM service on exchange server..

The Microsoft Exchange Unified Messaging service was unable to start. More information: "Microsoft.Exchange.UM.UMService.UMServiceException: No certificate was found using the thumbprint '' specified in the UMCertificateThumbprint property of the UMServer object.
at Microsoft.Exchange.UM.UMService.UMConnectionManagerHelper.TLSConnectionManager.Initialize()
at Microsoft.Exchange.UM.UMService.UMConnectionManagerHelper.DualConnectionManager.Initialize()
at Microsoft.Exchange.UM.UMService.UMService.InitializeConnectionManager()
at Microsoft.Exchange.UM.UMService.UMService.StartService()
at Microsoft.Exchange.UM.UMService.UMService.OnStartInternal(String[] args)"

Drago said...

Thanks for catching this Real,

Indeed, I forgot to include the step for requesting and assigning certificate to UM server. Since we will use TLS, certificate must be present or the service will not start. Will update the post later today.

Real said...

Hey Drago,

I have assigned certificate to the UM service
Get-ExchangeCertificate
[PS] C:\Windows\system32>Enable-ExchangeCertificate -Services UM -Thumbprint C39006265E9274FF9BDE790AEE02AABAC9388A79

Restarted UM service

Now I am able to start UM service, but when I dial Voice mail number I am getting below error under event logs.

Thanks for your help.

The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Please check that this is a configured TLS peer and that the certificates being used are correct. More information: A TLS failure occurred because the certificate presented by the remote server wasn't trusted. The error code = 0x800B0109 and the message = A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider..

Drago said...

"...A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider..."

Can you verify your domain Root certificate is present in Trusted Root Certificate Authority store on the UM server?

Also, by default, the UM server uses self signed certificate. Did you assign the new certificate to the UM role as described above?

Real said...

Thanks a lot Drago. now voice mail/ AA works for me without any issues..

But still I am facing issue with my Lync client & MS office outlook 2010 integration. I am getting exchange connection error in Lync client . I am working on it. I will post the results..

Cheers!!
-Real

Drago said...

Do you have SRV record for _autodiscover._tcp.domain.local pointing to your Exchange server in the internal DNS?

Real said...

Hey Drago,

sorry for late reply.. I have added _autodiscover._tcp.domain.local SRV record & it works..

Thanks
Real

s@ul said...

such a great post... it helped me when I couldn't start my UM service, because I didn't assign a service to my certificate! thanks

Anonymous said...

Hi Drago,

for 2010 SP1 UM, is that a requirement: UM-assigned certificate CommonName (CN) attribute has to match the FQDN of the UM server or is it enough to have the UM server FQDN somewhere in the SAN list?

Drago said...

If you co-locate UM role with consolidated Exchange Server, your question is self-explanatory (smile), since we would have CN=FQDN and SAN=mail, autodiscover etc.
For standalone, I think SAN should do, because after all, UM and Lync do TLS and not MTLS, where the CN must match the machine FQDN.
However, I have not tested this scenario. Let us know what result you get, if you do...

Anonymous said...

I just confirmed (with OCS R2 and Exchg 2007 --> 2010 UM migration) if the 2010 SP1 UM server does not have the UM server FQDN in the CN of the UM certificate, calls from OCS to 2010 UM will be unsuccessful.

Drago said...

So, it is MTLS after all. Thanks for sharing. I will update the article to reflect your finding.

Anonymous said...

Incomplete hosted voicemail configuration
HostedVoicemailPolicy is not completely configured for [SA@domain.internal].
Cause: Destination or Organization setting might not have proper value.
Resolution:
Ensure that both Destination as well as Organization settings have valid values.

I get the above error when trying to dial the Subscriber or the Auto Attendant. For the life of me I cannot figure it out. There is no problem with users making calls to voice mail or to each other from the Lync client. It's only the numbers for both the SA and AA that fail. Any ideas?

Drago said...

Just to make sure: You did run OcsUmUtil.exe and configure the number, right?

shawn harry said...

New-CsExUmContact -SipAddress "sip:AA@domain.internal" -RegistrarPool "lync.domain.internal" -OU "CN=Users,DC=domain,DC=internal" -DisplayNumber "+442035555555" -AutoAttendant $True

Thanks for the prompt reply.
I used the above cmdlet to create both the SA and the AA. My set up is very simple. One multi role Exchange 2010 server and One Lync server.

Drago said...

Shawn, New-CsExUmContact apparently is used to “Creates a new Auto Attendant or Subscriber Access contact object for hosted Exchange Unified Messaging (UM)” as per this article: http://technet.microsoft.com/en-us/library/gg398139.aspx Note the word “hosted”.

I would delete the two objects and use “OcsUmUtil.exe” as described above and see what happens…

shawn harry said...

I used that cmdlet because for some odd reason the OcsUmUtil.exe says it couldn't find a domain controller in my domain. It can find the dial plan and I know there is nothing wrong with the DC as if there was everything in the domain would break. I never realised that cmdlet was only for the hosted setup though? Thanks for the heads up. Guess I'll try and get OcsUmUtil.exe to work....

Anonymous said...

And what if I try to add certificate on UM and I got an error:
The certificate status could not be determined because the revocation check failed.
??
Tried to manage it in many ways, but no good result till now.
Any ideas ?

Drago said...

Here is a good place to start: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/299c8ebe-223c-43ab-8cbc-c8221991813a/

Paul Knock said...

I've set up the UM with Lync with no problems, except nobody can call direct to extensions.

When you ring the switchboard, the recorded message starts 'Welcome to ABC..'. I try and dial the extension but nothing happens. Then it goes to the Response Groups within Lync, for press 1 for this, press 2 for that, etc. Any extension dialing here is going to go through to a group.

I've set up all the UM dial plans and auto attendants and I can't work out why this isn't working

Thanks

Paul

Drago said...

Do you want to take a look together this weekend? Email me - temp2 at lynclog.com

Daz said...

Hi Drago,
I have an existing Exchange 2010 SP1 deployment with UM working along side our Cisco call managers for about 2 years. We are just deploying Lync 2010 and would like to integrate this with UM as well. Do I have to create a new dial plan in Exchange or can Lync use the existing dial plan ?

Any advice,

Darren.

Andy said...

Can ocsumutil be done on the command line?? I would like to automate the creation of these when I create my Auto Attendants via power shell.

Thanks,
Andrew

Drago said...

Andy,

Try the following: "OcsUMUtil /domain:your_domain_here"

Drago said...

Darren,

You should use the same dial plan. I have no way to test this, but believe it will work.

Andy said...

Hey Drago,
Calls are unable to transfer from Auto Attendants when calling in from Lync clients and transferring to an internal Lync user.

Say option 1 transfers to 64 9 123-4567 which belongs to a Lync user with a LineURI of +64 9 123-4567. When calling in from Lync and pressing option 1 another window pops up and tries to call 64 9 123-4567. This is not an E164 number and does not match an internal users LineURI so the call fails.

On the other hand if I call in from the PSTN Exchange UM passes the call directly to the Lync gateway and it is normalised based on the Global Dial Plan rule and the call transfer succeeds.

I have played a bit with using Exchange UM Dialling Rule Groups but haven't had much success. I was hoping I could get UM to normalise the number before passing it to the Lync client.

I added this rule to UM Dial Plan -
MASK: 649xxxxxxx
DIALLED: +649xxxxxxx

Then added it to Auto Attendants Dialling Restrictions.

Unfortunately this didn't help.

Any clues or help would be greatly appreciated.

Thanks,
Andrew

Drago said...

I believe Exchange uses the Global Dial Plan for normalization. Do you have such rule in the Global?

Andy said...

Hey Drago,

Thanks for your reply. Yep I have a Global rule but this doesn't seem to apply when calling in from a Lync client. Nor does the users Dial Plan normalisation rules.

See here for more info on what I'm talking about - http://social.technet.microsoft.com/Forums/en-US/ocsucintegration/thread/494340c2-a96e-491a-a0d1-c3deb5d4250b

Thanks,
Andrew

Mohammed J.H said...

Hi Drago,

I have finished the integration, and I can call voice mail internally when but Externally it will fail and says call fails due to network issues.

I noticed that I can't even call the Subscriber access number from my Lync. but when I use my GSM phone it will work and I can hear Exchange IVR answering.

I'm using Certificate issued from my internal domain with Exchange's FQDN as common name as both lync and exchange are joined to same domain.

Please your help
Thanks

Stuart R said...

Hi Drago,

I have finished deployment and now am facing issues when i call into voicemail it sometimes picks up and other times dials about 10 times and then gives busy signal. this only happens externally when calling vm. Internal calls to vm work fine. And it is only sometimes that it wont get in from the outside. BIZARRE! Any thoughts?

Anonymous said...

thanks for your great Effort

Ramana said...

Very nice & detailed post... Great..!

Ramana

Kimo maru said...

Hi Drago,
Quick question; is TLS necessary in order to implement UM with Lync? I am working through what appears to be two problems; 1) a certificate issue and a 2) dial plan issue. I would like to isolate to the dial plan issue but am wondering if TLS is necessary.

Drago said...

TLS is mandatory for UM integration. If you are implementing stand-alone UM server, make sure the Common Name of the certificate is the FQDN of the server, or the MTLS will fail. As for dial plan – can you provide more information?

Drago

Anonymous said...

Hi Drago,

In the OcsUmUtil, the only SIP Dial Plan that will display is one that I created as a test and then deleted. I have created a new one but it will not display, only the old one. I have searched everywhere and cannot find a solution to this.

-Andrew

Unified Communications said...

Thanks for the sharing of such information we will pass it on to our readers.
Great article! I work with college students and will pass this on! Thanks so much :)

Sergio Justo said...

thanks so much for this detailed and easy to follow tutorial. In my case my 2010 unified messaging certificate expired and I easily created a new one and activated it with this guide. thanks again

Imran said...

Hi I am trying to integrate Exchange 2007 Unified communication with Lync 2013. But in Exchange 2007 EMC, I do not see any option of 'New Exchange Certificate' for UM.
How I suppose to create new Exchange certificate for UM without this option in EMC?
I have checked so many websites but everybody talks about Lync 2013 integration with Exchange 2010 but now with Exchange 2007.
Please provide steps for Exchange 2007.

Thanks

Imran said...

I am not with Exchange 2007