configure Microsoft Exchange integration with the
Presence Service, consult the compatibility matrix below and make
sure that you have installed and configured the required components for this
Table 1 Compatibility
Install Compatible Version
Service Packs for Windows
Server 2003 (SP2)
Service Packs for Windows
Server 2008 (SP2)
Cisco Unified Communications Manager
Unified Communications Manager release must match the
and Presence Service release.
IM and Presence
and Presence Service release must match the Cisco
Unified Communications Manager release.
Microsoft Exchange Server 2007
Service Packs for Microsoft Exchange 2007 (SP1).
Microsoft Exchange Server 2010
Service Packs for Microsoft Exchange 2010 (SP1).
Active Directory 2003 with
Windows Server 2003 (SP2)
-- OR --
Active Directory 2008 with
Windows Server 2008 (SP2)
configured in Active Directory must be identical to those names defined in
Cisco Unified Communications Manager.
Third-Party Certificate OR Certificate Server
One or the other of these is required to generate the
The following table
shows the Exchange servers required to support WebDAV and Exchange
Web Services (EWS).
Table 2 Microsoft
Exchange Versions that Support WebDAV and EWS
Microsoft Exchange Server 2003 and 2007 over WebDAV
Exchange Server (2003 and 2007 versions) supports WebDAV-based calendar
integration. The Exchange Server (2003 and 2007 versions) integrates with the
Presence Service using the WebDAV protocol, over the Outlook Web
Access (OWA) interface exposed by the Exchange Server.
The IM and Presence
Service can only communicate with a single WebDAV front-end Exchange
Server. The front-end Exchange Server communicates with multiple back-end
Exchange servers that you configure during the WebDAV setup. Exchange
communicates with the
Presence Service through a Presence Gateway configured for the
Exchange Server on the
and Permissions in Exchange Server 2003 and 2007
in Microsoft Exchange 2003 and 2007, administrators are denied permission to
log in to a user mailbox on the Exchange Server. In order for the
Presence Service to connect to mailbox stores on the Exchange Server
and query end-user calendaring data, it requires an Exchange account with
special permissions, referred to as a 'Receive-As' account.
Configuration for Microsoft Exchange Server 2003 and 2007 Integrations
A single Presence
Gateway using WebDAV, is configured on the IM and Presence
Service, and requires a restart of the Cisco Presence Engine when
added, updated, or deleted.
Microsoft Exchange Server 2007 and 2010 over Exchange Web Services
to WebDAV integration, Exchange 2007 introduces Exchange Web Services (EWS) for
calendaring integration using a Simple Object Access Protocol-like (SOAP)
interface to the Exchange Server. For Exchange 2010, WebDAV is no longer
supported and customers can only use EWS for calendaring integration. For
Exchange 2007, WebDAV is supported.
your EWS Presence Gateway for Exchange integrations in
the Cisco Unified CM IM and
Presence Service Administration user interface, note the following:
You cannot deploy a mixed
environment of WebDAV and EWS servers.
You can add, update, or delete
one or more EWS servers with no maximum limit. However, the Troubleshooter on
Gateway Configuration window is designed to only verify and report
status of the first 10 EWS servers that you configure.
EWS Server gateways share the
credentials (Account Name and Password) that you configure for the first EWS
Server Gateway. If you change the credentials for one EWS Server Gateway, the
credentials change accordingly on all of the configured EWS gateways.
You must restart the Cisco
Presence Engine after you add, update, or delete one or more EWS servers for
your configuration changes to take effect. If you add multiple EWS servers one
after another, you can restart the Cisco Presence Engine once to make all of the changes simultaneously.
and Permissions in Exchange Server 2007 and 2010
Web Services (EWS) requires a special account to enable access to all user
calendaring information. This account is referred to as the impersonation
Exchange Server 2007
caller to access the email account of another user with Exchange Server 2007,
the EWS integration requires an account with Impersonation permissions. The
caller impersonates a given user account using the permissions that are
associated with the impersonated account instead of the permissions that are
associated with the account of the caller.
impersonated account must be granted the
ms-Exch-EPI-Impersonation permission on the Client Access
Server (CAS) running Exchange 2007. This gives the caller the permission to
impersonate a user email account using the CAS. In addition, the caller must be
ms-Exch-EPI-MayImpersonate permission on either the mailbox
database or on the individual user objects in the directory.
the Access Control List (ACL) for an individual user takes precedence over the
mailbox database setting so that you can allow a caller access to all mailboxes
in the database but if required, deny access on certain mailboxes in that
Exchange Server 2010
Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign
permissions to impersonation accounts and allow users to perform tasks specific
to their function in the organization. Depending on whether the user is an
administrator, super user, or an end-user, there are two primary methods to
apply RBAC permissions:
groups—Microsoft provides 11 default management role groups during the Exchange
setup process with associated permissions specific to the role of the group.
The Recipient Management and Help Desk, for example, are built-in role groups.
Typically, super users who need to perform specific tasks are assigned to the
relevant management role group and inherit the associated permissions. For
example, a Product Support representative who needs to be able to modify the
contact details of any user across the entire Exchange organization may be
assigned as a member of the Help Desk management role group.
assignment policies—For normal users who are not administrators or super users,
management role assignment policies control the specific mailboxes such users
can modify. The
ApplicationImpersonation role, when assigned to the user
New-ManagementRoleAssignment cmdlet, enables an account to
impersonate users in an organization to perform tasks on behalf of the user.
The scope of the role assignments are managed individually using the
New-ManagementScope cmdlet, and can be filtered to target
specific recipients or specific servers.
With RBAC, you do
not need to modify and manage the ACL as required for Exchange Server 2007.
Configuration for Exchange Server 2007 and 2010 Integrations
a large number of users (with EWS calendar integration enabled), the
Presence Service must distribute the load of EWS traffic among
multiple Client Access Servers (CASs). The
Presence Service can connect to a number of CASs by way of EWS, and
it uses the following round robin strategy to support the traffic load that it
The first time
that a user's calendar subscription is enabled, the user is assigned a CAS from
a pool of eligible CAS hosts configured by the administrator.
The user retains
the assignment until their calendar subscription fails.
If the user’s
calendar subscription fails, the user is again assigned a CAS from the pool of
eligible CAS hosts.
Known Issues with
Exchange Web Services Integration
IM and Presence
Service integration with Microsoft Exchange supports various
authentication methods including Windows Integrated authentication (NTLM).
Presence Service supports NTLMv1 Windows Integrated authentication
only and does not currently support NTLMv2.
network security policies allow NTLMv2 authentication only, which prevents the
integration between the
Presence Service and Exchange from functioning (both WebDAV and EWS).
You must verify that NTLMv2 authentication is not enabled on each Windows
server running Exchange. If NTLMv2 authentication is enabled, disable the
setting and reboot the server to properly apply the new security setting.
Communications Manager and IM and Presence Service Documentation