Before you configure Microsoft Exchange integration with the IM and Presence Service, consult the compatibility matrix below and make sure that you have installed and configured the required components for this integration:
Table 1 Compatibility Matrix
Install Compatible Version
Service Packs for Windows Server 2003 (SP2)
Service Packs for Windows Server 2008 (SP2)
Cisco Unified Communications Manager
The Cisco Unified Communications Manager release must match the IM and Presence Service release.
IM and Presence Service
The IM and Presence Service release must match the Cisco Unified Communications Manager release.
Microsoft Exchange Server 2003
Service Packs for Microsoft Exchange 2003 (SP2)
Microsoft Exchange Server 2007
Service Packs for Microsoft Exchange 2007 (SP1).
Microsoft Exchange Server 2010
Service Packs for Microsoft Exchange 2010 (SP1).
Active Directory 2003 with Windows Server 2003 (SP2) -- OR --
Active Directory 2008 with Windows Server 2008 (SP2)
User names configured in Active Directory must be identical to those names defined in Cisco Unified Communications Manager.
A Third-Party Certificate OR Certificate Server
One or the other of these is required to generate the certificates.
The following table shows the Microsoft Exchange servers required to support WebDAV and Exchange Web Services (EWS).
Table 2 Microsoft Exchange Versions that Support WebDAV and EWS
Integration with Microsoft Exchange 2003 and 2007 - over WebDAV
Microsoft Exchange Server (2003 and 2007 versions) supports WebDAV-based calendar integration. The Exchange Server (2003 and 2007 versions) integrates with the IM and Presence Service using the WebDAV protocol, over the Outlook Web Access (OWA) interface exposed by the Exchange Server.
The IM and Presence Service can only communicate with a single WebDAV front-end Exchange Server. The front-end Exchange Server communicates with multiple back-end Exchange servers that you configure during the WebDAV setup. Exchange communicates with the IM and Presence Service through a Presence Gateway configured for the Exchange Server on the IM and Presence Service.
Administrative Roles and Permissions in Exchange Server 2003 and 2007
By default in Microsoft Exchange 2003 and 2007, administrators are denied permission to log in to a user mailbox on the Exchange Server. In order for the IM and Presence Service to connect to mailbox stores on the Exchange server and query end-user calendaring data, it requires an Exchange account with special permissions, referred to as a 'Receive As' account.
Presence Gateway Configuration for Microsoft Exchange Server 2003 and 2007 Integrations
A single Presence Gateway using WebDAV, is configured on the IM and Presence Service, and requires a restart of the Cisco Presence Engine when added, updated, or deleted.
Integration with Microsoft Exchange 2007 and 2010 - over Exchange Web Services
In addition to WebDAV integration, Exchange 2007 introduces Exchange Web Services (EWS) for calendaring integration using a Simple Object Access Protocol-like (SOAP) interface to the Exchange Server. For Exchange 2010, WebDAV is no longer supported and customers can only use EWS for calendaring integration. For Exchange 2007, WebDAV is supported.
When configuring your EWS Presence Gateway for Exchange integrations in Cisco Unified CM IM and Presence Service Administration, note the following:
You cannot deploy a mixed environment of WebDAV and EWS servers.
You can add, update or delete one or more EWS servers with no maximum limit. However, the Troubleshooter on the Presence Gateway Configuration window is designed to only verify and report status of the first 10 EWS servers that you configure.
EWS Server gateways share the credentials (Account Name and Password) that you configure for the first EWS Server Gateway. If you change the credentials for one EWS Server Gateway, the credentials change accordingly on all of the configured EWS gateways.
You must restart the Cisco Presence Engine after you add, update or delete one or more EWS servers for your configuration changes to take effect. If you add multiple EWS servers one after another, you can restart the Cisco Presence Engine once to effect all of your changes simultaneously.
Administrative Roles and Permissions in Exchange Server 2007 and 2010
Exchange Web Services (EWS) requires a special account to enable access to all user calendaring information. This account is referred to as the impersonation account.
Microsoft Exchange Server 2007
For a caller to access the email account of another user with Exchange Server 2007, the EWS integration requires an account with Impersonation permissions. The caller impersonates a given user account using the permissions that are associated with the impersonated account instead of the permissions that are associated with the account of the caller.
The impersonated account must be granted the ms-Exch-EPI-Impersonation permission on the Client Access Server (CAS) running Exchange 2007. This gives the caller the permission to impersonate a user email account using the CAS. In addition, the caller must be granted the ms-Exch-EPI-MayImpersonate permission on either the mailbox database or on the individual user objects in the directory.
Note that the Access Control List (ACL) for an individual user takes precedence over the mailbox database setting so that you can allow a caller access to all mailboxes in the database but if required, deny access on certain mailboxes in that database.
Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 uses Role-Based Access Control (RBAC) to assign permissions to impersonation accounts and allow users to perform tasks specific to their function in the organization. Depending on whether the user is an administrator, super user, or an end-user, there are two primary methods to apply RBAC permissions:
Management role groups—Microsoft provides 11 default management role groups during the Exchange setup process with associated permissions specific to the role of the group. The Recipient Management and Help Desk, for example, are built-in role groups. Typically, super users who need to perform specific tasks are assigned to the relevant management role group and inherit the associated permissions. For example, a Product Support representative who needs to be able to modify the contact details of any user across the entire Exchange organization may be assigned as a member of the Help Desk management role group.
Management role assignment policies—For normal users who are not administrators or super users, management role assignment policies control which specific mailboxes such users can modify. The ApplicationImpersonation role, when assigned to the user using the New-ManagementRoleAssignment cmdlet, enables an account to impersonate users in an organization to perform tasks on behalf of the user. The scope of the role assignments are managed individually using the New-ManagementScope cmdlet, and can be filtered to target specific recipients or specific servers.
With RBAC, you do not need to modify and manage the ACL as required for Exchange Server 2007.
Presence Gateway Configuration for Microsoft Exchange Server 2007 and 2010 Integrations
To support a large number of users (with EWS calendar integration enabled), the IM and Presence Service must distribute the load of EWS traffic among multiple Client Access Servers (CASs). The IM and Presence Service can connect to a number of CASs by way of EWS, and it uses the following round robin strategy to support the traffic load that it encounters:
The first time that a user's calendar subscription is enabled, the user is assigned a CAS from a pool of eligible CAS hosts configured by the administrator.
The user retains the assignment until their calendar subscription fails.
If the user’s calendar subscription fails, the user is again assigned a CAS from the pool of eligible CAS hosts.
Known Issues with Exchange Web Services Integration
IM and Presence Service integration with Microsoft Exchange supports various authentication methods including Windows Integrated authentication (NTLM).
The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.
Some Windows network security policies allow NTLMv2 authentication only, which prevents the integration between the IM and Presence Service and Exchange from functioning (both WebDAV and EWS). You must verify that NTLMv2 authentication is not enabled on each Windows server running Exchange. If NTLMv2 authentication is enabled, disable the setting and reboot the server to properly apply the new security setting.
Getting More Information
Cisco Unified Communications Manager and IM and Presence Service Documentation