Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
Configure Microsoft Exchange Server 2007 and 2010 to Integrate with the IM and Presence Service over Exchange Web Services


Note: This module describes the integration of the IM and Presence Service with Exchange Server 2007 and 2010 over Exchange Web Services (EWS). If you are integrating with Exchange Server 2003 or 2007 over WebDAV, see Configure Microsoft Exchange Server 2003 and 2007 to Integrate with the IM and Presence Service over WebDAV. For an overview of each type of Exchange integration, we recommend that you review Planning for IM and Presence Integration with Microsoft Exchange.


Microsoft Exchange 2007 Configuration over Exchange Web Services

Before You Begin

Note that the steps required to configure Exchange Server 2007 differ depending on whether you use Windows Server 2003 or Windows Server 2008.

You must complete the following tasks when configuring access to mailboxes on the Exchange Server 2007. For detailed instructions, see the Exchange Server 2007 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx.


Tip: The IM and Presence Service only requires impersonation permissions on the account to enable it to log in to that account when it connects to the Exchange Server. Note that this account does not typically receive mail, so you do not need to be concerned about allocating space for it.


Windows Security Policy Settings

IM and Presence Service integration with Microsoft Exchange supports various authentication methods including Windows Integrated authentication (NTLM).


Note: The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.


Some Windows network security policies allow NTLMv2 authentication only, which prevents the integration between the IM and Presence Service and Exchange from functioning (both WebDAV and EWS). You must verify that NTLMv2 authentication is not enabled on each Windows server running Exchange. If NTLMv2 authentication is enabled, disable the setting and reboot the server to properly apply the new security setting.

Verifying Windows Security Settings

Procedure
    Step 1   On the Windows Server running Exchange, choose Start > Administrative Tools > Local Security Policy.
    Step 2   Navigate to Security Settings > Local Policies > Security Options.
    Step 3   Choose Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers.
    Step 4   Verify that the Require NTLMv2 session security checkbox is unchecked.
    Step 5   If the Require NTLMv2 session security checkbox is checked, complete the following steps:
    1. Uncheck the checkbox Require NTLMv2 session security.
    2. Click OK.
    Step 6   Reboot the Windows Server running Exchange to apply the new security settings.

Grant Users Permission to Sign in to the Service Account Locally

Complete one of the following procedures to configure users to log in to the service account locally.

Before You Begin

• For Exchange impersonation to work, all Microsoft Exchange servers must be members of the Windows Authorization Access Group.
• The service account should not be a member of any of the Exchange Administrative Groups. Exchange explicitly denies impersonation for all accounts in those groups.

Configuring Microsoft Exchange 2007 on Windows Server 2003

Procedure
    Step 1   Log in to Exchange Server 2007 using a service account that has been delegated the Exchange View Only Administrator role.
    Step 2   In the left pane, under Security Settings, navigate to Local Policies > User Rights Assignments.
    Step 3   In the right pane of the console, double-click Allow Log On Locally.
    Step 4   Choose Add User or Group, then navigate to the service account that you created and select it.
    Step 5   Choose Check Names, and verify that the specified user is correct. Then click OK.

What to Do Next

Setting Impersonation Permissions at the Server Level

Configuring Microsoft Exchange 2007 on Windows Server 2008

Procedure
    Step 1   Log in to Exchange Server 2007 using a service account that has been delegated the Exchange View Only Administrator role.
    Step 2   Choose Start.
    Step 3   Type gpmc.msc.
    Step 4   Choose Enter.
    Step 5   Open the Domain Controller Security Settings window on the Exchange Server.
    Step 6   In the left pane, under Security Settings, navigate to Local Policies > User Rights Assignments.
    Step 7   In the right pane of the console, double-click Allow Log On Locally.
    Step 8   Ensure that the Define these policy settings checkbox is checked.
    Step 9   Choose Add User or Group and navigate to the service account that you previously created and select it. Then click OK.
    Step 10   Choose Check Names, and verify that the specified user is correct. Then click OK.
    Step 11   Click Apply, then click OK in the Allow Log On Locally Properties dialog box.
    Step 12   Determine whether your users' SMTP address is alias@FQDN. If it is not, you must impersonate using the user principal name (UPN), which is defined as alias@FQDN.

What to Do Next

Setting Impersonation Permissions at the Server Level

Setting Impersonation Permissions at the Server Level

The command in the following procedure allows you to grant impersonation permissions at the server level. You can also grant permissions at the database, user, and contact levels.

Before You Begin

• If you wish to grant the service account rights to access individual Microsoft Exchange servers only, replace Get-OrganizationConfig with the string Get-ExchangeServer -Identity ServerName, where ServerName is the name of the Exchange Server. Example:

    Add-ADPermission -Identity (Get-ExchangeServer -Identity exchangeserver1).DistinguishedName -User (Get-User -Identity user | select-object).identity -ExtendedRights Send-As

• Verify that the SMTP address of your users is defined as alias@FQDN. If it is not, you must impersonate the user account using the User Principal Name (UPN).

Procedure
    Step 1   Open the Exchange Management Shell (EMS) for command line entry.
    Step 2   Run this Add-ADPermission command to add the impersonation permissions on the server.

Syntax

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity User | select-object).identity -AccessRights GenericAll -InheritanceType Descendents

Example

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -AccessRights GenericAll -InheritanceType Descendents

What to Do Next

Setting Active Directory Service Extended Permissions for the Service Account

Setting Active Directory Service Extended Permissions for the Service Account

Before You Begin

You must set these permissions on the Client Access Server (CAS) for the service account that performs the impersonation.

• If the CAS is located behind a load balancer, grant the ms-Exch-EPI-Impersonation rights to the Microsoft Exchange 2007 account for all CASs behind the load balancer.
• If your mailbox servers are located on a different machine from the CASs, grant ms-Exch-EPI-Impersonation rights for the Exchange 2007 account for all mailbox servers.
• You can also set these permissions by using the Active Directory Sites and Services or the Active Directory Users and Computers user interfaces.

Procedure
    Step 1   Open the Exchange Management Shell (EMS).
    Step 2   Run this Add-ADPermission command in the EMS to add the impersonation permissions on the server for the identified service account (for example, Ex2007).

Syntax

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation

Example

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights ms-Exch-EPI-Impersonation

    Step 3   Run this Add-ADPermission command in the EMS to add the impersonation permissions to the service account on each mailbox that it impersonates:

Syntax

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights ms-Exch-EPI-May-Impersonate

Example

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights ms-Exch-EPI-May-Impersonate

What to Do Next

Granting Send As Permissions to the Service Account and User Mailboxes

Granting Send As Permissions to the Service Account and User Mailboxes

Follow this procedure to grant Send As permissions to the service account and user mailboxes.

Note: You cannot use the Microsoft Exchange Management Console (EMC) to complete this step.

Procedure
    Step 1   Open the Exchange Management Shell (EMS).
    Step 2   Run this Add-ADPermission command in the EMS to grant Send As permissions to the service account and all associated mailbox stores:

Syntax

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights Send-As

Example

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights Send-As

What to Do Next

Granting Impersonation Permissions to the Service Account and User Mailboxes

Granting Impersonation Permissions to the Service Account and User Mailboxes

Follow this procedure to grant impersonation permissions to the service account and user mailboxes.

Note: You cannot use the Microsoft Exchange Management Console (EMC) to complete this step.

Procedure
    Step 1   Open the Exchange Management Shell (EMS).
    Step 2   Run this Add-ADPermission command in the EMS to grant impersonation (Receive As) permissions to the service account on all associated mailbox stores:

Syntax

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights Receive-As

Example

Add-ADPermission -Identity (Get-OrganizationConfig).DistinguishedName -User (Get-User -Identity Ex2007 | select-object).identity -ExtendedRights Receive-As

Note: The IM and Presence Service only requires impersonation permissions on the account to enable it to log in to that account when it connects to the Exchange Server. This account does not typically receive mail, so you do not need to be concerned about allocating space for it.

What to Do Next

Verifying Permissions on the Microsoft Exchange 2007 Account

Verifying Permissions on the Microsoft Exchange 2007 Account

After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to the mailbox level and that a specified user can access the mailbox and impersonate the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.

Before You Begin

Delegate the appropriate permissions to the Exchange 2007 account. See Microsoft Exchange 2007 Configuration over Exchange Web Services.

Procedure
    Step 1   In the Exchange Management Console (EMC) on Exchange Server 2007, right-click Active Directory Sites and Services in the console tree.
    Step 2   Point to View, and then choose Show Services Node.
    Step 3   Expand the service node, for example, Services/MS Exchange/First Organization/Admin Group/Exchange Admin Group/Servers.
    Step 4   Verify that the Client Access Server (CAS) is listed for the service node that you chose.
    Step 5   View the Properties of each CAS, and under the Security tab, verify that:
    1. Your service account is listed.
    2. The permissions granted on the service account indicate (with a checked checkbox) that the Exchange Web Services Impersonation permission is allowed on the account.

    Note: If the account or the impersonation permissions do not display as advised in Step 5, you may need to recreate the service account and ensure that the required impersonation permissions are granted to the account.

    Step 6   Verify that the service account (for example, Ex2007) has been granted Allow impersonation permission on the storage group and the mailbox store to enable it to exchange personal information and to Send As and Receive As another user account.
    Step 7   You may be required to restart the Exchange Server for the changes to take effect. This has been observed during testing.
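The same verification can be done from the Exchange Management Shell instead of the Active Directory Sites and Services console. The following script is an added example, not part of the Cisco guide, and checks that the service account holds every right granted in the procedures from Setting Impersonation Permissions at the Server Level onwards; it assumes the account is named Ex2007 as in the examples and runs in the PowerShell 1.0 based EMS of Exchange 2007.

```powershell
# Added example (not from the Cisco guide): verify from the Exchange 2007
# Management Shell that the service account holds every right granted in the
# procedures above, on the organization object and on each Client Access and
# Mailbox server. Assumption: the account is named Ex2007 (edit $svcAccount).
# Written for the PowerShell 1.0 based EMS (no -join, no splatting).

$svcAccount = 'Ex2007'

# Rights the guide grants on (Get-OrganizationConfig).DistinguishedName.
$expectedOrgRights = @('GenericAll', 'ms-Exch-EPI-Impersonation',
                       'ms-Exch-EPI-May-Impersonate', 'Send-As', 'Receive-As')

function Test-AccountRights($identity, $account, $expected) {
    # Collect the allow ACEs held by $account on $identity, show any deny ACE
    # (an explicit deny wins over every allow, which is why the account must
    # not be in an Exchange administrative group), then report each expected
    # right as OK or MISSING.
    $allowed = @()
    $aces = Get-ADPermission -Identity $identity |
        Where-Object { $_.User.ToString() -like ('*\' + $account) }
    foreach ($ace in $aces) {
        $names = @()
        if ($ace.ExtendedRights -ne $null) {
            foreach ($r in $ace.ExtendedRights) { $names += $r.ToString() }
        }
        if ($ace.AccessRights -ne $null) {
            foreach ($r in $ace.AccessRights) { $names += $r.ToString() }
        }
        if ($ace.Deny) {
            Write-Host ('  DENY ACE: ' + [string]::Join(', ', $names))
        } else {
            $allowed += $names
        }
    }
    foreach ($right in $expected) {
        if ($allowed -contains $right) { $status = 'OK     ' } else { $status = 'MISSING' }
        Write-Host ('  ' + $status + ' ' + $right)
    }
}

$orgDn = (Get-OrganizationConfig).DistinguishedName
Write-Host ('Organization object: ' + $orgDn)
Test-AccountRights $orgDn $svcAccount $expectedOrgRights

# ms-Exch-EPI-Impersonation is also needed on every CAS (all of them when they
# sit behind a load balancer) and on Mailbox servers hosted on other machines.
# Rights granted on the organization object normally inherit down to these
# server objects, and Get-ADPermission lists inherited ACEs too, so MISSING
# here means propagation has not happened yet or inheritance is blocked.
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -or $_.IsMailboxServer } |
    ForEach-Object {
        Write-Host ('Server ' + $_.Name + ' (' + $_.ServerRole + ')')
        Test-AccountRights $_.DistinguishedName $svcAccount @('ms-Exch-EPI-Impersonation')
    }
```

Because propagation takes time on Exchange 2007, rerun the script after a few minutes before recreating the account as the note above suggests.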

What to Do Next

Enable Authentication on the Exchange 2007 and 2010 Virtual Directories

Microsoft Exchange 2010 Configuration over Exchange Web Services

Before You Begin

Before you use Exchange Web Services (EWS) to integrate Exchange 2010 Server with the IM and Presence Service, ensure that you configure the following throttle policy parameter values on the Exchange Server. These are the values that are required for the EWS calendaring integration with the IM and Presence Service to work.

Table 1 Recommended Throttle Policy Parameter Values on the Exchange 2010 Server

Parameter                        Recommended Configuration Value
EWSMaxConcurrency                It has been observed during Cisco tests that the default throttling policy value is sufficient to support 50% calendaring-enabled users. If you have a higher load of EWS requests to the Client Access Server (CAS), however, we recommend that you increase this parameter to 100.
EWSPercentTimeInAD               50
EWSPercentTimeInCAS              90
EWSPercentTimeInMailboxRPC       60
EWSMaxSubscriptions              Null
EWSFastSearchTimeoutInSeconds    60
EWSFindCountLimit                1000

Windows Security Policy Settings

IM and Presence Service integration with Microsoft Exchange supports various authentication methods including Windows Integrated authentication (NTLM).

Note: The IM and Presence Service supports NTLMv1 Windows Integrated authentication only and does not currently support NTLMv2.

Some Windows network security policies allow NTLMv2 authentication only, which prevents the integration between the IM and Presence Service and Exchange from functioning (both WebDAV and EWS). You must verify that NTLMv2 authentication is not enabled on each Windows server running Exchange. If NTLMv2 authentication is enabled, disable the setting and reboot the server to properly apply the new security setting.

Verifying Windows Security Settings

Procedure
    Step 1   On the Windows server running Exchange, choose Start > Administrative Tools > Local Security Policy.
    Step 2   Navigate to Security Settings > Local Policies > Security Options.
    Step 3   Choose Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers.
    Step 4   Verify that the Require NTLMv2 session security checkbox is unchecked.
    Step 5   If the Require NTLMv2 session security checkbox is checked, complete the following steps:
    1. Uncheck the checkbox Require NTLMv2 session security.
    2. Click OK.
    Step 6   Reboot the Windows Server running Exchange to apply the new security settings.
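The Local Security Policy setting checked in this procedure (and in the identical Verifying Windows Security Settings procedure of the Exchange 2007 section) is stored in the registry, so it can be audited across servers without the console. The following script is an added example, not from the Cisco guide; it is read-only, assumes it runs in an elevated PowerShell on the Exchange server, and the LmCompatibilityLevel check at the end is an addition the guide's procedure does not name.

```powershell
# Added example (not from the Cisco guide): read the registry values behind the
# "Minimum session security for NTLM SSP based servers" policy and the LAN
# Manager authentication level, and report whether NTLMv1 clients such as the
# IM and Presence Service would be refused. Read-only: change the policy with
# the steps above and reboot. Assumption: run elevated on the Exchange server.

$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Flag bits of NtlmMinServerSec, set by the two checkboxes of the policy.
$REQUIRE_NTLMV2_SESSION_SECURITY = 0x00080000   # "Require NTLMv2 session security"
$REQUIRE_128BIT_ENCRYPTION       = 0x20000000   # "Require 128-bit encryption"

function Get-RegistryDword($path, $name) {
    # $null means the value is absent, i.e. the policy is "Not Defined".
    $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($key -eq $null) { return $null }
    return $key.$name
}

$minServerSec = Get-RegistryDword $msv1Path 'NtlmMinServerSec'
if ($minServerSec -eq $null) {
    Write-Host 'NtlmMinServerSec: not defined (Require NTLMv2 session security is unchecked)'
} else {
    $requireV2  = (($minServerSec -band $REQUIRE_NTLMV2_SESSION_SECURITY) -ne 0)
    $require128 = (($minServerSec -band $REQUIRE_128BIT_ENCRYPTION) -ne 0)
    Write-Host ('NtlmMinServerSec: 0x{0:X8}' -f $minServerSec)
    Write-Host ('  Require NTLMv2 session security: ' + $requireV2)
    Write-Host ('  Require 128-bit encryption:      ' + $require128)
    if ($requireV2) {
        Write-Host '  -> uncheck "Require NTLMv2 session security" and reboot, or the IM and Presence Service cannot authenticate'
    }
}

# Related policy the guide does not list: "Network security: LAN Manager
# authentication level" (LmCompatibilityLevel). Level 5 refuses LM and NTLMv1
# responses for accounts this server authenticates itself; for domain accounts
# the domain controllers' level decides, so check it there as well.
$lmLevel = Get-RegistryDword $lsaPath 'LmCompatibilityLevel'
if ($lmLevel -eq $null) {
    Write-Host 'LmCompatibilityLevel: not defined (operating system default applies)'
} else {
    Write-Host ('LmCompatibilityLevel: ' + $lmLevel)
    if ($lmLevel -ge 5) {
        Write-Host '  -> level 5 refuses NTLMv1 responses; the integration fails with this level'
    }
}
```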

Setting Exchange Impersonation Permissions for Specific Users or Groups

Complete the following procedure using the Microsoft Exchange Management Shell (EMS) to set the Exchange impersonation permissions for specific users or a group of users.

Procedure
    Step 1   Create the account in Active Directory.
    Step 2   Open the EMS for command line entry.
    Step 3   Run the New-ManagementRoleAssignment command in the EMS to grant a specified existing domain service account (for example, Ex2010) the permission to impersonate other user accounts:

Syntax

New-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:user@domain

Example

New-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:Ex2010@contoso.com

    Step 4   Run this New-ManagementScope command to define the scope to which the impersonation permissions apply. In this example, the Ex2010 account is granted the permission to impersonate all accounts on a specified Exchange Server.

Syntax

New-ManagementScope -Name:_suImpersonateScope -ServerList:server_name

Example

New-ManagementScope -Name:_suImpersonateScope -ServerList:nw066b-227

    Step 5   Run the New-ThrottlingPolicy command to create a new Throttling Policy with the recommended values defined in Microsoft Exchange 2010 Configuration over Exchange Web Services.

Syntax

New-ThrottlingPolicy -Name:Policy_Name -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:NULL -EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000

Example

New-ThrottlingPolicy -Name:IM_and_Presence_ThrottlingPolicy -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:NULL -EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000

Note: Only available with supported Exchange SP1.

    Step 6   Run the Set-ThrottlingPolicyAssociation command to associate the new Throttling Policy with the service account used in Step 2.

Syntax

Set-ThrottlingPolicyAssociation -Identity Username -ThrottlingPolicy Policy_Name

Example

Set-ThrottlingPolicyAssociation -Identity Ex2010 -ThrottlingPolicy IM_and_Presence_ThrottlingPolicy

What to Do Next

Verifying Permissions on the Microsoft Exchange 2010 Account


Verifying Permissions on the Microsoft Exchange 2010 Account

After you have assigned the permissions to the Exchange 2010 account, you must verify that the permissions propagate to the mailbox level and that a specified user can access the mailbox and impersonate the account of another user. On Exchange 2010, it takes some time for the permissions to propagate to mailboxes.

Procedure
    Step 1   On the Active Directory Server, verify that the Impersonation account exists.
    Step 2   Open the Exchange Management Shell (EMS) for command line entry.
    Step 3   On the Exchange Server, verify that the service account has been granted the required Impersonation permissions:
    1. Run this command in the EMS:

    Get-ManagementRoleAssignment -Role ApplicationImpersonation

    2. Ensure that the command output indicates role assignments with the Role ApplicationImpersonation for the specified account, as follows:

    Example Command Output

    Name                   Role                      RoleAssigneeName  RoleAssigneeType  AssignmentMethod  EffectiveUserName
    ----                   ----                      ----------------  ----------------  ----------------  -----------------
    _suImpersonateRoleAsg  ApplicationImpersonation  ex2010            User              Direct            ex2010

    Step 4   Verify that the management scope that applies to the service account is correct:
    1. Run this command in the EMS:

    Get-ManagementScope _suImpersonateScope

    2. Ensure that the command output returns the impersonation scope, as follows:

    Example Command Output

    Name                 ScopeRestrictionType  Exclusive  RecipientRoot  RecipientFilter  ServerFilter
    ----                 --------------------  ---------  -------------  ---------------  ------------
    _suImpersonateScope  ServerScope           False                                      DistinguishedName ...

    Step 5   Verify that the ThrottlingPolicy parameters match what is defined in Recommended Throttle Policy Parameter Values on the Exchange 2010 Server by running this command in the EMS.

    Get-ThrottlingPolicy -Identity Policy_Name | findstr ^EWS
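Steps 3 to 5 above, plus the policy association from Step 6 of the previous procedure, can be checked in one pass against the values of Table 1. The following script is an added example, not part of the Cisco guide; it assumes the names used in the guide's examples (Ex2010, _suImpersonateScope, IM_and_Presence_ThrottlingPolicy) and runs in the Exchange 2010 Management Shell.

```powershell
# Added example (not from the Cisco guide): check in the Exchange 2010 EMS that
# the service account holds the ApplicationImpersonation role, that the
# management scope exists, that the throttling policy carries the Table 1
# values, and that the policy is the one associated with the account.
# Assumptions: the names from the guide's examples, edited below if needed.

$svcAccount = 'Ex2010'
$scopeName  = '_suImpersonateScope'
$policyName = 'IM_and_Presence_ThrottlingPolicy'

# Expected EWS values from Table 1 ($null corresponds to the "Null" row).
$expected = @{
    EWSMaxConcurrency             = 100
    EWSPercentTimeInAD            = 50
    EWSPercentTimeInCAS           = 90
    EWSPercentTimeInMailboxRPC    = 60
    EWSMaxSubscriptions           = $null
    EWSFastSearchTimeoutInSeconds = 60
    EWSFindCountLimit             = 1000
}
$problems = 0

# 1. Role assignment (Step 3): the account must hold ApplicationImpersonation.
$assignments = @(Get-ManagementRoleAssignment -RoleAssignee $svcAccount -Role ApplicationImpersonation -ErrorAction SilentlyContinue)
if ($assignments.Count -eq 0) {
    Write-Warning "$svcAccount has no ApplicationImpersonation role assignment"
    $problems++
} else {
    foreach ($a in $assignments) {
        Write-Host ('Role assignment {0}: RecipientWriteScope={1} ConfigWriteScope={2}' -f $a.Name, $a.RecipientWriteScope, $a.ConfigWriteScope)
    }
}

# 2. Management scope (Step 4).
$scope = Get-ManagementScope -Identity $scopeName -ErrorAction SilentlyContinue
if ($scope -eq $null) {
    Write-Warning "Management scope $scopeName not found"
    $problems++
} else {
    Write-Host ('Scope {0}: ScopeRestrictionType={1} ServerFilter={2}' -f $scope.Name, $scope.ScopeRestrictionType, $scope.ServerFilter)
}

# 3. Throttling policy values versus Table 1 (Step 5).
$policy = Get-ThrottlingPolicy -Identity $policyName -ErrorAction SilentlyContinue
if ($policy -eq $null) {
    Write-Warning "Throttling policy $policyName not found"
    $problems++
} else {
    foreach ($name in $expected.Keys) {
        $actual = $policy.$name
        if ($expected[$name] -eq $null) { $ok = ($actual -eq $null) } else { $ok = ($actual -eq $expected[$name]) }
        if (-not $ok) { $problems++ }
        $verdict = if ($ok) { 'OK' } else { 'MISMATCH' }
        Write-Host ('{0,-30} expected={1,-6} actual={2,-6} {3}' -f $name, $expected[$name], $actual, $verdict)
    }
}

# 4. The policy must be the one associated with the service account.
$assoc = Get-ThrottlingPolicyAssociation -Identity $svcAccount -ErrorAction SilentlyContinue
if ($assoc -eq $null -or $assoc.ThrottlingPolicyId -eq $null -or $assoc.ThrottlingPolicyId.Name -ne $policyName) {
    Write-Warning "$svcAccount is not associated with $policyName"
    $problems++
} else {
    Write-Host "Association OK: $svcAccount -> $($assoc.ThrottlingPolicyId.Name)"
}

if ($problems -eq 0) { Write-Host 'All checks passed' } else { Write-Warning "$problems problem(s) found" }
```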


What to Do Next

Enable Authentication on the Exchange 2007 and 2010 Virtual Directories

Enable Authentication on the Exchange 2007 and 2010 Virtual Directories

For the Exchange Web Services (EWS) integration to work properly, Basic Authentication, Windows Integrated Authentication, or both must be enabled on the EWS virtual directory (/EWS) for Exchange 2007 and Exchange 2010.

Enabling Authentication on Exchange 2007 Running Windows Server 2003

Procedure
    Step 1   From Administrative Tools, open Internet Information Services and choose the server.
    Step 2   Choose Web Sites.
    Step 3   Choose Default Web Site.
    Step 4   Right-click the EWS directory folder and choose Properties.
    Step 5   Choose the Directory Security tab.
    Step 6   Under Authentication and access control, click Edit.
    Step 7   Under Authentication Methods, verify that the following checkbox is unchecked:
    • Enable anonymous access
    Step 8   Under Authentication Methods Authenticated Access, verify that both of the following checkboxes are checked:
    • Integrated Windows authentication
    • Basic Authentication (password is sent in clear text)
    Step 9   Click OK.

What to Do Next

Configuring the Presence Gateway for Microsoft Exchange Integration

Enabling Authentication on Exchange 2010 Running Windows Server 2008

Procedure
    Step 1   From Administrative Tools, open Internet Information Services and choose the server.
    Step 2   Choose Web Sites.
    Step 3   Choose Default Web Site.
    Step 4   Choose EWS.
    Step 5   Under the IIS section, choose Authentication.
    Step 6   Verify that the following Authentication methods are enabled:
    • Anonymous Authentication
    • Windows Authentication and/or Basic Authentication
    Step 7   Use the Enable/Disable link in the Actions column to configure appropriately.
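The EWS authentication settings edited through the IIS console in the two procedures above are also exposed by the Exchange Management Shell on both Exchange 2007 and 2010, which makes a fleet-wide check practical. The following script is an added example, not from the Cisco guide; the $fix switch and the https check on InternalUrl are additions of this example, and it assumes it runs as an Exchange administrator.

```powershell
# Added example (not from the Cisco guide): list the authentication methods
# enabled on every EWS virtual directory from the Exchange 2007 or 2010
# Management Shell (the same settings the IIS console steps above edit) and,
# when $fix is $true, enable Basic and Windows authentication where neither
# is on. $fix and the https check are additions of this example.

$fix = $false   # set to $true to enable the missing methods

foreach ($dir in Get-WebServicesVirtualDirectory) {
    $basic   = $dir.BasicAuthentication
    $windows = $dir.WindowsAuthentication
    if ($basic -or $windows) { $status = 'OK' } else { $status = 'NO USABLE METHOD' }
    Write-Host ('{0,-45} Basic={1,-5} Windows={2,-5} {3}' -f $dir.Identity, $basic, $windows, $status)

    # Basic authentication sends the password in clear text (as the IIS
    # checkbox label says), so the EWS URL the IM and Presence Service uses
    # should be https when Basic is the only method enabled.
    if ($basic -and -not $windows -and $dir.InternalUrl -ne $null -and $dir.InternalUrl.Scheme -ne 'https') {
        Write-Warning ($dir.Identity.ToString() + ': Basic only, but InternalUrl is ' + $dir.InternalUrl)
    }

    if ($fix -and $status -ne 'OK') {
        # The IM and Presence Service can use either method; enabling both
        # matches the checkboxes the procedures above require.
        Set-WebServicesVirtualDirectory -Identity $dir.Identity -BasicAuthentication $true -WindowsAuthentication $true
        Write-Host ('  enabled Basic and Windows authentication on ' + $dir.Identity)
    }
}
```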

What to Do Next

Configuring the Presence Gateway for Microsoft Exchange Integration