Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)
Integration of Microsoft Exchange Server 2007/2010 over EWS with IM and Presence
Download this chapter
Integration of Microsoft Exchange Server 2007/2010 over EWS with IM and PresenceIntegration of Microsoft Exchange Server 2007/2010 over EWS with IM and Presence
Download the complete book
Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1)Microsoft Exchange for IM and Presence Service on Cisco Unified Communications Manager, Release 9.1(1) (PDF - 1 MB)
 Feedback

Integration of Microsoft Exchange Server 2007/2010 over EWS with IM and Presence


Note

This module describes the integration of the IM and Presence Service with Microsoft Exchange Server 2007 and 2010 over Exchange Web Services (EWS). If you are integrating with the Exchange server 2003 or 2007 over WebDAV, see Integration of Microsoft Exchange Server 2003/​2007 over WebDAV with IM and Presence. For an overview of each type of Exchange integration, we recommend that you review IM and Presence integration with Microsoft Exchange.

Microsoft Exchange 2007 configuration checklist (EWS)

Before You Begin

Note that the steps required to configure Exchange 2007 server will differ depending on whether you use Windows Server 2003 or Windows Server 2008.

The following table provides a summary checklist to follow when configuring access to mailboxes on the Microsoft Exchange 2007 server on Windows Server 2003 and Window Server 2008. For detailed instructions, see the Microsoft Server 2007 documentation at the following URL: http:/​/​technet.microsoft.com/​en-us/​library/​bb124558(EXCHG.80).aspx

Table 1 Configuration tasks for Microsoft Exchange 2007 Components

Task

Procedure

Important Notes

Ensure that the Windows security policy settings are correct.

See Windows Security Policy Settings

Cisco Unified Presence supports NTLMv1 Windows Integrated authentication only and does not currentlly support NTLMv2.

Grant Users the Permission to Sign in to the Service Account Locally

Exchange 2007 Configuration on Windows Server 2003

  1. Sign into the Exchange 2007 server using a service account that has been delegated the Exchange View Only Administrator role.
  2. Open the Domain Controller Security Settings window on the Exchange server.
  3. Under Security Settings in the left frame, navigate to Local Policies > User Rights Assignments.
  4. Double-click Allow Log On Locally in the right frame of the console.
  5. Select Add User or Group and navigate to the service account that you previously created and select it.
  6. Select Check Names, and verify that the specified user is correct. Then select OK.

Exchange 2007 Configuration on Windows Server 2008

  1. Sign into the Exchange 2007 server using a service account that has been delegated the Exchange View Only Administrator role.
  2. Select Start.
  3. Type gpmc.msc
  4. Select Enter.
  5. Open the Domain Controller Security Settings window on the Exchange server.
  6. Under Security Settings in the left frame, navigate to Local Policies > User Rights Assignments.
  7. Double-click Allow Log On Locally in the right frame of the console.
  8. Ensure that the Define these policy settings check box is selected.
  9. Select Add User or Group and navigate to the service account that you previously created and select it. Then select OK.
  10. Select Check Names, and verify that the specified user is correct. Then select OK.
  11. Select Apply and OK in the Allow Log On Locally Properties dialog box.
  12. Determine if your users SMTP address is alias @ FQDN. If it is not, you must impersonate using the user principal name (UPN). This is defined as alias@FQDN.
  • For Exchange impersonation to work, all Exchange servers must be members of the Windows Authorization Access Group.
  • The service account should not be a member of any of the Exchange Administrative Groups. Microsoft Exchange explicitly denies Impersonation for all accounts in those groups.

Set Impersonation Permissions at the Server level

Via the Exchange Management Shell (EMS)

  1. Open the EMS for command line entry.
  2. Run this Add-ADPermission command to add the impersonation permissions on the server. Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity User | select-object).identity -AccessRights GenericAll -InheritanceType Descendents For example: Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 ¦ select-object).identity -ExtendedRight ms-Exch-EPI-Impersonation
  • These cmdlets grant impersonation permissions at the server level. You can also grant permissions at the database, user, and contact levels.
  • If you have multiple servers, you must grant Impersonation to each server (or database). Exchange 2007 does not have system-wide Impersonation permission capability.
  • Verify that the SMTP address of your users is defined as alias@FQDN. If it is not, you must impersonate the user account using the User Principal Name (UPN).

Set Active Directory Service Extended Permissions for the Service Account:

Via the Exchange Management Shell (EMS)

  1. Run this Add-ADPermission command in the EMS to add the impersonation permissions on the server for the identified service acccount (for example, Exch2007). Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRight ms-Exch-EPI-Impersonation For example: Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 ¦ select-object).identity -ExtendedRight ms-Exch-EPI-Impersonation
  2. Run this Add-ADPermission command in the EMS to add the impersonation permissions to the service account on each mailbox that it impersonates: Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRight ms-Exch-EPI-May-Impersonate For example: Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 ¦ select-object).identity -ExtendedRight ms-Exch-EPI-May-Impersonate
  • You must set these permissions (on the Client Access Server (CAS)) for the service account that performs the impersonation.
  • If the CAS is located behind a load-balancer, grant the ms-Exch-EPI-Impersonation rights to the Ex2007 account for all CAS servers behind the load-balancer.
  • If your mailbox servers are located on a different machine to the CAS servers, grant ms-Exch-EPI-Impersonation rights for the Ex2007 account for all mailbox servers.
  • You can also set these permissions by using Active Directory Sites and Services or the Active Directory Users and Computers user interfaces.

Grant Send As Permissions to the Service Account and User Mailboxes

Via the Exchange Management Shell (EMS)

Run this Add-ADPermission command in the EMS to grant Send As permisisons to the service account and all associated mailbox stores:

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights Send-As

For example:

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 ¦ select-object).identity -ExtendedRights Send-As

You cannot use the Exchange Management Console (EMC) to complete this step.

Grant Receive As Permissions to the Service Account and User Mailboxes

Via the Exchange Management Shell (EMS)

Run this Add-ADPermission command in the EMS to grant Receive As permisisons on the service account and all associated mailbox stores:

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity User | select-object).identity -ExtendedRights Receive-As

For example:

Add-ADPermission -Identity (get-exchangeserver).DistinguishedName -User (Get-User -Identity Ex2007 ¦ select-object).identity -ExtendedRights Receive-As

You cannot use the Exchange Management Console (EMC) to complete this step.

Troubleshooting Tips

IM and Presence only requires Receive As permissions on the account to enable it to sign in to that account when it connects to the Exchange server. Note that this account does not typically receive mail so you do not need to be concerned about allocating space for it.

What To Do Next

Verify permissions on the Exchange 2007 account

Verify permissions on the Exchange 2007 account

After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.

Before You Begin

Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2007 Configuration Checklist (EWS) topic.

Procedure
    Step 1   In the EMC on the Exchange 2007 server, right-click Active Directory Sites and Services in the console tree.
    Step 2   Point to View, and then select Show Services Node.
    Step 3   Expand the service node, for example, Services/MS Exchange/First Organization/Admin Group/Exchange Admin Group/Servers.
    Step 4   Verify that the CAS is listed for th e service node that you selected.
    Step 5   View the "Properties" of each CAS server, and under the Security tab, verify that:
    1. Your service account is listed.
    2. The permissions granted on the services account indicate (with a checked box) that the Exchange Web Services Impersonation permission is allowed on the account.
    Step 6   Verify that the service account (for example, Ex2007) has been granted Allow impersonationpermission on the storage group and the mailbox store to enable it to exchange personal information and to send as and receive as another user account.

    Troubleshooting Tips

    • If the account or the impersonation permissions do not display as advised in Step 5, you may need to recreate the service account and ensure that the required impersonation permissions are granted to the account.
    • You may be required to restart the Exchange server for the changes to take effect. This has been observed during testing.
    What to Do Next

    Authentication on Exchange 2007/​2010 virtual directories.

    Microsoft Exchange 2010 configuration checklist (EWS)

    The following procedure provides a summary checklist to follow when configuring access to mailboxes on the Microsoft Exchange 2010 server. For detailed instructions, see the Microsoft Server 2010 documentation.

    Before You Begin

    Before you integrate Microsoft Exchange 2010 server with IM and Presence over EWS, ensure that you configure the following throttle policy parameter values on the Exchange server. These are the values that are required for the EWS calendaring integration with IM and Presence to work.

    Table 2 Recommended Throttle Policy Parameter Values on Microsoft Exchange

    Parameter

    Recommended Configuration Value

    EWSMaxConcurrency

    It has been observed during Cisco tests that the default throttling policy value is sufficient to support 50% calendaring-enabled users. If you have a higher load of EWS requests to the CAS, however, we recommend that you increase this parameter to 100.

    EWSPercentTimeInAD

    50

    EWSPercentTimeInCAS

    90

    EWSPercentTimeInMailboxRPC

    60

    EWSMaxSubscriptions

    Null

    EWSFastSearchTimeoutInSeconds

    60

    EWSFindCountLimit

    1000

    Procedure

    Complete the following steps to set Exchange Impersonation Permissions for specific users or groups of users for Microsoft Exchange 2010.

    1. Open the EMS for command line entry.
    2. Run the New-ManagementRoleAssignment command in the EMS to grant a specified service account (for example, Ex2010) the permission to impersonate other user accounts: new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:user@domainExample: new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:Ex2010@domain
    3. Run this New-ManagementRoleAssignment command to define the scope to which the impersonation permisisons apply. In this example, the Exch2010 account is granted the permission to impersonate all accounts on a specified Exchange Server. new-ManagementScope -Name:_suImpersonateScope -ServerList:<server name>Example: new-ManagementScope -Name:_suImpersonateScope -ServerList:nw066b-227
    4. Run the New-ThrottlingPolicy command to create a new Throttling Policy with the recommended values defined in the the table above. New-ThrottlingPolicy -Name:”<Policy Name>” -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:5000-EWSFastSearchTimeoutInSeconds:60-EWSFindCountLimit:1000Example: New-ThrottlingPolicy -Name:”IM and Presence ThrottlingPolicy” -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:5000 -EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000
    5. Run the Set-ThrottlingPolicyAssociation command to associate the new Throttling Policy with the service account used in Step 2 above. Set-ThrottlingPolicyAssociation -Identity “<Username>” -ThrottlingPolicy “<Policy Name>”Example: Set-ThrottlingPolicyAssociation -Identity “Ex2010” -ThrottlingPolicy “IM and Presence ThrottlingPolicy”

    What To Do Next

    Verify permissions on the Exchange 2010 account.

    Related Tasks
    Related Information

    Verify permissions on the Exchange 2010 account

    After you have assigned the permissions to the Exchange 2010 account, you must verify that the permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate the account of another user. On Exchange 2010, it takes some time for the permissions to propagate to mailboxes.

    Before You Begin
    • Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2010 Configuration Checklist (EWS) topic.
    Procedure
      Step 1   Open the Exchange Management Shell (EMS) for command line entry.
      Step 2   Verify that the service account has been granted the required Impersonation permissions:
      1. Run this command in the EMS: 
        Get-ManagementRoleAssignment -Role ApplicationImpersonation
      2. Ensure that the command output indicates role assignments with the Role "ApplicationImpersonation” for the specified account as follows:

        Example: Command Output

        Name- - - - - - 
        Role - - - -
        		 
        RoleAssigneeName- - - - - - - - - - - - -
        		 
        RoleAssigneeType- - - - - - 
        AssignmentMethod- - - - - 
        EffectiveUserName- - - - - - - - -
        		 
        _suImpersonateRoleAsg 
        ApplicationImpersonation 
        ex 2010 
        User
        		 
        Direct
        		 
        ex 2010
      Step 3   Verify that the management scope that applies to the service account is correct:
      1. Run this command in the EMS: 
        Get-ManagementScope _suImpersonateScope
      2. Ensure that the command output returns the impersonation account name as follows:

        Example: Command Output

        Name- - - - - - 
        ScopeRestrictionType - - - -
        		 
        Exclusive- - - - - - - - 
        RecipientRoot - - - - - - 
        RecipientFilter- - - - - 
        ServerFilter
- - - - - - - - -
        		 
        _suImpersonateScope
        		 
        ServerScope 
        False 
        
        		

        
        		

        DistinguishedName
        
        		

        
        

        

        

        3. 

      

      

      Step 4  
            Verify that the ThrottlingPolicy parameters match what is defined in Table 1.
      1. Run this command in the EMS: 
        Get-ThrottlingPolicy -Identity "<Policy Name>" | findstr ^EWS
        

        2. 

      2. Ensure that the command output has the same values defined in Table 1:
        3. 

      

      

      
What to Do Next
      Authentication on Exchange 2007/​2010 virtual directories
      

      

      

      Authentication on Exchange 2007/2010 virtual directories
      

      You must enable basic authentication on the Exchange virtual directories (/exchange and /exchweb) for Microsoft Office Outlook Web Access to work properly. The /exchange directory handles mailbox access requests for OWA and WebDAV. The /exchweb directory contains resource files used by OWA and WebDAV. You can also optionally enable Windows Integrated Authentication on the Exchange virtual directories. Furthermore, Forms Based Authentication can be optionally enabled. 
      


      

      

      Enable authentication on Exchange 2007 with Windows Server 2003 installed
      

      Procedure
        Step 1  
            From Administrative Tools, open Internet Information Services and select the server. 
        

        Step 2  
            Select Web Sites and then Default Web Site.
        

        Step 3  
            Right click either the /exchange or /exchweb directory folder and select Properties. 
        

        Step 4  
            Select the Directory Security tab.
        

        Step 5  
            Under Authentication and access control, select Edit.
        

        Step 6  
            Under Authentication, ensure that the following checkboxes are checked:    
        • Basic Authentication (password is sent in clear text)

          • 

        • Integrated Windows authentication

          • 

        

        

        Step 7  
            [Optional] If you want to enable Forms Based Authentication, complete the following steps:
        1. Open the Exchange Management Console (EMC).
          2. 

        2. From the left pane, select Server Configuration > Client Access.
          3. 

        3. Select the appropriate server in the Client Access pane and select the Outlook Web Access tab.
          4. 

        4. Right-select owa (Default Web Site) and select Properties.
          5. 

        5. Select the Authentication tab.
          6. 

        6. Select Use forms-based authentication and under Logon Format select Domain\user name.
          7. 

        
 
        Note   
                
              
        Basic authentication is enabled by default for OWA when Forms Based Authentication is selected.
        

        

        

        
What to Do Next
        Configure presence gateway for Microsoft Exchange integration
        

        

        

        Enable authentication on Exchange 2010 with Windows Server 2008 installed
        

        Procedure
          Step 1  
            Open the Exchange Management console and select the server. 
          

          Step 2  
            Select Server Configuration.
          

          Step 3  
            Select Client Access.
          

          Step 4  
            Select the server hosting the Outlook Web App virtual directory.
          

          Step 5  
            Select the Outlook Web App tab.
          

          Step 6  
            In the work pane, select the virtual directory on which you want to configure authentication  and right-click it.
          

          Step 7  
            Select Properties and select the Authentication tab. 
          

          Step 8  
            Under Authentication, verify that these check boxes are checked and then select OK: 
          • Basic Authentication (password is sent in clear text)

            • 

          

          • Integrated Windows authentication 

            • 

          

          

          Step 9  
            Select the Exchange Control Panel directory.
          

          Step 10  
            In the work pane, select the virtual directory on which you want to configure authentication  and  right-click it. 
          

          Step 11  
            Under Authentication, verify that these check boxes are checked and then select OK: 
          • Basic Authentication (password is sent in clear text)

            • 

          

          • Integrated Windows authentication 

            • 

          

          

          Step 12  
            Enter the following command in the CLI to restart IIS for the changes to take effect: 
          iisreset /noforce
          

          

          Step 13  
            In the Control Panel, verify IIS Admin Service and World Wide Publishing Service are in a started state.
          

          Step 14  
            [Optional] If you want to enable Forms Based Authentication, complete the following steps:
          1. Open the Exchange Management Console (EMC).
            2. 

          2. From the left pane, select Server Configuration > Client Access.
            3. 

          3. Select the appropriate server in the Client Access pane and select the Outlook Web Access tab.
            4. 

          4. Right-select owa (Default Web Site) and select Properties.
            5. 

          5. Select the Authentication tab.
            6. 

          6. Select Use forms-based authentication and under Logon Format select Domain\user name.
            7. 

          
 
          Note   
                
              
          Basic authentication is enabled by default for OWA when Forms Based Authentication is selected.
          

          

          

          
What to Do Next
          Configure presence gateway for Microsoft Exchange integration
          

          

          Related Information