Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over EWS)
Revised: November 30, 2012
Note This module describes the integration of Cisco Unified Presence with Microsoft Exchange Server 2007 and 2010 over Exchange Web Services (EWS). If you are integrating with the Exchange server 2003 or 2007 over WebDAV, see Chapter 2 "Configuring Microsoft Exchange Server 2003 and 2007 for Integration with Cisco Unified Presence (over WebDAV)." For an overview of each type of Exchange integration, we recommend that you review Chapter 1 "Planning for Cisco Unified Presence Integration with Microsoft Exchange".
•Microsoft Exchange 2007 Configuration Checklist (EWS)
•Verifying Permissions on the Exchange 2007 Account
•Microsoft Exchange 2010 Configuration Checklist (EWS)
•Verifying Permissions on the Exchange 2010 Account
•How to Enable Authentication on the Exchange 2007/2010 Virtual Directories
Microsoft Exchange 2007 Configuration Checklist (EWS)
Before You Begin
Note that the steps required to configure Exchange 2007 server will differ depending on whether you use Windows Server 2003 or Windows Server 2008.
Table 3-1 provides a summary checklist to follow when configuring access to mailboxes on the Microsoft Exchange 2007 server on Windows Server 2003 and Windows Server 2008. For detailed instructions, see the Microsoft Server 2007 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx
Table 3-1 Configuration tasks for Microsoft Exchange 2007 Components
Troubleshooting Tips
Cisco Unified Presence only requires Receive As permissions on the account to enable it to sign in to that account when it connects to the Exchange server. Note that this account does not typically receive mail so you do not need to be concerned about allocating space for it.
What To Do Next
Verifying Permissions on the Exchange 2007 Account
Verifying Permissions on the Exchange 2007 Account
After you have assigned the permissions to the Exchange 2007 account, you must verify that the permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to mailboxes.
Before You Begin
Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2007 Configuration Checklist (EWS) topic.
Procedure
Step 1 In the EMC on the Exchange 2007 server, right-click Active Directory Sites and Services in the console tree.
Step 2 Point to View, and then select Show Services Node.
Step 3 Expand the service node, for example, Services/MS Exchange/First Organization/Admin Group/Exchange Admin Group/Servers.
Step 4 Verify that the CAS is listed for the service node that you selected.
Step 5 View the "Properties" of each CAS server, and under the Security tab, verify that:
a. Your service account is listed.
b. The permissions granted on the service account indicate (with a checked box) that the Exchange Web Services Impersonation permission is allowed on the account.
Step 6 Verify that the service account (for example, Ex2007) has been granted Allow impersonation permission on the storage group and the mailbox store to enable it to exchange personal information and to send as and receive as another user account.
Troubleshooting Tips
•If the account or the impersonation permissions do not display as advised in Step 5, you may need to recreate the service account and ensure that the required impersonation permissions are granted to the account.
•You may be required to restart the Exchange server for the changes to take effect. This has been observed during testing.
What To Do Next
How to Enable Authentication on the Exchange 2007/2010 Virtual Directories.
Microsoft Exchange 2010 Configuration Checklist (EWS)
Table 3-3 provides a summary checklist to follow when configuring access to mailboxes on the Microsoft Exchange 2010 server. For detailed instructions, see the Microsoft Server 2010 documentation at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Before You Begin
Before you integrate Microsoft Exchange 2010 server with Cisco Unified Presence over EWS, ensure that you configure the following throttle policy parameter values on the Exchange server. These are the values that are required for the EWS calendaring integration with Cisco Unified Presence to work.
Table 3-2 Recommended Throttle Policy Parameter Values on Microsoft Exchange
Table 3-3 Configuration tasks for Microsoft Exchange 2010 Components
Task Procedure
Ensure the Windows security policy settings are correct.
Set Exchange Impersonation Permissions for Specific Users or Groups of Users
Via the Exchange Management Shell (EMS)
1. Open the EMS for command line entry.
2. Run the New-ManagementRoleAssignment command in the EMS to grant a specified service account (for example, Ex2010) the permission to impersonate other user accounts:
Syntax
new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:user@domain
Example
new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg -Role:ApplicationImpersonation -User:Ex2010@domain
3. Run the New-ManagementScope command to define the scope to which the impersonation permissions apply. In this example, the Ex2010 account is granted the permission to impersonate all accounts on a specified Exchange Server.
Syntax
new-ManagementScope -Name:_suImpersonateScope -ServerList:<server name>
Example
new-ManagementScope -Name:_suImpersonateScope -ServerList:nw066b-227
4. Run the New-ThrottlingPolicy command to create a new Throttling Policy with the recommended values defined in Table 3-2.
Syntax
New-ThrottlingPolicy -Name:"<Policy Name>" -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:5000 -EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000
Example
New-ThrottlingPolicy -Name:"Cisco Unified Presence ThrottlingPolicy" -EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:5000 -EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000
5. Run the Set-ThrottlingPolicyAssociation command to associate the new Throttling Policy with the service account used in Step 2 above.
Syntax
Set-ThrottlingPolicyAssociation -Identity "<Username>" -ThrottlingPolicy "<Policy Name>"
Example
Set-ThrottlingPolicyAssociation -Identity "Ex2010" -ThrottlingPolicy "Cisco Unified Presence ThrottlingPolicy"
What To Do Next
Verifying Permissions on the Exchange 2010 Account
Related Topics
For a complete description of the Microsoft Exchange server parameters, see here: http://technet.microsoft.com/en-us/library/dd351045.aspx
Verifying Permissions on the Exchange 2010 Account
After you have assigned the permissions to the Exchange 2010 account, you must verify that the permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate the account of another user. On Exchange 2010, it takes some time for the permissions to propagate to mailboxes.
Before You Begin
•Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2010 Configuration Checklist (EWS) topic.
Procedure
Step 1 Open the Exchange Management Shell (EMS) for command line entry.
Step 2 Verify that the service account has been granted the required Impersonation permissions:
a. Run this command in the EMS:
Get-ManagementRoleAssignment -Role ApplicationImpersonation
b. Ensure that the command output indicates role assignments with the Role "ApplicationImpersonation" for the specified account as follows:
Example: Command Output
Step 3 Verify that the management scope that applies to the service account is correct:
a. Run this command in the EMS:
Get-ManagementScope _suImpersonateScope
b. Ensure that the command output returns the impersonation account name as follows:
Example: Command Output
Step 4 Verify that the ThrottlingPolicy parameters match what is defined in Table 3-2.
a. Run this command in the EMS:
Get-ThrottlingPolicy -Identity "<Policy Name>" | findstr ^EWS
b. Ensure that the command output has the same values defined in Table 3-2:
What To Do Next
How to Enable Authentication on the Exchange 2007/2010 Virtual Directories
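The checks in Steps 2 and 4 of the Exchange 2010 verification can be scripted. The PowerShell function below is an added example, not part of the Cisco procedure: it takes the output of Get-ManagementRoleAssignment and Get-ThrottlingPolicy, reports an impersonation assignment that has no custom write scope attached (the checklist creates the scope and the role assignment as separate objects), and compares the EWS throttling values with those passed to New-ThrottlingPolicy in the checklist. The function name Test-CupEwsAccount and the sample objects are assumptions, and the account name must match RoleAssigneeName as the cmdlet prints it.

```powershell
# Added example, not from the Cisco guide. Expected values are the ones the
# checklist on this page passes to New-ThrottlingPolicy.
$Recommended = @{
    EWSMaxConcurrency = '100'; EWSPercentTimeInAD = '50'
    EWSPercentTimeInCAS = '90'; EWSPercentTimeInMailboxRPC = '60'
    EWSMaxSubscriptions = '5000'; EWSFastSearchTimeoutInSeconds = '60'
    EWSFindCountLimit = '1000'
}

function Test-CupEwsAccount {    # hypothetical helper name
    param([string]$Account, [object[]]$Assignments, $Policy)
    $findings = @()
    # Keep only the assignments held by the service account
    $mine = @($Assignments | Where-Object { $_.RoleAssigneeName -eq $Account })
    if ($mine.Count -eq 0) {
        $findings += "No ApplicationImpersonation assignment found for $Account"
    }
    foreach ($a in $mine) {
        # Without a custom write scope the account can impersonate every
        # mailbox in the organization, not only those on the listed server.
        if (-not $a.CustomRecipientWriteScope) {
            $findings += "Assignment '$($a.Name)' is unscoped; attach the scope with -CustomRecipientWriteScope"
        }
    }
    foreach ($name in ($Recommended.Keys | Sort-Object)) {
        $actual = "$($Policy.$name)"    # compare as strings
        if ($actual -ne $Recommended[$name]) {
            $findings += "$name is '$actual', expected '$($Recommended[$name])'"
        }
    }
    return $findings
}

# Constructed sample objects standing in for real cmdlet output
$sampleAssignments = @(New-Object PSObject -Property @{
    Name = '_suImpersonateRoleAsg'; RoleAssigneeName = 'Ex2010'
    CustomRecipientWriteScope = $null })
$samplePolicy = New-Object PSObject -Property @{
    EWSMaxConcurrency = 100; EWSPercentTimeInAD = 50; EWSPercentTimeInCAS = 90
    EWSPercentTimeInMailboxRPC = 60; EWSMaxSubscriptions = 5000
    EWSFastSearchTimeoutInSeconds = 60; EWSFindCountLimit = 250 }
Test-CupEwsAccount -Account 'Ex2010' -Assignments $sampleAssignments -Policy $samplePolicy

# Against a live server, from the EMS:
# Test-CupEwsAccount -Account 'Ex2010' `
#   -Assignments (Get-ManagementRoleAssignment -Role ApplicationImpersonation) `
#   -Policy (Get-ThrottlingPolicy -Identity '<Policy Name>')
```

An empty result means the assignment is scoped and every EWS throttling value matches the checklist.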
How to Enable Authentication on the Exchange 2007/2010 Virtual Directories
You must enable basic authentication on the Exchange virtual directories (/exchange and /exchweb) for Microsoft Office Outlook Web Access to work properly. The /exchange directory handles mailbox access requests for OWA and WebDAV. The /exchweb directory contains resource files used by OWA and WebDAV. You can also optionally enable Windows Integrated Authentication on the Exchange virtual directories. Furthermore, Forms Based Authentication can be optionally enabled.
•Enabling Authentication on Exchange 2007 Running Windows Server 2003
•Enabling Authentication on Exchange 2010 Running Windows Server 2008
Enabling Authentication on Exchange 2007 Running Windows Server 2003
Procedure
Step 1 From Administrative Tools, open Internet Information Services and select the appropriate server.
Step 2 Select Web Sites.
Step 3 Select Default Web Site.
Step 4 Right-click the EWS directory folders, and select Properties.
Step 5 Select the Directory Security tab.
Step 6 Under Authentication and access control, select Edit.
Step 7 Under Authentication Methods, verify that the following check box is unchecked:
–Enable anonymous access
Step 8 Under Authentication Methods Authenticated Access, verify that one or both of the following check boxes are checked:
–Integrated Windows authentication.
–Basic authentication (password is sent in clear text).
Step 9 Select OK.
What To Do Next
Configuring the Presence Gateway on Cisco Unified Presence for Microsoft Exchange Integration
Enabling Authentication on Exchange 2010 Running Windows Server 2008
Procedure
Step 1 From Administrative Tools, open Internet Information Services and select the server.
Step 2 Select Web Sites.
Step 3 Select Default Web Site.
Step 4 Select EWS.
Step 5 Under the IIS section, select Authentication.
Step 6 Verify that the following Authentication methods are enabled:
–Anonymous Authentication
–Windows Authentication and/or Basic Authentication
Step 7 Use the Enable/Disable link in the Actions column to configure appropriately.
What To Do Next
Configuring the Presence Gateway on Cisco Unified Presence for Microsoft Exchange Integration
Related Topics
•http://technet.microsoft.com/en-us/library/aa998849.aspx