configure Microsoft Exchange integration with the IM and
Presence Service, consult the compatibility matrix below and make
sure that you have installed and configured the required components for this
Table 1 Compatibility
Install Compatible Version
Service Packs for Windows Server 2003 (SP2)
Service Packs for Windows Server 2008 (SP2)
Service Packs for Windows Server 2012 (Standard)
Cisco Unified Communications Manager
The Cisco Unified Communications Manager release must match the
IM and Presence Service release.
IM and Presence
The IM and Presence Service release must match the Cisco
Unified Communications Manager release.
Microsoft Exchange Server 2007
Service Packs for Microsoft Exchange 2007 (SP1).
Microsoft Exchange Server 2010
Service Packs for Microsoft Exchange 2010 (SP1).
Microsoft Exchange Server 2013
Service Packs for Microsoft Exchange 2013 (SP1).
Active Directory 2003 with Windows Server 2003 (SP2)
Active Directory 2008 with Windows Server 2008 (SP2)
configured in Active Directory must be identical to those names defined in
Cisco Unified Communications Manager.
Third-Party Certificate OR Certificate Server
One or the other of these is required to generate the
Microsoft Exchange integration with IM and Presence Service supports certificates using RSA 1024 or 2048 bit keys and SHA1 and SHA256 signature algorithms.
Exchange Server 2007, 2010, and 2013 support Exchange
Web Services (EWS).
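A check for the certificate constraint stated in the table above (RSA 1024 or 2048 bit keys, SHA1 or SHA256 signatures), added here as an example and not taken from the Cisco documentation. The function name Test-ExchangeCertSupport and the file path in the usage comment are hypothetical; the Preferred column marks RSA 2048 with SHA256, since RSA 1024 and SHA1 are supported by the integration but deprecated for new certificates.

```powershell
# OIDs for the two supported signature algorithms (RSA with SHA-1 / SHA-256).
$SupportedSigOids = @{
    '1.2.840.113549.1.1.5'  = 'sha1WithRSAEncryption'
    '1.2.840.113549.1.1.11' = 'sha256WithRSAEncryption'
}
$SupportedRsaBits = 1024, 2048

function Test-ExchangeCertSupport {
    param(
        # Path to a DER or Base64 encoded certificate file (.cer / .crt).
        [Parameter(Mandatory)][string]$Path
    )

    $file = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # GetRSAPublicKey returns $null when the certificate key is not RSA (for example ECDSA).
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = 0
    if ($rsa) { $bits = $rsa.KeySize }

    $sigOid  = $cert.SignatureAlgorithm.Value
    $sigName = $SupportedSigOids[$sigOid]
    if (-not $sigName) { $sigName = "unsupported ($sigOid)" }

    $keyOk = [bool]$rsa -and ($SupportedRsaBits -contains $bits)
    $sigOk = $SupportedSigOids.ContainsKey($sigOid)

    [pscustomobject]@{
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        RsaKeyBits         = $bits          # 0 means the key is not RSA
        SignatureAlgorithm = $sigName
        Supported          = $keyOk -and $sigOk
        Preferred          = ($bits -eq 2048) -and ($sigOid -eq '1.2.840.113549.1.1.11')
    }
}

# Usage (hypothetical file name):
#   Test-ExchangeCertSupport -Path .\exchange-cas.cer | Format-List
```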
Integration with Microsoft Exchange Server over Exchange Web Services
Microsoft Exchange Server 2007 introduced Exchange Web Services (EWS) for
calendaring integration using a Simple Object Access Protocol-like (SOAP)
interface to the Exchange Server.
your EWS Presence Gateway for Exchange integrations in
the Cisco Unified CM IM and
Presence Service Administration user interface, note the following:
You can add, update or delete
one or more EWS servers with no maximum limit. However, the Troubleshooter on
Gateway Configuration window is designed to only verify and report
status of the first 10 EWS servers that you configure.
EWS Server gateways share the
credentials (Account Name and Password) that you configure for the first EWS
Server Gateway. If you change the credentials for one EWS Server Gateway, the
credentials change accordingly on all of the configured EWS gateways.
You must restart the Cisco
Presence Engine after you add, update or delete one or more EWS servers for
your configuration changes to take effect. If you add multiple EWS servers one
after another, you can restart the Cisco Presence Engine once to effect all of
your changes simultaneously.
Administrative Roles and Permissions in Exchange Server
Exchange Web Services (EWS) requires a special account to enable access to all user
calendaring information. This account is referred to as the impersonation
Exchange Server 2007
caller to access the email account of another user with Exchange Server 2007,
the EWS integration requires an account with Impersonation permissions. The
caller impersonates a given user account using the permissions that are
associated with the impersonated account instead of the permissions that are
associated with the account of the caller.
The impersonated account must be granted the
ms-Exch-EPI-Impersonation permission on the Client Access
Server (CAS) running Exchange 2007. This gives the caller the permission to
impersonate a user email account using the CAS. In addition, the caller must be
granted the ms-Exch-EPI-MayImpersonate permission on either the mailbox
database or on the individual user objects in the directory.
the Access Control List (ACL) for an individual user takes precedence over the
mailbox database setting so that you can allow a caller access to all mailboxes
in the database but if required, deny access on certain mailboxes in that
Exchange Server 2010 and 2013
Exchange Server 2010 and 2013 use Role-Based Access Control (RBAC) to assign
permissions to impersonation accounts and allow users to perform tasks specific
to their function in the organization. Depending on whether the user is an
administrator, super user, or an end-user, there are two primary methods to
apply RBAC permissions:
Management role groups—Microsoft provides 11 default management role groups during the Exchange
setup process with associated permissions specific to the role of the group.
The Recipient Management and Help Desk, for example, are built-in role groups.
Typically, super users who need to perform specific tasks are assigned to the
relevant management role group and inherit the associated permissions. For
example, a Product Support representative who needs to be able to modify the
contact details of any user across the entire Exchange organization may be
assigned as a member of the Help Desk management role group.
Management role assignment policies—For normal users who are not administrators or super users,
management role assignment policies control the specific mailboxes such users
can modify. The
ApplicationImpersonation role, when assigned to the user using the
New-ManagementRoleAssignment cmdlet, enables an account to
impersonate users in an organization to perform tasks on behalf of the user.
The scope of the role assignments is managed individually using the
New-ManagementScope cmdlet, and can be filtered to target
specific recipients or specific servers.
With RBAC, you do
not need to modify and manage the ACL as required for Exchange Server 2007.
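The scoped assignment described above, shown as an added example for the Exchange Management Shell on Exchange Server 2010 or 2013; it is not taken from the Cisco documentation. The account name, scope name, assignment name and group DN are hypothetical placeholders.

```powershell
# Hypothetical names: replace with the values used in your organization.
$ServiceAccount = 'svc-imp-ews'              # impersonation account used for EWS
$ScopeName      = 'IMP-Calendar-Scope'
$AssignmentName = 'IMP-EWS-Impersonation'
$GroupDn        = 'CN=IMP-Calendar-Users,OU=Groups,DC=example,DC=com'

# 1. Define a management scope that covers only the recipients who are
#    members of one security group, instead of every mailbox in the organization.
New-ManagementScope -Name $ScopeName `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$GroupDn'"

# 2. Assign ApplicationImpersonation to the service account, limited to that scope.
New-ManagementRoleAssignment -Name $AssignmentName `
    -Role ApplicationImpersonation `
    -User $ServiceAccount `
    -CustomRecipientWriteScope $ScopeName

# 3. Audit: list every account that effectively holds ApplicationImpersonation
#    and the write scope of each assignment.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers
$assignments |
    Select-Object Name, EffectiveUserName, RecipientWriteScope, CustomRecipientWriteScope |
    Format-Table -AutoSize

# 4. Flag assignments that are not restricted by a custom scope and therefore
#    allow impersonation of any mailbox in the organization.
$assignments |
    Where-Object { $_.RecipientWriteScope -eq 'Organization' } |
    Select-Object Name, EffectiveUserName
```

An empty result from step 4 means that no ApplicationImpersonation assignment is organization-wide.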
Configuration for Exchange Server Integrations
a large number of users (with EWS calendar integration enabled), the
IM and Presence Service must distribute the load of EWS traffic among
multiple Client Access Servers (CAS). The
IM and Presence Service can connect to a number of CAS by way of EWS, and
it uses the following round robin strategy to support the traffic load that it
The first time
that a user's calendar subscription is enabled, the user is assigned a CAS from
a pool of eligible CAS hosts configured by the administrator.
The user retains
the assignment until their calendar subscription fails.
If the user’s
calendar subscription fails, the user is again assigned a CAS from the pool of
eligible CAS hosts.
Known Issues with Exchange Web Services Integration