How to Integrate Lync Server 2010 with Exchange 2010 SP1+ OWA

Thursday, September 30, 2010
Lync Server 2010 can be integrated with Exchange 2010 SP1 or better, so that Exchange Outlook Web App can also act as a Lync web client.  Once integrated, users will automatically log into Lync when they log into OWA.  The OWA interface changes to include the following new features:
  • Sign In and Sign Out - Users can sign in or sign out of instant messaging from OWA.  Once signed in, the user will automatically sign into IM every time they sign into OWA.
  • Presence - User presence information is available for Lync users, showing a colored chiclet indicating their availability.
  • Contact List - The user's Lync IM contact list is made available in the OWA folder pane.  Users can be added and removed, and contact groups can be managed directly from OWA.
  • Instant Messaging - Lync users can chat with other Lync users using instant messaging directly from OWA.
  • Right-Click Functionality - Right-click menus and actions are updated to include new Lync features.  For example, right-click an email address to chat with the user or add them to an IM contact list.
All of these new OWA features can be seen in the screenshot below:


An instant messaging chat session can be started from OWA by double-clicking a contact in the Contact List or right-clicking an email address and choosing Chat.


This article explains how to configure Lync Server 2010 integration with Exchange 2010 SP1 or better.  I will assume that you have functional Lync Server 2010 and Exchange Server 2010 SP1 or SP2 servers already set up.  Let's get started.

Download and install the Microsoft Office Communications Server 2007 R2 Web Service Provider from http://www.microsoft.com/downloads/en/details.aspx?familyid=CA107AB1-63C8-4C6A-816D-17961393D2B8&displaylang=en on your Client Access Server.  This MSI package extracts the installation programs to the local hard drive.  Normally it will put them in C:\Web Service Provider Installer Package, but I've also seen it install to a different drive.  Make note of the location it uses during installation.

The package will extract the following files:


Next, download and save the OCS 2007 R2 Web Service Provider Hotfix KB 981256 from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=45C94403-39FA-44D3-BE23-07F25A2D25C7 to the same C:\Web Service Provider Installer Package folder.

Download and save the Unified Communications Managed API 2.0 Redist (64 Bit) Hotfix KB 2400399 from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1F565A42-71D2-4FBD-8AE0-4B179E8F02AB to the same C:\Web Service Provider Installer Package folder.

If your CAS server is running Exchange 2010 SP1 on Windows Server 2008 R2, you need to download and save the UcmaRedist.msp patch in Microsoft Office Communications Server 2007 R2 Hotfix KB 968802 from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19178.  The tricky part here is that the file name (UcmaRedist.msp) is the same as the Communications Managed API 2.0 Redist (64 Bit) Hotfix KB 2400399 you just downloaded.  Just rename this file to something like UcmaRedist-R2.msp.

Now install the following files as Administrator in this order:
  1. vcredist_x64.exe
  2. UcmaRedist.msi
  3. UcmaRedist.msp
  4. UcmaRedist-R2.msp, if your CAS is running on Windows Server 2008 R2
  5. CWAOWASSP.msi
  6. CWAOWASSP.msp
  7. dotnetfx35setup.exe, if the .NET Framework 3.5 is not installed on Windows Server 2008.  For Windows Server 2008 R2, install the .NET Framework 3.5.1 feature from Server Manager.
Note that the MSI and MSP packages have a limited GUI during setup and don't indicate that they've installed successfully.

Next we need to configure the Exchange 2010 SP1 Client Access Server for Lync Server integration.  Run the following two commands from the Exchange Management Shell on the CAS:

$cert = (Get-ExchangeCertificate | Where {$_.Services -ilike "*IIS*"}).Thumbprint
Get-ExchangeServer (hostname) | Get-OWAVirtualDirectory | Set-OWAVirtualDirectory -InstantMessagingType OCS -InstantMessagingEnabled:$true -InstantMessagingCertificateThumbprint $cert -InstantMessagingServerName pool.domain.com
Be sure to change pool.domain.com to the FQDN of your Lync Server FE pool.  (hostname) automatically resolves to the hostname of the server you're running the cmdlet from.
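As an added example (not code from the original post or from Microsoft), the Exchange-side step above can be wrapped in one verification script run from the Exchange Management Shell on the CAS: it checks that the Web Service Provider registered its IM DLL, picks the IIS certificate whose Subject CN matches the name you will enter as the Trusted Application Pool FQDN in the Lync topology (the comments below trace most greyed-out IM cases to that name/certificate mismatch, or to the one-liner returning more than one IIS certificate), applies the Set-OWAVirtualDirectory settings only when run with -Apply, and reads the InstantMessaging* values back.  The placeholders pool.domain.com and cas.domain.com are the post's own; the "MSExchange OWA" event source name and the SignatureAlgorithm property on the certificate object are assumptions.

```powershell
# Added example: verify and apply the OWA instant-messaging settings on this CAS.
# Run from the Exchange Management Shell. The defaults are the post's placeholders;
# replace them with your Lync FE pool and the name on your IIS certificate.
param(
    [string]$LyncPoolFqdn = "pool.domain.com",  # Lync Front End pool FQDN
    [string]$OwaFqdn      = "cas.domain.com",   # name used for the Trusted Application Pool
    [switch]$Apply                              # without -Apply the script only reports
)

# 1. The IM provider DLL path written by CWAOWASSP.msi. If the value is missing or the
#    file is gone, OWA logs that the IM provider registry location has no DLL path and
#    every IM control stays greyed out.
$imKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA\InstantMessaging"
$dll = (Get-ItemProperty -Path $imKey -ErrorAction SilentlyContinue).ImplementationDLLPath
if (-not $dll -or -not (Test-Path -Path $dll)) {
    Write-Warning "ImplementationDLLPath missing or invalid under $imKey - reinstall CWAOWASSP.msi and CWAOWASSP.msp"
}

# 2. Pick the IIS certificate. The post's one-liner returns every certificate with the
#    IIS service enabled; with more than one, $cert becomes an array and the wrong (or no)
#    thumbprint is applied. Commenters report that Lync needs the pool name to be the
#    certificate Subject, not just a SAN entry, so prefer the cert whose CN is $OwaFqdn.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -ilike "*IIS*" })
if ($iisCerts.Count -eq 0) { throw "No certificate has the IIS service enabled on this CAS" }
$cnPattern = '^CN=' + [regex]::Escape($OwaFqdn) + '(,|$)'
$cert = $iisCerts | Where-Object { $_.Subject -match $cnPattern } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No IIS certificate has Subject CN=$OwaFqdn (a SAN entry alone is not enough); using the first one"
    $cert = $iisCerts[0]
}
if ($iisCerts.Count -gt 1) {
    Write-Warning ("{0} IIS certificates found; selected thumbprint {1}" -f $iisCerts.Count, $cert.Thumbprint)
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate $($cert.Thumbprint) expires $($cert.NotAfter)" }
# SignatureAlgorithm is an X509Certificate2 property and is assumed to be exposed on the
# Exchange certificate object; a SHA-512 signed certificate is reported in the comments to break IM.
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match "512") { Write-Warning "Certificate is signed with $sigAlg; SHA-512 certificates are reported not to work" }

# 3. Apply to this server's OWA virtual directory only (the same scoping the post uses with
#    Get-ExchangeServer (hostname)), then read the settings back for confirmation.
$vdirs = Get-ExchangeServer (hostname) | Get-OwaVirtualDirectory
if ($Apply) {
    $vdirs | Set-OwaVirtualDirectory -InstantMessagingType OCS -InstantMessagingEnabled:$true `
        -InstantMessagingCertificateThumbprint $cert.Thumbprint -InstantMessagingServerName $LyncPoolFqdn
    Write-Host "Applied. Run iisreset if OWA still reports IM as unavailable."
} else {
    Write-Host "Dry run: would set thumbprint $($cert.Thumbprint) and server $LyncPoolFqdn (re-run with -Apply)."
}
Get-ExchangeServer (hostname) | Get-OwaVirtualDirectory | Format-List Identity, InstantMessaging*

# 4. Surface recent OWA errors and warnings (the "MSExchange OWA" source name is assumed).
Get-EventLog -LogName Application -Source "MSExchange OWA" -EntryType Error, Warning `
    -After (Get-Date).AddHours(-1) -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-Table -AutoSize -Wrap
```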

Now we need to configure the Lync 2010 server.  Use the Lync Server Topology Builder to add a new Trusted Application Pool, as follows:
  • Open the existing topology.
  • Expand your Lync Server 2010 > your sitename.
  • Right-click Trusted application servers and select New Trusted Application Pool.
  • Enter your CAS server or CAS array's FQDN in the Pool FQDN field, select Single Computer Pool and click Next.  If you're using a hardware load balancer with separate VIPs for OWA and MAPI connections, use the FQDN for the OWA (HTTPS) connections.
  • Select the Front End Pool for the Trusted Application Pool.
  • Click Finish.
  • Right-click the new Trusted Application Server and select Edit Properties.
  • Clear the check box for Enable replication of configuration data to this pool and click OK.
  • Publish the new topology.  If you used the CAS Array or HTTPS VIP FQDN above, you will get a warning about the computer name not existing in Active Directory.  This is safe to ignore.
The final step is to create a new CsTrustedApplication using the Lync Server Management Shell on the Lync 2010 server.  Run the following command from the management shell:

New-CsTrustedApplication -ApplicationID ExchangeOutlookWebApp -TrustedApplicationPoolFqdn cas.domain.com -Port 9999
Enable-CsTopology
Be sure to change the TrustedApplicationPoolFqdn value in the command above to the FQDN of your CAS server or CAS array.  The Port value can be any unused TCP port.

Now login to Outlook Web App and enjoy the new Lync Server goodness!


51 comments:

  1. Great walkthru, however, when I go to install UcmaRedist.msi it says I need to install .Net Framework 3.5. I am running 2008 R2, so I go to Server Manager and I see that it is already installed. Help?

  2. Had to uninstall .Net 4.0 stuff to proceed with the install. Lame, but effective.

  3. Also - there is a " missing from the above string after 'IIS' - it should look like below:

    $cert = (Get-ExchangeCertificate | Where {$_.Services -ilike "*IIS*"}).Thumbprint

  4. Hi, great post!

    I ran the above and all went well. However, when I then login to OWA I can see the LYNC IM Presence ICON (i.e. the Available, Busy, ..etc) but it is all greyed out and when I click on the Sign In to IM from OWA nothing happens. Any idea where I may have gone wrong?

    Thanks

    ECL

  5. I had the same problem the first time, due to the fact that there are two versions of the UcmaRedist.msp patch which are named the same. Review the steps above and try reconfiguring it again.

  6. I've applied the R2 update. But mine is still grayed out and not selectable.

  7. I'm getting the below within the Event log. Everything grayed out.

    The IM provider registry location doesn't contain a path to the implementation .dll file.

    Key: SYSTEM\CurrentControlSet\Services\MSExchange OWA\InstantMessaging
    String: ImplementationDLLPath

  8. Hi, any development on the greyed out IM in OWA? Because I have the same problem; all patches are added, even the R2 one (running W2K8 R2 Ent).

  9. Please double-check each of the steps above. I've implemented this many times with no issues, as long as the steps above are followed carefully.

  10. If I do these steps will there be any need for a reboot of our "only" CAS server? Any downtime required for a reboot? Restart services? Anything?

  11. Nope, no need to restart anything. It just works.

  12. Hi Jeff,

    I would like to thank you for this blog post, it's been definitely informative.

    In my lab implementation, I've experienced a few problems with the integration while I followed your step by step guide. The reason why my integration failed was that the hash algorithm of the certificate was sha512 on both the Exchange Server and the Lync Server.

    I've written a blog post about this matter and I hope that it helps also your blog readers.

    http://blog.kabal.se/post/2010/12/27/Integrate-Lync-Server-2010-with-Exchange-2010-SP1-OWA-sha512-Certificate-Limitation.aspx

    Best Regards
    Omid

  13. Get-OwaVirtualDirectory | fl *instant* in Exchange Management Shell reveals only

    •InstantMessagingType = none

    •InstantMessagingEnabled = false

    How can I get the rest, i.e.

    •InstantMessagingCertificateThumbprint =

    •InstantMessagingServerName =

    Please help me

  14. I just used these directions after trying other directions earlier and these worked first time. Thanks.

  15. I have followed your steps, but get the message "instant messaging is not available at this moment".
    When I run this command: Get-CsManagementStoreReplicationStatus I see that the replication status with Exchange is false. What can I do about it?

  16. Hi,
    I followed all the instructions, but it does not work. I read all user comments. The issue is that my local Exchange FQDN and my GoDaddy CAS certificate name FQDN are different, for example:
    exchange server fqdn: abc.contose.com
    CAS Certificate name: mail.contose.com
    Lync fqdn: lync.contose.com
    local ad: xyz.contose.com

    When I create a trusted role on Lync it gives me an error that mail.contose.com does not exist in Active Directory. Then I created a computer named "mail" in ADUC, but it had no effect.
    This is my production environment and I don't want to make any mess on my Exchange server CAS certificate. Please help, what can I do?

  17. "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available"...

    I'm getting the above error when I login to OWA. I have analysed the logs using the Lync Logging tool and it appears my problem may be certificate related as the following error is flagged:

    "The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?"

    My Exchange is using a public CA. It is also Exchange 2010 SP1 on Windows 2008 R2. Lync is also on R2 but using a self signed certificate. Any ideas on why I'm getting the above errors?

  18. Sounds like AD replication has not completed.

  19. Thanks for your answer Jeff but I don't think that is likely. This is one single site with one DC. The problem appears to be certificate related. Both certs are only capable of server authentication. Do these need to include client authentication? As the Exchange server rejects the Lync cert. At least that's what the SIP Stack is telling me. Unless it's a red herring.....

  20. Great, thanks for the information. I have followed your guide and it works perfectly. I have 2 Exchange 2010 SP1 CAS servers with OWA and a Lync 2010 Enterprise deployment with Edge services working beautifully! Keep up the good work! cheers, KRC

    Replies
    1. I'm trying to add the integration to my 2nd CAS and I'm getting the "Instant Messaging isn't available right now..." message. The reason I think this is happening is because I'm using the same 3rd party cert for both servers and Lync doesn't like the SAN being presented to it. Is there a way around this?

  21. What if you're in a coexistence scenario where you have some users on Lync and others on OCS. Is this a case of one or the other, but not both? Assuming that is the case and you point OWA to Lync, what is the experience for someone who logs in and isn't on Lync yet?

    Replies
    1. Hi Scott, Not sure if anything has changed with SPs or other hotfixes released since you posted your question, but for me OWApp integration is working great for both our Lync and OCS 2007 R2 users during coex. We have all CAS servers configured to use our Lync SE server and all users can now see their buddy lists in OWApp and interact with each other using IM.

      Cheers,
      Garry

  22. Hi Scott,

    Lync OWA integration only works for Lync users. If you're already using CWA 2007 and want to minimize web access downtime, migrate Lync users only when they've been migrated to Exchange 2010.

  23. I've followed this procedure to a T. Doesn't work.

  24. Jeff -

    The link for Hotfix KB 2400399 is now pointing to Hotfix KB 2647091, so both UcmaRedist.msp are the same 4 MB file.

    I followed all the other steps, it's not working though.

  25. Great instructions, thanks Jeff!

    The only issue I had was the certificate assignment grabbed the public UC cert and not the internally signed cert.

    I ran Get-ExchangeCertificate and then copied the correct thumbprint. Then ran Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint . After a quick IISReset, OWA/Lync integration came right up.

  27. Thanks for this, but I had the problem of IM not signing in (nothing happens, Chat greyed out). Used the Lync logging tools and Res Kit to analyze. Turns out it was trying my external FQDN of my CAS instead of my internal FQDN (webmail.domain.com instead of webmail.domain.local). Deleted Trusted App Server from topology, re-published, recreated Trusted App Server using external FQDN and re-published. Then re-ran New-CsTrustedApplication cmdlet using External FQDN and bingo, all now working.

  28. Will these same steps work with SBS 2011? I have done the above and when I log into OWA I don't see the lync integration. Any ideas?

  29. I don't work with SBS, so I honestly don't know for sure. I would imagine it would work just fine, but I did find this info:

    If you have problems saying that you need to have Framework 3.5, uninstall Framework 4.0 Extended and Client from Add/Remove Programs.

    In SBS 2011 when you uninstall Framework 4.0 it will break Remote Web Workplace. To fix Remote Web Workplace, reinstall .Net Framework 4.0, go to IIS 7, expand Application Pools, go to SBS Web Work Place, Advanced Settings and change .Net Framework Version to 4.0 after reinstalling it.

  30. Well that is probably the issue. I didn't install framework 3.5 as I took the following statement

    "dotnetfx35setup.exe, if the .NET Framework 3.5 is not installed on Windows Server 2008. For Windows Server 2008 R2, install the .NET Framework 3.5.1 feature from Server Manager."

    To mean that I didn't have to install 3.5 since sbs 2011 is built on 2008 R2.

  31. My fix was to reboot the server and also I originally had exchange.domain.local as the trusted application. I would then get a gray box and the contact list would not show up. Doing a trace with the logging tool I found it was looking for external.domain.com so I added it, rebooted, now all is good.

    Thanks.

  32. Thanks man but you have to restart the IIS

  33. Hi Jeff,

    Just one question! I'm using a CA signed certificate for IIS, and the common name for the certificate is mail.mydomain.com.
    Does this affect the integration? And what do I enter in the Trusted application pool? My Outlook Anywhere FQDN is the same as my certificate's Common Name "mail.mydomain.com" and my CAS host server's name is exchange.mydomain.com.

    Which one do I enter for the trusted application pool ?
    Thanks

  34. RESOLVED: I got the following error in OWA too: "Instant Messaging isn't available right now..."
    Problem: the external and internal FQDN of the CAS server are different: mail.domain.com and mail.int.domain.com. When you install the cert on the CAS server, the SN of the certificate is mail.domain.com, and in the New-CsTrustedApplication command you must use the SN of the cert, NOT the SAN. http://technet.microsoft.com/en-us/library/gg420962.aspx

    -install cert on CAS with SN mail.domain.com
    -create trusted application in topology builder with mail.domain.com (IGNORE WARNINGS which tell you that mail.domain.com is not a domain member; go ahead and Publish the Topology)
    -add to the Lync FE server's hosts file: mail.domain.com
    -run
    New-CsTrustedApplication -ApplicationId -TrustedApplicationPoolFqdn MAIL.DOMAIN.COM -Port
    refresh the OWA page, it worked!

  35. We publish Webmail through an internal interface of UAG/TMG which prevented this from working initially because of the port requirement. As some posters noted on here, it's important to use the Webmail FQDN of the primary name which is on the IIS cert (some companies will add the CAS Array Name as a SAN on the cert as this name can be different than the Webmail FQDN name). In our case, we used the Webmail FQDN when creating the Trusted Application in Lync but had to create a HOST file entry which pointed to the CAS Array IP, thus bypassing the UAG/TMG. Once the IISReset was completed on all CAS servers in the array, the solution started working perfectly!

    Thanks for the guide!...

    Replies
    1. Worked for me as well after creating the hosts file entry mail.domain.com and pointing it to the internal IP of the CAS, thanks for the article. By the way, no restart of any kind was required.

  36. One additional thing:
    Lync tries to replicate to the Exchange boxes, which don't have an RTC replica on them. This throws a red X in the topology screen, and may cause other script based stuff to show failures (SCOM for example).
    It's not being used, so you can turn it off (Identity is the Trusted Application Pool FQDN):

    Set-CsTrustedApplicationPool -Identity cas.domain.com -RequiresReplication $false -Verbose

  37. Thanks. That Lync cmdlet would be used if you didn't clear the check box for "Enable replication of configuration data to this pool", as specified above.

  38. I have also followed the instructions and am getting IM greyed out, cannot sign in to OWA....

  39. As many others above, I have followed the directions above without issue, but all Lync functionality in OWA is greyed out. Hopefully someone out there will find a solution to this soon. I am at a loss.

  40. I have followed the same steps but am not able to reply from Communicator to OWA, and communication between OWA users is also not working.

  41. I followed these steps through several times. I even tried resetting IIS and resetting the Lync web compatibility service. Eventually I gave up and simply rebooted the FE and CAS servers, and it works! I did need to reboot :p

  42. A few have mentioned using the Lync logging tool to check how things were integrating.... What were you tracing? I see nothing on SIP... is it LCSServer? Where are you guys seeing the certificate problem hinting that the names were wrong?

  43. I spent hours troubleshooting this, even reading all the comments.

    My problem was with the Subject Alternative Names (SAN) in the certificate. Once I created a certificate where the Subject Name matched my OWA directory namespace/trusted application pool name -- without listing the individual CAS server names in the cert-- it worked!

  44. The OWA cannot use the IM feature, but I have a question about the PS command "New-CsTrustedApplication -ApplicationID ExchangeOutlookWebApp -TrustedApplicationPoolFqdn cas.domain.com -Port 9999".
    The cas.domain.com, what name do I need to replace it with?
    Because I use the internal domain name for the server, "srv.abc.local". Is that OK or not?
    Many Thanks

  45. This has helped a lot. The problem I had was the Cert no error just greyed out. Finally changed the Pool to the Subject name on Cert and everything works.

  46. I have 2 IIS virtual directories that show up when I perform the get-owavirtualdirectory. We have 2 sites one in the US and one in the UK but for now I only want to get this working in the US. How can I apply the powershell to only that server?

  47. Great article, but I get "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available". I believe it has to do with my OWA certificate being a wildcard, which needs to remain that way.

    I've done some googling and cannot figure out a way to keep the wildcard cert and fix this issue without it affecting external webmail access.

    please help

  48. Found the solution to my answer and also created an updated blog for it.
    http://www.techtroubleshoot.com/2013/03/install-lync-and-exchange-im-integration-with-multiple-exchange-servers-on-one-exchange-server/
