Configuring OWA 2010 and OCS 2007 R2 Integration

Getting the OCS WebPart on your Outlook Web App 2010 Page

{Updated Dec 5, 2009 to address inaccuracies in my original post (sorry), and the new download content from Microsoft.  Now updated to be correct. Rand}

One of the nicest integration features in Exchange 2010 Outlook Web App is the ability to integrate Office Communications Server 2007 R2 presence and instant message right in the OWA 2010 screen.

By integrating the two applications, users can simply go to OWA 2010 to get their email, calendar appointments, contacts, etc as they normally do, AND they can also see who in their IM list is online and initiate instant messaging conversations straight from within OWA.

The prerequisites for this capability are, obviously, that you are running Exchange 2010 with Outlook Web App 2010, and that you are running OCS 2007 R2.

For this configuration to work, there are four high-level steps needed:

1. Properly configure the Exchange 2010 Client Access Server.

2. Properly configure the OCS 2007 R2 Server.

3. Modify Windows Firewall on the Client Access Server.

4. Confirm user configuration.

Configuring the Exchange Client Access Server

There are five steps that must be taken to configure the Exchange Server 2010 Client Access Server:

1. Download and install the "Microsoft Office Communications Server 2007 R2 Web Service Provider" on your Exchange 2010 CAS server (this adds special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment)

2. Gather Information about the certificate used by the Client Access Server.

3. Edit the OWA Web Config file.

4. Enable OCS Integration.

5. Restart Internet Information Services.

Step 1: Downloading/Installing the OCS 2007 R2 Web Service Provider Files

Download the "Microsoft Office Communications Server 2007 R2 Web Service Provider" from Microsoft and install this update on your Exchange 2010 CAS server (it adds the special DLLs and configuration files needed to link OWA 2010 to your OCS 2007 R2 environment).

Step 2: Gather Certificate Information

The Client Access Server needs to use a certificate that is trusted by the OCS server, and it must in turn trust the OCS certificate.  Effectively, you should be able to sit on the CAS server, run Internet Explorer, access Communicator Web Access (CWA), and log on to CWA with a user account without any certificate errors.  If you sit on the OWA server, access CWA, and get an error that the certificate is not trusted, then you need to add the Root CA of the CWA certificate to "Trusted Root Certification Authorities" on the OWA server, effectively letting the OWA server know that CWA is a trusted server.  If you get any CWA certificate errors from a browser as a CWA user sitting on the OWA server, then the link between CAS and OCS won't work either.

NOTE:  To simplify the configuration, the certificate used by the Client Access Server should be issued by the same Issuer as the certificate used by OCS 2007 R2.

Assuming you have no errors running CWA from the CAS server, then using Exchange PowerShell, gather certificate information of the Exchange Server by running the following command:

Get-ExchangeCertificate | fl

(The last character of the command is an L, not a one.)

Sample Output, with only relevant information shown:

IsSelfSigned    : False
Issuer          : CN=ca1, DC=companyabc, DC=com
SerialNumber    : 71652G3R00000000001A
Services        : IMAP, POP, IIS, SMTP
Status          : Valid
Subject         : CN=e2010w2k8

Locate the certificate that will be used and make note of the following information:

  • Issuer of the certificate

  • Serial Number assigned to the certificate

  • Subject of the certificate

Document this information for use in later steps.

Step 3: Edit the OWA Web Config File

On the Client Access Server, navigate to the following directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA

Open the web.config file using Notepad and perform the following steps:

1. Search for OCS (IM) Server Name. You will see the following three entries:

<add key="IMServerName" value="" />
<add key="IMCertificateIssuer" value="" />
<add key="IMCertificateSerialNumber" value="" />

2. Populate the server name:

In the <add key="IMServerName" section, insert the FQDN of the OCS server between the final two quotes. For our example, the line will look like this:

<add key="IMServerName" value="" />

3. Populate the Certificate Issuer:

In the <add key="IMCertificateIssuer" section, insert the issuer of the certificate (gathered earlier) between the final two quotes. For our example, the line will look like this:

<add key="IMCertificateIssuer" value="CN=ca1, DC=companyabc, DC=com" />

4. Populate the Certificate SerialNumber:

In the <add key="IMCertificateSerialNumber" section, insert the certificate serial number between the final two quotes. For our example, the line would look like this:

<add key="IMCertificateSerialNumber" value="71 65 2G 3R 00 00 00 00 00 1A" />

Important: You must manually add spaces in the Serial Number string to separate each octet or the system cannot locate the certificate.

5. Save and close the Web.config file.

Step 4: Enable OCS Integration

To enable the OWA virtual directory to use OCS IM integration, from Exchange PowerShell pipe the virtual directory into Set-OwaVirtualDirectory with the following command (all on one line):

Get-OwaVirtualDirectory -Server SERVERNAMEHERE | Set-OwaVirtualDirectory -InstantMessagingType 1

Step 5: Restart Internet Information Services

Although the preceding changes should be detected automatically, administrators might need to restart IIS on the Client Access Server. However, doing so can cause any current OWA sessions to be logged off, so care should be taken.

From the command prompt on the Client Access server, issue the IISRESET command to restart the services.
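Steps 2 through 5 above are easy to get subtly wrong by hand (the wrong certificate, a serial number without the octet spaces, a missing pipe in the Set-OwaVirtualDirectory line), so here is an added example, not from the original post, that does them from one Exchange Management Shell script on the CAS. It assumes an OCS pool FQDN of ocspool.companyabc.com and a CAS named e2010w2k8 (both made-up values), the standard V14 web.config path, and that the three IM keys live under /configuration/appSettings in that file; the Format-SerialOctets and Set-AppKey helpers are mine, not part of Exchange.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the CAS.
# Assumed values (not in the post): the OCS pool FQDN and the CAS server name.
$OcsFqdn   = "ocspool.companyabc.com"   # assumed OCS 2007 R2 pool/front-end FQDN
$CasServer = "e2010w2k8"                # assumed CAS name (subject of the sample certificate)
$WebConfig = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\web.config"

# Step 2: pick the certificate bound to IIS (the one OWA actually serves) and record issuer/serial
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Status -eq 'Valid' } |
    Select-Object -First 1
if (-not $cert) { throw "No valid IIS-enabled certificate found on this CAS" }

# web.config wants the serial as space-separated octets ("71 65 2G 3R ..." in the post's example)
function Format-SerialOctets([string]$serial) {
    $hex = $serial -replace '\s', ''          # strip any existing whitespace
    ($hex -replace '(..)', '$1 ').Trim()      # insert one space after every two characters
}
$issuer = $cert.Issuer
$serial = Format-SerialOctets $cert.SerialNumber

# Step 3: update the three IM keys in web.config (keep a backup so the edit is reversible)
Copy-Item $WebConfig "$WebConfig.bak" -Force
[xml]$xml = Get-Content $WebConfig
function Set-AppKey([xml]$doc, [string]$key, [string]$value) {
    # assumption: the keys are <add> children of <appSettings>, as the post's search step implies
    $node = $doc.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { throw "Key '$key' not found; is the Web Service Provider (Step 1) installed?" }
    $node.SetAttribute('value', $value)
}
Set-AppKey $xml 'IMServerName'              $OcsFqdn
Set-AppKey $xml 'IMCertificateIssuer'       $issuer
Set-AppKey $xml 'IMCertificateSerialNumber' $serial
$xml.Save($WebConfig)
"web.config now points at $OcsFqdn using certificate serial '$serial' issued by '$issuer'"

# Step 4: enable IM on the OWA virtual directory (1 = OCS, as in the post)
Get-OwaVirtualDirectory -Server $CasServer | Set-OwaVirtualDirectory -InstantMessagingType 1

# Step 5: restart IIS; this logs off any current OWA sessions, so do it in a maintenance window
iisreset
```

Selecting the certificate by its IIS service binding rather than by subject is the point of the first block: the CAS may hold several valid certificates, and OWA will only find the one whose issuer and serial match what is written into web.config.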

Configure the OCS Server

The Exchange Server 2010 OWA IM integration component is implemented as an OCS 2007 end-point. For the integration component to sign in to OCS 2007 R2, the OCS server must be configured to trust the Client Access Server.

This is accomplished by adding the Exchange Client Access Server as a trusted server on the OCS 2007 R2 front end. To do so, perform the following steps:

1. While logged in as an OCS administrator, start the OCS Management Console by selecting the following:

                Start\All Programs\Administrative Tools\Office Communicator Server 2007 R2

2. Navigate to the OCS 2007 R2 pool. Right-click the OCS pool name and select Properties; then select Front End Properties.

3. Click on the Host Authorization tab; then click the Add button.

4. In the Add Authorized Host window:

Select the FQDN radio button.

Type the name of the Client Access Server, basically what you type in to run OWA, such as  (note: you could use the IP address button instead of the FQDN button, but this is less secure because it does not rely on certificate authentication, so use the name you use to access OWA externally, as that will likely be protected by HTTPS/SSL and will work).

Select (checkbox) the following options: Treat as Authenticated and Throttle as Server.

5. Click OK to save the configuration changes.

6. To allow changes to take effect immediately, stop and restart the OCS front-end services; note that doing so will disconnect any active users.

Note:  If you install OCS 2007 R2 on Windows 2008 R2, you have to download a hotfix for UcmaRedist.msi (UcmaRedist.msp) from the Microsoft Office Communications Server 2007 R2 Hotfix KB 968802. If you don't, everything works except IM communication back to OWA, and you would receive Error id: 504. With UcmaRedist.msp installed, the issue is resolved. {this point added Dec 5, 2009 thanks to input from Jahad Suboh, who commented on my blog to add this point of additional accuracy!}

Troubleshooting the Installation

Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration.

Configuring the Firewall on the CAS Server

If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:

1. From the Control Panel, open Windows Firewall.

2. On the left side of the Windows Firewall window, click "Allow a Program Through Windows Firewall".

3. Click Add Program; then click Browse.

4. Browse to C:\Windows\System32\inetsrv and select w3wp.exe.

5. Click Open and then click OK twice to apply changes and close the window. Be sure to perform this step on all CAS servers with IM integration enabled.
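The same exception can be scripted, which matters when you have several IM-integrated CAS servers and want them configured identically. This is an added example, not from the original post: it uses netsh advfirewall from an elevated prompt, and the OCS pool address it scopes the rule to is an assumed value, not something the post supplies.

```powershell
# Added example, not from the original post. Run from an elevated prompt on each IM-integrated CAS.
# Assumed value (not in the post): the OCS front-end address used to scope the exception.
$OcsPoolIp = "10.0.0.5"   # assumed OCS pool/front-end IP; scoping to it keeps the w3wp.exe hole small

# Same program exception the GUI steps create, limited to the domain profile and to the OCS address
netsh advfirewall firewall add rule name=OWA_IM_w3wp dir=in action=allow `
    program=C:\Windows\System32\inetsrv\w3wp.exe profile=domain "remoteip=$OcsPoolIp" enable=yes

# Confirm the rule landed with the scope you intended
netsh advfirewall firewall show rule name=OWA_IM_w3wp
```

The GUI "Allow a Program" path opens w3wp.exe to everything; restricting the rule to the OCS address and the domain profile gives the same integration result with far less exposed.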

User Configuration

Before the user community can utilize the IM features, they must be "provisioned" for Office Communications Server 2007 R2 and must be enabled for Enhanced Presence. When a user is initially enabled on OCS 2007 R2, he is automatically enabled for Enhanced Presence.

Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.

Instant Messaging Not Available

When attempting to view the Instant Messaging contact list, a user might receive a notification that states:

Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.

If this occurs, perform the following steps:

1. Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.

2. If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.

3. Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.

OWA Certificate Error

If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.

In this case, confirm that the values of the IMCertificateIssuer and IMCertificateSerialNumber keys in the Web.config file are correct. Also ensure that there is a blank space between every two characters in the serial number, to separate the octets in the string.
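Both of the preceding problems ("Instant Messaging Isn't Available" and the certificate-not-found error) come down to what is in web.config versus what is really on the box, so here is an added check script, not from the original post, that reads the three IM keys back out of web.config, verifies the serial is octet-spaced and that a matching certificate exists in the local computer store, and then confirms the CAS can reach CWA over HTTPS with a trusted chain (the Step 2 test, done without a browser). The CWA URL is an assumed value, the /configuration/appSettings XPath is an assumption about the file layout, and Get-AppKey is my helper.

```powershell
# Added example, not from the original post. Run on the CAS in an elevated PowerShell window.
$WebConfig = "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\web.config"
$CwaUrl    = "https://cwa.companyabc.com"   # assumed Communicator Web Access URL (not in the post)

[xml]$xml = Get-Content $WebConfig
function Get-AppKey([string]$key) {
    # assumption: the IM keys are <add> entries under <appSettings>
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    if (-not $node) { throw "Key '$key' missing from web.config" }
    $node.GetAttribute('value')
}
$server = Get-AppKey 'IMServerName'
$issuer = Get-AppKey 'IMCertificateIssuer'
$serial = Get-AppKey 'IMCertificateSerialNumber'
if (-not $server) { Write-Warning "IMServerName is empty: OWA has no OCS server to sign in to" }

# Check 1 (OWA Certificate Error): serial must be octet-spaced and match a cert in LocalMachine\My
if ($serial -notmatch '^\w{2}( \w{2})*$') {
    Write-Warning "Serial '$serial' is not space-separated octets; OWA cannot locate the certificate"
}
$match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -eq $issuer.Trim() -and $_.SerialNumber -eq ($serial -replace ' ', '')
}
if ($match) { "OK: certificate found in store: $($match.Subject)" }
else        { Write-Warning "No certificate in LocalMachine\My matches issuer '$issuer' and serial '$serial'" }

# Check 2 (IM Not Available): can this CAS reach CWA over HTTPS with a trusted certificate chain?
try {
    $resp = [Net.WebRequest]::Create($CwaUrl).GetResponse()
    $resp.Close()
    "OK: CWA at $CwaUrl reachable and its certificate chain is trusted by this CAS"
} catch [Net.WebException] {
    # "Could not establish trust relationship" here means the CWA root CA is missing from Trusted Roots
    Write-Warning "CWA check failed: $($_.Exception.Message)"
}
```

If check 1 passes and check 2 fails with a trust error, the fix is the one described under Step 2 (import the CWA issuer's root certificate into the CAS's Trusted Root Certification Authorities), not another edit to web.config.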

The preceding procedures were taken (AND updated 12/3/2009) from my book "Exchange 2010 Unleashed" from Sams Publishing, where I cover, in 1,300 pages, everything on Exchange 2010 from architecture planning to migrations from Exchange 2003 and 2007 to securing Exchange 2010 to the latest in administration, management, high availability, and recoverability.

My next post will be on the Exchange Control Panel component of Outlook Web App 2010 that provides administrators the ability to perform administrative tasks like adding users, disabling users, configuring public folders, etc right from the OWA 2010 screen.


Copyright © 2009 IDG Communications, Inc.
