One of the new features of Outlook Web App (OWA) in Exchange 2010 is the ability for OWA to act as an IM client if you have Office Communications Server (OCS) in your environment. Once configured, you’ll be able to see and manage your buddy list, manage presence, as well as participate in IM conversations while logged in to OWA. Configuring this integration requires a number of steps on each of your Exchange 2010 Client Access Servers (CAS’). Many of the changes discussed in this blog post will cause brief service interruptions so it is highly recommended that you perform this work during a maintenance window where these interruptions are tolerable.
You’ll need to download two packages in order to proceed:
You can simply run the first download on one machine as it will extract the contents to C:\WebService Provider Installer Package (by default). Inside of this folder will be a number of installers which you’ll need to execute (in order) on each of your CAS servers:
- Visual C++ Redistributable (vcredist_x64.exe)
- Unified Communications Managed API (ucmaredist.msi)
- OCS Service Provider (cwaowassp.msi)
Finally, you’ll need to patch the UC Managed API by installing ucmaredist.msp.
Note: If you have User Account Control (UAC) enabled on your CAS servers, you should execute all of these packages from an elevated command prompt.
Once these packages are installed, you’re ready to configure OWA for integration with OCS. You’ll need to have the name of the OCS Pool which you plan to have your CAS servers connect to on hand as well as some information about the certificate on each CAS server which will be used to secure communications between the CAS server and OCS. Specifically, you’ll need to collect the certificate issuer string as well as the certificate’s serial number. You can do this using the following PowerShell command:
Get-ExchangeCertificate | fl Subject,Issuer,SerialNumber
You should get text returned back similar to the following:
Subject : CN=mail14.briandesmond.net, OU=IT, O=“Brian Desmond Consulting, LLC”, L=Chicago, S=Illinois, C=US
Issuer : CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber : 478C52B6B53E467F9331BB8CB4B2BDB8
Note: If you are using different certificates on each CAS server in your array, you’ll need to collect this data individually on a per CAS server basis.
Make note of the issuer and serial number values for the certificate. You’ll need to tell OWA to use this certificate for communications with OCS. To do this, browse to C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa and open the web.config file with notepad. Scroll down and find the following section:
<add key="IMPoolName" value="" />
<add key="IMCertificateIssuer" value="" />
<add key="IMCertificateSerialNumber" value="" />
These are the three values you’ll need to populate for OWA to make the connection to OCS. The first value should be the FQDN of the OCS pool you want to connect to, and the following two values should be copied out of the Get-ExchangeCertificate spew collected earlier as shown below:
<add key="IMPoolName" value="ocspool01.briandesmond.net" />
<add key="IMCertificateIssuer" value=’CN=mail14.briandesmond.net, OU=IT, O="Brian Desmond Consulting, LLC", L=Chicago, S=Illinois, C=US’ />
<add key="IMCertificateSerialNumber" value="47 8C 52 B6 B5 3E 46 7F 93 31 BB 8C B4 B2 BD B8" />
There are three extremely
important things you need to do when customizing the configuration settings shown above:
- If your certificate’s issuer includes any double quotes (as mine does), you must enclose the data in single quotes instead of the default double quotes as shown above.
- You must insert the spaces in between each octet in the serial number as shown above.
- You must remember to update these values when you renew or replace the certificate on a CAS server.
Once OWA is configured, you’ll need to configure your OCS pool to trust the CAS servers. To do this, access the OCS Administration Pool, and open the Front End Properties of the pool (right click the pool, Properties>Front End Properties). On the Host Authorization tab, add an entry reflecting the certificate you configured in the web.config file in the previous step. You’ll also want to check the “Treat As Authenticated” and “Throttle As Server” checkboxes as shown below:
In order for this change to take effect immediately, you may need to restart the services on your OCS Front Ends. Doing this will disconnect any currently connected clients so it may instead be advantageous to wait for caches to refresh. The final step is to enable OCS IM integration for the OWA virtual directory. To do this, run the following PowerShell command:
Get-OwaVirtualDirectory -Server YourCasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS
Users who are enabled for OCS should see their buddy list as well as a jelly bean to manage presence next time they login:
In summary, there are four key steps you’ll need to take in order to enable OCS integration with Outlook Web App in Exchange 2010. First, you’ll need to download the service provider and latest rollup for the components in the service provider download. Next, you’ll need to install the components downloaded on each Client Access Server. You’ll then collect certificate information from each CAS server and configure that information along with your OCS pool information in the OWA web.config file. Finally, you’ll add the CAS certificate to the list of trusted hosts in OCS and enable OCS integration on the OWA virtual directory.