Securing Exchange UM with TLS for Microsoft Lync Integration

When integrating Exchange UM with Lync Server Unified Messaging must be running in either TLS or dual mode. For it to run in either of these modes a valid certificate from a CA must be installed on the Exchange UM server, rather than the standard self signed certificate.

However!

Simply adding a valid cert from your internal CA to Exchange UM and assigning it to the UM service using Enable-ExchangeCertificate or the Certificate Wizard UI in the Exchange Management Console does not solve the issue.

What we must do is set the UM service to run in either TLS or dual mode. To do this follow these steps.


1. You have succesfully added a certificate from your internal CA for Unified Messaging, you are now either using Powershell or the UI to assign this cert to your UM service, you then get this error:

2. This means you haven't set the UM service to run in either TLS or dual mode, TLS is enforced and dual mode means it runs allowing both. To set the UM service to the correct configuration fire up Powershell and run:

Set-UMserver - UMStartupMode dual -identity 'UMServer'

If you want to force TLS:

Set-UMserver - UMStartupMode TLS -identity 'UMServer'

If you have multiple UM servers and they all have the relevant certificate already in their certificate store then we could for example run:

Get-UMserver Set-UMserver - UMStartupMode dual/tls (selecting only one here).

3. We can now try and assign the certificate again via either Enable-ExchangeCertificate or via the Exchange Certificate Wizard UI in the Exchange Management Console:

4. Once this configuration change is made we must restart the UM service

Restart-Service MSExchangeUM

The service is now restarted and the UM service is running in either TLS or dual mode with the certificate from your internal CA.

You are now ready to proceed with the next step of integrating UM with Lync. Watch out for the next part of this process coming soon.

Take Care


Oliver Moazzezi MVP - Exchange Server