Tuesday 30 October 2012

Lync 2010 and 2013 IM integration into Exchange 2013 OWA

IM integration was a great feature in Exchange 2010 and is followed through into Exchange 2013.
The steps have changed slightly however and the current TechNet documentation isn’t _that_ clear. So I thought I’d write it up. You'll find the TechNet article here, and I hope you agree my blog is more informative.
Exchange 2013 has two roles. The Front End proxy, and the Back End. The Back End co-locates all roles which are: Mailbox, Client Access, Hub Transport and Unified Messaging.
In Exchange 2010 you configured the IM integration entirely on the server that held the Client Access role. This could be a standalone server or a co-located-role server, depending on the infrastructure needed. At Exchange 2010 RTM this was done in a config file; from SP1 onwards it moved to PowerShell settings on the OWA virtual directories.
In Exchange 2013 configuration is necessary on both the Front End and Back End roles. Again this can be co-located or standalone. I will treat them as separated for ease of understanding here.
Exchange 2013 Front Ends
1. In PowerShell run Get-OWAVirtualDirectory. You can use Get-OWAVirtualDirectory -Identity "Exchange2013FrontEnd\owa (default web site)" | select inst* to immediately get the necessary information.

2. You will, if familiar with IM integration in Exchange 2010, be immediately at home here. However, for IM integration in Exchange 2013 we only set two of the above four values: 'InstantMessagingEnabled' and 'InstantMessagingType'. We leave both 'InstantMessagingCertificateThumbprint' and 'InstantMessagingServerName' blank. This is very important: populating them on the Front End actually breaks the integration between Lync 2010 and Exchange 2013.

We can set these values with the following command:

3. Set-OwaVirtualDirectory -Identity "Exchange2013FrontEnd\owa (default web site)" -InstantMessagingEnabled $true -InstantMessagingType OCS

(Ignore the yellow text in my example below – I'm running the command to show you, but as I've already set these attributes it's telling me no settings have been modified.)

4. Perform the above command against ALL your Exchange 2013 Front End servers in the associated sites that need IM integration.
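As an added example (not code from the original post), the following PowerShell applies step 3 to every Front End in one pass and then re-reads each virtual directory to confirm that the two values the post says must stay blank really are blank, clearing them if not. It assumes the Exchange Management Shell and a $FrontEnds list of constructed server names.

```powershell
# Added example (not from the original post): configure and verify IM
# integration on every Exchange 2013 Front End OWA virtual directory.
# Assumptions: runs in the Exchange Management Shell; $FrontEnds holds the
# names of your Front End (Client Access) servers (constructed sample names).
$FrontEnds = @('EX2013FE01', 'EX2013FE02')

foreach ($server in $FrontEnds) {
    # Only the "Default Web Site" OWA vdir is configured on the Front End; the
    # Back End side is handled through web.config, not this cmdlet.
    $vdir = Get-OwaVirtualDirectory -Server $server |
            Where-Object { $_.Identity -like '*\owa (Default Web Site)' }

    if (-not $vdir) {
        Write-Warning "$server : no 'owa (Default Web Site)' virtual directory found"
        continue
    }

    # Only these two values are set, exactly as in step 3.
    Set-OwaVirtualDirectory -Identity $vdir.Identity `
        -InstantMessagingEnabled $true `
        -InstantMessagingType OCS

    # Re-read and check: a populated thumbprint or server name on the Front End
    # is the misconfiguration the post warns breaks Lync 2010 / Exchange 2013 IM.
    $check = Get-OwaVirtualDirectory -Identity $vdir.Identity
    $stale = @()
    if ($check.InstantMessagingCertificateThumbprint) { $stale += 'InstantMessagingCertificateThumbprint' }
    if ($check.InstantMessagingServerName)            { $stale += 'InstantMessagingServerName' }

    if ($stale.Count -gt 0) {
        Write-Warning "$server : clearing unexpected value(s): $($stale -join ', ')"
        # Passing $null resets the string attributes to blank.
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -InstantMessagingCertificateThumbprint $null `
            -InstantMessagingServerName $null
        $check = Get-OwaVirtualDirectory -Identity $vdir.Identity
    }

    # Emit the final state so the run doubles as a report across all Front Ends.
    $check | Select-Object Server, InstantMessagingEnabled, InstantMessagingType,
        InstantMessagingCertificateThumbprint, InstantMessagingServerName
}
```

Run it once after any change to the OWA virtual directories; the output table is the quickest way to spot a Front End where someone has "helpfully" filled in the Exchange 2010-style thumbprint and server name.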

Exchange 2013 Back Ends

5. Once this has been set we need to configure certificates, but the certificate configuration is on our Back End Exchange 2013 servers. Go to your Back End servers and generate a new certificate request using New-ExchangeCertificate against the internal CA that Lync uses. I recommend this TechNet article for cert creation: http://technet.microsoft.com/en-us/library/aa998327.aspx

Use the following two commands:

$Data = New-ExchangeCertificate -GenerateRequest -SubjectName "details here, use server FQDN as CN" -DomainName "FQDN of server" -PrivateKeyExportable $true -FriendlyName "Desired Cert Name"

Set-Content -Path "x:\your desired location" -Value $Data

6. Once this is done we need to complete the signing request against your internal certificate authority. I have used the web enrollment pages of our subordinate CA for this example. Use the same internal CA that you used to obtain the SSL certificates for your Lync platform!

Save the completed signing request.

7. We now need to complete the signing request using Import-ExchangeCertificate. Information on this cmdlet is available here: http://technet.microsoft.com/en-us/library/bb124424.aspx

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'x:\cert location' -Encoding byte -ReadCount 0))

The certificate is now installed.
Ensure you do this for all Exchange 2013 Back End Servers.

8. We are now in a place where all our Exchange 2013 Front End servers have had the necessary configuration via PowerShell and Set-OWAVirtualDirectory, and we have installed certificates on all our Exchange 2013 Back End servers. We now need to edit a web.config file on each Exchange 2013 Back End.

The file we want to modify is the web.config file in the following location: "x:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa", where x is the drive you installed to.


9. Open the web.config file and search for "</appSettings>". This takes you to the end of all the appSettings configuration. Add these two lines in, just above that closing tag:

<add key="IMCertificateThumbprint" value="Enter Thumbprint here!" />
<add key="IMServerName" value="FQDN of Lync Pool or Director Pool" />

 You can see I have commented this out to explain the change I am making.

 It is important to note that the thumbprint you enter in each web.config file is the thumbprint of the Certificate you have created on each Back End server.
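Steps 8 and 9 can also be done without hand-editing the file. The following PowerShell is an added example, not the post's own procedure: run locally on each Back End, it looks up the certificate from step 5 by its FriendlyName so the thumbprint is always that server's own, backs up web.config, and writes the two keys through the XML API so the entries are guaranteed well-formed (a stray character inside <appSettings> makes IIS refuse the whole file). $CertFriendlyName, $LyncPoolFqdn and the use of the ExchangeInstallPath environment variable are assumptions.

```powershell
# Added example (not from the original post): on an Exchange 2013 Back End,
# write IMCertificateThumbprint and IMServerName into the OWA web.config via
# the XML API instead of a text editor.
# Assumptions: run on each Back End as an administrator; $CertFriendlyName is
# the FriendlyName given to New-ExchangeCertificate in step 5; $LyncPoolFqdn
# is a placeholder; ExchangeInstallPath resolves to the post's
# "x:\Program Files\Microsoft\Exchange Server\V15\" install root.
$CertFriendlyName = 'OWA IM Integration'          # assumption
$LyncPoolFqdn     = 'lyncpool.example.local'      # placeholder
$WebConfig = Join-Path $env:ExchangeInstallPath 'ClientAccess\Owa\web.config'

# The thumbprint must be from the certificate installed on THIS server.
$cert = @(Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.FriendlyName -eq $CertFriendlyName -and $_.HasPrivateKey })
if ($cert.Count -eq 0) { throw "No certificate with FriendlyName '$CertFriendlyName' in LocalMachine\My" }
if ($cert.Count -gt 1) { throw "More than one certificate matches '$CertFriendlyName'; be more specific" }
$thumbprint = $cert[0].Thumbprint

# Keep a timestamped backup before touching the file.
$backup = "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item $WebConfig $backup

[xml]$xml = Get-Content $WebConfig
$appSettings = $xml.configuration.appSettings
if (-not $appSettings) { throw "No <appSettings> section found in $WebConfig" }

function Set-AppSettingKey([xml]$doc, $section, [string]$key, [string]$value) {
    # Update an existing <add key=.../> or create one. Going through the DOM
    # means the element is always well-formed: no stray text, no trailing dots,
    # nothing that triggers "cannot contain a CDATA or text element".
    $node = $section.SelectSingleNode("add[@key='$key']")
    if (-not $node) {
        $node = $doc.CreateElement('add')
        $node.SetAttribute('key', $key)
        [void]$section.AppendChild($node)
    }
    $node.SetAttribute('value', $value)
}

Set-AppSettingKey $xml $appSettings 'IMCertificateThumbprint' $thumbprint
Set-AppSettingKey $xml $appSettings 'IMServerName' $LyncPoolFqdn
$xml.Save($WebConfig)

# Prove the saved file still parses, then show the two keys as written.
[void][xml](Get-Content $WebConfig)
$xml.configuration.appSettings.add |
    Where-Object { $_.key -like 'IM*' } |
    Select-Object key, value
Write-Host "Updated $WebConfig (backup: $backup)"
```

Because the script reads the certificate from the local store, running the same script on six Back Ends with six different certificates writes six different thumbprints, which is exactly what the note above asks for; if you share one certificate across all of them, the thumbprint is simply the same everywhere.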

10. Once you have performed this on all Back Ends we need to open the Lync Topology Builder and enter each Back End as a Trusted Application.

       Add each Exchange 2013 Back End server separately, matching the FQDN of the server and the certificate published for the Back End as the Trusted Application. Add all required Exchange 2013 Back Ends.


      11.   Once created you can edit them and remove ‘Enable replication of configuration data to this pool’ as this is not needed for Lync IM integration.


12. Once all have been added, publish the Topology.

13. We now need to open a Lync PowerShell session and perform the following:

New-CsTrustedApplication -ApplicationID "Server Name" -TrustedApplicationPoolFqdn "FQDN of Exchange 2013 Back End server" -Port 'desired port number'

Set the ApplicationID as the server name for easy reference. Set the TrustedApplicationPoolFqdn as the FQDN of the Exchange 2013 Back End you are adding. Add a port number that isn't in use. I normally start at 5070 and work my way up after ensuring they aren't in use.

14. Once this is done, ensure you repeat it for every Exchange 2013 Back End server that you need and indeed published in the Topology Builder in steps 11 and 12.
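Steps 13 and 14 done in one go, as an added example (not the post's own commands): from the Lync Management Shell it checks that each Back End really is a published trusted application pool, skips any that are already registered, hands out ports from 5070 upwards without reusing one already assigned to another trusted application, and finishes with Enable-CsTopology, which New-CsTrustedApplication itself warns you to run. The $BackEnds FQDNs are constructed.

```powershell
# Added example (not from the original post): register each Exchange 2013
# Back End as a Lync trusted application from the Lync Management Shell.
# Assumptions: the Back Ends were already added and published as trusted
# application pools in Topology Builder (steps 10-12); $BackEnds holds
# constructed sample FQDNs; ports are allocated from 5070 upwards, skipping
# any already assigned to another trusted application.
$BackEnds  = @('ex2013be01.example.local', 'ex2013be02.example.local')
$startPort = 5070

# Ports already taken by existing trusted applications, so none is reused.
$usedPorts = @(Get-CsTrustedApplication | ForEach-Object { $_.Port })
$created   = 0

foreach ($fqdn in $BackEnds) {
    # The pool must exist in the published topology or the cmdlet fails;
    # checking first makes a typo in $BackEnds obvious.
    $pool = Get-CsTrustedApplicationPool -Identity $fqdn -ErrorAction SilentlyContinue
    if (-not $pool) {
        Write-Warning "$fqdn is not a published trusted application pool; skipping"
        continue
    }

    # Idempotent: leave an existing registration for this Back End alone.
    $existing = Get-CsTrustedApplication |
                Where-Object { $_.TrustedApplicationPoolFqdn -eq $fqdn }
    if ($existing) {
        Write-Host "$fqdn already registered as $($existing.Identity) on port $($existing.Port)"
        continue
    }

    # Next free port at or above $startPort, as the post suggests.
    $port = $startPort
    while ($usedPorts -contains $port) { $port++ }
    $usedPorts += $port

    # Short host name as the ApplicationId, matching the post's convention.
    $appId = ($fqdn -split '\.')[0]
    New-CsTrustedApplication -ApplicationId $appId `
                             -TrustedApplicationPoolFqdn $fqdn `
                             -Port $port
    $created++
}

# New-CsTrustedApplication changes the topology; Enable-CsTopology applies it.
if ($created -gt 0) { Enable-CsTopology }
```

The port check only covers ports Lync has already handed to other trusted applications; it is still worth confirming nothing else in your environment listens on the chosen range, as the post advises.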

15. Finally, we may need to do the following two things to get Lync IM integration working.

The first is to recycle the MSExchangeOWAAppPool on each Exchange 2013 Back End. This only needs to be done if IM integration is not working in OWA.

The second is to restart IIS on each Exchange 2013 Front End server. This only needs to be done if IM integration is not working in OWA.

16. Open OWA. You should now be able to sign in and see this:


      The first thing you’ll notice over Exchange 2010 OWA integration is that the contact list is not shown on the left pane anymore. You have to get it from the People Hub.


If you aren't seeing the above then you may have an OWA Mailbox Policy that isn't allowing IM. In PowerShell run Get-OWAMailboxPolicy to confirm against the affected users.

In the event this is the issue, use:

Set-OWAMailboxPolicy -Identity 'OWAMailboxPolicy' -InstantMessagingType OCS

to fix.
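To make that check concrete across a whole organisation rather than one user at a time, here is an added example (not from the original post) that lists every OWA mailbox policy with its IM settings, counts the mailboxes assigned to each, and optionally applies the Set-OWAMailboxPolicy fix above to the ones that block IM. It assumes the Exchange Management Shell; the $Fix switch is a convention of this script.

```powershell
# Added example (not from the original post): audit OWA mailbox policies for
# IM settings, show which mailboxes each policy covers, and optionally fix them.
# Assumptions: Exchange Management Shell; set $Fix = $true to apply changes.
$Fix = $false

# Enumerate mailboxes once and group them by assigned policy name. Mailboxes
# with no explicit policy are reported under '<none>'.
$byPolicy = @{}
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $name = if ($_.OwaMailboxPolicy) { $_.OwaMailboxPolicy.Name } else { '<none>' }
    if (-not $byPolicy.ContainsKey($name)) { $byPolicy[$name] = @() }
    $byPolicy[$name] += $_.Name
}

$report = foreach ($policy in Get-OwaMailboxPolicy) {
    $users = @()
    if ($byPolicy.ContainsKey($policy.Name)) { $users = @($byPolicy[$policy.Name]) }
    New-Object PSObject -Property @{
        Policy    = $policy.Name
        IMEnabled = $policy.InstantMessagingEnabled
        IMType    = $policy.InstantMessagingType
        Mailboxes = $users.Count
        Sample    = ($users | Select-Object -First 3) -join ', '
        # IM in OWA needs both the type set to OCS and the feature enabled.
        Ok        = ($policy.InstantMessagingType -eq 'OCS' -and $policy.InstantMessagingEnabled)
    }
}

$report | Sort-Object Ok | Format-Table Policy, Ok, IMEnabled, IMType, Mailboxes, Sample -AutoSize

if ($Fix) {
    foreach ($p in ($report | Where-Object { -not $_.Ok })) {
        Write-Host "Fixing OWA mailbox policy '$($p.Policy)' ($($p.Mailboxes) mailboxes)"
        Set-OwaMailboxPolicy -Identity $p.Policy -InstantMessagingEnabled $true -InstantMessagingType OCS
    }
}
```

Run it with $Fix left at $false first; the Sample column tells you whether the policy that is blocking IM is the one your test user actually has.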

    That’s it! Take care.

     Oliver Moazzezi - MVP Exchange Server




scurlaruntings said...

Thanks for the guide Oliver but I'm having some trouble getting this to work. My set up is very elementary. One Exchange server with both roles and a Lync server.

I get the error below when adding the following lines to the web.config file:

Server Error in '/owa' Application.

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: The configuration section cannot contain a CDATA or text element.

Source Error:

Line 170:
Line 171:
Line 172: .
Line 173: .
Line 174:

Source File: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\web.config Line: 172

Any ideas why my thumbprint is causing the problem?

Oliver Moazzezi said...

Hi there,

Thanks for reading my blog :-)

I had to ensure both the FE and BE certificates were trusted by Lync, so I ensured they were from the same CA which is the internal CA for Active Directory in my case.

I recommend completing these steps for the BE roles rather than using the self signed cert as I don't believe it will work.

scurlaruntings said...

Hi Oliver

Sorry for numerous posts?!!? Not entirely sure what happened there... Anyway, got it to work... Turns out there was a trailing dot at the end of each line that caused IIS to throw a mini wobbler. As soon as I removed that, happy days :-)
Anyway, great blog dude. You just need to do something about your bot moderator as it seems quite flakey, hence the numerous posts from me I presume? Feel free to clean up my posts :-)

Oliver Moazzezi said...

Glad you got it working - I'll clean up the posts.

H Limbada said...

Hi Oliver,

I'm setting up my Exchange & Lync 2013. Just read your post. You mentioned FE and BE for Exchange; I have only one server with both mailbox and client access roles. What steps would I need to do differently?



Oliver Moazzezi said...


If you have the Exchange 2013 Front End and Back End roles combined then the steps are exactly the same, you just do them all on the one server.

Let me know how you get on!

overmyhead said...

I have a front end Lync server, two mailbox servers and two CAS servers, all on Server 2012 with 2013 apps. I have followed all the steps and the OWA/Lync integration will not work. It worked in my lab, but that was before they decided to go with two CAS servers and a DAG setup. I imagine it has to do with the extra servers I now have, but for the life of me I can't figure out why it won't work. I'm not getting any error messages on the Lync or Exchange servers or on the client machine. Completely at a loss at this point.

Oliver Moazzezi said...

Hi there,

Have you ensured your OWA Mailbox Policy allows IM?

Unknown said...


I am receiving this error on my Lync servers:

Two servers cannot be configured at the same FQDN with different server version numbers.

Cannot configure a server at FQDN [EX-MBOX4.hosted.local] because another server is already configured there with a different server version number. Existing server has role 'Authorized Host' (version 0) with GUID {F27F12C6-C061-4EC7-A1E5-2E22E2D7B546}. New server has role 'Application Server' (version 6) with GUID {9801D0C3-DC90-5270-9297-DDE00538D722}.

ALL servers at this FQDN will be removed from the configuration until this conflict is resolved.

Cause: This is a configuration problem.
Review the server roles that are configured at this FQDN and ensure that they have identical version numbers.

Any idea why this may be?


Oliver Moazzezi said...

Hi Ben,

Have you checked to ensure the Lync servers in the same FQDN pool are at the same Lync patch and CU level? Use Get-CsComputer or Get-CsPool, or indeed use UpdateInstaller.exe to verify.

Unknown said...

Thanks for this - all worked great, and much better than the TechNet docs!

Oliver Moazzezi said...

hehe - yeah there's been a few rushed TechNet articles recently! Glad it helped out dude.

Ravikant Chaturvedi said...

Hi Oliver,

I followed your blog. I am using Mailbox and Client Access on the same server. My problem is I didn't get any issue while executing, but still I am not able to sign in to Instant Messaging.

thank you.

Unknown said...

Thanks for the info. I just used it to configure my environment. It works. I was able to use the thumbprint of my public exchange certificate instead of the self-signed cert.

Oliver Moazzezi said...

Glad you found it useful Gregory

BlackLight said...

Hi Oliver,
Awesome write up ..thanks for it.

In step 9 you said "It is important to note that the thumbprint you enter in each web.config file is the thumbprint of the Certificate you have created on each Back End server"

I have 6 back-end servers, does this mean that the config file on each of these servers will contain the thumbprint from each of the BE servers? Or will the config file on each server be updated with its respective certificate thumbprint?

I appreciate your clarification on this.



Erik Nettekoven said...

Hi Oliver, What an excellent and comprehensive guide! Despite the great quality of your write up, I am unable to get it to work.

I have followed every step of the guide but IM is unable to sign in in OWA. The instant messaging log on the backend server shows the following error: 2015-01-20T16:08:32.083Z,67,5,,,,0,DEBUG:Globals.Initialize: Initialization failed.,. (This is, by the way, better than before, because then I got this error: ERROR:UCWEB Failure: Code=TlsFailure. But since I followed your guide, it gives me the initialization error.)

Do you have any clue where I can look next?

Thanks in advance!

Oliver Moazzezi said...


Use the thumbprint that is from the certificate on each BackEnd server. If you are sharing a certificate across all BackEnd servers then the thumbprint will be the same, if not it is unique.

Oliver Moazzezi said...

Hi Erik,

What certificate are you using? Users with wildcard certs appear to have had the same issue here: