I was asked this by a university in the Midwest with 18 unique Exchange organizations. They wanted to share calendar information amongst the Exchange orgs. (Most diagrams courtesy of Exchange Product team)
What are the benefits of Exchange 2010 Federated Sharing?
Exchange Federated Sharing is convenient
Exchange Federated Sharing is secure
Exchange Federated Sharing works with online services
What are my choices for calendar federation?
There are two levels of calendar federation available:
Can I control how my org’s calendar information is shared per external domain (external org), department, or user?
Yes, by using org level relationship controls or by using a Sharing Policy.
Example of org level relationship sharing controls:
Find information about the external org: Get-FederationInformation -DomainName contoso.com
Create a new org relationship: New-OrganizationRelationship
Set what level of calendar sharing is allowed with the external org: Set-OrganizationRelationship -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
Optional: limit which department can share information: Set-OrganizationRelationship -FreeBusyAccessScope department1
More on Org relationships sharing here
Example of a sharing policy:
This is set via GUI or cmdlets. (More here)
How does Federated Sharing work?
It uses a combination of Exchange web services on the CAS server and a federation trust with the Microsoft Federation Gateway.
The nice part is you no longer need to set up directory synchronization as you did with Exchange 2007, nor do you need to set up Active Directory trusts or AD service accounts.
The Microsoft Federation Gateway acts as a trust broker so that requests flow over SSL. There is no need to open RPC ports for AD trusts or to share AD service accounts.
What do I need to do to get it working?
Four things needed to get you started:
1) Obtain an X.509 certificate from a trusted root CA (GoDaddy, Entrust, etc.) for use with the Microsoft Federation Gateway (MFG) for signing and encrypting delegation tokens (more here). A list of the trusted root CAs that MFG recognizes is here.
2) Create a Federation Trust with the MFG using a cmdlet (more here):
3) Provide domain ownership by creating a DNS TXT record similar to (more here):
Contoso.com IN TXT AppId = 1C2
4) Add your SMTP domains and the federated domains of the other Exchange orgs you want to trust with calendar information (the other org must accept) using these cmdlets (more here):
Set-FederatedOrganizationIdentifier - to enable your SMTP domains for federation sharing with the MFG
Add-FederatedDomain – to add other External Orgs to share calendar information with
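The four steps above as one Exchange 2010 Management Shell script, followed by the org relationship from the earlier question. This is an added example, not code from the original post: the domain names, the certificate thumbprint and the trust name are placeholders, and the Add-FederatedDomain call adds a further accepted domain of your own org to the trust (the external org is reached through the organization relationship).

```powershell
# Added example (not from the original post). Placeholders to replace:
#   contoso.edu / contoso.com - your own accepted SMTP domains
#   fabrikam.edu              - the external Exchange org to share calendars with
#   $certThumbprint           - thumbprint of the X.509 certificate from step 1
$primaryDomain   = 'contoso.edu'
$secondaryDomain = 'contoso.com'
$externalDomain  = 'fabrikam.edu'
$certThumbprint  = 'THUMBPRINT_OF_FEDERATION_CERT'
$trustName       = 'Microsoft Federation Gateway'

# Step 2: create the federation trust with the MFG using the certificate.
New-FederationTrust -Name $trustName -Thumbprint $certThumbprint

# Step 3: obtain the proof string for the DNS TXT record. Publish the record
# at the domain apex before continuing; the MFG checks it when the domain is
# enabled, which is how domain ownership is proven.
Get-FederatedDomainProof -DomainName $primaryDomain | Format-List

# Step 4a: enable your org's primary SMTP domain for federation.
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName `
    -AccountNamespace $primaryDomain -Enabled $true

# Step 4b: add any further accepted domain of your own org to the trust
# (each one needs its own TXT record from Get-FederatedDomainProof first).
Add-FederatedDomain -DomainName $secondaryDomain

# Organization relationship with the external org. Autodiscover data for the
# other side comes from Get-FederationInformation; the other org must create
# the matching relationship pointing back at you. LimitedDetails exposes
# free/busy plus subject and location, not full item bodies.
Get-FederationInformation -DomainName $externalDomain |
    New-OrganizationRelationship -Name $externalDomain `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

# Check: validates certificate, token request and token validation with the
# MFG end to end for a mailbox in your org.
Test-FederationTrust -UserIdentity "admin@$primaryDomain"
```

Run Test-FederationTrust again after any certificate renewal: a token failure there, rather than a free/busy lookup failure on the other org's side, is the first place an expired or swapped federation certificate shows up.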
Can I share my calendar with the Exchange Online and other Microsoft cloud services?
Yes, this is possible with cloud services like Azure today and will be possible with Exchange Online and Live@Edu (Outlook Live) by the end of Summer 2010.
For more specific details on the Federation process visit here.
I was in Maryland this week and one of my customers wanted to know how to integrate OCS with Exchange for OWA chat and presence. To get Office Communications Server IM integration with Outlook Web App, we need to work on the following areas:
· Install OCS 2007 R2 Web Service Provider
· Obtain information about the certificate used by the CAS server to communicate with OCS 2007 R2
· Edit the Outlook Web Apps Web.Config file with integration information
· Enable the IM Integration
· Restart IIS service on the CAS server
· OCS 2007 R2 Configuration
Install OCS 2007 R2 Web Service Provider
The CWAOWASSPMain is available here.
To install the OCS 2007 R2 Web Service Provider, follow the procedure below:
1. Start and install CWAOWASSPMain.msi
2. Locate the “C:\Web Services Provider Installer Package” directory
3. Double-click on vcredist_x64.exe to install the Visual C++ 2008 Redistributable Setup.
4. Double-click on UcmaRedist.msi to install Office Communication Server R2 API Core Redistributable Setup.
5. Open a CMD window with administrator privileges, and run CWAOWASSP.MSI to install the Office Communications Server Web Service Provider.
To verify that the packages above installed correctly, check the following entries:
1. Key “InstantMessaging” has been created in registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA\
2. String Value under InstantMessaging with name "ImplementationDLLPath" and value "<Your Exchange Install Path>\ClientAccess\owa\bin\Microsoft.Rtc.UCWeb.dll" has been created.
3. The DLL Microsoft.Rtc.UCWeb.dll is present in the directory <Your Exchange Install Path>\ClientAccess\Owa\Bin.
4. The DLLs SIPEPS.dll and Microsoft.Rtc.Collaboration.dll are present in the Microsoft .NET Framework Global Assembly Cache (GAC).
In order for the Office Communication Server Web Service Provider to connect to the Office Communication Server to provide service, it needs a certificate to establish MTLS (Mutual TLS) between the CAS server and the Office Communication Server Front-End server. The best option is to obtain a certificate for the CAS server, from the same CA/Issuer as the OCS server. That way, you don’t have to worry about if the machine trusts the CA of the certificate used by the other party.
To get the certificate information on the CAS server, open an Exchange Management Shell session on the Exchange 2010 CAS Server. Type in the following cmdlet:
The items we are interested are:
· Issuer: for an internal CA this is most likely in a format like “CN=contoso-NADC-CA, DC=contoso, DC=edu”
· SerialNumber: a 20-digit hex number, for example “60e5d58300000000003c”
The information attributes needed for Office Communication Server Web Service Provider to work with Outlook Web Apps are already added to the Web.Config file under Outlook Web Apps, but some of the detail regarding the OCS server name and certificate need to be filled in.
Using the Windows Explorer, navigate to the following location:
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
Locate and open the web.config file, using notepad, and apply the following:
1. Search for IMPoolName. You will see the following three entries:
<add key="IMPoolName" value="" />
<add key="IMCertificateIssuer" value="" />
<add key="IMCertificateSerialNumber" value=""/>
2. Populate the server name:
<add key="IMPoolName" value="FQDN_OF_THE_OCS_POOL" />
Example: <add key="IMPoolName" value="NAOCS7.contoso.edu" />
3. Populate the Certificate Issuer:
<add key="IMCertificateIssuer" value="<issuer>" />
Example: <add key="IMCertificateIssuer" value=" CN=contoso-nadc-ca, DC=contoso, DC=edu " />
If the certificate issuer value contains double quotes ("), wrap the value in single quotes instead, as in the example below:
<add key="IMCertificateIssuer" value='CN=…, OU="(c) 2008 Contoso, Inc.", OU=www.contoso.edu/CPS is incorporated by reference, OU=…, OU=…, O="Contoso, University.", C=US' />
Just to clarify, this certificate issuer value is your CAS server certificate. It is needed so when the OCS Web Service Provider starts, it knows which issuer certificate to pick up.
4. Populate the Certificate SerialNumber:
<add key="IMCertificateSerialNumber" value="<SerialNumber with space between each octet>" />
Example: <add key="IMCertificateSerialNumber" value="60 D5 83 00 00 00 00 00 00 00 3C" />
5. Save and close Web.config.
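The certificate lookup and the web.config edits above, done from the Exchange Management Shell so that the serial number is spaced exactly as required and the issuer string is quoted correctly whatever it contains. This is an added example, not code from the original post or from the Web Service Provider package: the thumbprint is a placeholder, the pool name is the post's example value, and the web.config path is the one given above.

```powershell
# Added example (not from the original post). Replace $casThumbprint with the
# thumbprint of the CAS certificate issued by the same CA as the OCS server.
$casThumbprint = 'THUMBPRINT_OF_CAS_CERT'
$poolName      = 'NAOCS7.contoso.edu'
$webConfig     = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config'

function Get-OwaImCertificateSettings {
    param([string]$Thumbprint)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # Issuer goes in verbatim. The serial number must be upper-case hex with a
    # space between octets; strip anything that is not a hex digit first.
    $raw    = $cert.SerialNumber -replace '[^0-9A-Fa-f]', ''
    $octets = for ($i = 0; $i -lt $raw.Length; $i += 2) { $raw.Substring($i, 2).ToUpper() }
    return @{
        IMCertificateIssuer       = $cert.Issuer
        IMCertificateSerialNumber = ($octets -join ' ')
    }
}

function Set-OwaImWebConfig {
    param([string]$Path, [string]$PoolName, [hashtable]$CertSettings)
    # Keep a copy: IIS re-reads this file on every app-pool start, so a bad
    # edit takes OWA down, not just IM.
    Copy-Item $Path "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$xml = Get-Content $Path
    $values = @{ IMPoolName = $PoolName } + $CertSettings
    foreach ($key in $values.Keys) {
        $node = $xml.SelectSingleNode("//appSettings/add[@key='$key']")
        if ($null -eq $node) { throw "Key '$key' not found in $Path" }
        # Setting the attribute through the XML API handles quoting, so an
        # issuer containing double quotes needs no manual escaping.
        $node.SetAttribute('value', $values[$key])
    }
    $xml.Save($Path)
}

$settings = Get-OwaImCertificateSettings -Thumbprint $casThumbprint
Set-OwaImWebConfig -Path $webConfig -PoolName $poolName -CertSettings $settings
# Show what was written; enable IM and run IISReset as in the following steps.
$settings
```

If the CAS certificate is later renewed, its serial number changes and the provider silently stops signing in to OCS; re-run the two functions as part of the renewal so the web.config value never drifts from the certificate actually bound to the CAS.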
Once the web.config file is updated with the correct CAS certificate information, OCS IM integration in Outlook Web App can be enabled. To enable it, open an Exchange Management Shell and enter this cmdlet:
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingType OCS
The last step on the Exchange Server 2010 side is to restart the IIS service on the CAS server. To do it, open a command prompt window and type “IISReset”.
The Exchange Server 2010 Outlook Web Access IM Integration component is implemented as an OCS 2007 end-point. In order for the integration component to be able to sign-in to OCS 2007 R2 it is necessary to configure the OCS 2007 R2 server to trust the Exchange Client Access Server.
This is configured by adding the Exchange Client Access Server as a trusted server on the OCS 2007 R2 Front-End.
The following steps can be followed to perform this operation:
1. As an OCS administrator, start the Office Communications Server 2007 R2 management console
2. Navigate to your OCS 2007 R2 Pool (ocsse.contoso.edu) and open the Front-End Properties
3. Click the “Host Authorization” tab. Add the FQDN for your CAS Server. This must be the same as the subject name of the cert you have configured on the CAS Server.
4. Ensure the options to treat the connection as authenticated and to throttle as a server are both checked.
You need to add an entry for every Client Access Server that has the IM Integration components installed.
5. Validate the configuration changes by clicking OK.
6. You may need to stop and restart the OCS Front-End services if you wish the changes to take effect immediately. This will however disconnect any active users. For more info on this from Technet go to this article: http://technet.microsoft.com/en-us/library/ee633458.aspx
I get asked quite often whether we have any step-by-step Exchange 2010 deployment templates/documents. The nice part about these guides is that they are in Word format, so you can build your own production build-out documentation for your Exchange 2010 deployment.
Grab the newly released step by step install docs for Exchange 2010 here.
Here is a sample of the type of Step by Step from the DAG Installation Word template:
Database Availability Group Network Configuration
1. Launch the Exchange Management Shell with an account that has been delegated the Organization Management role.
2. When the Windows Failover Cluster is formed it will create a cluster-managed network for each subnet detected within the failover cluster. When the DAG is formed, the initial DAG network configuration is based on the enumeration of the cluster networks. If the DAG will span subnets, the recommendation is to collapse the DAG networks into a single MAPI network and a single replication network. You can do this by adding the additional subnets to the appropriate DAG networks and deleting unused networks. For example, consider the following environment:
· Two Active Directory sites: Exchange-1 and Exchange-2
· DAG members MBX-1 and MBX-2 located in Exchange-1
· DAG members MBX-3 and MBX-4 located in Exchange-2
· MBX-1 and MBX-2 have MAPI networks on 192.168.0.0/24
· MBX-3 and MBX-4 have MAPI networks on 192.168.1.0/24
· MBX-1 and MBX-2 have replication networks on 10.0.0.0/24
· MBX-3 and MBX-4 have replication networks on 10.0.1.0/24
The database availability group networks are configured as follows:
3. To collapse these networks, run the following commands.
Set-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork01 -Subnets 192.168.0.0/24,192.168.1.0/24
Set-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork02 -Subnets 10.0.0.0/24,10.0.1.0/24
Remove-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork03
Remove-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork04
4. To rename the networks according to their behavior, run the following commands.
Set-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork01 -Name MAPINetwork
Set-DatabaseAvailabilityGroupNetwork <DAGName>\DAGNetwork02 -Name ReplicationNetwork
5. If both MAPI and replication networks are deployed, run the following command to enable replication and seeding traffic on the replication network (unless it is unavailable).
Set-DatabaseAvailabilityGroupNetwork <DAGName>\<MAPINetworkName> -ReplicationEnabled $false
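A check to run after the collapse, rename and ReplicationEnabled steps above, as an added example that is not part of the Word template: it compares the live DAG network configuration against the intended layout and reports every difference, including subnets that are not in the Up state. The DAG name, network names and subnets below are the template's example values; adjust them to your environment.

```powershell
# Added example (not from the DAG template). Verifies the collapsed layout.
function Test-DagNetworkLayout {
    param(
        [string]$DagName,
        [hashtable]$Expected   # network name -> @{ Subnets = @(...); ReplicationEnabled = $bool }
    )
    $problems = @()
    $networks = Get-DatabaseAvailabilityGroupNetwork -Identity $DagName

    # Any network not in the expected set should have been removed.
    foreach ($net in $networks) {
        if (-not $Expected.ContainsKey($net.Name)) {
            $problems += "Unexpected network still present: $($net.Name)"
        }
    }

    foreach ($name in $Expected.Keys) {
        $net = $networks | Where-Object { $_.Name -eq $name }
        if ($null -eq $net) { $problems += "Missing network: $name"; continue }

        $actualSubnets = @($net.Subnets | ForEach-Object { "$($_.SubnetId)" }) | Sort-Object
        $wantSubnets   = @($Expected[$name].Subnets) | Sort-Object
        if (($actualSubnets -join ',') -ne ($wantSubnets -join ',')) {
            $problems += "$name subnets are [$($actualSubnets -join ',')], expected [$($wantSubnets -join ',')]"
        }
        if ($net.ReplicationEnabled -ne $Expected[$name].ReplicationEnabled) {
            $problems += "$name ReplicationEnabled is $($net.ReplicationEnabled), expected $($Expected[$name].ReplicationEnabled)"
        }
        # A subnet in any state other than Up means a member's NIC on that
        # subnet is down or misconfigured, and log shipping/seeding will not
        # use the replication network the way the layout intends.
        foreach ($s in $net.Subnets) {
            if ("$($s.State)" -ne 'Up') { $problems += "$name subnet $($s.SubnetId) is $($s.State)" }
        }
    }
    return $problems
}

# Intended layout from the example above: two networks, replication only on
# the replication network.
$expected = @{
    MAPINetwork        = @{ Subnets = @('192.168.0.0/24', '192.168.1.0/24'); ReplicationEnabled = $false }
    ReplicationNetwork = @{ Subnets = @('10.0.0.0/24', '10.0.1.0/24');       ReplicationEnabled = $true  }
}
$issues = Test-DagNetworkLayout -DagName 'DAG1' -Expected $expected
if ($issues.Count -eq 0) { 'DAG network layout matches.' } else { $issues }
```

Running this from each DAG member after a NIC or VLAN change catches the common failure where a new member's replication subnet was never added to the collapsed network, leaving its seeding traffic on the MAPI network.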
A common question that I get from academic customers implementing Unified Messaging is around adding announcements to the auto attendants. They typically use their old voice mail system to provide information such as school or campus closures. These messages need to be changed without involving the Exchange administrator; the prompt would need to be changed to something like “Due to inclement weather the school of XYZ will be closed today”. This scenario also needs to be configured so that the mailbox set up for this does not accept any voicemail messages.
So what do we need to do? First this is something that could not be accomplished in Exchange 2007 UM and requires Exchange 2010 Unified Messaging. Role Based Access Control (RBAC) can be used to configure a delegated admin that only has the ability to create and modify UM custom prompts. We have a role out of box that does this called the UM Prompt Administrator.
Custom prompts can be changed but not created through the telephone user interface (TUI).
The process is as follows:
1. Person responsible for recording the prompt calls the appropriate Dial Plan Pilot number or Automated Attendant number.
2. While UM is playing the current prompt, the caller presses a special key sequence (#*) to indicate their intention to UM.
3. UM asks the caller to enter their extension number and PIN (standard Outlook Voice Access login dialog).
4. Caller enters extension number and PIN, and is taken to a menu where they can choose which prompt to replace (where there is more than 1, e.g. with AAs).
5. Caller chooses prompt, re-records it and accepts the changes.
6. Caller hangs up.
Note that this facility is disabled by default. To enable it, a UM Administrator must use the Exchange Management Shell (PowerShell):
[PS]> Set-UMDialPlan MyDialPlan -TUIPromptEditingEnabled $true
Note that any Automated Attendant will be associated with exactly one Dial Plan.
Another aspect to this scenario is that the UM Prompt administrator may not be a user on the Exchange system. In order for the above to work they need to login with the extension number and the PIN to access and change the prompts.
To set this up for someone who isn’t a domain user, we need to create a dedicated account, assign the role group to it, and then disable that account for interactive login.
Create an Exchange mailbox for the account, and UM-enable it. Since no one will be leaving voice messages for this mailbox, the extension number can be fictitious. Certainly, don’t bother forwarding a phone. Create rules (or otherwise) to stop e-mail delivery to the mailbox, too: it won’t be used for e-mail.
Give out the UM credentials (extension number and PIN) for the mailbox to the person(s) who will record the prompts. Make sure they know which number to call when they need to change a prompt for the Dial Plan, for Automated Attendant 1, for Automated Attendant 2, etc.
Now, armed with this information, the users can change UM custom prompts when required, with no more than a telephone call.
Note that some trusted UM administrator will need to create the custom prompts that will later be replaced. And they will need to use Exchange Management Console or the Exchange Management Shell to do this. However, they will also need a WAV (or, in Exchange 2010, WMA) file in an appropriate codec – and this file could have been recorded by the person who will later use TUI to change it.
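The account setup described above as one Exchange 2010 Management Shell script. This is an added example, not code from the original post or from the Exchange product team: the alias, UPN, database, UM mailbox policy, extension and initial PIN are placeholders, the dial plan name is the post's example, and the "UM Prompts" management role name is an assumption to confirm with Get-ManagementRole. Disabling the AD account for interactive logon is left to your AD tooling, as the post describes.

```powershell
# Added example (not from the original post). Placeholder values throughout.
$alias      = 'promptrecorder'
$upn        = "$alias@contoso.edu"
$dialPlan   = 'MyDialPlan'                 # dial plan from the post
$umPolicy   = "$dialPlan Default Policy"   # placeholder: your UM mailbox policy
$extension  = '7999'                       # fictitious; never routed to a phone
$initialPin = '24680'                      # placeholder; expired so it is changed on first call
$database   = 'MBX-DB01'                   # placeholder

# 1. Mailbox for the recorder. The AD password is not used for prompt work;
#    UM access is extension + PIN only.
$password = Read-Host -AsSecureString 'Initial AD password (not used for prompt recording)'
New-Mailbox -Name 'UM Prompt Recorder' -Alias $alias -UserPrincipalName $upn `
    -Database $database -Password $password -ResetPasswordOnNextLogon $false

# 2. Close every mailbox access path except UM, hide it from address lists,
#    and stop mail delivery by accepting messages from the mailbox itself only.
Set-CASMailbox -Identity $alias -OWAEnabled $false -ActiveSyncEnabled $false `
    -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false
Set-Mailbox -Identity $alias -AcceptMessagesOnlyFrom $alias -HiddenFromAddressListsEnabled $true

# 3. UM-enable with the fictitious extension. PinExpired forces a PIN change
#    on the first Outlook Voice Access login, so the person who hands out the
#    initial PIN never knows the working one.
Enable-UMMailbox -Identity $alias -UMMailboxPolicy $umPolicy -Extensions $extension `
    -Pin $initialPin -PinExpired $true

# 4. Allow prompt editing from the phone on this dial plan (off by default).
Set-UMDialPlan -Identity $dialPlan -TUIPromptEditingEnabled $true

# 5. RBAC: scope the account to prompt work only. Role name assumed; check
#    with: Get-ManagementRole -Identity 'UM Prompts'
New-ManagementRoleAssignment -Name 'Prompt Recorder - UM Prompts' -Role 'UM Prompts' -User $alias

# Check: the auto attendants on this dial plan and the greeting files the
# recorder will be replacing (a custom prompt must already exist there).
Get-UMAutoAttendant | Where-Object { $_.UMDialPlan -eq $dialPlan } |
    Format-Table Name, BusinessHoursWelcomeGreetingFilename, AfterHoursWelcomeGreetingFilename
```

Because the extension is never routed, the only way into this mailbox is the PIN, so treat PIN lockout settings on the UM mailbox policy (and who is told the number to call) as the access control for the announcements.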
Thanks to the Exchange Product team for providing insight into this scenario implementation!!!
So testing is complete and we now support Windows 2008 R2 for deployment with OCS 2007 R2. There are some scenarios that aren’t supported for Windows 2008 R2:
1. OCS 2007 R2 Group Chat won’t function in a Windows 2008 R2 forest or when GC member servers are joined to an R2 domain.
2. Group Chat on a Windows 2008 R2 server isn’t supported.
3. Upgrading the OS to Windows 2008 R2 for existing OCS installs isn’t supported.
4. R2 admin tools will only install in native 32-bit or native 64-bit mode.
5. Development with R2 Speech server isn’t supported on Windows 2008 R2.
More info can be found here.
Yes, there are a few ways to leverage your existing SIP phones (Cisco, Avaya, SIP softphones):
SmartSIP from NET – allows you to connect your existing SIP phones such as Aastra, Cisco, and SIP softphone (X-lite, etc) on a Mac to OCS
SmartSIP Mac voice to OCS demo (Evangelyze sold SmartSIP to NET) here.
AudioCodes new SPS (SIP Phone Support) for Microsoft is an add-on for their gateways which allow for ANY SIP endpoint/phone to connect to OCS – Audiocodes 300HD SIP phone, – this also includes Mac SIP softphones to OCS
Just so it is clear, these solutions are not going to provide a full OCS voice/presence experience that you would receive with an OCS optimized endpoint so this is not a recommended long term solution for connecting to OCS. These solutions will however provide a temporary bridge when transitioning from your legacy PBX and legacy SIP phones to OCS and OCS optimized endpoints.
We can now share some of the new features coming with Exchange 2010 Sp1:
When is SP1 coming?
A beta is scheduled for public availability in June 2010. More info coming to Technet soon.
I was asked this by a school district in Utah converting their entire school district (12,000 seats) to Exchange 2010 voicemail. The answer is yes. We have tested several PBXes and developed PBX configuration notes you can leverage to assist you with your UM implementation:
Visit the PBX config notes here.
Here is a sample of a PBX config note:
If you are looking to get a deeper dive on Microsoft’s UC stack, Tom Cross has put together a unique Microsoft Communications Server Expo/Conference this Summer in Boulder, Co. Read more below:
"MCS-Microsoft Communications Server Moving into Mainstream" Conference & Expo – June 15-16 - Boulder
Get Communications Server smart - Migration-Survivability-Reliability - Microsoft CS Migration - From Start to Finish
Full-program discounts for .edu, nonprofit, .gov, Gold, SIP Forum and others until June 1.
For more and free weekly newsletter go to http://www.mcsforum.org
An independent view of Microsoft Communications Server, Microsoft is a trademark of Microsoft Corporation. NOTE: Microsoft has deleted the term Office and now refers the product as Microsoft Communications Server 14 which is why it is called MCS. Microsoft may make further name changes. Some companies may refer to the product as OCS-Office Communications Server or MCS.
MCS Forum Expo Speaker Presentations Expanded to include:
- Security, Management and Compliance for OCS
- "Managing Migration Madness" - Migration-Survivability-Reliability - Microsoft MCS Migration - from start to finish
- MCS & QoS - "Irrational Exuberance" - Myth versus Reality - MCS platform is not QoS-Ready - Understanding the Myth of QoS in today's network
- MCS from Past to Presence
- MCS/SIP-Session Initiation Protocol Network Architectures - Trunking - Benefits of SIP Trunking, Routing - Benefits of SIP Routing, Proxy Peering Networks - Benefits of SIP Proxy Peering Networks
- Exchange 2010 UM and OCS integration
- A Microsoft presenter on OCS/CS14 (either Mark Garcia or a special Microsoft guest) + Architecture whiteboarding/deep dive sessions around OCS 2007 R2/CS14
Here's some of the great MCS solutions presenting at MCS Forum Expo:
- Uncommon Solutions
- Gold Systems
- 911 Enable
- snom, and others.
To sign up for the Communications Server conference visit here.