CH A P T E R

Configuring Microsoft Exchange Server 2007 and

2010 for Integration with Cisco Unified Presence
(over EWS)
Revised: November 30, 2012
Note

This module describes the integration of Cisco Unified Presence with Microsoft Exchange Server 2007
and 2010 over Exchange Web Services (EWS). If you are integrating with the Exchange server 2003
or 2007 over WebDAV, see Chapter 2, Configuring Microsoft Exchange Server 2003 and 2007 for
Integration with Cisco Unified Presence (over WebDAV).For an overview of each type of Exchange
integration, we recommend that you review Chapter 1, Planning for Cisco Unified Presence Integration
with Microsoft Exchange.

Microsoft Exchange 2007 Configuration Checklist (EWS), page 3-1

Verifying Permissions on the Exchange 2007 Account, page 3-6

Microsoft Exchange 2010 Configuration Checklist (EWS), page 3-7

Verifying Permissions on the Exchange 2010 Account, page 3-10

How to Enable Authentication on the Exchange 2007/2010 Virtual Directories, page 3-11

Microsoft Exchange 2007 Configuration Checklist (EWS)

Before You Begin

Note that the steps required to configure Exchange 2007 server will differ depending on whether you use
Windows Server 2003 or Windows Server 2008.
Table 3-1 provides a summary checklist to follow when configuring access to mailboxes on the
Microsoft Exchange 2007 server on Windows Server 2003 and Window Server 2008. For detailed
instructions, see the Microsoft Server 2007 documentation at the following URL:
http://technet.microsoft.com/en-us/library/bb124558(EXCHG.80).aspx

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-1

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2007 Configuration Checklist (EWS)

Table 3-1

Configuration tasks for Microsoft Exchange 2007 Components

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-2

Chapter 3

Task

Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2007 Configuration Checklist (EWS)

Procedure

Ensure the Windows

See Windows Security Policy Settings, page 1-2.
security policy settings are
correct.

Important Notes
Cisco Unified Presence supports
NTLMv1 Windows Integrated
authentication only, and does not
currently support NTLMv2.

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-3

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2007 Configuration Checklist (EWS)

Task

Procedure
Grant Users the Permission Exchange 2007 Configuration on Windows Server 2003
to Sign in to the Service
1. Sign into the Exchange 2007 server using a service
Account Locally
account that has been delegated the Exchange View
Only Administrator role.
2.

Open the Domain Controller Security Settings window

on the Exchange server.

3.

Under Sccurity Settings in the left frame, navigate to

Local Policies > User Rights Assignments.

4.

Double-click Allow Log On Locally in the right

frame of the console.

5.

Select Add User or Group and navigate to the service

account that you previously created and select it.

6.

Select Check Names, and verify that the specified

user is correct. Then select OK.

Important Notes

For Exchange impersonation to

work, all Exchange servers
must be members of the
Windows Authorization
Access Group.

The service account should not

be a member of any of the
Exchange Administrative
Groups. Microsoft Exchange
explicitly denies
Impersonation for all accounts
in those groups.

Exchange 2007 Configuration on Windows Server 2008

1.

Sign into the Exchange 2007 server using a service

account that has been delegated the Exchange View
Only Administrator role.

2.

Select Start.

3.

Type gpmc.msc

4.

Select Enter.

5.

Open the Domain Controller Security Settings window

on the Exchange server.

6.

Under Sccurity Settings in the left frame, navigate to

Local Policies > User Rights Assignments.

7.

Double-click Allow Log On Locally in the right

frame of the console.

8.

Ensure that the Define these policy settings check box

is selected.

9.

Select Add User or Group and navigate to the service

account that you previously created and select it. Then
select OK.

10. Select Check Names, and verify that the specified

user is correct. Then select OK.

11. Select Apply and OK in the Allow Log On Locally

Properties dialog box.

12. Determine if your users SMTP address is alias @

FQDN. If it is not, you must impersonate using the

user principal name (UPN). This is defined as
alias@FQDN.

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-4

Chapter 3

Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2007 Configuration Checklist (EWS)

Task
Set Impersonation
Permissions at the Server
level

Procedure
Via the Exchange Management Shell (EMS)
1. Open the EMS for command line entry.

Important Notes

These cmdlets grant

impersonation permissions at
the server level. You can also
grant permissions at the
database, user, and contact
levels.

If you have multiple servers,

you must grant Impersonation
to each server (or database).
Exchange 2007 does not have
system-wide Impersonation
permission capability.

Verify that the SMTP address

of your users is defined as
alias@FQDN. If it is not, you
must impersonate the user
account using the User
Principal Name (UPN).

Via the Exchange Management Shell (EMS)

Set Active Directory
Service Extended
1. Run this Add-ADPermission command in the EMS to
Permissions for the Service
add the impersonation permissions on the server for
Account:
the identified service acccount (for example,
Exch2007).

You must set these permissions

(on the Client Access Server
(CAS)) for the service account
that performs the
impersonation.

Syntax
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity User | select-object).identity
-ExtendedRight ms-Exch-EPI-Impersonation

If the CAS is located behind a

load-balancer, grant the
ms-Exch-EPI-Impersonation
rights to the Ex2007 account
for all CAS servers behind the
load-balancer.

If your mailbox servers are

located on a different machine
to the CAS servers, grant
ms-Exch-EPI-Impersonation
rights for the Ex2007 account
for all mailbox servers.

You can also set these

permissions by using Active
Directory Sites and Services
or the Active Directory Users
and Computers user
interfaces.

2.

Run this Add-ADPermission command to add the

impersonation permissions on the server.

Syntax
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity User | select-object).identity
-AccessRights GenericAll -InheritanceType
Descendents
Example
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity Ex2007
select-object).identity -AccessRights GenericAll
-InheritanceType Descendents

Example
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity Ex2007
select-object).identity -ExtendedRight
ms-Exch-EPI-Impersonation

2.

Run this Add-ADPermission command in the EMS to

add the impersonation permissions to the service
account on each mailbox that it impersonates:

Syntax
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity User | select-object).identity
-ExtendedRight ms-Exch-EPI-May-Impersonate
Example
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity Ex2007
select-object).identity -ExtendedRight
ms-Exch-EPI-May-Impersonate

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-5

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Verifying Permissions on the Exchange 2007 Account

Task

Procedure
Grant Send As Permissions Via the Exchange Management Shell (EMS)
to the Service Account and Run this Add-ADPermission command in the EMS to
User Mailboxes
grant Send As permisisons to the service account and all
associated mailbox stores:

Important Notes
You cannot use the Exchange
Management Console (EMC) to
complete this step.

Syntax
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity User | select-object).identity
-ExtendedRights Send-As
Example
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity Ex2007
select-object).identity -ExtendedRights Send-As

Grant Receive As
Permissions to the Service
Account and User
Mailboxes

Via the Exchange Management Shell (EMS)

Run this Add-ADPermission command in the EMS to

grant Receive As permisisons on the service account and
all associated mailbox stores:

You cannot use the Exchange

Management Console (EMC) to
complete this step.

Syntax
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity User | select-object).identity
-ExtendedRights Receive-As
Example
Add-ADPermission -Identity
(get-exchangeserver).DistinguishedName -User
(Get-User -Identity Ex2007
select-object).identity -ExtendedRights Receive-As

Troubleshooting Tips

Cisco Unified Presence only requires Receive As permissions on the account to enable it to sign in to
that account when it connects to the Exchange server. Note that this account does not typically receive
mail so you do not need to be concerned about allocating space for it.
What To Do Next

Verifying Permissions on the Exchange 2007 Account, page 3-6

Verifying Permissions on the Exchange 2007 Account

After you have assigned the permissions to the Exchange 2007 account, you must verify that the
permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate
the account of another user. On Exchange 2007, it takes some time for the permissions to propagate to
mailboxes.
Before You Begin

Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2007
Configuration Checklist (EWS) topic.

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-6

Chapter 3

Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2010 Configuration Checklist (EWS)

Procedure
Step 1

In the EMC on the Exchange 2007 server, right-click Active Directory Sites and Services in the console
tree.

Step 2

Point to View, and then select Show Services Node.

Step 3

Expand the service node, for example, Services/MS Exchange/First Organization/Admin

Group/Exchange Admin Group/Servers.

Step 4

Verify that the CAS is listed for th e service node that you selected.

Step 5

View the Properties of each CAS server, and under the Security tab, verify that:

Step 6

a.

Your service account is listed.

b.

The permissions granted on the services account indicate (with a checked box) that the Exchange
Web Services Impersonation permission is allowed on the account.

Verify that the service account (for example, Ex2007) has been granted Allow impersonationpermission
on the storage group and the mailbox store to enable it to exchange personal information and to send as
and receive as another user account.

Troubleshooting Tips

If the account or the impersonation permissions do not display as advised in Step 5, you may need
to recreate the service account and ensure that the required impersonation permissions are granted
to the account.

You may be required to restart the Exchange server for the changes to take effect. This has been
observed during testing.

What To Do Next

How to Enable Authentication on the Exchange 2007/2010 Virtual Directories, page 3-11.

Microsoft Exchange 2010 Configuration Checklist (EWS)

Table 3-3 provides a summary checklist to follow when configuring access to mailboxes on the
Microsoft Exchange 2010 server. For detailed instructions, see the Microsoft Server 2010 documentation
at the following URL: http://technet.microsoft.com/en-us/library/bb124558.aspx
Before You Begin

Before you integrate Microsoft Exchange 2010 server with Cisco Unified Presence over EWS, ensure
that you configure the following throttle policy parameter values on the Exchange server. These are the
values that are required for the EWS calendaring integration with Cisco Unified Presence to work.

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-7

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2010 Configuration Checklist (EWS)

Table 3-2

Recommended Throttle Policy Parameter Values on Microsoft Exchange

Parameter

Recommended Configuration Value

EWSMaxConcurrency

It has been observed during Cisco tests that the

default throttling policy value is sufficient to
support 50% calendaring-enabled users. If you have
a higher load of EWS requests to the CAS, however,
we recommend that you increase this parameter to
100.

EWSPercentTimeInAD

50

EWSPercentTimeInCAS

90

EWSPercentTimeInMailboxRPC

60

EWSMaxSubscriptions

Null

EWSFastSearchTimeoutInSeconds

60

EWSFindCountLimit

1000

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-8

Chapter 3

Table 3-3

Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Microsoft Exchange 2010 Configuration Checklist (EWS)

Configuration tasks for Microsoft Exchange 2010 Components

Task

Procedure

Ensure the Windows

security policy settings are
correct.

See Windows Security Policy Settings, page 1-2.

Set Exchange Impersonation Via the Exchange Management Shell (EMS)

Permissions for Specific
1. Open the EMS for command line entry.
Users or Groups of Users
2. Run the New-ManagementRoleAssignment command in the EMS to grant a specified
service account (for example, Ex2010) the permission to impersonate other user
accounts:
Syntax
new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg
-Role:ApplicationImpersonation -User:user@domain
Example
new-ManagementRoleAssignment -Name:_suImpersonateRoleAsg
-Role:ApplicationImpersonation -User:Ex2010@domain

3.

Run this New-ManagementRoleAssignment command to define the scope to which the

impersonation permisisons apply. In this example, the Exch2010 account is granted the
permission to impersonate all accounts on a specified Exchange Server.

Syntax
new-ManagementScope -Name:_suImpersonateScope -ServerList:<server name>
Example
new-ManagementScope -Name:_suImpersonateScope -ServerList:nw066b-227

4.

Run the New-ThrottlingPolicy command to create a new Throttling Policy with the
recommended values defined in Table 3-2.

Syntax
New-ThrottlingPolicy -Name:<Policy Name> -EWSMaxConcurrency:100
-EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90 -EWSPercentTimeInMailboxRPC:60
-EWSMaxSubscriptions:5000
-EWSFastSearchTimeoutInSeconds:60
-EWSFindCountLimit:1000
Example
New-ThrottlingPolicy -Name:Cisco Unified Presence ThrottlingPolicy
-EWSMaxConcurrency:100 -EWSPercentTimeInAD:50 -EWSPercentTimeInCAS:90
-EWSPercentTimeInMailboxRPC:60 -EWSMaxSubscriptions:5000
-EWSFastSearchTimeoutInSeconds:60 -EWSFindCountLimit:1000

5.

Run the Set-ThrottlingPolicyAssociation command to associate the new Throttling

Policy with the service account used in Step 2 above.

Syntax
Set-ThrottlingPolicyAssociation -Identity <Username> -ThrottlingPolicy
<Policy Name>
Example
Set-ThrottlingPolicyAssociation -Identity Ex2010 -ThrottlingPolicy Cisco
Unified Presence ThrottlingPolicy

What To Do Next

Verifying Permissions on the Exchange 2010 Account, page 3-10

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-9

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
Verifying Permissions on the Exchange 2010 Account

Related Topics

For a complete description of the Microsoft Exchange server parameters, see here:
http://technet.microsoft.com/en-us/library/dd351045.aspx

Verifying Permissions on the Exchange 2010 Account

After you have assigned the permissions to the Exchange 2010 account, you must verify that the
permissions propagate to mailbox level and that a selected user can access the mailbox and impersonate
the account of another user. On Exchange 2010, it takes some time for the permissions to propagate to
mailboxes.
Before You Begin

Delegate the appropriate permissions to the Exchange account. See the Microsoft Exchange 2010
Configuration Checklist (EWS) topic.

Procedure
Step 1

Open the Exchange Management Shell (EMS) for command line entry.

Step 2

Verify that the service account has been granted the required Impersonation permissions:
a.

Run this command in the EMS:

Get-ManagementRoleAssignment -Role ApplicationImpersonation

b.

Ensure that the command output indicates role assignments with the Role
"ApplicationImpersonation for the specified account as follows:
Example: Command Output

Name

Role

RoleAssigneeName

------

----

- - - - - - - - - - - - - Type
------

_suImpersonate
RoleAsg

Step 3

ApplicationImpe ex 2010
rsonation

RoleAssignee

User

Assignment
Method

EffectiveUser
Name

-----

---------

Direct

ex 2010

Verify that the management scope that applies to the service account is correct:
a.

Run this command in the EMS:

Get-ManagementScope _suImpersonateScope

b.

Ensure that the command output returns the impersonation account name as follows:
Example: Command Output

Name

ScopeRestrictionType Exclusive

------

----

RecipientRoot Recipient
Filter

-------- ------

----_suImpersonate
Scope

Step 4

ServerScope

False

Verify that the ThrottlingPolicy parameters match what is defined in Table 3-2.
a.

Run this command in the EMS:

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-10

ServerFilter

--------Distinguished
Name

Chapter 3

Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
How to Enable Authentication on the Exchange 2007/2010 Virtual Directories

Get-ThrottlingPolicy -Identity <Policy Name> | findstr ^EWS

b.

Ensure that the command output has the same values defined in Table 3-2:

What To Do Next

How to Enable Authentication on the Exchange 2007/2010 Virtual Directories, page 3-11

How to Enable Authentication on the Exchange 2007/2010 Virtual

Directories
You must enable basic authentication on the Exchange virtual directories (/exchange and /exchweb) for
Microsoft Office Outlook Web Access to work properly. The /exchange directory handles mailbox
access requests for OWA and WebDAV. The /exchweb directory contains resource files used by OWA
and WebDAV. You can also optionally enable Windows Integrated Authentication on the Exchange
virtual directories. Furthermore, Forms Based Authentication can be optionally enabled.

Enabling Authentication on Exchange 2007 Running Windows Server 2003, page 3-11

Enabling Authentication on Exchange 2010 Running Windows Server 2008, page 3-12

Enabling Authentication on Exchange 2007 Running Windows Server 2003

Procedure
Step 1

From Administrative Tools, open Internet Information Services. and select the appropriate server.

Step 2

Select Web Sites.

Step 3

Select Default Web Site.

Step 4

Right click the EWS directory folders, and select Properties.

Step 5

Select the Directory Security tab.

Step 6

Under Authentication and access control, select Edit.

Step 7

Under Authentication Methods, verify that the following check box is unchecked:
Enable anonymous access

Step 8

Under Authentication Methods Authenticated Access, verify that one or both of the following check
boxes are checked:
Integrated Windows authentication.
Basic authentication (password is sent in clear text).

Step 9

Select OK.

What To Do Next

Configuring the Presence Gateway on Cisco Unified Presence for Microsoft Exchange Integration,
page 4-1

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-11

Chapter 3 Configuring Microsoft Exchange Server 2007 and 2010 for Integration with Cisco Unified Presence (over
How to Enable Authentication on the Exchange 2007/2010 Virtual Directories

Enabling Authentication on Exchange 2010 Running Windows Server 2008

Procedure
Step 1

From Administrative Tools, open Internet Information Services and select the server.

Step 2

Select Web Sites.

Step 3

Select Default Web Site.

Step 4

Select EWS.

Step 5

Under the IIS section, select Authentication.

Step 6

Verify that the following Authentication methods are enabled:

Anonymous Authentication
Windows Authentication and/or Basic Authentication

Step 7

Use the Enable/Disable link in the Actions column to configure appropriately.

What To Do Next

Configuring the Presence Gateway on Cisco Unified Presence for Microsoft Exchange Integration,
page 4-1
Related Topics

http://technet.microsoft.com/en-us/library/aa998849.aspx

http://technet.microsoft.com/en-us/library/ee633481.aspx

Integration Guide for Configuring Cisco Unified Presence Release 8.5 and 8.6 with Microsoft Exchange

3-12