By integrating Lync Server and Exchange Server, Microsoft will have a powerful communications platform greater than the sum of its parts.
Microsoft’s “Better Together” strategy has helped the company capitalize on the synergy between key products. However, the 2013 versions of Lync Server and Exchange Server represent the first time that product releases will have been coordinated.
While each of these releases offers significant value and incentive to upgrade by themselves, the coordinated release adds compelling reasons for deploying these products together. There are new features available as a result of this integration, including archiving, a unified contact store and high-resolution photo support. There’s also a new authorization framework called OAuth, and changes to existing features such as Unified Messaging and IM integration with Outlook Web App (OWA).
As part of the new release of Lync Server 2013 and Exchange Server 2013, Microsoft has made a significant change to the underlying authorization framework required to facilitate the integration between Lync and Exchange. OAuth 2.0 is a standards-based framework that’s widely used across the Web services industry, as well as within other Microsoft products such as Xbox and Hotmail. However, the 2013 releases of Lync, Exchange and SharePoint include this technology for the first time.
OAuth typically involves three components—a trusted authorization server and two realms that need to communicate. The authorization or token server issues security tokens to the two realms. These tokens verify the authenticity of both realms and ensure that user credentials and passwords aren’t passed from one server to another. Instead, authentication and authorization is based on the existence of these tokens.
For example, the authorization server might issue tokens that verify users from a specific Lync Server 2013 realm are able to access a specific Exchange 2013 realm and vice versa. In Lync 2013 the default Session Initiation Protocol (SIP) domain acts as the OAuth realm.
As part of its implementation within the Microsoft Office family of server products (including Office 365 and the on-premises versions of Lync, Exchange and SharePoint), the OAuth framework supports three cloud, on-premises and hybrid (Office 365 plus some combination of on-premises servers) topologies. In an on-premises implementation, there’s no need to implement a trusted token server. Trust is established through the use of partner applications.
Implementing OAuth is straightforward within Lync and Exchange. You need to use some new cmdlets in the Exchange and Lync management shells. The first step is to ensure that you have a valid certificate for use by the OAuth framework. It’s highly recommended that you use the same certificate across Lync and Exchange, as this will simplify troubleshooting.
The simplest approach to configuring a certificate is to use the Lync certificate wizard to request and assign a certificate from your internal Certificate Authority (CA). Lync only has a single global realm, so the Subject Name of the certificate will be the default SIP domain. Once you have this certificate installed in Lync, export it to the Exchange environment. By default, Exchange will use a self-signed certificate, so you’ll need to replace the existing certificate using the Set-AuthConfig cmdlet in the Exchange Management Shell (EMS).
Once you’ve configured OAuth with the correct certificate, you’ll have to create a partner application for Lync in Exchange and for Exchange in Lync. Creating the partner application is what lets Lync and Exchange directly swap security tokens and bypass the need for a third-party token server.
To create a partner application in Exchange, you’ll have to run a Windows PowerShell script called Configure-EnterprisePartnerApplication.ps1. This Windows PowerShell script will create a disabled user account to which the UserApplication and ArchiveApplication management roles are assigned.
This account is then associated with the authentication document on the Lync server to create a partner application. This lets Lync read and write data to Exchange mailboxes on behalf of users. In Lync, a cmdlet in the management shell called New-CSTrustedApplication handles creating the partner application. It’s important to remember that prior to configuring the Lync partner application, you must configure the Exchange AutoDiscover service.
Prior to proceeding any further with Exchange and Lync integration, you’ll have to download and install the Unified Communications Managed API (UCMA) version 4.0 runtime in your Exchange environment.
While the Lync 2010 contact card was able to aggregate the data associated with a contact, it never offered a single location for storing all that contact-related data. However, if Lync 2013 and Exchange 2013 are deployed together, you can now do exactly that. The unified contact store lets you store all Lync contact data in the user’s Exchange 2013 mailbox. This presents a unified view of the data as well as a single storage location. Lync will retrieve data associated with a user’s contact list using Exchange Web Services, as opposed to the SIP request used in Lync 2010.
The process for configuring the unified contact store is straightforward and relies on a cmdlet in the Lync management shell called New-CSUserServicesPolicy -UCSAllowed $true. You can control application of this policy at a granular level, including the global, site, service or user level. As a result, you can have some of your users maintain their contacts in SQL Server, as they do in Lync Server 2010. Others can use their Exchange Server 2013 mailboxes.
In the event there’s a need to roll back a deployment of the unified contact store, you can set the UCSAllowed parameter to false. However, while this will prevent the use of Exchange as the storage point, it won’t copy existing data from the mailbox to the SQL Server used by the user’s Lync Server. In order to copy existing data from Exchange to SQL, use the Invoke-CSUserRollBack cmdlet from the Lync management shell.
While Lync has always had robust archiving capabilities, its discovery capabilities have been limited. By integrating Lync and Exchange 2013, both archiving and discovery have taken a major step forward. Lync administrators can configure archiving policy at either the global, site or service level using the New-CsArchivingConfiguration or Set-CsArchivingConfiguration cmdlets with the EnableExchangeArchiving parameter set to true.
Once you’ve enabled archiving, all data is archived to the Purges folder. This is a hidden folder in the Recoverable Items folder. While this data is not directly accessible by users, it’s indexed by the Exchange search engine and is discoverable using the Exchange discovery tools or the SharePoint Discovery Center.
Finally, there are some important points to consider with your Active Directory topology in support of Lync Server 2013 and Exchange Server 2013:
The ExchangeArchivingPolicy parameter can be one of four values:
When Lync and Exchange 2013 are integrated, they now support high-resolution photos. This support was added in response to specific limitations, such as restrictive size limits with images stored in Active Directory (as a result of relying on the thumbnailPhoto attribute), limited native support for photo modification and a long synchronization path.
The solution to these problems was to use Exchange as a storage point for photos. When a user uploads an image using OWA, the image is stored in the mailbox in a hidden folder the user can’t view. By using his own mailbox to store the photo, a user can now upload images as large as 20MB or 648 x 648 pixels. Microsoft actually recommends uploading at maximum resolution to ensure the best-possible quality.
Exchange will automatically resize the image for use by Active Directory (48 x 48) or by other Office applications, including OWA and the Outlook 2013 client (96 x 96). When a user migrates to Exchange 2013, he can automatically use this feature. No additional configuration is needed. You can also use the EMS cmdlet Set-UserPhoto to upload users’ photos.
Once a user has moved to Lync 2013, he won’t be able to use a Web URL as a source for his image. If a user is already using a Web URL for a certain image, the image will continue to display, but once he uploads a high-resolution image using OWA, he’ll no longer be able to point to a Web URL.
Some features that aren’t new will now play a more-significant role in the integrated Lync and Exchange 2013, most notably IM and presence features and unified messaging.
IM and presence with Outlook Web App While the core functionality of IM and presence as part of OWA remains unchanged in the 2013 releases of Exchange and Lync, there are some minor changes in the configuration process. IM is enabled by default when you install OWA, so there’s no need to run the Set-OwaVirtualDirectory with the InstantMessagingEnabled and InstantMessagingType parameters. However, you must configure OWA Mailbox policies in the same way using the Set-OwaMailboxPolicy cmdlet. There’s also a change in where you configure the IMCertificateThumbprint and IMServerName. In earlier versions, you found these values in the OWA Virtual Directory using Windows PowerShell. In Exchange Server 2013, they’re added to the web.config file.
Unified messaging From a user perspective, the most important changes related to unified messaging include improvements in accuracy for the speech-to-text functionality in Voice Mail Preview (courtesy of Microsoft Speech Engine version 11.0 and UCMA version 4.0) and improvements in Caller ID reliability (courtesy of the unified contact store). From an administrator perspective, the primary change related to configuration is the need to configure the unified messaging Call Router service using the Set-UMCallRouterSettings cmdlet. This is a new service running on the Client Access server (CAS). It’s also worth noting that under certain circumstances, you might need to configure a trusted application pool. While Lync can automatically discover servers that host an SIP URI unified messaging dial plan, this means if you split the CAS and Mailbox roles, you’ll need to create a trusted application pool for the servers running the CAS role.
As a result of the investments made by Microsoft in Exchange Server and Lync Server 2013, the company has added a lot of new features, functionality and flexibility to already strong products. While these changes make these latest releases a worthwhile upgrade in their own right, the benefits of using these products together is compelling. Features such as the unified contact store, high-resolution photos, and integrated archiving and discovery are of benefit to both you and your users.
Alan Maddison is an 18-year veteran of the IT industry, focusing primarily on Microsoft technologies. For the last seven years, he has worked as a consultant focusing on delivering professional services. He’s currently a senior consultant with Microsoft Consulting Services.