White Paper: Deploying Exchange 2007 Unified Messaging - Part 2
Tony Smith, Senior Technical Writer, Microsoft Exchange Server
September 2007
Summary
This white paper provides the technical information, prescriptive guidance, and configuration steps that are required to successfully deploy Microsoft Exchange Server 2007 Unified Messaging in your organization. The following information is included in this white paper:
Overview of Unified Messaging in Exchange Server 2007.
Planning a Unified Messaging Deployment for your organization.
Deploying Unified Messaging within your organization.
Applies To
Microsoft Exchange Server 2007
Table of Contents
Introduction
Overview of Unified Messaging in Exchange Server 2007
- Unified Messaging Features and Benefits
Planning a Unified Messaging Deployment
- PBX, IP PBX, and IP Gateway Configurations
Deploying Unified Messaging
Verify Installation of the Mailbox, Hub Transport, and Client Access Server Roles
Configuring Telephony Components
Deploying IP Gateways
Installation of the Unified Messaging Server Role
Create and Configure UM Active Directory Objects
Securing Your UM Deployment
UM-Enabled User PIN Security
Securing Unified Messaging Network Traffic
Configuring Permissions for Unified Messaging
Conclusion
Introduction
The telephony functionality found in Exchange 2007 Unified Messaging (UM) is new to the Microsoft Exchange product line. Its introduction combines multiple messaging infrastructures into a single messaging infrastructure. Unified Messaging includes many features and benefits for end users and administrators.
Objectives and acknowledgements: Much of the information in this white paper originally appeared in individual Help topics in the Exchange Server 2007 Help. In this white paper, we have combined these topics to provide an end-to-end, printable guide that you can use to deploy Unified Messaging.
The content of this white paper is divided into the following sections:
Overview of Unified Messaging in Exchange Server 2007
Planning a Unified Messaging Deployment
Deploying Unified Messaging
Securing Your UM Deployment
Overview of Unified Messaging in Exchange Server 2007
Exchange 2007 provides distinct server roles that align with the way a messaging system is typically deployed and distributed in an organization. A server role is a unit that logically groups the features and components that are required to perform a specific function in the messaging environment. The Unified Messaging server role is one of the Exchange 2007 server roles that can be installed on a computer that is running Microsoft Windows Server 2003 or that is running Windows Server 2003 and Exchange 2007.
Unified Messaging combines voice messaging, fax, and e-mail messaging in the Exchange store. Exchange 2007 Unified Messaging integrates Microsoft Exchange with telephony networks and brings the Unified Messaging features to the core of Exchange. Exchange 2007 Unified Messaging puts all e-mail, voice, and fax messages into one Exchange 2007 mailbox that can be accessed from a variety of devices. After Unified Messaging servers are deployed on the network, users can access their messages from a telephone by using Outlook Voice Access, from a mobile device, or from the computer of a user who is running Microsoft Windows XP.
The Unified Messaging server role requires that an Exchange 2007 server that is running the Mailbox, Hub Transport, and Client Access server roles be installed in your organization. These server roles can be installed before or while you install the Unified Messaging server role. The following figure illustrates the relationship between telephony network components in an organization and the Exchange 2007 server roles that are required to deploy your Exchange 2007 Unified Messaging system.
The relationship between telephony components and Exchange 2007 Unified Messaging
In the previous figure, the Exchange 2007 Unified Messaging solution provides access to telephony systems by using standard Voice over IP (VoIP) protocols. These protocols include Session Initiation Protocol (SIP), Realtime Transport Protocol (RTP), and the T.38 protocol. The IP gateways provide interoperability for legacy Private Branch eXchange (PBX) systems.
Unified Messaging Features and Benefits
Today, employees of organizations frequently manage their voice and fax messages separately from their e-mail messages. Additionally, IT administrators frequently manage the voice mail or telephony networks and the e-mail systems or data networks as separate systems. In these situations, voice mail and e-mail are located in separate inboxes hosted on separate servers that are accessed through the desktop for e-mail and through the telephone for voice mail. Fax messages come to, and are sent from, physical stand-alone fax machines. Exchange 2007 Unified Messaging offers a single store for all messages, including e-mail, voice, and fax messages.
When you deploy Exchange 2007 Unified Messaging, your users will have access to their e-mail, voice mail, and fax messages from either Microsoft Office Outlook 2007 or the version of Outlook Web Access that is included with Exchange 2007. Additionally, users will be able to use the following features:
Access to Exchange information: To offer a seamless voice mail experience for the user, UM-enabled users can access a full set of voice mail features from Windows Mobile powered devices, Outlook 2007, and Microsoft Outlook Web Access.
Play on Phone: The Play on Phone feature lets UM-enabled users play voice messages over a telephone.
Voice mail form: The Outlook 2007 voice mail form resembles the default e-mail form. It gives users an interface for performing actions such as playing, stopping, or pausing voice messages, playing voice messages on a telephone, and adding and editing notes.
Fax receiving: Exchange 2007 Unified Messaging lets fax messages be delivered to a user's Exchange 2007 mailbox and also lets users receive fax messages in their mailbox. A fax message is sent to the user's mailbox as an e-mail message that has an image file with a .tif extension attached. Users who receive these messages in their mailbox can open the attached file by using a software application that can open and view image files that have a .tif extension. For more information about faxing in Unified Messaging, see Understanding Faxing in Unified Messaging.
User configuration settings: A user who is enabled for Unified Messaging can configure several voice mail options for Unified Messaging by using Outlook Web Access. For example, the user can configure telephone access numbers and the voice mail Play on Phone number, and can reset a voice mail access PIN.
Call answering: Call answering includes answering an incoming call on behalf of a user, playing their personal greeting, recording a message, and submitting it for delivery to their mailbox as an e-mail message.
Outlook Voice Access: Subscribers can use Outlook Voice Access when they access the Unified Messaging system from an external or internal telephone. They can use Outlook Voice Access to access their Exchange 2007 mailbox, including their personal e-mail, voice messages, and calendar information. Subscribers can listen to, reply to, create, and forward unread e-mail messages by using the telephone. For more information about subscriber access in Unified Messaging, see Understanding Unified Messaging Subscriber Access.
Auto attendant: An auto attendant is a set of voice prompts that gives external or internal users access to the Exchange 2007 Unified Messaging system. Users can use the telephone keypad or speech inputs to move through the auto attendant menu structure, place a call to a user, or locate a user and then place a call to that user.
Deploying Exchange 2007 Unified Messaging in your organization offers the following benefits:
A complete unified messaging solution: Exchange 2007 Unified Messaging offers a true unified messaging system by using a single store, transport, and directory infrastructure.
An Exchange 2007 deployment and administration model: By using the Exchange 2007 Unified Messaging solution, you take advantage of the Exchange 2007 server design. You can use your knowledge of Microsoft Exchange, including training and troubleshooting methodology, and apply it to managing your voice mail and fax messaging infrastructure.
An Exchange 2007 security model: The Microsoft Exchange Unified Messaging service runs as an Exchange server account. This means that you do not have to create or manage a super user account for Unified Messaging.
Consolidation of voice mail systems: Currently, most voice messaging systems require that all the voice messaging system components be installed in every physical office location in an organization. Unified Messaging lets you manage your voice mail system from a central location. To create a centralized management system for Unified Messaging, you can place all Unified Messaging servers in a datacenter or location, and then deploy IP gateways in each of your branch offices to replace the voice messaging system for each branch office. When you deploy a centralized voice messaging system in this manner, you can achieve a significant savings in hardware and administrative costs.
Speech enabled auto attendants: When internal or external callers call in to the Exchange 2007 Unified Messaging system, a series of voice prompts assists them in moving through the auto attendant menu system. For more information about auto attendants, see Understanding Unified Messaging Auto Attendants.
Planning a Unified Messaging Deployment
During the Exchange 2007 deployment phase, you install Exchange 2007 in your production environment. Before you begin the deployment phase, you should plan your Microsoft Exchange organization. For information about how to plan your Exchange 2007 organization, see Planning and Architecture or Planning for Unified Messaging Servers.
Before you deploy Exchange 2007, it is important to know which of the following organization types best describes your existing Exchange organization, and also which of these types you want your organization to be after you deploy Exchange 2007. Any supported Exchange organization can be categorized into one of these four Exchange organization types:
Simple Exchange organization
Standard Exchange organization
Large Exchange organization
Complex Exchange organization
For more information about recommended Exchange deployments, see Recommended Deployments.
When you plan your Exchange 2007 Unified Messaging deployment, you must consider design and other issues that may affect your ability to reach your organizational goals when you deploy Unified Messaging. The following are some areas that you should consider and evaluate when planning for Exchange 2007 in your organization:
Your business needs for Unified Messaging
Your telephony network and your current voice mail system
Your current data network design
Your current Active Directory environment
The number of users who you must support
The number of Unified Messaging servers you will need
The storage requirements for users
The placement of IP gateways, telephony equipment, and Unified Messaging servers
PBX, IP PBX, and IP Gateway Configurations
An organization that owns and maintains its telephony network must buy the required telephony hardware components. An organization must also consider the day-to-day maintenance of the telephony equipment and the training that is required for its staff to support the telephony system. Integrating Exchange 2007 Unified Messaging with your company's telephony network is one of the most significant deployment challenges when you deploy Unified Messaging. Your organization's ability to interoperate with Exchange 2007 Unified Messaging will depend on your specific PBX or IP PBX configurations and may also require that you install IP gateways, purchase additional PBX hardware, or configure and enable features on your PBXs or IP PBXs.
There are three types of basic telephony configurations in organizations: legacy (or traditional) PBX, IP PBX, and IP PBX hybrid. Examples of these telephony configurations are shown below.
The following figure illustrates a typical telephony and data network that includes a legacy or traditional PBX configuration.
Legacy (or traditional) PBX configuration
The following figure illustrates a typical telephony and data network that includes the two types of IP PBX configurations.
IP PBX configuration
IP PBX hybrid configuration
For more information about telephony configurations before you deploy Exchange 2007 Unified Messaging, see Understanding PBX and IP PBX Configurations. For more information about telephony concepts and components, see Overview of Telephony Concepts and Components.
Correctly configuring IP gateways for your organization is a difficult deployment task that must be completed to successfully deploy Exchange 2007 Unified Messaging. To help answer questions and give you the most up-to-date IP gateway configuration information, see the Telephony Advisor for Exchange Server 2007 Web site. This Web site gives you IP gateway configuration notes and files that you must have to correctly configure your IP gateways to work with Exchange 2007 Unified Messaging.
Bandwidth Considerations
Every incoming call that is received from an IP gateway will generate IP-based network traffic and will consume some amount of your available network bandwidth. Before you deploy Unified Messaging, you should perform an analysis of the network traffic to determine current usage patterns and identify any potential issues. On most networks, bandwidth demand is not evenly distributed throughout business hours. Because all the IP-based calls are routed directly to your Unified Messaging servers from the IP gateways on your network and this IP-based network traffic consumes some available bandwidth, you should follow these recommendations and guidelines:
Place your PBXs physically close to your IP gateways.
Place your IP gateways and your Unified Messaging servers on the same well connected network or within the same physical site.
Place your Unified Messaging servers on the same well connected network or within the same physical site as other computers that have Exchange 2007 server roles installed, including Mailbox, Hub Transport, and Client Access servers.
Terminate your Wide Area Network (WAN) connections close to where your telephony equipment is located.
In branch office scenarios or over WAN connections, use the G.723.1 codec instead of the G.711u or G.711A codec to minimize the network traffic that is passed between your IP gateways and your Unified Messaging servers.
For a recent list of supported IP gateways and other configuration information related to IP gateways, PBXs, and IP PBXs, see the Telephony Advisor for Exchange Server 2007 Web site. For more information about IP gateway, PBX and IP PBX support in Unified Messaging, see Supported IP Gateways or IP PBX and PBX Support.
Deploying Unified Messaging
Exchange 2007 Unified Messaging provides an efficient and simple deployment model that is highly scalable but does not increase the complexity of the deployment. There are many deployment models for Unified Messaging in your organization. The recommended deployment model for Unified Messaging centralizes your Unified Messaging servers. All the available deployment options for Unified Messaging have several steps in common that are required to create a scalable and highly available system to support large numbers of Unified Messaging users. These steps are as follows:
Verify that you have correctly installed the Exchange 2007 server roles that are required by Unified Messaging.
Deploy and configure your telephony components for Unified Messaging.
Install the Unified Messaging server role.
Perform the required post-installation tasks.
Configure the required Unified Messaging Active Directory objects.
Secure your UM deployment.
Verify Installation of the Mailbox, Hub Transport, and Client Access Server Roles
A variety of deployment paths are available for organizations that plan to deploy Exchange 2007. Although these paths all lead to the same end—a successful deployment of Exchange 2007—each path is slightly different because each customer's needs and starting points are different. Generally, however, there are common starting points and paths that cover all supported deployment scenarios, including new installations, transitions, and migrations. Because Unified Messaging relies on the functionality of other server roles found in Exchange 2007, the Unified Messaging server role will most likely be the last server role that you install in your Exchange 2007 organization. However, you must follow these steps to install the server roles other than Unified Messaging before you can install the Unified Messaging server role:
Verify that your existing infrastructure meets certain prerequisites before you install Exchange 2007.
For more information about existing infrastructure prerequisites, see Planning Checklist.
Verify that you have correctly installed the Exchange 2007 server roles required by Unified Messaging.
For more information about how to install other server roles in Exchange 2007, see one of the following topics:
After you install Exchange 2007, we recommend that you verify the installation and review the server setup logs.
For more information about how to verify a successful installation of Exchange 2007, see Verifying an Exchange 2007 Installation.
Configuring Telephony Components
To successfully deploy an Exchange 2007 Unified Messaging server in an Exchange organization, the Exchange administrator must become knowledgeable about data networking concepts and telephony terminology and concepts and be able to correctly configure those telephony components. We recommend that all customers who plan to deploy Exchange 2007 Unified Messaging obtain the assistance of a Unified Messaging specialist. They will help make sure that there is a smooth transition to Unified Messaging from a legacy voice mail system. Performing a new deployment or upgrading a legacy voice mail system requires significant knowledge about PBXs and Exchange 2007 Unified Messaging. For more information about how to contact a Unified Messaging specialist, see the Microsoft Exchange Server 2007 Unified Messaging (UM) Specialists Web site.
Generally there are three tasks that must be completed to successfully configure the telephony components that are required by Unified Messaging:
Provision PBX lines: The first step in deploying a scalable UM solution is to provision PBX lines.
Organize channels: After you have provisioned PBX-based voice channels, you can organize the channels as hunt groups.
Deploy IP gateways: After you have organized your voice channels as hunt groups, you end these channels at IP gateways. IP gateways are used with a legacy PBX to convert the circuit-switched protocols found on a telephony network to IP-based packet-switched protocols.
For a recent list of supported IP gateways and other configuration information related to IP gateways, PBXs, and IP PBXs, see the Telephony Advisor for Exchange Server 2007 Web site. For more information about IP gateway, PBX, and IP PBX support in Unified Messaging, see Supported IP Gateways or IP PBX and PBX Support.
Deploying IP Gateways
IP gateway devices are integral to deploying Exchange 2007 Unified Messaging in your organization. There are two types of IP gateway devices that you can use with Unified Messaging: an IP PBX and an IP gateway. Both types of devices can exist in a single organization. However, you must configure each IP gateway or IP PBX device correctly to successfully deploy Unified Messaging.
The IP PBX or the IP gateway devices in your organization are the intermediary components between your organization's telephony network and your organization's data network. IP PBXs and IP gateways act as a translator and are used to convert the circuit-switched protocols that are found in your telephony network to the IP packet-switched protocol that is found in your data network.
When you integrate your organization's telephony and data networks during the deployment of Exchange 2007 Unified Messaging, you must configure the telephony and data networking components correctly. You must configure the following components or interfaces to successfully deploy Unified Messaging:
Configure the connection from the PBXs in your organization to communicate with your IP gateways.
For more information about how to configure the IP gateway to the PBX interface, see How to Configure an IP Gateway to Communicate with a PBX.
Configure the connection from the IP gateway interface to the PBX.
For more information about how to configure your PBX interface to communicate with your supported IP gateway, see the product documentation that is specific to your PBX. For more information about how to configure the IP gateway to the PBX interface, see How to Configure an IP Gateway to Communicate with a PBX.
Configure the connection from the IP gateway interface to the Exchange Server 2007 Unified Messaging server.
For more information about how to configure the supported IP gateway interfaces for Exchange 2007 Unified Messaging, see How to Configure an IP Gateway or IP PBX for Use with a Unified Messaging Server.
Configure the connection from the Unified Messaging server to the IP gateway interface.
For more information about how to configure the Unified Messaging server to communicate correctly with an IP gateway interface, see How to Connect a Unified Messaging Server to a Supported IP Gateway.
For more information about telephony components, see Overview of Telephony Concepts and Components.
Installation of the Unified Messaging Server Role
After you have completed the deployment of your IP gateways or IP PBXs on your network, you must install the Unified Messaging server role on one or more computers in your Exchange environment. Depending on the needs of your business, to provide a highly scalable and available Unified Messaging system, consider installing the Unified Messaging server role on more than one computer. For more information about how to plan and deploy a highly available and scalable Unified Messaging system, see Planning for Unified Messaging Availability and Scalability.
Follow these steps to install the Unified Messaging server role:
Review the Exchange 2007 system requirements before installation.
Before you install the Unified Messaging server role, we recommend that you make sure that your network, hardware, software, clients, and other elements meet the requirements for Exchange 2007. For more information about the system resources that are required to install the Unified Messaging server role, see Exchange 2007 System Requirements.
Install the Unified Messaging server role.
There is more than one way to install the Unified Messaging server role on a computer that is running Exchange 2007. The Unified Messaging server role can be installed on a single computer that has no other Exchange 2007 server roles installed, or on a computer that is running another Exchange 2007 server role. Before you install the Unified Messaging server role, you must install the Mailbox, Hub Transport, and the Client Access server roles. However, you can install the Mailbox, Hub Transport, Client Access and the Unified Messaging server roles on the same physical computer.
For more information about how to install the Unified Messaging server role, see How to Install the Exchange 2007 Unified Messaging Server Role.
For more information about how to perform a custom installation, see How to Perform a Custom Installation Using Exchange Server 2007 Setup.
Verify your Exchange 2007 installation.
After you install Exchange 2007, we recommend that you verify the installation and review the server setup logs. If the Setup process fails or errors occur during installation, you can use the setup logs to track down the source of the problem. For more information about how to verify that you have successfully installed the Unified Messaging server role, see Verifying an Exchange 2007 Installation.
Use the Security Configuration Wizard to help secure Windows for Exchange server roles.
The Security Configuration Wizard (SCW) is a tool that was introduced with Windows Server 2003 Service Pack 1. Use the SCW to minimize the attack surface for servers by disabling Windows functionality that is not required for Exchange 2007 server roles. For more information about the Security Configuration Wizard, see Using the Security Configuration Wizard to Secure Windows for Exchange Server Roles.
Create and Configure UM Active Directory Objects
Active Directory objects are required for the deployment and operation of Exchange 2007 Unified Messaging. Active Directory Unified Messaging objects connect the telephony infrastructure and the Unified Messaging Active Directory environment. For more information about UM Active Directory objects, see Overview of Unified Messaging Active Directory Objects.
Exchange 2007 Unified Messaging requires that you create at least one UM dial plan and that the UM dial plan has a Unified Messaging server and a UM IP gateway associated with it. After you install the Unified Messaging server role on a computer that is running Exchange 2007, you must associate the UM server with at least one UM dial plan. You can also associate a single UM server with multiple UM dial plans. After the UM server is associated with a UM dial plan, you must create a UM IP gateway and associate it with the UM dial plan that you have created.
After you have successfully installed the Unified Messaging server role on at least one computer, perform the following tasks.
Step 1: Create and configure UM dial plans
UM dial plans are integral to the operation of Exchange 2007 Unified Messaging and are required to successfully deploy Unified Messaging on your network. Although Unified Messaging has many Active Directory objects that must be created and configured during deployment, UM dial plan objects are the central component of the Unified Messaging system.
By default, UM dial plans and the Unified Messaging servers that are associated with the dial plan send and receive data without using encryption. Therefore, they are configured in unsecured mode. In unsecured mode, the VoIP and SIP traffic will not be encrypted. However, the UM dial plans and the Unified Messaging server that are associated with the UM dial plan can be configured by using the VoIPSecurity parameter. The VoIPSecurity parameter configures the dial plan to encrypt the VoIP and SIP traffic by using Mutual Transport Layer Security (mutual TLS). After you enable VoIP security on a UM dial plan, any UM IP gateways that will be associated with the secure dial plan must be created by using a fully qualified domain name (FQDN) and not an IP address.
After you have installed the Unified Messaging server role, perform one of the following procedures to create a new UM dial plan.
To use the Exchange Management Console to create a new Unified Messaging dial plan
In the console tree, expand the Organization Configuration node.
In the result pane, click Unified Messaging.
In the action pane, click New UM Dial Plan.
In the New UM Dial Plan wizard, in the Name section, type the name of the dial plan. The UM dial plan name that you type must be unique.
Important
Although the field for the name of the dial plan can accept 64 characters, the name of the dial plan cannot be longer than 49 characters. If you try to create a dial plan name that contains more than 49 characters, you will receive an error message. The message will say that the dial plan name could not be created because a default UM mailbox policy name could not be generated because the UM dial plan name is too long. This happens because, when you create a dial plan, a default UM mailbox policy is also created that has the name <DialPlanName> Default Policy. Therefore, the name of the UM mailbox policy is 15 characters longer than the name of the dial plan. The name parameter for both the UM dial plan and UM mailbox policy can be 64 characters long.
In the Number of digits in extension numbers section, type the number of digits in the extension numbers for the UM dial plan.
In the New UM Dial Plan wizard, click New.
Click Finish.
You can also use the Exchange Management Shell to create a new UM dial plan by using the New-UMDialPlan cmdlet.
To use the Exchange Management Shell to create a new Unified Messaging dial plan
Run the following command:
New-UMDialplan -Name MyNewDialPlan -NumberofDigits 5
If you must create and configure a UM dial plan that uses VoIP security, perform the following procedure.
To use the Exchange Management Shell to create a new Unified Messaging dial plan that uses VoIP Security
Run the following command:
New-UMDialPlan -Name MySecureDialPlan -NumberOfDigits 5 -VoIPSecurity SIPSecured
To use the Exchange Management Shell to enable VoIP security on an existing Unified Messaging dial plan
Run the following command:
Set-UMDialPlan -identity MySecureDialPlan -VoIPSecurity SIPSecured
For more information about syntax and parameters, see Set-UMDialplan (RTM).
For more information about UM dial plans, see Understanding Unified Messaging Dial Plans.
For more information about how to manage UM dial plans, see Managing Unified Messaging Dial Plans.
Step 2: Create and configure your UM IP gateways
Exchange 2007 Unified Messaging relies on the ability of the IP gateway to translate Time Division Multiplex (TDM) or telephony circuit-switched based protocols, such as Integrated Services Digital Network (ISDN) or QSIG, from a PBX to protocols based on VoIP or IP, such as SIP, RTP, or T.38 for real-time facsimile transport.
A UM IP gateway is an Active Directory container object that contains one or more Active Directory UM hunt group objects and other UM IP gateway configuration settings. UM IP gateways are created within Active Directory to logically represent a physical hardware device called an IP gateway. The UM IP gateway can represent either an IP gateway or an IP PBX. The combination of the UM IP gateway object and a UM hunt group object establishes a logical link between an IP gateway hardware device and a UM dial plan.
When you create the first UM IP gateway and do not specify a UM dial plan at the time that you create the UM IP gateway, a default UM hunt group is also created. Creating and associating these objects in Active Directory enables the Unified Messaging server to receive calls from the IP gateway and then process incoming calls for users who are associated with the UM dial plan. When a call comes in to the IP gateway, the IP gateway forwards the call to a Unified Messaging server, and the Unified Messaging server tries to match the extension number of the user to the associated UM dial plan.
If the UM IP gateway that you create by using one of the procedures in this section will be associated with a UM dial plan on which VoIP security has been created or enabled, you must use a fully qualified domain name (FQDN) to create the UM IP gateway, and not an IP address. You must also configure the UM IP gateway to use TCP port 5061. To configure a UM IP gateway to use this port, run the following command:
Set-UMIPGateway -identity MyUMIPGateway -Port 5061
You must also verify that any IP gateways or IP PBXs have been configured to listen on port 5061 for mutual TLS.
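The constraints described above for a secured dial plan (the 49-character name limit, an FQDN instead of an IP address for the gateway, and TCP port 5061) can be checked before the cmdlets are run. The following is an added example, not part of the original white paper: the functions Test-UMSecureDialPlanInput and New-SecureUMPlan, the sample names, and gw1.example.test are hypothetical, and the gateway is associated with the dial plan through the -UMDialPlan parameter of New-UMIPGateway.

```powershell
# Added example; function names and sample values are hypothetical.
function Test-UMSecureDialPlanInput {
    param([string]$DialPlanName, [string]$GatewayAddress, [int]$GatewayPort)
    $problems = @()

    # Setup also creates "<DialPlanName> Default Policy". That name must fit
    # in 64 characters and the suffix is 15 characters, so the cap is 49.
    $policyName = "$DialPlanName Default Policy"
    if ($policyName.Length -gt 64) {
        $problems += "Dial plan name is $($DialPlanName.Length) characters; the limit is 49."
    }

    # A gateway on a dial plan that uses VoIP security must be created
    # with an FQDN, not an IP address.
    $parsed = $null
    $fqdnPattern = '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
    if ([System.Net.IPAddress]::TryParse($GatewayAddress, [ref]$parsed)) {
        $problems += "Gateway address '$GatewayAddress' is an IP address; use an FQDN."
    }
    elseif ($GatewayAddress -notmatch $fqdnPattern) {
        $problems += "Gateway address '$GatewayAddress' is not a fully qualified domain name."
    }

    # Mutual TLS between the UM server and the gateway uses TCP port 5061.
    if ($GatewayPort -ne 5061) {
        $problems += "Gateway port is $GatewayPort; a secured dial plan requires 5061."
    }

    # The leading comma keeps the result an array even when it is empty.
    return ,$problems
}

function New-SecureUMPlan {
    param([string]$DialPlanName, [string]$GatewayName, [string]$GatewayAddress)

    $issues = Test-UMSecureDialPlanInput $DialPlanName $GatewayAddress 5061
    if ($issues.Count -gt 0) {
        $issues | ForEach-Object { Write-Warning $_ }
        return $false
    }

    # Only call the Exchange cmdlets when the Exchange Management Shell is loaded.
    if (-not (Get-Command New-UMDialPlan -ErrorAction SilentlyContinue)) {
        Write-Warning 'Exchange Management Shell cmdlets not found; nothing was created.'
        return $false
    }

    New-UMDialPlan -Name $DialPlanName -NumberOfDigits 5 -VoIPSecurity SIPSecured
    New-UMIPGateway -Name $GatewayName -Address $GatewayAddress -UMDialPlan $DialPlanName
    Set-UMIPGateway -Identity $GatewayName -Port 5061
    return $true
}

# Constructed inputs: one valid, one using an IP address and the wrong port,
# one with a 50-character dial plan name.
$cases = @(
    @{ Plan = 'MySecureDialPlan'; Address = 'gw1.example.test'; Port = 5061 },
    @{ Plan = 'MySecureDialPlan'; Address = '10.10.10.1';       Port = 5060 },
    @{ Plan = ('A' * 50);         Address = 'gw1.example.test'; Port = 5061 }
)
foreach ($c in $cases) {
    $issues = Test-UMSecureDialPlanInput $c.Plan $c.Address $c.Port
    if ($issues.Count -eq 0) {
        Write-Output "OK: $($c.Plan) / $($c.Address):$($c.Port)"
    }
    else {
        $issues | ForEach-Object { Write-Output "REJECTED: $_" }
    }
}

# Create the objects for the valid case (runs only where the cmdlets exist).
New-SecureUMPlan 'MySecureDialPlan' 'MyUMIPGateway' 'gw1.example.test' | Out-Null
```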
To create a new UM IP gateway, perform one of the following procedures.
To use the Exchange Management Console to create a new UM IP gateway
In the console tree of the Exchange Management Console, expand the Organization Configuration node.
In the console tree, click Unified Messaging.
In the result pane, click the UM IP Gateways tab.
In the action pane, click New UM IP Gateway.
In the New UM IP Gateway wizard, in the Name section, type the name of the UM IP gateway. This is the display name for the UM IP gateway.
In the IP Address section, type the IP address for the UM IP gateway, and then click New.
Note
Alternatively, you can enter an FQDN for the UM IP gateway. If you choose to use an FQDN, you must add the appropriate host records with the correct IP addresses to the DNS zone. If you are configuring a UM IP gateway that will be associated with a dial plan that is operating in secure mode, you must create the UM IP gateway with an FQDN.
On the New UM IP Gateway page, click New.
On the Completion page, click Finish.
You can also use the Exchange Management Shell to create a new UM IP gateway by using the New-UMIPGateway cmdlet.
To use the Exchange Management Shell to create a new UM IP gateway
Run the following command:
New-UMIPGateway -Name MyUMIPGateway -Address 10.10.10.1
For more information about syntax and parameters, see New-UMIPGateway.
For more information about Unified Messaging IP gateways, see Understanding Unified Messaging IP Gateways.
For more information about how to manage UM IP gateways, see Managing Unified Messaging IP Gateways.
Step 3: Create and configure your UM hunt groups (optional)
Hunt group is a term that is used to describe a group of PBX or IP PBX resources or extension numbers that are shared by users. Hunt groups are used to efficiently distribute calls into or out of a given business unit. For example, a PBX or an IP PBX might be configured to have 10 extension numbers for the sales department. The 10 sales extension numbers would be configured as one hunt group. In a PBX or an IP PBX, hunt groups are used to efficiently locate an open line, extension, or channel when an incoming call is received.
If you have created a UM IP gateway and associated the UM IP gateway with a UM dial plan, a default UM hunt group is created. You can associate another UM hunt group with the same or a different UM IP gateway, depending on the number of UM IP gateways that you have created.
When you create a UM hunt group, you are enabling all Unified Messaging servers that are specified within the UM dial plan to communicate with an IP gateway. To create a new UM hunt group, perform one of the following procedures.
To use the Exchange Management Console to create a new UM hunt group
In the console tree of the Exchange Management Console, expand the Organization Configuration node.
In the result pane, click Unified Messaging.
In the work pane, click the UM IP Gateways tab.
In the work pane, select a UM IP gateway.
In the action pane, click New Hunt Group.
In the New UM Hunt Group wizard, in the Name field, type the name of the hunt group.
In the Dial plan field, click Browse.
On the Select Dial Plan page, click to select the UM dial plan, and then click OK.
In the Pilot identifier field, enter the appropriate pilot identifier and then click New.
Click Finish.
You can also use the Exchange Management Shell to create a new UM hunt group by using the New-UMHuntGroup cmdlet.
To use the Exchange Management Shell to create a new UM hunt group
Run the following command:
New-UMHuntGroup -Name MyHuntGroup -PilotIdentifier 51234 -UMDialplan MyDialPlan -UMIPGateway MyIPGateway
For more information about syntax and parameters, see New-UMHuntGroup.
For more information about how to manage UM hunt groups, see Managing Unified Messaging Hunt Groups.
Step 4: Create and configure a UM mailbox policy (optional)
Unified Messaging mailbox policies are required when you enable users for Exchange 2007 Unified Messaging. They are useful for applying and standardizing Unified Messaging configuration settings for UM-enabled users. You create UM mailbox policies to apply a common set of policies or security settings to a collection of UM-enabled mailboxes.
The mailbox of each UM-enabled user must be linked to a single UM mailbox policy. After you create a UM mailbox policy, you link one or more UM-enabled mailboxes to the UM mailbox policy. This lets you control PIN security settings such as the minimum number of digits in a PIN or the maximum number of logon attempts for the UM-enabled users who are associated with the UM mailbox policy. If you prefer, you can also control message text settings or dialing restrictions for the same or a different group of UM-enabled mailboxes.
The following figure illustrates how UM mailbox policies can be created to control dialing restrictions and PIN security settings for three groups.
Figure: Example of Unified Messaging mailbox policies
Every time that you create a UM dial plan, a UM mailbox policy will also be created. The UM mailbox policy will be named <DialPlanName> Default Policy. However, if you have to create a new UM mailbox policy, perform one of the following procedures.
To use the Exchange Management Console to create a new UM mailbox policy
In the console tree, expand the Organization Configuration node.
In the console tree, click Unified Messaging.
In the work pane, click the UM Mailbox Policies tab.
In the action pane, click New UM Mailbox Policy.
In the New UM Mailbox Policy wizard, in the Name section, type the name of the UM mailbox policy. This is the display name for the UM mailbox policy.
Note
The name that you provide must be unique.
Next to the Select associated dial plan box, click Browse.
In the Select Dial Plan window, click the UM dial plan, and then click OK.
On the New UM Mailbox Policy page, click New.
On the Completion page, click Finish.
You can also use the Exchange Management Shell to create a new UM mailbox policy by using the New-UMMailboxPolicy cmdlet.
To use the Exchange Management Shell to create a new UM mailbox policy
Run the following command:
New-UMMailboxPolicy -Name MyNewUMPolicy -UMDialPlan MyDialPlan
For more information about syntax and parameters, see New-UMMailboxPolicy.
For more information about Unified Messaging mailbox policies, see Understanding Unified Messaging Mailbox Policies.
For more information about how to manage UM mailbox policies, see Managing Unified Messaging Mailbox Policies.
Step 5: Add a Unified Messaging server to dial plans
Although the operational status of the Exchange 2007 Unified Messaging server is set to enabled after installation, there is a logical status parameter that is used to control the operational status of the Unified Messaging server. The intention of the logical status variable is to let you stop call processing so that the Unified Messaging server can be taken offline in a controlled way.
Unified Messaging requires that you create at least one UM dial plan and that the UM dial plan has a Unified Messaging server and a UM IP gateway associated with it. After you install the Unified Messaging server role on a computer that is running Exchange 2007, you must add the UM server to a UM dial plan. After you add the UM server to a dial plan, the UM server can then start answering incoming calls that are forwarded from an IP gateway.
A Unified Messaging server can be associated with a single or multiple UM dial plans. However, a single UM server can use either mutual TLS (secured) or TCP (unsecured), but not both. This is a limitation of the SIP signaling stack. Therefore, a single UM server can only be associated with multiple dial plans that have the same security configuration.
To add a UM server to a dial plan, perform one of the following procedures.
To use the Exchange Management Console to add a Unified Messaging server to a UM dial plan
In the console tree of the Exchange Management Console, expand the Server Configuration node.
In the result pane, select the Unified Messaging server.
In the action pane, click Properties.
On the UM Settings tab, under the Associated Dial Plans section, click Add.
In the Select Dial Plan window, select the dial plan that you want to add from the list of available dial plans, and then click OK.
Click OK again to accept your changes.
You can also use the Exchange Management Shell to add a Unified Messaging server to a dial plan by using the Set-UMServer cmdlet.
To use the Exchange Management Shell to add a Unified Messaging server to a UM dial plan
Run the following command:
Set-UMServer -Identity ExUMSrv -DialPlans MyDomainDialPlan
For more information about syntax and parameters, see Set-UMServer.
For more information about Unified Messaging servers, see Understanding Unified Messaging Servers.
For more information about how to manage Unified Messaging servers, see Managing a Unified Messaging Server.
Step 6: Create and configure UM auto attendants (optional)
In telephony or unified messaging environments, an automated attendant or auto attendant menu system transfers callers to the extension of a user or department without the intervention of a receptionist or an operator. In many auto attendant systems, a receptionist or operator can be reached by pressing or saying zero. The automated attendant is a feature on most modern PBX and unified messaging solutions.
Exchange 2007 Unified Messaging enables you to create one or more UM auto attendants, depending on the needs of your organization. UM auto attendants can be used to create a voice menu system for an organization that lets external and internal callers move through the UM auto attendant menu system to locate and place or transfer calls to company users or departments in an organization.
A UM auto attendant lets callers move through the menu systems by using dual tone multi-frequency (DTMF) or voice inputs. However, for automatic speech recognition (ASR) or voice inputs to be used, you must speech-enable the UM auto attendant. For more information about how to speech-enable an auto attendant, see How to Speech-Enable a Unified Messaging Auto Attendant.
In the Active Directory directory service, each UM auto attendant that is created is represented as an object. There is no limit to the number of UM auto attendants that you can create in Active Directory, and each Exchange 2007 UM auto attendant can support an unlimited number of extensions. In Exchange 2007 Unified Messaging, you can create multiple UM dial plans and multiple UM auto attendants. A UM auto attendant can reference one, and only one, UM dial plan, but multiple auto attendants can be assigned to a single dial plan. UM auto attendants can also reference or link to other UM auto attendants.
The following examples demonstrate how you can use UM auto attendants together with Exchange 2007 Unified Messaging:
Example 1: At a company called Contoso, Ltd., external customers can use three external telephone numbers: 425-555-1111 (Corporate Offices), 425-555-2222 (Product Support), and 425-555-3333 (Sales). The Human Resources, Administration, and Accounting departments have internal telephone extensions and must be accessed from the Corporate Offices UM auto attendant.
To create a UM auto attendant structure that supports this scenario, create and configure three UM auto attendants that have the appropriate external telephone numbers. Create three other UM auto attendants for each department in the Corporate Offices. Then configure each UM auto attendant based on your requirements, such as the greeting type or other navigational information.
The following figure is a graphical representation of how UM auto attendants can be used in Example 1.
Figure: How to configure multiple UM auto attendants with multiple outside business telephone lines
Example 2: At a company called Contoso, Ltd., external customers call one main number for the business, 425-555-1000. When an external caller calls the external number, the UM auto attendant answers and prompts the caller by saying, "Welcome to Contoso, Ltd. Please press or say 'One' to be transferred to corporate administration. Please press or say 'Two' to be transferred to product support. Please press or say 'Three' to be transferred to corporate information. Please press or say 'Zero' to be transferred to the operator." To create a UM auto attendant structure that supports this scenario, you create a UM auto attendant that has customized extensions that route the call to the appropriate extension number.
The following figure is a graphical representation of how UM auto attendants can be used in Example 2.
Figure: How to configure multiple UM auto attendants with a single outside business telephone line
Creating and using auto attendants is optional in Exchange 2007 Unified Messaging. However, if you have to create a new UM auto attendant, perform one of the following procedures.
To use the Exchange Management Console to create a new auto attendant
In the console tree of the Exchange Management Console, expand the Organization Configuration node.
In the console tree, click Unified Messaging.
In the work pane, click the UM Auto Attendants tab.
In the action pane, click New UM Auto Attendant.
In the New UM Auto Attendant wizard, in the Name text box, type the name of the auto attendant. This will be the display name for the auto attendant.
In the Select associated dial plan section, click Browse.
In the Select Dial Plan window, click the dial plan, and then click OK.
In the New UM Auto Attendant wizard, in the Extension numbers text box, type the telephone extension number for the auto attendant, and then click Add.
In the New UM Auto Attendant wizard, select Create auto attendant as enabled if you want to enable the auto attendant as soon as the wizard is finished.
In the New UM Auto Attendant wizard, select Create auto attendant as speech-enabled if you want to enable speech recognition on the auto attendant as soon as the wizard is finished.
On the New UM Auto Attendant page, click New.
On the Completion page, click Finish.
You can also use the Exchange Management Shell to create a new auto attendant by using the New-UMAutoAttendant cmdlet.
To use the Exchange Management Shell to create a new auto attendant
Run the following command:
New-UMAutoAttendant -Name MyNewAA -UMDialPlan MyDialPlan -PilotIdentifierList 51000 -Enabled $true
For more information about syntax and parameters, see New-UMAutoAttendant.
After you have created a non-speech enabled or a speech-enabled auto attendant, you must create and configure key mappings so that the auto attendant can function correctly. If you do not enable key mappings for either business or non-business hours, callers will hear the voice prompts but will be unable to interact with the auto attendant. To create key mappings for an auto attendant, see the following topics:
How to Enable Business Hours Key Mappings on a Unified Messaging Auto Attendant
How to Enable Non-Business Hours Key Mappings on a Unified Messaging Auto Attendant
For more information about UM auto attendants, see Understanding Unified Messaging Auto Attendants.
For more information about how to manage UM auto attendants, see Managing Unified Messaging Auto Attendants.
Step 7: Enable users for Unified Messaging
By default, when an Exchange 2007 recipient is created, it is not UM-enabled. After the recipient is enabled for Unified Messaging, you can manage, modify, and configure the UM-related properties for the user. You can then view and modify UM-related settings such as the associated UM dial plan, the associated UM mailbox policy, and the extension number for the user. When you enable a user for Unified Messaging, the user must be associated with or linked to an existing UM mailbox policy and you must provide the extension number for the user.
After the user is enabled for Unified Messaging, all e-mail, voice, and fax messages will be delivered to the user's Inbox. By using Outlook 2007, Outlook Web Access, a mobile device that is enabled for Exchange ActiveSync, or a regular or cellular telephone, the user can access their e-mail, voice and fax messages, and calendaring information.
There are two locations in which UM properties are stored for a user: the Mailbox object and the user's Active Directory object. When you enable a user for Unified Messaging, you set the UM property on the user's Mailbox object. After the Mailbox property is set to enabled for Unified Messaging, the user can use the Unified Messaging features in Exchange 2007.
After a user is enabled for UM, the user's UM properties are stored in the user properties and the user's mailbox. The user's UM properties, such as the user's extension number, spoken name, and other properties for the user, are stored in the user's properties in Active Directory.
To enable a user for Unified Messaging, perform one of the following procedures.
To use the Exchange Management Console to enable a user for Unified Messaging
In the console tree of the Exchange Management Console, expand the Recipient Configuration node.
In the result pane, select the user mailbox that you want to enable for Unified Messaging.
In the action pane, click Enable Unified Messaging.
In the Enable Unified Messaging wizard, on the Enable Unified Messaging page, in the Unified Messaging Mailbox Policy box, click Browse.
In the Select UM Mailbox Policy window, select the UM mailbox policy, and then click OK.
To configure the extension numbering information select from the following options:
Automatically generated mailbox extension
If you have configured an extension number for the user in the Business field on the Address and Phone tab in the user's properties, the extension number will be generated automatically.
Manually entered mailbox extension
If you have not configured an extension number for the user, enter the extension number for the user in the Manually entered mailbox extension box.
To configure the PIN settings for the user, select from the following options:
Automatically generate PIN to access Outlook Voice Access
Manually specify PIN
Require user to reset PIN at first telephone logon
In the Enable Unified Messaging wizard, on the Enable page, click Enable.
In the Enable Unified Messaging wizard, on the Completion page, click Finish.
You can also use the Exchange Management Shell to enable a user for Unified Messaging by using the Enable-UMMailbox cmdlet.
To use the Exchange Management Shell to enable a user for Unified Messaging
Run the following command:
Enable-UMMailbox -Identity tonysmith@contoso.com -UMMailboxPolicy MyDomainUMPolicy
For more information about syntax and parameters, see Enable-UMMailbox (RTM).
For more information about Unified Messaging users, see Understanding Unified Messaging Users.
For more information about how to manage Unified Messaging users, see Managing Unified Messaging Users.
Secure Your UM Deployment
There are three security-related areas to consider when you deploy Unified Messaging. You can help increase the level of protection for your network if you correctly plan a UM security strategy and then correctly configure the security settings that are available to administrators in the following areas:
UM-Enabled User PIN Security
When a subscriber or a UM-enabled user uses a telephone to connect to a computer that has the Unified Messaging server role installed, they use Outlook Voice Access to move through the UM menu system. However, before the user can access the UM system, the system prompts them to input their PIN.
A PIN is a numeric string that is used in certain systems, including unified messaging systems, so that a user can be authenticated and gain access. A PIN is a pass code that a user enters on the telephone to access their Microsoft Exchange mailbox. The strength of the PIN depends on its length, how well it is protected, and how difficult it is to guess. As the administrator, you can configure PIN settings and requirements and perform PIN management tasks.
In Exchange 2007 Unified Messaging, PIN policies are defined and configured on a UM mailbox policy. Multiple UM mailbox policies can be created depending on your requirements. When you enable a user for Exchange 2007 Unified Messaging, you associate the user with an existing UM mailbox policy. The UM PIN policies that are configured on the UM mailbox policy should be based on the security requirements of your organization. For more information about how to configure PIN settings for UM-enabled users, see Configuring Security for Unified Messaging Users.
To set PIN policies for UM users, you can either create a new UM mailbox policy or modify an existing UM mailbox policy. After a new UM mailbox policy is created, you can then configure the UM mailbox policy with the following PIN settings:
MinPasswordLength
PINLifetime
LogonFailuresBeforePINReset
MaxLogonAttempts
AllowCommonPatterns
PINHistoryCount
To configure PIN UM mailbox policy settings, perform one of the following procedures.
To use the Exchange Management Console to set PIN policies for Unified Messaging users
In the console tree of the Exchange Management Console, expand the Organization Configuration node.
In the result pane, click Unified Messaging.
In the work pane, click the UM Mailbox Policies tab.
In the work pane, click the UM mailbox policy that you want to change. This is the UM mailbox policy that is associated with the UM-enabled user.
In the action pane, click Properties.
In the UM mailbox policy Properties dialog box, click the PIN Policies tab.
On the PIN Policies tab, configure the PIN settings for the UM mailbox policy, and then click OK to accept your changes.
You can also use the Exchange Management Shell to configure PIN settings for UM-enabled users by using the Set-UMMailboxPolicy cmdlet.
To use the Exchange Management Shell to set PIN policies for Unified Messaging users
Run the following command:
Set-UMMailboxPolicy -Identity MyUMMailboxPolicy -MinPasswordLength 8 -PINLifetime 30 -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 7 -PINHistoryCount 10
For information about syntax and parameters, see Set-UMMailboxPolicy.
For more information about Unified Messaging mailbox policies, see Understanding Unified Messaging Mailbox Policies.
For more information about how to manage Unified Messaging mailbox policies, see Managing Unified Messaging Mailbox Policies.
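The six PIN settings listed in this section can be reviewed across every UM mailbox policy in one pass. The following PowerShell is an added example, not code from this white paper; the baseline thresholds, the function names, and the sample policies are assumptions made for illustration.

```powershell
# Added example, not from the white paper. Baseline values are assumptions;
# replace them with your organization's PIN requirements.
$PinBaseline = @{
    MinPasswordLength           = 6    # fewest digits allowed in a PIN
    PINLifetimeDays             = 60   # longest time before a PIN expires
    LogonFailuresBeforePINReset = 5    # most failures before the PIN is reset
    MaxLogonAttempts            = 15   # most failures before lockout
    PINHistoryCount             = 5    # fewest previous PINs remembered
}

function ConvertTo-Limit($Value) {
    # Returns $null for "unlimited", otherwise the value as text.
    $text = ([string]$Value).Trim()
    if ($text -eq 'unlimited') { return $null }
    return $text
}

function Test-UMPinPolicy {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Policy,
        [hashtable] $Baseline = $PinBaseline
    )
    process {
        $issues = @()
        if ([int]$Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
            $issues += "MinPasswordLength $($Policy.MinPasswordLength) is below $($Baseline.MinPasswordLength)"
        }
        $lifetime = ConvertTo-Limit $Policy.PINLifetime
        if ($null -eq $lifetime) {
            $issues += 'PINLifetime is unlimited, so PINs never expire'
        } else {
            # Accepts a day count ("30") or a time span ("30.00:00:00").
            $days = [TimeSpan]::Parse($lifetime).TotalDays
            if ($days -gt $Baseline.PINLifetimeDays) {
                $issues += "PINLifetime $days days exceeds $($Baseline.PINLifetimeDays)"
            }
        }
        $reset = ConvertTo-Limit $Policy.LogonFailuresBeforePINReset
        if ($null -eq $reset) {
            $issues += 'LogonFailuresBeforePINReset is unlimited, so PINs are never reset automatically'
        } elseif ([int]$reset -gt $Baseline.LogonFailuresBeforePINReset) {
            $issues += "LogonFailuresBeforePINReset $reset exceeds $($Baseline.LogonFailuresBeforePINReset)"
        }
        if ([int]$Policy.MaxLogonAttempts -gt $Baseline.MaxLogonAttempts) {
            $issues += "MaxLogonAttempts $($Policy.MaxLogonAttempts) exceeds $($Baseline.MaxLogonAttempts)"
        }
        if ($Policy.AllowCommonPatterns -eq $true) {
            $issues += 'AllowCommonPatterns is enabled, so obvious PINs are accepted'
        }
        if ([int]$Policy.PINHistoryCount -lt $Baseline.PINHistoryCount) {
            $issues += "PINHistoryCount $($Policy.PINHistoryCount) is below $($Baseline.PINHistoryCount)"
        }
        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = ($issues -join '; ')
        } | Select-Object Policy, Compliant, Issues
    }
}

# Constructed sample policies so the check runs without an Exchange server.
$samplePolicies = @(
    New-Object PSObject -Property @{
        Name = 'Constructed-Strict'; MinPasswordLength = 8
        PINLifetime = '30.00:00:00'; LogonFailuresBeforePINReset = '3'
        MaxLogonAttempts = 7; AllowCommonPatterns = $false; PINHistoryCount = 10 }
    New-Object PSObject -Property @{
        Name = 'Constructed-Lax'; MinPasswordLength = 4
        PINLifetime = 'unlimited'; LogonFailuresBeforePINReset = 'unlimited'
        MaxLogonAttempts = 20; AllowCommonPatterns = $true; PINHistoryCount = 0 }
)
$samplePolicies | Test-UMPinPolicy | Format-List

# In the Exchange Management Shell, audit the live policies instead:
#   Get-UMMailboxPolicy | Test-UMPinPolicy | Format-List
```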
Securing Unified Messaging Network Traffic
There are several security methods that can help you protect the Unified Messaging servers and the network traffic in your organization. This includes traffic that is sent between your IP gateways and Unified Messaging servers and between your Unified Messaging servers and other Exchange 2007 servers in your organization. For more information about how to help secure the network traffic that is generated by Unified Messaging, see Securing Unified Messaging Network Traffic.
Unified Messaging can communicate with IP gateways, IP PBXs, and other Exchange 2007 computers in a secured or an unsecured mode, depending on how the UM dial plan has been configured and if the appropriate certificate trusts have been established between the IP gateways and Unified Messaging servers on your network. In unsecured mode, the VoIP and SIP traffic is not encrypted. However, the UM dial plans and the Unified Messaging servers that are associated with the UM dial plan can be configured by using the VoIPSecurity parameter. The VoIPSecurity parameter configures the dial plan to encrypt the VoIP and SIP traffic by using mutual TLS.
You must follow these steps to help secure your Unified Messaging environment and enable VoIP security between your Unified Messaging servers and IP gateways:
Install the Unified Messaging server role.
Create a UM dial plan and configure the UM dial plan to use VoIP security.
Add the Unified Messaging server to a UM dial plan.
Create and configure the UM IP gateways that are used so that they have a fully qualified domain name (FQDN).
Export and import the required certificates to enable the Unified Messaging servers, IP gateways, IP PBXs, and other servers that are running Exchange 2007 to use mutual TLS. For more information about how to import and export certificates, see Importing and Exporting Certificates.
For more information about VoIP security with Unified Messaging, see Understanding Unified Messaging VoIP Security.
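The VoIP security requirements stated in this white paper (an FQDN and port 5061 for any UM IP gateway linked to a secured dial plan, and one security configuration per Unified Messaging server) can be verified after deployment. The following PowerShell is an added example, not code from this white paper; the function names and sample objects are constructed, and the property names are assumed to match what Get-UMDialPlan, Get-UMIPGateway, Get-UMHuntGroup, and Get-UMServer return.

```powershell
# Added example, not from the white paper. Property names are assumed to match
# the output of Get-UMDialPlan, Get-UMIPGateway, Get-UMHuntGroup, Get-UMServer.

function Get-RefName($Ref) {
    # Link properties may be plain strings or objects that expose a Name.
    if ($Ref -is [string]) { return $Ref }
    if ($Ref.Name) { return [string]$Ref.Name }
    return [string]$Ref
}

function New-Finding($Object, $Issue) {
    New-Object PSObject -Property @{ Object = $Object; Issue = $Issue } |
        Select-Object Object, Issue
}

function Test-UMVoIPSecurity {
    param($DialPlans, $Gateways, $HuntGroups, $Servers)

    $mode = @{}        # dial plan name -> VoIPSecurity value
    foreach ($dp in $DialPlans) { $mode["$($dp.Name)"] = [string]$dp.VoIPSecurity }
    $gwByName = @{}    # gateway name -> gateway object
    foreach ($gw in $Gateways) { $gwByName["$($gw.Name)"] = $gw }

    # A hunt group links one UM IP gateway to one UM dial plan.
    foreach ($hg in $HuntGroups) {
        $dpName = Get-RefName $hg.UMDialPlan
        if (-not $mode.ContainsKey($dpName)) { continue }
        if ($mode[$dpName] -eq 'Unsecured') { continue }
        $gw = $gwByName[(Get-RefName $hg.UMIPGateway)]
        if ($null -eq $gw) { continue }

        $ip = $null
        if ([System.Net.IPAddress]::TryParse([string]$gw.Address, [ref]$ip)) {
            New-Finding $gw.Name "Address $($gw.Address) is an IP address; dial plan '$dpName' uses VoIP security and requires an FQDN"
        }
        if ([int]$gw.Port -ne 5061) {
            New-Finding $gw.Name "Port $($gw.Port) is not 5061; dial plan '$dpName' uses VoIP security"
        }
    }

    # A single UM server cannot serve dial plans with different security settings.
    foreach ($srv in $Servers) {
        $modes = @($srv.DialPlans | ForEach-Object { $mode[(Get-RefName $_)] } |
            Where-Object { $_ } | Sort-Object -Unique)
        if ($modes.Count -gt 1) {
            New-Finding $srv.Name "Dial plans with different security settings: $($modes -join ', ')"
        }
    }
}

# Constructed sample objects so the check runs without an Exchange server.
$dialPlans = @(
    New-Object PSObject -Property @{ Name = 'SecurePlan'; VoIPSecurity = 'Secured' }
    New-Object PSObject -Property @{ Name = 'OpenPlan';   VoIPSecurity = 'Unsecured' }
)
$gateways = @(
    New-Object PSObject -Property @{ Name = 'GW-FQDN'; Address = 'gw1.contoso.com'; Port = 5061 }
    New-Object PSObject -Property @{ Name = 'GW-IP';   Address = '10.10.10.1';      Port = 5060 }
)
$huntGroups = @(
    New-Object PSObject -Property @{ Name = 'HG1'; UMDialPlan = 'SecurePlan'; UMIPGateway = 'GW-FQDN' }
    New-Object PSObject -Property @{ Name = 'HG2'; UMDialPlan = 'SecurePlan'; UMIPGateway = 'GW-IP' }
)
$servers = @(
    New-Object PSObject -Property @{ Name = 'ExUMSrv'; DialPlans = @('SecurePlan', 'OpenPlan') }
)

Test-UMVoIPSecurity -DialPlans $dialPlans -Gateways $gateways `
    -HuntGroups $huntGroups -Servers $servers | Format-List

# In the Exchange Management Shell, check the live configuration instead:
#   Test-UMVoIPSecurity -DialPlans (Get-UMDialPlan) -Gateways (Get-UMIPGateway) `
#       -HuntGroups (Get-UMHuntGroup) -Servers (Get-UMServer)
```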
Configuring Permissions for Unified Messaging
In many organizations, there are separate administrators for Microsoft Exchange, Active Directory, and the telecommunications equipment. Therefore, administrative functions must be delegated to maintain distinct boundaries between different levels of administrative permissions. For more information about the security permissions that are related to Unified Messaging, see Configuring Unified Messaging Permissions.
Conclusion
This white paper has provided you with the necessary technical information and prescriptive guidance and configuration steps to successfully deploy Exchange 2007 Unified Messaging in your organization.
Additional Information
For more information about Unified Messaging, see Unified Messaging.
For more information about how to plan for Unified Messaging, see Planning for Unified Messaging Servers.
For more information about how to deploy Unified Messaging, see Deploying Server Roles.
For more information about how to manage Unified Messaging, see Managing Unified Messaging.