Wednesday, November 11, 2009

Implementing integrated OCS in Exchange 2010

UPDATED on 8/31/2010 for Exchange 2010 SP1 here!

This entry is to show you how to integrate OCS 2007 R2 into your Exchange 2010 OWA experience. This is based on the following Technet article:
http://technet.microsoft.com/en-us/library/ee633458%28EXCHG.140%29.aspx

First, download and extract the OCS 2007 R2 Web Trust Tool from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8. Running and installing this only extracts the additional files listed below. Each of these must be installed on every CAS server in your environment on which you are enabling OCS messaging. Remember, there is no right-click "Run as Administrator" for MSIs, so run them from an elevated command prompt if needed!
  • Install the vc_redistx64
  • Install UCMAredist.msi
  • Install CWAOWASSP.msi

On your Exchange 2010 CAS server(s), edit c:\program files\Microsoft\Exchange\V14\ClientAccess\Owa\web.config and look for the IMPoolName field. Update the web.config file as follows:

Field                       Insert Value From      Example
IMPoolName                  FQDN of OCS R2 Pool    ocsr2pool.domain.local
IMCertificateIssuer         DN of Issuer           CN=DigiCert Global CA, OU=http://www.digicert.com/, O=DigiCert Inc,C=US
IMCertificateSerialNumber   Serial Number          01 F9 4E 46 AA 3C 4C 9E BD 8F 2C (include spaces between octets!)


Look for this:


And based on the output of this command (where the thumbprint is that of the certificate your CAS server uses for IIS):
Get-ExchangeCertificate -Thumbprint BJBHDS78FG6D8GFYH49SDF34TH9 | ft Issuer, SerialNumber, subject

Change to this:


The "subject" gives us the common name that we use in a bit to configure OCS.

Additionally, if your Issuer contains characters that are special in XML, you need to escape them, because they will break your web.config file and cause generic IIS errors. Simply removing those characters instead will produce application event log errors saying the certificate was not found in your certificate store.

Since web.config is an XML file, you need to use the XML character entity escapes:

entity   character   meaning
&quot;   "           (double) quotation mark
&amp;    &           ampersand
&apos;   '           apostrophe (= apostrophe-quote)
&lt;     <           less-than sign
&gt;     >           greater-than sign

So if your SSL provider's issuer field causes you a problem here, this should help you work around it.
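As an added example (not part of the original post), the PowerShell below reads the CAS server's IIS certificate and produces the three web.config values from the table above: the issuer DN (escaped for hand editing, and written raw through XmlDocument, which escapes on save), the serial number with spaces between octets, and the subject CN you will need on the OCS Host Authorization tab. It assumes the keys live under <appSettings> as <add key="..." value="..."/> elements and uses a constructed placeholder thumbprint.

```powershell
# Added example, not from the original post. Assumptions: web.config keeps the
# IM settings as <add key="..." value="..."/> under <appSettings>; $Thumbprint
# is a constructed placeholder for the certificate IIS uses on this CAS server.
$Thumbprint = 'REPLACE-WITH-CAS-IIS-CERT-THUMBPRINT'
$PoolFqdn   = 'ocsr2pool.domain.local'   # example pool FQDN from the table above
$WebConfig  = 'C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa\web.config'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Serial number: OCS expects octets separated by spaces, e.g. "01 F9 4E 46 ...".
$serial = ($cert.SerialNumber -replace '([0-9A-Fa-f]{2})', '$1 ').Trim()

# Issuer DN used as-is: keep every component, including a leading SERIALNUMBER=
# if your CA (e.g. GoDaddy) puts one there; stripping it breaks the lookup.
$issuer = $cert.Issuer

# Subject CN: this FQDN is what goes on the OCS pool's Host Authorization tab.
$subjectCN = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Escaped form, only for pasting into web.config by hand:
#   & -> &amp;   " -> &quot;   ' -> &apos;   < -> &lt;   > -> &gt;
$issuerEscaped = [System.Security.SecurityElement]::Escape($issuer)
Write-Host "Issuer (escaped for hand editing): $issuerEscaped"
Write-Host "Serial (spaced octets):            $serial"
Write-Host "Subject CN for OCS host auth:      $subjectCN"

# Programmatic update: XmlDocument escapes attribute values itself on Save(),
# so assign the RAW issuer here; assigning $issuerEscaped would double-escape.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
$xml = New-Object System.Xml.XmlDocument
$xml.Load($WebConfig)
$values = @{
    IMPoolName                = $PoolFqdn
    IMCertificateIssuer       = $issuer
    IMCertificateSerialNumber = $serial
}
foreach ($key in $values.Keys) {
    # -eq is case-insensitive, so the key's capitalisation in the file does not matter
    $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if ($node) { $node.value = $values[$key] }
    else { Write-Warning "web.config has no <add key=`"$key`">; add it by hand" }
}
$xml.Save($WebConfig)
```

After saving, open the file and confirm the issuer attribute shows the entity escapes rather than bare quotes or ampersands, then restart IIS as described below.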


In PowerShell, configure the OWA virtual directory for OCS:
Get-OWAVirtualDirectory -server SERVER | set-owaVirtualDirectory -InstantMessagingType 1

(The above line *did* say -InstantMessagingType OCS, but RTM documentation says 1 for OCS - thanks to Brian Day for this!)

Restart IIS (IISreset is fine)

On your OCS R2 Pool server, under the server properties of your pool, on the Hosts Authorization tab, you need to add the Client Access server. This can be an FQDN or an IP. If you use the FQDN, OCS will additionally authenticate it against the certificate names, so the FQDN here has to match the "subject" we found above (NOTE: not the whole string, just the FQDN common name given in the subject). Additionally, you can choose to use the FQDN and then use a hosts file to ensure that OCS is communicating with the correct server/IP.





Now I am able to log into OWA 2010 and get the light CWA client as well:


Upper right allows me to see and update my presence, as well as see how many IM conversations I have active and switch between them as well.

24 comments:

Alex Lewis said...

GREAT article Chris!!

Chris Lehr said...

One comment additionally - if you run through these steps and when sending IM's to an OWA/CWA user you get 501 errors, and IM's only appear to flow one way - check Windows Update on your Exchange Server, I found that there was this additional update to be applied to the OCS DLL's.

http://support.microsoft.com/?kbid=967674

Unknown said...

Great article Chris, minus an issue on my side everything works great!

Chris Lehr said...

Just gives me some fodder to post more - thanks!

Anonymous said...

Hi, thanks for the info. I'm having an issue where IM loads in OWA, but when I send a conversation to a user I get "the message could not be delivered to all recipients because some recipients are offline or don't want to be disturbed". Any idea?

Chris Lehr said...

Ensure you patch your Exchange servers OCS bits using KB967674

Anonymous said...

You rule. I saw your earlier post but I was reading it as "make sure your ocs servers have the patch" going to be interesting having to patch exchange servers with ocs updates :)

thanks again.

Anonymous said...

OK, this is an odd one. After patching, 2-way IM is fine between 2 users. But with other users, all on the same server, I get 504 errors going one way. MOC to MOC is fine between these users, but OWA to the same users gets 504s one way. Any help appreciated. Odd one.

Anonymous said...

Doh, my Exchange CA Cert is a wildcard cert, which works perfectly fine on OWA, but doesn't work on OCS. Once again, OCS's failure to recognize wildcard certs bites me in the a$$ once more.

Ed S said...

So when I get the issuer for my certificate it is:

SERIALNUMBER=07969286, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

Do I use the whole thing including Serialnumber (which is not the same as the certificate serial number by the way) and what do I do about the quotation marks around GoDaddy?

I have tried entering the whole string and changing the double quotes to single quotes. I haven't gotten the integration to work, but I am not sure if this is the only reason.

Chris Lehr said...

Ed - sorry, I thought I added this to my blog and I guess I did NOT.

Additional lesson learned on this:

GoDaddy (and likely other vendors) may have funky characters in the "Issuer" field that will break your web.config file, causing generic IIS errors. Just removing those characters will make for application event log errors that the certificate was not found in your certificate store.

The web.config is an XML file, and you need to use XML character special escapes.

I found this:
http://en.wikipedia.org/wiki/Character_entity#XML_character_entity_references

Common ones:
&amp;  & (ampersand, U+0026)
&lt;   < (left angle bracket, less-than sign, U+003C)
&gt;   > (right angle bracket, greater-than sign, U+003E)
&quot; " (quotation mark, U+0022)
&apos; ' (apostrophe, U+0027)

So if your SSL provider's issuer field causes you a problem here, this should help you work around it.

Admin said...

Hello All!

We are trying to get the OCS 2007 R2 integration in OWA on Exchange 2010 Standard running. We followed all steps in http://chrislehr.com/2009/11/implementing-integrated-ocs-in-owa-2010.htm and http://evangelyze.net/cs/blogs/mike/archive/2009/11/12/ocs-r2-integration-with-exchange-2010-owa.aspx. Unfortunately, it does not work. There are no errors during installation and configuration. But when a user logs into OWA he does not see ANY of the presence functions in the OWA interface, not even greyed out. It looks like the presence extension is not installed at all. But it is.

The web.config file is edited, the firewall on the Exchange server is opened and the Exchange host is on the allowed list on the OCS. The certificate settings should be fine. If I enter wrong information I get an event in the error log on the Exchange CAS server. So I think they should be okay if I don't get an error in the Windows error log. CWA is up and running, too. Accessing the CWA URL from a browser window on the Exchange CAS server does not throw a certificate error either. IM is enabled on the Outlook Web App policy.


"Get-OwaVirtualDirectory |fl" shows that the InstantMessagingType is OCS.

So everything should be fine. But WHY doesn't it work?

We've invested more than 20 hours searching for the reason but did not find ANYTHING! Is it possible to enable some kind of debugging which could help us?!?

Thanks a lot for every bit of help and every answer!

Juergen

Unknown said...

After struggling for numerous hours, I finally got this to work. It turned out (at least for me) that the CN in the certificate subject had to be added to the Host Authorization list. I started off by adding the FQDN and IP address of the server, but that didn't do the trick. The components were visible, but OWA was unable to log on to the OCS server. So finally, after a little debugging, I added the CN value from the certificate subject and voila! :-)

Unknown said...

Hi

I have successfully enabled the OCS features in Exchange 2010 OWA. However, ONLY one of my users does not see the 'presence icon' in his web interface. The rest of my users have no such problem. Any suggestion?

Mobiux said...

Hi Mikael, I have the same trouble as you: my OWA is unable to log on to the OCS server and the components are visible.
Help me!!!

THX

GreigS said...

Like Ed S, I'm using a GoDaddy certificate and just can't get it to work for me.

Issuer: SERIALNUMBER=12345678, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

I've replaced the quotes around "GoDaddy.com, Inc." with &quot; but I'm ALWAYS getting Error 87 "An exception was thrown while attempting to load the IM provider .dll file".

I've tried the serial number from the 'issuer' line, as well as the (longer) SerialNumber: value.

The certificate IS there in the Certificates (Local Computer) / Personal / Certificates/ store.

Can anyone point me to the plainly obvious step I've missed??

Thanks.

GreigS said...

BINGO!! Fixed it.

The solution was in front of my eyes all the time: the key="IMCertificateIssuer" line needs to have the SERIALNUMBER=12345678 value included.

(All of the blogs that document the process started at "CN=" so I'd naturally stripped the serial number).

Thanks to Patricio Anderson's PS1 script for cluing me up!!
http://msmvps.com/blogs/andersonpatricio/archive/2010/01/26/script-integrating-ocs-and-owa-in-exchange-server-2010.aspx

Paul said...

GregS,

I am also using a GoDaddy certificate. Although I get no warning messages, I still can't get it to work. This is what I have in my XML file.

Paul said...

I set the InstantMessaging Type to OCS because that is what the original instructions said to do.

Now when I try to type the correct command it says command completed successfully but no settings of Exchangefe1\OWA (Default Web Site) have been modified.

The Command is Set-OwaMailboxPolicy -InstantMessagingEnabled 1 -InstantMessagingType OCS -Identity

I have gone through everything with a fine comb and I am not getting the slightest indication that OCS is enabled on the OWA site, I see nothing at all, nothing greyed out even.

Chris Lehr said...

Paul,

You were using set-OwaMailboxPolicy - it's set-owavirtualdirectory. You might find it easier to pipe from get-owavirtualdirectory like this:

get-owavirtualdirectory -server exchangefe1 | Set-OwaVirtualDirectory -InstantMessagingEnabled 1 -InstantMessagingType 1

From Technet (http://technet.microsoft.com/en-us/library/bb123515.aspx)
"Set this parameter to 0 for no provider and 1 for Microsoft Office Communication Server."

Paul said...

Hi Chris, thanks for the reply. I tried exactly this:

get-owavirtualdirectory -server exchangefe1 | Set-OwaVirtualDirectory -InstantMessagingEnabled 1 -InstantMessagingType 1

Says "The Command Completed Successfully but no settings of ExchangeFe1\owa (Default webSite) have been modified"

GreigS said...

Hi Paul,

Are you seeing any errors in the Event Log on either the Exchange or OCS servers?

G.

Paul said...

I got the OCS contact list to finally show up in my OWA by changing the quotes around the GoDaddy certificate in the issuer field in the web.config file.

You have to use the XML &quot; entity, which will make a quote symbol.

So I finally got it to show up but now it will not sign into OCS it says "Instant Messaging isn't available right now. The contact list will appear when services become available." Any ideas?