Skype for Business and Exchange UM

Integration
This article covers the configuration steps for introducing voice mail support into a Skype
for Business (SfB) Server 2015 environment by integrating with Exchange Server 2013
Unified Messaging (UM). Note that this series of Exchange integration articles leverages
Exchange Server 2013 and will continue to do so for continuities’ sake. Microsoft has
recently released to the public the installation package for Exchange Server 2016 for use in
on-premises deployments. These articles also apply when using Exchange Server 2016,
with one exception related to Instant Messaging integration which will be the next topic
addressed in a future article.

The guidance provided here is a more detailed look at what is partially covered in the
official TechNet documentation. The following configuration covers generally the same
approach used to integrate previous version of Lync Server and Exchange Server which
was outlined in this older article. Unfortunately the official documentation is partially
incomplete and is also split across the separate product guides for SfB and Exchange
Server, making it difficult to understand what is needed for a successful integration. This
article will tie all steps into a single set of instructions which can be completed linearly.

One caveat to be aware of is the recommendation to configure UM integration before

enabling Instant Messaging (IM) integration with Outlook Web Access. Configuring UM
first will enable automatic discovery of the Exchange environment in Skype for Business
using the configured SIP domain namespace. Establishing this first will mean that when
the IM integration is tackled there will be no need to defined the Exchange Server as a
third-party Trusted Application in the SfB topology. If these are configured in the opposite
order, meaning that the Instant Messaging integration is performed first, then the setup of
Unified Messaging can break the IM integration due to duplicate, conflicting entries for the
Exchange Server in SfB. Thus is is recommended to start with UM integration and follow
these articles in the order they were posted.

The sections in this article are outlined in the following configuration steps. The steps in
red are part of the Exchange Server configuration and the steps in blue are performed on the
Skype for Business side.

Confirm Prerequisites

Assumptions made for the environment used with this article are that Exchange Server
2013 has been deployed with a relatively recent service pack or cumulative update
applied. The version used in this guide is Exchange Server 2013 CU8
(15.00.1076.009).

Partner Application

The prerequisites steps included in this previous article must be completed first to insure
that the Partner Application relationship has already been established between Skype for
Business and Exchange. Other SfB features provided by Exchange like High Resolution
Photos or the Unified Contact Store can be enabled in any order, only after the Partner
Application relationship is established.

Exchange Certificate

A long standing best practice surrounding the Exchange Server Certificate has to do with
how Lync Server parsed the SSL certificate presented to it by the Exchange Server during
establishment of TLS communications. The Lync Server would ignore the certificate’s
Common Name (CN) and look at only the Subject Alternative Name (SAN). With further
changes coming on how third parties issue SSL certificates it is becoming more common to
focus on the SAN field as the CN field will start to become optional, and eventually even
defunct. That being said the same best practice to making sure to always duplicate the CN
value in the SAN still holds true. Using the Exchange Server certificate wizard to create
requests will allow this type of configuration. At this point it is unknown if this limitation
has been addressed in Skype for Business Server 2015 but using a properly formatted
certificate makes this a moot point.

 Using the Exchange Management Shell validate that the existing certificate will be
sufficient for use with Skype for Business with the following Get-ExchangeCertificate
cmdlet.

Get-ExchangeCertificate | fl

As highlighted above the Certificate Domains field lists all of the Subject Alternative
Names on this certificate which includes the Exchange Server’s FQDN which is critical for
UM integration to function. In this example the Subject field shows that the certificate’s
Common Name is set to mail.jdskpye.net which is also duplicated in the SAN
field. Regardless of what the CN is set to make sure that value is duplicated in the SAN (as
per general best practices) and that the server FQDN is included in the SAN field.

This configuration is the most common and allows a single SSL certificate to be used for
all roles on the Exchange Server. In more complex environments with separate Exchange
UM servers or other configuration it is possible, but not necessary, to use a separate
dedicated certificate on the UM service.

Also make note of the Thumbprint value for the desired certificate as it will be used during
the configuration in the next section.

Configure UM Dial Plan

The steps in this section are all performed on the Exchange Server using either the
Exchange Management Shell or Management Console.

Create New UM Dial Plan

 Using the Exchange Management Shell create a new UM dial plan with the following New-
UMDialPlan cmdlet and the desired plan Name (e.g. Chicago).

New-UMDialPlan -Name "Chicago" -VoIPSecurity "Secured" -

NumberOfDigitsInExtension 4 -URIType "SipName" -
CountryOrRegionCode 1

In this deployment the VoIP Security option Secured is used so that both SIP signaling
traffic and RTP media traffic will be transmitted between SfB and Exchange using an
encrypted TLS communications. Alternatively opting to use the SIP Secured setting would
only encrypt the signaling traffic while all media traffic would be transmitted unencrypted.

Additionally a value of 4 is selected for the number of digits in extension numbers on the
pattern 312-555-xxxx where the last four digits are treated as the user’s extension.

 Using the Exchange Management Shell run the following cmdlet to set the following
recommended parameters.

Set-UMDialPlan "Chicago" -ConfiguredInCountryOrRegionGroups

"Anywhere,*,*,*" -AllowedInCountryOrRegionGroups "Anywhere"

Configure UM Services
  Assign the the UM server to the new UM dial plan and configure support for both TCP and
TLS connections with the following cmdlet. The Identity parameter is the Fully Qualified
Domain Name (FQDN) of the Exchange Server (e.g. exch.jdskype.net).

Set-UmService -Identity "exch.jdskype.net" -DialPlans

"Chicago" -UMStartupMode "Dual"

Now that TLS is enabled for the UM service the Exchange Server certificate needs to be
assigned to the service to support TLS communications for signaling and media.

 Enter the following cmdlet using the Thumbprint value of the same certificate that was
queried in the earlier prerequisites steps to insure that the proper certificate is assigned to
the UM service.

Enable-ExchangeCertificate -Server "exch.jdskype.net" -

Thumbprint "372EDC073A1C21C91FE2C6045FD70B26AD5E239C" -
Services "UM"

 To commit these changes and enable TLS communications on the UM service it needs to
be restarted, which can be performed quickly from PowerShell using the following cmdlet.

Restart-Service MSExchangeUM

 Next perform the same configuration as above on the UM Call Router service with the
following cmdlet.

Set-UMCallRouterSettings -Server "exch.jdskype.net" -

UMStartupMode "Dual" -DialPlans "Chicago"
  The UM Call Router service also need to be assigned to the same certificate as the UM
service.

Enable-ExchangeCertificate -Server "exch.jdskype.net" -

Thumbprint "372EDC073A1C21C91FE2C6045FD70B26AD5E239C" -
Services "UMCallRouter"

 Just like the UM service the UM Call Router service needs to be restarted to enable the
new configuration.

Restart-Service MSExchangeUMCR

Customize UM Dial Plan

When the new UM dial plan was created the Exchange Server will have automatically
created a default UM Mailbox Policy. This object will be named with the label ‘Default
Policy” appended to the dial plan’s name (e.g. Chicago Default Policy).

The TechNet documentation seems to omit this fact and instructs the creation of another
UM mailbox policy. A simpler approach is to just modify the default object using the
following cmdlet.

 To configure the recommended AllowedInCountryOrRegionGroups parameter use the

following cmdlet.

Get-UMMailboxPolicy | Set-UMMailboxPolicy -
AllowedInCountryOrRegionGroups "Anywhere" -MinPINLength "4" -
AllowCommonPatterns $true

As only a single policy exists then instead of querying for and entering the name of the
default mailbox policy use the Get-UMMailboxPolicy cmdlet to automatically pass the
results to the cmdlet as shown above. Additionally some optional parameters were
configured to allow for a four digit PIN to be defined instead of the default 6 digit
length. While not recommended for production environments this can be a welcome time
saver in lab or test environments.

Define Attendants

The next step to be performed on the Exchange Server is to define and configure the Auto
Attendant and Outlook Voice Access (formerly referred to as ’Subscriber Access’) numbers.

 Using the Exchange Admin Center navigate to the Unified Messaging > UM Dial Plans
section and then open the dial plan that was created earlier (e.g. Chicago).
 Click the Configure button to edit the dial plan and then select the Outlook Voice Access
section.
 Enter the desired phone number to be assigned to the Outlook Voice Access attendant in
the proper +E.164 format (e.g. +13125551001) and then add it to the configuration
using the ‘+’ button.

 Click Save to return to the main dial plan window and then scroll down to the UM Auto
Attendants section.
 Click the ‘+’ button to create a new Auto Attendant and then enter a unique Name (e.g.
ExchangeAA), enable the auto attendant, and then enter another unique phone number
(e.g. +13125551000).
Traditionally Exchange does not do well with spaces in auto attendant names and thus it is
still recommended to follow that guidance.

 Click Save to and then Close to commit these changes to the server.

Enable Users

To validate that the UM configuration is functional then at least one user account must be
enabled for Unified Messaging. This process can be completed from either the
management console or shell.

 To enable the first account launch the Exchange Admin Center which should default to the
Recipients > Mailboxes section.
 Highlight the desired user account and then select Enable under the Unified Messaging
section in the right-hand window pane.
 In the Enable UM Mailbox window browse for and select the default mailbox policy (e.g.
Chicago Default Policy) and then advance to the next window.
  Define a four digit Extension Number if one is not already populated and then, if desired,
enter a custom PIN and unselect the option to force the user to change this PIN after they
sign in.

In this example the users extension was pre-populated due to the existence of a defined
telephone number in the user’s Active Directory object. Because the dial plan policy was
created to use 4-digit extensions then Exchange will automatically take the last 4 digits of
the user’s phone number (e.g. 1100).

 Complete the wizard to save the changes and enable this account for Unified Messaging.

Alternatively the same steps can be performed using Exchange PowerShell cmdlets, so a
second account configuration using this process is also covered as an example.

 Using the Exchange Management Shell enter the following cmdlet to perform roughly the
same exact configuration on another existing Exchange user.

Enable-UMMailbox -Extensions 1101 -SIPResourceIdentifier

"steve@jdskype.net" -Identity "JDSKYPE\steve" -
UMMailboxPolicy "Chicago Default Policy"
Make sure to enter a unique extension or to omit that parameter if the account’s phone
number is already populated with the desired information. The PIN was not manually set
on this account which means Exchange will have automatically assigned a random PIN and
then sent an email to the user’s mailbox with that information.

Configure UM IP Gateway

This step is handled by a script which creates the UM IP Gateway and IP Hunt Group as
well as grants permissions to Skype for Business Server to read specific UM-related objects
in Active Directory.

Make sure to allow for any outstanding AD replication to complete before running this
script so that the newly created UM dial plan and any other changes are read by the script in
their updated state. If run too soon then sometimes the Dial Plans listed in the last line of
the script output will display as “not found” even though the configuration is correct up to
that point. If that happens it is safe to simply re-run the script, even multiple times if
needed, as it will identify any previously successful configuration and thus report that no
new changes were applied in those cases.

 Using the Exchange Management Shell execute the ExchUCUtil.ps1 script located in the
Exchange Server’s Scripts directory, as shown in the path below.

cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"

C:\Program Files\Microsoft\Exchange
Server\V15\Scripts>.\ExchUCUtil.ps1
Note that in this example the Skype for Business Front End server shown at the bottom of
the script output displays “{(not found)}” for the DialPlans field. The value should
be displayed as the UM Dial Plan name (e.g. Chicago). As mentioned above this can
usually be resolved by going back and re-executing the script after a few minutes have
passed.

 If this issue appears then repeat the previous step until the results successfully report the
expected dial plan as shown below.

To validate the creation of the UM IP Gateway open the Exchange Management Console
and then navigate to the Unified Messaging > UM IP Gateways section. Refresh the page if
the new gateway does not appear at first.
Create Attendant Contacts

With the configuration now complete on the Exchange Server the remainder of the steps in
this article are performed on the Skype for Business Front End server.

The OcsUmUtil.exe utility is still used to create the Active Directory contact objects for
Skype for Business Server to resolve and locate the Exchange Outlook Voice Access and
Auto Attendant services.

In older versions of Exchange Server it was required to create an Enterprise Voice Dial
Plan in OCS/Lync that matched the exact FQDN of the Exchange UM Dial Plan. Since the
release of Exchange Server 2010 SP1 this is no longer required as indicated by the
informational text at the bottom of the utility. The UM Dial Plan will be automatically
discovered and thus no additional Enterprise Voice configuration is required on the SfB
Server to enable UM integration.

 Launch the OcsUmUtil.exe program located in the Skype for Business Server’s Support
directory, as shown in the path below.

C:\Program Files\Common Files\Skype for Business Server

2015\Support

 Click Load Data and the Active Directory forest name should appear in the Exchange UM
Dial Plan Forest field.
  Click Add to create the first contact for Outlook Voice Access, which is still referred to as
the Subscriber Access number in this tool.
 Select the desired AD Organizational Unit to save the new contact object and then enter a
unique Name for the contact (e.g. ChicagoSA).

While the remainder of the fields can be left with the default entries it is a common practice
to change the SIP Address to a less confusing SIP URI. In this examples the default value
(e.g. Chicago.jdskype.net@jdskype.net) has been changed to a simpler string
(e.g. ChicagoSA@jdskype.net).

 Click OK to save the configuration for the Subscriber Access contact.

 Click Add to create the second contact for the Auto Attendant.
 Change the Contact Type to Auto-Attendant and then enter a unique Name for the
contact (e.g. ChicagoAA). The same Organizational Unit value as defined for the
previous contact should already be populated.

Just as before either retain the default SIP address or edit it to use a customized address as
shown in this example (e.g. ChicagoAA@jdskpye.net).

 Click OK to save the configuration for the Auto Attendant contact.

 Close the Exchange UM Integration Utility and then open Active Directory Users and
Computers to browse to the target OU and validate that the new contacts were
successfully created.
Verify Integration

Now that the integration on both server platforms is complete the final step is to test UM
connectivity between Exchange and Skype for Business.

 Sign into a Skype for Business client with one of the UM-enabled user accounts (e.g.
jeff@jdskype.net) then search for the SIP URI of the Auto Attendant and place a
Skype Call to the contact.

At this point one of two things will occur: the call will work or it will not. If the integrated
voice response is “Thank you for calling Microsoft Exchange auto attendant” then the
integration was successful. If not then the following common issues could be the root
cause.

Call Failure

If the call fails without any response from the Exchange UM Server then one of the most
common reasons, other than a simple configuration mistake, could be that the Exchange
UM IP Gateway configuration script did not complete as mentioned earlier in this article.

 Check the Lync Server event log on the Skype for Business server to see if the following
error message was reported at the same time as the attempted call.

Log Name: Lync Server

Source: LS Exchange Unified Messaging Routing
Event ID: 44008
Task Category: (1040)
Level: Error
Keywords: Classic
Computer: FE.jdskype.net

Description:
Dial Plan Unknown

Dialplan [Chicago.jdskype.net] is not recognized by routing

application
Cause: Dial plan does not exist, or Skype for Business Server
2015 does not have permission to read the relevant Active
Directory objects.

Resolution:
If the dialplan is valid, then run exchucutil.ps1 in
appropriate Exchange forest to give permission to Skype for
Business Server 2015. If the dialplan is not valid, then
clean up proxyAddresses attribute for the affected users.

If this message exists then this is an indication that the ExchUmUtil.ps1 script that was run
earlier did not configure the UM IP Gateway correctly. As pointed out earlier the script
may have failed to associate the UM Dial Plan to the gateway, thus causing this error on the
Skype for Business server. Return to that step to re-run the Exchange script and validate
that the dial plan is displayed correctly, which should clear this error and then allow for
calls to reach the UM attendant services.

Unexpected Response

If the call successfully connects to the attendant but an unexpected response is heard then
this could point to a different issue. If the interactive voice response was “Please call back
later. Goodbye.” then this typically occurs when the UM configuration is brand new and
the server has not yet had a chance to generate the grammar speech files. As documented
in this blog article the pending generation process can be expedited by restarting the
Exchange Mailbox Assistants service.

 Using PowerShell enter the following cmdlet to quickly stop and restart the Mailbox
Assistant service.

Restart-Service MSExchangeMailboxAssistants

 View the Application Event Log on the Exchange server to verify that the following entry
has been logged after the service has been running for a few minutes.

Log Name: Application

Source: MSExchange Unified Messaging
Event ID: 1613
Task Category: UMCore
Level: Information
Keywords: Classic
Computer: EXCH.jdskype.net
Description:
Speech grammar generation started for "Enterprise". Run ID:
"7a97b157-b74f-4a21-b667-faf56e85f047", Recipient type:
"User"

At this point a call to the Auto Attendant should result in the proper welcome message.

This concludes the setup of Exchange Unified Messaging with Skype for Business Server
2015. If following along with this entire series of Exchange Server integration articles for
Skype for Business 2015 then at this point the Partner Application has been established and
leveraged to enable High Resolution Photos and now Unified Messaging.

Future articles will address Instant Messaging integration with Outlook Web Access as well
as other features like IM archiving and enabling the Unified Contact Store.