Saturday, November 4, 2017

Exchange/SFB UM Cross Forest with Selective Trust - Part 2

In Part 1 of this series I showed you how to allow the SFB servers and groups to authenticate with the Exchange servers over a Selective Trust.

In this post I'll show you how to create a certificate to use for Unified Messaging to allow SFB/UM integration.

Create A Certificate For UM

We'll need to create a certificate in Exchange in order for SFB/UM traffic to use TLS.

The main requirement is that the Exchange Server FQDN's need to be present on the cert.

**Note** If you have multiple Exchange servers, include each server name on a single cert.

We're going to use a Private CA (Certificate Authority) because this is internal only, so you don't need to spend money on a public cert.

Also, we won't be using our SAN cert since it's not good practice to use server FQDNs because it can cause problems.

Certificate Request

On an Exchange server, open the EAC and navigate to Servers > Certificates.

Click the + and leave the first option "create a request for a cert from a certificate authority" checked, and click Next

Request UM Cert 2

Name the cert something like Exchange UM, and click Next:

Request UM Cert 2

Just click Next, do not choose the wildcard option:

Request UM Cert 3

Click and select the Exchange server you're currently on, and click OK, then Next:

Request UM Cert 4

You don't need to touch anything here, just click Next:

Request UM Cert 5

Here, you will remove all entries except your namespace (eg. mail.exchangeitup.com) and add your Exchange servers.

Select each domain name and click - button, leaving your namespace.

Click the + and type in the FQDN of each Mailbox Server, then click Next:

Request UM Cert 6

Enter your company details and click Next:

Request UM Cert 7

Enter a UNC path to store the request file...it's easiest to use the exchange server you're on like \\mbx1.exchangeitup.com\c$\temp\cert\umcert.req:

Request UM Cert 8

Browse to the path where you saved the .req and submit that file to your Internal CA.

Fire up your browser and go to your Internal CA's enrollment webpage.

Click Request a certificate:

Request UM CA 1

Click submit an advanced cert request:

Request UM CA 2

Click submit a certificate request by using...blah blah...file:

Request UM CA 3

Open your umcert.req file in a text editor like Notepad and copy the whole block of text.

Then, paste it into the Saved Request form.

Change the cert type dropdown to Web Server.

And click Submit:

Request UM CA 4

When it's done, click the Download certificate:

Request UM CA 5

Save the .cer file on your Exchange server to somewhere like C:\Temp\Cert\ExchangeUM.cer

Complete Cert Request

Back in the EAC, you'll see your pending cert request:

Complete UM Cert Req 1

Select the request and click Complete in the right-pane:

Complete UM Cert Req 2

Provide the UNC of the .cer file and click OK:

Complete UM Cert Req 3
Once it's finished, you'll see the cert is installed and valid:

Complete UM Cert Req 4

Assign the UM Cert

Double-click your new UM cert to bring up the editor, and click services.

Put a check in the boxes for Microsoft Exchange Unified Messaging and Unified Messaging Call Router. Then click Save:

Assign UM Cert 1

If you are overwriting another cert that is assigned to those services, you will get a prompting asking to confirm. Click Yes.

Export/Import UM Cert To Other Exchange Servers

Select the UM cert and click the ..., then click Export exchange certificate:

Export UM Cert 1

Input a UNC path to save the .pfx file like \\mbx1.exchangeitup.com\C$\temp\cert\exchangeum.pfx and set a password click OK:

Export UM Cert 2

Click the ... again and select Import exchange certificate:

Import UM Cert 1

Enter your UNC path and password for the .pfx file:

Import UM Cert 2

Click the + and select all of your other Exchange servers and click OK, then Finish:

Import UM Cert 3
On each of your Exchange servers restart the UM Service and the UM Call Router Service by running the following cmdlets in the Exchange Management Shell (EMS):
Restart-Service MSExchangeUM
Restart-Service MSExchangeUMCR 
Export/Import UM Certificate on the SFB Server
On your Exchange server, browse where you stored the exchangeum.cer file (in our case C:\Temp\Cert\exchangeum.cer) and copy that file.
Now switch over to your SFB server and paste it somewhere like C:\Temp\Cert
Go to start and search for certlm.msc and open the certificate manager.
Navigate to Trusted Root Certification Authorities > Certificates
SFB Cert import 1
Right-click anywhere in the right-pane, select All Tasks > Import
Follow the wizard to import the Exchange UM cert:
SFB Cert import 2
SFB Cert import 3
SFB Cert import 4
SFB Cert import 5
Now we have allowed the Skype For Business server to authenticate with the Exchange forest, and set SFB to trust the Exchange UM certificate.
In the next post we will set up the actual UM integration.

No comments:

Post a Comment