Monday, January 9, 2017

UM Certificate Configuration in Exchange 2013 and Later

Hi folks,

I just wanted to quickly share how to configure the Exchange certificate for Unified Messaging on Exchange 2013 and 2016 servers. In Exchange 2007 and 2010, as you remember, UM was a separate role, and Set-UMServer was the command that did all the configuration magic. This changed in Exchange 2013, where the UM service is split between the Mailbox and CAS roles. The Mailbox server now runs the UM service, which is managed with the Set-UMService cmdlet, while the CAS role runs the UM Call Router service, which accepts all SIP traffic and proxies it to the UM service on the Mailbox server that hosts the active DB copy of the mailbox the call is being routed to. You can read more about UM in Exchange 2013 here. In Exchange 2016, both of the services mentioned above are hosted on the Mailbox role.

So, to configure a certificate for UM on an Exchange 2013 or later server, you first need to set the startup mode of the UM and UM Call Router services to either TLS (for integration with Lync or Skype for Business) or Dual:

Set-UMService UMSRV01 -UMStartupMode Dual

Set-UMCallRouterSettings -Server UMSRV01 -UMStartupMode Dual

After that, import the certificate from the file and enable it for the appropriate services:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path certfile.NET.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -Services UM,UMCallRouter

Don't forget that you will need a separate certificate for each Exchange server, with the server's hostname as the subject name.
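
As an added example (not part of the original post), the PowerShell function below checks the conditions described above before a certificate is enabled for UM and UMCallRouter: subject name matching the server, and both services in TLS or Dual mode. The function name Test-UMCertificate, the contoso.example names and the sample certificate object are constructed for illustration, and the private-key and expiry checks are general TLS requirements rather than steps from the post.

```powershell
# Added example: pre-flight check before Enable-ExchangeCertificate -Services UM,UMCallRouter.
# Test-UMCertificate is a hypothetical helper, not an Exchange cmdlet.
function Test-UMCertificate {
    param(
        [Parameter(Mandatory)] $Certificate,            # object shaped like Get-ExchangeCertificate output
        [Parameter(Mandatory)] [string] $ServerName,    # name the certificate subject must carry
        [Parameter(Mandatory)] [string] $UMStartupMode,
        [Parameter(Mandatory)] [string] $CallRouterStartupMode,
        [datetime] $Now = (Get-Date)
    )
    $problems = @()

    # One certificate per server: the subject CN has to be this server's name.
    $cn = if ($Certificate.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    if ($cn -ne $ServerName) { $problems += "Subject CN '$cn' does not match '$ServerName'" }

    # General TLS requirements (not from the post): usable private key, not expired.
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key on this server' }
    if ($Certificate.NotAfter -le $Now)  { $problems += "Expired on $($Certificate.NotAfter)" }

    # Both services must be in TLS or Dual mode for the certificate to be used.
    $modes = @{ UM = $UMStartupMode; UMCallRouter = $CallRouterStartupMode }
    foreach ($svc in $modes.Keys) {
        if ($modes[$svc] -notin 'TLS', 'Dual') {
            $problems += "$svc startup mode is '$($modes[$svc])', expected TLS or Dual"
        }
    }

    [pscustomobject]@{
        Server     = $ServerName
        Thumbprint = $Certificate.Thumbprint
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample input (placeholder thumbprint, made-up domain).
$sampleCert = [pscustomobject]@{
    Subject       = 'CN=UMSRV02.contoso.example, O=Contoso'
    Thumbprint    = '<THUMBPRINT-PLACEHOLDER>'
    HasPrivateKey = $true
    NotAfter      = [datetime]'2030-01-01'
}
Test-UMCertificate -Certificate $sampleCert -ServerName 'UMSRV01.contoso.example' `
    -UMStartupMode 'Dual' -CallRouterStartupMode 'TCP' | Format-List

# Against a live server (Exchange Management Shell), pass real objects instead:
#   -Certificate (Get-ExchangeCertificate -Server UMSRV01 -Thumbprint <thumbprint>)
#   -UMStartupMode (Get-UMService UMSRV01).UMStartupMode
#   -CallRouterStartupMode (Get-UMCallRouterSettings -Server UMSRV01).UMStartupMode
```

The constructed sample is deliberately wrong in two ways (a certificate issued to a different server, and a Call Router still in TCP mode), so both checks report a problem.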