In this article I will show the steps for integrating Exchange Server 2013 OWA and Lync Server 2013 to enable instant messaging and presence in Outlook Web Access.

I have a structure of five virtual machines. All servers are part of the same Active Directory Domain Services domain and are installed with Windows Server 2012 RTM. The figure below lists the names and functions of the virtual machines.

The Active Directory domain was created with the DNS name home.intranet and a SIP domain home.com.br that is also an authoritative domain on Exchange.

Three users: user01, user02 and user03 were created  and enabled in Exchange and Lync. 

Active Directory Domain Service

The DNS zone home.intranet supports secure updates.

FQDN  IP  Role
Domain Controller 
Hm02.home.intranet Lync Server 
Hm03.home.intranet  Exchange Server 
Hm10.home.intranet  SharePoint Server  
Hm11.home.intranet Office Web Apps 2013 

The DNS zone home.com.br does not support dynamic updates, so the following records were created manually:

Record  FQDN  IP
Address Exchange AutoDiscover AutoDiscover.home.com.br
WebMail  mail.home.com.br
SIP Address
URL Dial-In dialin.home.com.br 
URL Meeting  meet.home.com.br 
Console URL Silverlight  admin.home.com.br 
SRV  sip.home.com.br  Name: _sipinternaltls
Port Number: 5061
Protocol: _tcp
Host FQDN: sip.home.com.br

Configuring Exchange Server

Digital Certificate

All traffic between Exchange and Lync is encrypted using SSL. Therefore, configuring the connection between the two servers depends on information in the digital certificates installed on both servers. The self-signed certificate must be replaced with a new certificate issued by a trusted certification authority.
The certificate installed on Exchange Server 2013 BackEnd is configured with the following FQDNs


Creating a Connection in Outlook Web Access

To configure the connection between the servers you need to select a digital certificate for encrypting the traffic. In this scenario I will use the same certificate configured for OWA. I will need the Thumbprint and Subject Name of the certificate. Use the cmdlet to get this information


The Thumbprint identifies which certificate will be used for the connection. The Subject Name will be used to create the Trusted Application in Lync Server; the name of the Trusted Application must be identical to the Subject Name in the certificate from Exchange Server.

To enable instant messaging, run the cmdlet

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $True -InstantMessagingType OCS

Configure the access policy and enable the OWA IM function for all users
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType OCS

To finalize the configuration, the file web.config must be changed on the Exchange BackEnd server. By default the file is located at C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa

Open the file with a text editor, locate the tag <appSettings> and add the two lines in the configuration file
<add key="IMCertificateThumbprint" value="BackEnd Certificate Thumbprint"/>
<add key="IMServerName" value="Lync Server FQDN" />

Run the command to apply the changes in OWA
C:\Windows\System32\Inetsrv\Appcmd.exe recycle apppool /apppool.name:"MSExchangeOWAAppPool"
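
The web.config procedure above, as an added example that is not part of the original article: it cleans the thumbprint, confirms the certificate is usable on this server, writes the two keys without creating duplicates, and recycles the application pool. The parameter names are hypothetical, and the XPath assumes <appSettings> sits directly under <configuration>.

```powershell
# Added example; run elevated on the Exchange BackEnd server.
# -Thumbprint and -LyncFqdn are supplied by you; the parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $LyncFqdn,
    [string] $WebConfig = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config'
)

# A thumbprint pasted from the certificate dialog can carry spaces or an
# invisible leading character, so keep only the hex digits.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Expected 40 hex digits, got $($thumb.Length)." }

# The certificate must be in the machine store with its private key and still valid.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Back up web.config, then set both keys without creating duplicates.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($WebConfig)
# Assumption: <appSettings> is a direct child of <configuration>.
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) { throw '<appSettings> not found in web.config.' }
$settings = [ordered]@{ IMCertificateThumbprint = $thumb; IMServerName = $LyncFqdn }
foreach ($key in $settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $key)
        [void] $appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $settings[$key])
}
$xml.Save($WebConfig)

# Recycle the OWA application pool so the new settings are read.
& "$env:windir\System32\inetsrv\appcmd.exe" recycle apppool /apppool.name:"MSExchangeOWAAppPool"

# This name is what the Lync trusted application pool identity must match.
"Certificate subject name: $($cert.GetNameInfo('SimpleName', $false))"
```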

Setup Lync Server 

Trusted Application is an application based on  Microsoft Unified Communications Managed API  that is trusted by Lync Server.  To configure integration with OWA you must configure a trusted application between Exchange and Lync.

Creating a Trusted Application Pool

To create an application on Lync Server  first identify the site created at installation. Use the cmdlet  Get-CsSite


To create an application pool run the cmdlet 

New-CsTrustedApplicationPool -Identity <Certificate Subject Name of Client Access> -Registrar <Lync Server Pool FQDN> -Site <Lync Server SiteID> -RequiresReplication $False

Creating a Trusted Application for OWA 

To create the application that represents the OWA in Lync Server run the cmdlet 

New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn <Client Access Certificate Subject Name> -Port <available TCP port number>

Saving the Configuration

Run Enable-CsTopology to apply the changes in the topology of Lync Server
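
A check of the Lync side after the topology is enabled, as an added example that is not part of the original article: it confirms that a trusted application pool exists whose name is identical to the Exchange certificate Subject Name, that the OutlookWebAccess application is registered on it, and lists every other trusted pool for review. The -SubjectName parameter is hypothetical.

```powershell
# Added example; run in the Lync Server Management Shell.
# -SubjectName is the Subject Name of the Exchange certificate, supplied by you.
param([Parameter(Mandatory)] [string] $SubjectName)

$pools = @(Get-CsTrustedApplicationPool)
$apps  = @(Get-CsTrustedApplication)

# 1. The pool name must be identical to the certificate Subject Name.
$pool = $pools | Where-Object { $_.PoolFqdn -eq $SubjectName }

# 2. The OWA application must be registered on that pool.
#    Lync may report the ApplicationId with a urn:application: prefix, hence -like.
$owa = $apps | Where-Object {
    $_.TrustedApplicationPoolFqdn -eq $SubjectName -and
    $_.ApplicationId -like '*outlookwebaccess'
}

[pscustomobject]@{
    SubjectName = $SubjectName
    PoolFound   = [bool] $pool
    Registrar   = if ($pool) { $pool.Registrar } else { $null }
    OwaAppFound = [bool] $owa
    OwaPort     = if ($owa) { $owa.Port } else { $null }
    # Every other trusted pool is also a host that Lync treats as a trusted
    # server, so the list is worth reviewing for entries nobody recognises.
    OtherPools  = @($pools | Where-Object { $_.PoolFqdn -ne $SubjectName } |
                    ForEach-Object { $_.PoolFqdn })
}
```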

Accessing OWA

To verify that the settings were applied successfully access the Exchange 2013 OWA and verify that the presence has been activated and can be changed. 

To start a session, just click on the contact in the email or People tab.



If Exchange has several CAS and Mailbox servers

If your Exchange configuration is different from all roles on one server, follow these steps to configure the integration.

We have 3 CAS servers (named cas01nX) and 3 Mailbox servers (mbx01nX).

1. Run the cmdlets to prepare the CAS servers
Get-OwaVirtualDirectory -Server cas01n1 | Set-OwaVirtualDirectory -InstantMessagingEnabled $True -InstantMessagingType OCS
Get-OwaVirtualDirectory -Server cas01n2 | Set-OwaVirtualDirectory -InstantMessagingEnabled $True -InstantMessagingType OCS
Get-OwaVirtualDirectory -Server cas01n3 | Set-OwaVirtualDirectory -InstantMessagingEnabled $True -InstantMessagingType OCS

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType OCS

2. Export the certificate owa.contoso.com from a CAS server, and then import it on all Mailbox servers into Local Computer - Personal Certificates.

Our CAS servers
owa.contoso.com - the certificate for all services (IIS, SMTP, OAB, OWA) on all CAS servers.

Our Mailbox servers
owa.contoso.com - the same certificate installed.

3. Get the thumbprint of the certificate owa.contoso.com on all Mailbox servers

Get-ChildItem -path cert:\LocalMachine\My

and add the following lines on all Mailbox servers to C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config, where lyncfe.contoso.com is our Lync pool

<add key="IMCertificateThumbprint" value="thumbprint_owa.contoso.com"/>
<add key="IMServerName" value="lyncfe.contoso.com" />

4. Reset the application pool MSExchangeOWAAppPool on all Mailbox servers

5. For Lync server

Create the trusted application pool, where owa.contoso.com is the FQDN of our CAS servers
New-CsTrustedApplicationPool -Identity owa.contoso.com -Registrar lyncfe.contoso.com -Site 1 -RequiresReplication $False -Verbose

Create the application
New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn owa.contoso.com -Port 8081


You did it :)

This article was originally written by:
Fernando Lugão Veltem
blog: http://flugaoveltem.blogspot.com
twitter: @flugaoveltem