Table Of Contents
Configuring Access to Exchange Calendars and Contacts for Personal Call Transfer Rules
Task List for Allowing Access to Calendar and Contacts for Personal Call Transfer Rules
Creating an Active Directory Service Account (Exchange 2000 and Exchange 2003 Only)
Granting Exchange Permissions to the Service Account (Exchange 2000 and Exchange 2003 Only)
Creating and Installing SSL Certificates
Creating a Certificate Signing Request, and Issuing and Installing the Certificate (Exchange 2000 and Exchange 2003 Only)
Creating Certificate Signing Requests, and Issuing, Importing, and Enabling Certificates (Exchange 2007 Only)
Creating Connection External Services to Specify the Exchange Servers That Users Can Access
Configuring the Cisco Unity Connection Server to Trust Exchange Certificates
Requiring Secure Communication Between Connection and Exchange Servers (Optional But Recommended)
Synchronizing Clocks on the Cisco Unity Connection and Exchange Servers
Configuring Access to Exchange Calendars and Contacts for Personal Call Transfer Rules
For users who belong to a class of service enables them to use the Cisco Unity Personal Call Transfer Rules feature, you can also enable them to access their Outlook calendar and contacts. This allows Connection users to create rules based on who is calling and on the appointments in their calendars. In this chapter you configure Exchange and Cisco Unity Connection so users can create personal call transfer rules using Exchange calendar and contact information.
See the following sections:
•Task List for Allowing Access to Calendar and Contacts for Personal Call Transfer Rules
•Creating an Active Directory Service Account (Exchange 2000 and Exchange 2003 Only)
•Granting Exchange Permissions to the Service Account (Exchange 2000 and Exchange 2003 Only)
•Creating and Installing SSL Certificates
•Creating Connection External Services to Specify the Exchange Servers That Users Can Access
•Configuring the Cisco Unity Connection Server to Trust Exchange Certificates
•Requiring Secure Communication Between Connection and Exchange Servers (Optional But Recommended)
•Synchronizing Clocks on the Cisco Unity Connection and Exchange Servers
Task List for Allowing Access to Calendar and Contacts for Personal Call Transfer Rules
To allow users to access their Outlook calendar and contacts for use with Personal Call Transfer Rules, do the following tasks in the order presented:
1. Make sure that the users or templates are associated with a class of service that enables them to use the Cisco Unity Personal Call Transfer Rules feature.
2. Configure access to Exchange calendars and contacts:
a. If all of the Exchange calendars and contacts that users want to access are in Exchange 2007, skip to Step c.
If any of the Exchange calendars and contacts that users want to access are in Exchange 2000 or Exchange 2003, create an Active Directory service account that Connection uses to access Exchange data. See the "Creating an Active Directory Service Account (Exchange 2000 and Exchange 2003 Only)" section.
b. If any of the Exchange calendars and contacts that users want to access are in Exchange 2000 or Exchange 2003, grant the required permissions to the service account. See the "Granting Exchange Permissions to the Service Account (Exchange 2000 and Exchange 2003 Only)" section.
c. Create and install an SSL server certificate on each Exchange server on which you want to access calendar and contact data. See the "Creating and Installing SSL Certificates" section.
d. Create Connection external services. See the "Creating Connection External Services to Specify the Exchange Servers That Users Can Access" section.
e. Configure Connection to trust the SSL certificates that you created and installed on the Exchange servers. See the "Configuring the Cisco Unity Connection Server to Trust Exchange Certificates" section.
f. Configure IIS not to accept unencrypted communications from web clients including Connection. See the "Requiring Secure Communication Between Connection and Exchange Servers (Optional But Recommended)" section.
g. Configure the Connection server to access an NTP server. See the "Synchronizing Clocks on the Cisco Unity Connection and Exchange Servers" section.
3. For each user, create a Connection external service account that specifies the Exchange server on which the mailbox for the user is stored. This enables the user to access their calendar and contacts when they use the Personal Call Transfer Rules web tool. See the "Access to Exchange Calendars and Contacts for Personal Call Transfer Rules" section in the "Setting Up Features and Functionality That Are Controlled by User Account Settings" chapter of the User Moves, Adds, and Changes Guide for Cisco Unity Connection, available at http://www.cisco.com/en/US/products/ps6509/prod_maintenance_guides_list.html.
4. To teach users how to access their Outlook calendar and contacts for Personal Call Transfer Rules, refer them to the "Managing Personal Call Transfer Rules to Handle Incoming Calls" and the "Managing Your Personal Contacts List" chapters of the User Guide for Cisco Unity Connection, available at http://www.cisco.com/en/US/products/ps6509/products_user_guide_list.html.
Creating an Active Directory Service Account (Exchange 2000 and Exchange 2003 Only)
Cisco Unity Connection accesses Exchange 2000 and Exchange 2003 calendar and contact data by using an Active Directory account that acts as a proxy for Connection. Do the following procedure to create the service account.
To Create the AD Service Account That Cisco Unity Connection Uses to Access Exchange Data
Step 1 On a server on which Active Directory Users and Computers is installed, log on to Windows by using an account that has the right to create new users.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > Active Directory Users and Computers or click Programs > Administrative Tools > Active Directory Users and Computers.
Step 3 In the left pane, expand the domain in which you want to create the account, right-click Users or the organizational unit where you want to create the account, and click New > User.
Step 4 Follow the on-screen prompts to create the service account, choosing the following options:
•When you choose password options, choose the option that prevents the password from expiring. If the password expires, Connection will stop working the next time the server is restarted.
•Do not create an Exchange mailbox.
Step 5 Close Active Directory Users and Computers.
Granting Exchange Permissions to the Service Account (Exchange 2000 and Exchange 2003 Only)
To enable the Active Directory service account to access Exchange 2000 and Exchange 2003 data, you delegate Exchange View Only Administrator control to the account, and you grant the account Administer Information Store, Send As, and Receive As permissions.
You can delegate control either at the organization level or at the administrative group level. If you delegate control at the administrative group level, you must delegate control in every administrative group that contains the following mailstores:
•An Exchange mailstore from which you want Connection users to be able to import contacts.
•An Exchange mailstore in which you want Connection to be able to access Exchange calendar data.
To Grant Exchange Permissions to the Service Account
Step 1 On a server on which Exchange System Manager is installed, log on to Windows by using an account that is an Exchange Full Administrator.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange > System Manager.
Step 3 In the left pane of Exchange System Manager, right-click either the organization name at the top of the tree control or an administrative group that contains mailstores in which you want to access calendar and contact data, and click Delegate Control.
Step 4 On the Welcome to the Exchange Administration Delegation Wizard page, click Next.
Step 5 In the Users or Groups dialog box, click Add.
Step 6 In the Delegate Control dialog box, click Browse.
Step 7 Specify the service account name, depending on the Exchange version:
Exchange 2003
|
a. In the Select Users, Computers, or Groups dialog box, in the Enter the Object Name to Select field, enter the user logon name for the account created in "To Create the AD Service Account That Cisco Unity Connection Uses to Access Exchange Data" procedure.
b. Click Check Names.
c. Click OK to close the Select Users, Computers, or Groups dialog box. The account you selected appears in the Group (Recommended) or User box.
|
Exchange 2000
|
a. In the Select Users, Computers, or Groups dialog box, in the Look In list, click the name of the domain in which you created the account in the "To Create the AD Service Account That Cisco Unity Connection Uses to Access Exchange Data" procedure.
b. In the list of users, computers, and groups, double-click the name of the service account.
The Delegate Control dialog box reappears. The account you selected appears in the Group (Recommended) or User box.
|
Step 8 In the Role list, click Exchange View Only Administrator.
Step 9 Click OK to close the Delegate Control dialog box.
Step 10 Click Next.
Step 11 Click Finish.
Step 12 If you selected the organization name at the top of the tree control in Step 3, skip to Step 13.
If you selected an administrative group in Step 3 and you want to access calendar and contact data in mailstores in other administrative groups, repeat Step 3 through Step 11 for each administrative group.
Step 13 In the left pane of Exchange System Manager, right-click the name of a mailbox store that contains mailboxes in which you want to access calendar and contact data, and click Properties.
Step 14 In the <Server name> Properties dialog box, click the Security tab.
Step 15 Click Add.
Step 16 Specify the service account name, depending on the Exchange version:
Exchange 2003
|
a. In the Select Users, Computers, or Groups dialog box, in the Enter the Object Names to Select field, enter the name of the service account.
b. Click Check Names.
|
Exchange 2000
|
a. In the Select Users, Computers, or Groups dialog box, in the Look In list, click the name of the domain in which you created the service account.
b. In the list of users, computers, and groups, double-click the name of the service account.
The Delegate Control dialog box reappears. The account you selected appears in the Group (Recommended) or User box.
|
Step 17 Click OK to close the dialog box.
Step 18 In the Mailbox Store <Server name> Properties dialog box, in the Group or User Names list, click the name of the service account.
Step 19 In the Permissions For <Account name> list, in the Allow column, check the following three check boxes:
•Administer Information Store
•Receive As
•Send As
Do not change any other permissions.
Step 20 Click OK to close the Mailbox Store <Server name> Properties dialog box.
Step 21 Repeat Step 13 through Step 20 for each additional Exchange server on which you want to access Exchange data.
Step 22 Close Exchange System Manager.
Creating and Installing SSL Certificates
In this section, you create and install an SSL certificate on each Exchange server that contains calendars and contacts that you want licensed Connection users to be able to access. This prevents Cisco Unity Connection from sending the credentials of the service account (for Exchange 2000 or Exchange 2003) or the credentials of individual users (for Exchange 2007) over the network as unencrypted text. It also prevents Exchange from sending calendar and contact data over the network in unencrypted text.
Do the following tasks to create and install an SSL certificate to secure Cisco Unity Connection access to Exchange calendars and contacts:
1. If you are using Microsoft Certificate Services to issue certificates, install Microsoft Certificate Services. See the "To Install the Microsoft Certificate Services Component" procedure.
If you are using another application to issue SSL certificates, install the application. See the manufacturer documentation for installation instructions. Then skip to Step 2.
If you are using an external certification authority to issue certificates, skip to Step 2.
2. Create certificate signing requests, and issue and install the certificates:
–Create a certificate signing request for each Exchange server on which you want to access calendar and contact data.
–For each certificate signing request, have an SSL certificate issued by an external certification authority, or issue the certificate yourself using Microsoft Certificate Services or another application with the same capabilities.
–For Exchange 2000 and Exchange 2003, install the SSL certificates. For Exchange 2007, import and enable the certificates. (The purpose is the same, but the terminology has changed for Exchange 2007.)
See the applicable section:
–Creating a Certificate Signing Request, and Issuing and Installing the Certificate (Exchange 2000 and Exchange 2003 Only)
–Creating Certificate Signing Requests, and Issuing, Importing, and Enabling Certificates (Exchange 2007 Only)
If you do not create and install SSL certificates, Connection may still send service account credentials in an encrypted format, depending on whether you have configured one or more authentication schemes in Exchange. However, the available Exchange authentication schemes encrypt only the user name and password, not calendar and contact data, and Exchange documentation indicates that the available schemes provide varying degrees of security. We recommend that you create and install SSL certificates.
Caution Cisco Unity Connection does not support Passport authentication.
To Install the Microsoft Certificate Services Component
Step 1 Locate a Windows Server 2003 disc, which you may be prompted to use to complete the installation of the Microsoft Certificate Services component.
Step 2 Log on to Windows by using an account that is a member of the local Administrators group.
Step 3 On the Windows Start menu, click Settings > Control Panel > Add or Remove Programs.
Step 4 In the left pane of the Add or Remove Programs control panel, click Add/Remove Windows Components.
Step 5 In the Windows Components dialog box, check the Certificate Services check box. Do not change any other items.
Step 6 When the warning appears about not being able to rename the computer or to change domain membership, click Yes.
Step 7 Click Next.
Step 8 On the CA Type page, click Stand-alone Root CA, and click Next. (A stand-alone certification authority (CA) is a CA that does not require Active Directory.)
Step 9 On the CA Identifying Information page, in the Common Name for This CA field, enter a name for the certification authority.
Step 10 Accept the default value in the Distinguished Name Suffix field.
Step 11 For Validity Period, accept the default value of 5 years.
Step 12 Click Next.
Step 13 On the Certificate Database Settings page, click Next to accept the default values.
If a message appears indicating that Internet Information Services is running on the computer and must be stopped before proceeding, click Yes to stop the services.
Step 14 If you are prompted to insert the Windows Server 2003 disc into the drive, insert either the Cisco Unity Connection disc, which contains the same required software, or a Windows Server 2003 disc.
Step 15 In the Completing the Windows Components Wizard dialog box, click Finish.
Step 16 Close the Add or Remove Programs control panel.
Creating a Certificate Signing Request, and Issuing and Installing the Certificate (Exchange 2000 and Exchange 2003 Only)
To Create Certificate Signing Requests for Exchange 2000 and Exchange 2003 Servers
Step 1 On an Exchange 2000 or Exchange 2003 server on which Cisco Unity Connection users have Exchange calendars and contacts, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Internet Information Services (IIS) Manager.
Step 3 If the server is running Windows Server 2003, on the Windows Start menu, click Programs > Administrative Tools > Internet Information Services (IIS) Manager.
If the server is running Windows 2000 Server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.
Step 4 In the left pane of Internet Information Services, expand the name of this Exchange server.
Step 5 If the server is running Windows 2000 Server, skip to Step 6.
If the server is running Windows Server 2003, expand Web Sites.
Step 6 Right-click Default Web Site, and click Properties.
Step 7 In the Default Web Site Properties dialog box, click the Directory Security tab.
Step 8 Under Secure Communications, click Server Certificate.
Step 9 On the Welcome to the Web Server Certificate Wizard page, click Next.
Step 10 Click Create a New Certificate.
Step 11 Click Next.
Step 12 Click Prepare the Request Now, But Send It Later.
Step 13 Click Next.
Step 14 Enter a name for the certificate, and accept the default bit length.
Step 15 Click Next.
Step 16 Enter the organization information.
Step 17 Click Next.
Step 18 For the common name of the site, enter either the computer name or the fully qualified domain name of the Exchange server.
Remember whether you specified the computer name or the fully qualified domain name. You will need this information in a later procedure.
Caution The name must exactly match the host portion of any URL that will access the system by using a secure connection.
Step 19 Click Next.
Step 20 On the Geographical Information page, enter the applicable information.
Step 21 Click Next.
Step 22 On the Certificate Request File Name page, enter a path and file name, and write down the information. You will need it in a later procedure.
If this is not the server on which you installed Microsoft Certificate Services in the "To Install the Microsoft Certificate Services Component" procedure, try to choose a network location that you can access from the current server and from the server on which Microsoft Certificate Services is installed.
Step 23 Click Next.
Step 24 On the Request File Summary page, verify the request file information.
Step 25 Click Next.
Step 26 On the Completing the Web Server Certificate Wizard page, click Finish.
Step 27 Click OK to close the Default Web Site Properties dialog box.
Step 28 Close Internet Information Services Manager.
Step 29 If Microsoft Certificate Services is on another server and you were not able to save the certificate request file in a network location accessible to that server, copy the certificate request file to a removable medium (diskette, CD, or DVD).
Step 30 Repeat Step 1 through Step 29 to create a certificate signing request for each additional Exchange server that contains calendar and contact data that you want Connection users to be able to access.
Step 31 If you are not using an external certification authority, you are finished with this procedure.
If you are using an external certification authority, send the certificate request files to the CA. When the certificates return from the CA, skip to the "To Install the Certificates on Exchange 2000 and Exchange 2003 Servers" procedure.
Issue certificates or have them issued for each of the certificate signing requests that you created in the "To Create Certificate Signing Requests for Exchange 2000 and Exchange 2003 Servers" procedure:
•If you are using Microsoft Certificate Services to issue certificates, do the following procedure.
•If you are using an application other than Microsoft Certificate Services, see the documentation for the application for information on issuing server certificates and exporting trust certificates. When you export the trust certificate, which is uploaded to the Cisco Unity Connection server later in this chapter, issue it in base-64 encoded X.509 format with a .pem filename extension. Then continue with the "To Install the Certificates on Exchange 2000 and Exchange 2003 Servers" procedure.
•If you are using an external certification authority (CA) to issue certificates, send the certificate signing requests to the CA. Request that the CA provide the trust certificate, which is uploaded to the Cisco Unity Connection server later in this chapter, in base-64 encoded X.509 format with a .pem filename extension. When the certificates are returned, continue with the "To Install the Certificates on Exchange 2000 and Exchange 2003 Servers" procedure.
To Issue the Certificate (Only When You Are Using Microsoft Certificate Services to Issue the Certificate)
Step 1 On the server on which you installed Microsoft Certificate Services, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Certification Authority.
Step 3 In the left pane, expand Certification Authority (Local) > <Certification authority name>, where <Certification authority name> is the name that you gave to the certification authority when you installed Microsoft Certificate Services in the "To Install the Microsoft Certificate Services Component" procedure.
Step 4 Right-click the name of the certification authority, and click All Tasks > Submit New Request.
Step 5 In the Open Request File dialog box, browse to the location of the first certificate signing request file that you created in the "To Create Certificate Signing Requests for Exchange 2000 and Exchange 2003 Servers" procedure, and double-click the file.
Step 6 In the left pane of Certification Authority, click Pending Requests.
Step 7 Right-click the pending request that you submitted in Step 5, and click All Tasks > Issue.
Step 8 In the left pane of Certification Authority, click Issued Certificates.
Step 9 Right-click the new certificate, and click Open.
Step 10 In the Certificate dialog box, click the Details tab.
Step 11 Click Copy to File.
Step 12 On the Welcome to the Certificate Export Wizard page, click Next.
Step 13 On the Export File Format page, click Base-64 Encoded X.509 (.CER).
Step 14 Click Next.
Step 15 On the File to Export page, click Browse.
Step 16 In the Save As dialog box, choose a location and enter a file name.
If this is not a server on which Internet Information Services Manager is installed, try to choose a network location that you can access from the current server and from the server on which Microsoft Certificate Services is installed.
Step 17 Write down the path and file name. You will need it in a later procedure.
Step 18 Click Save to close the Save As dialog box.
Step 19 Click Next.
Step 20 On the Completing the Certificate Export Wizard page, click Finish.
Step 21 Click OK to clear the message that indicates that the export was successful.
Step 22 Click OK to close the Certificate dialog box.
Step 23 If you created more than one certificate signing request in the "To Create Certificate Signing Requests for Exchange 2000 and Exchange 2003 Servers" procedure, repeat Step 9 through Step 22 for each certificate signing request listed under Issued Certificates.
Step 24 Close Certification Authority.
Step 25 If Internet Information Services Manager is on another server and you were not able to save the certificate request files in a network location accessible to that server, copy the certificate request files to a removable medium (diskette, CD, or DVD).
Do the following procedure for every Exchange 2000 or Exchange 2003 server that contains calendar and contact data that you want Connection users to be able to access.
To Install the Certificates on Exchange 2000 and Exchange 2003 Servers
Step 1 On one of the Exchange 2000 or Exchange 2003 servers for which you have an SSL certificate, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Internet Information Services Manager.
Step 3 In the left pane, expand the name of this Exchange server.
Step 4 Right-click Default Web Site, and click Properties.
Step 5 In the Default Web Site Properties dialog box, click the Directory Security tab.
Step 6 Under Secure Communications, click Server Certificate.
Step 7 On the Web Server Certificate Wizard Welcome page, click Next.
Step 8 On the Pending Certificate Request page, click Process the Pending Request and Install the Certificate.
Step 9 Click Next.
Step 10 On the Process a Pending Request page, browse to the location where you saved the certificates, and specify the server certificate that you created using Microsoft Certificate Services or another application, or that you got from an external CA.
You may have to change the value of the Files of Type list to All Files (*.*) to see the certificates.
Step 11 On the Certificate Summary page, verify the certificate information.
Step 12 Click Next.
Step 13 On the Completing the Web Server Certificate Wizard page, click Finish to exit the Web Server Certificate wizard.
Step 14 Click OK to close the Default Web Site Properties dialog box.
Step 15 Restart IIS:
a. In the left pane of Internet Information Services Manager, right-click the name of this Exchange server, and click Restart IIS.
b. In the Stop/Start/Restart dialog box, click Restart Internet Services on <Server name>.
c. Click OK.
d. Close Internet Information Services Manager.
Step 16 Repeat Step 1 through Step 15 for each certificate that you want to install.
Creating Certificate Signing Requests, and Issuing, Importing, and Enabling Certificates (Exchange 2007 Only)
To Create Certificate Signing Requests on Exchange 2007 Servers
Step 1 On an Exchange 2007 server on which Cisco Unity Connection users have Exchange calendars and contacts, log on to Windows by using an account that has the permissions required to run the Exchange Management Shell New-ExchangeCertificate command.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
Step 3 Run the following command:
New-ExchangeCertificate -GenerateRequest -DomainName <domain name>
-PrivateKeyExportable $true -path <path and file name for certificate signing request>
Step 4 Close Exchange Management Shell.
Step 5 If you want to access calendar and contact data on other Exchange 2007 servers, repeat Step 1 through Step 4 on each server whose data you want to access.
Issue server certificates or have them issued for each of the certificate signing requests that you created in the "To Create Certificate Signing Requests on Exchange 2007 Servers" procedure:
•If you are using Microsoft Certificate Services to issue certificates, do the following procedure.
•If you are using an application other than Microsoft Certificate Services, see the documentation for the application for information on issuing server certificates and exporting a trust certificate. When you issue the trust certificate, which is uploaded to the Cisco Unity Connection server later in this chapter, issue it in base-64 encoded X.509 format with a .pem filename extension. Then continue with the "To Import and Enable the SSL Certificate on an Exchange 2007 Server" procedure.
•If you are using an external certification authority (CA) to issue certificates, send the certificate signing requests to the CA. Request that the CA issue the trust certificate, which is uploaded to the Cisco Unity Connection server later in this chapter, in base-64 encoded X.509 format with a .pem filename extension. When the certificates are returned, continue with the "To Import and Enable the SSL Certificate on an Exchange 2007 Server" procedure.
To Issue the Server Certificates (Only When You Are Using Microsoft Certificate Services to Issue the Certificate)
Step 1 On the server on which you installed Microsoft Certificate Services, log on to Windows by using an account that is a member of the Domain Admins group.
Step 2 On the Windows Start menu, click Programs > Administrative Tools > Certification Authority.
Step 3 In the left pane, expand Certification Authority (Local) > <Certification authority name>, where <Certification authority name> is the name that you gave to the certification authority when you installed Microsoft Certificate Services in the "To Install the Microsoft Certificate Services Component" procedure.
Step 4 Right-click the name of the certification authority, and click All Tasks > Submit New Request.
Step 5 In the Open Request File dialog box, browse to the location of the first certificate signing request file that you created in the "To Create Certificate Signing Requests on Exchange 2007 Servers" procedure, and double-click the file.
Step 6 In the left pane of Certification Authority, click Pending Requests.
Step 7 Right-click the pending request that you submitted in Step 5, and click All Tasks > Issue.
Step 8 In the left pane of Certification Authority, click Issued Certificates.
Step 9 Right-click the new certificate, and click Open.
Step 10 In the Certificate dialog box, click the Details tab.
Step 11 Click Copy to File.
Step 12 On the Welcome to the Certificate Export Wizard page, click Next.
Step 13 On the Export File Format page, click Base-64 Encoded X.509 (.CER).
Step 14 Click Next.
Step 15 On the File to Export page, click Browse.
Step 16 In the Save As dialog box, choose a location and enter a file name.
If this is not a server on which Internet Information Services Manager is installed, try to choose a network location that you can access from the current server and from the server on which Microsoft Certificate Services is installed.
Step 17 Write down the path and file name. You will need it in a later procedure.
Step 18 Click Save to close the Save As dialog box.
Step 19 Click Next.
Step 20 On the Completing the Certificate Export Wizard page, click Finish.
Step 21 Click OK to clear the message that indicates that the export was successful.
Step 22 Click OK to close the Certificate dialog box.
Step 23 If you created more than one certificate signing request in the "To Create Certificate Signing Requests on Exchange 2007 Servers" procedure, repeat Step 9 through Step 22 for each certificate signing request listed under Issued Certificates.
Step 24 Close Certification Authority.
Step 25 If Internet Information Services Manager is on another server and you were not able to save the certificate request files in a network location accessible to that server, copy the certificate request files to a removable medium (diskette, CD, or DVD).
Do the following procedure for every Exchange 2007 server that contains calendar and contact data that you want Connection users to be able to access.
To Import and Enable the SSL Certificate on an Exchange 2007 Server
Step 1 On a server for which you have an SSL certificate, log on to Windows by using an account that has the permissions required to run Exchange Management Shell Import-ExchangeCertificate and Enable-ExchangeCertificate commands.
Step 2 On the Windows Start menu, click Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
Step 3 Run the following command:
Import-ExchangeCertificate -path <path and file name for certificate>
Step 4 Copy to the Windows clipboard the thumbprint that was displayed by the Import-ExchangeCertificate command.
Step 5 In Exchange Management Shell, run the following command:
Enable-ExchangeCertificate -Thumbprint <thumbprint that you copied in Step 4> -Services IIS
Step 6 Close Exchange Management Shell.
Step 7 If you created more than one certificate signing request in the "To Create Certificate Signing Requests on Exchange 2007 Servers" procedure, repeat Step 1 through Step 6 on each Exchange 2007 server for which you have an SSL certificate.
Creating Connection External Services to Specify the Exchange Servers That Users Can Access
In Cisco Unity Connection Administration, you create and configure one Calendar and Personal Contacts external service for each Exchange server that contains calendar and contact data that you want Connection users to be able to access.
To Create Connection External Services to Specify the Exchange Servers That Users Can Access
Step 1 In Cisco Unity Connection Administration, expand System Settings, then click External Services.
Step 2 Click Add New.
Step 3 In the Type list, click Calendar and Personal Contacts.
Step 4 In the Display Name field, enter a name that will help you identify the service when you configure Connection users to access their calendar and contact information. (For example, in the name of the service, you might include the name of the Exchange server that contains the calendar and contact data that users are accessing.)
Step 5 In the Server Base URL field, enter the URL for the Exchange server that contains calendar and contact data that you want Connection users to be able to access. Use the format https://<Exchange server>/Exchange/ where <Exchange server> is the computer name, the fully qualified domain name (FQDN), or the IP address of the Exchange server.
If you enter the computer name or the fully qualified domain name of an Exchange 2000 or Exchange 2003 server, the value that you enter for <Exchange server> must exactly match the value that you entered in Step 18 of the "To Create Certificate Signing Requests for Exchange 2000 and Exchange 2003 Servers" procedure.
Step 6 Confirm that the Access Enabled check box is checked.
Step 7 If you are accessing an Exchange 2007 server:
a. Uncheck the Use Service Credentials check box.
b. Skip to Step 8.
If you are accessing an Exchange 2000 or Exchange 2003 server:
a. Check the Use Service Credentials check box.
b. In the Service Login field, enter the Active Directory user logon name of the service account that you created in the "To Create the AD Service Account That Cisco Unity Connection Uses to Access Exchange Data" procedure. Use the format <Domain name>\<Account name>.
Note the back slash (\) between <Domain name> and <Account name>. If you use a forward slash (/), the Calendar and Personal Contacts service will not work.
c. In the Service Password field, enter the password for the service account.
Step 8 Click Save.
Step 9 If you have created external services for all of the Exchange servers that you want to allow users to access, skip the rest of this procedure.
If you want users to be able to access additional Exchange servers, on the External Service menu, click New External Service.
Step 10 Repeat Step 3 through Step 9 until you have created all of the required external services.
Configuring the Cisco Unity Connection Server to Trust Exchange Certificates
To make the Cisco Unity Connection server trust the certificates for the Exchange servers, you need to upload, to the root certificate store on the Connection server, a trust certificate for each certification authority that issued certificates. Typically, you will use the same certification authority (for example, Microsoft Certificate Services or VeriSign) to issue all certificates.
To Configure the Cisco Unity Connection Server to Trust Exchange Certificates
Step 1 If you used Microsoft Certificate Services to issue the certificates, continue with Step 2.
If you used another application or an external certification authority to issue the certificates, skip to Step 21 to upload the trust certificates, in base-64-encoded X.509 format, to the root certificate store on the Connection server.
Step 2 On the server on which you installed Microsoft Certificate Services, log on to Windows by using an account that is a member of the local Administrators group.
Step 3 On the Windows Start menu, click Programs > Administrative Tools > Certification Authority.
Step 4 In the left pane, expand Certification Authority (Local).
Step 5 Right-click the name of the certification authority, and click Properties.
Step 6 In the <Certification authority name> Properties dialog box, on the General tab, in the CA Certificates list, click the name of one of the certificates that you issued for the Exchange servers.
Step 7 Click View Certificate.
Step 8 In the Certificate dialog box, click the Details tab.
Step 9 Click Copy to File.
Step 10 On the Welcome to the Certificate Export Wizard page, click Next.
Step 11 On the Export File Format page, click Base-64 Encoded X.509 (.CER).
Step 12 Click Next.
Step 13 On the File to Export page, enter a temporary path and file name of the trust certificate (for example, c:\cacert.pem). Use the filename extension .pem.
Caution The trust certificate must have a .pem filename extension or you will not be able to upload it on the Connection server.
Step 14 Write down the path and file name because you will need it later in this procedure.
Step 15 Click Next.
Step 16 On the Completing the Certificate Export Wizard page, click Finish.
Step 17 Click OK to close the "Export successful" message box.
Step 18 Click OK to close the Certificate dialog box.
Step 19 Click OK to close the <Server name> Properties dialog box.
Step 20 Close Certification Authority.
Step 21 Copy the trust certificate to a network location that is accessible to the Connection server.
Step 22 On the Connection server, log on to Cisco Unified Operating System Administration.
Step 23 On the Security menu, click Certificate Management.
Step 24 On the Certificate List page, click Upload Certificate.
Step 25 On the Upload Certificate page, in the Certificate Name list, click Connection-trust.
Step 26 In the Root Certificate field, enter the name of the certificate file that you issued using Microsoft Certificate Services or another certification authority, or that you got from a CA.
Step 27 Click Browse.
Step 28 In the Choose File dialog box, browse to the location of the certificate file, click the name of the file, and click Open.
Step 29 On the Upload Certificate page, click Upload File.
Step 30 When the Status area reports that the upload succeeded, click Close.
Step 31 If you issued certificates or had them issued by more than one certification authority, repeat Step 24 through Step 30 for each trust certificate.
Requiring Secure Communication Between Connection and Exchange Servers (Optional But Recommended)
Several of the procedures earlier in this chapter help to secure, by encryption, the calendar and contact data that is transferred from Exchange to Cisco Unity Connection. However, if you specified an http URL instead of an https URL when you did the procedure in the "Creating Connection External Services to Specify the Exchange Servers That Users Can Access" section, the data is not encrypted before it is sent over the network.
We recommend that you do the following procedure on each Exchange server so that if a Connection administrator accidentally specifies an http URL when updating the list of Exchange servers that users can access, any attempt to transfer unencrypted Exchange data will fail.
Caution This is a global setting. For every Exchange server on which you have done this procedure, all web clients that access Exchange data on that server will be required to use an https URL.
To Configure IIS to Require Secure Communication with Cisco Unity Connection (Optional But Recommended)
Step 1 Confirm that no other applications will be affected when Internet Information Services is configured to require Web clients to use https URLs to access Exchange data.
Step 2 Log on to an Exchange server that contains mailboxes from which Connection users want to import calendars or contacts.
Step 3 If the server is running Windows Server 2003, on the Windows Start menu, click Programs > Administrative Tools > Internet Information Services (IIS) Manager.
If the server is running Windows 2000 Server, on the Windows Start menu, click Programs > Administrative Tools > Internet Services Manager.
Step 4 In the left pane of Internet Information Services, expand the name of this Exchange server.
Step 5 If the server is running Windows 2000 Server, skip to Step 6.
If the server is running Windows Server 2003, expand Web Sites.
Step 6 Right-click Default Web Site, and click Properties.
Step 7 In the Default Web Site Properties dialog box, click the Directory Security tab.
Step 8 Under Secure Communications, click Edit.
Step 9 In the Secure Communications dialog box, check the Require Secure Channel (SSL) check box.
Step 10 Click OK to close the Secure Communications dialog box.
Step 11 Click OK to close the Default Web Site Properties dialog box.
Step 12 Close Internet Information Services.
Step 13 If you are prompted to turn on this setting for child nodes, select the child nodes on which you want to enable this setting and click OK.
Step 14 Repeat Step 1 through Step 13 on each Exchange server that contains mailboxes from which Cisco Unity Connection users want to import calendar or contact data.
Synchronizing Clocks on the Cisco Unity Connection and Exchange Servers
Personal call transfer rules that are based on calendar data require that the system clocks be synchronized for the Cisco Unity Connection server and all of the Exchange servers on which Connection is accessing calendar data.
Caution If the time on the Connection server does not match the time on Exchange servers on which calendar data is being accessed, personal call transfer rules that are based on calendar data will route calls incorrectly.
To Configure the Cisco Unity Connection and Exchange Servers to Access an NTP Server
Step 1 On the Connection server, log on to Cisco Unified Operating System Administration.
Step 2 On the Settings menu, click NTP Servers.
Step 3 Click Add New.
Step 4 In the Hostname or IP Address field, enter the DNS name (FQDN) or the IP address of an NTP server that can be resolved by the Connection server and by every Exchange server on which Connection is accessing calendar data.
Step 5 Click Save.
Step 6 Configure all Exchange servers on which Connection is accessing calendar data to synchronize their clocks with the same NTP server that you chose for the Cisco Unity Connection server in Step 4.
For more information, see the Microsoft website.