Lync Server 2013 Event 44009 (Um Integration with Exchange Server 2013)

When configuring Lync Server 2013 UM integration with Exchange server, the standard dialplan security configuration is configured as “Secured”. But, recently i came across with the issue where the dial plan security is set to “Secured” and the UM Service and the UM Call Router services are set to use “TLS”, i get the below error event on Lync front end server.Lync error

And when logged in to the Exchange Database server, there were plenty of warning event messages complaining that the voice encryption does not match with the Dial Plan configuration. UM Error

Thinking about the Dial Plan’s security configuration, It came to me that, then the services are set to use “TLS” instead of “Dual”, then the Dial Plan muct be configured as “SIP Secure” or elase it’ll come up with the abouve error.SIpSecure

After changing the Dial Plan security configuration and restarting UM service on both the Exchange database servers and UM Call Router on CAS server, it finally started working.

This wouldn’t be a problem if the services are set to use “Dual” instead of TLS. But, it’s recommended to use TLS as all traffic between Exchange servers and Lync servers are encrypted



Lync Server 2013 January Update (cumulative update 5.0.8308.577)

Lync Server 2013 January Cumulative Update is here. This is a Server end update which addressed to fix several bugs. This is a Cumulative update and it carries all other updates before it.

Please go to the official KB article using and follow the instructions.

Don’t forget to update the back end Databases!!

Lync 2013 version15.0.4551.1005 (November Update)

Microsoft has released a new Cumulative Update for Lync 2013 Client couple days ago. This fix addressed bunch of issues including,

  • Presence status isn’t updated based on Exchange calendar in Lync 2013
  • You can’t drag a contact from Lync 2013 to another application
  • Proxy authentication dialog box appears when you sign in to Lync 2013

Note that once updated, there is a known issue with this fix.

  • Screen readers cannot read aloud keystrokes during a Lync 2013 application or desktop sharing session in Windows

Before applying the CU Update, Verify that below prerequisites are installed.

  • MSO (KB2727096)
  • MSORES (KB2817624)
  • IDCRL (KB2817626)

You can download above patches and the CU update from

Lync Server October CU (KB 2809243)

Lync Server October Cumulative Update has been released. To install this update, please go through following steps.

1. Get the Pool Upgrade Readiness Status (For Enterprise Edition Front End Servers)

Run the command get-CsPoolUpgradeReadinessState and verify that all Front End servers returns as “Ready”


Once the servers are ready, run Stop-CsWindowsService to immediately stop the Lync Server related Windows Services.

Now Download and run the “LyncServerUpdateInstaller.exe”. This can be downloaded from

For Lync Server 2013 Standard Edition Servers

Download and run the “LyncServerUpdateInstaller.exe”. This can be downloaded from

2. Apply the Back End Database update (For Enterprise Edition)

This is the one that most of the system administrators forget to do. If the environment has SQL Server High Availability configured on SQL Mirroring, verify that the Principle is set to Primary SQL Server by running  Invoke-CsDatabaseFailover -NewPrincipal Primary This will set the Principle as the Primary Server

If all databases including Archiving/Monitoring, Persistent Chat, run below command to upgrade the Database

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn FEBE.FQDN -Verbose

3. Apply the Central Management Store Update (For Lync Server 2010 and 2013 Plaforms)

This step is only require if the Lync Server platform was upgraded to February 2013 Cumulative Update.  Run the below command,

Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn CMS.FQDN -SqlInstanceName DBInstanceName -Verbose

4. Enable Mobility Services (For Lync Server 2010 and 2013 Platforms)

To enable Mobility Services run, Enable-CsTopology command.

Publish Lync Server External Web Services using ISS ARR

Ever since Microsoft decided to retire the TMG, Everyone’s concern about what would be the platform that can be used to Publish Lync Server external web services URLS. It’s obvious that these URLs need to be reverse proxy in to the Front End pool and there’s not much options available to get the job done.

This is where the ISS ARR (Internet Information Service Application Request Routing) comes in to the picture. URL Re-Routing option was there since 2011 but it was never highlighted since the ISA\TMG was doing it’s job. Now both the ISA\TMG is going out, ARR is in the front row for the Reverse Proxy job.

Now let’s deploy the IIS ARR Server. I used the Server 2008 R2 Application Server with IIS deployed with default options. use link to download and install ARR component on top of the IIS Application Server.

Now to configure SSL over port 443 and assign the certificate.


Note that this certificate must contain all the SAN records that associate to all the web farms that getting created within this ISS Server.


Configure the Web Farm. I’ll take “ as an example here. Set the farm as “On Line”.


Configure the Server Address. This will be the Next Hop that URLs getting Reverse Proxy in to. It can be a Front End pool or a Director. Set the ports as 8080 for HTTP and 4443 as HTTPS. Add the server once done.


Click on “Yes” to confirm to proceed with creating the rule.


Server is added and Farm is online.


Go in to Caching and take out the “Enable Disk Cache” check box. Apply the changes and go back to the farm.


Select the “Proxy” option. Set everything as default and increase the “Keep Alive” time more than 180. I’ve set it as 200.


Go in to the “Routing Rules” and take out the SSL offloading. Apply the changes and go back to the server farm.


Select the IIS Server and select “URL Rewrite” option.


In URL Rewrite, there will be two options, HTTP and HTTPS\SSL. HTTP option can be removed as we are not interested in HTTP.


Edit the HTTPS\SSL rule. in Conditions, click on Add to add another rule.


In Add Condition, Start typing {HTTP_… and select {HTTP_HOST} from the list.


Leave it as “Match the Pattern” and set the pattern as meet.* set the option “Ignore Case”.


Test the pattern to verify that the configured pattern functions as expected. Go back to the URL Rewrite once done.


The newly created rues should looks like this.


Now test the published URL from outside of the domain and it should reverse proxy in to the Front End pool


Now publish the rest of the URL and create Web Farms in ISS ARR accordingly.


For Mobility clients, you might experience that the “Server configuration have changed. Please restart the client” alert keep on coming. To fix this, set the Proxy time out parameter to 960 instead of 200 in ARR rule.


For the Office Web App external URl publishing, It’s little different than the rest of the ARR rules. Not only the server proxy ports has top be 443 and 80 instead of 8080 and 4443, the ARR rule need to be configured to use Regular Expressions instead of Wildcards. Below is the standard configuration of a ARR rule for WAC server.



Skype Integration with Lync Server 2013

Finally the long waited Skype integration for Lync is here. Although the Integration is there now, but it’s currently available for only Audio calls. Video calling is not yet supported. I’m sure in this will be in place with future Cumulative Update.

This article will guide you in Provisioning and Configuration of Skype as a public Provider in Lync Server 2013 and 2010.

As a prerequisite for this, The Edge server must be deployed and Federation must be enabled. Although Microsoft suggest to have _SIPFederationTLS._TCP.DOMAIN.COM SRV has to be in place, But this is not mandatory. As long as you have an “A” record for Assess Edge service, that’s all it needs.

First of all the Processioning has to be done. To do this you need to have an active Microsoft partnership (Licensing Agreement). It can be a Volume License Agreement, MPN (Microsoft Partner Network).

If all in place, go to https://pic.lync.comPIC 1

Sign in using your Windows Live ID and select the Licensing agreement type that you have. check the terms and condition box and enter the agreement ID. Submit when ready.PIC 2

Fill the details of the Primary Contact and Alternate Contact. Proceed when ready. This is the contact that Microsoft will notify when the provisioning process is completed.PIC 3

Configure the Access Edge FQDN and add SIP Domains that you have in Lync. There can be only one Access Edge FQDN. Proceed to submit the Request to Microsoft to get on with the provisioning process. This can take up to 30 days to complete. PIC 4

Go back to Lync Server control Panel and verify that Federation is enabled along side with to communicate with Public UsersPIC 7

Open Lync management Shell and run Remove-CsPublicProvider -Identity Messenger to remove the MSN provider. Federation with MSN is no longer available and it’s replaced by SkypePIC 5

Configure Skype as a Public Provider by running

New-CsPublicProvider -Identity Skype -ProxyFqdn -IconUrl “” VerificationLevel 2 -Enabled 1 PIC 6

Go back to the Management Shell and verify that the new Skype Provider is there and enabled PIC 8

At this point, the Skype integration is fully configured and active. Once Microsoft get done with the Provisioning process, you can add Skype users in to Lync.

There’s a catch for adding Skype users. You need to add Skype users by their Windows Live or their Hotmail ID. not the regular Skype ID. To the the communication going, the Skype users must log in to Skype using the Windows Live or Hotmail ID. PIC 9

If you need in detailed information regarding the process, please go to and follow the document.

Lync Server 2013 Integration with Exchange UM 2013

Exchange 2013 is here and with it, a new and improved Unified Messaging architecture has introduced. Unlike it’s predecessors, UM 2013 is distributed among the Mailbox Server and the CAS Server.

Mailbox server hold the Unified Messaging Service and the CAS Server holds the Unified Messaging Call Router service. Those roles are collocated in to the CAS and Database servers. To understand in detail about the new voice architecture within new UM 2013, visit

Let’s move on to the UM configuration process. Below are the steps i’m going to follow through out the deployment process

1. Configure Certificates and assign 

Configuring and assigning certificates are pretty much the same as Exchange 2010. Only one difference is that the Certificate need to be assigned to both UM Service and UM Call Router service

Request a new certificate from the internal CA and import the certificate to Exchange certificate wizard to complete the request


Assign the new certificate to UM Service and UM Call Router Service. Both mentioned windows services has to be restarted to get the change to effect. Both the services will not come up until the Start up mode is completed.


2. Setting the Service Start up mode for UM Service

The UM and UM Call router Services will not come up as expected. Now jump in to the Exchange Server Management Shell and run,

Set-UMService -Identity “<Exchange DB Server FQDN>” -IPAddressFamily any -UMStartupmode TLS

Now, Restart the UM windows service.

once you set the startup mode to “TLS” and the certificate is not assigned, the UM Service will not come up


3. Configure UM Dial Plan 

Fire up the Exchange Management Console Web Tool and select the Unified Messaging component. Select to create a new UM Dial Plan. Specify a name to the Dial Plan and set the Security mode as Secured.


Click on “Configure” to configure the rest of the Dial Plan.


The General Configuration of the Dial Plan.


Unlike Exchange 2010, now you can upload a customized Welcome greeting for Outlook Voice Access. Configure a number for Subscriber Access and save.


Configure the Settings for the Dial Plan. Here, you can specify the operator Extension which the calls can send to if the name look up fails. Save the configuration once completed. I’ve left the defaults there.


Configure the Dialing Rule. This part is important as here you configure rules to route calls to Extensions within the UM Dial plan. If Dialing Rules are not configures, dialing extensions while in Auto Attendant and Play On Phone feature in Outlook for Voice mail will fail.


This is the Dialing Rule that I’ve created. This rule will allow any digit without any restriction.


Set the Dialing Authorization and associate the above created Dialing Rule.


This completes the UM Dial Plan configuration. Now to configure the UM Auto Attendant.

4. Configure UM Auto Attendant

Select to create a new UM Auto Attendant. Configure a Number for the Attendant and set the attendant to respond to voice commands


Now the Dial Plan and Auto Attendant configuration is complete.


5. Setting the Service Start up mode for UM Call Router Service

Now to set the star up mode for UM Call Router Service. Run,

Set-UMCallRouterSettings -Dialplans <created dial plan> -Server <CAS Server FQDN> -UMStartupMode TLS

Now, Restart the Um Call Router windows service.

A certificate need to be assigned in to UM Call router service. Else, the service will  not start.


6. Assigning the UM Dial Plan to Um Servers.

Now to assign the Dial Plan to Servers. run,

Set-UMService -Identity <DB Server FQDN> -MaxCallsAllowed 50 -DialPlans <Name of the Dial Plan>

Set-UMCallRouterSettings -Dialplans <Name of the Dial Plan> -IPAddressFamily Any -Server <CAS Server FQDN>


7. Configure the UM IP Gateway for Lync Server 2013

Before going to this stet, verify that the UM Call Router and the UM services are up and running.

Jump in to Exchange Management Shell and navigate to, C:\Program Files\Microsoft\Exchange Server\V 15\Scripts and run .\EXUMUCUtil.ps1

This Script will create the UP IP gateway for Lync Server by getting the server configuration from the AD.


8. Configure Objects in Lync Server for Subscriber Access and the Auto Attendant

Navigate to C:\Program Files\Common Files\Microsoft Lync Server 2013\Support and run the OCSUMUtil.exe tool. Refresh to import the configured objects in UM Server.


Click on “Add” and select the “Subscriber Access”. Specify the name for the Subscriber Access and specify a OU for the object to be created. Check the Pilot Identifier number is correct and click on OK to configure the Object.


Now, Select the “Auto Attendant” and specify a Name for the Auto Attendant and set an OU to create the object (I’ve left the name for UM and SA as the same so i had to change the OU). Click on OK once done.


8. Enable users in to UM and Test

Enable users in to UM. Verify that the AD phone Number field is populated with the users DID number before proceed with this.


Now test both the Subscriber Access and Auto Attendant by dialing the Pilot Identifier numbers.

Call Pickup configuration for Lync Server 2013

Getting another step closer in to the PBX Domain, Lync Server 2013 finally support Call Pickup Groups. This was a basic PBX feature which Lync Server could not able to cater. Being said that, the configuration for the Call Pickup is not really straight forward.

To do this, it require as Trusted Application server running SEFAUtil (Secondary Feature Activation Utility) that comes with Resource Kit Tools. This application must be running on a separate box as running on the Front End servers are not supported.

Before getting through with the configuration, the Lync Server 2013 platform must be upgraded to Lync Server 2013 CU1.

This can be done for the Lync Server 2013 Management Shell or the topology builder. I’ve used the topology builder. Download the topology and configure the Trusted Application Server. My Application Server name is


Configure the next hop server as the Front End Server Pool


Publish the topology


Now to configure the Trusted Application. In Lync Server 2013 Management Shell Run,

New-CsTrustedApplication -ApplicationId “SefaUtil” -TrustedApplicationPoolFqdn <Trusted Application Server FQDN> -Port 7788

The Application ID must be configured as “SefaUtil”. The Port can be anything other than obvious ports that used by the Lync Server.

Run, Enable-CsTopology to replicate the changes


Install the Lync Server deployment Wizard on the Application Server.Run the deployment Wizard and select “Install or Update Lync Server System”


Run the “install Local Configuration Store” and select to retrieve the store automatically.


Proceed and complete this step.


After that, run “Setup or Remove Lync Server Systems”. Proceed with the setup and complete this step. It’s normal that there will not be a green check mark next to the step.


Request and install a Certificate.


Configuration is now completed. Start the services and close the deployment wizard.


Download and install the Lync Server 2013 Resource Kit Tools. This can be found in


Configure a Call Park Orbit for as a call pickup group. run,

New-CsCallParkOrbit -Identity “Call Pickup” -NumberRangeStart – 100 – NumberRangeEnd 150 -CallParkService <Lync Server Pool FQDN> -Type grouppickup


Add users in to the Call Pickup Group. Open the Windows PowerShell and navigate to the ResKit folder. Run,

>sefautil.exe /enablegrouppickup:”110″ /server:<Front End Pool FQDN> <>

If the deployment is done properly and the command is correct, The result will be shown as below.


If all good, test it out.

Note that there are limitations for this. Call Pickup doesn’t work if the call is routed via a Response Group, Simultaneous Ring scenario.

Configuring SQL Server High Availability for Lync Server 2013

Lync Server 2013 platform only support SQL Mirroring as the only Database High Availability option. SQL Cluster not supported. Below steps indicate ow to configure SQL Database Mirroring for Lync Server 2013.

It is important that a Witness to be configured for the principle database as with the witness configured, the fail over will be quick and automatic. If there’s no witness configured, the System Administrator has to manually invoke the fail over and at this moment, the active users will get effected.

Let’s start with the Topology configuration. Download the topology form the topology builder and save a copy as a backup. In Pool properties, check the “Enable SQL Server store mirroring” and select New.


Configure the SQL Server FQDN, Instance and the Mirror port


Check the “Use SQL Server mirroring witness to enable automatic fail over” box. Configure the witness server FQDN and the Instance. Leave the default port number.


Now Publish the topology. at this point, a File Share need to be created to replicate the databases between the principle and the mirrored SQL servers. Select “Settings”


Specify the share location. Note that this file share must have read and write assess to the user account that use to create the databases in primary SQL Server.


Continue with the Topology publish. and make sure that the topology get published successfully.


If the topology fail to publish due to a configuration error, trouble shoot and fix the problem. once done, instead of publishing the topology, select “Install Databases. This step will skip what ever the databases already installed and continue with the rest.


At this point, the mirror databases will get created and synchronize with the primary SQL Server. give it some time to get settled.


Once all settled, It’s time to do some Fail-over testing.

Fail-over the User databases by running below,

Invoke-CsDatabaseFailover -NewPrincipal Primary -PoolFQDN <Front End Pool FQDN> -DatabaseType User



Fail-over the Management Store databases by running below,

Invoke-CsDatabaseFailover -NewPrincipal Primary -PoolFQDN <Front End Pool FQDN> -DatabaseType Centralmgnt


Fail-over the Application databases by running below,

Invoke-CsDatabaseFailover -NewPrincipal Primary -PoolFQDN <Front End Pool FQDN> -DatabaseType Application


Open the SQL Server Management Studio and see if the Databases state changed from Mirror to Principal.

Now Try turning down the Principal Server SQL Service to verify that the Databases are getting fail-over to Mirror automatically.


All looking good. System was able to connect to the Mirrored Databases successfully.

Office Webapps 2013 Server Deployment

Office WebApps Server is introduced in Lync Server 2013 platform to handle Powerpoint sharing in a Web Conference.

Below are the steps to deploy the Office WebApps 2013 server.

Deploy on Windows Server 2008 R2

Install the following prerequisites and update the server with latest Windows Patches.

Install the Server roles and Services and restart the Server.

Import-Module ServerManager

Add-WindowsFeature Web-Server,Web-WebServer,Web-Common-Http,Web-Static-Content,Web-App-Dev,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Includes,Web-Security,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Ink-Handwriting,IH-Ink-Support


Now to request a certificate for Office WebApps Farm. Go to IIS and select to Create Certificate Request


Specify the Common name and the rest of the parameters and proceed with saving the request file. Get a Web Server certificate from the internal CA and complete the certificate request in IIS


Install the Office WebApps 2013 software in application Server. Software can be downloaded from


Download and Install the Office WebApps server update from Restart the server once done.

Now to configure the OfficeWebApps Farm. Run the below command on Windows Powershell with Administration privilege

New-OfficeWebAppsFarm -InternalUrl "" -ExternalUrl "" -CertificateName "Office Web Apps Certificate" -EditingEnable 

Test the deployed farm by using the discovery URL It should come up with below response.

if you get “500 Web Service Exception”, run below command in Command Prompt

%systemroot%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -iru

Restart the IIS

iisreset /restart /noforce

Configure the Office WebApps server in Lync Server 2013 Topology and publish.


Check the Event Viewer and verify that this event is triggered and the Office WebApps URL s are discoverable


Server deployment is done. Test the feature by running a Powerpoint Sharing session.


Office Web Apps Server 2013 deployment is done.