Integrating Lync 2013 with Exchange 2013 OWA using UM Certificate

In this article we'll go through integrating Lync 2013 with Exchange 2013 OWA utilising the existing Unified Messaging certificate.

Scenario
Exchange 2013 multi-role server has a public signed wildcard certificate *.domain.com being used for client access. Internally CA signed certificate is installed for Unified Messaging with the Exchange server fqdn in the subject and SAN (trusted by the Lync server).

Goal
Exchange 2013 client access server integrated with Lync 2013.

NOTE - If you don't have a unified messaging certificate installed with the server FQDN in subject & SAN, you will need to create a new certificate request, then get it signed by your internal CA to be used for the Lync/OWA integration.

Exchange Steps

1. Enable the OWA virtual directory for instant messaging
Run this in Exchange Management Shell:
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType OCS

2. Get the UM certificate thumbprint 
Get-ExchangeCertificate

3. Configure OWA web.config file
Open web.config from your %Exchange install drive%\Microsoft\Exchange Server\V15\ClientAccess\Owa

Search for </appsettings> and add the following lines above it:

<add key="IMCertificateThumbprint" value="%%%CERTIFICATETHUMBPRINT%%%" />
<add key="IMServerName" value="%%%LyncPoolName%%%" />   

Save the web.config

4. Apply OWA Changes
Run this command:
C:\Windows\System32\Inetsrv\Appcmd.exe recycle apppool /apppool.name:"MSExchangeOWAAppPool"

Lync Steps

5. Create Trusted Application Pool
Get-CsSite

Note your Site ID

Create Trusted Application Pool by running:
New-CsTrustedApplicationPool -identity %ExchangeFQDN% -Registrar poolname.domain.com -Site 1 -RequiresReplication $False

6. Create Trusted Application 

Choose a free port for the application. Use netstat -a to see what ports are currently being used
New-CsTrustedApplication -Applicationid OWA -TrustedApplicationPoolFqdn %ExchangeFQDN% -Port 5059

7. Enable the Lync topology
Run Enable-CsTopology

8. Test integration
Log into OWA and check that it has signed into Lync

Troubleshooting if sign in fails

Log files are on the Exchange server under %Exchangeinstalldrive%\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

If you see TLS errors, this is due to the certificate not being right. If you try to do this integration using a wildcard certificate you will see TLS errors such as :

"ERROR:UCWEB Failure: Code=TlsFailure, SubCode=TlsRemoteDisconnected, Reason=\r\nMicrosoft.Rtc.Internal.UCWeb.Utilities.UCWException: Unknown error (0x80131500)"