Skype for Business and Exchange UM Integration

Skype for Business and Exchange UM Integration

This article covers the configuration steps for introducing voice mail support into a Skype for Business (SfB) Server 2015 environment by integrating with Exchange Server 2013 Unified Messaging (UM).  Note that this series of Exchange integration articles leverages Exchange Server 2013 and will continue to do so for continuities’ sake.  Microsoft has recently released to the public the installation package for Exchange Server 2016 for use in on-premises deployments.  These articles also apply when using Exchange Server 2016, with one exception related to Instant Messaging integration which will be the next topic addressed in a future article.

The guidance provided here is a more detailed look at what is partially covered in the official TechNet documentation.  The following configuration covers generally the same approach used to integrate previous version of Lync Server and Exchange Server which was outlined in this older article.  Unfortunately the official documentation is partially incomplete and is also split across the separate product guides for SfB and Exchange Server, making it difficult to understand what is needed for a successful integration.  This article will tie all steps into a single set of instructions which can be completed linearly.

One caveat to be aware of is the recommendation to configure UM integration before enabling Instant Messaging (IM) integration with Outlook Web Access.  Configuring UM first will enable automatic discovery of the Exchange environment in Skype for Business using the configured SIP domain namespace.  Establishing this first will mean that when the IM integration is tackled there will be no need to defined the Exchange Server as a third-party Trusted Application in the SfB topology.  If these are configured in the opposite order, meaning that the Instant Messaging integration is performed first, then the setup of Unified Messaging can break the IM integration due to duplicate, conflicting entries for the Exchange Server in SfB.  Thus is is recommended to start with UM integration and follow these articles in the order they were posted.

The sections in this article are outlined in the following configuration steps.  The steps in red are part of the Exchange Server configuration and the steps in blue are performed on the Skype for Business side.


Assumptions made for the environment used with this article are that Exchange Server 2013 has been deployed with a relatively recent service pack or cumulative update applied.  The version used in this guide is Exchange Server 2013 CU8 ().

Partner Application

The prerequisites steps included in this previous article must be completed first to insure that the Partner Application relationship has already been established between Skype for Business and Exchange.  Other SfB features provided by Exchange like High Resolution Photos or the Unified Contact Store can be enabled in any order, only after the Partner Application relationship is established.

Exchange Certificate

A long standing best practice surrounding the Exchange Server Certificate has to do with how Lync Server parsed the SSL certificate presented to it by the Exchange Server during establishment of TLS communications.  The Lync Server would ignore the certificate’s Common Name (CN) and look at only the Subject Alternative Name (SAN).  With further changes coming on how third parties issue SSL certificates it is becoming more common to focus on the SAN field as the CN field will start to become optional, and eventually even defunct.  That being said the same best practice to making sure to always duplicate the CN value in the SAN still holds true.  Using the Exchange Server certificate wizard to create requests will allow this type of configuration.  At this point it is unknown if this limitation has been addressed in Skype for Business Server 2015 but using a properly formatted certificate makes this a moot point.

  • Using the Exchange Management Shell validate that the existing certificate will be sufficient for use with Skype for Business with the following Get-ExchangeCertificate cmdlet.

As highlighted above the Certificate Domains field lists all of the Subject Alternative Names on this certificate which includes the Exchange Server’s FQDN which is critical for UM integration to function.  In this example the Subject field shows that the certificate’s Common Name is set to which is also duplicated in the SAN field.  Regardless of what the CN is set to make sure that value is duplicated in the SAN (as per general best practices) and that the server FQDN is included in the SAN field.

This configuration is the most common and allows a single SSL certificate to be used for all roles on the Exchange Server.  In more complex environments with separate Exchange UM servers or other configuration it is possible, but not necessary, to use a separate dedicated certificate on the UM service.

Also make note of the Thumbprint value for the desired certificate as it will be used during the configuration in the next section.

The steps in this section are all performed on the Exchange Server using either the Exchange Management Shell or Management Console.

Create New UM Dial Plan

  • Using the Exchange Management Shell create a new UM dial plan with the following New-UMDialPlan cmdlet and the desired plan (e.g. ).

In this deployment the VoIP Security option Secured is used so that both SIP signaling traffic and RTP media traffic will be transmitted between SfB and Exchange using an encrypted TLS communications.  Alternatively opting to use the SIP Secured setting would only encrypt the signaling traffic while all media traffic would be transmitted unencrypted.

Additionally a value of 4 is selected for the number of digits in extension numbers on the pattern where the last four digits are treated as the user’s extension.

  • Using the Exchange Management Shell run the following cmdlet to set the following recommended parameters.
  • Configure UM Services

  • Assign the the UM server to the new UM dial plan and configure support for both TCP and TLS connections with the following cmdlet.   The parameter is the Fully Qualified Domain Name (FQDN) of the Exchange Server (e.g. ).

Now that TLS is enabled for the UM service the Exchange Server certificate needs to be assigned to the service to support TLS communications for signaling and media.

  • Enter the following cmdlet using the value of the same certificate that was queried in the earlier prerequisites steps to insure that the proper certificate is assigned to the UM service.
  • To commit these changes and enable TLS communications on the UM service it needs to be restarted, which can be performed quickly from PowerShell using the following cmdlet.
  • Next perform the same configuration as above on the UM Call Router service with the following cmdlet.
  • The UM Call Router service also need to be assigned to the same certificate as the UM service.
  • Just like the UM service the UM Call Router service needs to be restarted to enable the new configuration.

Customize UM Dial Plan

When the new UM dial plan was created the Exchange Server will have automatically created a default UM Mailbox Policy.  This object will be named with the label ‘Default Policy” appended to the dial plan’s name (e.g. ).

The TechNet documentation seems to omit this fact and instructs the creation of another UM mailbox policy.  A simpler approach is to just modify the default object using the following cmdlet.

  • To configure the recommended AllowedInCountryOrRegionGroups parameter use the following cmdlet.

As only a single policy exists then instead of querying for and entering the name of the default mailbox policy use the Get-UMMailboxPolicy cmdlet to automatically pass the results to the cmdlet as shown above.  Additionally some optional parameters were configured to allow for a four digit PIN to be defined instead of the default 6 digit length.  While not recommended for production environments this can be a welcome time saver in lab or test environments.

Define Attendants

The next step to be performed on the Exchange Server is to define and configure the Auto Attendant and Outlook Voice Access (formerly referred to as ’Subscriber Access’) numbers.

  • Using the Exchange Admin Center navigate to the Unified Messaging > UM Dial Plans section and then open the dial plan that was created earlier (e.g. ).
  • Click the Configure button to edit the dial plan and then select the Outlook Voice Access section.
  • Enter the desired phone number to be assigned to the Outlook Voice Access attendant in the proper +E.164 format (e.g. ) and then add it to the configuration using the ‘+’ button.
  • Click Save to return to the main dial plan window and then scroll down to the UM Auto Attendants section.
  • Click the ‘+’ button to create a new Auto Attendant and then enter a unique Name (e.g. ), enable the auto attendant, and then enter another unique phone number (e.g. ).

Traditionally Exchange does not do well with spaces in auto attendant names and thus it is still recommended to follow that guidance.

  • Click Save to and then Close to commit these changes to the server.

To validate that the UM configuration is functional then at least one user account must be enabled for Unified Messaging.  This process can be completed from either the management console or shell.

  • To enable the first account launch the Exchange Admin Center which should default to the Recipients > Mailboxes section.
  • Highlight the desired user account and then select Enable under the Unified Messaging section in the right-hand window pane.
  • In the Enable UM Mailbox window browse for and select the default mailbox policy (e.g. ) and then advance to the next window.
  • Define a four digit Extension Number if one is not already populated and then, if desired, enter a custom PIN and unselect the option to force the user to change this PIN after they sign in.

In this example the users extension was pre-populated due to the existence of a defined telephone number in the user’s Active Directory object.  Because the dial plan policy was created to use 4-digit extensions then Exchange will automatically take the last 4 digits of the user’s phone number (e.g. ).

  • Complete the wizard to save the changes and enable this account for Unified Messaging.

Alternatively the same steps can be performed using Exchange PowerShell cmdlets, so a second account configuration using this process is also covered as an example.

  • Using the Exchange Management Shell enter the following cmdlet to perform roughly the same exact configuration on another existing Exchange user. 

Make sure to enter a unique extension or to omit that parameter if the account’s phone number is already populated with the desired information.  The PIN was not manually set on this account which means Exchange will have automatically assigned a random PIN and then sent an email to the user’s mailbox with that information.

This step is handled by a script which creates the UM IP Gateway and IP Hunt Group as well as grants permissions to Skype for Business Server to read specific UM-related objects in Active Directory.

Make sure to allow for any outstanding AD replication to complete before running this script so that the newly created UM dial plan and any other changes are read by the script in their updated state.  If run too soon then sometimes the Dial Plans listed in the last line of the script output will display as “not found” even though the configuration is correct up to that point.  If that happens it is safe to simply re-run the script, even multiple times if needed, as it will identify any previously successful configuration and thus report that no new changes were applied in those cases.

  • Using the Exchange Management Shell execute the ExchUCUtil.ps1 script located in the Exchange Server’s Scripts directory, as shown in the path below.

Note that in this example the Skype for Business Front End server shown at the bottom of the script output displays “” for the DialPlans field.  The value should be displayed as the UM Dial Plan name (e.g. ).  As mentioned above this can usually be resolved by going back and re-executing the script after a few minutes have passed.

  • If this issue appears then repeat the previous step until the results successfully report the expected dial plan as shown below.

To validate the creation of the UM IP Gateway open the Exchange Management Console and then navigate to the Unified Messaging > UM IP Gateways section.  Refresh the page if the new gateway does not appear at first.


With the configuration now complete on the Exchange Server the remainder of the steps in this article are performed on the Skype for Business Front End server.

The OcsUmUtil.exeutility is still used to create the Active Directory contact objects for Skype for Business Server to resolve and locate the Exchange Outlook Voice Access and Auto Attendant services.

In older versions of Exchange Server it was required to create an Enterprise Voice Dial Plan in OCS/Lync that matched the exact FQDN of the Exchange UM Dial Plan.  Since the release of Exchange Server 2010 SP1 this is no longer required as indicated by the informational text at the bottom of the utility.  The UM Dial Plan will be automatically discovered and thus no additional Enterprise Voice configuration is required on the SfB Server to enable UM integration.

  • Launch the OcsUmUtil.exe program located in the Skype for Business Server’s Support directory, as shown in the path below.
  • Click Load Data and the Active Directory forest name should appear in the Exchange UM Dial Plan Forest field.
  • Click Add to create the first contact for Outlook Voice Access, which is still referred to as the Subscriber Access number in this tool.
  • Select the desired AD Organizational Unit to save the new contact object and then enter a unique Name for the contact (e.g. ).

While the remainder of the fields can be left with the default entries it is a common practice to change the SIP Address to a less confusing SIP URI.  In this examples the default value (e.g. has been changed to a simpler string (e.g. .

  • Click OK to save the configuration for the Subscriber Access contact.
  • Click Add to create the second contact for the Auto Attendant.
  • Change the Contact Type to Auto-Attendant and then enter a unique Name for the contact (e.g. ).  The same Organizational Unit value as defined for the previous contact should already be populated.

Just as before either retain the default SIP address or edit it to use a customized address as shown in this example (e.g. ).

  • Click OK to save the configuration for the Auto Attendant contact.
  • Close the Exchange UM Integration Utility and then open Active Directory Users and Computers to browse to the target OU and validate that the new contacts were successfully created.

Now that the integration on both server platforms is complete the final step is to test UM connectivity between Exchange and Skype for Business.

  • Sign into a Skype for Business client with one of the UM-enabled user accounts (e.g. ) then search for the SIP URI of the Auto Attendant and place a Skype Call to the contact.

At this point one of two things will occur: the call will work or it will not.  If the integrated voice response is “Thank you for calling Microsoft Exchange auto attendant” then the integration was successful.  If not then the following common issues could be the root cause.

Call Failure

If the call fails without any response from the Exchange UM Server then one of the most common reasons, other than a simple configuration mistake, could be that the Exchange UM IP Gateway configuration script did not complete as mentioned earlier in this article.

  • Check the Lync Server event log on the Skype for Business server to see if the following error message was reported at the same time as the attempted call.

If this message exists then this is an indication that the ExchUmUtil.ps1 script that was run earlier did not configure the UM IP Gateway correctly.  As pointed out earlier the script may have failed to associate the UM Dial Plan to the gateway, thus causing this error on the Skype for Business server.  Return to that step to re-run the Exchange script and validate that the dial plan is displayed correctly, which should clear this error and then allow for calls to reach the UM attendant services.

Unexpected Response

If the call successfully connects to the attendant but an unexpected response is heard then this could point to a different issue.  If the interactive voice response was “Please call back later. Goodbye.” then this typically occurs when the UM configuration is brand new and the server has not yet had a chance to generate the grammar speech files.  As documented in this blog article the pending generation process can be expedited by restarting the Exchange Mailbox Assistants service.

  • Using PowerShell enter the following cmdlet to quickly stop and restart the Mailbox Assistant service.
  • View the Application Event Log on the Exchange server to verify that the following entry has been logged after the service has been running for a few minutes.

At this point a call to the Auto Attendant should result in the proper welcome message.

This concludes the setup of Exchange Unified Messaging with Skype for Business Server 2015.  If following along with this entire series of Exchange Server integration articles for Skype for Business 2015 then at this point the Partner Application has been established and leveraged to enable High Resolution Photos and now Unified Messaging.

Future articles will address Instant Messaging integration with Outlook Web Access as well as other features like IM archiving and enabling the Unified Contact Store.

Filed under Exchange, Skype for Business, Voice · Tagged with 2015, Deployment

About Jeff SchertzSite Administrator

Leave a Reply

Your email address will not be published. Required fields are marked *