Exchange 2010 Free/Busy Interop

Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 7.0
  ZCS 6.0

System Requirements

  • Windows Server 2008 with SP2 or Windows Server 2008 R2, with Exchange 2010 SP2. [Tested using a Typical install of Exchange 2010]
  • Zimbra Collaboration Suite 6.x or later.

Note:- In the following procedure, '@exchange10.lab' is the domain of the users on the Exchange 2010 server and '@zimbra.lab' is the domain of the users on the Zimbra server.

What we need from Exchange 2010 Server So We Can Configure Zimbra Server

  • Create a service account on MS Exchange 2010 server, which will be used in configuring the Free/Busy Interop setting on ZCS server.
    • Create a new user account that will be used for the Exchange Server Service Account; this user must be a member of the Local Administrators Group on the local server.
    • Assign the following permissions to the account:
  1. Act as part of the operating system.
  2. Logon as a service.
  3. Restore Files and Directories.
  4. Assign the same password as the current service account.
Note:- Service account name that we will use during this procedure is 'Interop2010'.
  • Ensure that the service account 'Interop2010' can update the Exchange Free-Busy folder. You can do this with the following EMS command:-
[PS] C:\> add-publicfolderclientpermission -identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)" -user interop2010 -accessrights owner
  • Make sure your server has a commercial certificate; if a self-signed certificate is installed on your server, you need to export the CA ROOT certificate from the Exchange server.
    • In the case of a commercial certificate, there is no need to export anything, as the ROOT certificate of the commercial certificate will be deployed on the Zimbra server.
    • In the case of a self-signed certificate, you need to export the CA ROOT certificate and import it on the Zimbra server so that the Zimbra server can identify the certificate. To do that, follow these steps:-
  1. On Exchange server, Go to Start->Run->mmc
  2. On the popup windows go to File->Add/Remove Snap-in...
  3. Select Certificates from Available Snap-in and click on Add.
  4. On the popup window select 'Computer account' and click Next->Next->OK
  5. Certificates (Local Computer) will be added in MMC. Now expand Certificates->Personal->Certificates and you will see a root CA certificate on the right side.
  6. Select the certificate, right-click->Export and proceed with exporting the certificate. Make sure you export the certificate in 'DER encoded binary X.509 (.CER)' format.
Note:- You will have to copy this exported .CER file to the Zimbra server; you can use WinSCP or any other medium to copy the file.
  • The 'legacyExchangeDN' attribute value, which is needed to configure Free/Busy interop on the Zimbra server. Use the ADSIEDIT tool on the AD/Exchange server to find it, as follows:
  1. On the AD/Exchange Server, click START > Run > Type adsiedit.msc
  2. Select your Domain’s Node and expand the tree until you reach the node “CN=Users”. Now expand this node to find the container “CN=<Your Service Account Name>” (e.g. “CN=interop2010”).
  3. Right click this container and select “Properties” to open the properties screen.
  4. Scroll down in the popup window to locate the legacyExchangeDN attribute. Click on “Edit”.
  5. From the “String Attribute Editor” window obtain (copy) the part of the string appearing before “/cn=Recipients/cn=interop2010”. The copied string should look something like “/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)”.
  6. Close all the windows. Take care not to modify any attribute values appearing in the ADSIEDIT interface.
Note:- Keep the string safe; we will use it further down to configure the Zimbra System.

Steps To Do On Zimbra Server To Configure Free/Busy Interop So Zimbra Users Can View Free/Busy Information Of Exchange 2010 server User

You can configure Free/Busy interop on the Zimbra server using the Admin Console or the command line; both are covered below.

Setup Using Admin Console

  • Log in to the Admin Console as a Global Administrator and go to the Global Settings->Free/Busy Interop tab.
    • Here you will have to fill in each field:-
  1. Microsoft Exchange Server URL: This is the web URL of the Exchange Web Services (e.g. https://exchange-server/ews/exchange.asmx)
  2. Microsoft Exchange Authorization Scheme: Select Basic from the dropdown menu; currently we only support 'Basic' authentication with Exchange 2010.
  3. Microsoft Exchange Server Type: Select EWS from the dropdown menu. As we are configuring Free/Busy interop for Exchange 2010 we need 'EWS'; 'WebDAV' is not supported on Exchange 2010.
  4. Microsoft Exchange User Name and Password: These are the credentials of the service account that we created on the Exchange server, i.e. interop2010@exchange10.lab.
  5. O and OU used in legacyExchangeDN attribute: The value copied from the legacyExchangeDN attribute, which must look like /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT).
  6. Save the settings, then click on Check Settings to confirm that they work; you must see Check OK.
  • Now, if your Exchange server is running with a self-signed certificate, you will get an SSL_HANDSHAKE_FAILED error when you click on Check Settings. To fix this you will have to deploy the CA ROOT certificate on the Zimbra server.
    • We have already exported the CA ROOT certificate while preparing the Exchange server (see the 'What we need from Exchange 2010 Server So We Can Configure Zimbra Server' section above) and copied it to the Zimbra server, say into the '/root' folder.
    • Deploy it using the following commands. You will also need to restart the Zimbra MailboxD service so that the CA is recognized, and then check the settings using the 'Check Settings' button:-
# cd /root
# /opt/zimbra/bin/zmcertmgr addcacert exchange.cer
# su - zimbra
$ zmmailboxdctl restart
where exchange.cer is the certificate that we exported from the Exchange server.
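
Because addcacert makes the copied file a trusted CA for mailboxd, it is worth confirming on the Zimbra server that the file really is the Exchange root certificate before importing it. The following is an added example, not part of the original article or of Zimbra's tooling: it assumes openssl is installed, the function names are hypothetical, and the expected SHA-256 value is one you read on the Exchange side (for a DER file, `certutil -hashfile exchange.cer SHA256` on Windows yields the same digest).

```shell
#!/bin/sh
# Added example: sanity-check an exported Exchange CA file before trusting it.

# norm_hex VALUE: strip colons/spaces and lowercase, so fingerprints compare equal.
norm_hex() { printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'; }

# cert_sha256 FILE: SHA-256 fingerprint of a DER certificate, as openssl prints it.
cert_sha256() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# check_exchange_ca FILE [EXPECTED_SHA256]
# Returns 0 if acceptable, 2 if the file does not parse as a certificate,
# 3 if it is not a CA certificate, 4 if it has expired,
# 5 if the fingerprint differs from EXPECTED_SHA256.
check_exchange_ca() {
    cer=$1
    expected=${2:-}
    text=$(openssl x509 -inform DER -in "$cer" -noout -text 2>/dev/null) || return 2
    # A root that will sign the Exchange certificate must carry CA:TRUE.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 3
    # -checkend 0 fails when the certificate is already past its notAfter date.
    openssl x509 -inform DER -in "$cer" -noout -checkend 0 >/dev/null 2>&1 || return 4
    # Show what is about to be trusted.
    openssl x509 -inform DER -in "$cer" -noout -subject -issuer -enddate
    fp=$(norm_hex "$(cert_sha256 "$cer")")
    echo "sha256=$fp"
    [ -z "$expected" ] || [ "$fp" = "$(norm_hex "$expected")" ] || return 5
    return 0
}

# Stand-alone use: sh check_ca.sh /root/exchange.cer [expected-sha256]
if [ $# -gt 0 ]; then
    check_exchange_ca "$@"
fi
```

Run it against /root/exchange.cer and only continue with zmcertmgr addcacert when it returns 0 with the fingerprint you expect.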

Setup Using Command Line

$ zmprov mcf zimbraFreebusyExchangeURL 'https://exchange-server/EWS/exchange.asmx' zimbraFreebusyExchangeAuthUsername 'interop2010@exchange10.lab' zimbraFreebusyExchangeAuthPassword '<password>' zimbraFreebusyExchangeAuthScheme 'basic' zimbraFreebusyExchangeServerType 'ews' zimbraFreebusyExchangeUserOrg '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)'

Note:- There is no way to test the settings from the command line as we can in the GUI, so once you issue the command, go to Admin Console->Global Settings->Free/Busy Interop and click on Check Settings to test them.

At this point, log in to the Zimbra Web Client, create an event and add an Exchange user to the attendee list; you must be able to see the free/busy information of that Exchange user.

Steps To Do On Exchange 2010 Server So Exchange Users Can View Free/Busy Information Of Zimbra Server User

  • Make Exchange 2010 server aware of the presence of “Public Folders” in the Zimbra domain. You may do this by using the following EMS Command:-
[PS] C:\> Add-AvailabilityAddressSpace -forestname zimbra.lab -accessmethod publicfolder
  • Create a "Zimbra" OU in Active Directory. Make sure all your Zimbra users are created as “Exchange 2010 Mail Contact Objects” in this OU. As a BEST PRACTICE, to reduce the risk of a namespace collision, a suffix can be added to denote a Zimbra account (i.e. “_zimbra”). You can create such a contact with the following EMS command:
[PS] C:\> New-MailContact -ExternalEmailAddress 'SMTP:user@zimbra.lab' -Name 'user_zimbra' -Alias 'user_zimbra' -OrganizationalUnit 'exchange10.lab/Zimbra' -FirstName 'user_zimbra' -Initials '' -LastName ''
  • For each of the mail-contact objects that you create here, set one of the available/not-set “Exchange Extension Attributes (extensionAttribute1 to extensionAttribute15)” to an optional tag (say “_zimbra”).
  1. On the AD/Exchange Server, click START > Run > Type adsiedit.msc
  2. Select your Domain’s Node and expand the tree until you reach the node “CN=Zimbra”. Now expand this node to find the container “CN=user_zimbra”.
  3. Right click this container and select “Properties” to open the properties screen.
  4. Scroll down in the popup window to locate the extensionAttribute1 attribute. Click on “Edit”.
  5. In the Value field you will see <not set>; delete that, enter '_zimbra' and click 'OK' to set this value.
  6. While this property window is open, also locate the 'legacyExchangeDN' attribute and make sure the value is something like '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user_zimbra'.

Note:- Sometimes you may see an extra value after 'cn=user_zimbra' in the legacyExchangeDN attribute, something like '/cn=user_zimbra 13b' or something different. Edit it and make sure that the value is only '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user_zimbra'.

Save and Close all the windows and close ADSIEdit.msc.

The Exchange configuration part is over at this point. Now we need to make sure the Zimbra server is ready to POST Free/Busy information to the Exchange 2010 server's Public Folder so that Exchange can pick it up and display it when a user does a Free/Busy lookup.

What we need from Zimbra Server So Exchange 2010 Server Users Can View Free/Busy Information Of Zimbra Server Users

  • On the Zimbra server only one setting is needed: add the attribute 'zimbraForeignPrincipal' for each user. The value of this attribute must be the user name of a contact that exists on the Exchange server. In the 'Steps To Do On Exchange 2010 Server So Exchange Users Can View Free/Busy Information Of Zimbra Server User' section above we created a mail contact for each Zimbra user, named 'user_zimbra'; use this value to configure the 'zimbraForeignPrincipal' attribute on the Zimbra server with the following command:-
$ zmprov ma user@zimbra.lab zimbraForeignPrincipal ad:user_zimbra

Once you set this attribute for a user, ask the user to create an appointment in the mailbox from the Zimbra Web Client and look at /opt/zimbra/log/mailbox.log. You'll see a request made to a URL that looks like this:-

http://<exchange URL>/public/NON_IPM_SUBTREE/SCHEDULE%2B%20FREE%20BUSY/EX:_xF8FF_o=First%20Organization_xF8FF_ou=First%20Administrative%20Group/USER-_xF8FF_cn=RECIPIENTS_xF8FF_cn=user_zimbra.EML

This line means that the Free/Busy information for the user has been posted to the Public Folder on the Exchange 2010 server and can be viewed on the Exchange server when you invite the 'user_zimbra' contact in the attendee list.

'user_zimbra' is a contact on the Exchange server whose mail address is 'user@zimbra.lab'.
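
The legacyExchangeDN checks described earlier (the O/OU prefix copied for the service account and the warning about stray suffixes such as 'cn=user_zimbra 13b') and the mailbox.log check above can be scripted. This is an added example, not part of the original article: the function names are hypothetical, the DN values are pasted in by hand from ADSIEDIT, and the sample log lines are constructed, with only the URL shape taken from the article.

```shell
#!/bin/sh
# Added example. ORG is the O/OU value used throughout the article.
ORG='/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)'

# org_prefix DN: print the O/OU part, i.e. the text before /cn=Recipients/cn=<name>.
org_prefix() {
    printf '%s\n' "$1" | sed -n 's#^\(/o=.*\)/cn=Recipients/cn=[^/]*$#\1#p'
}

# check_mapping ORG FOREIGN_PRINCIPAL CONTACT_DN
# Returns 0 if consistent, 1 if zimbraForeignPrincipal is not "ad:<name>",
# 2 if the contact DN has extra characters after cn=<name>,
# 3 if the DN differs in some other way.
check_mapping() {
    case $2 in
        ad:?*) name=${2#ad:} ;;
        *) return 1 ;;
    esac
    want="$1/cn=Recipients/cn=$name"
    [ "$3" = "$want" ] && return 0
    case $3 in
        "$want"?*) return 2 ;;
        *) return 3 ;;
    esac
}

# fb_push_count NAME LOGFILE: number of log lines showing a free/busy push for NAME.
fb_push_count() {
    grep -c "SCHEDULE%2B%20FREE%20BUSY/.*_xF8FF_cn=$1\.EML" "$2" || :
}

# Constructed log lines; the surrounding text is not real mailbox.log output.
sample_log() {
    cat <<'EOF'
(constructed) request to http://exchange-server/public/NON_IPM_SUBTREE/SCHEDULE%2B%20FREE%20BUSY/EX:_xF8FF_o=First%20Organization_xF8FF_ou=First%20Administrative%20Group/USER-_xF8FF_cn=RECIPIENTS_xF8FF_cn=user_zimbra.EML
(constructed) unrelated line that only mentions user_zimbra
EOF
}

# Demo: the suffixed DN the article warns about is reported with a non-zero code.
check_mapping "$ORG" 'ad:user_zimbra' "$ORG/cn=Recipients/cn=user_zimbra 13b" ||
    echo "contact DN needs fixing in ADSIEDIT (code $?)"
```

On a real server, pass /opt/zimbra/log/mailbox.log as the second argument of fb_push_count after the user has created an appointment.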

Configure GAL On Zimbra and Exchange Server So Users On Both Server Can Easily Locate And Add The Attendees While Creating Appointment

  • For the Exchange server there is nothing to configure, as we have already created a Mail Contact for each Zimbra user in AD, and that contact will be visible when you check the GAL while adding attendees to an appointment.
  • For the Zimbra server we will have to configure an External GAL so that users can locate Exchange users and add them as attendees in an appointment.
    • The Zimbra server provides the GAL in two ways: directly from the company directory, i.e. from LDAP, or using a GAL sync account, which generates the GAL from the company directory and which Zimbra then refers to when showing the GAL. It is recommended to use a GalSync account on your server so that the contents of the GAL are known; another advantage is that it can fetch GAL information from more than one external domain. Enabling a GAL sync account also permits browsing and paging of the global address list when selecting contacts during message composition with the Zimbra web client. The galsync account is a resource account and does not consume a Zimbra license.

Setting Up A Gal Sync Account And Configuring Internal and External Exchange Server GAL Sync

Create GalSync Account and Internal DataSource

For the internal setup, the internal datasource is automatically created when using the following steps.

Setup Using Admin Console
  1. In the server admin console, select a domain for GAL sync under "Domains".
  2. Click "Configure GAL".
  3. Set "GAL mode:" "Internal".
  4. Enter a value for "Most results returned by GAL Search".
  5. Enter a new account name for "GAL sync account name".
  6. Set "Datasource name for Internal GAL" to InternalGAL.
  7. Enter an InternalGAL polling interval. The GAL polling interval is the time between syncs to the internal LDAP. (Set it to 1 day)
  8. Next, then Finish.
  9. To force a sync, go to the CLI and use zmgsautil:
zmgsautil forceSync -a galsync@zimbra.lab -n InternalGAL

Setup Using Command Line

You can set up a GalSync account using the command line as well. Here are the commands to create a galsync account with a datasource called 'InternalGAL' and to forceSync it so that the GAL is generated:-

zmgsautil createAccount -a galsync@zimbra.lab -n InternalGAL --domain zimbra.lab -t zimbra -f _InternalGAL -p 1d
zmgsautil forceSync -a galsync@zimbra.lab -n InternalGAL

Create External DataSource And Syncing External Exchange Server

Now we have a GalSync account on the Zimbra server, but it is only configured for the Internal GAL. We need to configure it to sync the External GAL from the Exchange server so that we can locate Exchange users while creating calendar events. Here is what we have to do:-

Setup Using Admin Console
  1. In the server admin console, select a domain for GAL sync under "Domains".
  2. Click "Configure GAL".
  3. Set "GAL mode:" "Both".
  4. Enter a value for "Most results returned by GAL Search".
  5. Leave the value unchanged for "GAL sync account name". (As we have already created a GalSync account for this domain, you will see the name of the galsync account, 'galsync@zimbra.lab')
  6. Leave the value unchanged for "Datasource name for Internal GAL". (As created above, you will see the value set to 'InternalGAL')
  7. Enter an "InternalGAL polling interval". The GAL polling interval is the time between syncs to the internal LDAP. (We earlier set this to 1 day)
  8. Set "Datasource for External GAL" name to ADGAL.
  9. Enter an "External GAL polling interval". The GAL polling interval is the time between syncs to the external LDAP server. (Set it to 1 day)
  10. In "Server Type" select "LDAP" from the drop-down menu. You will see an "Active Directory" option, but it is better to ignore it and go with "LDAP": this allows us to set a search filter of our choice, which is not available with the "Active Directory" option.
  11. In "LDAP URL" enter the URL of the AD server to which the Exchange server is connected. It will be "ldap://exchange-server" and the port will be "3268", as the AD Global Catalog server, to which we must connect, runs on port 3268.
  12. In "LDAP Filter" enter the search filter from which the GAL should be generated. We need all users from the AD server, so enter "(&(objectClass=user)(mail=*))".
  13. In "Autocomplete filter" you can leave the value unchanged; if it is empty, you can enter "(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))".
  14. In "LDAP Search Base" enter the search base of your AD server; in this case it will be "dc=exchange10,dc=lab" (it is the domain name used in your Exchange users' mail addresses; you can confirm this on your AD server and use it accordingly).
  15. Next
  16. On the next screen, select "Use DN/Password to Bind to External Server".
  17. In "Bind DN" enter the bind DN user name, which can be your administrator's credentials or a service account's credentials, so enter "interop2010@exchange10.lab".
  18. In "Bind Password" enter the password for the username specified above, so enter '<password>' (password of user interop2010@exchange10.lab)
  19. In "Confirm Bind Password" enter the same password again.
  20. Next
  21. Leave the settings intact and proceed to next screen, Click Next
  22. In "Please provide a search term" enter any user's username from your Exchange server and click "Test"; this will check the settings and you will see the "Search Test Successful" screen with the search result.
  23. Next
  24. Click "Test", you will again see the same "Sync Test Successful" message.
  25. Next, then Finish
  26. To force a sync, go to the CLI and use zmgsautil:
zmgsautil forceSync -a galsync@zimbra.lab -n ADGAL

Setup Using Command Line

The same process of setting up the External AD GAL datasource can be done using the command line. Here are the commands to add the datasource and to forceSync it so that the GAL is generated:-

zmgsautil createAccount -a galsync@zimbra.lab -n ADGAL --domain zimbra.lab -t ldap -f _ADGAL -p 1d
zmprov mds galsync@zimbra.lab ADGAL zimbraGalSyncLdapBindDn interop2010@exchange10.lab zimbraGalSyncLdapBindPassword '<password>' zimbraGalSyncLdapFilter "(&(objectClass=user)(mail=*))" zimbraGalSyncLdapSearchBase dc=exchange10,dc=lab zimbraGalSyncLdapURL ldap://exchange-server:3268
zmgsautil forceSync -a galsync@zimbra.lab -n ADGAL


Once you finish all the above steps, users on the Exchange 2010 server will be able to see the Free/Busy information of users residing on the Zimbra server and vice versa.


Verified Against: ZCS 7.0, ZCS 6.0 Date Created: 05/07/2012
Article ID: http://wiki.zimbra.com/index.php?title=Exchange_2010_Free/Busy_Interop Date Modified: 05/8/2012