Exchange 2013 Free/Busy Interop

Revision as of 18:12, 11 July 2015 by Jorge de la Cruz (talk | contribs)

   KB 21329        Last updated on 2015-07-11  

System Requirements

  • Windows Server 2008 R2 SP1 / Windows Server 2012 R2 with Exchange 2013 SP1. [Tested using a Typical install of Exchange 2013]
  • Zimbra Collaboration Suite 6.x, 7.x, 8.0.x, 8.x or later.

Note:- In the following procedure we assume:

  • @zimbralab.local is the domain of the users on the Exchange 2013 server.
  • @zimbra.local is the domain of the users on the Zimbra server.

Configure the Exchange 2013 Server

Create a service account on MS Exchange 2013 Server

This account will be used when configuring the Free/Busy Interop settings on the ZCS server.



    • Create a new user account to be used as the Exchange Server service account; this user must be a member of the Local Administrators group on the local server.
    • Assign the following permissions to the account:
  1. Act as part of the operating system.
  2. Log on as a service.
  3. Restore files and directories.
  4. Assign the same password as the current service account.


Note:- The service account name used in this procedure is 'zimbra'.

Create the Public Folder for Free/Busy in Exchange 2013

This step is new in Exchange 2013: we first need to create a Public Folder Database, and after that create all the Public Folders.

Creating the Public Folder Database

We will use the Exchange Management Shell, referred to below as EMS.

First, run this command to confirm the name of the Exchange Server and of the Mailbox Database:

   [PS] C:\Windows\system32>Get-MailboxDatabase
   Name                           Server          Recovery        ReplicationType
   ----                           ------          --------        ---------------
   Mailbox Database 2028622478    DC              False           None

In this lab:

  • The Exchange Server name is DC
  • The Exchange Mailbox Database name is 'Mailbox Database 2028622478'

Now run the following command in EMS to create the Public Folder Database; in this lab its name is FREEBUSY:

   [PS] C:\Windows\system32>New-Mailbox -PublicFolder -Database "Mailbox Database 2028622478" -Name "FREEBUSY"

The next step is to create the Public Folders in the Exchange Admin Center, referred to below as EAC. Once logged in and in the proper location, press the + icon under the Public Folders section and create a folder called NON_IPM_SUBTREE.

Once it is created, click on this new Public Folder and press the + icon again to create a new Public Folder under it, called SCHEDULE+ FREE BUSY.

Return to the EMS console and create the last Public Folder with the following command:

   [PS] C:\Windows\system32>New-Publicfolder -name "EX:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)" -path "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY"

This is the result of the command:

   Name                                                        Parent Path
   ----                                                        -----------
   EX:/o=First Organization/ou=Exchange Administrative Grou... \NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY

  • Ensure that the service account 'zimbra' can update the Exchange Free/Busy folder. You can do this with the following EMS command:-

   [PS] C:\Windows\system32>add-publicfolderclientpermission -identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)" -user zimbra -accessrights owner

This is the result of the command:

   FolderName           User                 AccessRights
   ----------           ----                 ------------
   EX:/o=First Organ... zimbra zimbra. zi... {Owner}

Allow Basic Authentication in Exchange 2013

The Zimbra server will use Basic authentication, so we need to allow it on the Exchange 2013 server. First go to EAC > Servers > Virtual Directories > EWS.


Then tick the Basic Authentication checkbox and press Save.


Working with Exchange 2013 SSL Certificates

  • Make sure your server has a commercial certificate; if a self-signed certificate is installed on your server, you need to export the CA ROOT certificate from the Exchange server.
    • In the case of a commercial certificate there is no need to export anything, as the ROOT certificate of the commercial certificate will be deployed on the Zimbra server.
    • In the case of a self-signed certificate you need to export the CA ROOT certificate and import it on the Zimbra server so that the Zimbra server can identify the certificate. To do that, follow these steps:-
  1. On the Exchange server, go to Start->Run->mmc
  2. In the popup window go to File->Add/Remove Snap-in...
  3. Select Certificates from Available Snap-ins and click Add.
  4. In the popup window select 'Computer account' and click Next->Next->OK
  5. Certificates (Local Computer) will be added to the MMC. Now expand Certificates->Personal->Certificates and you will see a root CA certificate on the right side.
  6. Select the certificate, right-click->Export and proceed with exporting the certificate; make sure you export it in 'DER encoded binary X.509 (.CER)' format.

Note:- You will have to copy the exported .CER file to the Zimbra server; you can use WinSCP or any other medium to copy the file.

  • The 'legacyExchangeDN' attribute value is needed to configure Free/Busy interop on the Zimbra server. Use the ADSIEDIT tool on the AD/Exchange server to find it, as follows:
  1. On the AD/Exchange Server, click START > Run > Type adsiedit.msc
  2. Select your Domain’s Node and expand the tree until you reach the node “CN=Users”. Now expand this node to find the container “CN=<Your Service Account Name>” (e.g. “CN=zimbra”).
  3. Right click this container and select “Properties” to open the properties screen.
  4. Scroll down on the Popup window to locate the legacyExchangeDN attribute. Click on “Edit”
  5. From the “String Attribute Editor” window obtain (copy) the part of the string appearing before “/cn=Recipients/cn=zimbra”. The copied string should look something like “/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)”.
  6. Close all the windows; take care not to modify any attribute values shown in the ADSIEDIT interface.

Note:- Keep the string safe; we will use it further down to configure the Zimbra system.

Configure Free/Busy Interop in Zimbra Server

You can configure Free/Busy interop on the Zimbra server using the Admin Console or the command line; both are covered below.

Setup Using Admin Console

  • Log in to the Admin Console as a Global Administrator and go to the Global Settings->Free/Busy Interop tab.
    • Here you will have to fill in each field:-
  1. Microsoft Exchange Server URL: This is the web URL of the Exchange Web Services (e.g. https://exchange-server/ews/exchange.asmx?wsdl)
  2. Microsoft Exchange Authorization Scheme: Select Basic from the dropdown menu; currently we only support 'Basic' authentication with Exchange 2013.
  3. Microsoft Exchange Server Type: Select EWS from the dropdown menu; as we are configuring Free/Busy Interop for Exchange 2013 we need 'EWS', since 'WebDAV' is not supported on Exchange 2013.
  4. Microsoft Exchange User Name and Password: These are the credentials of the service account that we created on the Exchange server, i.e. zimbra.
  5. O and OU used in legacyExchangeDN attribute: This is the value copied from the legacyExchangeDN attribute, which must look like /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT).
  6. Save the settings, then click Check Settings to confirm whether the settings are working; you must see Check OK.



Note:- You can check /opt/zimbra/log/mailbox.log to trace possible errors.

  • If your Exchange server uses a self-signed certificate, you will get an SSL_HANDSHAKE_FAILED error when you click Check Settings; to resolve it you have to deploy the CA ROOT certificate on the Zimbra server.
    • We already exported the CA ROOT certificate in the 'Working with Exchange 2013 SSL Certificates' section and copied it to the Zimbra server, say to the '/root' folder.
    • Deploy it using the following commands; you also need to restart the Zimbra mailboxd service so that the CA is recognized, and then check the settings using the 'Check Settings' button:-

   # cd /root
   # /opt/zimbra/bin/zmcertmgr addcacert exchange.cer
   # su - zimbra
   $ zmmailboxdctl restart

where exchange.cer is the certificate that we exported from the Exchange server.
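
The service account's Basic authentication credentials travel over the TLS session that this CA certificate vouches for, so it is worth confirming that the file copied to the Zimbra server is the certificate that was exported before adding it to the trust store. The following is an added example, not part of the original article: the function names are hypothetical, and the expected SHA-256 fingerprint is assumed to have been read on the Exchange server itself (for instance with `certutil -hashfile exchange.cer SHA256`, since the SHA-256 of the DER file is the certificate's fingerprint).

```sh
#!/bin/sh
# Added example, not part of the original article: check an exported Exchange
# root certificate before it is trusted with "zmcertmgr addcacert".
# Function names are hypothetical; requires the openssl command-line tool.

# Print the SHA-256 fingerprint of a DER-encoded certificate as lower-case
# hex without separators. Returns non-zero if the file is not DER X.509.
cert_sha256() (
    out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) || exit 1
    printf '%s\n' "${out#*=}" | tr -d ':' | tr 'A-F' 'a-f'
)

# Normalise a fingerprint typed or pasted by an operator: drop colons,
# spaces and line ends, fold to lower case.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# verify_exported_ca FILE EXPECTED_SHA256
# Succeeds only if FILE parses as a DER certificate, has not expired, and its
# fingerprint equals EXPECTED_SHA256, which should be obtained on the
# Exchange server itself and not computed from the copied file.
verify_exported_ca() (
    file=$1
    expected=$(normalise_fp "$2")
    actual=$(cert_sha256 "$file") \
        || { echo "not a DER X.509 certificate: $file" >&2; exit 2; }
    openssl x509 -inform DER -in "$file" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired: $file" >&2; exit 3; }
    [ "$actual" = "$expected" ] \
        || { echo "fingerprint mismatch, got $actual" >&2; exit 4; }
    # Show what is about to be trusted.
    openssl x509 -inform DER -in "$file" -noout -subject -issuer -enddate
)

# Usage on the Zimbra server (the fingerprint is a placeholder):
#   verify_exported_ca /root/exchange.cer '<sha256 read on the Exchange server>' \
#       && /opt/zimbra/bin/zmcertmgr addcacert /root/exchange.cer
```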

Setup Using Command Line

$ zmprov mcf zimbraFreebusyExchangeURL 'https://exchange-server/EWS/exchange.asmx' zimbraFreebusyExchangeAuthUsername 'zimbra' zimbraFreebusyExchangeAuthPassword '<password>' zimbraFreebusyExchangeAuthScheme 'basic' zimbraFreebusyExchangeServerType 'ews' zimbraFreebusyExchangeUserOrg '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)'

Note:- The settings cannot be tested from the command line as they can in the GUI, so once you issue the command you will have to go to Admin Console->Global Settings->Free/Busy Interop and click Check Settings to test them.

At this point, log in to the Zimbra Web Client, create an event and add an Exchange user to the attendee list; you should be able to see the free/busy information of that Exchange user.

Testing Free/Busy, Zimbra asking Exchange

Create an appointment in one of the Exchange Accounts


Then go to Zimbra and try to invite the Exchange user.


Steps to do on Exchange 2013 Server so Exchange users can view Free/Busy Information of Zimbra Server user

  • Make the Exchange 2013 server aware of the presence of “Public Folders” in the Zimbra domain. You can do this with the following EMS command:-

   [PS] C:\> Add-AvailabilityAddressSpace -forestname zimbra.local -accessmethod publicfolder

  • Create a "Zimbra" OU in Active Directory. Make sure all your Zimbra users are created as “Exchange 2013 Mail Contact Objects” in this OU. As a BEST PRACTICE, to reduce the risk of a namespace collision, a suffix can be added to denote a Zimbra account (i.e. “_zimbra”). You can create such a contact with the following EMS command:

   [PS] C:\> New-MailContact -ExternalEmailAddress 'SMTP:user@zimbra.local' -Name 'user_zimbra' -Alias 'user_zimbra' -OrganizationalUnit 'zimbralab.local/Zimbra' -FirstName 'user_zimbra' -Initials '' -LastName ''

  • For each of the mail-contact objects that you create here, set one of the available/not-set “Exchange Extension Attributes (extensionAttribute1 to extensionAttribute15)” to an optional tag (say “_zimbra”).
  1. On the AD/Exchange Server, click START > Run > Type adsiedit.msc
  2. Select your Domain’s Node and expand the tree until you reach the node “CN=Zimbra”. Now expand this node to find the container “CN=user_zimbra”.
  3. Right click this container and select “Properties” to open the properties screen.
  4. Scroll down on the Popup window to locate the extensionAttribute1 attribute. Click on “Edit”
  5. Under Value field you will see <not set>, delete that and enter '_zimbra' and click 'OK' to set this value.
  6. While this properties window is open, also locate the 'legacyExchangeDN' attribute and make sure the value is something like '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user_zimbra'.

Note:- Sometimes you may see an extra value after 'cn=user_zimbra' in the legacyExchangeDN attribute, something like '/cn=user_zimbra 13b' or something different; edit it and make sure the value is only '/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user_zimbra'

Save and close all the windows and close ADSIEdit.msc.
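
The two legacyExchangeDN checks described above (copying the O/OU prefix from the service account's value, and making sure each mail contact's value ends exactly at cn=<alias>) can be scripted; this is an added example, not part of the original article, and it goes slightly beyond the text by auditing a list of contacts in one pass. The function names, the tab-separated input format and the sample contacts alice_zimbra and bob_zimbra are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original article. Function names and the
# tab-separated input format are hypothetical.

# Print the O/OU prefix of a legacyExchangeDN, i.e. everything before
# "/cn=Recipients/". Returns non-zero if the marker or the /o=.../ou=...
# shape is missing.
fb_org_prefix() {
    printf '%s\n' "$1" \
        | sed -n 's|/[cC][nN]=[rR][eE][cC][iI][pP][iI][eE][nN][tT][sS]/.*$||p' \
        | grep '^/[oO]=..*/[oO][uU]=.'
}

# fb_check_contact_dn PREFIX ALIAS ACTUAL_DN
# The article requires the contact's value to be exactly
# PREFIX/cn=Recipients/cn=ALIAS. Prints "ok", or the reason plus the value
# to enter in ADSI Edit, and returns non-zero.
fb_check_contact_dn() (
    want="$1/cn=Recipients/cn=$2"
    case $3 in
        "$want")   echo ok; exit 0 ;;
        "$want"?*) echo "extra text after cn=$2; set to: $want" ;;
        *)         echo "unexpected value; set to: $want" ;;
    esac
    exit 1
)

# Audit "alias<TAB>legacyExchangeDN" lines read from stdin. Prints one line
# per non-conforming contact; the exit status is the number of problems.
fb_audit_contacts() (
    prefix=$1 bad=0 tab=$(printf '\t')
    while IFS=$tab read -r name dn; do
        [ -n "$name" ] || continue
        msg=$(fb_check_contact_dn "$prefix" "$name" "$dn") \
            || { echo "$name: $msg"; bad=$((bad + 1)); }
    done
    exit "$bad"
)

# Constructed sample data: one good contact, one with the " 13b" style
# suffix described in the note, one created under a different organisation.
fb_sample_contacts() {
    p='/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)'
    printf '%s\t%s\n' \
        user_zimbra  "$p/cn=Recipients/cn=user_zimbra" \
        alice_zimbra "$p/cn=Recipients/cn=alice_zimbra 13b" \
        bob_zimbra   "/o=Other Org/ou=Site/cn=Recipients/cn=bob_zimbra"
}

# Derive the prefix from the service account's value, then audit the sample.
svc_dn='/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=zimbra'
prefix=$(fb_org_prefix "$svc_dn") && echo "zimbraFreebusyExchangeUserOrg: $prefix"
fb_sample_contacts | fb_audit_contacts "$prefix" || echo "contacts to fix: $?"
```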

The Exchange configuration part is over at this point. Now we need to make sure the Zimbra server is ready to POST Free/Busy information to the Exchange 2013 server's Public Folder so that Exchange can pick it up and display it when a user does a Free/Busy lookup.

What we need from Zimbra Server So Exchange 2013 Server users can view Free/Busy Information of Zimbra server users

  • On the Zimbra server only one setting is needed: add the attribute 'zimbraForeignPrincipal' for each user. Its value must be the user name of a contact that exists on the Exchange server. In the 'Steps to do on Exchange 2013 Server so Exchange users can view Free/Busy Information of Zimbra Server user' section above we created a mail contact for each Zimbra user, which is 'user_zimbra'; use this value to configure the 'zimbraForeignPrincipal' attribute on the Zimbra server with the following command:-
$ zmprov ma user@zimbra.lab zimbraForeignPrincipal ad:user_zimbra

Once you set this attribute for a user, ask the user to create an appointment in their mailbox from the Zimbra Web Client and look at /opt/zimbra/log/mailbox.log. You'll see a request made to a URL that looks like this:-

http://<exchange URL>/public/NON_IPM_SUBTREE/SCHEDULE%2B%20FREE%20BUSY/EX:_xF8FF_o=First%20Organization_xF8FF_ou=First%20Administrative%20Group/USER-_xF8FF_cn=RECIPIENTS_xF8FF_cn=user_zimbra.EML

This line means that the Free/Busy information for the user has been posted to the Public Folder on the Exchange 2013 server and can be viewed on the Exchange server when you add the 'user_zimbra' contact to the attendee list.

'user_zimbra' is a contact on the Exchange server whose mail address is 'user@zimbra.lab'.

Configure GAL On Zimbra and Exchange Server So Users On Both Server Can Easily Locate And Add The Attendees While Creating Appointment

  • For the Exchange server there is nothing to configure, as we have already created a Mail Contact for each Zimbra user in AD, and these will be visible in the GAL when adding attendees to an appointment.
  • For the Zimbra server we have to configure an External GAL so that users can locate Exchange users and add them as attendees to an appointment.
    • The Zimbra server shows the GAL in two ways: directly from the company directory, i.e. from LDAP, or using a GAL Sync Account, which generates the GAL from the company directory and which Zimbra then consults to show the GAL. It is recommended to use the GalSync account so that we know what the contents of the GAL are; another advantage is that with it we can fetch GAL information from more than one external domain. Enabling a GAL sync account permits browsing and paging of the global address list when selecting contacts during message composition with the Zimbra web client. The galsync account is a resource account and does not consume a Zimbra license.

Setting Up A Gal Sync Account And Configuring Internal and External Exchange Server GAL Sync

Create GalSync Account and Internal DataSource

For the internal setup, the internal datasource is automatically created when using the following steps.

Setup Using Admin Console
  1. In the server admin console, select a domain for GAL sync under "Domains".
  2. Click "Configure GAL".
  3. Set "GAL mode:" "Internal".
  4. Enter a value for "Most results returned by GAL Search".
  5. Enter a new account name for "GAL sync account name".
  6. Set "Datasource name for Internal GAL" to InternalGAL.
  7. Enter an InternalGAL polling interval. The GAL polling interval is the time between syncs to the internal LDAP. (Set it to 1 day)
  8. Next, then Finish.
  9. To force a sync, go to the CLI and use zmgsautil:

zmgsautil forceSync -a galsync@zimbra.lab -n InternalGAL

Setup Using Command Line

You can also set up a GalSync account from the command line. Here are the commands to create a galsync account with a datasource called 'InternalGAL' and to forceSync it so that the GAL is generated:-

zmgsautil createAccount -a galsync@zimbra.lab -n InternalGAL --domain zimbra.lab -t zimbra -f _InternalGAL -p 1d
zmgsautil forceSync -a galsync@zimbra.lab -n InternalGAL

Create External DataSource And Syncing External Exchange Server

We now have a GalSync account on the Zimbra server, but it is only configured for the Internal GAL. We need to configure it to sync the External GAL from the Exchange server so that we can locate Exchange users while creating calendar events. Here is what to do:-

Setup Using Admin Console
  1. In the server admin console, select a domain for GAL sync under "Domains".
  2. Click "Configure GAL".
  3. Set "GAL mode:" "Both".
  4. Enter a value for "Most results returned by GAL Search".
  5. Leave the value unchanged for "GAL sync account name". (As we have already created a GalSync account for this domain you will see the name of the galsync account, 'galsync@zimbra.lab'.)
  6. Leave the value unchanged for "Datasource name for Internal GAL". (As created above, you will see the value set to 'InternalGAL'.)
  7. Enter an "InternalGAL polling interval". The GAL polling interval is the time between syncs to the internal LDAP. (We earlier set this to 1 day.)
  8. Set "Datasource for External GAL" name to ADGAL.
  9. Enter an "External GAL polling interval". The GAL polling interval is the time between syncs to the internal LDAP. (Set it to 1 day.)
  10. In "Server Type" select "LDAP" from the drop-down menu. You will see an "Active Directory" option, but it is better to ignore it and go with "LDAP", which allows us to set a search filter of our choice; that is not available with the "Active Directory" option.
  11. In "LDAP URL" enter the URL of the AD server to which the Exchange server is connected; it will be "ldap://exchange-server" and the port will be "3268", as the AD Global Catalogue server, to which we must connect, runs on port 3268.
  12. In "LDAP Filter" enter the search filter from which you want the GAL to be generated; we need all users from the AD server, so enter "(&(objectClass=user)(mail=*))".
  13. In "Autocomplete filter" you can leave the value unchanged; if it is empty, you can enter "(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))".
  14. In "LDAP Search Base" enter the search base of your AD server; in this case it will be "dc=exchange10,dc=lab". (It is the domain name in your Exchange users' mail addresses. You can confirm this on your AD server and use it accordingly.)
  15. Next
  16. On the next screen, select "Use DN/Password to Bind to External Server".
  17. In "Bind DN" enter the bind DN username, which can be your administrator's credentials or a service account's credentials, so enter "interop2010@exchange10.lab"
  18. In "Bind Password" enter the password for the username specified above, so enter '<password>' (the password of user interop2010@exchange10.lab)
  19. In "Confirm Bind Password" enter the same password again.
  20. Next
  21. Leave the settings intact and proceed to next screen, Click Next
  22. In "Please provide a search term" enter the username of any user from your Exchange server and click "Test"; this will check the settings and you will see the "Search Test Successful" screen with the search result.
  23. Next
  24. Click "Test", you will again see the same "Sync Test Successful" message.
  25. Next, then Finish
  26. To force a sync, go to the CLI and use zmgsautil:

zmgsautil forceSync -a galsync@zimbra.lab -n ADGAL

Setup Using Command Line

The same process of setting up the external AD GAL datasource can be done from the command line. Here are the commands to add the datasource and to forceSync it so that the GAL is generated:-

zmgsautil addDataSource -a galsync@zimbra.lab -n ADGAL --domain zimbra.lab -t ldap -f _ADGAL -p 1d
zmprov mds galsync@zimbra.lab ADGAL zimbraGalSyncLdapBindDn interop2010@exchange10.lab zimbraGalSyncLdapBindPassword '<password>' zimbraGalSyncLdapFilter "(&(objectClass=contact)(mail=*))" zimbraGalSyncLdapSearchBase dc=exchange10,dc=lab zimbraGalSyncLdapURL ldap://exchange-server:3268
zmgsautil forceSync -a galsync@zimbra.lab -n ADGAL

Once you finish all the above steps, users on the Exchange 2013 server will be able to see the Free/Busy information of users residing on the Zimbra server and vice versa.

Verified Against: ZCS 8.0, ZCS 8.5 Date Created: 11/27/2014
Article ID: Date Modified: 2015-07-11
