When you integrate Skype for Business Server instant messaging with Exchange Server 2013 or Exchange Server 2016 you might encounter the following error in the OWA InstantMessaging log files.
ERROR:UCWEB Failure: Code=TlsFailure, SubCode=TlsRemoteDisconnected, Reason=\r\n
Microsoft.Rtc.Internal.UCWeb.Utilities.UCWException: Unknown error (0x80131500)
---> Microsoft.Rtc.Signaling.TlsFailureException: Unknown error (0x80131500)
---> Microsoft.Rtc.Internal.Sip.RemoteDisconnectedException: Peer disconnected while outbound capabilities negotiation was in progress
---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host\r\n
at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)\r\n
at Microsoft.Rtc.Internal.Sip.TcpTransport.OnReceived(Object arg)\r\n
--- End of inner exception stack trace ---\r\n
--- End of inner exception stack trace ---\r\n
at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult result)\r\n
at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.OotyUserEndpointEstablish_callback(IAsyncResult asyncResult)\r\n
--- End of inner exception stack trace ---\r\n
at Microsoft.Rtc.Internal.UCWeb.Utilities.AsyncHelper.EndAsyncCall[T](IAsyncResult asyncResult, String methodName, T ucwScopeInstance)\r\n
at Microsoft.Rtc.Internal.UCWeb.UCWAuthenticatedEndpoint.EndSignIn(IAsyncResult asyncResult)\r\n
at Microsoft.Exchange.Clients.Owa2.Server.Core.InstantMessageOCSProvider.<>c__DisplayClass33.<SignInCallback>b__32(RequestDetailsLogger logger)
The log files are located at
\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging
The Exchange Server OWA host name must be the common name (CN) of the SSL certificate used securing OWA communication.
The Skype for Business client merges contact data from different sources when displaying the contact card. The merged data is used to perform name resolution when performing a user search. In a more complex deployment scenario where an email domain name is in shared use in two in Active Directory forests you might run into a situation where the Skype for Business client tries to use the wrong target address.
Such a scenario would look like as follows.
Forest A is used as a dedicated infrastructure for developers. When logged on to the development network the users should be able to skype with colleagues currently connected to the default office client network.
Forest B is the default office client network.
Clients logged on to forest A connect to the Skype for Business infrastructure in forest B as external clients. Forest A is used for user account authentication while forest B is used for Skype for Business connection and authentication.
Forest A runs an Exchange Server 2013 organization.
Forest B runs an Exchange Server 2013 organization and a full Skype for Business 2015 server deployment.
Both Active Directory forests to not have trust of any sort established.
Such a configuration would result in forest A users trying to contact a Skype for Business user using the wrong address. Instead of using John.Doe@Sedna-Ltd.com the Skype for Business client of Jane Doe@Sedna-Ltd.com (logged on to forest A) would try to contact John.Doe@dev.Sedna-Ltd.com. As there is no endpoint defined for dev.Sedna-Ltd.com a connection could not be established. Therefore, no availability information is available and no call or chat connection could be established.
The Skype for Business client uses merged data pulled from the Skype for Business address and from the local (Forest A) Active Directory (GAL). This results in a connection attempt to John.Doe@dev.Sedna-Ltd.com.
Enjoy Skype for Business
My guest post about Modern Attachments with OneDrive for Business was published in the ENow Exchange & Office 365 Solutions Engine Blog (ESE) yesterday.
Enjoy reading here: http://blog.enowsoftware.com/solutions-engine/modern-attachments-with-onedrive-for-business
Microsoft Docs provides detailed documentation on modern Exchange Server mail flow and the transport pipeline. That article helps you to
The detailed diagram showing the Exchange Server 2016 transport pipeline in the TechNet documentation does not show the TCP ports being used by the Exchange Server 2016 components.
The following diagram is an updated version of the original diagram showing the TCP ports being used by
By default Exchange Server implements the following receive connectors
Cross-server SMTP communication occurs on either TCP 2525 or TCP 475.
Enjoy Exchange Server!
Office 365 supports the upload of PST files to Azure storage for a direct import to mailboxes hosted in Exchange Online. The steps are described in detail in the online documentation at Microsoft Docs.
Import CSV using an email address
But you might encounter the following error after starting the import job using the Security & Compliance dashboard.
X-Psws-Exception: Microsoft.Exchange.Configuration.Tasks.ManagementObjectAmbiguousException,The operation couldn't be performed because 'TeamMailbox-Sales@varunagroup.de' matches multiple entries.
X-Psws-Warning: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.
Before you were able to start the import job the job configuration, the CSV file, and the content of the PST file were analyzed successfully. There was no hint of multiple entries for the target mailbox.
The detailed error message can be retrieved using the View log link. A clear text message is stated in the Status detail column, but you need to expand the width of the column.
The hint provided in the status detail column states that there are multiple identities for the primary email. At this point in time, I do not know, how this possible when the target account is synchronized with AAD Connect.
Use the target mailbox GUID instead of the target email address as the target address in the CSV configuration file.
Connect to Exchange Online Remote PowerShell session and query the mailbox GUID for the target mailbox(es).
# Query target mailbox GUID for a single mailbox
Get-Mailbox TeamMailbox-Sales@varunagroup.de] | FL Guid
Create a new import job referencing the same PST file already copied to the Azure storage.
Import CSV example using the mailbox GUID
The import job will now be executed as expected.
Do you need assistance with your Exchange Server platform? You have questions about your Exchange Server organization and implementing a hybrid configuration with Office 365? You are interested in what Exchange Server 2019 has to offer for your company?
Contact me at email@example.com
Follow at https://twitter.com/stensitzki
You might have the requirement to authenticate mobile devices and authorize user access to on-premises Exchange Server mailboxes using a multi-vendor strategy. This blog post focuses on the configuration of a Kemp LoadMaster located in an internal network segment. The Kemp LoadMaster ESP functionality is used to allow ActiveSync connections for members of a dedicated security group only.
This results in the following authentication and authorization endpoints:
The following diagram shows a simplified overview for mobile devices connecting to an on-premises Exchange Server. The perimeter and internal network segments are omitted for simplification reasons.
The following screenshots illustrate a working setup for a virtual service load balancing mobile device connections from MobileIron Sentry to Exchange Server. It's assumed that you've already configured the following:
The SSL Traffic is offloaded and re-encrypted as we need to authenticate the user with ESP. Ensure to select a Cipher Set that does not provide any weak or unsecure cipher suites. In this example I've selected the predefined set BestPractices.
Enable ESP to activate the ESP configuration section. The settings are as follows:
In the Real Servers section you add all member servers of your Exchange Server DAG. Ensure to use the HTTPS protocol the health checks and ensure to query the /Microsoft-Server-ActiveSync/healthcheck.htm document.
Using this configuration you've added your Kemp LoadMaster as an additional authentication endpoint to secure mobile device access to Exchange Server mailboxes.
This scripts creates a new shared mailbox (aka team mailbox) and security groups for full access and and send-as delegation. The security groups are created using a naming convention. If required by your Active Directory team, you can add group prefixes or department abbreviations as well.
The script uses a Xml configuration file to simplify changes for variables unique for your environment.
High level steps executes by the script:
The following example creates an empty shared mailbox for an internal Exchange Admin team with empty security groups.
.\New-TeamMailbox.ps1 -TeamMailboxName "TM-Exchange Admins" `
-TeamMailboxDisplayName "Exchange Admins" `
-TeamMailboxAlias "TM-ExchangeAdmins" `
-TeamMailboxSmtpAddress "ExchangeAdmins@mcsmemail.de" `
The following Create-TeamMailbox.ps1 script simplifies the process of creating a team mailbox even more.
$teamMailboxName = 'TM-Exchange Admin'
$teamMailboxDisplayName = 'Exchange Admins'
$teamMailboxAlias = 'TM-ExchangeAdmin'
$teamMailboxSmtpAddress = 'ExchangeAdmins@mcsmemails.de'
$departmentPrefix = 'IT'
$groupFullAccessMembers = @('exAdmin1','exAdmin2')
$groupSendAsMember = @('exAdmin1','exAdmin2')
.\New-TeamMailbox.ps1 -TeamMailboxName $teamMailboxName `
-TeamMailboxDisplayName $teamMailboxDisplayName `
-TeamMailboxAlias $teamMailboxAlias `
-TeamMailboxSmtpAddress $teamMailboxSmtpAddress `
-DepartmentPrefix $departmentPrefix `
-GroupFullAccessMembers $groupFullAccessMembers `
-GroupSendAsMember $groupSendAsMember -Verbose