Configuring Exchange on-premises for One-Touch Join
This topic describes how to implement Pexip Infinity's One-Touch Join feature in a Microsoft Exchange on-premises environment, by using a service account authenticated using basic authentication to enable the One-Touch Join service to access calendars used for OTJ.
The process involves the following steps, described in detail in the sections that follow:
- Creating a service account for One-Touch Join. This service account will be used by One-Touch Join to read each room resource's calendar. This should be a different service account to that used for VMR Scheduling for Exchange, because the configuration will be different.
- Configuring Application Impersonation on the service account. For more information and guidelines on the use of application impersonation in Exchange, see Permitting the service account to access calendars.
- Enabling the authentication method used for the service account — either NTLMv2 or basic authentication.
- Configuring calendar processing within Exchange.
- Creating an associated Exchange integration on Pexip Infinity.
Prerequisites
Before you begin, ensure that the following configuration is complete:
- Ensure each physical room that will have a One-Touch Join endpoint in it has an associated room resource with an email address.
- Enable auto calendar processing for each room resource, so that the room will automatically accept meeting requests if it is available, and automatically decline an invitation if it is already booked.
- We recommend that if you are using Safe Links, you modify your Safe Links policy so that URLs are not rewritten in any meeting invitations sent to room resources used by One-Touch Join endpoints.
- Ensure you have access to your Exchange Admin Center (EAC) web interface, and access to Exchange Management PowerShell.
- If your Exchange server does not use a globally trusted certificate, you must upload a custom CA certificate.
Creating a service account
In this step, you create a service account that will be used to log in to Exchange to access the calendars of the room resources being used for One-Touch Join.
This service account should only be used with One-Touch Join. However, you can use the same Exchange service account for multiple One-Touch Join integrations.
You can create a new service account using either EAC or PowerShell, as follows:
Using PowerShell: the first command lets the administrator type in a password for the service account as a secure string. This password variable is then used in the second command to create a mailbox for the service account. The third command (which requires the ActiveDirectory module) looks the account up by its UPN and ensures that its password will not expire; note that Set-ADUser -Identity does not accept a UPN, so the account is looked up with Get-ADUser -Filter first.

$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -Name "<Account Name>" -UserPrincipalName "<UPN>" -Password $password -Alias "<Account Alias>" -FirstName "<Account First Name>" -LastName "<Account Last Name>" -DisplayName "<Account Name>"
Get-ADUser -Filter "UserPrincipalName -eq '<UPN>'" | Set-ADUser -PasswordNeverExpires $true

For example:

New-Mailbox -Name "Pexip OTJ Service Account" -UserPrincipalName pexip-otj-svc@example.com -Password $password -Alias pexip-otj-svc -FirstName "Pexip OTJ" -LastName "Service Account" -DisplayName "Pexip OTJ Service Account"
Get-ADUser -Filter "UserPrincipalName -eq 'pexip-otj-svc@example.com'" | Set-ADUser -PasswordNeverExpires $true
Configuring Application Impersonation
In this step, you create a new Distribution Group and add the rooms to be used for One-Touch Join to the group. You then use PowerShell commands so that the service account can only impersonate members of that group.
Configuring Application Impersonation in this way means that if rooms are added or removed from the group, this automatically updates whether or not the service account can impersonate them.
Creating a new Distribution Group
- Log in to your EAC as an administrator and go to recipients > groups.
- Select the + icon and select add a new Distribution Group.
- Add the rooms you want to impersonate to the group.
Note that the service account should not be added as a member of this distribution group. Instead, this step allows the service account to impersonate any member of this distribution group (i.e. any of the room resources).
- Make sure to uncheck the option to make the group owner a group member. Otherwise the service account will be able to impersonate your account.
- Also make sure to lock the group down so people cannot accidentally add themselves as group members. Do this by selecting Closed: Members can be added / removed only by the group owners.
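The same group can be created and locked down from Exchange Management PowerShell instead of the EAC. The following is an added example, not part of the Pexip documentation; the group name, owner and room addresses are constructed placeholders. It deliberately omits -CopyOwnerToMember so the owner is not a member, and finishes with the check a practitioner wants: that nothing other than room mailboxes has ended up in the impersonation group.

```powershell
# Added example (not from the Pexip documentation). All names and addresses are placeholders.
$otj_group_email = "otjrooms@example.com"
$otj_group_owner = "exchangeadmin@example.com"      # the administrator creating the group
$otj_rooms = @("room-boardroom@example.com", "room-huddle1@example.com")

# Closed in both directions: nobody can add or remove themselves.
# -CopyOwnerToMember is intentionally NOT used, so the owner cannot be impersonated.
New-DistributionGroup -Name "OTJ Rooms" -Alias "otjrooms" `
    -PrimarySmtpAddress $otj_group_email -Type Distribution `
    -ManagedBy $otj_group_owner `
    -MemberJoinRestriction Closed -MemberDepartRestriction Closed

# Add only the room resources. The service account's impersonation scope
# follows this membership, so every member here becomes impersonable.
foreach ($room in $otj_rooms) {
    Add-DistributionGroupMember -Identity $otj_group_email -Member $room
}

# Verify: every member must be a room mailbox, and the group must be closed.
$members = Get-DistributionGroupMember -Identity $otj_group_email -ResultSize Unlimited
$nonRooms = $members | Where-Object { $_.RecipientTypeDetails -ne "RoomMailbox" }
if ($nonRooms) {
    Write-Host "WARNING: non-room members found; the service account could impersonate them:" -ForegroundColor Red
    $nonRooms | ForEach-Object { Write-Host "  $($_.PrimarySmtpAddress)" }
} else {
    Write-Host "OK: all $($members.Count) members are room mailboxes" -ForegroundColor Green
}

$group = Get-DistributionGroup -Identity $otj_group_email
if ($group.MemberJoinRestriction -ne "Closed" -or $group.MemberDepartRestriction -ne "Closed") {
    Write-Host "WARNING: group is not closed to self-service membership changes" -ForegroundColor Red
} else {
    Write-Host "OK: group membership can only be changed by its owners" -ForegroundColor Green
}
```

Re-run the membership check whenever rooms are added, since the impersonation scope updates automatically with the group.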
Configuring application impersonation
We recommend that you use combined PowerShell commands to configure application impersonation for the service account. This allows you to use variables, thus reducing possible copy and paste errors.
- Configure the following variables with the values you actually want to use:
- otj_group_id: the email of the distribution list whose members you want to be impersonated.
- otj_service_account: the email of the service account you want to grant impersonation to.
- management_scope_to_create: the name you want the newly created management scope to have.
- impersonation_role_name_to_create: the name you want the newly created impersonation role to have.
For example:
$otj_group_id = "otjrooms@example.com"
$otj_service_account = "pexip-otj-svc@example.com"
$management_scope_to_create = "OTJ Management Scope"
$impersonation_role_name_to_create = "OTJ Impersonation"
- Create the management scope:
$otj_group = Get-DistributionGroup -Identity $otj_group_id
$otj_group_dn = $otj_group.DistinguishedName
$restriction_filter = "MemberOfGroup -eq ""$otj_group_dn"""
New-ManagementScope -Name $management_scope_to_create -RecipientRestrictionFilter $restriction_filter
Example output:
Name                 ScopeRestrictionType Exclusive RecipientRoot RecipientFilter
----                 -------------------- --------- ------------- ---------------
OTJ Management Scope RecipientScope       False                   MemberOfGroup -eq 'CN=OTJ Rooms2111430164340,OU...
- Set up application impersonation using the previously created management scope:
New-ManagementRoleAssignment -Name $impersonation_role_name_to_create -Role ApplicationImpersonation -User $otj_service_account -CustomRecipientWriteScope $management_scope_to_create
Example output:
Name              Role              RoleAssigneeName RoleAssigneeType AssignmentMethod EffectiveUserName
----              ----              ---------------- ---------------- ---------------- -----------------
OTJ Impersonation ApplicationImp... pexip-otj-svc    User             Direct
- Verify that the above commands worked as expected. In the following command, replace <resource_email> with the email of the room resource mailbox you want to test. If it is a room that is a member of the distribution list, OTJ Impersonation should appear in the returned roles. If it is any recipient outside the distribution list, OTJ Impersonation should not be listed, which means the OTJ service account does not have permission to impersonate that user.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -WritableRecipient "<resource_email>" | Format-List Name, Role, RoleAssignee, CustomRecipientWriteScope
Expected output:
Name         : OTJ Impersonation
Role         : ApplicationImpersonation
RoleAssignee : pexip-otj-svc
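The single-mailbox check above can be run across the whole group, together with the negative test that the text describes (a mailbox outside the group must not be impersonable). This is an added example, not part of the Pexip documentation; it reuses the variable names from the steps above, and the control mailbox address is a constructed placeholder.

```powershell
# Added example (not from the Pexip documentation). Variable names follow the steps above.
$otj_group_id = "otjrooms@example.com"
$impersonation_role_name = "OTJ Impersonation"
# A mailbox that is NOT in the group, used as a negative control (placeholder address).
$control_mailbox = "someone@example.com"

function Test-OtjImpersonation([string]$mailbox) {
    # $true if the OTJ impersonation assignment applies to this recipient.
    $assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -WritableRecipient $mailbox
    return [bool]($assignments | Where-Object { $_.Name -eq $impersonation_role_name })
}

$failures = 0

# Positive check: every room in the group must be covered by the scope.
Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    $addr = $_.PrimarySmtpAddress.ToString()
    if (Test-OtjImpersonation $addr) {
        Write-Host "OK: $addr is impersonable by the OTJ service account" -ForegroundColor Green
    } else {
        Write-Host "FAIL: $addr is in the group but not covered by the scope" -ForegroundColor Red
        $failures++
    }
}

# Negative check: a mailbox outside the group must NOT be covered. If it is, the
# management scope filter is wider than intended and should be reviewed.
if (Test-OtjImpersonation $control_mailbox) {
    Write-Host "FAIL: $control_mailbox is outside the group but is impersonable; check the scope filter" -ForegroundColor Red
    $failures++
} else {
    Write-Host "OK: $control_mailbox is not impersonable" -ForegroundColor Green
}

Write-Host "Scope check finished with $failures failure(s)"
```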
Enabling the authentication method
In this step you enable your Exchange on-premises deployment to support your chosen authentication method for the service account. One-Touch Join uses basic authentication by default, but you can elect to use NTLMv2 authentication instead.
For both forms of authentication, Pexip Infinity stores the credentials in encrypted form and all authentication is carried out over a secure TLS channel.
NTLMv2 authentication
NTLM Authentication will not work if a Layer 7 load balancer is in use. To work around this issue we recommend reconfiguring your load balancer to Layer 4.
In most on-premises Exchange deployments, NTLMv2 authentication is enabled by default. To confirm that it has been enabled in your environment:
- Open Server Manager and select the server on which Exchange is installed.
- From the top right options select Tools > Local Security Policy.
- On the tree on the left, expand Local Policies then select Security Options.
- Scroll down to Network security: Restrict NTLM: Incoming NTLM traffic.
- Ensure this is either left to the default value of Not Defined, or set to Allow All.
Basic authentication
If you are using basic authentication with on-prem Exchange you need to ensure it is enabled for both Autodiscover and EWS.
You can do this using either Windows Service Manager or PowerShell. Using PowerShell:

This command enables basic authentication for Autodiscover on a specific server:
Set-AutodiscoverVirtualDirectory -Identity "<server>\Autodiscover (Default Web Site)" -BasicAuthentication $true
For example, if your server name is PEXCHANGE then:
Set-AutodiscoverVirtualDirectory -Identity "PEXCHANGE\Autodiscover (Default Web Site)" -BasicAuthentication $true

This command enables basic authentication for EWS on a specific server:
Set-WebServicesVirtualDirectory -Identity "<server>\EWS (Default Web Site)" -BasicAuthentication $true
For example, if your server name is PEXCHANGE then:
Set-WebServicesVirtualDirectory -Identity "PEXCHANGE\EWS (Default Web Site)" -BasicAuthentication $true
Configuring calendar processing
In this step, you change the calendar processing settings for room resources from the default to those required to support One-Touch Join.
Recommended configuration
To take full advantage of the functionality offered by One-Touch Join, we recommend that, for One-Touch Join room resources, you change the following calendar processing options from the default:
- The meeting invite body is deleted by default. If you want One-Touch Join to parse meeting details from the body then you must set the DeleteComments property to False. If you leave this set to True, only those rules that process information in the calendar headers can be used (because the body will be deleted).
- When a meeting invite is received by a resource mailbox, by default the meeting subject is deleted and is replaced with the name of the organizer (for more information, see this Microsoft article). Because One-Touch Join accesses the meeting invites through the resource mailboxes, this default behavior means it won't have access to the original subject. You can choose to leave the default behavior for privacy reasons, or you can modify the calendar processing options for each mailbox so that the meeting subject is available and thus can be displayed on the meeting room endpoints.
- The private flag is cleared by default. If you want meetings that are marked as private by the organizer to remain marked as private in the room mailbox, you must set the RemovePrivateProperty flag to False.
- Room resources created using PowerShell commands may by default have AutomateProcessing set to AutoUpdate. In these cases it should be changed to AutoAccept.
- When the meeting room accepts the invitation, a response is sent to the original requester (including requesters external to your organization if you have allowed forwarding of external invitations). To avoid any confusion as to why they would be receiving a response from a room that may not have been included in their original invitation, you can configure additional text that is sent to the requester using the -AddAdditionalResponse flag and -AdditionalResponse setting.
PowerShell command
To modify the calendar processing on a room from the default settings to those we recommend for One-Touch Join, connect to Exchange Online PowerShell and use the following PowerShell command (replacing <resource_email> with the address of the room resource whose processing you want to change):
Set-CalendarProcessing -Identity <resource_email> -DeleteComments $False -DeleteSubject $False -AddOrganizerToSubject $False -RemovePrivateProperty $False -AutomateProcessing "AutoAccept" -AddAdditionalResponse $true -AdditionalResponse "Participants can join the meeting from this room using Pexip One Touch Join."
Optional configuration
Hiding invitation details from other users
In order for One-Touch Join to function fully, the
In the following command, replace resource_name with the name of the room resource, and replace role with one of the following roles:
- AvailabilityOnly: users can view the room's availability, but nothing else.
- LimitedDetails: users can view the room's availability and the meeting subject and location, but not the body of the invitation.
Set-MailboxFolderPermission "resource_name:\Calendar" -User Default -AccessRights role
Allowing forwarding of external invitations
Below is some recommended configuration to enable external invitations to be forwarded to your internal OTJ room resources so that the meetings can be joined from those endpoints. In all cases, we recommend that you consult your Exchange administrator to determine what is appropriate in your environment.
- If you want to enable users to forward invitations from other organizations to your OTJ room resources, you must set the ProcessExternalMeetingMessages flag to True. Note that this will allow any users external to your organization to invite the resource directly. To prevent this, you can use an Exchange transport rule similar to the example shown below so that only users internal to your organization can forward external invitations to OTJ meeting rooms.
- If your Microsoft Exchange environment uses a security application (such as Office 365 ATP, or Mimecast) to re-write URLs, this may prevent OTJ from being used to join external Microsoft Teams meetings (for example, when a user inside your organization forwards an external Microsoft Teams meeting invitation to an OTJ room resource in order to join the meeting from that endpoint). To enable users to join these meetings using OTJ, you must ensure that the security application's URL re-write rules include an exception for any URL starting with the domain https://teams.microsoft.com/
Checking calendar processing settings
The following PowerShell command can be used to check the calendar processing settings on all of the rooms in the Distribution Group. We recommend copying and saving this as a file and running it from within PowerShell.
Before running, ensure that you edit $otj_group_id = "otjrooms@example.com" to use the email of the Distribution Group used in your own deployment.
$deleted_subjects = @()
$organizer_added = @()
$deleted_bodies = @()
$private_flag_reset = @()
$not_auto_accept = @()
$process_external = @()
$otj_group_id = "otjrooms@example.com"

Get-DistributionGroupMember -Identity $otj_group_id -ResultSize Unlimited | ForEach-Object {
    Write-Host "Checking room '$($_.name)'"
    $processing = Get-CalendarProcessing -Identity $_.name
    $pass = $true
    if ($processing.DeleteSubject) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting subject" -ForegroundColor Red
        $deleted_subjects += $_.name
        $pass = $false
    }
    if ($processing.AddOrganizerToSubject) {
        Write-Host "WARNING: The room '$($_.name)' is adding the organizer to the meeting subject" -ForegroundColor Red
        $organizer_added += $_.name
        $pass = $false
    }
    if ($processing.DeleteComments) {
        Write-Host "WARNING: The room '$($_.name)' is deleting the meeting body" -ForegroundColor Red
        $deleted_bodies += $_.name
        $pass = $false
    }
    if ($processing.RemovePrivateProperty) {
        Write-Host "WARNING: The room '$($_.name)' is clearing the private flag on meetings" -ForegroundColor Red
        $private_flag_reset += $_.name
        $pass = $false
    }
    if ($processing.AutomateProcessing -ne "AutoAccept") {
        Write-Host "WARNING: The room '$($_.name)' is not configured to Auto Accept. Processing='$($processing.AutomateProcessing)'" -ForegroundColor Red
        $not_auto_accept += $_.name
        $pass = $false
    }
    # Optional permission for allowing the external invites:
    if ($processing.ProcessExternalMeetingMessages) {
        Write-Host "The room '$($_.name)' is configured to process external (forwarded) meetings"
        $process_external += $_.name
    }
    if ($pass) {
        Write-Host "INFO: All checks passed for room '$($_.name)'" -ForegroundColor Green
    }
}

Write-Host "Summary:"
Write-Host "There are $($deleted_subjects.count) rooms deleting the meeting subject"
if ($deleted_subjects) {
    Write-Host $deleted_subjects -Separator ", "
    Write-Host ""
}
Write-Host "There are $($organizer_added.count) rooms adding the organizer to the meeting subject"
if ($organizer_added) {
    Write-Host $organizer_added -Separator ", "
    Write-Host ""
}
Write-Host "There are $($deleted_bodies.count) rooms deleting the meeting body"
if ($deleted_bodies) {
    Write-Host $deleted_bodies -Separator ", "
    Write-Host ""
}
Write-Host "There are $($private_flag_reset.count) rooms clearing the private flag on meetings"
if ($private_flag_reset) {
    Write-Host $private_flag_reset -Separator ", "
    Write-Host ""
}
Write-Host "There are $($not_auto_accept.count) rooms not configured to Auto Accept"
if ($not_auto_accept) {
    Write-Host $not_auto_accept -Separator ", "
    Write-Host ""
}
Write-Host "There are $($process_external.count) rooms configured to process external (forwarded) meetings"
if ($process_external) {
    Write-Host $process_external -Separator ", "
    Write-Host ""
}
Creating an Exchange integration on Pexip Infinity
In this step you log in to the Pexip Infinity Administrator interface and add details of the Exchange deployment you are integrating with, including the service account username and password (based on the configuration you have just set up in Exchange).
From the Pexip Infinity Administrator interface, go to .
Option | Description |
---|---|
Name | The name of this One-Touch Join Exchange integration. |
Description | An optional description of this One-Touch Join Exchange integration. |
Service account username | The username of the service account to be used by the One-Touch Join Exchange integration. If you are using NTLMv2, this must be in the format name@domain. Otherwise, the format may be either domain\name or name@domain, depending on your domain. |
Enable OAuth | Leave this option disabled. (OAuth 2.0 is supported for Exchange in Office 365 only.) |
Enable NTLM | Enable this option to authenticate the service account using NTLMv2. (This option is only supported for Exchange on-premises.) Leave this option disabled to authenticate the service account using basic authentication. |
Service account password | (Available if OAuth has not been enabled) The password of the service account to be used by the One-Touch Join Exchange integration. |
Advanced options | |
Find Items Request Quota | The number of Find Item requests that can be made by OTJ to your Exchange Server in a 24-hour period. The default of 1,000,000 should be sufficient for most deployments; for more information, see Frequency of and limitations on calendar requests. We do not recommend increasing this quota unless you have deployed a dedicated One-Touch Join platform, because it will impact the performance of the Conferencing Nodes. |
EWS URL | The URL used to connect to Exchange Web Services (EWS) on the Exchange server. If specified, all Autodiscover lookups (including any OTJ Exchange Autodiscover URLs that have been configured) will be disabled and this EWS URL will be used for connecting to every mailbox using this Exchange Integration. |
OTJ Exchange Autodiscover URLs | This section is optional and will generally only be required if the Autodiscover URLs in your deployment do not use a standard location. Any URLs configured here will be tried first, with a fallback to the default URL. |
Name | The name of this Exchange Autodiscover URL. |
Description | An optional description of this Exchange Autodiscover URL. |
Autodiscover URL | The URL used to connect to the Autodiscover service on the Exchange deployment. If you are using Office 365, you may need to enter your autodiscover URL manually, particularly if you are using a hybrid Exchange deployment. If your OTJ room resources and service account are hosted on O365, then you should enter https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc as the Autodiscover URL. The URL must end in .svc; URLs ending in .xml are not supported. |
Next steps
You must now configure the remainder of the One-Touch Join components on Pexip Infinity, as described in Configuring Pexip Infinity for One-Touch Join.