What FQDN to use when Setting Up OWA/Lync Integration?

I was setting up OWA/Lync integration in my lab and ran into an interesting issue.  After completing all the necessary steps, I logged into OWA as a test user and got the following error message: "Instant Messaging isn't available right now. The Contact List will appear when the service becomes available."

This error typically means one of two things: either you didn't complete all the necessary steps for integration to work, or you have a certificate issue. Since I knew that I had completed all the required steps, I started looking into a possible certificate issue. After verifying that the CAS array name was listed on the certificate bound to IIS on the CAS Server, and that the CAS Server and the Lync Front End Server each trusted the other's certificate, I turned to logging to see if I could figure out what was wrong.

I ran SIPStack tracing on the Front End Servers to see if I could spot where the error was coming from. After logging back into OWA and opening the trace in Snooper, I saw the following record:

TL_ERROR(TF_CONNECTION) [0]0AC0.1278::12/20/2011-20:45:01.704.000003ca (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
LogType: connection
Severity: error
Text: The peer is not a configured server on this network interface
Peer-IP: 172.16.3.11:15365
Transport: TLS
Result-Code: 0xc3e93d6a SIPPROXY_E_CONNECTION_UNKNOWN_SERVER
Data: fqdn="deitterick.com"
$$end_record

As the Data field of the record above shows, the Lync Front End Server is rejecting the TLS connection from the CAS Server because it can't find a trusted server object for "deitterick.com". Looking in Topology Builder, I could see that I had created a trusted application pool for "mail.deitterick.com", my CAS array name, and that I had defined "LAB-EX2010.lab.deitterick.com", my CAS Server name, in that pool as well.

The topology looked correct, so why did the Lync Front End Server think that the connection was coming from "deitterick.com" instead of "mail.deitterick.com"? I next looked at the certificate on the Exchange CAS Server that I was using for IIS. Its subject name was "deitterick.com"!

Lync identifies a trusted server by the subject name of the certificate the peer presents during the TLS handshake. So because the subject name on the certificate is "deitterick.com" and not "mail.deitterick.com", the Lync Front End Server is looking for the wrong trusted application pool name, even though the CAS array name appears elsewhere on the certificate. There are two options to resolve this issue. The first is to reissue the certificate on the Exchange CAS Server and make sure that the CAS array name is the subject name on the certificate. The second is to change the trusted application pool name. Unfortunately, you can't just edit the pool name in Topology Builder. You have to delete the trusted application pool from the topology, publish the topology, and then create the new trusted application pool and create the trusted application again.

The second option is the one that I chose. After changing the trusted application pool name to "deitterick.com" (the certificate's subject name), I published the topology, created the trusted application again, and now when I log into OWA, IM integration works.

So the important thing to remember when setting up OWA/Lync integration is that when you create the trusted application pool in Topology Builder, you must use the subject name defined on the certificate bound to IIS on your CAS Server(s), even if the CAS array name also appears on that certificate as an additional name.
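To turn that lesson into a repeatable check, here is an added PowerShell example (my own, not from the original post) that reads the subject CN of the certificate bound to IIS on the CAS Server, compares it against the trusted application pools configured in Lync, and, when they don't match, rebuilds the pool under the certificate's subject name exactly as described above (delete, publish, recreate pool and trusted application). The first step runs in the Exchange Management Shell on the CAS Server; the rest runs in the Lync Server Management Shell on a Front End Server. The registrar pool, site, application ID and port are placeholders and must be replaced with the values from your own topology; the CAS array and server names are the ones from this post.

```powershell
# ---- Step 1: CAS Server (Exchange Management Shell) -------------------------
# Find the certificate bound to the IIS service and print its subject CN.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is bound to the IIS service on this CAS Server.' }

# Lync matches the peer against the certificate subject CN, not the subject
# alternative names, so extract the CN from a subject such as "CN=deitterick.com, O=...".
if ($iisCert.Subject -notmatch 'CN=([^,]+)') { throw "Cannot parse subject: $($iisCert.Subject)" }
$cn = $Matches[1].Trim()
Write-Host "IIS certificate subject CN : $cn"
Write-Host "Additional names (SANs)    : $($iisCert.CertificateDomains -join ', ')"
# A SAN entry for the CAS array name is not enough; the CN printed above is the
# name the trusted application pool must carry.

# ---- Step 2: Front End Server (Lync Server Management Shell) ----------------
# Paste the CN printed by step 1 here (value from this post used as an example).
$subjectCn = 'deitterick.com'

$pools = Get-CsTrustedApplicationPool
$match = $pools | Where-Object { $_.Identity -match [regex]::Escape($subjectCn) }
if ($match) {
    Write-Host "OK: a trusted application pool exists for '$subjectCn'."
    return
}
Write-Warning "No trusted application pool is named '$subjectCn'. Configured pools:"
$pools | ForEach-Object { Write-Warning "  $($_.Identity)" }

# ---- Step 3: rebuild the pool under the subject CN (the post's second option) --
# Placeholder values (assumed; replace with your own topology details):
$oldPoolFqdn   = 'mail.deitterick.com'              # pool created under the CAS array name
$casServerFqdn = 'LAB-EX2010.lab.deitterick.com'    # CAS Server defined in the pool
$registrar     = 'Registrar:lync-fe.lab.example'    # your Front End / registrar pool
$site          = 'Lab'                              # your topology site ID
$appId         = 'OutlookWebApp'                    # application ID chosen for OWA IM integration
$port          = 5199                               # port chosen when setting up the integration

if ((Read-Host "Rebuild the trusted application pool as '$subjectCn'? (y/N)") -ne 'y') { return }

# The pool name cannot be edited in place: remove the old pool, publish the
# topology, then recreate the pool and its trusted application under the CN.
Remove-CsTrustedApplicationPool -Identity $oldPoolFqdn -Force
Enable-CsTopology
New-CsTrustedApplicationPool -Identity $subjectCn -Registrar $registrar -Site $site -ComputerFqdn $casServerFqdn
New-CsTrustedApplication -ApplicationId $appId -TrustedApplicationPoolFqdn $subjectCn -Port $port
Enable-CsTopology
Write-Host "Trusted application pool '$subjectCn' published; sign in to OWA again to verify IM."
```

Run step 1 before touching the topology so you know which name Lync will actually see on the wire; if the CN already matches a pool, the script stops without changing anything. Note that removing a pool also removes the trusted application defined on it, which is why the recreate step runs New-CsTrustedApplication again rather than only New-CsTrustedApplicationPool.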