Tag Archives: cwa

Communicator Web Access Observations in a Lync Environment

I’ve recently deployed Communicator Web Access into what was basically a greenfield environment (no previous versions of OCS or LCS) and came across some interesting stuff in the process.
Usually when you deploy CWA, you’ve already got an OCS 2007 R2 Standard Edition or Enterprise Edition pool deployed, and the CWA deployment goes in nice and easy. Throw Lync into the mix without any existing R2 infrastructure, and you get some interesting behaviour.

Environment Preparation

Prior to deploying our Lync environment or any CWA components, we need to update AD accordingly for OCS 2007 R2 first. I won’t go into the details here because Randy Wintle has already done a good job of it.

Once AD is good to go, we can start building the CWA server.

Want to use Web Enrolment? Think again

Because there is no existing OCS 2007 R2 infrastructure and no Admin Tools to run against it, we can’t use the Certificate Wizard. My next step was to try using the CA’s web enrolment tool to retrieve a certificate.

I attempted this, and could request and retrieve a certificate fine. However, when it came to assigning this certificate for CWA to use, the Deployment Wizard would throw back an error saying please use a valid certificate and wouldn’t let me proceed. There is however, an alternative method.

Using a Certificate Request Policy File

To get a certificate for CWA that it likes, we need to go deep on this one and create a Certificate Request Policy file. We will use this to create a Certificate Signing Request on the local computer which we can use to request a certificate from the CA. For the process below, you can download an example one here.


  1. Copy the certificate request policy file to the server. Make note of where you copy this to (e.g. C:\).
  2. Log onto the server corresponding to the filename. Open CMD and run the following command:
    Certreq –new C:\SERVERNAME.txt SERVERNAME_Out.txt
    (change the filename to whatever it is you’ve named the file and then give the _Out file any name you like).
  3. It will generate a SERVERNAME_Out.txt for each one you run. These are our CSR (certificate signing request) files that we will submit to the Web Enrolment Tool.
  4. Open up the CSR file in Notepad, copy the contents out and use it to request a certificate using the Web Enrolment tool. ADCS will spit out a certificate for you and it’ll work for CWA.

This can be a bit tricky, so let me know in the comments if you have any troubles or questions.

Server Activation

If you’re deploying CWA into a Greenfield environment with no previous versions of OCS, you must have at least one OCS 2007 R2 pool deployed. This is because during activation, the CWA Deployment Wizard looks for a valid pool in AD to list in the drop-down menu as the next hop. If there’s no pools present in AD, the Activation Wizard will fail.

So there’s a few things to think about and plan for when it comes to deploying CWA into your new Lync environment. Any questions or comments, drop them below.