Tuesday, April 24, 2012

How to remotely view and test certificate, intermediate certs, and root certificate

There are a few instances during a Lync deployment (Edge, Mobility, EWS) when you need to see all the information about a public certificate, but you do not have easy access to the system that contains the certificate, intermediates, and root certificates.

I have found the help page at Digicert to give me all the information I need, even if the certificate is not issued by Digicert.


Normally you would just type in a server name and off it goes and queries port 443 by default. That works great if you are testing a cert on port 443. But what if you have a cert on port 5061?

It is as easy as entering <Server Name>:5061.

Digicert SSL Certificate Check returns the certificate with Common Name, Subject Alternative Names, and Issuer. Most importantly though, if you look further down you will see the entire certificate chain.
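The same check can be run from PowerShell when the web tool is not an option (an internal-only listener, for example). The function below is an added example and is not code from the original post or from DigiCert: it connects to host:port with the same convention as the checker (443 by default, 5061 for a Lync SIP listener), pulls the certificate the server presents, and reports Common Name, Subject Alternative Names, Issuer and the chain as the local machine builds it. It assumes PowerShell 3.0 or later and .NET 3.5 or later; `Get-RemoteCertificateChain` is a name chosen for this example.

```powershell
# Added example, not from the original post: inspect a remote certificate and its chain
# from PowerShell, using the host:port convention of the DigiCert checker.
function Get-RemoteCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 443                      # 5061 for a Lync Edge / Front End SIP listener
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        # Accept whatever the server presents so the handshake completes; trust is
        # evaluated explicitly below with X509Chain instead of being hidden in the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Subject Alternative Names live in the extension with OID 2.5.29.17
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans   = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Build the chain the way Windows itself would: intermediates come from the local
    # store or the certificate's AIA URL, and the root must be in Trusted Root CAs.
    # Revocation is skipped here so an unreachable CRL does not mask a chain problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($leaf)

    [PSCustomObject]@{
        Endpoint   = "$ComputerName`:$Port"
        Subject    = $leaf.Subject
        SANs       = $sans
        Issuer     = $leaf.Issuer
        NotAfter   = $leaf.NotAfter
        ChainValid = $chainOk
        Chain      = $chain.ChainElements | ForEach-Object {
            $status = @($_.ChainElementStatus | ForEach-Object { $_.Status })
            [PSCustomObject]@{
                Subject = $_.Certificate.Subject
                Status  = if ($status.Count -eq 0) { 'OK' } else { $status -join ', ' }
            }
        }
    }
}

# Usage: Edge SIP listener on 5061 instead of the default 443 (hostname is a placeholder)
Get-RemoteCertificateChain -ComputerName sip.example.com -Port 5061 | Format-List
```

A `ChainValid` of `False` with a chain element status such as `UntrustedRoot` or `PartialChain` is the machine-local view of the problem the DigiCert page shows remotely: the leaf is fine but the intermediate or root the server relies on is not where this computer expects it.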


Having this information is especially handy if you are dealing with GoDaddy certs.

Monday, April 16, 2012

IM an Expert has been updated to version 1.5

Another Engineer at Time2Market was getting ready to deploy IM an Expert for a customer and mentioned to me that the Admin and End User docs were recently updated (March 8, 2012). So I pulled down the Admin doc and noticed it had version 1.5 on the title page. Also, on Page 13 is a section that highlighted the changes in 1.5.

Below I have highlighted the changes on Page 13... having the bot running as a service is reason enough to upgrade. The other change that I found intriguing was "Conversation Following". Enjoy!

Changes for Version 1.5

The latest version of IM an Expert replaces V1.0 of the system which shipped in March 2011. For the V1.5 release there are a number of feature additions and bug fixes.

New Features
  1. Support of Resource Forests: Version 1.0 of IM an Expert did not work for organizations where Lync was setup with a resource forest configuration. Such a configuration has a set of users with information such as SIP address in a different domain/forest from the one that is their actual user account. So, when they visit the IM an Expert webpage, the site could not locate their information. To fix this, we improved the way we retrieved user SIP/Name/Email so that we search for the user in resource forests as well as the current forest. IM an Expert now offers a sophisticated highly-configurable mechanism to allow admins to specify how user identities are resolved from Active Directory. More information about deploying Lync Server 2010 in resource forests can be found here http://technet.microsoft.com/en-us/library/gg670909.aspx
  2. Content-type Adaptation: If a message sent by IM an Expert cannot be received by the client (e.g., the message is sent as HTML and the client does not support HTML), then the system will automatically switch to plain text, resend the current message, and use plain text for the remainder of the conversation. The occurrence of the adaptation is governed by the SIP error code that IM an Expert receives when it tries to relay the first message in the conversation. The BotSipErrorCodesForPlainTextResend configuration parameter can be used to specify the list of SIP error codes for which content-type adaptation should be attempted.
  3. Message Content-type Specification: Messages can be sent in plain text or HTML. This can be specified using the BotMessageContentType parameter in the imx.config file: “text/plain” for plain text, and “text/html” for HTML.
  4. Lync Mobile and Outlook Web Access: IM an Expert will now work with Lync Mobile client (tested for iPad, iPhone, and Windows Phone), and Outlook Web Access (OWA).
  5. Run as Service: IM an Expert can now be configured to be run as a service which can be configured to start automatically when the server hosting the Bot boots up. Note that the Bot can still be run as an executable.
  6. Conversation Following: If a candidate answerer declines a question invitation they receive via IM, they now have the option of subscribing to the conversation by typing “follow” in response to the invite. At the conclusion of the dialog between the asker and another answerer (if one is found), all followers will be emailed a link to the transcript of the dialog on the IM an Expert website, where they can also add follow-up comments and additional answers.
  7. Usage Statistics on Homepage: Administrators can now display usage statistics on the IM an Expert homepage, including a stacked bar chart of the ratings assigned to answered questions and other statistics such as the average time to answer and average number of users contacted to get an answerer.
  8. Memory Management: The Bot should now consume less memory on the server on which it is running, especially in situations where the Bot is running for prolonged periods. To do this, we store less in memory, clear in-memory data structures more frequently, and periodically request garbage collection.
  9. Support for More Sophisticated PageCrawler Regexes: The PageCrawler now supports multiple regular expressions for the same page and as multiple match groups for a page within the same regular expression. This allows administrators to extract multiple items from a web page via a single regular expression, multiple regular expressions, or some combination of the two.
  10. Resetting Bot Status: Allows administrators to set the Bot’s Lync status to variable (“Online” or “Offline”, depending on whether the Bot is running) after being set to “Always Online”. In V1.0, once the Bot was set into an Always Online state, it could not be undone by IM an Expert.
Bug Fixes
  1. SIP Address Normalization: In V1.0, SIP addresses were not being normalized. In companies with uppercase domain names, this caused a non-match between user SIP addresses as far as we knew them (e.g., user@company.com) and SIP addresses returned by Lync when we queried for presence status (it would give us user@company.com). This has been fixed so that IM an Expert normalizes all SIP addresses by lowercasing the sip: and the domain portions and leaving the username portion unchanged.
  2. PageCrawler Configuration: Corrected errors with parsing of special fields such as EMAIL, SIP, and SIPALIAS, which are meant to be replaced by the current user’s email/SIP/SIP alias/etc.
  3. Website Viewstate Validation: Occasionally, users would get a “validation of viewstate MAC failed” exception when using forms on the IM an Expert website. This has been fixed.
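The normalization rule in bug fix 1 (lowercase the `sip:` scheme and the domain, leave the user part untouched) is easy to get wrong, and a mismatch means a lookup silently fails for users in uppercase domains. The function below is an added example written for this post, not IM an Expert's own code: it applies that rule so that an address from Active Directory and one from a Lync presence query can be compared safely. `ConvertTo-NormalizedSipAddress` and the sample addresses are constructed for the example.

```powershell
# Added example, not IM an Expert's code: the normalization rule from bug fix 1.
function ConvertTo-NormalizedSipAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $addr   = $Address.Trim()
    $scheme = ''
    if ($addr -match '^sip:') {               # -match is case-insensitive, so SIP: is caught too
        $scheme = 'sip:'
        $addr   = $addr.Substring(4)
    }

    $at = $addr.LastIndexOf('@')
    if ($at -lt 0) { throw "Not a SIP address (no '@'): $Address" }

    $user   = $addr.Substring(0, $at)         # user part may be case-sensitive: keep it as-is
    $domain = $addr.Substring($at + 1).ToLowerInvariant()
    return "$scheme$user@$domain"
}

function Test-SameSipAddress {
    param([string]$First, [string]$Second)
    # Case-sensitive compare on the normalized forms so a differing user part still fails
    return (ConvertTo-NormalizedSipAddress $First) -ceq (ConvertTo-NormalizedSipAddress $Second)
}

# Constructed sample: the V1.0 mismatch between what AD returned and what presence returned
$fromAd       = 'SIP:JDoe@COMPANY.COM'
$fromPresence = 'sip:JDoe@company.com'
Test-SameSipAddress -First $fromAd -Second $fromPresence
```

The case-sensitive `-ceq` is deliberate: it keeps a differing user part (`JDoe` versus `jdoe`) from being treated as the same identity, which is the part of the address the fix explicitly leaves alone.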

Tuesday, April 3, 2012

So.... You want to be a Lync Master?

I recently spent three weeks in Redmond, WA attending a Microsoft Certified Masters course for Lync Server 2010 and thought I would share some thoughts and tips based on my experience there.

LOST in Building 40
First of all, the class was amazing and better than I ever hoped it would be. 

Going to Lync Masters is like attending an IT version of LOST. When you attend training you are told to cut off communications (or at least limit them) and responsibilities with everyone in your work and personal life. Although necessary, this creates an island-like effect. Once you arrive in Redmond... you are stuck on this island with other Masters attendees and slowly, over the course of three weeks, your previous life begins to seem more like a dream.

You now have this alternative life on the island (Microsoft Building 40 in our case) where you will form relationships and create alliances (study groups). If you are fortunate, like I was, you will find someone that is experienced in areas you are weak in.

After the first day you will feel like you have got this class nailed or at the very least can handle it. The second day you might still have the same feeling but not quite as confident. The third day the new information just keeps coming and coming non-stop and then the black cloud appears. You start to feel fatigue and if you are not careful... you will miss what the instructors are trying to teach you. Eating and sleeping well become very important at this point. There will be no break to fully recover until you get off the island.

When you start your second week there...you will not feel as on top of the game as you did the first day. The information and ah ha moments just keep coming... Things really start getting weird the second week when people start talking about dreaming of Call Admission Control. At the same time everyone in the class also is figuring out that it is really futile to remember "everything". This is when you should start to focus on what you and your study group thinks is important for the exam and qualification lab. Or for some people they start to think about how they are going to get off this island.

The third week now you are spending nearly all your waking moments taking in yet more information and when that is not happening, constantly going back over all the other content from previous episodes (uhh... I mean days) trying to keep all of it fresh in your head for the knowledge exam and then the qualification lab.

After being tested by the island (the exam and qualification lab are done), you are now dealing with whether or not you are a Lync Master and you have to head back to your previous life.

For me, my real life seemed like a dream and the life back at Building 40 seemed like reality for at least a week.... probably longer. Life will not seem right... or normal for awhile...maybe not ever. The wife and kids will wonder why you are easily overwhelmed with all their attention. In some extreme cases, you might come home and be speaking of smashing the lab (this would be if you did really well on the qualification lab).




Tips for the class...

Taking Notes
First of all, do not even begin to think about attending a Lync Masters course until you have become familiar with every single workload in the product (yes, even Group Chat, which I have a new respect for). The instructors from day one expect you have done this and they will not be covering the basics. As an example, there is a significant amount of time dedicated to the voice workload and if you have limited experience in this area I would not use this class as a time to learn that.

For our rotation all the slide decks were delivered to us in OneNote. This makes taking notes extremely handy. I also added audio recording to my notes using the Jabra Speak 410.

What is great about this setup is that as you are recording and typing, OneNote will keep track of both. This will allow you to go back later and click on the specific text to hear the audio at that point when you were typing. When I had slides that had no notes I still put a letter "A" as a place holder so I could come back and hear the audio at that point. You will want to work with this before you get to day one of the class because at that point you will not have time to be messing with setting up OneNote to do this.

Make sure before you spend a lot of money on a microphone that you check with whoever is running that rotation, to be sure it will be permitted. I strongly suggest a USB microphone of some sort because any analog mic I used had a hum in the background (probably something with my laptop).

Also, it should be expected that you will encounter a lot of content that you have not seen before. Do not come to class and expect that you know most of the content. Be prepared to learn lots of new content.

Study Groups
This was probably the single best reason why I passed. Find people you get along with that are strong in the areas you are weak...and hopefully you are strong in areas the others are weak. My study group consisted of 3 people to begin with, but mushroomed to 6 by the second weekend. There were times we were going over previous material in the classroom late at night or on the weekend and others would just join in... and make it that much better.

One thing that really seemed to help was that one person in the study group suggested we write our own exam questions based on the content we had learned and share them with each other. Each of us wrote questions in areas that we were really familiar with. There were some really tough questions that pushed us to understand the content even better. But even more beneficial was that we decided to write some of the questions on content that we were weak in to really help cement the knowledge in our own heads... By the end of the second weekend we had a pool of 47 questions. We had errors at first, but we found that was helpful too. If we had someone that didn't understand why an answer was right we tried to help them understand why we thought it was right...and that led to more discussions.

Also, as far as study groups go, make sure to give each other space as well... a few nights/days throughout the three weeks is what we did. Everyone needs some downtime.

Eating and Sleeping
Above all else... eating and sleeping should be a priority. Class is hard enough without feeling terrible from eating too much junk food and not sleeping because you want to study.

Sleeping will be a huge challenge for those coming from Central and Eastern time zones or from overseas. Several in our class found they were waking up at 4 or 5am. Adjust as much as you can to get as much sleep as possible.

There will be junk food all around you. Lots of candy and chips... and Microsoft provides a variety of drinks free for the taking. Resist it as long as you can.

As far as dining out... I really thought I would not have time to do this often. So did several others in the class based on the amount of food that was bought the Sunday before class started for each of our hotel rooms. I bought some fruit and some other things to snack on... and I did fairly well...although I had a huge bag of tortilla chips and jar of salsa I hardly touched. My point is that you will want to get away from studying and class and feel human for a little while. Below is a list of places my study group enjoyed.

Food Suggestions
The cafeteria at Building 40 was being renovated while we were there so Microsoft arranged for some Food Trucks to come by at lunch time. I was extremely pleased with the quality food and some of them accepted credit cards. You can get an idea what is available here (Cafe 41).

Jimmy John's
I've always felt these guys have great subs... others in the class that never had them before became passionate about them. They have online ordering available and even though they won't deliver to Microsoft Buildings the drive to get this piece of heaven is fairly short.

17875 NE Redmond Way
Suite #124
Redmond, WA 98052

Five Guys Burgers and Fries
If you have never had a Five Guys Burger and Fries you are truly missing out on something special. Just go. Be warned that for most people their "Little Burger" is plenty big. Also a table of four people can share an "order of fries".

15011 Northeast 24th Street  
Redmond, WA 98052

Spazzo
Do not judge this place by the name. Great Italian food. We did have one waiter that was borderline stalking us... finding us in the restaurant every time we came in and remembering everything we ordered the first time we ate there.

Redmond Town Center
16499 NE 74th St
E255
Redmond, WA 98052

Red Robin
Red Robin is known for their Gourmet Burgers and sandwiches. They have bottomless fries that are great as well.

Near Redmond Town Center
7597 170th Ave NE
Redmond, WA 98052

Near Building 40
2390 148th Ave
Redmond, WA 98052

Earls
The food is awesome and if you like to people watch this is the place to come.

700 Bellevue Way NE
Suite 130
Bellevue, WA 98004

Joey's
Great food and this was the place that some of us got together the Sunday before class started.

800 Bellevue Way NE
Suite 118
Bellevue, WA 98004

Azteca
Great Mexican that is close to Microsoft

3040 148th Ave NE
Redmond, WA 98052

Neville's (The British Pantry)
Fish and chips were great....  and the Shepherds Pie was well liked as well.

8125 161st Ave NE
Redmond, WA 98052

Claim Jumper
This place will give you the most calories for your buck (the food tastes great too). One Masters student finished off a Widow Maker Burger (1149 calories) with Fries (346) and a mini I Declair (1075) in one sitting. One meal that shocked all of us was the Ore Cart (2724 calories).

7210 164th Ave NE
Redmond, WA 98052



This post brought to you by a Jimmy John's #9 with hot peppers and a Shamrock Shake

Wednesday, June 29, 2011

Automatic Root Certificates Update Insanity

I have no doubt that Microsoft was trying to solve a big problem when they came up with the Automatic Root Certificates Update solution. Ideally, with Automatic Root Certificates Update a PC/Server can keep the list of Root Certificate Authorities up to date on demand. Also, Automatic Root Certificate Update would allow for the addition of other Root Certificate Authorities that may not have been approved when the OS was first released.
Unfortunately, I have found that the Automatic Root Certificate Update solution creates some problems when there are customized properties on Trusted Root Certificates.

As an example, the proper installation of GoDaddy Intermediate Certificates requires the disabling or deletion of an existing Trusted Root Certificate.

NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

So now you have a properly installed GoDaddy certificate, right? You won't for long.

At some point in the future the server will query Windows Update, notice that the GoDaddy root certificate has been disabled, update the certificate, and re-enable it. There will be an Event Viewer message from the source CAPI2 when this happens.

The update of the Trusted Root certificate does not immediately break the server software component that has that certificate assigned; the break only shows up once the services are restarted. Which means, at some point in the future when someone reboots the server suddenly things do not work and you have no idea why. This has been observed with both Lync Edge servers and Front End servers that were using GoDaddy certificates. Now that is fun.

So... yes we can disable Automatic Root Certificate Update, but there is a downside I've noticed. Much like on Windows Server 2003, we now have to download and install Trusted Root Certificates manually that are not part of the original OS.

Now you are thinking I will never go with GoDaddy certificate because of this. Guess what, I've personally seen an issue with Digicert and I've seen mention of Entrust based certificates also having issues with Automatic Root Certificate Update.
So... I don't have any really great answers for making this a non-issue at this point. If you do, please send me an email or send me a message on twitter.

Here is the procedure to disable Automatic Root Certificate Update.

Turn off Automatic Root Certificates Update

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To turn off Automatic Root Certificates Update:

  1. Click Start, and then click Run.
  2. Type gpedit.msc and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled and then click OK.
  6. Close the Local Group Policy Editor.
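For servers where you would rather script this than click through gpedit, and for confirming whether a root got pulled down behind your back, here is an added PowerShell example (not part of the original post). It assumes an elevated PowerShell session on the server and that the "Turn off Automatic Root Certificates Update" policy maps to the DisableRootAutoUpdate value under the SystemCertificates\AuthRoot policy key, which is the registry location that policy writes to. The function names are chosen for this example.

```powershell
# Added example, not from the original post: registry equivalent of the gpedit steps,
# plus a look for the CAPI2 events the post mentions.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Disable-RootAutoUpdate {
    # Same value the policy sets when it is switched to Enabled in gpedit
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -Value 1 -Type DWord
}

function Enable-RootAutoUpdate {
    # Back to the OS default, i.e. roots may be refreshed from Windows Update again
    Remove-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
}

function Get-RootAutoUpdateState {
    $v = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    if ($v -eq 1) { 'Disabled by policy' } else { 'Enabled (OS default)' }
}

function Get-RecentRootUpdateEvents {
    param([int]$Days = 30)
    # CAPI2 logs to the Application log when it refreshes a root from Windows Update.
    # One of these dated after you disabled a root explains a "worked until the reboot" outage.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage: check the current state and look back 30 days for root refreshes
Get-RootAutoUpdateState
Get-RecentRootUpdateEvents -Days 30
```

Keeping `Get-RecentRootUpdateEvents` in a scheduled check is the cheap way to notice a re-enabled root before the next reboot turns it into an outage; with auto update disabled, remember the trade-off the post describes and plan to install new third-party roots by hand.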

Monday, June 13, 2011

The Days of the Telephone Number are Dwindling

Dialing a number to reach a person or business will become the exception, rather than the rule.
Today if you wanted to reach Microsoft Sales by phone you would need to dial (800) 642-7676.
But, would it not be easier to remember sales@microsoft.com?
I came to this realization back in 2003 when I started working with SIP based Unified Communications products from Nortel.

That Nortel product had a number configured for a user, but the phone number was not required. A call could be placed to another person if you had their SIP URI (john@example.com). The number for the most part was so they could interact with the PSTN.

They had both PBX and Carrier versions of their SIP product that were intended to work together to provide SIP trunking and Federation with other organizations. Some thought this vision was a bit early for the market to really understand the value, but Nortel also did not evangelize the vision.

Fast forward a few years and now we have Unified Communications well evangelized from multiple vendors. Nortel lost the opportunity that came with being early to market with a revolutionary product idea.

Now others, like Microsoft can capitalize on those ideas and add their own. 

For years, Microsoft has provided an efficient way to connect organizations together that use Microsoft based Unified Communications. These organizations can communicate seamlessly across the Public Internet without any VPN. This is done through the Edge Server role in Office Communications Server and now Lync Server 2010.

No PSTN involved.

No big SIP server in the sky.

No dialing of a phone number.

It is all simply done through the existing DNS system by calling a user's SIP URI (john@example.com).
Much like an email address the SIP URI contains all the information needed to route the call to an organization (example.com) and which user or endpoint should receive the call once we reach that organization (john).

So today, if you use a Microsoft based Unified Communications system and communicate with partner organizations or vendors using the Edge Server role you could potentially make a call to a SIP URI like sales@microsoft.com and have that reach a real person. Again...

No PSTN involved.

No big SIP server in the sky.

No dialing of a phone number.

But, what hasn't happened yet, is a way to fully Federate (IM, Presence, Voice, Video, Desktop Sharing etc.) between all the disparate UC/Communications systems.

Recently, Microsoft has made a historic acquisition of Skype. Microsoft, in one move, has the pieces to become a SIP trunking provider, but more importantly they now have the ability to provide Federation to other organizations that are not using Microsoft Unified Communications.

Consider this...

Work has been done on an Avaya solution to connect to Skype.

Although the agreement has not been renewed, work was also done with Asterisk. The agreement possibly lapsed because both Microsoft and Asterisk wanted to revisit the relationship and possibly might leverage the Skype for SIP interface instead. Just a theory of mine at this point.

With the Skype for SIP interface, what is to stop Microsoft from making it interoperate with ANY communication system? If a communications system doesn't support SIP then a PRI SIP Gateway can be used.

Skype for SIP already supports the following PBX systems:
  • 3CX
  • Avaya
  • Cisco
  • Freetalk
  • Grandstream
  • LG Ericsson
  • NEC
  • ShoreTel
  • Siemens
  • SIPfoundry
and the following PRI SIP Gateways:
  • Audiocodes
  • Grandstream
  • Net
  • VoSKY
So, now ponder these final thoughts...

Disparate systems all talking SIP can connect to Skype and no longer have to make a connection through the PSTN.

The only real need for a phone number with this scenario is to provide backwards compatibility with the PSTN.

Dialing a number to reach a person or business will become the exception, rather than the rule.

Monday, June 6, 2011

SSL Cipher Order strikes again

Issue:

Lync Server 2010 would intermittently fail to communicate with AOL AIM clients via PIC.

But wait...

That's not all... At the same time I also noticed the edge failing to negotiate TLS with Federated Partners that had Entrust certificates (may affect other CAs, but I noticed Entrust in my eventlog)

Note that this would only be reproducible if your Lync/OCS 2007 R2 Edge role is running Windows Server 2008 (x64) or Windows Server 2008 R2 (x64); not Windows Server 2003 (x64).

Resolution:

Modify the SSL cipher order so that the OCS/Lync Edge role will initially establish the SSL dialog using the TLS_RSA_WITH_RC4_128_MD5 cipher suite.

In order to change the cipher suite order, do the following on your Windows Server 2008 (x64) or Windows Server 2008 R2 Edge server (if the edge server is joined to a DMZ domain then the Group Policy on the Domain Controller will need to be modified instead of the local machine):

1. Start -> Run -> regedit.exe -> OK
2. Within the Registry Editor, locate the following Key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

3. Right-click the key and select "Export"
4. Select the Desktop and type in a filename to export the registry key to.
5. Right-click the file on the desktop and select “Edit”
6. The contents of the file should look like this if you have not set the cipher suite order yet:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

7. If you have set the cipher suite order before then there may be a value for the key that looks similar to this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"

(Note there may be some truncation at the end because Group Policy Editor has a limit of 1023 characters.) Thanks to Alex Lewis for pointing this out.

8. The goal is to move TLS_RSA_WITH_RC4_128_MD5 to the front of the list. So, in your exported registry key file, find TLS_RSA_WITH_RC4_128_MD5, cut it, navigate to the beginning of your long SSL cipher string, and paste TLS_RSA_WITH_RC4_128_MD5 there. (Note: if your string was truncated before, you might want to use the example below instead.) The new order should look like the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"

9. Check the string for accuracy and make sure there are no line breaks within the SSL cipher string.
10. Save the file and then double-click the file to merge the changes with your current Registry.
11. To verify, in the Registry Editor, navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
12. For the changes to take effect, restart your Windows Server.

Another way to do this is via PowerShell; take a look at this site for an example (Thanks to John A Cook for sending this along):

http://derek858.blogspot.com/2010/06/powershell-command-to-change-windows.html
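To make the reorder repeatable and to catch the two mistakes the steps above warn about (a string that was already truncated at 1023 characters, and a stray line break inside it), here is an added PowerShell example written for this post; it is not the script at the link above and not from the original post. It works on the `Functions` value of the policy key named in step 2 on the local machine (so it does not cover the DMZ-domain case where the Domain Controller's Group Policy must be edited), exports the key first as steps 3 and 4 do, and takes the suite to promote as a parameter, so it is not tied to TLS_RSA_WITH_RC4_128_MD5; that suite was a workable choice against 2011-era peers, but RC4 and MD5 are deprecated for TLS today, so treat the suite name as the input to the procedure rather than a recommendation. Function names are chosen for this example.

```powershell
# Added example, not from the original post: scripted version of steps 2 through 12.
$sslKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$gpeditLimit = 1023   # Group Policy Editor limit the post mentions

function Backup-CipherSuiteOrder {
    # Steps 3 and 4: export the key before touching it
    $file = Join-Path ([Environment]::GetFolderPath('Desktop')) 'ssl-cipher-order-backup.reg'
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' $file /y | Out-Null
    return $file
}

function Get-CipherSuiteOrder {
    # Empty result means no policy order has been set yet (the step 6 case)
    $v = (Get-ItemProperty -Path $sslKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($v) { return @($v -split ',') } else { return @() }
}

function Move-CipherSuiteToFront {
    param(
        [Parameter(Mandatory = $true)][string]$Suite,
        [string[]]$Order
    )
    if ($Order -notcontains $Suite) {
        # Most likely cause on this key: the string was cut off at 1023 characters (step 7 note)
        throw "$Suite is not in the current order; the value may be truncated, rebuild it from a known-good list"
    }
    return @($Suite) + @($Order | Where-Object { $_ -ne $Suite })
}

function Set-CipherSuiteOrder {
    param([Parameter(Mandatory = $true)][string[]]$Order)
    $value = $Order -join ','
    # Step 9: no line breaks or spaces inside the string
    if ($value -match '\s') { throw 'Cipher string contains whitespace or a line break' }
    if ($value.Length -gt $gpeditLimit) {
        Write-Warning "Cipher string is $($value.Length) characters; Group Policy Editor would truncate it at $gpeditLimit"
    }
    if (-not (Test-Path $sslKey)) { New-Item -Path $sslKey -Force | Out-Null }
    Set-ItemProperty -Path $sslKey -Name Functions -Value $value -Type String
    # Step 12: the change is only picked up after a restart
    Write-Output "Cipher order written ($($Order.Count) suites); restart the server for it to take effect"
}

# Usage, mirroring the post: promote one suite to the front of the existing list
Backup-CipherSuiteOrder
$current = Get-CipherSuiteOrder
$new     = Move-CipherSuiteToFront -Suite 'TLS_RSA_WITH_RC4_128_MD5' -Order $current
Set-CipherSuiteOrder -Order $new
```

Running `Get-CipherSuiteOrder` again after the restart is the step-11 verification; comparing its first element against the suite you promoted is the check worth putting in a post-change test.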

Thursday, May 5, 2011

Exchange 2007 UM on Server 2008 R2

This last week I was deploying Lync 2010 with Exchange 2007 UM and I ran into the following error on the Exchange 2007 UM server.

The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred. The error code was "-2146893052" and the message was "The Local Security Authority cannot be contacted".
After doing some research, I found out the problem was related to the Exchange 2007 UM role being deployed on Server 2008 R2.

Fortunately, Exchange 2007 SP3 adds support for Server 2008 R2 and once it was installed everything worked as expected.

Here is the Technet article that covers Exchange 2007 SP3.
http://technet.microsoft.com/en-us/library/ff607226(EXCHG.80).aspx