Exchange 2013 OWA Lync 2013 Integration

Been through many troubleshooting articles and still cannot resolve the "There's a problem with IM" message in OWA. Have confirmed the following:

  • web.config on all servers
  • Trusted partnership on Exchange and Lync
  • OwaVirtualDirectory (all servers) and OWAMailboxPolicy for users
  • SIP type address for users
  • Configured Lync with and without CSTrustedApplicationPool and CSTrustedApplication applications with no effect.

What remains are certificate issues. The major problem seems to be that all guides and troubleshooting tips are for test environments or micro environments with one Exchange box and one Lync FE. We have a Lync enterprise config that is load balanced and 2 Exchange servers with all roles on each and it is load balanced. The breakdown seems to be in what certificate is used on the Exchange systems but not sure if that is truly the case. Present configuration is such:

Exchange

2 Servers with MBX, CAS, U, and UC roles

CAS is load balanced using SAN cert (mail.contoso.com, autodiscover.contoso.com) whereas the servers have domain FQDNs of EX1.domain.local and EX2.domain.local. Therefore there are two certs that are IIS enabled: the mail.contoso.com cert and a self-signed cert. Cannot change that without breaking things unless the new cert has a subject name of mail.contoso.com.

Lync

2 FE servers that are load balanced using a SAN cert with names such as lyncpool.contoso.com, lyncadmin.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, lyncdiscoverinternal.contoso.com, meet.contoso.com, LyncFE1.domain.local, lyncFE2.domain.local

Attempted from Lync side to perform

set-CsTrustedApplicationPool -Identity mail.contoso.com -registrar lyncpool.contoso.com -Site lyncsite and then add CsTrustedApplications for each Exchange server

set-CsTrustedApplicationPool -identity mailcontoso.com -registrar lyncpool.contoso.com -Site lyncsite -ComputerFqdn ex1.domain.local and then adding another computer by new-CsTrustedApplicationComputer -identity ex2.domain.local -Pool mail.contoso.com. Still no dice

Does the cert being used on the Exchange servers, since they hold CAS and MBX roles, have to be a SAN cert such as:

Subject: mail.contoso.com; SANs: autodiscover.contoso.com, ex1.domain.local, ex2.domain.local

for this to work properly?

July 28th, 2015 2:36pm

Hi Peter,

Some questions for you.

What do you mean by "Therefore there are two certs that are IIS enabled"?

As the same IIS service can't be linked to 2 certs at a time.

CAS is load-balanced using what: NLB, HLB, DNS RR?

Is your Exchange a multirole, do you have DAG?
NLB and DAG can't coexist.

Are your certs trusted by each other (Lync, Exchange)?

Which article are you referring to for this configuration?

Integrating Microsoft Lync Server 2013 and Microsoft Exchange Server 2013:

https://technet.microsoft.com/en-us/library/jj688098(v=ocs.15).aspx

July 29th, 2015 3:49am
