Using SEFAUtil – Part 1 – Prerequisites and Installation

Using SEFAUtil – Part 1 – Prerequisites and Installation

SEFAUtil is part of the Lync Server Resource Kit. This Kit is a collection of various tools to help with tasks while deploying and managing Lync Server.

This two part series of posts is all about SEFAUtil:

  • Part 1 – Prerequisites and Installation: Set up a Trusted Application Server and get SEFAUtil to run
  • Part 2 – Perform configuration using the tool


What is SEFAUtil?

As said SEFAUtil is part of the Lync Server Resource Kit tools. It’s a command-line tool that enables you to configure the following options:

  • delegate-ringing
  • call-forwarding
  • simultaneous ringing
  • team-call settings
  • group call pickup

Most of the options can be configured by the Lync user himself using the “call forwarding” settings within the Lync client. It therefore allows the administrator to enable/disable/modify call forwarding or simultaneously ringing on behalf of the user. You can also just read the currently active configuration.



SEFAUtil needs to be used on a computer that is part of a Trusted Application Pool. The tool needs to be defined as a Trusted Application. Additionaly, UCMA 3.0 must be installed on that computer. Therefore, the following steps are necessary for using SEFAUtil:

  1. Identify a server you want to use in a Trusted Application Pool
  2. Define the Server as a Trusted Application Pool
  3. Define SEFAUtil as a Trusted Application
  4. Get your Trusted Application server ready
  5. Celebrate because your SEFAUtil works


Set up a Trusted Application Pool and Trusted Application

First you want to identify the server you will use in a Trusted Application Pool. This can basically be any Windows Server, even a Lync Server, although you should not use a Front End Server. Within larger deployments I usually recommend using a small extra server, that can be used for all kinds of administrative tasks (e.g. syslog, Lync Administrative tools, etc.).

Next, set up a Trusted Application Pool. You can create it using the Lync Topology Builder or, of course, PowerShell.

Lync Topology Builder


Within your Lync Topology create a “New Trusted Application Pool”.


You’ll be asked to define a FQDN.


Next you can associate a next hop pool. That’s the last step.


Lync PowerShell

Of course you can also create the Trusted Application Pool directly using Powershell.

New-CsTrustedApplicationPool -id <Pool FQDN> -Registrar <Pool Registrar FQDN> -site Site:<Pool Site>

New-CsTrustedApplicationPool -id taps01.lab01.local -Registrar lspool01.lab01.local -site Site:Dresden

You can get the name of your configured Sites using the following command:


Next you have to set SEFAUtil as a Trusted Application and connect it to the Trusted Application Pool (TAP) you created. This step you have to perform in PowerShell.

New-CsTrustedApplication -ApplicationId <ID of Application> -TrustedApplicationPoolFqdn <TAP FQDN> -Port <Port>
New-CsTrustedApplication -ApplicationId sefautil -TrustedApplicationPoolFqdn taps01.lab01.local -Port 7489

For the port you can use pretty much any free port you want.


To enable the changes run the following command:



Get your Trusted Application Server ready

Now that the topology configuration is complete, you can move on to the Trusted Application server itself. As said, you need to install UCMA 3.0. Usually I use the Lync installation for that step, because I will make use of the Lync Deployment Wizard later on for the certificate. This is not a must, I just think it’s a nice and easy way.

After the installation is done (and you have installed the local configuration store), request and assign a certificate with the Certificate Wizard. The default information is already sufficient, you don’t really have to make any changes.


Install the Lync Server Resource Kit. The current version for Lync 2013 can be found here:



Use your SEFAUtil

By default you can find the tool in C:\Program Files\Microsoft Lync Server 2013\ResKit.

You should start your PowerShell as an administrator. After navigating to the location above you can use SEFAUtil.



More about how to use SEFAUtil will follow in Part 2 – Perform configuration using the tool.




My name is Simone Liebal and I’m working as a Cloud Solution Architect at Microsoft in Germany with the focus point on Cloud Voice.
I support partners with their Skype for Business projects and offerings following the Skype Operations Framework.

Opinions displayed on this blog and my social media pages are my own and do not express the views and opinions of Microsoft.

3 thoughts on “Using SEFAUtil – Part 1 – Prerequisites and Installation

  1. Miguel Oliveira

    Hi Simone,

    Thank you for this article and the detail of the information regarding the SEFAUtil. I have a question though:

    I have 3 different pools (PROD, TEST, DEV) and my question is: Can I have the same Trusted App Server assigned to all of them in order to use the same SEFAUtil deployment to manage the different users in those pools?

    Thanks in advance.

    1. SimoneSimone Post author

      Hi Miguel,

      thank you for your comment.

      I assume these three Front End pools can communicate with each other and they are part of the same topology. If that is the case, you can use one SEFAUtil Deployment to get information from users across multiple Front End pools.

      As said in the post above, your Trusted Application Pool/Server needs a next hop pool (if you use the Topology Builder) / Registrar (if you use PowerShell).
      Let’s say you define your PROD Front End pool as the next hop for your Trusted Application pool and you want to use SEFAUtil within that Trusted Application pool to get information from users whose registrar pool is TEST or DEV. In this case it is important to name the registrar of the user with the “/server” switch when you use SEFAUtil. E.g.: “.\sefautil.exe sip:test01@lab.local /server:TEST.lab.local ”

      I hope that helps.

Leave a Reply

Your email address will not be published. Required fields are marked *