Exchange2013 and Asterisk Trunk

hi there.
I have an Asterisk and Exchange2013 UM, and I want to create a SIP trunk between them.
I created the trunk like the bellow mentioned:

host=10.10.150.59
type=peer
insecure=port,invite
transport=tcp
port=5065
canreinvite=no
context=from-internal
unsolicited_mailbox=@default
qualify=yes

and also an outbound route directed to this trunk:

(+) |[3990]
[3XXX]

but when I called to 3990, 3920 or other numbers, I received these error messages:

[2013-10-21 16:54:58] WARNING[3421][C-00000038]: chan_sip.c:22927 handle_response_invite: Received response: “Forbidden” from ‘“khk” sip:5001@10.10.150.86;tag=as0c66acd4’

[2013-10-21 16:54:58] WARNING[3706][C-00000038]: app_dial.c:2437 dial_exec_full: Unable to create channel of type ‘SIP’ (cause 20 - Subscriber absent)

[2013-10-21 16:55:02] WARNING[3706][C-00000038]: channel.c:4816 ast_prod: Prodding channel ‘SIP/5001-00000062’ failed

what is my problem? please help me in this case because it is very important and critical for us.
thank you and waiting…

You are not authorised to make calls to 3900, unencrypted and over UDP, from port 5060 to port 5065, with user being the caller ID from the upstream, domain being the address of the Asterisk box, and no authentication data. What does Exchang 2013 actually require? (Note that Lync works in terms of canonical international numbers, so Exchange may want this too. Also, Lync requires TCP, and would normally use port 5061.)

(Some of this assumes a default general section.)

Although not directly relevant to the problem:

canreinvite is deprecated.

insecure=invite does nothing if there is no secret, or if the only secret is a remotesecret.

insecure=port is largely orthogonal to insecure=invite, and may well not be needed.

hi david and thank you for your help.
I read your post and I think I got your point.
I configured Exchange UM to use TCP, using port number 5065.
also, when creating my dialplan, I configured it to be UNSECURED.
so, it can let others to dial without being authenticated.
besides, Exchange only lets E.164 standard extension number to be defined. so I prepend a “+” to the numbers that are called from the side of Asterisk to access to their Voice Mailboxes on Exchange.
so, what do you think now?

Hello…
Can anyone help me in this case?