Solved
Exchange enabling TLS

Posted on 2009-07-13
Medium Priority
936 Views
Last Modified: 2013-11-30
I need to enable TLS between an Exchange 2007 and Exchange 2003 organization, each having a single bridgehead server. I have the steps outlined by the Microsoft Exchange team as follows:
http://msexchangeteam.com/archive/2006/10/04/429090.aspx

The issue is that my Exchange sits inside my network and I have a Barracuda on a DMZ which forwards port 25 through my firewall. My outbound connector setup would be straightforward as it would simply pass through the Barracuda and forward to the other organization.

The article recommends setting up a second IP and using that dedicated IP for the traffic received from the remote Exchange server. Since I have a dedicated IP on the DMZ forwarding from the Barracuda to the Exchange, I am not sure how to accomplish the inbound connector for the TLS connection. I do not see how I can assign a dedicated IP with this configuration.
Question by:MarkGho
7 Comments
 
LVL 11

Expert Comment

by:kyodai
ID: 24844832
It is best practice to have a separate IP for TLS but if you can't you can also do it with one single IP.
 

Author Comment

by:MarkGho
ID: 24844865
The question of the day would be: is it possible to assign a second IP, and if so, where would that be accomplished given that I have a DMZ setup with a Barracuda spam filter?
 
LVL 65

Expert Comment

by:Mestha
ID: 24845131
Unless the appliance can support TLS you will have to bypass it.
TLS needs to be direct point to point, or the servers involved need to be able to take the TLS traffic and then pass it on.

You would have to use either an alternative IP address or port as Exchange 2003 cannot do opportunist TLS. If you have an appliance, I would check with them first whether they can support a TLS connection both inbound and outbound.

If they will not do it outbound, that is easily fixed by simply setting up an SMTP connector to point directly to the Exchange 2007 system and setting it to use TLS.

Simon.

Author Comment

by:MarkGho
ID: 24850038
The appliance does support TLS.

This feature is enabled on the Advanced > SMTP/TLS page (set Enable SMTP over TLS/SSL to Yes). When set to Yes, SMTP over TLS will be enabled for incoming connections and attempted for outgoing connections (the other server needs to support it).

SMTP over TLS/SSL defines a new SMTP command, STARTTLS. This command advertises and negotiates an encrypted channel with the peer for this SMTP connection. The certificate information, including hostname and certificate type, is taken from the information entered on the Advanced > Secure Administration page.

My question becomes: how do I dedicate a new IP? It appears that the appliance will respond to TLS; do I need a new IP?
 
LVL 65

Accepted Solution

by: Mestha (earned 2000 total points)
ID: 24850131
It sounds like the appliance will support opportunist TLS, so you may not need to have a second IP address. You will need a trusted SSL certificate for your host name though for inbound email to use TLS.

Simon.
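The STARTTLS behaviour quoted from the appliance documentation above, and the accepted answer's point that opportunistic TLS only helps if the peer advertises STARTTLS and presents a certificate that validates for its host name, can be checked directly. The following is an added example, not code from this thread, from Microsoft, or from Barracuda. It parses an EHLO reply to see whether STARTTLS is advertised, shows how an "opportunistic" policy (fall back to clear text) differs from a "required" policy (refuse to send), and includes a live check built on Python's standard `smtplib` that upgrades the session while validating the certificate chain and host name. The host names and the two EHLO replies are constructed placeholders.

```python
"""Reason about and verify STARTTLS on an SMTP peer (added example).

Pieces:
  parse_ehlo_capabilities  - turn a raw 250 EHLO reply into a keyword map
  decide_tls               - opportunistic vs. required TLS decision
  check_starttls_live      - real connection check with certificate validation
"""
import smtplib
import ssl
from dataclasses import dataclass

# Constructed sample EHLO replies; not captured from any real server.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.test Hello [192.0.2.11]\r\n"
    "250-SIZE 20971520\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_capabilities(ehlo_reply: str) -> dict:
    """Parse a multi-line 250 reply into {KEYWORD: parameters}.

    The first line carries the greeting (host name plus free text) and is
    skipped; every following '250-' or '250 ' line is one extension.
    """
    caps = {}
    lines = [line.strip() for line in ehlo_reply.splitlines() if line.strip()]
    for line in lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


@dataclass
class TlsPolicy:
    # True models a connector that must use TLS (refuse rather than send in clear);
    # False models opportunistic TLS as the appliance documentation describes it.
    require_tls: bool


def decide_tls(caps: dict, policy: TlsPolicy) -> str:
    """Return 'starttls', 'plaintext' or 'refuse' for the given peer capabilities."""
    if "STARTTLS" in caps:
        return "starttls"
    return "refuse" if policy.require_tls else "plaintext"


def check_starttls_live(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, send EHLO, and if STARTTLS is offered upgrade the session.

    ssl.create_default_context() verifies the certificate chain against the
    system trust store and checks the host name, so a self-signed or
    mismatched certificate surfaces here as an error. Needs network access.
    """
    result = {"host": host, "advertises_starttls": False, "tls_ok": False, "error": None}
    context = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["advertises_starttls"] = smtp.has_extn("starttls")
            if result["advertises_starttls"]:
                smtp.starttls(context=context)
                smtp.ehlo()  # capabilities must be re-read after the upgrade
                result["cert_subject"] = smtp.sock.getpeercert().get("subject")
                result["tls_ok"] = True
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS), ("legacy", EHLO_WITHOUT_STARTTLS)):
        caps = parse_ehlo_capabilities(reply)
        for policy in (TlsPolicy(require_tls=False), TlsPolicy(require_tls=True)):
            print(name, "require_tls=%s" % policy.require_tls, "->", decide_tls(caps, policy))
    # Live check against a placeholder host; replace with the appliance's public name.
    print(check_starttls_live("mail.example.test"))
```

The offline part is what matters for the thread: a peer that never advertises STARTTLS (the legacy reply) is sent to in clear text under an opportunistic policy and refused under a required one, which is why a dedicated connector or IP is only needed when the clear-text fallback is unacceptable. The live check is the test to run against the appliance's public host name from outside the DMZ: it should report `advertises_starttls` true and `tls_ok` true with no error before relying on inbound TLS.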
 

Author Comment

by:MarkGho
ID: 24850488
That is what I was thinking. The appliance will enable TLS through the certificate. Any traffic identified from that host will automatically enable a TLS session and the rest of the traffic will connect normally.
 

Author Comment

by:MarkGho
ID: 24881834
The confusion is how the Barracuda, despite doing opportunistic TLS, will deal with receiving Exchange 2003 mail?
