How do I force TLS encryption from one Exchange 2007 server to another?

I understand from that TLS is enabled by default for server-to-server traffic.

I, also, read "SSL certificates are installed by default in Exchange Server 2007, enabling broad use of SSL and TLS encryption from clients such as Outlook Web Access and other SMTP servers."

I am unclear on a couple of items:
1. Must I purchase 3rd party certificates?
2. Must I purchase a 3rd party certificate for both servers?
3. What is needed to encrypt data between the (full blown) Outlook client and its own Exchange Server (and then the remote domain)?
4. Is there a good step-by-step for forcing TLS exchange 2007 to exchange 2007 encryption?
(other than this one:

No, you don't need to purchase 3rd party certificates for Exchange to Exchange encryption in your org. There are certificates automatically provided by your active directory infrastructure and since your Exchange servers are both members of the domain they trust the certificates.

For encryption between Exchange and Outlook within the org, encryption is automatic. If you are using Outlook Anywhere to allow Outlook clients to connect without VPN, then you do need to purchase a 3rd party certificate.

Also, the article you mentioned is fine for encryption info.
kblumenAuthor Commented:
This is to another organization outside of my forest completely. A separate company. I need to force all mail to and from this organization to be encrypted.  
kblumenAuthor Commented:
Also... My clients do connect with Outlook Anywhere (RPC over HTTPS) without a VPN.  Where would the certificate be installed if it is already in place?  I am new to this organization.
kblumenAuthor Commented:
I do see on my front end exchange servers that a certificate is installed in the RPC directory.  I do not see where that certificate lives on my laptop.  Can anyone help me understand what I am missing.

kblumenAuthor Commented:
When checking out my Trust Root Certificate Authority on my Laptop, the certificate for our organization does not contain (.com) after our domain name.  Is this the certificate that Outlook Anywhere uses?  I would have guessed it would have the .com top-level domain in the subject.
kblumenAuthor Commented:
So must I buy 3rd party certificates for both servers?
Yes, you need 3rd party certs for both your server and the one for the other organization. The certificate that is installed on your server can be used for both TLS connections and Outlook Anywhere.
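As an added example (not part of the original thread or any of its answers), the Exchange Management Shell sequence below shows the steps the final answer and question 4 refer to: request and bind one third-party certificate that serves both SMTP TLS and Outlook Anywhere, then force TLS to and from the partner organization. All host and domain names (mail.contoso.com, partner.example, HUB01) are placeholders, and the partner must do the matching work on their side with a certificate your server trusts.

```powershell
# Exchange 2007 SP1 Management Shell, run on the Hub Transport / Client Access server.
# mail.contoso.com, contoso.com, partner.example and HUB01 are assumed placeholder names.

# 1. Generate a CSR for the public name that SMTP peers and Outlook Anywhere clients connect to.
#    One certificate is enough: SMTP uses it for STARTTLS, IIS uses it for RPC over HTTPS / OWA.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso Ltd, cn=mail.contoso.com" `
    -DomainName mail.contoso.com, autodiscover.contoso.com `
    -PrivateKeyExportable $true `
    -Path C:\certreq\mail.contoso.com.req

# 2. After the third-party CA returns the signed certificate, import it and bind it to SMTP and IIS.
Import-ExchangeCertificate -Path C:\certreq\mail.contoso.com.cer |
    Enable-ExchangeCertificate -Services "SMTP, IIS"

# 3. Confirm which certificate is actually in use: the new thumbprint should list SMTP and IIS
#    under Services, and the old self-signed certificate should no longer own those services.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 4. Outbound: a Send connector scoped only to the partner's domain, with TLS required.
#    Mail to that address space fails rather than falling back to clear text if STARTTLS is refused.
New-SendConnector -Name "Partner TLS" -Usage Custom `
    -AddressSpaces "SMTP:partner.example;1" `
    -SourceTransportServers "HUB01" `
    -DNSRoutingEnabled $true `
    -RequireTLS $true

# 5. Inbound: RequireTLS on a Receive connector applies to every sender that hits that connector,
#    so the per-domain way to force encryption from the partner is Domain Security (mutual TLS).
#    Both sides list each other; each side's certificate must chain to a CA the other side trusts,
#    which is why a self-signed or internal-CA certificate is not sufficient here.
Set-TransportConfig -TLSSendDomainSecureList partner.example -TLSReceiveDomainSecureList partner.example
Set-SendConnector "Partner TLS" -DomainSecureEnabled $true
# Keep the existing mechanisms on the inbound connector; Tls must be among them for Domain Security.
Set-ReceiveConnector "HUB01\Default HUB01" -DomainSecureEnabled $true `
    -AuthMechanism "Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer"

# 6. Check from outside that STARTTLS is offered and the new certificate is presented.
#    openssl is not part of Exchange; run this from any host that has it.
# openssl s_client -starttls smtp -connect mail.contoso.com:25
```

Step 6 is the check worth repeating after every renewal: a client that connects to mail.contoso.com and is shown the old self-signed certificate will fail TLS validation, and with RequireTLS set the partner's mail to you will queue rather than be delivered.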
