DHPBilcare


Help on TLS in Exchange 2007

We have an Exchange 2007 server and one of our customers has asked the following questions:

Can we enforce TLS for their domain?
Can we enforce Verisign-signed certificate for TLS?

This is looking at setting up secure email, but can anyone help explain technically what I need to do to satisfy this request, as I've never looked at TLS or certificates before.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
ASKER

To add to our company:

1) We don't have a trusted SSL certificate in place.
2) We route email out via a Smart Host.

How will this impact using TLS with Exchange 2007?
Why do you use the smart host?
You will need to bypass the smart host for email to that client. Whether that causes a problem will depend on the reason for using the smart host.
Same for inbound email - does that come direct or via another service?

Do you not offer remote access to your Exchange server then? No OWA, ActiveSync or Outlook Anywhere?

You will need to get a commercial signed certificate - this is how to do it, although the examples do not use Verisign.
http://exchange.sembee.info/2007/install/multiplenamessl.asp

Simon.
At present we use Star and Messagelabs as our ISP and they also provide us with a managed offsite firewall. All our outgoing email is routed through their SMTP servers as we don't use direct MX/DNS for outgoing email.

We do use OWA but don't have a trusted certificate in place.

I'm still learning TLS but I'm assuming that we will need direct DNS for this customer and a trusted public certificate to make TLS work for this client.
You are going to need a separate host name for TLS, as it is direct point to point communication. Message Labs could probably do TLS for you, as they are now owned by Symantec, who also own Verisign SSL certificates. However that may not be acceptable to your client.

What I would suggest is that you use the same host name as you do for OWA, then the same common name on the SSL certificate will work for both OWA and SMTP.

Simon.
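The following is an added example, not part of the thread and not Simon's or the asker's configuration. It shows, in the Exchange 2007 Management Shell, the pieces the discussion above describes: requesting a commercial certificate whose common name is the OWA host name so one certificate serves both OWA and SMTP, a dedicated send connector that routes mail for the customer's domain directly by DNS (bypassing the smart host) and refuses to send without TLS, and a receive connector scoped to the customer's servers that requires TLS inbound. All names are constructed: the hub server HUB01, the host name mail.example.com, the customer domain customer.example and the customer's sending range 203.0.113.0/24 are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Constructed placeholder values; replace with your own.
$HostName       = "mail.example.com"     # same name as used for OWA
$CustomerDomain = "customer.example"     # the domain that must be TLS-only
$CustomerIPs    = "203.0.113.0/24"       # customer's outbound mail servers
$HubServer      = "HUB01"                # Hub Transport server

# 1. Certificate request: common name = OWA host name, plus any other names
#    clients connect to, so one public CA certificate covers IIS and SMTP.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$HostName, O=Example Ltd, C=GB" `
    -DomainName $HostName, "autodiscover.example.com" `
    -PrivateKeyExportable $true `
    -Path "C:\certs\$HostName.req"

# 2. When the CA (Verisign or another publicly trusted CA) returns the signed
#    certificate, import it and bind it to SMTP and IIS (OWA).
$cert = Import-ExchangeCertificate -Path "C:\certs\$HostName.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "SMTP, IIS"

# Confirm which certificate SMTP now presents and who issued it.
Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" } |
    Format-List Subject, Issuer, NotAfter, Thumbprint

# 3. Outbound: a send connector only for the customer's domain. DNS routing
#    means mail for that domain goes direct via MX, not through the smart host;
#    RequireTLS makes delivery fail rather than fall back to plain SMTP.
New-SendConnector -Name "TLS-$CustomerDomain" `
    -Usage Custom `
    -AddressSpaces "SMTP:$CustomerDomain;1" `
    -DNSRoutingEnabled $true `
    -RequireTLS $true `
    -Fqdn $HostName `
    -SourceTransportServers $HubServer

# 4. Inbound: a receive connector limited to the customer's IP range. Exchange
#    picks the connector with the most specific RemoteIPRanges match, so only
#    that customer is forced to STARTTLS; everyone else still hits the default.
New-ReceiveConnector -Name "TLS-from-$CustomerDomain" `
    -Usage Internet `
    -Server $HubServer `
    -Bindings "0.0.0.0:25" `
    -RemoteIPRanges $CustomerIPs `
    -RequireTLS $true `
    -Fqdn $HostName

# 5. Optional: Domain Security (mutual TLS with certificate validation in both
#    directions). Both organisations must configure it for their side.
Set-TransportConfig -TLSSendDomainSecureList $CustomerDomain `
                    -TLSReceiveDomainSecureList $CustomerDomain
Set-SendConnector "TLS-$CustomerDomain" -DomainSecureEnabled $true
Set-ReceiveConnector "$HubServer\TLS-from-$CustomerDomain" `
    -DomainSecureEnabled $true -AuthMechanism Tls

# 6. Verify the outbound settings took effect.
Get-SendConnector "TLS-$CustomerDomain" |
    Format-List Name, AddressSpaces, RequireTLS, DNSRoutingEnabled, SmartHosts
```

RequireTLS on its own only guarantees the session is encrypted; it does not check who issued the remote certificate, and Exchange 2007 has no setting that restricts a partner to a particular CA such as Verisign. Domain Security (step 5) goes further by requiring each side's certificate to chain to a trusted root, which is the closest Exchange 2007 gets to the customer's second question. Step 3 is also where the smart-host question is answered in practice: the dedicated connector bypasses the ISP's SMTP relay for this one domain, while all other mail keeps using the existing smart-host connector.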
Will I require a publicly trusted certificate to make this work?
Yes.
That is why you need to buy a certificate - from Verisign or someone else.

Simon.
Another question I'm being asked is can we read Verisign-signed certificates for TLS?

I'm assuming we can't unless we have a certificate.
SOLUTION