
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 965

Exchange 2010 TLS

Currently we have an Exchange 2010 DAG: 2x mailbox servers and 2x CAS/HUB servers. The CAS servers relay off of a WatchGuard appliance which sends the mail to Microsoft Forefront Protection servers. I have a requirement to set up TLS with a specific domain; if TLS fails the email transmission should fail, so opportunistic is not an option. As I understand it I will have to purchase a qualified SSL cert and create a send connector in Exchange which will force the TLS. My question is, do I have to set this up at every hop? WatchGuards and FOPE?
Thank you in advance.
1 Solution
Simon Butler (Sembee), Consultant, commented:
Usually with TLS it is direct. So whatever else is being used is bypassed so that Exchange sends and receives directly with the TLS enabled host. Does the watchguard support enforced TLS? It would need to be on every hop, otherwise what is the point? The client wants the email secure from them to you. If the email isn't secure once it is inside then that fails their security test.

You can still use MS Forefront Online if you wish - they have options to use TLS on outgoing mail to specific domains, etc.


You must have TLS, you say?
Sure you have trusted business partners, but your messaging back and forth should be trustworthy too. FOPE now provides several forced Transport Layer Security (TLS) options through policy rule settings. Now your inbound and outbound email routing channels can use TLS with the partners you designate. Did we go too deep already? TLS is a cryptographic protocol that provides enhanced security for communications over the Internet. Find out more about the TLS options in our soon-to-be viral video titled “Regulated Partner With Forced TLS” on TechNet Edge. More details are in our latest forced-TLS scenario product documentation too.

So you can choose either one via Forefront or through an Exchange Hub Transport.

If you use MS Exchange you will have to get a NAT-ed IP address or a public IP address. Create a new send connector with the address space of that domain and configure the TLS options. And as you stated, best to work with a purchased SSL cert here. And assign SMTP to that certificate.

No you would only have to setup TLS on that send connector to the remote server/domains.
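The steps in the answer above (bind the purchased certificate to SMTP, then create a dedicated send connector that forces TLS for one address space) as a worked Exchange Management Shell example. This is an added example, not something posted in the thread; it assumes Exchange 2010 SP1 or later (the TlsAuthLevel and TlsDomain parameters), a partner domain of partner.example.com, Hub Transport servers named HUB01 and HUB02, and a placeholder certificate thumbprint that you would replace with the value from Get-ExchangeCertificate.

```powershell
# Added example (not from the thread). Exchange 2010 SP1+ Management Shell.
# Assumed values: partner domain, Hub server names and the certificate thumbprint.
$partnerDomain = "partner.example.com"            # assumed partner domain
$hubServers    = "HUB01", "HUB02"                  # assumed Hub Transport server names
$thumbprint    = "<THUMBPRINT-OF-PURCHASED-CERT>"  # placeholder; copy from Get-ExchangeCertificate

# 1. Bind the purchased certificate to the SMTP service on each Hub server so it
#    is the certificate offered during STARTTLS (the "assign SMTP" step above).
foreach ($hub in $hubServers) {
    Enable-ExchangeCertificate -Server $hub -Thumbprint $thumbprint -Services SMTP
}

# 2. Create a send connector scoped to the partner's address space only.
#    - DNSRoutingEnabled $true delivers straight to the partner's MX, so this
#      one domain bypasses the WatchGuard/FOPE path and the Exchange-to-partner
#      hop is the TLS session (the "direct" point made earlier in the thread).
#    - RequireTLS $true makes delivery fail (messages stay queued, then NDR)
#      if TLS cannot be negotiated, which removes the opportunistic fallback.
#    - TlsAuthLevel DomainValidation additionally checks that the partner's
#      certificate chains to a trusted CA and matches TlsDomain.
#    A connector with a more specific address space wins over the existing "*"
#    connector, so the rest of your outbound mail keeps its current route.
New-SendConnector -Name "Forced TLS to $partnerDomain" `
    -Usage Custom `
    -AddressSpaces "SMTP:$partnerDomain;1" `
    -DNSRoutingEnabled $true `
    -SourceTransportServers $hubServers `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain $partnerDomain `
    -ProtocolLoggingLevel Verbose

# 3. Confirm the settings took effect.
Get-SendConnector "Forced TLS to $partnerDomain" |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, RequireTLS, TlsAuthLevel, TlsDomain
```

Verbose protocol logging is switched on so you can confirm the STARTTLS exchange in the SmtpSend protocol log on the Hub servers; if the partner does not offer or complete TLS, Get-Queue will show the message sitting in a retry state for that connector rather than being delivered in the clear. If the partner also requires TLS on mail coming to you, the equivalent inbound setting is RequireTLS on a receive connector dedicated to their IP range, since setting it on the default receive connector would reject every sender that cannot do TLS.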

London2012 (Author) commented:
Thank you for the feedback. I will follow up with FOPE.
Cheers and have a good day.
