Exchange 2010 TLS

Posted on 2012-09-14
Last Modified: 2012-09-17
Currently we have an Exchange 2010 DAG: 2x mailbox servers and 2x CAS/HUB servers. The CAS servers relay off of a Watchguard appliance which sends the mail to Microsoft Forefront Protection Servers. I have a requirement to set up TLS with a specific domain; if TLS fails the email transmission should fail, so opportunistic is not an option. As I understand it I will have to purchase a qualified SSL cert and create a send connector in Exchange which will force the TLS. My question is: do I have to set this up at every hop? Watchguards and FOPE?
Thank you in advance.
Question by:London2012
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    Usually with TLS it is direct. So whatever else is being used is bypassed so that Exchange sends and receives directly with the TLS enabled host. Does the watchguard support enforced TLS? It would need to be on every hop, otherwise what is the point? The client wants the email secure from them to you. If the email isn't secure once it is inside then that fails their security test.

    LVL 15

    Accepted Solution

    You can still use MS Forefront Online if you wish - they have options to use TLS on outgoing mail to specific domains, etc.

    You must have TLS, you say?
    Sure you have trusted business partners, but your messaging back and forth should be trustworthy too. FOPE now provides several forced Transport Layer Security (TLS) options through policy rule settings. Now your inbound and outbound email routing channels can use TLS with the partners you designate. Did we go too deep already? TLS is a cryptographic protocol that provides enhanced security for communications over the Internet. Find out more about the TLS options in our soon-to-be viral video titled “Regulated Partner With Forced TLS” on TechNet Edge. More details are in our latest forced-TLS scenario product documentation too.

    So you can choose either one via Forefront or through an Exchange Hub Transport.

    If you use MS Exchange you will have to get a NAT-ed IP address or a public IP address. Create a new send connector with the address space of that domain and configure the TLS options. And as you stated, best to work with a purchased SSL cert here. And assign SMTP to that certificate.

    No, you would only have to set up TLS on that send connector to the remote server/domains.
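    The accepted solution's steps (dedicated send connector for the partner's address space, TLS forced on that connector, certificate bound to SMTP) as an added Exchange Management Shell example; this is not code from the thread. The partner domain partner.example, the Hub Transport names HUB01/HUB02 and the thumbprint are placeholders, and the availability of TlsAuthLevel/TlsDomain from Exchange 2010 SP1 onward is an assumption to verify on your build.

```powershell
# Added example (not from the thread): force TLS to one partner domain from the
# Exchange 2010 Hub Transport servers. Placeholders: partner.example, HUB01/HUB02
# and the certificate thumbprint; replace them with your own values.

# 1. Bind the purchased certificate to the SMTP service so the connector
#    presents it. Find the thumbprint with Get-ExchangeCertificate.
$thumb = "<THUMBPRINT-OF-PURCHASED-CERT>"   # placeholder
Enable-ExchangeCertificate -Thumbprint $thumb -Services SMTP

# 2. A connector scoped to the partner's address space only. DNS routing sends
#    straight to the partner's MX instead of via the Watchguard smart host, so
#    the TLS session is end to end between the two mail systems (the "TLS is
#    direct" point made earlier in the thread).
New-SendConnector -Name "Forced TLS - partner.example" `
    -Usage Custom `
    -AddressSpaces "SMTP:partner.example;1" `
    -SourceTransportServers "HUB01","HUB02" `
    -DNSRoutingEnabled $true

# 3. Fail closed: with RequireTLS the message is never sent in clear text; it
#    stays queued and eventually NDRs if the partner cannot negotiate TLS.
#    TlsAuthLevel/TlsDomain additionally require the partner's certificate to
#    be valid and issued for their domain, which RequireTLS alone does not check.
#    Assumption: these two parameters need Exchange 2010 SP1 or later; confirm
#    with Get-Help Set-SendConnector -Parameter TlsAuthLevel.
Set-SendConnector "Forced TLS - partner.example" `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain "partner.example"

# 4. Verify the effective settings before handing over to the partner.
Get-SendConnector "Forced TLS - partner.example" |
    Format-List Name,AddressSpaces,RequireTLS,TlsAuthLevel,TlsDomain,DNSRoutingEnabled
```

    After sending a test message, the Get-Queue output and the message tracking log show whether delivery succeeded over TLS or the message is held because TLS could not be negotiated.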


    Author Closing Comment

    Thank you for the feedback. I will follow up with FOPE.
    Cheers and have a good day.
