Currently we have an Exchange 2010 DAG: 2x mailbox servers and 2x CAS/HUB servers. The CAS servers relay off of a WatchGuard appliance, which sends the mail to Microsoft Forefront Protection servers. I have a requirement to set up TLS with a specific domain; if TLS fails, the email transmission should fail, so opportunistic is not an option. As I understand it, I will have to purchase a qualified SSL cert and create a send connector in Exchange which will force the TLS. My question is, do I have to set this up at every hop? WatchGuards and FOPE?
Thank you in advance.
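The send-connector part of the procedure described in the post, as an added example written for this page (not from the original poster). It is Exchange 2010 Management Shell (Exchange 2010 SP1 or later, where `-TlsAuthLevel` and `-TlsDomain` exist). The domain `partner.example`, the connector name `Partner TLS`, the server names `HUB1`/`HUB2` and the certificate selection are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Assumed names:
#   partner.example  - the remote domain that must only receive mail over TLS
#   "Partner TLS"    - name of the new send connector
#   HUB1, HUB2       - the two CAS/HUB servers (Hub Transport role) that source the connector

# 1. Pick the certificate the Hub Transport servers will present, and make sure
#    it is enabled for the SMTP service. The subject filter is a placeholder.
Get-ExchangeCertificate | Format-List Thumbprint,Subject,CertificateDomains,Services,NotAfter
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*mail.example.com*" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. Create a send connector scoped to the partner domain only.
#    RequireTLS $true            : the session is dropped if STARTTLS is not offered or
#                                  negotiation fails; there is no opportunistic fallback.
#    TlsAuthLevel DomainValidation: validate the remote certificate chain AND require that
#                                  its subject/SAN matches TlsDomain, so a valid cert for
#                                  some other host is still rejected.
New-SendConnector -Name "Partner TLS" `
    -Usage Custom `
    -AddressSpaces "SMTP:partner.example;1" `
    -SourceTransportServers HUB1,HUB2 `
    -DNSRoutingEnabled $true `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain partner.example

# 3. Confirm the settings took effect before routing production mail over it.
Get-SendConnector "Partner TLS" |
    Format-List Name,AddressSpaces,SourceTransportServers,DNSRoutingEnabled,SmartHosts,RequireTLS,TlsAuthLevel,TlsDomain
```

Two points worth checking when adapting this. Exchange picks the send connector with the most specific address-space match, so mail for `partner.example` uses this connector instead of the existing catch-all relay connector, and nothing else changes. `RequireTLS` is enforced only on the connection the Hub Transport server itself opens: with `-DNSRoutingEnabled $true` that is the partner's MX, whereas a connector configured with `-DNSRoutingEnabled $false -SmartHosts <relay>` only guarantees TLS up to that relay, and whatever the relay does with the next hop is outside the connector's control.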