Procedure to configure mutual TLS on SBS 2008 (Exchange 2007)

hounschell
I need to create a mutual TLS connection with a client. Our SBS 2008 server has always used self-signed certificates, which I know will not work for this configuration. Can anyone walk me through the process, from the type of public Exchange certificate I buy, to installing the certificate, to creating the Exchange connector for the mutual connection? I'm assuming I would create a connector just for communications with this client, since the purpose of this exercise is their requirement.
Top Expert 2016

Commented:
You can use your internal CA's certificates if you each import the other's certificate. Same with the other party: they can use their internal CA certificate; the stipulation is that you must trust each other's root certificate authority. Trusting another company's CA infrastructure is more common than the majors (VeriSign, GoDaddy, RapidSSL, et al.) would want you to believe. It does mean planning your PKI settings and your PKI policies, and you may only trust one subordinate CA and not others. This requires a sharing of policy information between both companies.

One example is at http://technet.microsoft.com/en-us/library/bb123543%28v=exchg.141%29.aspx#Step1

Author

Commented:
ve3ofa,

I spoke with the client's support team and they are requesting that we upgrade to a public certificate (FYI, this is a connection to a bank), so let's proceed knowing that requirement.

This is their certificate info, if it helps:
Client xyz is using a public VeriSign certificate signed by
VeriSign Class 3 Secure Server CA - G3
VeriSign Class 3 Public Primary Certification Authority - G5
Top Expert 2016

Commented:
OK then, any cert will do. Instructions on how to create a certificate request for the Hub Transport server:
http://technet.microsoft.com/en-us/library/dd351057%28v=exchg.141%29.aspx

Enter the FQDN of your Hub Transport server if you'll be using mutual TLS to help secure Internet mail or if you'll be using a Hub Transport server for POP and IMAP client submission.
Most Valuable Expert 2014
Commented:
A regular UC-type certificate will be fine. That way it will protect everything on the server, including ActiveSync, OWA and Outlook Anywhere, as well as the SMTP traffic flow.

SBS 2008 needs the SSL certificate done in a certain way.
http://exchange.sembee.info/2007/install/sbs2008ssl.asp

A cheap GoDaddy SSL certificate will be fine, that will still do the TLS that is required.

Once you have the SSL certificate in place, follow the instructions on Technet for Mutual TLS.

Simon.
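The steps the two answers point to (certificate request for the Hub Transport FQDN, binding the issued certificate to SMTP, then the Domain Security / mutual TLS connector configuration from the linked Technet article), as an added Exchange Management Shell example for Exchange 2007. This is not code from the thread, from the Technet articles or from Microsoft; mail.example.com, bank.example, SBSSERVER and the connector names are placeholders for your own values.

```powershell
# Added example for Exchange 2007 on SBS 2008, run in the Exchange Management Shell.
# Placeholders: mail.example.com (our Hub Transport FQDN the partner connects to),
# bank.example (the partner's SMTP domain), SBSSERVER (our server name).

# 1. Certificate request for a public CA. The subject/SAN must carry the Hub Transport
#    FQDN, because the partner's mutual TLS check verifies the name as well as the chain.
New-ExchangeCertificate -GenerateRequest -Path "C:\mail.example.com.req" `
    -SubjectName "c=US, o=Example Inc, cn=mail.example.com" `
    -DomainName "mail.example.com","autodiscover.example.com","SBSSERVER.example.local" `
    -PrivateKeyExportable $true -KeySize 2048

# 2. Import the certificate the CA returns and bind it to the SMTP (and IIS) services.
#    Re-read the thumbprint from the store rather than pasting it by hand.
Import-ExchangeCertificate -Path "C:\mail.example.com.cer"
$thumb = (Get-ExchangeCertificate -DomainName "mail.example.com" |
          Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumb -Services "SMTP, IIS"

# 3. Outbound: a send connector scoped to the partner's domain only, with Domain Security.
#    DNS routing must stay on (no smart host) and STARTTLS must not be ignored.
New-SendConnector -Name "Partner - bank.example" -Usage Partner `
    -AddressSpaces "bank.example" -DNSRoutingEnabled $true -IgnoreSTARTTLS $false `
    -SourceTransportServers "SBSSERVER" -DomainSecureEnabled $true
# Set-TransportConfig replaces the whole list, so include any domains already on it.
Set-TransportConfig -TLSSendDomainSecureList "bank.example"

# 4. Inbound: the receive connector the partner reaches must offer TLS authentication.
#    "Windows SBS Internet Receive SBSSERVER" is the assumed SBS default connector name.
Set-ReceiveConnector -Identity "SBSSERVER\Windows SBS Internet Receive SBSSERVER" `
    -DomainSecureEnabled $true -AuthMechanism "TLS"
Set-TransportConfig -TLSReceiveDomainSecureList "bank.example"

# 5. Verify: SMTP is among the certificate's services, it is not near expiry,
#    and both domain-secure lists contain the partner.
Get-ExchangeCertificate -Thumbprint $thumb | Format-List Subject, Services, NotAfter
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
```

The partner must do the mirror-image configuration on their side (trust your CA's chain, list your domain as domain-secured), otherwise the connection falls back to failing rather than to opportunistic TLS.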

Author

Commented:
Sembee2,

Thanks, this article looks quite helpful. I'll get started on this next week.

Author

Commented:
Thank you, cert installed. Next I need to create a mutual connection between our server and theirs.
