Solved

Setting up Mutual TLS on Exchange 2010 with External organisation

Posted on 2014-01-14
951 Views
Last Modified: 2014-06-26
Hi.
We have an Exchange 2010 setup where some customers run their emails off our Exchange servers.
One customer has been approached by a bank to set up Mutual TLS in their communications.
I get the gist of the TLS setup, but the process in our environment has me a little stumped, so I'm hoping for some direction please.

Current environment:
2 Edge servers (edge1 & edge2)
2 CAS servers (certificates located here - cas1 & cas2)
2 Mailbox servers (mb1 & mb2)

On each CAS server there is a self-signed certificate which has IMAP\POP\SMTP services enabled.

There is a single GoDaddy Secure CA certificate installed on the CAS servers which handles the IIS service for our clients to use webmail and ActiveSync, e.g. owa.host.com

Because we have other customers running on the same servers it's hard to test and makes me apprehensive, but my thoughts are to:

1. enable the GoDaddy cert for SMTP on both CAS servers
2. create send and receive connector for bank.com domain and enable TLS option
3. exchange certs with bank IT and we add these into Trusted sections on our Edge servers

If anyone could correct me I'd appreciate it :)
I've read the MS TechNet article but it confuses me, and I'm unsure if we can use the 3rd party cert we currently have in place or if we have to use something with the customer domain name in it?
Question by:core3
1 Comment
 
LVL 23

Accepted Solution

by:
Malli Boppe earned 500 total points
ID: 39781410
The bank email server would communicate with your Edge servers using mutual TLS.
So you need to have a SAN certificate with the following names.

CAS1.domain.com
CAS2.domain.com
Edge1.domain.com
edge2.domain.com
Webmail.domain.com
Autodiscover.domain.com

Install the cert on cas1, cas2, edge1 and edge2. Assign SMTP, IIS, POP and IMAP to the cert.
Make sure TLS is enabled on the Receive connectors on the Edge Transport servers.
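The steps discussed in the question and the accepted answer (enable the third-party certificate for SMTP, create partner connectors that require TLS, make sure the Edge Receive connectors offer TLS), written out as an added Exchange Management Shell example using Exchange 2010's Domain Security cmdlets. This is not code from the question or the answer. Assumptions: the partner domain is bank.com as in the question; the Edge servers are subscribed to the Hub Transport servers through EdgeSync, so the Send connector and the transport configuration are created on a Hub Transport server and replicated to the Edge servers, while the certificate and Receive connector steps run locally on each Edge server; the certificate subject, the Receive connector name and the server names (edge1, edge2) are placeholders to be replaced with the real values.

```powershell
# Added example (not from the thread): Exchange 2010 Domain Security (mutual TLS) with a partner domain.
# Placeholders: $PartnerDomain, $CertSubject, $EdgeServers and $ReceiveConnectorName are assumptions.

$PartnerDomain        = 'bank.com'
$CertSubject          = 'CN=owa.host.com'            # placeholder: subject of the public CA cert as shown by Get-ExchangeCertificate
$EdgeServers          = 'edge1', 'edge2'             # placeholder: Edge Transport servers that will talk to the partner
$ReceiveConnectorName = "Default internal receive connector $env:COMPUTERNAME"   # placeholder: the Edge Receive connector

# --- Run on each Edge Transport server -------------------------------------------------------

# 1. Find the CA-issued certificate and bind it to SMTP. Domain Security needs a certificate the
#    partner can validate up to a CA it trusts, so the self-signed certificate on the CAS servers is
#    not suitable for this connection.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -eq $CertSubject -and $_.Status -eq 'Valid' }
if (-not $cert) {
    throw "No valid certificate with subject '$CertSubject' on $env:COMPUTERNAME"
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 2. Inbound: the Receive connector must offer TLS and have DomainSecureEnabled, so that mail from
#    a domain on the TLSReceiveDomainSecureList is only accepted over a mutually authenticated session.
Set-ReceiveConnector -Identity $ReceiveConnectorName `
    -AuthMechanism 'Tls' `
    -DomainSecureEnabled $true `
    -ProtocolLoggingLevel Verbose      # verbose SMTP receive log shows the STARTTLS and certificate exchange

# --- Run on a Hub Transport server (replicated to the Edge servers by EdgeSync) ----------------

# 3. List the partner domain as Domain Secured in both directions.
Set-TransportConfig -TLSSendDomainSecureList $PartnerDomain -TLSReceiveDomainSecureList $PartnerDomain

# 4. Outbound: a dedicated Send connector for the partner address space. DNS routing is required for
#    Domain Security; -Usage Partner applies the partner defaults and DomainSecureEnabled enforces
#    mutual TLS for this connector only, so other customers' mail flow is untouched.
New-SendConnector -Name "To $PartnerDomain (Domain Secure)" `
    -AddressSpaces $PartnerDomain `
    -DNSRoutingEnabled $true `
    -DomainSecureEnabled $true `
    -RequireTLS $true `
    -Usage Partner `
    -SourceTransportServers $EdgeServers

# 5. Read the effective settings back so the change can be reviewed before the partner tests.
Get-TransportConfig | Select-Object TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector   | Where-Object { $_.AddressSpaces -like "*$PartnerDomain*" } |
    Select-Object Name, DomainSecureEnabled, RequireTLS, DNSRoutingEnabled, SourceTransportServers
```

After EdgeSync has replicated the configuration, the Receive connector settings can be checked on each Edge server with Get-ReceiveConnector, and the verbose protocol log on the Edge server records the STARTTLS negotiation and certificate validation for the partner's test messages.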
