Implementing TLS with Exchange 2010 and IronPort C170
Posted on 2014-04-14
We have recently been required to enable TLS for sending and receiving email to a company we work with. We have an IronPort C170 as our email gateway / spam filter with an Exchange 2010 server inside our network. We also use a Barracuda Message Archiver that archives email from Exchange using a Journal Rule.
We have a UC certificate with multiple SAN names installed on our Exchange 2010 server:
- ServerName. Int_DomainName.law
Our current UC certificate matches our External FQDN that points to IronPort (mail.Ext_DomainName.com). Internally the IronPort use a different name.
The certificate is installed on our Exchange 2010 server only.
We have SANs for OWA, Autodiscover, and the internal names of the Exchange server.
To setup TLS we will need to install the certificate on IronPort and setup transport rules on Exchange and IronPort to make use of the TLS encryption feature.
We would like to know the following:
1. Our External FQDN matches our certificate and points to IronPort, but the internal name is different. Do we need to add a SAN to the certificate to match both internal and external names of the IronPort? In other words, do ALL names have to match or only the EXTERNAL FQDN for TLS to work?
2. We have the option to create a copy of the UC certificate for installation on a different server which we could use for the IronPort. Will this break the existing certificate on Exchange?
3. If we setup TLS from Exchange to IronPort will this break the Journaling Rule to the Barracuda Message Archiver?
4. We also want to add SSL to the Barracuda for outside access to the archive using the iOS APP. Is it better to create a new SSL certificate for that device? Or add a SAN to the UC certificate and reinstall on Exchange, etc.?
I am not sure if it is better to just have one certificate that covers all devices or separate certificates. What is the best practice for this scenario?