Implementing TLS with Exchange 2010 and IronPort C170

Posted on 2014-04-14
Last Modified: 2015-07-14
We have recently been required to enable TLS for sending and receiving email to a company we work with.  We have an IronPort C170 as our email gateway / spam filter with an Exchange 2010 server inside our network.  We also use a Barracuda Message Archiver that archives email from Exchange using a Journal Rule.

Current Setup

We have a UC certificate with multiple SAN names installed on our Exchange 2010 server:  

- Mail.Ext_DomainName.com
- Autodiscover.Int_DomainName.law
- ServerName.Int_DomainName.law
- Webaccess.Ext_DomainName.com
- Autodiscover.Ext_DomainName.com
- ServerName
- Webaccess.SecondExt_DomainName.com

Our current UC certificate matches our external FQDN that points to IronPort (mail.Ext_DomainName.com).  Internally the IronPort uses a different name.
 
The certificate is installed on our Exchange 2010 server only.  

We have SANs for OWA, Autodiscover, and the internal names of the Exchange server.

To set up TLS we will need to install the certificate on IronPort and set up transport rules on Exchange and IronPort to make use of the TLS encryption feature.

We would like to know the following:

1.  Our External FQDN matches our certificate and points to IronPort, but the internal name is different.  Do we need to add a SAN to the certificate to match both internal and external names of the IronPort?  In other words, do ALL names have to match or only the EXTERNAL FQDN for TLS to work?

2.  We have the option to create a copy of the UC certificate for installation on a different server which we could use for the IronPort.  Will this break the existing certificate on Exchange?

3.  If we set up TLS from Exchange to IronPort will this break the Journaling Rule to the Barracuda Message Archiver?

4.  We also want to add SSL to the Barracuda for outside access to the archive using the iOS app.  Is it better to create a new SSL certificate for that device?  Or add a SAN to the UC certificate and reinstall on Exchange, etc.?

I am not sure if it is better to just have one certificate that covers all devices or separate certificates.  What is the best practice for this scenario?

Thanks
Question by: jfhayes

4 Comments


Expert Comment

by:Dave Howe
ID: 40000055
You will need an appropriate certificate on each listener of the IronPort, and on the Exchange server.

The outside listener will need to have the external FQDN certificate, and will handle TLS to and from the outside-facing listener to and from the internet.

The inside listener will have to have a certificate that trusting parties (i.e. Exchange) can verify, and match the internal name. This certificate can (and probably should) be self-issued, with the signing key for it on the Exchange server so that it can verify the IronPort for TLS.

The Exchange server will have to have a SAN certificate matching its various internal names, but need not have an external name unless something from the internet has direct access to it.

If you have any Exchange services fronted by TMG, then TMG needs the external-facing certificate(s) for those service(s).

Treat each connection as separate, and ask what you would need to trust and verify on that connection.
 

Author Comment

by:jfhayes
ID: 40002396
We only have one listener on our IronPort.

Inbound mail is NAT'd to IronPort through ASA.
Outbound mail from our Exchange server is relayed through the IronPort.

In this scenario can we setup TLS?

If so, can we just use the existing UCC cert since the SAN matches the outside name of the IronPort?

OR

Will we need to setup separate inside and outside listeners to get TLS working?

Which is best practice?

Thanks
 

Accepted Solution

by: Dave Howe (earned 500 total points)
ID: 40003517
You CAN use just one listener, but then the certificate on there needs to cover both internal and external use (you can only have one certificate per listener).

The key with a TLS certificate is that
a) the certificate must contain either a CN or SAN reference to the name the connecting machine uses to connect (so, if it's by IP, it should use IP, but if it's by DNS name, it should contain that DNS name)
b) the certificate must be "valid" (within its date range, and optionally signed by a CA. You will be surprised how many sites will happily accept a self-signed TLS cert without checking though. Or appalled, one of the two)

Having two listeners is easier, but not necessarily better. With two listeners, you can have two separate certificates, one for inside users and one for external access.

Which to use is your choice, but if the existing UCC cert will cover ALL usage cases, then go for that :)
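The two rules in the accepted answer (the connecting name must appear in the CN or SAN, and the certificate must be within its date range) and the earlier advice to treat each listener as its own trust decision can be checked mechanically before a certificate is deployed. The following is an added example, not code from the thread or from Cisco or Microsoft: it takes a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns and evaluates it against every name peers use to reach a listener. The certificate, the host names and the evaluation date are constructed placeholders modelled on the question (a UCC cert carrying the external mail name and the internal Exchange names, but not the IronPort's internal name), and the function names are my own.

```python
import ipaddress
import ssl
import time

# Constructed sample: a UCC certificate as ssl.SSLSocket.getpeercert() would
# present it. Names are placeholders modelled on the thread, not real hosts.
UCC_CERT = {
    "subject": ((("commonName", "mail.ext-domain.example"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (
        ("DNS", "mail.ext-domain.example"),
        ("DNS", "autodiscover.int-domain.example"),
        ("DNS", "exch01.int-domain.example"),
        ("DNS", "webaccess.ext-domain.example"),
    ),
    "notBefore": "Apr 14 00:00:00 2014 GMT",
    "notAfter": "Apr 14 23:59:59 2016 GMT",
}

# Constructed evaluation dates (epoch seconds), one inside and one past the range.
NOW_2015 = ssl.cert_time_to_seconds("Jul 14 12:00:00 2015 GMT")
NOW_2017 = ssl.cert_time_to_seconds("Jul 14 12:00:00 2017 GMT")


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert, connect_name):
    """Rule (a): the name the peer connects with must be in the SAN, or in the CN
    only when the certificate carries no DNS SAN entries at all."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        # Connection by IP address: only an iPAddress SAN entry counts.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(pattern, connect_name) for pattern in dns_names)
    # Legacy fallback: the CN is consulted only if the cert has no DNS SANs.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, connect_name):
                return True
    return False


def validity_problems(cert, now=None):
    """Rule (b): the date range must contain 'now'. A self-signed cert
    (issuer == subject) is flagged, not rejected: the peer must trust it explicitly."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed: peer must explicitly trust this cert")
    return problems


def check_listener(cert, connect_names, now=None):
    """Evaluate one listener's certificate against each name peers use to reach it.
    Returns {name: [problems]}; an empty list means that name would verify."""
    report = {}
    for name in connect_names:
        problems = [] if name_matches(cert, name) else ["name not in CN/SAN"]
        problems += validity_problems(cert, now)
        report[name] = problems
    return report


if __name__ == "__main__":
    # Single IronPort listener reached by the external name from the internet
    # and by a different internal name from Exchange (the thread's situation).
    for name, problems in check_listener(
            UCC_CERT,
            ["mail.ext-domain.example", "ironport.int-domain.example"],
            now=NOW_2015).items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

Run against the sample, the external name passes and the internal IronPort name fails with "name not in CN/SAN", which is the concrete form of the answer to question 1: with one listener, the certificate must carry every name any peer connects with, so either the internal IronPort name is added to the UCC certificate's SANs or a second listener with its own certificate is created.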
 