Implementing TLS with Exchange 2010 and IronPort C170

Posted on 2014-04-14
Last Modified: 2015-07-14
We have recently been required to enable TLS for sending and receiving email to a company we work with.  We have an IronPort C170 as our email gateway / spam filter with an Exchange 2010 server inside our network.  We also use a Barracuda Message Archiver that archives email from Exchange using a Journal Rule.

Current Setup

We have a UC certificate with multiple SAN names installed on our Exchange 2010 server:  

- Mail.Ext_DomainName.com
- Autodiscover.Int_DomainName.law
- ServerName.Int_DomainName.law
- Webaccess.Ext_DomainName.com
- Autodiscover.Ext_DomainName.com
- ServerName
- Webaccess.SecondExt_DomainName.com


Our current UC certificate matches our external FQDN that points to the IronPort (mail.Ext_DomainName.com). Internally the IronPort uses a different name.
 
The certificate is installed on our Exchange 2010 server only.  

We have SANs for OWA, Autodiscover, and the internal names of the Exchange server.

To set up TLS we will need to install the certificate on the IronPort and set up transport rules on Exchange and the IronPort to make use of the TLS encryption feature.

We would like to know the following:

1.  Our external FQDN matches our certificate and points to the IronPort, but the internal name is different. Do we need to add a SAN to the certificate to match both the internal and external names of the IronPort? In other words, do ALL names have to match, or only the EXTERNAL FQDN, for TLS to work?

2.  We have the option to create a copy of the UC certificate for installation on a different server which we could use for the IronPort.  Will this break the existing certificate on Exchange?

3.  If we set up TLS from Exchange to the IronPort, will this break the journaling rule to the Barracuda Message Archiver?

4.  We also want to add SSL to the Barracuda for outside access to the archive using the iOS APP.  Is it better to create a new SSL certificate for that device?  Or add a SAN to the UC certificate and reinstall on Exchange, etc.?  

I am not sure if it is better to just have one certificate that covers all devices or separate certificates.  What is the best practice for this scenario?

Thanks
Question by: jfhayes

Expert Comment by: Dave Howe
You will need an appropriate certificate on each listener of the IronPort, and on the Exchange server.

The outside listener will need to have the external FQDN certificate, and will handle TLS to and from the internet.

The inside listener will have to have a certificate that trusting parties (i.e. Exchange) can verify, and match the internal name. This certificate can be (and probably should be) self-issued, with the signing key for it on the Exchange server so that it can verify the IronPort for TLS.

The Exchange server will have to have a SAN certificate matching its various internal names, but need not have an external name unless something from the internet has direct access to it.

If you have any Exchange services fronted by TMG, then TMG needs the external-facing certificate(s) for those service(s).

Treat each connection as separate, and ask what you would need to trust and verify on that connection.

Author Comment by: jfhayes
We only have one listener on our IronPort.

Inbound mail is NAT'd to the IronPort through the ASA.
Outbound mail from our Exchange server is relayed through the IronPort.

In this scenario can we set up TLS?

If so, can we just use the existing UCC cert since the SAN matches the outside name of the IronPort?

OR

Will we need to set up separate inside and outside listeners to get TLS working?

Which is best practice?

Thanks

Accepted Solution by: Dave Howe
You CAN use just one listener, but then the certificate on there needs to cover both internal and external use (you can only have one certificate per listener).

The key with a TLS certificate is that
a) the certificate must contain either a CN or SAN reference to the name the connecting machine uses to connect (so, if it's by IP, it should use the IP, but if it's by DNS name, it should contain that DNS name);
b) the certificate must be "valid" (within its date range, and optionally signed by a CA; you will be surprised how many sites will happily accept a self-signed TLS cert without checking, though. Or appalled, one of the two).

Having two listeners is easier, but not necessarily better. With two listeners, you can have two separate certificates, one for inside users and one for external access.

Which to use is your choice, but if the existing UCC cert will cover ALL usage cases, then go for that :)
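The two conditions in the accepted solution (the peer's connect name must appear as the CN or a SAN, and the certificate must be inside its validity window) can be checked before anything is cut over. The following is an added example written for this page, not code from the thread or from Cisco or Microsoft; it works on the dictionary form that Python's `ssl.getpeercert()` returns, so the same checker can be pointed at a live STARTTLS session. The SAMPLE_UCC_CERT below is constructed from the SAN list in the question (placeholder names kept as written there, validity dates made up), and `ironport-int.int_domainname.law` is an assumed internal listener name used only to show a non-matching case.

```python
"""Check whether a TLS certificate covers the name an SMTP peer connects with,
and whether it is inside its notBefore/notAfter window.

Works on the dict shape returned by ssl.SSLSocket.getpeercert(), so it can be
run against a constructed sample (below) or a live gateway (fetch_smtp_cert).
"""
import ipaddress
import smtplib
import ssl
from datetime import datetime, timezone

# Constructed from the SAN list in the question; the dates are made up.
SAMPLE_UCC_CERT = {
    "subject": ((("commonName", "mail.ext_domainname.com"),),),
    "subjectAltName": (
        ("DNS", "mail.ext_domainname.com"),
        ("DNS", "autodiscover.int_domainname.law"),
        ("DNS", "servername.int_domainname.law"),
        ("DNS", "webaccess.ext_domainname.com"),
        ("DNS", "autodiscover.ext_domainname.com"),
        ("DNS", "servername"),
        ("DNS", "webaccess.secondext_domainname.com"),
    ),
    "notBefore": "Apr 14 00:00:00 2014 GMT",
    "notAfter": "Apr 14 23:59:59 2016 GMT",
}


def _subject_cn(cert):
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """RFC 6125-style DNS matching: case-insensitive, at most one leading
    wildcard label, and a wildcard never covers a bare two-label name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_covers_name(cert, name):
    """True if `name` (DNS name or IP literal) is covered by the certificate.
    IP literals only match an 'IP Address' SAN; DNS names match DNS SANs, or the
    CN only when the certificate carries no DNS SANs at all (legacy behaviour)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_dns_match(p, name) for p in dns_names)
    cn = _subject_cn(cert)
    return cn is not None and _dns_match(cn, name)


def cert_in_validity(cert, now=None):
    """True if `now` (datetime, ISO-8601 string, or None for the current UTC time)
    lies inside the certificate's notBefore..notAfter window."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now.timestamp() <= not_after


def check_peer_cert(cert, name, now=None):
    """Apply both conditions from the answer; return (ok, list_of_reasons)."""
    reasons = []
    if not cert_covers_name(cert, name):
        reasons.append("no CN/SAN entry matches %r" % name)
    if not cert_in_validity(cert, now):
        reasons.append("outside notBefore/notAfter window")
    return (not reasons, reasons)


def fetch_smtp_cert(host, port=25, timeout=10):
    """Live helper (needs network, not exercised by the tests): STARTTLS against a
    gateway and return its certificate dict. check_hostname is off so the name
    decision is made by check_peer_cert; verify_mode stays CERT_REQUIRED because
    getpeercert() only returns a decoded dict for a chain-validated certificate,
    so a self-signed listener certificate surfaces here as an SSL error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    for name in ("mail.Ext_DomainName.com", "ironport-int.int_domainname.law", "10.0.0.5"):
        print(name, check_peer_cert(SAMPLE_UCC_CERT, name, "2015-01-01"))
```

Run against the constructed certificate, the external name passes, while the assumed internal listener name and a bare IP fail the name check; that is exactly the gap the asker has to close (add the internal name as a SAN, or put a second certificate on a second listener) before switching the Exchange-to-IronPort hop to TLS with verification.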