Implementing TLS with Exchange 2010 and IronPort C170

We have recently been required to enable TLS for sending and receiving email to a company we work with.  We have an IronPort C170 as our email gateway / spam filter with an Exchange 2010 server inside our network.  We also use a Barracuda Message Archiver that archives email from Exchange using a Journal Rule.

Current Setup

We have a UC certificate with multiple SAN names installed on our Exchange 2010 server:  

- Mail.Ext_DomainName.com
- Autodiscover.Int_DomainName.law
- ServerName.Int_DomainName.law
- Webaccess.Ext_DomainName.com
- Autodiscover.Ext_DomainName.com
- ServerName
- Webaccess.SecondExt_DomainName.com


Our current UC certificate matches our External FQDN that points to IronPort (mail.Ext_DomainName.com).  Internally the IronPort uses a different name.
 
The certificate is installed on our Exchange 2010 server only.  

We have SANs for OWA, Autodiscover, and the internal names of the Exchange server.

To setup TLS we will need to install the certificate on IronPort and setup transport rules on Exchange and IronPort to make use of the TLS encryption feature.

We would like to know the following:

1.  Our External FQDN matches our certificate and points to IronPort, but the internal name is different.  Do we need to add a SAN to the certificate to match both internal and external names of the IronPort?  In other words, do ALL names have to match or only the EXTERNAL FQDN for TLS to work?

2.  We have the option to create a copy of the UC certificate for installation on a different server which we could use for the IronPort.  Will this break the existing certificate on Exchange?

3.  If we setup TLS from Exchange to IronPort will this break the Journaling Rule to the Barracuda Message Archiver?

4.  We also want to add SSL to the Barracuda for outside access to the archive using the iOS APP.  Is it better to create a new SSL certificate for that device?  Or add a SAN to the UC certificate and reinstall on Exchange, etc.?  

I am not sure if it is better to just have one certificate that covers all devices or separate certificates.  What is the best practice for this scenario?

Thanks
Jeanie Francis-Hayes, Enterprise Applications Administrator, asked:
Dave Howe, Software and Hardware Engineer, commented:
you will need an appropriate certificate on each listener of the ironport, and on the exchange server.

the outside listener will need to have the external FQDN certificate, and will handle TLS to and from the outside facing listener to and from the internet.

the inside listener will have to have a certificate that trusting parties (i.e. exchange) can verify, and match the internal name. this certificate can (and probably should be) self-issued, with the signing key for it on the exchange server so that it can verify the ironport for TLS.

the exchange server will have to have a SAN certificate matching its various internal names, but need not have an external name unless something from the internet has direct access to it.

if you have any exchange services fronted by TMG, then TMG needs the external facing certificate(s) for those service(s)

treat each connection as separate, and ask what you would need to trust and verify on that connection.
Jeanie Francis-Hayes, Enterprise Applications Administrator (Author), commented:
We only have one listener on our IronPort.  

Inbound mail is NAT'd to IronPort through ASA.
Outbound mail from our Exchange server is relayed through the IronPort.  

In this scenario can we setup TLS?

If so, can we just use the existing UCC cert since the SAN matches the outside name of the IronPort?

OR

Will we need to setup separate inside and outside listeners to get TLS working?

Which is best practice?

Thanks
Dave Howe, Software and Hardware Engineer, commented:
You CAN use just one listener, but then the certificate on there needs to cover both internal and external use (you can only have one certificate per listener)

The key with a TLS certificate is that
a) the certificate must contain either a CN or SAN reference to the name the connecting machine uses to connect (so, if it's by IP, it should use IP, but if it's by DNS name, it should contain that DNS name)
b) the certificate must be "valid" (within its date range, and optionally signed by a CA. you will be surprised how many sites will happily accept a self-signed TLS cert without checking though. Or appalled, one of the two)

Having two listeners is easier, but not necessarily better. With two listeners, you can have two separate certificates, one for inside users and one for external access.

Which to use is your choice, but if the existing UCC cert will cover ALL usage cases, then go for that :)
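The two rules in the answer above (the connecting name must appear as the CN or a SAN, and the certificate must be inside its validity period) can be checked mechanically before turning TLS on between Exchange and the IronPort. The script below is an added example, not code from this thread or from either vendor. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be pointed at a live STARTTLS session or at the constructed sample certificate, which mirrors the SAN list from the question. The internal gateway name `ironport.Int_DomainName.law`, the address `192.0.2.10` and the validity dates are hypothetical values chosen for illustration; the wildcard handling goes slightly beyond the thread by covering `*.domain` entries as well as exact names.

```python
"""Hostname-matching and validity check for an SMTP TLS certificate.

Added example (not from the Experts Exchange thread). Rule (a): the name the
connecting host uses must appear as the CN or a SAN entry, and a connection by
IP address only matches an IP Address SAN. Rule (b): the certificate must be
within its validity period. Certificates are represented in the dict shape
returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress
import smtplib
import ssl
from typing import List, Optional, Tuple


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, hlabels = pattern.split("."), hostname.split(".")
        # The wildcard covers exactly one label, never "a.b" under "*.example.com".
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def names_in_cert(cert: dict) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_addresses); the CN is used only when no DNS SAN exists."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def check_cert(cert: dict, connect_name: str, now: float) -> List[str]:
    """Return the list of problems; an empty list means the peer would verify."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append(f"outside validity period {cert['notBefore']} .. {cert['notAfter']}")
    dns_names, ip_names = names_in_cert(cert)
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        # Connected by IP: DNS entries are ignored, only an IP Address SAN counts.
        if not any(ipaddress.ip_address(x) == ip for x in ip_names):
            problems.append(f"no IP Address SAN for {connect_name}")
    elif not any(_dns_name_matches(p, connect_name) for p in dns_names):
        problems.append(f"no CN/SAN matches {connect_name}")
    return problems


def fetch_starttls_cert(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Open an SMTP session, issue STARTTLS and return the peer certificate.

    Chain validation stays on (otherwise getpeercert() returns an empty dict),
    but hostname checking is off so that check_cert() can report a mismatch
    instead of the handshake aborting. A self-issued gateway certificate must
    first be trusted with ctx.load_verify_locations(). Not used by the offline demo.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample in getpeercert() shape, mirroring the SAN list in the question.
# Dates and the subject are hypothetical.
UC_CERT = {
    "subject": ((("commonName", "Mail.Ext_DomainName.com"),),),
    "subjectAltName": (
        ("DNS", "Mail.Ext_DomainName.com"),
        ("DNS", "Autodiscover.Int_DomainName.law"),
        ("DNS", "ServerName.Int_DomainName.law"),
        ("DNS", "Webaccess.Ext_DomainName.com"),
        ("DNS", "Autodiscover.Ext_DomainName.com"),
        ("DNS", "ServerName"),
        ("DNS", "Webaccess.SecondExt_DomainName.com"),
    ),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2013 GMT")          # inside validity
EXPIRED_NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2015 GMT")  # after notAfter

if __name__ == "__main__":
    # External name matches; the hypothetical internal IronPort name and a bare IP do not.
    for name in ("mail.Ext_DomainName.com", "ironport.Int_DomainName.law", "192.0.2.10"):
        print(name, "->", check_cert(UC_CERT, name, NOW) or "OK")
```

Run as-is, the demo shows why the answer says only the names actually used on each hop have to match: Exchange relaying to the gateway by its internal name gets a mismatch from the UC certificate even though the external FQDN is covered, so either that internal name is added as a SAN, the gateway gets its own internal certificate, or Exchange is configured to connect using a name the certificate already carries.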
