Solved

Exchange 2010 TLS and Certificate Question.

Posted on 2015-02-18
Last Modified: 2015-02-18
Newly built Exchange 2010 fully updated.  Initiating a certificate request and am wondering about Mutual TLS.

The server is already responding with opportunistic TLS because I see the TLS response during a telnet
test:  250-STARTTLS.

Do I even need to select Mutual TLS in the certificate request wizard?  Is it recommended?

Hub Transport Server : Use mutual TLS to help secure internet mail

Finally, I have a test mailbox that I online-moved to the new server, and I have connected that Outlook 2010 account to the new Exchange 2010 server, yet I see the certificate from the old Exchange 2010 server when I configure a new Outlook connection.   Currently the two Exchange 2010 servers are co-existing, but is it normal to see the old server's self-signed cert in new Outlook clients of the new server?

Thanks,
Rich
Question by:rjearley1966
5 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40617104
For complete details on Mutual TLS I would refer to the TechNet article below, which outlines the entire process.
https://technet.microsoft.com/en-us/library/bb123543%28v=exchg.141%29.aspx

Do you have your CAS servers load balanced? You are using Exchange 2010 so when you get a new certificate you will need to update the cert on all of the Exchange 2010 servers. You will also need to run the Enable-ExchangeCertificate -Thumbprint <> -Services "pop,imap,smtp,iis" as well on all of your CAS Servers.

Once you have tested this you can remove old certs using the Remove-ExchangeCertificate -Thumbprint <> -Services "pop,imap,smtp,iis"

Depending on how you have your virtual directories set for your internal URLs, you might have to keep the self-signed cert if you are pointing to the FQDN of the server name. Personally, if you have split DNS configured, I would have the external and internal URLs the same for simplicity.

Will.
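The rollout Will describes above (enable the new cert for POP/IMAP/SMTP/IIS on every CAS, then decide whether the self-signed cert is still needed for internal URLs) as an added Exchange Management Shell example; this is not code from the thread, the thumbprint is a placeholder, and it assumes Exchange 2010 cmdlets with the `-Server` parameter:

```powershell
# Added example (not from the thread): enable the new certificate on every Exchange 2010
# CAS server, then list the client-facing hostnames the new cert does NOT cover, which is
# exactly the case where the self-signed cert must stay. Thumbprint is a placeholder.
$newThumbprint = 'PLACEHOLDER_NEW_CERT_THUMBPRINT'
$services      = 'POP,IMAP,SMTP,IIS'

function Test-CertCoversHost([string[]]$certDomains, [string]$hostName) {
    # Exact SAN match, or a single-level wildcard match (*.contoso.com covers mail.contoso.com).
    foreach ($d in $certDomains) {
        if ($d -ieq $hostName) { return $true }
        if ($d.StartsWith('*.') -and $hostName -ilike ('*' + $d.Substring(1)) -and
            $hostName.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

foreach ($server in (Get-ClientAccessServer | Select-Object -ExpandProperty Name)) {
    $cert = Get-ExchangeCertificate -Server $server -Thumbprint $newThumbprint -ErrorAction SilentlyContinue
    if (-not $cert -or $cert.Status -ne 'Valid' -or $cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$server : new certificate missing or not valid; import it first (Import-ExchangeCertificate), skipping."
        continue
    }
    # Bind the same cert to the same services on each server (the step Will mentions).
    Enable-ExchangeCertificate -Server $server -Thumbprint $newThumbprint -Services $services -Force

    # Hostnames that Outlook, OWA, EWS and ActiveSync clients actually connect to on this server.
    $urls  = @((Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri)
    $urls += Get-OwaVirtualDirectory         -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-ActiveSyncVirtualDirectory  -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $hosts = $urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique

    $uncovered = $hosts | Where-Object { -not (Test-CertCoversHost $cert.CertificateDomains $_) }
    if ($uncovered) {
        # A URL still points at a name the CA cert lacks (typically the server FQDN): keep the self-signed cert.
        Write-Warning "$server : new cert does not cover $($uncovered -join ', '); keep the self-signed cert or fix the URLs."
    } else {
        Write-Host "$server : all client URLs covered; the old cert can go (Remove-ExchangeCertificate -Thumbprint <old>)."
    }
}
```

Only remove the old certificate after every server reports all URLs covered and clients have been tested, since a cert warning in Outlook like the one in the question is what you get when a URL still resolves to a name the active certificate does not carry.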
LVL 1

Author Comment

by:rjearley1966
ID: 40617115
Hello Will,

No CAS servers; we are doing an in-place transition from a physical Exchange Server 2010 to a virtual Exchange 2010.  

So currently our two Exchange Servers are essentially sharing a self signed cert?  

I just went through the wizard and submitted the request to Digicert.
LVL 1

Author Comment

by:rjearley1966
ID: 40617121
There is a pending cert request on the new server only.  Nothing under the old server except for the old self-signed cert, which is set to expire in June.
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1500 total points
ID: 40617223
If you have 2 CAS servers in your environment and they are not being properly load balanced (they are dependent on each other), there will be a round-robin effect when clients access their mailboxes. They will reference Active Directory for a CAS server, and AD shows 2 CAS servers and will send the request to either one.

Now if you power off one of the CAS servers you will run into issues because, as stated above, they are dependent on each other. AD does not show these machines in any type of load balancing configuration, so it will send requests to both CAS servers even when one is offline. This will create error messages for clients, etc.

Will.
LVL 1

Author Comment

by:rjearley1966
ID: 40617272
Understood, thanks.