Exchange 2013 Mutual TLS - Secure Connection for Healthcare

I was wondering what most healthcare providers use for secure email between partners? Back when I was supporting Exchange 2003 we used to have secure site-to-site connections set up for email communication. Since Exchange 2010 they now have Mutual TLS, but I hear it can be difficult to set up. However, our customer has a partner that wants us to set up Mutual TLS with them. Is it worth pursuing this, or is there a better way that would meet HIPAA compliance?

When I was in financial we used ZixMail, but this customer says they want to avoid having anything set up on the end user computer. Last I remember, ZixMail requires an application to be installed and configured.

Keith Pratola, Senior Systems Architect, asked:

Simon Butler (Sembee), Consultant, commented:
Where did you hear that Mutual TLS is difficult to set up? As it isn't.
I have two sites that use it for communicating with large clients here in the UK and it takes a few minutes to configure.

I have instructions on how to set it up here:

As long as you have the relevant trusted SSL certificates in place, then it shouldn't take more than a few minutes to configure.


Adam Brown, Sr Solutions Architect, commented:
As long as you have solid communication with the other party you are setting up Mutual TLS with, it isn't terribly difficult. It just takes a good bit of PowerShell work. has some good info on the topic. Ultimately it just involves setting up send and receive connectors for Mutual TLS domains, setting up the Domain Auth list, and applying the right settings to the connectors. As long as both sides are using valid third-party certificates for SMTP, there shouldn't be a need to exchange certificates.

However, if both servers are set up to accept TLS, there isn't a strict need to configure Mutual Auth TLS. The compliance requirements can be met by setting up a Transport Rule that blocks messages to specific domains that cannot be sent over a secure connection. You could potentially set it up so no messages are ever sent out of your environment unless a TLS connection has been established, but you end up with a lot of email not getting through because of bad Email Admins on the other end.

That said, there are actually a lot of cloud solutions that provide a secure Stubbing functionality, where secured emails are sent to an intermediary service, which then sends a notification to the recipient telling them they have received a secure email and to log into a portal to retrieve it. Communication between the mail server and the intermediary is secured with TLS, and the messages are stored in an encrypted format. There is also no need for application installation (though some will install browser add-ins when users open the notification link). The downside to this, though, is that the intermediary will usually send an email to the recipient with a link for them to click on, and that goes counter to the training IT people have been trying to pound into people for years, "Don't open links in emails!"
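The connector, domain list and transport rule steps described in the answer above, written out as an added Exchange Management Shell example (this is not code from the original thread or from either answerer). It assumes a partner domain of partner.example.com, a Mailbox server named EX01, and a certificate thumbprint placeholder; substitute your own values.

```powershell
# Added example: Exchange 2013 Domain Security (Mutual TLS) with a partner domain.
# Assumptions (not from the original thread): partner domain, server name and thumbprint below.
$PartnerDomain  = "partner.example.com"            # assumed partner SMTP domain
$ServerName     = "EX01"                           # assumed Mailbox server
$CertThumbprint = "<THUMBPRINT-OF-TRUSTED-SMTP-CERT>" # placeholder: third-party cert already installed

# 1. Make sure the trusted third-party certificate is bound to the SMTP service.
#    Domain Security uses this certificate to identify this organisation to the partner.
Enable-ExchangeCertificate -Thumbprint $CertThumbprint -Services SMTP

# 2. Add the partner to the Domain Secure lists (the "Domain Auth list" in the answer).
#    Using @{Add=...} appends to the multi-valued property instead of overwriting it.
Set-TransportConfig -TLSSendDomainSecureList    @{Add = $PartnerDomain} `
                    -TLSReceiveDomainSecureList @{Add = $PartnerDomain}

# 3. Outbound: a dedicated send connector for the partner address space.
#    Domain Security requires DNS routing (no smart host) so the partner's own
#    certificate is what gets validated.
New-SendConnector -Name "Domain Secure - $PartnerDomain" `
                  -Usage Partner `
                  -AddressSpaces $PartnerDomain `
                  -DNSRoutingEnabled $true `
                  -DomainSecureEnabled $true `
                  -SourceTransportServers $ServerName

# 4. Inbound: enable Domain Security on the Internet-facing receive connector.
#    The connector must still offer TLS as an authentication mechanism.
$ReceiveConnector = "$ServerName\Default Frontend $ServerName"
Set-ReceiveConnector -Identity $ReceiveConnector -DomainSecureEnabled $true
if ((Get-ReceiveConnector -Identity $ReceiveConnector).AuthMechanism -notmatch "Tls") {
    Write-Warning "$ReceiveConnector does not offer TLS; Domain Security will not work inbound."
}

# 5. Belt and braces (the alternative in the answer): a transport rule that refuses to
#    route mail to the partner unless the outbound session is TLS-protected.
New-TransportRule -Name "Require TLS to $PartnerDomain" `
                  -RecipientDomainIs $PartnerDomain `
                  -RouteMessageOutboundRequireTls $true

# 6. Verify what was configured.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector -Identity "Domain Secure - $PartnerDomain" |
    Format-List AddressSpaces, DNSRoutingEnabled, DomainSecureEnabled, SourceTransportServers
Get-ReceiveConnector -Identity $ReceiveConnector | Format-List DomainSecureEnabled, AuthMechanism
```

The partner has to mirror steps 2 to 4 on their side, with your domain in their lists, before mail in either direction is marked as domain-secured; until then the transport rule in step 5 is what stops mail to that domain leaving in the clear.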
Keith Pratola, Senior Systems Architect (Author), commented:
Thanks. I also found this article which seems most relevant to setting it up on Exchange 2013.