Enforce TLS for certain domain names.

Dear Experts,

We have Microsoft Exchange Server 2010, and use an SSL certificate from GoDaddy. Recently I was requested by our client to "enforce TLS" for the domain names they have, for encryption purposes. I have contacted GoDaddy and explained what I needed to do, but they wanted to sell us more certificates, which does not seem correct. From what I learned so far, it is a modification of our server settings at the transport layer. I have not been able to find an instruction that makes sense. Please advise.
yballan Asked:
Dave Baldwin (Fixer of Problems) Commented:
Basic SSL/TLS certificates are issued for a specific domain name, so it is not surprising that they wanted to sell you more certificates. You might be able to get one of the more advanced (and expensive) certificates that will cover more than one domain name.
yballan (Author) Commented:
Dear Dave Baldwin,

Thank you for your reply. I do have certificates that cover 5 domain names (UCC), but dedicating each certificate is not what the client is requiring. I walked through this with my client and GoDaddy tech support; my client is looking to do something like "mutual TLS":

https://technet.microsoft.com/en-us/library/JJ723154%28v=EXCHG.150%29.aspx

I do know how to designate certificates to each domain name, but that is not what the client is talking about, and when I asked him to please forward the instructions, he told me that that is against his department policy...
Dave Baldwin (Fixer of Problems) Commented:
I would simply quit at the point where he refused to share the instructions he wanted you to follow.
gheist Commented:
It is against standards to deny unencrypted SMTP mail.
yballan (Author) Commented:
Dear Dave and gheist,

Thank you for your responses. I am not sure if I am in a position to be able to quit at this time, since it is our client who is making this request, and my supervisor seems to think that not being able to do this would be pretty bad.
I did more reading and found this link.
http://exchange.sembee.info/2010/hub/mutualtls.asp

But I am not sure if this is exactly what I should be doing; I was hoping to find out if anyone has done this procedure before.
gheist Commented:
Yes, there is no problem having TLS on 2 servers and overriding transport to never use a 3rd-party host. But why not an enterprise CA and VPNs, and not care about the comms channel taken?
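What gheist describes as TLS between the two servers, and what both linked articles cover, is Exchange 2010 Domain Security (mutual TLS) scoped to the client's domain. The Exchange Management Shell steps below are an added example, not from anyone in this thread or from the linked articles; HUB01, partner.example.com, the connector names and the thumbprint are placeholders, and the partner must mirror the configuration on their side or mail between the two domains will be rejected rather than sent in the clear.

```powershell
# Added example: Exchange 2010 Domain Security ("mutual TLS") for one partner domain.
# Run in the Exchange Management Shell on a Hub Transport server.
$PartnerDomain = "partner.example.com"   # placeholder for the client's domain
$HubServer     = "HUB01"                 # placeholder Hub Transport server name

# 1. The certificate offered for SMTP must have the SMTP service enabled on it.
#    Pick the thumbprint from the listing; the subject/SAN must match the MX/server name.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services
Enable-ExchangeCertificate -Thumbprint "<THUMBPRINT-PLACEHOLDER>" -Services SMTP

# 2. Org-wide lists of domains that require mutual TLS, one for each direction.
#    @{Add=...} appends, so partner domains already configured are kept.
Set-TransportConfig -TLSSendDomainSecureList    @{Add = $PartnerDomain}
Set-TransportConfig -TLSReceiveDomainSecureList @{Add = $PartnerDomain}

# 3. Dedicated Send connector for the partner's address space. It wins over the
#    "*" Internet connector because its address space is more specific. Domain
#    Security needs DNS routing (no smart host); RequireTLS makes delivery fail
#    closed instead of falling back to plaintext when TLS cannot be negotiated.
New-SendConnector -Name "Partner - $PartnerDomain" `
    -AddressSpaces $PartnerDomain `
    -SourceTransportServers $HubServer `
    -DNSRoutingEnabled $true `
    -RequireTLS $true `
    -DomainSecureEnabled $true `
    -ProtocolLoggingLevel Verbose

# 4. The Receive connector that accepts the partner's mail must have Domain
#    Security enabled; its AuthMechanism must already include Tls (it does on
#    the default connector, check with Get-ReceiveConnector | Format-List AuthMechanism).
Set-ReceiveConnector -Identity "$HubServer\Default $HubServer" -DomainSecureEnabled $true

# 5. Verify. The SMTP send/receive protocol logs under the server's
#    TransportRoles\Logs folder then show the STARTTLS exchange and certificate checks.
Get-TransportConfig | Format-List TLSSendDomainSecureList, TLSReceiveDomainSecureList
Get-SendConnector "Partner - $PartnerDomain" |
    Format-List AddressSpaces, DNSRoutingEnabled, RequireTLS, DomainSecureEnabled
```

If the client only needs TLS enforced one way rather than mutual authentication, steps 1 and 3 without -DomainSecureEnabled (keeping -RequireTLS) are sufficient and do not require any configuration on the partner's side.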
Dave Baldwin (Fixer of Problems) Commented:
If the client refused to share the instructions he wanted you to follow, then you are most certainly doomed to fail, since they have refused to define what success would be. Point this out to your supervisor and get him to pressure the client for accurate information.

yballan (Author) Commented:
Thank you Dave & gheist,
I am meeting with my supervisor and CSO to discuss this matter, and to see if we can get our client to forward more information before we proceed.