Jeff Brubaker
asked on
Exchange Hybrid - Possible send connector or SSL Problem
Greetings,
I have single, Exchange 2013 server running in Full Hybrid Mode.
There are no on-premise mailboxes
Today, mail stopped flowing and I realized the SSL Cert had expired. (Woops!)
I quickly renewed the SSL Certificate and mail started working again immediately.
However, our phone voicemail system to email is not working. Tried rebooting the voicemail system and still no luck.
I'm wondering if it has to do with the "outbound to office 365" send connector. The reason I am suspicious is when I go to delete the expired SSL Cert from Exchange ECP, I get an error message "
But, if the expired SSL Cert is still tied to that send connector, how is my other email flowing ok?
If I do a Get-SendConnector "outbound to office 365" | fl It just returns the basic information, not the thumbprint so I can't tell if it's the expired cert or not.
Any suggestions?
I have single, Exchange 2013 server running in Full Hybrid Mode.
There are no on-premise mailboxes
Today, mail stopped flowing and I realized the SSL Cert had expired. (Woops!)
I quickly renewed the SSL Certificate and mail started working again immediately.
However, our phone voicemail system to email is not working. Tried rebooting the voicemail system and still no luck.
I'm wondering if it has to do with the "outbound to office 365" send connector. The reason I am suspicious is when I go to delete the expired SSL Cert from Exchange ECP, I get an error message "
|
If I do a Get-SendConnector "outbound to office 365" | fl It just returns the basic information, not the thumbprint so I can't tell if it's the expired cert or not.
Any suggestions?
Last Comment
ASKER
Hayes Jupe,
Yes, it seems like that is the problem
The old cert, which I'm unable to delete is still using IIS and SMTP
Yes, it seems like that is the problem
The old cert, which I'm unable to delete is still using IIS and SMTP
yep, thats not uncommon - focus on getting the right cert being used for TLS on your SMTP rather than deleting the old cert.
update the config using
enable-exchange certificate -thumbprint <thumbprint of the new cert> -services SMTP
then re-start your exchange transport service.
update the config using
enable-exchange certificate -thumbprint <thumbprint of the new cert> -services SMTP
then re-start your exchange transport service.
ASKER
I ran the command and it completed successfully but I don't think anything has changed. The expired cert is still using SMTP and IIS as the new one is also.
Here is a "fix" from another thread. Your thoughts?
First, delete the expired Cert from MMC - Certificates - Personal - Certificates
Here is a "fix" from another thread. Your thoughts?
First, delete the expired Cert from MMC - Certificates - Personal - Certificates
- Run $cert = Get-ExchangeCertificate -Thumbprint <newcertthumbprint>
- Set a new variable and assign it the concatenated values of the Issuer and Subject values of the certificate (must also include <I> and <S> before each field):
$TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject) - Update the send connector with the new values
Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert
yep, that's a fair point, you will need to update the connectors with the new cert as well... sorry - that is correct and i missed it.
so yes, run that command against the connector that is used for your voicemail system (and any other connectors that may also use TLS)
so yes, run that command against the connector that is used for your voicemail system (and any other connectors that may also use TLS)
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hi Ben County,
I checked and the IIS\Exchange Back End was NOT bound to the new Cert.
Still unable to get emails from our voicemail system. Regular emails are working fine.
Here is what I have done
1. Manually deleted the expired Cert from MMC
2. Ran $cert = Get-ExchangeCertificate -Thumbprint <thumbprintofnewcert>
3. Ran $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
4. Ran Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert but got the message
"WARNING: The command completed successfully but no settings of 'Outbound to Office 365' have been modified"
5. Ran the Hybrid Configuration Wizard as per someone else's recommendation. The HCW completed successfully but changed the name of the Outbound to Office 365 connector to "Outbound to Office 365 - 949ft714-fab3-460b-a944-468e489597f4"
6. Checked the Exchange Back End bindings as you suggested and found it was not bound to the new Cert. Changed it and did a iisreset
Do I need to re-run the command Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert again?
I checked and the IIS\Exchange Back End was NOT bound to the new Cert.
Still unable to get emails from our voicemail system. Regular emails are working fine.
Here is what I have done
1. Manually deleted the expired Cert from MMC
2. Ran $cert = Get-ExchangeCertificate -Thumbprint <thumbprintofnewcert>
3. Ran $TLSCert = (‘<I>’+$cert.issuer+'<S>’+$cert.subject)
4. Ran Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert but got the message
"WARNING: The command completed successfully but no settings of 'Outbound to Office 365' have been modified"
5. Ran the Hybrid Configuration Wizard as per someone else's recommendation. The HCW completed successfully but changed the name of the Outbound to Office 365 connector to "Outbound to Office 365 - 949ft714-fab3-460b-a944-468e489597f4"
6. Checked the Exchange Back End bindings as you suggested and found it was not bound to the new Cert. Changed it and did a iisreset
Do I need to re-run the command Set-SendConnector -Identity “Send Connector Name” -TLSCertificateName $TLSCert again?
Hi Jeff,
I don't think you need to rerun the command to apply the certificate on the connector.
Sounds like you need to assign the new certificate to your voicemail system, not sure what products you are using, but if its utilising Exchange Unified Messaging you will need to assign the UM service to the new certificate if not already done.
Under the certificate services there should be a tick box for "Unified Messaging Call Router" which you need to tick for the certificate on each server.
Cheers
Ben
I don't think you need to rerun the command to apply the certificate on the connector.
Sounds like you need to assign the new certificate to your voicemail system, not sure what products you are using, but if its utilising Exchange Unified Messaging you will need to assign the UM service to the new certificate if not already done.
Under the certificate services there should be a tick box for "Unified Messaging Call Router" which you need to tick for the certificate on each server.
Cheers
Ben
ASKER
Thanks Ben!
It looks like I was barking up the wrong tree anyway. The voicemail system is rather old. When I updated the SSL Cert on my client's Exchange Server, it was no longer accepting emails from it.
The SMTP Setup for the Voicemail System only has a checkbox "Enable Encryption." It doesn't say what it is, but I would bet it's TLS 1.0
Works great now with no encryption.
Thanks for your expert replies.
It looks like I was barking up the wrong tree anyway. The voicemail system is rather old. When I updated the SSL Cert on my client's Exchange Server, it was no longer accepting emails from it.
The SMTP Setup for the Voicemail System only has a checkbox "Enable Encryption." It doesn't say what it is, but I would bet it's TLS 1.0
Works great now with no encryption.
Thanks for your expert replies.
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
you will be able to see which services have been allocated to which cert thumbprint.
You need to allocate the "new" certificate to the SMTP service, then restart your transport service.