Edge Server Cert Configuration Exchange 2010 TLS

Log into the HUB CAS server, open the EMC and export the Exchange SSL cert:
1. In the console tree, click Server Configuration.
2. Select the server that contains the certificate, and then select the certificate you want to export.
3. In the action pane, click Export Exchange Certificate.
4. On the Export Exchange Certificate page, select the certificate you want to export. The services that are checked are currently assigned to the certificate.
5. When you click Export, the Progress page will confirm your selections and try to export the certificate.
6. The Completion page will display the status of the request together with the syntax of the Shell cmdlet needed to export the certificate.
Assign the SMTP service on both HUB CAS servers to the self-signed cert:

1. In the console tree, select Server Configuration.
2. In the action pane, click Assign Services to Certificate to open the Assign Services to Certificate wizard. This wizard helps you assign the appropriate services to your certificate for your Exchange organization. For assistance creating a certificate, see Create a New Exchange Certificate.
3. On the Assign Services page, use the check boxes in the Assign Services section to choose the services you want to assign to your certificate. If you chose services during certificate creation, these services will already be checked. Click Assign.
4. On the Completion page, verify that all of the services were assigned properly.

If you attempt to assign the Unified Messaging service to the certificate and the certificate is running in TCP mode only, the assignment will fail. In order to use a certificate for Unified Messaging, it must be set to run in TLS mode or Dual mode.
Log into the Edge server and run the Exchange Management Shell as an administrator. Place the cert exported from the HUB CAS server in the C:\Certs folder and run the following command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\Certs\Ex2010Cert.pfx -Encoding Byte -ReadCount 0)) -Password:(Get-Credential).Password | Enable-ExchangeCertificate -Services SMTP

It will prompt for a username and password; enter any username and the PFX password that was used when the PFX was created.
On the Edge server run:

Get-ExchangeCertificate

View the certs and note the thumbprint of the self-signed cert. You will know it is self-signed because its subject contains only the server name and does not include the top-level domain name. This cert is created when the Edge server is first installed. Run:

Remove-ExchangeCertificate -Thumbprint <paste the thumbprint of the self-signed cert here>

Press A (Yes to All) to agree to remove the cert.
On the Edge server, restart the Microsoft Exchange ADAM service.

Recreate the Edge Subscription on both Edge servers. Open the Exchange Management Shell on each Edge server and run:

New-EdgeSubscription -FileName C:\EdgeSub1
1. Log into the Hub CAS server and open the EMC.
2. In the console tree, navigate to Organization Configuration > Hub Transport.
3. In the result pane, click the Edge Subscriptions tab.
4. In the action pane, click New Edge Subscription. On the New Edge Subscription page, complete the following fields:
   a. Active Directory site: click Browse, and then select an Active Directory site in the drop-down list. This field identifies the Active Directory site where the Hub Transport server is connecting to the Edge Transport server for which the Edge Subscription exists.
   b. Subscription file: click Browse, and then select an Edge Subscription file.
   c. Automatically create a Send connector for this Edge Subscription: select this check box to automatically create a Send connector that routes messages from the Exchange organization to the Internet. The Edge Subscription is configured as the source server for the Send connector. The Send connector is configured to route messages to all domains by using Domain Name System (DNS) MX resource records.
5. Click New to create the new Edge Subscription.
6. On the Completion page, review the following, and then click Finish to close the wizard:
   a. A status of Completed indicates that the wizard completed the task successfully.
   b. A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Configure the HUB CAS send connector for TLS and to use TLS when sending to specific domains.

Open the Exchange Management Shell and run:

Get-SendConnector

The name of the default send connector replaces Internet in the command below:

Set-SendConnector Internet -DomainSecureEnabled:$true

Get-ReceiveConnector

The name of the default receive connector replaces Internet in the command below:

Set-ReceiveConnector Internet -DomainSecureEnabled $true -AuthMechanism TLS

Set-TransportConfig -TLSReceiveDomainSecureList trusteddomain1.com,trusteddomain2.com,trusteddomain3.com

Extend the list with every other trusted domain whose traffic you want to route using TLS.
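As an added check (example script written for this page, not part of the original post), the following verifies the end state described above from the Exchange Management Shell: that SMTP is no longer bound to a self-signed certificate, that Domain Security is enabled on the connectors, and that every trusted domain is present in the transport config's TLS domain lists. The connector names and domain list are placeholders; it also checks TLSSendDomainSecureList, the send-side counterpart of the receive list set above, which the post does not configure.

```powershell
# Added verification script, not from the original post. Run in the Exchange
# Management Shell. Connector names and domains below are placeholders.
$trustedDomains       = @('trusteddomain1.com', 'trusteddomain2.com', 'trusteddomain3.com')
$sendConnectorName    = 'Internet'
$receiveConnectorName = 'Internet'
$problems = @()

# 1. SMTP must be bound to a CA-issued cert. Issuer equal to Subject is a more
#    reliable self-signed test than looking for a missing top-level domain.
foreach ($cert in Get-ExchangeCertificate) {
    $hasSmtp    = "$($cert.Services)" -match 'SMTP'
    $selfSigned = $cert.Issuer -eq $cert.Subject
    if ($hasSmtp -and $selfSigned) {
        $problems += "SMTP still bound to self-signed cert $($cert.Thumbprint) ($($cert.Subject))"
    }
    if ($hasSmtp -and $cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "SMTP cert $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }
}

# 2. Domain Security must be enabled on the send and receive connectors, and
#    the receive connector must still offer TLS as an authentication mechanism.
$sc = Get-SendConnector -Identity $sendConnectorName -ErrorAction SilentlyContinue
if (-not $sc) { $problems += "Send connector '$sendConnectorName' not found" }
elseif (-not $sc.DomainSecureEnabled) { $problems += "Send connector '$sendConnectorName': DomainSecureEnabled is false" }

# Receive connector identities are Server\Name, so match on Name across servers.
$rcs = @(Get-ReceiveConnector | Where-Object { $_.Name -eq $receiveConnectorName })
if ($rcs.Count -eq 0) { $problems += "Receive connector '$receiveConnectorName' not found" }
foreach ($rc in $rcs) {
    if (-not $rc.DomainSecureEnabled) { $problems += "Receive connector '$($rc.Identity)': DomainSecureEnabled is false" }
    if ("$($rc.AuthMechanism)" -notmatch 'Tls') { $problems += "Receive connector '$($rc.Identity)': AuthMechanism lacks TLS" }
}

# 3. Every trusted domain must appear in both TLS domain lists (values are
#    SmtpDomain objects, so compare them as strings).
$tc       = Get-TransportConfig
$recvList = @($tc.TLSReceiveDomainSecureList | ForEach-Object { "$_" })
$sendList = @($tc.TLSSendDomainSecureList    | ForEach-Object { "$_" })
foreach ($d in $trustedDomains) {
    if ($recvList -notcontains $d) { $problems += "$d missing from TLSReceiveDomainSecureList" }
    if ($sendList -notcontains $d) { $problems += "$d missing from TLSSendDomainSecureList" }
}

if ($problems.Count -eq 0) { Write-Host 'Domain Security configuration checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Run it on each Hub and Edge server after the steps above; any warning points at the specific certificate, connector or domain list that still needs attention.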