Forum Discussion
Certificate for Hybrid Connector
Hi Adam,
I have a similar scenario where the SSL certificate is to expire soon and a new SSL certificate has been provided and imported (new certificate authority rather than a renewal) to all of the Exchange 2010 servers, but no services are assigned yet. There are two hub-transport-only servers, two CAS-only servers and two mailbox servers (with the CAS role as well for legacy public folders).
1) Would I need to re-run the HCW on any of the servers with the CAS role to select the new SMTP SSL certificate or do I need to re-run it on all of the servers?
2) Do I need to assign the SMTP service on the two hub transport servers but not replace the existing SSL certificate in preparation for running the HCW or will that assign the services as well?
Thanks,
Dale
Hey Dale,
Sorry for the delay, I had a pretty busy Monday :0
So some background first. I came from a managed services provider. A lot of times my clients had a hybrid Exchange server because they needed it for O365. As such they typically had 1, maybe in a stretch 2, Exchange servers that were never really used for anything other than metadata edits, the normal Active Directory work, and some SMTP traffic. For them, the HCW re-run was almost always the easiest to understand, and simplest to execute, as they had done it before and we only had one server to hit (often a 2016 that did everything).
1. I would actually in your case update the SSL certs on your legacy servers manually, rather than re-running the HCW over and over. https://docs.microsoft.com/en-us/Exchange/architecture/client-access/renew-certificates?view=exchserver-2019 . I believe the SSL cert is just needed on the CAS servers, but to be honest it's been a bit since I've done this on 2010, so someone may know better than me. With that said, if you set up a secure connector in the past (which the HCW would have done by default) you have to look there too.
- If you want the communication between O365 and your server to be secure/use the cert, you would also need to update the connector that handles communication from your server and O365. I would recommend rather than messing with this to just re-run the HCW on one of the servers (likely the one you ran it on last time). But instead of running this twice (or 4 times) based on your CAS servers, just update it manually once or twice, and run the HCW once.
2. I think I addressed this in the above subpoint if I understood your question. If you are talking about SMTP traffic with O365, then the connector will need to be updated, which the HCW should do. If you are talking about SMTP traffic with the outside world, you likely need to update the SSL cert on those servers the same way discussed in the first part of the previous question (which again if you know your way around your servers *which you do* manually is quicker).
Hope this helps!
Adam
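The manual path Adam describes (check the new certificate, bind the SMTP/IIS services to it, then point the hybrid connector at it before a single HCW re-run), written out as an Exchange Management Shell script. This is an added example for the thread, not Adam's or Microsoft's code. The thumbprint and connector name are placeholders for your own values, and the TlsCertificateName parameter on Set-SendConnector / Set-ReceiveConnector is assumed to exist in your build (it is documented for Exchange 2013 and later; on a 2010 server without it, the SMTP service binding plus the HCW re-run is what selects the certificate, so confirm with Get-Help Set-SendConnector -Parameter TlsCertificateName first).

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on each
# server that needs the binding; the connector steps only need to run once per org.

$NewThumbprint       = "0000000000000000000000000000000000000000"  # placeholder: thumbprint of the imported cert
$HybridSendConnector = "Outbound to Office 365"                    # placeholder: name the HCW gave your send connector

# 1. Inventory: every cert on this server, which services it carries and when it expires.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, NotAfter, Status |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# 2. Sanity-check the new certificate before touching any service bindings.
$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $NewThumbprint has no private key; re-import it with the key."
}
if ($cert.Status -ne "Valid") {
    Write-Warning "Certificate status is $($cert.Status); check the chain and revocation before binding."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "New certificate expires on $($cert.NotAfter); that is within 30 days."
}

# 3. Bind services. Hub Transport role needs SMTP; CAS role needs IIS (and SMTP if a
#    receive connector on that box terminates TLS). -Force suppresses the prompt asking
#    whether to overwrite the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services SMTP,IIS -Force

# 4. Hybrid mail flow: the HCW pins its connectors to a certificate by TlsCertificateName,
#    whose format is "<I>Issuer<S>Subject". Build that string from the new cert so the
#    on-premises side presents the right certificate to Exchange Online. (Assumption:
#    this parameter exists in your Exchange build; see lead-in.)
$tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
Set-SendConnector -Identity $HybridSendConnector -TlsCertificateName $tlsName

# Only receive connectors that were already pinned to a certificate get updated,
# so unrelated internal relay connectors are left alone.
Get-ReceiveConnector |
    Where-Object { $null -ne $_.TlsCertificateName } |
    ForEach-Object { Set-ReceiveConnector -Identity $_.Identity -TlsCertificateName $tlsName }

# 5. Verify the pinning, then re-run the HCW once (as Adam suggests) so the Exchange
#    Online side of the hybrid connectors is refreshed with the new certificate.
Get-SendConnector -Identity $HybridSendConnector | Select-Object Name, TlsCertificateName
Get-ExchangeCertificate -Thumbprint $NewThumbprint | Select-Object Thumbprint, Services, NotAfter
```

Run step 3 on every server with a role that uses the certificate (both hub transport servers for SMTP, the CAS servers for IIS); steps 4 and 5 are organization-wide and only need to run once. Keep the old certificate installed until the HCW re-run has completed and mail flow has been confirmed in both directions, then remove it.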