Exchange Hybrid DNS and Certificate
Hello mridley
1) Does the external certificate required for the Transport certificate replace the existing internal certificate already on the Exchange servers? i.e., I would need to create a new external certificate with all the SANs I have already and use this certificate on the same Exchange servers and for the same Exchange services, as well as installing it on the new Edge server?
Yes, you would need an external certificate.
Certificates: Assign Exchange services to a valid digital certificate that you purchased from a trusted public certificate authority (CA). Although you should use self-signed certificates for the on-premises federation trust with the Microsoft Federation Gateway, you can't use self-signed certificates for Exchange services in a hybrid deployment.
The Internet Information Services (IIS) instance on the Exchange servers that are configured in the hybrid deployment requires a valid digital certificate purchased from a trusted CA.
The EWS external URL and the Autodiscover endpoint that you specified in your public DNS must be listed in the Subject Alternative Name (SAN) field of the certificate. The certificates that you install on the Exchange servers for mail flow in the hybrid deployment must all be issued by the same certificate authority and have the same subject.
When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers.
https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites
https://docs.microsoft.com/en-us/exchange/certificate-requirements
2) The HCW asks for the organization FQDN, which I believe is used to configure the outbound connector from EOP to on-premises. I presume this would be configured on the Edge server. Would the FQDN be what I am already using internally, i.e. mail.mydomain.com, or would it be mydomain.com, or does it relate to the transport certificate selected earlier and could be anything such as mailhybrid.mydomain.com?
It would be mydomain.com, which has been verified in your tenant.
Go through the links below.
https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites
HCW
https://docs.microsoft.com/en-us/exchange/hybrid-configuration-wizard
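The certificate rules quoted in the answer (EWS external host and public Autodiscover name in the SAN list, not self-signed, same subject and issuer on every server) can be checked from the Exchange Management Shell before running the HCW. This is an added example, not code from the post or from Microsoft; the server names and the Autodiscover host are placeholders you would replace with your own.

```powershell
# Added example: audit on-premises Exchange certificates against the hybrid prerequisites.
# Assumptions (placeholders): $Servers are your Mailbox servers, $AutodiscoverHost is the
# Autodiscover name published in public DNS. Requires the Exchange Management Shell.
$Servers          = @('EX01', 'EX02')
$AutodiscoverHost = 'autodiscover.mydomain.com'

# A SAN satisfies a host name if it matches exactly or as a one-label wildcard (*.domain).
function Test-SanMatch([string[]]$Sans, [string]$HostName) {
    if (-not $HostName) { return $false }
    $wildcard = '*.' + ($HostName -replace '^[^.]+\.', '')
    return [bool](($Sans -contains $HostName) -or ($Sans -contains $wildcard))
}

$results = foreach ($server in $Servers) {
    # Host name of the EWS external URL configured on this server
    $ewsUrl  = (Get-WebServicesVirtualDirectory -Server $server -ADPropertiesOnly).ExternalUrl
    $ewsHost = if ($ewsUrl) { ([Uri]$ewsUrl).Host } else { $null }

    # Only non-self-signed certificates bound to IIS or SMTP matter for hybrid
    $certs = Get-ExchangeCertificate -Server $server |
        Where-Object { -not $_.IsSelfSigned -and ("$($_.Services)" -match 'IIS|SMTP') }

    foreach ($cert in $certs) {
        $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        [pscustomobject]@{
            Server          = $server
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Services        = "$($cert.Services)"
            EwsHost         = $ewsHost
            HasEwsSan       = Test-SanMatch $sans $ewsHost
            HasAutodiscSan  = Test-SanMatch $sans $AutodiscoverHost
            DaysToExpiry    = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

$results | Format-Table -AutoSize

# Transport (SMTP) certificates must share one subject and one issuer across all servers
$distinct = @($results | Where-Object { $_.Services -match 'SMTP' } | Select-Object Subject, Issuer -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'SMTP certificates differ across servers; subject and issuer must match:'
    $distinct | Format-Table -AutoSize
}
$results | Where-Object { -not ($_.HasEwsSan -and $_.HasAutodiscSan) } | ForEach-Object {
    Write-Warning "$($_.Server) $($_.Thumbprint): EWS or Autodiscover name missing from SAN list"
}
```

Certificates that pass the checks still need the Services column to show IIS and SMTP on every server, which is what Enable-ExchangeCertificate assigns and what the HCW expects to select.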