Forum Discussion
Certificate for Hybrid Connector
Currently I have a UCC certificate on our Exchange Server (2010) which has been setup as a Hybrid to O365. That certificate was originally installed on the server within Exchange (Server Configuration/Exchange Certificates), later added to the Hybrid configuration (I believe via the HCW) which can be seen via O365/EAC/Connectors. All has been good in the world.
That certificate is up for renewal EOM. On renewal, I assume I need to add it back into our OnPremise Exchange Server and then rerun the HCW and update the certificate so that our Hybrid connectors will continue to work. Is that correct?
Second, I noticed while looking at the connector in O365, I could opt to use an IP address instead of a certificate. What is the disadvantages with that process instead of a certificate?
Lastly, we have running into some issues dealing with a web server that send emails out via EO. SMTP submission is not an option for us as emails being sent from that server does not use one email address (around 40+ email addresses are used -- invoices@, paid@, purchases@, etc.) Option 2 does not allow for external addressees. Option 3 mentions adding the external IP address. The problem of course is that I already have the connector for the hybrid using a certificate (not the IP address). If I continue to use the certificate, would I need to add the web server that is sending emails out to the Subject Name for the UCC?
This is the article I am going by on the last issue. https://support.office.com/en-us/article/How-to-set-up-a-multifunction-device-or-application-to-send-email-using-Office-365-69f58e99-c550-4274-ad18-c805d654b4c4
Thanks.
Hey Jeff,
Hope you are having a good morning. I will do my best to address all your questions ><
1. Yes, I have found that is the easiest way to do it most times, just re-run the HCW, insert the new cert, and you should be good to go.
2. So your question to me really comes off about exchange connectors. When you go there you have the option. I can say for connectors I always recommend my clients use the cert (when possible), as then you are confident everything is securely transmitted, and done so using the cert you control. IPs can work, and realistically are there as sometimes you are going to be setting up a connector to another organization that all you have to go on is an IP (think a third party service that you need to send directly too). But when you are talking hybrid, it is a more secure organizational relationship, which is why the HCW is defaulting into the cert method.
3. So I have done this a number of times, both for clients on-prem, as well as clients that have servers in things like azure. Its actually kind of nice, as with the TLS connector, you dont get limited by allot of the pretty restrictive things that O365 SMTP sending does. In short, they only really care if you are sending spam.
I have always created a new connector based on IP to do this. Since the reason I was creating this connector was to send external mail, I essentially had one connector on-prem that sent mail to O365 based on my internal domain, and one connector on-prem that followed the path described in option 3 of you article. That connector was set to get everything else. They both sent to O365, but since I had it setup as such, it would send mail to O365 then externally.
Adam
Hi Adam,
I have a similar scenario where the SSL certificate is to expire soon and a new SSL certificate has been provided and imported (new certificate authority rather than a renewal) to all of the Exchange 2010 servers but no services assigned yet. There's two hub transport only servers, two CAS only servers and two mailbox servers (with the CAS role as well for legacy public folders).
1) Would I need to re-run the HCW on any of the servers with the CAS role to select the new SMTP SSL certificate or do I need to re-run it on all of the servers?
2) Do I need to assign the SMTP service on the two hub transport servers but not replace the existing SSL certificate in preparation for running the HCW or will that assign the services as well?
Thanks,
Dale
Hey Dale,
Sorry for the delay, I had a pretty busy monday :0So some background first. I came from a managed services provider. Allot of times my clients had a Hybrid exchange server because they needed it for O365. As such they typically had 1, maybe in a stretch 2 exchange servers that were never really used for anything other than metadata edits, the normal Active Directory work, and some SMTP traffic. For them, the HCW re-run was almost always the easiest to understand, and simplest to execute, as they had done it before and we only had one server to hit (often a 2016 that did everything).
1. I would actually in your case update the SSL certs on your legacy servers manually, rather than re-running the HCW over and over. https://docs.microsoft.com/en-us/Exchange/architecture/client-access/renew-certificates?view=exchserver-2019 . I believe the SSL cert is just needed on the CAS servers, but to be honest its been a bit since ive done this on 2010, so someone may know better than me. With that said, if you setup a secure connector in the past (which the HCW would have done by default) you have to look there too.
- If you want the communication between O365 and your server to be secure/use the cert, you would also need to update the connector that handles communication from your server and O365. I would recommend rather than messing with this to just re-run the HCW on one of the servers (likely the one you ran it on last time). But instead of running this twice (or 4 times) based on your CAS servers, just update it manually once or twice, and run the HCW once.
2. I think I addressed this in the above subpoint if I understood your question. If you are talking about SMTP traffic with O365, then the connector will need to be updated, which the HCW should do. If you are talking about SMTP traffic with the outside work, you likely need to update the SSL cert on those servers the same way discussed in the first part of the previous question (which again if you know your way around your servers *which you do* manually is quicker).
Hope this helps!Adam
