Exchange Hybrid DNS and Certificate


Hi,

 

I am currently planning Exchange Hybrid (Exchange2019) in a test domain.

The current configuration is: internal Exchange 2019 servers are load balanced through a third-party load balancer, and a DNS entry of mail.domain.com is used for all HTTPS services such as EWS, Autodiscover, etc. There is no external access to Exchange.

A single internally generated certificate with multiple SANs is used, which includes mail.mydomain.com, imap.mydomain.com, pop.mydomain.com, etc. It is bound to the IMAP, POP, IIS and SMTP services.

There are no Edge servers, and incoming and outgoing email is delivered through a third-party appliance.

I will, however, introduce an Edge server to be used for secure email between Exchange and Exchange Online.

I'm a bit confused about what the externally supplied certificate required for Exchange Hybrid and the DNS entries should be in order to configure the HCW.

 

1) Does the external certificate required as the transport certificate replace the existing internal certificate already on the Exchange servers? i.e. would I need to create a new external certificate with all the SANs I already have, use this certificate on the same Exchange servers and for the same Exchange services, and also install it on the new Edge server?

 

If the certificate does replace the existing certificate, I presume that I would need to keep the same DNS name, i.e. mail.mydomain.com, and configure this on the external DNS server.

 

If the certificate does not replace the existing certificate, would it only be installed on the Edge server?

 

If the certificate is only installed on the Edge server, I presume I can create a DNS entry called, say, mailhybrid.mydomain.com and a certificate to match. This cert will only be installed on the Edge server and has no bearing on the internal Exchange servers, and I will not need to replace the certificate on them.

 

2) The HCW asks for the organization FQDN, which I believe is used to configure the outbound connector from EOP to on-premises. I presume this would be configured on the Edge server. Would the FQDN be what I am already using internally, i.e. mail.mydomain.com, or would it be mydomain.com, or does it relate to the transport certificate selected earlier and could be anything, such as mailhybrid.mydomain.com?

 

Sorry for all the questions and I hope they make sense.


Hello @mridley 

 

1) Does the external certificate required as the transport certificate replace the existing internal certificate already on the Exchange servers? i.e. would I need to create a new external certificate with all the SANs I already have, use this certificate on the same Exchange servers and for the same Exchange services, and also install it on the new Edge server?

 

Yes, you would need an external certificate.

Certificates: Assign Exchange services to a valid digital certificate that you purchased from a trusted public certificate authority (CA). Although you should use self-signed certificates for the on-premises federation trust with the Microsoft Federation Gateway, you can't use self-signed certificates for Exchange services in a hybrid deployment.

 

The Internet Information Services (IIS) instance on the Exchange servers that are configured in the hybrid deployment requires a valid digital certificate purchased from a trusted CA.

The EWS external URL and the Autodiscover endpoint that you specified in your public DNS must be listed in the Subject Alternative Name (SAN) field of the certificate. The certificates that you install on the Exchange servers for mail flow in the hybrid deployment must all be issued by the same certificate authority and have the same subject.

 

When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers.

https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites

 

https://docs.microsoft.com/en-us/exchange/certificate-requirements

 

2) The HCW asks for the organization FQDN, which I believe is used to configure the outbound connector from EOP to on-premises. I presume this would be configured on the Edge server. Would the FQDN be what I am already using internally, i.e. mail.mydomain.com, or would it be mydomain.com, or does it relate to the transport certificate selected earlier and could be anything, such as mailhybrid.mydomain.com?

 

It would be mydomain.com, which has been verified in your tenant.

Go through the link below:

https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites

 

HCW

https://docs.microsoft.com/en-us/exchange/hybrid-configuration-wizard
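The certificate requirements quoted in the reply (a CA-issued, non-self-signed certificate whose SANs cover the EWS external URL and the Autodiscover name, bound to IIS and SMTP, and the same subject and issuer present on every Mailbox server) can be checked before the HCW is run, which avoids the wizard failing halfway through. The script below is an added example written for this page; it is not code from the thread, from the poster, or from Microsoft. It runs in the Exchange Management Shell on an Exchange 2019 Mailbox server and uses only the standard Get-ExchangeCertificate, Get-WebServicesVirtualDirectory, Get-MailboxServer and Get-SendConnector cmdlets. The two hostnames mail.mydomain.com and autodiscover.mydomain.com are placeholders (an assumption) for whatever is published in external DNS. An Edge Transport server keeps its own certificate store, so the same Get-ExchangeCertificate check has to be repeated in the Edge's own shell; it is not covered by the remote query here.

```powershell
# Added example for this thread (not code from the original post, the reply, or Microsoft).
# Pre-flight check of the hybrid certificate before running the HCW.
# Run in the Exchange Management Shell on an Exchange 2019 Mailbox server.
# ASSUMPTION: the two default hostnames are placeholders for the names in external DNS.

function Test-SanCovers {
    # True when one certificate domain entry (plain or wildcard) covers $HostName.
    param([string]$Domain, [string]$HostName)
    if ($Domain.StartsWith('*.')) {
        $suffix = $Domain.Substring(1)                              # "*.x.com" -> ".x.com"
        return ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                $HostName.Split('.').Count -eq $Domain.Split('.').Count)
    }
    return [string]::Equals($Domain, $HostName, 'OrdinalIgnoreCase')
}

function Test-HybridCertificate {
    param(
        [string[]]$ExpectedSanHosts = @('mail.mydomain.com', 'autodiscover.mydomain.com'),
        [string[]]$MailboxServers   = @(Get-MailboxServer | Select-Object -ExpandProperty Name)
    )
    $findings = @()

    # Take the EWS external URL hosts from the live org config, not only from the list above.
    $ewsHosts = Get-WebServicesVirtualDirectory -ADPropertiesOnly |
        Where-Object { $_.ExternalUrl } |
        ForEach-Object { $_.ExternalUrl.Host }
    $required = @(($ExpectedSanHosts + $ewsHosts) | Sort-Object -Unique)

    # Per server: keep only certificates the HCW would accept.
    $perServer = @{}
    foreach ($server in $MailboxServers) {
        $qualifying = foreach ($c in Get-ExchangeCertificate -Server $server) {
            if ($c.IsSelfSigned) { continue }                       # self-signed is rejected for hybrid
            if ($c.NotAfter -lt (Get-Date)) { continue }            # expired
            $services = $c.Services.ToString() -split ',\s*'
            if (-not (($services -contains 'IIS') -and ($services -contains 'SMTP'))) { continue }
            $domains = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
            $missing = @($required | Where-Object {
                $h = $_
                -not ($domains | Where-Object { Test-SanCovers -Domain $_ -HostName $h })
            })
            if ($missing.Count -gt 0) { continue }
            $c
        }
        $perServer[$server] = @($qualifying)
        if ($perServer[$server].Count -eq 0) {
            $findings += "${server}: no CA-issued certificate bound to IIS and SMTP covers $($required -join ', ')"
        }
    }

    # Same subject and CA on every server: the simplest proof is one thumbprint present everywhere.
    $common = $null
    foreach ($server in $MailboxServers) {
        $tps = @($perServer[$server] | ForEach-Object { $_.Thumbprint })
        $common = if ($null -eq $common) { $tps } else { @($common | Where-Object { $tps -contains $_ }) }
    }
    if (-not $common) { $findings += 'No single qualifying certificate is installed on every Mailbox server.' }

    # If the HCW already ran once, its Send connector pins a certificate as <I>issuer<S>subject.
    $allCerts = @($perServer.Values | ForEach-Object { $_ })
    foreach ($sc in (Get-SendConnector | Where-Object { $_.CloudServicesMailEnabled -and $_.TlsCertificateName })) {
        $pinned = $sc.TlsCertificateName.ToString()
        $hit = $allCerts | Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $pinned } | Select-Object -First 1
        if (-not $hit) { $findings += "Send connector '$($sc.Name)' pins '$pinned', which matches no qualifying certificate." }
    }

    # Warn early on certificates that will expire within 30 days.
    foreach ($c in ($allCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) })) {
        $findings += "Certificate $($c.Thumbprint) expires $($c.NotAfter)."
    }

    if ($findings.Count -eq 0) {
        Write-Host "OK: thumbprint(s) $($common -join ', ') qualify on all $($MailboxServers.Count) Mailbox servers."
        return $true
    }
    $findings | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage: replace the placeholders with the names you publish in external DNS.
Test-HybridCertificate -ExpectedSanHosts 'mail.mydomain.com', 'autodiscover.mydomain.com'
```

The function returns $true only when every Mailbox server holds the same non-self-signed certificate, bound to both IIS and SMTP, covering every required name; otherwise it writes one warning per problem and returns $false. Wildcard SANs are accepted for a single label only, which is how TLS clients match them. The Send connector check is a no-op on a fresh deployment and only bites after a first HCW run, which is exactly when a certificate swap on one server silently breaks hybrid mail flow.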