MMCUG Blogs

Securing your email connectivity

This next section I am writing as I am on a plane flying from Chicago to Seattle for the Exchange 14 Airlift. I will be writing more about Exchange 14 in the coming months once Exchange 14 has become public, but for now let's continue on course in our next of a three part series surrounding MSONLINE also known as BPOS or Business Productivity Online Suite. Our next requirement in the configuration of Exchange online is to secure our email traffic between our internal organization and MSONLINE. This is highly recommended as your internal organizations email will now be traveling over the internet during co-existence. We will encrypt our email between both the internal environment and our external environment by the use of TLS (Transport Layer Security).

Certificate Requirements for TLS

To secure the email between the two environments we will need to utilize a trusted third party certificate.

Your Exchange environment will have a set of its servers which are responsible for communication of internet mail to and from the Internet. These servers are typically known as Bridgeheads in Exchange 2000 and 2003, Hub Transports, or Edge Servers in Exchange 2007.

Each of the servers responsible for internet email flow will require the third party certificate and a connector configured for TLS. This will not be needed on your Backend or Mailbox servers unless these servers are also acting as your Bridgeheads in the case of Exchange 2000 or 2003 or share the role of Hub Transport in the case of Exchange 2007.

If you have separate bridgehead servers for sending and receiving e-mail via the Internet, you will need to acquire and install a certificate on each SMTP server sending and receiving email to and from the internet that is running Exchange. You will need to set up a connector and enable TLS only on the server or servers that are used for sending e-mail to and from the Internet.

Of course if your email is relayed to and from the Internet by a third party outside of Exchange this will need to be configured for secured email traffic via TLS per the vendors requirements. Follow the steps per http://go.microsoft.com/fwlink/?LinkID=117208&clcid=0x409 to acquire certificate which will include the following.

1. Perform a certificate request via IIS for Exchange 200x or via PowerShell for Exchange 2007.
2. Obtain the certificate, for Exchange 2007 the recommended certificate type will be a Unified communications certificate also known as a SAN (Subject Alternative Name) certificate.
3. You will need to ensure that the certificate is from a recognized third party. Self signed certificates now found on Exchange 2007 cannot be used for this purpose when configuring TLS with Exchange online.
4. Use ESM to install the certificate for Exchange 200x or PowerShell in the case of Exchange 2007.
5. Now create an SMTP connector for Exchange 200x or a send connector for Exchange 2007.

To create an SMTP connector for Exchange 200x

1. In Exchange System Manager, right-click Connectors, and then select New SMTP Connector.
2. Type a name for the connector, which in my example will be known at MSONLINE.
3. On the General tab, select Forward all e-mail through this connector to the following smart host, and then type mail.global.frontbridge.com.
4. Under Local Bridgeheads, click Add, and then select your Exchange Bridgehead Servers.
5. On the Address Space tab, click Add, followed by your Microsoft Online Services e-mail routing domain in my case msmcduffie1.microsoftonline.com which will have been assigned to you when signing up for BPOS.

To create a SEND connector for Exchange 2007

1. See how to Create a New Send Connector at http://technet.microsoft.com/en-us/library/aa998814.aspx

Configure TLS for the Exchange 200x server sending and receiving email

1. For Exchange 200x in ESM, expand Connectors and find the MSONLINE connector previously created.
2. Right-click the connector, and then click Properties.
3. On the Advanced tab, click Outbound Security, and then select TLS Encryption.

Precursors to sending email to and from Exchange Online

Now we are ready to test email flow between the internal organization and Exchange Online. This will require the creation of an Exchange Online mailbox and of course one internal mailbox. Additionally the following is assumed.

1. The internal organization is registered on the internet and has a valid MX (Mail Exchange) record.
2. You have established that email flow works to and from another internet bound registered email domain.
3. You have a registered domain name with Microsoft Online usually in the form of msyourcomanyname1.microsoftonline.com.
4. The Exchange online test user now exists with an email address in the form of useremailalias@yourorganization1.msonline .com
5. You have a user in your internal organization from which you can send email to and from the internet.

Now it is time to validate email verify your e-mail traffic flow

1. Log on to your internal test mailbox and send an email to your Exchange Online test user at useremailalias@yourorganization1.msonline.com which in my case is test1@msmcduffie1.microsoftonline.com.
2. Log on to Microsoft Online Services and start OWA as useremailalias@yourorganization1.microsoftonline.com
3. Validate the receipt of the email message from your internal user.
4. Now send an e-mail message to your internal user which is in my case is fmcduffie@oswegohomesil.net .
5. Verify receipt of the message from your MSONLINE account within the internal user.
6. Reply to this message and validate receipt by the MSONLINE user.
7. Reply to this message and validate receipt by the internal user.

In part 3 of this 3 part series we will discuss Enabling Directory Synchronization and migrating your first Mailbox to Exchange Online.