Exchange with TLS

The following is Network Diagram of this example:

If you does not know how to build AD DS, you can view this post “Building AD DS for Lab “.

If you does not know how to install Exchange, you can view this post “Building Exchange Server for Lab “.

If you does not know how to build AD CA, you can view this post “Active Directory Certificate Service (AD CS) “.

Before we setup exchange server, we need to setup DNS for 3 exchange:

Why we use secondary DNS Zone, not conditional forwarder or stub zone?
It is because i find that using conditional forwarder and stub zone, the exchange will have some problem.
In the exchange server, I can nslookup the MX of other server and in queue will show that it cannot find the domain.

We need to create secondary DNS Zone of EX02, EX03 at EX01:

#Create Secondary DNS Zone of EX02 and EX03 at EX01
Add-DnsServerSecondaryZone -MasterServers 10.20.20.20 -Name EX02.LOCAL -ZoneFile EX02.LOC
Add-DnsServerSecondaryZone -MasterServers 10.20.20.40 -Name EX03.LOCAL -ZoneFile EX03.LOC
#Set Zone transfer for EX01’s primary zone to EX02’s and EX03’s secondary zone
$servers = “10.20.20.20”,”10.20.20.40″
Set-DnsServerPrimaryZone -Name “EX01.LOCAL” –Notify Notifyservers –notifyservers $servers -SecondaryServers $servers –SecureSecondaries TransferToSecureServers

We also need to create secondary DNS Zone of EX01 at EX02:

#Create Secondary DNS Zone of EX01 at EX02
Add-DnsServerSecondaryZone -MasterServers 10.20.20.30 -Name EX01.LOCAL -ZoneFile EX01.LOC

#Set Zone transfer for EX02’s primary zone to EX01’s secondary zone
$servers = “10.20.20.30”
Set-DnsServerPrimaryZone -Name “EX02.LOCAL” –Notify Notifyservers –notifyservers $servers -SecondaryServers $servers –SecureSecondaries TransferToSecureServers

We also need to create secondary DNS Zone of EX01 at EX03:

#Create Secondary DNS Zone of EX01 at EX03
Add-DnsServerSecondaryZone -MasterServers 10.20.20.30 -Name EX01.LOCAL -ZoneFile EX01.LOC
#Set Zone transfer for EX03’s primary zone to EX01’s secondary zone
$servers = “10.20.20.30”
Set-DnsServerPrimaryZone -Name “EX03.LOCAL” –Notify Notifyservers –notifyservers $servers -SecondaryServers $servers –SecureSecondaries TransferToSecureServers

We will create Receive and Send connector without TLS at EXA,EX01.LOCAL and EXB.EX03.LOCAL.

How to create Receive and Send Connector in EXA.EX01.LOCAL:

New-Receiveconnector `
-Name “Receive from EXC.EX03.LOCAL” `
-RemoteIPRanges “10.20.20.40/32” `
-Bindings “0.0.0.0:25” `
-TransportRole “FrontendTransport” `
-Usage “Custom” `
-Server “EXA.EX01.LOCAL” `
-AuthMechanism None `
-PermissionGroups “AnonymousUsers”
New-Sendconnector `
-Name “Send to EXC.EX03.LOCAL” `
-AddressSpaces *.EX03.LOCAL `
-IgnoreSTARTTLS $true

How to create Receive and Send Connector in EXC.EX03.LOCAL:

New-Receiveconnector `
-Name “Receive from EXA.EX01.LOCAL” `
-RemoteIPRanges “10.20.20.30/32” `
-Bindings “0.0.0.0:25” `
-TransportRole “FrontendTransport” `
-Usage “Custom” `
-Server “EXC.EX03.LOCAL” `
-AuthMechanism None `
-PermissionGroups “AnonymousUsers”
New-Sendconnector `
-Name “Send to EXA.EX01.LOCAL” `
-AddressSpaces *.EX01.LOCAL `
-IgnoreSTARTTLS $true

We will create Receive and Send connector with TLS at EXA,EX01.LOCAL and EXB.EX02.LOCAL.

How to create Receive and Send Connector in EXA.EX01.LOCAL:

New-Receiveconnector `
-Name “Receive from EXB.EX02.LOCAL” `
-RemoteIPRanges “10.20.20.20/32” `
-Bindings “0.0.0.0:25” `
-TransportRole “FrontendTransport” `
-Usage “Custom” `
-Server “EXA.EX01.LOCAL” `
-RequireTLS $true `
-PermissionGroups “AnonymousUsers”
New-Sendconnector `
-Name “Send to EXB.EX02.LOCAL” `
-AddressSpaces *.EX02.LOCAL `
-TlsAuthLevel DomainValidation `
-TlsDomain *.EX02.LOCAL `
-RequireTLS $true

How to create Receive and Send Connector in EXB.EX02.LOCAL:

New-Receiveconnector `
-Name “Receive from EXA.EX01.LOCAL” `
-RemoteIPRanges “10.20.20.30/32” `
-Bindings “0.0.0.0:25” `
-TransportRole “FrontendTransport” `
-Usage “Custom” `
-Server “EXB.EX02.LOCAL” `
-RequireTLS $true `
-PermissionGroups “AnonymousUsers”
New-Sendconnector `
-Name “Send to EXA.EX01.LOCAL” `
-AddressSpaces *.EX01.LOCAL `
-TlsAuthLevel DomainValidation `
-TlsDomain *.EX01.LOCAL `
-RequireTLS $true

In EXA and EXB, we create a folder (C:\tmp) and share it as “tmp”.
We will assign everyone with read and write permission on this folder.
We create certificate in EXA using the following powershell:

# FriendlyName of the Certificate, it also is the file name of REQ and CER.
$FriendlyName = “EX02SANCert”
# Create Certificate’s request file
New-ExchangeCertificate -GenerateRequest -RequestFile \\EXB\tmp\$FriendlyName.req -FriendlyName $FriendlyName -SubjectName CN=EXB.EX02.LOCAL -DomainName exb.ex02.local,legacy.ex02.local,mail.ex02.local,autodiscover.ex02.local

# Send the request file
certreq -config EXB.EX02.LOCAL\EX02-EXB-CA -attrib "CertificateTemplate:webserver" -submit \\EXB\tmp\$FriendlyName.req \\EXB\tmp\$FriendlyName.cer

# Import CER file into Exchange Server
Import-ExchangeCertificate -FileName \\EXB\tmp\$FriendlyName.cer

# Set the usage of the Certificate
$Cert = Get-ExchangeCertificate | where-object {$_.FriendlyName -eq $FriendlyName}
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services POP,IMAP,IIS,SMTP -Force

We export EXA’s and EXB’s CA root certificate to network folder:

# In EXA.EX01.LOCAL, we export CR root certificate to EXB
Certutil -ca.cert \\EXB\tmp\EXA-CA-root.cer
# In EXB.EX02.LOCAL, we export CR root certificate to EXA
Certutil -ca.cert \\EXA\tmp\EXB-CA-root.cer

We import EXA’s and EXB’s CA root certificate to Trusted Root Certification Authorities:

# In EXA.EX01.LOCAL, we import EXB’s CR root certificate
certutil -addstore “Root” \\EXA\tmp\EXB-CA-root.cer
# In EXB.EX02.LOCAL, we import EXA’s CR root certificate
certutil -addstore “Root” \\EXB\tmp\EXA-CA-root.cer

Joe's choice

Exchange with TLS

Author: Joe Chan

Search Me

Recent Posts

Author: Joe Chan

Search Me

Recent Posts

Tag Cloud