Forced TLS with Partner settings


Hi all,
I am working with a trusted partner to arrange a TLS connection between our environments.

We have no on-premise servers, so our side is handled entirely with Office 365/ Exchange Online/FOPE.
The partner has requested that we answer the following questions, and I'm unsure what the answers are; hopefully someone can help...
1. The partner wishes to know the mail-routing method, whether it is using public MX record or via a static route to a designated host name or IP address.
2. The partner wishes to know the details of the certificates used for the connection (Issuer, Key Size, Encryption), if this is provided by FOPE how do I get this information?
3. The partner wants us to install their entrust root CA certificates. Is this possible?
Any help greatly appreciated.
James
All Replies
  • Hi James,

    I understand you’d like to arrange a TLS connection with your partner.

    I’d like to reply to you one by one:

    1), Office 365 uses Public MX record for mail-routing.

    2), The FOPE inbound hostname is mail.messaging.microsoft.com. You can let your partner trust this Certificate name on their side.
    To troubleshoot why a forced TLS recipient is not receiving messages, you can refer to  
    http://social.technet.microsoft.com/wiki/contents/articles/fope-troubleshooting-why-a-forced-tls-recipient-is-not-receiving-messages.aspx

    3), It’s not possible to install a new certificate, but FOPE supports many popular root CAs. For more information, you can refer to FOPE Trusted Root CA's.

    For more information, you can refer to the following articles:
    Understanding Transport Layer Security (TLS) in FOPE
    FOPE TLS FAQs

    If you have any additional questions, please feel free to post them in the forum.

    Thanks,
    Evan Zhang

  • Hi Evan,

    That's really helpful thanks.

    Is it possible to get the details of the mail.messaging.microsoft.com certificate? Encryption, key size, etc.?

    Thanks

    James

  • Hi James,

    Here is an article about Certificate Management for your reference:
    http://technet.microsoft.com/en-us/library/ee808052(v=WS.10).aspx

  • Hi James,

    How are things going? Did Ayarn's information help you or do you need any further assistance?

    Best Regards,

    Evan Zhang

  • Hi Evan,

    I don't think Ayarn's post is relevant to this topic. I just need to know the key size, and encryption details of the mail.messaging.microsoft.com certificate.

  • Hello James,

    Thank you for your reply.

    As I understand, you want to setup a secure mail flow channel with your trusted partners using TLS connections.

    For this situation, you may ask your partner to set up the secure mail flow channel with Office 365 referring to the following tips on their side.

    1. Create the Outbound connectors with your Office 365 domain as Recipient Domain.

    2. Make sure their organization trusts the certificate mail.messaging.microsoft.com.
       Note: It is not necessary to be concerned about the Issuer, Key Size or Encryption information of the certificate mail.messaging.microsoft.com.

    3. Configure TLS settings for the connector

    For detailed steps about configuring forced TLS connections between FOPE and a regulated partner, please refer to the article below.
    Regulated Partner with Forced TLS Scenario
    http://technet.microsoft.com/en-us/library/gg430177.aspx

    Thank you.
    Jack Sun

  • Hello James,

    Did the above reply answer your questions? If you need additional information on this problem, feel free to let us know. Thank you.

    Jack Sun
  • Hi Jack,

    I have managed to enable TLS and the trusted company have connected OK, however they raised the following concern:

    "...the MX record and the 220, 250 banners are not matching. This is a prerequisite for proper TLS establishment."

    How can I change the banners to meet this requirement?

    Thanks

    James
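The two things asked for in this thread, the certificate details of the Office 365 inbound host and the partner's "MX name must match the 220 and 250 banners" prerequisite, can both be checked from the outside with a plain STARTTLS probe. This is an added example, not code from the original thread or from Microsoft; the sample banners and MX name are constructed, and the live probe assumes port 25 is reachable and that the host you pass is the name your partner resolves from your MX record.

```python
import re
import socket
import ssl
# Constructed sample lines (not from any real server): a greeting whose name
# differs from the MX host, which is exactly the mismatch the partner reported.
SAMPLE_MX = "mx.example.net"
SAMPLE_220 = "220 smtp-gw01.example.net Microsoft ESMTP MAIL Service ready"
SAMPLE_250 = "250-smtp-gw01.example.net Hello [192.0.2.10]"

def banner_hostname(line):
    """Hostname announced in a 220 greeting or the first EHLO 250 line."""
    m = re.match(r"(220|250)[ -]([A-Za-z0-9.-]+)", line.strip())
    return m.group(2).lower() if m else None

def banners_match_mx(mx_host, line_220, line_250):
    """The partner's prerequisite: MX name and both banners must agree."""
    return {banner_hostname(line_220), banner_hostname(line_250)} == {mx_host.lower()}

def summarize_cert(cert):
    """Pull subject CN, issuer and expiry out of ssl.getpeercert() output."""
    flat = lambda rdns: {k: v for rdn in rdns for k, v in rdn}
    return {"subject_cn": flat(cert["subject"]).get("commonName"),
            "issuer": flat(cert["issuer"]).get("organizationName"),
            "not_after": cert["notAfter"]}

def _reply(f):
    """Read one SMTP reply (all continuation lines) and return its lines."""
    lines = [f.readline().decode(errors="replace").rstrip("\r\n")]
    while len(lines[-1]) > 3 and lines[-1][3] == "-":
        lines.append(f.readline().decode(errors="replace").rstrip("\r\n"))
    return lines

def probe(host, port=25):
    """Live check against one MX host: banners, then STARTTLS and the peer cert."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as a partner would
    with socket.create_connection((host, port), timeout=15) as s:
        f = s.makefile("rb")
        greeting = _reply(f)[0]
        s.sendall(b"EHLO probe.example.invalid\r\n")
        ehlo = _reply(f)
        if not any(l[4:].upper().startswith("STARTTLS") for l in ehlo):
            raise RuntimeError("server does not advertise STARTTLS")
        s.sendall(b"STARTTLS\r\n")
        _reply(f)  # 220 Ready to start TLS
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            tls.sendall(b"QUIT\r\n")
            return {"banner_220": greeting, "banner_250": ehlo[0],
                    "banners_match_mx": banners_match_mx(host, greeting, ehlo[0]),
                    "tls": f"{version} {name}, {bits}-bit",
                    **summarize_cert(tls.getpeercert())}

if __name__ == "__main__":
    print(probe("mail.messaging.microsoft.com"))
```

Python's ssl module does not expose the certificate's key size or signature algorithm; for those, feed the same STARTTLS session to `openssl s_client -starttls smtp -connect HOST:25` and pipe the certificate through `openssl x509 -noout -text`.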

  • Hi James,

    You mentioned that you are setting this up with a trusted partner. Is this a Microsoft Partner? Are you connecting to their Office 365 account or are you connecting to an on premise Exchange server? If it is an on premise Exchange server, what version is it?

    If they are using Office 365 or Exchange 2010 SP2 they have a pre-established trust relationship with the Microsoft Federation Gateway, as you do as an Office 365 customer, and they don't need the MX record. They just need to use PowerShell to establish the trust relationship between your organization and theirs.

    If they have an on premise Exchange server, this document explains how to establish the trust relationship:

    technet.microsoft.com/.../dd335198.aspx

    Also, here are a couple excellent documents that explain how federation works:

    community.office365.com/.../federation-in-office-365-and-exchange.aspx

    technet.microsoft.com/.../dd638083.aspx

    Let me know if that helps,

    Dave

  • Hi David,

    It is with an on-premise 2007 server I believe.

    I will go back to them with that information.

    Thanks

    James

  • Hi All,

    I would like to join the discussion since I have a similar thread open at community.office365.com/.../208734.aspx

    My partner (PARTNER.COM) is asking me to provide the certificate details so he can set up his part. He is asking for Gateways, TLS certificate DN, TLS certificate issuer CA (Please provide CA name and URL to CA public key download). Would you point me to the place where this information can be downloaded?

    Btw. the partner is not on Office 365 and most likely is not using any of the Microsoft products except Exchange.

    Alternatively I would like to set up my own CA certificate on FOPE/Office 365. Is this possible? If yes - how?

    Thx!

    Best

    Thomas

  • James,

    If they are using an Exchange 2007 server, this article may be more on point:

    technet.microsoft.com/.../hh310374.aspx

    It looks like they will need to add an Exchange 2010 server with the Client Access server role installed in order to set up federated delegation.

    Dave

  • So I can't set up a forced TLS connection to Exchange 2007? They need to have 2010?

  • Hi Thomas,

    If you look through the documents I listed in my previous post, you will see how federated delegation works in Office 365. Since all Office 365 customers already have a trusted relationship with the Microsoft Federated Gateway, the organization that you want to federate with just needs to establish a trusted relationship with the gateway as well, then it will be simple to create the trust between your organizations.

    Dave

  • If I'm reading the docs right, not directly with the 2007 server. But since the server isn't hosting mailboxes it may not be as expensive and may be able to be run from a virtual host. Here is a link to the licensing info for Exchange server:

    www.microsoft.com/.../licensing-exchange-server-email.aspx

    Dave