Exchange, TLS and FOPE

Ploppy2k3 · 5 Oct 2014 at 11:49

OK so I’ll start off but saying this isn’t hardware related but there really isn’t anywhere else to put this kinda question.
Forced TLS with external partner and client being FOPE!

So we have a client behind Office365 Online Protection for email security and they are asking for a Forced TLS to the 3rd party partner. With normal Exchange to Exchange this is straight forward but because of FOPE the certificate wont match the company domain and hence wont connect or so I’m told. The main issue here is that we cant actually test it as such and its going to be a one hit “go live” rollout so I need advice on this.
So can anyone advise how this is done? Step by Step preferably. I am no stranger to Exchange but TLS is a blind spot for me.

cheers

Battery! · 6 Oct 2014 at 12:43

The tenant should not be using FOPE anymore, these were migrated to EOP quite a while ago, maybe one slipped the net.

What are you specifying in the connectors for the certificate?

Have you actually seen the configuration in EOP?

Quite a good article here on how to set this up.

http://technet.microsoft.com/en-US/library/jj723154(v=exchg.150).aspx

Ploppy2k3 · 6 Oct 2014 at 19:28

my bad it is EOP! doh!

the config seems straight forward but are there any prerequisites? the bit Im really confused about is the certs. surely the partner org is going to bounce you as you will appear to be microsoft.com rather than mycomany.com?

Battery! · 6 Oct 2014 at 19:41

It's just connectors do I'm not sure what you mean about prerequisits.

The only prerequisits, if any, are the certificates.

Did you look at the link I added, that pretty much covers everything.

Ploppy2k3 · 6 Oct 2014 at 19:52

i had looked at this previously but it doesnt answer the cert question.

I though TLS (or Verify TLS) checks the sending domain by cert. So when an email originates at mycompany.com and then is send via EOP the receiving server expects mycompany.com but instead will get a microsofteop.com cert?

I could have course be talking utter crap. its just part of exchange that I am completely blind on.

Ploppy2k3 · 11 Oct 2014 at 13:04

update.

the first company worked fine. they had setup their end to be "opportunistic" and we just forced our end with certs and its all working without issue.

The second company however are refusing to allow the connection with certs as the cert is from MS and not the sending company. grrrr. it looks like we will have to create a dedicated send/receive connector from the CAS which will involve a whole lot of hassle and red tape.

again grrr