As part of establishing e-mail coexistence between your local Microsoft Exchange Server environment and Microsoft Exchange Online, we recommend that you implement Transport Layer Security (TLS) send and receive capability in your local Exchange Server environment. This is necessary because, during coexistence with Exchange Online, e-mail that was previously sent and received within your organization will now be sent over the Internet. The instructions in this topic describe how to secure e-mail traffic on Microsoft Exchange 2000 Server and Exchange Server 2003. If your local Exchange Server environment is using Microsoft Exchange Server 2007, refer to your Exchange Server documentation for this information.

To secure your e-mail traffic with TLS, you will need a certificate issued by a recognized certification authority (CA). To implement TLS in your local Exchange Server environment, you must:

  1. Identify the Exchange Server on which to install the certificate.

  2. Generate a certificate request.

  3. Acquire the certificate.

  4. Install the certificate.

  5. Create a Simple Mail Transfer Protocol (SMTP) connector.

  6. Enable TLS.

For more information about TLS, see What is TLS/SSL?

Step One: Identify the Exchange Server on Which to Install the Certificate

TLS should be enabled on the bridgehead server of your local Exchange Server environment. This is the computer that directs your organization's e-mail to and from the Internet. For more information about bridgehead servers and Exchange Server message routing, see Exchange Server 2003 Message Routing Topology.

If you use separate bridgehead servers for sending and receiving Internet e-mail, you will need to acquire and install a certificate on the SMTP virtual server of each bridgehead server computer running Exchange Server. However, you need to create a connector and enable TLS only on the server that sends e-mail to the Internet.

Note:
  • If your Exchange Server environment relies on an external relay server to send and receive e-mail to and from the Internet, you will need to contact the administrator of the external service about their TLS support. When TLS has been enabled on the external service, secure e-mail will flow between their relay server and Microsoft Online Services.

  • If you use a third-party bridgehead product or service, refer to its documentation to see how to configure TLS.

If you have a local Exchange Server bridgehead server running the standard SMTP virtual server, continue reading this topic.

Step Two: Generate a Certificate Request

Use Exchange System Manager in Exchange Server to generate a certificate request on your bridgehead server. You must provide the fully qualified domain name (FQDN) of the bridgehead server. For more information, see Creating a Certificate or Certificate Request for TLS.

Step Three: Acquire the Certificate

Locate a recognized certification authority (CA), such as VeriSign, Comodo, or GoDaddy. Submit the certificate request file that you generated in the previous step. The CA will provide you with a certificate (CER) file that contains the certificate for your server.

Step Four: Install the Certificate

Use Exchange System Manager to install the certificate file. You must provide the path to the certificate file that you received from the CA.

Step Five: Create an SMTP Connector

Create an SMTP connector for sending e-mail to Microsoft Online Services.

To create an SMTP connector
  1. In Exchange System Manager, right-click Connectors, and then click New SMTP Connector.

  2. Type a name for the connector (for example, MicrosoftOnline).

  3. On the General tab, select Forward all e-mail through this connector to the following smart host, and then type mail.global.frontbridge.com.

  4. Under Local Bridgeheads, click Add, and then select your bridgehead server computer running Exchange Server.

  5. On the Address Space tab, click Add, and then type your organization's Microsoft Online Services e-mail routing domain (for example, contoso1.microsoftonline.com).

Note:
To determine your organization's Microsoft Online Services e-mail routing domain, log on to the Microsoft Online Services Administration Center, click the Migration tab, and then click E-Mail Coexistence. The domain will be listed in the E-Mail Routing Information pane.

For more information about creating SMTP connectors, see How to configure the SMTP connector in Exchange 200x.

Step Six: Enable TLS

After you install the certificate, your server will be able to receive TLS e-mail. However, it cannot send TLS e-mail until you enable TLS.

To enable TLS
  1. In Exchange System Manager, expand Connectors and locate the MicrosoftOnline connector that you created in the previous procedure.

  2. Right-click the connector, and then click Properties.

  3. On the Advanced tab, click Outbound Security, and then select TLS Encryption.
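After the steps above are complete, the receive side can be verified from any host that can reach the bridgehead on port 25: the SMTP virtual server should advertise STARTTLS in its EHLO reply and, after the session is upgraded, present the CA-issued certificate for the FQDN you supplied in Step Two. The following Python script is an added example and is not part of the Microsoft documentation; mail.contoso.com and the sample certificate data are constructed placeholders. The network check lives in check_bridgehead; the EHLO parsing, host-name matching and expiry helpers can be exercised offline.

```python
"""Post-configuration check for an Exchange bridgehead: does the SMTP virtual
server advertise STARTTLS, and does the installed certificate match its FQDN?
Added example; not part of the original documentation. Host names are
placeholders/assumptions."""
import smtplib
import ssl
import time
from typing import Optional


def ehlo_offers_starttls(ehlo_reply: bytes) -> bool:
    """True if a multi-line EHLO reply (as returned by smtplib's ehlo())
    lists the STARTTLS extension. The first line is the server greeting;
    every later line starts with an extension keyword."""
    for line in ehlo_reply.splitlines():
        keyword = line.decode("ascii", "replace").strip().split(" ", 1)[0]
        if keyword.upper() == "STARTTLS":
            return True
    return False


def _name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive DNS name match; a wildcard is honoured only as the
    whole left-most label (smtp.contoso.com matches *.contoso.com, but
    a.b.contoso.com does not)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if not pattern.startswith("*."):
        return False
    labels = fqdn.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]


def cert_dns_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject CN only when
    there are none (the layout mirrors ssl.SSLSocket.getpeercert())."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def cert_matches_host(cert: dict, fqdn: str) -> bool:
    """Does any name in the certificate cover the bridgehead FQDN?"""
    return any(_name_matches(name, fqdn) for name in cert_dns_names(cert))


def cert_days_remaining(cert: dict, now_ts: Optional[float] = None) -> int:
    """Whole days until notAfter, relative to now_ts (epoch seconds;
    defaults to the current time)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = time.time() if now_ts is None else now_ts
    return int((not_after - now_ts) // 86400)


def check_bridgehead(fqdn: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to the bridgehead's SMTP virtual server, confirm STARTTLS is
    offered, upgrade the session and report on the certificate presented.
    Network call: not exercised by the offline checks."""
    context = ssl.create_default_context()  # verifies the chain and host name
    report = {"starttls_offered": False, "hostname_matches": None,
              "days_remaining": None, "tls_version": None, "error": None}
    with smtplib.SMTP(fqdn, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or not ehlo_offers_starttls(reply):
            report["error"] = "server did not advertise STARTTLS"
            return report
        report["starttls_offered"] = True
        try:
            smtp.starttls(context=context)
        except ssl.SSLError as exc:
            report["error"] = f"TLS handshake failed: {exc}"
            return report
        cert = smtp.sock.getpeercert()
        report["hostname_matches"] = cert_matches_host(cert, fqdn)
        report["days_remaining"] = cert_days_remaining(cert)
        report["tls_version"] = smtp.sock.version()
    return report


# Constructed certificate dict, in getpeercert() layout, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.contoso.com"),),),
    "subjectAltName": (("DNS", "mail.contoso.com"), ("DNS", "*.contoso.com")),
    "notAfter": "Dec 31 23:59:59 2010 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.contoso.com"  # placeholder
    print(check_bridgehead(host))
```

Run it with the bridgehead FQDN as the argument from a host outside your network. A "server did not advertise STARTTLS" result after Step Four points to the certificate not being bound to the SMTP virtual server, so recheck that step; a false hostname_matches means the request in Step Two did not carry the FQDN that Microsoft Online Services will connect to; days_remaining is worth tracking so the certificate is renewed before outbound TLS to the smart host starts failing.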

See Also

Microsoft Business Productivity Online Standard Suite
© 2009 Microsoft Corporation. All rights reserved.