
Scenario: Regulated Partner with Forced TLS

Exchange 2013

Applies to: Exchange Online Protection, Exchange Online

Topic Last Modified: 2014-01-31

If you want to ensure secure communication with a partner, you can use Inbound and Outbound connectors to provide security and message integrity. You can configure forced inbound and outbound Transport Layer Security (TLS) on each connector, using a certificate. TLS is an encryption protocol that provides security for communications over the Internet.

In this sample scenario, Contoso has a secure mail-routing channel with Fabrikam bank. Contoso uses Exchange Online to host its mailboxes, and all mail exchanged with Fabrikam bank is secured with forced TLS.

The following video shows the configuration steps:


The following graphic illustrates regulated-partner mail flow:

[Graphic: EOP_connector_regulated_partner]

Use the following steps to create Inbound and Outbound connectors and configure a regulated-partner relationship:

Use the EAC to configure an EOP Inbound connector for a regulated partner
  1. In the EAC, navigate to mail flow > connectors. Under Inbound Connectors, click Add Icon to create a new connector.

  2. Give the connector a name. For Connector Type, choose Partner for this scenario. Add a description in the Comment text box. For Connection Security, choose Force TLS and specify your partner’s certificate name.

  3. Under Domain Restrictions, choose None (the default), Restrict domains by certificate (the service accepts messages from the specified domains only when the sending server's certificate matches the certificate name you specified), or Restrict domains by IP addresses (the service accepts messages from the specified domains only when the sending IP address falls within the IP addresses you specify).

  4. Under Domains, click Add Icon to add a domain.

  5. In the add domain dialog, specify the domain name of your partner organization and click ok.

  6. Once you add the domain, it appears in the Domains list.

  7. Under IP addresses, click Add Icon to add IP addresses.

  8. In the add ip address dialog, enter the IP address or IP address range to use for the connector. Click ok. The IP address will appear in the ip addresses list.

  9. Click save to save the connector. It appears in the Inbound Connectors list. Make sure ENABLED is checked. You can edit the connector’s settings by clicking Edit Icon.

Use the EAC to configure an EOP Outbound connector for a regulated partner
  1. In the EAC, navigate to mail flow > connectors. Under Outbound Connectors, click Add Icon to create a new connector.

  2. Enter a name for your connector. Make sure Enable outbound connector is checked. Choose Partner for the connector type. Add a description in the Comment field.

  3. For Connection Security, specify Trusted Certification Authority or Self-signed certificate depending on whether your partner has a valid certificate issued by a Microsoft-trusted, public certificate authority (CA) or a self-signed certificate. For Outbound Delivery, choose MX record associated with the recipient domain or a smart host capable of delivering to that domain.

    You can specify Recipient certificate matches domain for an additional level of security. This is commonly used for hybrid and trusted-partner configurations when you need to process and format email received over this connector as internal to the recipient's Exchange organization. The domain specified in the connector must match the common name (CN) in the certificate subject. This does NOT include subject alternative names (SAN). However, a single-level wildcard is supported to match more than one certificate. For example, if your partner has certificates issued individually to each server, such as server1.partner.com and server2.partner.com in the certificate subject, then in the connector setting you would specify Recipient certificate matches domain with a value of *.partner.com.

  4. Under Domains, click Add Icon to add a domain.

  5. In the add domain dialog, add the name of the recipient domain. Click ok.

  6. The domain you added appears in the Domains list.

  7. Click save to save the connector. It appears in the Outbound Connectors list. You can click Edit Icon to change the configuration settings for the connector.
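The two EAC procedures above (the inbound connector with Force TLS and domain restriction, and the outbound connector with Recipient certificate matches domain) can also be created from Exchange Online PowerShell. The following is an added example, not code from the original topic; the connector names, partner domain, certificate name and IP range are assumed values, and the IP range is a documentation-only range.

```powershell
# Added example: regulated-partner connectors via Exchange Online PowerShell.
# All names, domains, the certificate CN and the IP range below are assumed values.
$partnerDomain = "fabrikam.com"      # assumed partner domain
$partnerCert   = "*.fabrikam.com"    # assumed CN on the partner's server certificates
$partnerIPs    = "203.0.113.0/24"    # assumed partner sending range (documentation range)

# Inbound: Connector Type = Partner, Connection Security = Force TLS with the
# partner's certificate name, Domain Restrictions = Restrict domains by certificate.
New-InboundConnector -Name "Inbound from Fabrikam (forced TLS)" `
    -Comment "Regulated partner: mail must arrive over TLS with Fabrikam's certificate" `
    -ConnectorType Partner `
    -Enabled $true `
    -SenderDomains $partnerDomain `
    -SenderIPAddresses $partnerIPs `
    -RequireTls $true `
    -TlsSenderCertificateName $partnerCert `
    -RestrictDomainsToCertificate $true

# Outbound: Connector Type = Partner, Outbound Delivery = MX record of the recipient
# domain, and "Recipient certificate matches domain" (DomainValidation), which checks
# the certificate CN against TlsDomain; a single-level wildcard is allowed.
# For a partner with a trusted-CA certificate but no domain match use
# -TlsSettings CertificateValidation; for a self-signed certificate use EncryptionOnly.
New-OutboundConnector -Name "Outbound to Fabrikam (forced TLS)" `
    -Comment "Regulated partner: deliver only over TLS to a certificate for *.fabrikam.com" `
    -ConnectorType Partner `
    -Enabled $true `
    -RecipientDomains $partnerDomain `
    -TlsSettings DomainValidation `
    -TlsDomain $partnerCert `
    -UseMXRecord $true

# Verify that the security-relevant settings were applied as intended.
Get-InboundConnector "Inbound from Fabrikam (forced TLS)" |
    Format-List Name, ConnectorType, Enabled, RequireTls, TlsSenderCertificateName,
                RestrictDomainsToCertificate, SenderDomains, SenderIPAddresses
Get-OutboundConnector "Outbound to Fabrikam (forced TLS)" |
    Format-List Name, ConnectorType, Enabled, TlsSettings, TlsDomain,
                RecipientDomains, UseMXRecord
```

Run the script in a session already connected to Exchange Online; the two Format-List calls at the end are the PowerShell equivalent of opening the connector with Edit Icon to confirm that forced TLS and the certificate match are in place.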

© 2014 Microsoft. All rights reserved.