Disable TLS between Active Directory sites


Applies to: Exchange Server 2013

Topic Last Modified: 2013-02-19

Microsoft Exchange Server 2013 supports disabling TLS for SMTP communication between Mailbox servers in certain topologies where WAN Optimization Controller (WOC) devices that compress SMTP traffic are used.

This topic provides step-by-step instructions on how to configure the Transport service in your affected Mailbox servers to disable TLS, and to ensure your Active Directory routing topology is configured to correctly route messages. To learn more about this scenario, see Scenario: Configure Exchange to support WAN Optimization Controllers.

  • Estimated time to complete this task: 60 minutes.

  • Even though individual configuration steps within this scenario can be accomplished with lesser rights, to complete the entire end-to-end scenario tasks, your account needs to be a member of the Organization Management role group.

  • Make sure you disable TLS only on connections that pass through WOC devices.

  • This procedure requires that Exchange 2013 is deployed in multiple Active Directory sites, with at least one site connected to the other sites over a WAN link.

  • This procedure requires that WOC devices are deployed to compress SMTP traffic over the WAN link.

  • This procedure requires that a logical message flow path exists for Exchange going over the WAN link that has the WOC devices deployed.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

To configure the Transport service on a Mailbox server to use downgraded Exchange server authentication, run the following command:

Set-TransportService <ServerIdentity> -UseDowngradedExchangeServerAuth $true

This example makes this configuration change on the server named Mailbox01.

Set-TransportService Mailbox01 -UseDowngradedExchangeServerAuth $true

  1. In the Exchange admin center (EAC), click Mail flow > Receive connectors, and then click Add.

  2. On the first page of the New Receive connector wizard, enter the following values:

    • Name   Enter a descriptive value.

    • Type   Internal

    When you are finished, click Next.

  3. On the second page of the New Receive connector wizard, in the Remote settings section, enter the IP addresses or IP address ranges for the target Active Directory site. When you are finished, click Finish.

To create a Receive connector on the Mailbox server, run the following command:

New-ReceiveConnector -Name <Name> -Server <ServerIdentity> -RemoteIPRanges <IPAddressRange> -Internal

This example creates the Receive connector named WAN on the server named Mailbox01 with the following settings:

  • The RemoteIPRanges parameter is set to This IP address range should correspond to the remote Active Directory site from where this Receive connector will receive unencrypted connections. If there's more than one IP subnet in the remote site, you can enter them all separated by commas.

  • The usage type is set to Internal.

New-ReceiveConnector -Name WAN -Server Mailbox01 -RemoteIPRanges <IPAddressRange> -Internal

To disable TLS on the Receive connector, run the following command:

Set-ReceiveConnector <ReceiveConnectorIdentity> -SuppressXAnonymousTLS $true

This example disables TLS on the Receive connector named WAN on the Mailbox server named Mailbox01.

Set-ReceiveConnector Mailbox01\WAN -SuppressXAnonymousTLS $true

To designate an Active Directory site as a hub site, run the following command:

Set-AdSite <ADSiteIdentity> -HubSiteEnabled $true

You need to perform this procedure once in each Active Directory site that has Mailbox servers that participate in non-encrypted traffic.

This example configures the Active Directory site named Central Office Site 1 as a hub site.

Set-AdSite "Central Office Site 1" -HubSiteEnabled $true

Depending on how the IP site link costs are configured in Active Directory, this step may not be necessary. You need to verify that the network link with the WOC devices deployed is in the least-cost routing path. To view the Active Directory site link costs, and the Exchange-specific site link costs, run the following command:


If the network link with the WOC devices deployed isn't on the least cost routing path, you'll need to assign an Exchange-specific cost to the particular IP site link to ensure messages are routed correctly. To learn more about this particular issue, see the "Configure Exchange-specific Active Directory site link costs" section in Scenario: Configure Exchange to support WAN Optimization Controllers.

This example configures an Exchange-specific cost of 15 on the IP site link named Branch Office 2-Branch Office 1.

Set-AdSiteLink "Branch Office 2-Branch Office 1" -ExchangeCost 15
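
To confirm that TLS is disabled only on connections that pass through WOC devices, the following audit can be run in the Exchange Management Shell after the procedure is complete. It is an added example, not part of the original topic; the $ApprovedRanges variable and its placeholder value are assumptions that you replace with the remote-site subnets you entered on the Receive connectors.

```powershell
# Added audit example (not from the original topic). Run in the Exchange Management Shell.
# Assumption: $ApprovedRanges lists the remote-site subnets that sit behind WOC devices,
# written exactly as they were entered in -RemoteIPRanges. The value below is a placeholder.
$ApprovedRanges = @('<IPAddressRange>')

# Servers whose Transport service uses downgraded Exchange server authentication.
$downgraded = @(Get-TransportService |
    Where-Object { $_.UseDowngradedExchangeServerAuth } |
    ForEach-Object { $_.Name })

# Receive connectors on which TLS has been disabled with -SuppressXAnonymousTLS.
$noTls = @(Get-ReceiveConnector | Where-Object { $_.SuppressXAnonymousTLS })

$report = foreach ($c in $noTls) {
    # Connector identities have the form Server\Name, for example Mailbox01\WAN.
    $server = ($c.Identity.ToString() -split '\\')[0]
    $ranges = @($c.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $extra  = @($ranges | Where-Object { $ApprovedRanges -notcontains $_ })

    [pscustomobject]@{
        Connector        = $c.Identity.ToString()
        RemoteIPRanges   = $ranges -join ', '
        # Any range outside the allow-list accepts unencrypted SMTP from hosts
        # that are not on the WOC path.
        UnapprovedRanges = $extra -join ', '
        # The procedure sets both options on the same server, so a mismatch
        # points to an incomplete or stale configuration.
        ServerDowngraded = $downgraded -contains $server
    }
}

# Servers with downgraded authentication but no TLS-suppressed Receive connector.
$connServers = @($report | ForEach-Object { ($_.Connector -split '\\')[0] })
$orphaned    = @($downgraded | Where-Object { $connServers -notcontains $_ })

$report | Format-Table -AutoSize -Wrap
if ($orphaned.Count -gt 0) {
    Write-Warning ("Downgraded auth without a matching connector: " + ($orphaned -join ', '))
}
```

A non-empty UnapprovedRanges column, a False in ServerDowngraded, or the warning line each mark a server or connector to review against the intended WOC topology.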