How to change TLS Certificate in Edge Server for Hybrid Mail flow
TLS Certificate plays important role in the mail flow between On promises and Exchange online in Hybrid Setup. If the certificate is not renewed or not updated properly in the On promises Inbound/Outbound servers which are configured in the EOP, You will end of with Mail delivery issues.
On-premises Mail routing will be done by using EDGE Servers which are placed in the DMZ Location for the inbound and outbound mail routing. At Exchange Online Protection(EOP), We need to have connectors created and placed for the mail routing. Please refer the article which talks about the mailflow and SMTP Mail Routing in the EOP.
Here will show you how to import the new certificate in the Exchange Store and how to enable the certificate for the Exchange certificate for the SMTP Service. SMTP Port 25 used for the Mail routing between On-Promsies and EOP.
EOP Always will understand the public certificate which issued by the third party certificates provider like Symantec, Commodo, Geo trust. Hence we need to buy the public certificate for the TLS Mail Routing in the Hybrid Setup. ideally it will costs around $250 Dollars for three years. I always suggest to go for minimum three years for the any public certificate purchase.
Okay, Let’s begin.
Import the certificate in the MMC–Certificates–Computer Store-Personal
Once certificate has been imported with private Keys.Run Get-ExchangeCertificate|select Thumbprint ,Services to check the certificates and the certificates are enabled for the enabled for the SMTP Services.
Enable-ExchangeCertificate -Thumbprint 571C45E942D3ACEFAD6884978972971EDC54F0CA -Services SMTP
After you enabled the new certificate thumbprint to the SMTP Service, You can go ahead and remove the old certificate from the MMC Store. Recommended to export the certificate with private key and store it on safe place before deleting the certificate.
Now you have done the changes, You need to restart the Exchange transport service (MSExchangeTransport) using Services.msc or PowerShell commadlet, Here i am using Powershell to restart the service and use the Test-Servicehealth commandlet check the status of the service
How to test whether it is working:
Run Get-MessageTrackingLog along with MessageId to track the massage is reaching the destination properly for the inbound/Outbound mail flow.
Exchange online Protection (EOP):
Run the Get-MessageTrace along with the message MessageId to track the message whether it is delivered to the destination for both Inbound/Outbound and run Get-MessageTrace -FromIP “Onprem EDGE Server IP” to check all the mails are reaching to EOP without any issues and run Get-MessageTrace -ToIP “Onprem EDGE Server IP” to check all the mails are reaching to On-Promise Inbound Servers.