Detailed Certificate Requirements for Hybrid Deployments

While setting up an on-premises Exchange Server in a hybrid configuration, certificates are required to enable trust between the on-premises Exchange organization and Microsoft 365 or Office 365. Also, the certificates ensure that communication between the organizations is encrypted and secure. Besides security, you need certificates for various Exchange Services to work correctly.

If you’re planning a hybrid deployment in your on-premises Exchange organization, you should be aware of the various certificate requirements.

In this article, you will learn about the services that require certificates in a hybrid deployment and the certificates you need to configure for these services to secure your servers and emails.

Services that Require Certificates in a Hybrid Deployment

In a hybrid deployment, the following services require a valid certificate issued by a trusted third-party certificate authority (CA).

Exchange Servers

Exchange Servers require a certificate to secure web communication, Outlook connectivity, and other client traffic. You may deploy a self-signed certificate or use a third-party certificate issued by a trusted Certificate Authority, depending on your organization’s needs and environment.

Exchange Services

Exchange services, such as Outlook for Web (OWA), Outlook Anywhere, ActiveSync, and secure message transport, require a certificate from a trusted third-party Certificate Authority to secure the communications over Secure Socket Layer (SSL) between the servers and clients.

Exchange Federation

A certificate is required to create a secure layer between the on-premises Exchange Server and the Office 365 Azure Active Directory authentication system. Azure AD stores the user information, such as usernames and passwords, that is used to sign in to the hybrid Exchange.

Azure AD Connect with AD FS

To establish trust between the web clients and federation proxies, and to sign and decrypt security tokens, a certificate issued by a trusted third-party Certificate Authority is required. However, it is only needed when you configure Azure Active Directory Connect (Azure AD Connect) with Active Directory Federation Services (AD FS) as part of the hybrid deployment.

Hybrid Deployment Certificate Requirements

Based on your organization’s infrastructure, you can use one certificate for multiple services across all servers, or set up a certificate for each server that provides various services. It all depends on your organization and the services implemented.

Although using a single third-party certificate across multiple servers is the cheaper option, it complicates renewal and replacement: whenever the certificate must be renewed or replaced, you have to do so on every server where it is installed.

However, if you use a separate third-party certificate from a trusted Certificate Authority (CA) for each server, you can dedicate each certificate to the services on that server. Thus, if you ever need to renew or replace a certificate, you only need to do it on that server for the particular services installed there. This does not impact other servers or services in your organization.

Which Certificates to Use for Hybrid Deployment?

You should use self-signed certificates for on-premises federation trust with Microsoft Federation Gateway. However, Microsoft recommends using a dedicated third-party certificate issued by a trusted Certificate Authority for Exchange Services and AD FS in a hybrid deployment. You may also use a dedicated certificate on Exchange Servers for other services.

The Internet Information Services (IIS) instance on each Exchange Server in a hybrid deployment also requires a certificate from a trusted CA. This certificate should be issued by the same Certificate Authority and carry the same subject as the certificate used for the other Exchange services, and it should be installed on every server.

If several services are installed on a single server, you may need to configure multiple Fully Qualified Domain Names (FQDNs) for that server. In such a case, you should ideally get a certificate that covers as many of those FQDNs as possible.

To Wrap Up

While configuring a hybrid deployment with Exchange Servers deployed in multiple AD forests, use a dedicated certificate issued by a separate trusted Certificate Authority for each AD forest. In addition, if Exchange Edge Transport servers are deployed in the on-premises Exchange organization, you should also install a certificate issued by the same Certificate Authority and with the same subject on all Edge Transport servers.
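As an added example (not from the article or from Stellar), the following Exchange Management Shell script audits the points above on every on-premises server: which certificate is bound to IIS and SMTP, whether it is self-signed or close to expiry, whether it covers the hybrid FQDNs, and whether all servers use the same issuer and subject. The FQDNs and the 30-day warning threshold are assumed placeholders; replace them with your own.

```powershell
# Added example, not part of the article. Run from the Exchange Management Shell.
# Placeholder FQDNs (constructed for this example): the names your hybrid endpoints publish.
$RequiredFqdns = @('mail.contoso.example', 'autodiscover.contoso.example')
$WarnDays      = 30   # assumed threshold for "expiring soon"

# Edge Transport servers are not domain-joined; run the same checks locally on each of them.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

$report = foreach ($srv in $servers) {
    # Only certificates actually bound to IIS or SMTP serve the hybrid endpoints.
    Get-ExchangeCertificate -Server $srv.Name |
        Where-Object { $_.Services -match 'IIS|SMTP' } |
        ForEach-Object {
            $cert    = $_
            $domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
            $missing = $RequiredFqdns | Where-Object { $_ -notin $domains }
            [pscustomobject]@{
                Server      = $srv.Name
                Thumbprint  = $cert.Thumbprint
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Services    = $cert.Services
                SelfSigned  = $cert.IsSelfSigned
                DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
                MissingFqdn = ($missing -join ',')
            }
        }
}

# 1. Findings: a self-signed certificate on IIS (the default Exchange certificate is
#    normally still bound to SMTP, so SMTP is not flagged for that), expiry within
#    $WarnDays, or a required FQDN the certificate does not cover.
$report |
    Where-Object { ($_.SelfSigned -and $_.Services -match 'IIS') -or
                   $_.DaysLeft -lt $WarnDays -or $_.MissingFqdn } |
    Format-Table Server, Subject, Services, SelfSigned, DaysLeft, MissingFqdn -AutoSize

# 2. "Same CA, same subject": group the IIS certificates by issuer and subject.
#    More than one group means the servers disagree.
$groups = $report | Where-Object { $_.Services -match 'IIS' } | Group-Object Issuer, Subject
if ($groups.Count -gt 1) {
    Write-Warning 'IIS certificates differ across servers (expected one issuer/subject pair):'
    $groups | Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Output 'All IIS certificates share one issuer and subject.'
}
```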

Once you configure the hybrid deployment between Office 365 and the on-premises organization, you can move your mailboxes using migration batches or a third-party EDB to PST converter software, such as Stellar Converter for EDB. The software scans the offline EDB files and exports the mailboxes directly to the Office 365 tenant. In addition, it auto-maps the source and destination mailboxes between the on-premises Exchange and Office 365.

Charles C. Ike

IT/Systems Administrator || Cloud Support Engineer || Technical Support Engineer || ISO/IEC 27001:2022 Lead Implementer (ISMS) || ISMS Manager || Freelance Support Engineer

2 years

Currently we have a hybrid Exchange environment. Most of the users are using Exchange Online; only a few users are on the on-premises Exchange server. Last week our third-party SSL certificate expired. Will it affect the hybrid configuration?
