Suppress Anonymous TLS Connections


Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

In Microsoft Exchange Server 2007, Transport Layer Security (TLS) encryption is mandatory for all SMTP communication between Hub Transport servers. This increases overall security of hub-to-hub communications. However, in certain topologies where WAN Optimization Controller (WOC) devices are used, the TLS encryption of SMTP traffic may be undesirable. Exchange Server 2010 supports disabling TLS for hub-to-hub communications for these specific scenarios.

This topic provides step-by-step instructions on how to configure your Hub Transport servers to disable TLS. To learn more about this feature, see Disabling TLS Between Active Directory Sites to Support WAN Optimization.

Looking for other tasks related to managing message routing? Check out Managing Message Routing.

Warning

Make sure you disable TLS only on connections that pass through WOC devices.

Prerequisites

  • Exchange is deployed in multiple Active Directory sites, with at least one site connected to the other sites over a WAN link.

  • WOC devices are deployed to compress SMTP traffic over the WAN link.

  • A logical message flow path exists for Exchange going over the WAN link that has the WOC devices deployed.

Step 1: Use the Shell to configure the Hub Transport server to use downgraded Exchange Server authentication

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Hub Transport server" entry in the Transport Permissions topic.

Note

You can't use the EMC to perform this procedure.

You use the Set-TransportServer cmdlet to configure a Hub Transport server to use downgraded Exchange Server authentication. This example makes this configuration change on the server Hub01.

Set-TransportServer Hub01 -UseDowngradedExchangeServerAuth $true

For detailed syntax and parameter information, see Set-TransportServer.

Step 2: Use the Shell to create a Receive connector on the Hub Transport server for the specific remote IP address range of the target Active Directory site

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

You use the New-ReceiveConnector cmdlet to create a Receive connector on your Hub Transport server to use for non-encrypted traffic. This example creates the Receive connector WAN on server Hub01 with the following configuration options:

  • The RemoteIPRanges parameter is set to 10.0.2.0/24. This IP address range should correspond to the remote Active Directory site from where this Receive connector will receive unencrypted connections. If there's more than one IP subnet in the remote site, you can enter them all separated by commas.

  • The usage type is set to Internal.

New-ReceiveConnector -Name WAN -Server Hub01 -RemoteIPRanges 10.0.2.0/24 -Internal

For detailed syntax and parameter information, see New-ReceiveConnector.

You can also create the Receive connector using the EMC. If you choose to use the EMC, make sure you create the connector with the following settings:

  • Select Internal for the intended usage for the connector.

  • Specify the remote IP address range (10.0.2.0/24 in the preceding example).

For more information, see Create an SMTP Receive Connector.

Step 3: Use the Shell to disable X-ANONYMOUSTLS on the new Receive connector

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.

Note

You can't use the EMC to perform this procedure.

You use the Set-ReceiveConnector cmdlet to disable TLS on the newly created Receive connector. This example disables TLS on the Receive connector WAN on server Hub01.

Set-ReceiveConnector Hub01\WAN -SuppressXAnonymousTLS $true

For detailed syntax and parameter information, see Set-ReceiveConnector.

Step 4: Use the Shell to designate the Active Directory sites on either side of the WAN connection as hub sites

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Active Directory site and site link management" entry in the Transport Permissions topic.

Note

You can't use the EMC to perform this procedure.

You use the Set-AdSite cmdlet to configure a specific Active Directory site as a hub site. You need to do this once in each site that has Hub Transport servers that participate in non-encrypted traffic.

This example configures the Active Directory site Central Office Site 1 as a hub site.

Set-AdSite "Central Office Site 1" -HubSiteEnabled $true

For detailed syntax and parameter information, see Set-AdSite.

Step 5: Use the Shell to verify the lowest-cost routing path goes through the WAN connection

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Active Directory site and site link management" entry in the Transport Permissions topic.

Note

You can't use the EMC to perform this procedure.

Depending on how the IP site link costs are configured in Active Directory, this step may not be necessary. You need to make sure that the network link with the WOC devices deployed lies on the least-cost message path. If this isn't the case, you'll need to assign an Exchange-specific cost to the particular IP site link to ensure messages are routed correctly. To learn more about this particular issue, see "Configuring Site Link Costs" in Disabling TLS Between Active Directory Sites to Support WAN Optimization.

This example configures an Exchange-specific cost of 15 on the IP site link Branch Office 2-Branch Office 1.

Set-AdSiteLink "Branch Office 2-Branch Office 1" -ExchangeCost 15

For detailed syntax and parameter information, see Set-AdSiteLink.
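The five steps above touch four separate objects, so it is easy to end up with TLS suppressed on a connector that is not on the WOC path. The following script is an added example (not part of the Microsoft topic) that reads back each of those settings from the Exchange Management Shell and flags connectors whose remote IP ranges are broader than the expected WOC-side subnets; the function name, the default 10.0.2.0/24 sample range and the "broad range" heuristic are this example's own assumptions.

```powershell
# Added example, not from the Microsoft topic: audits where X-ANONYMOUSTLS is
# suppressed or Exchange Server authentication is downgraded, so you can
# confirm that only the connectors on the WOC path are affected.
# Assumes the Exchange 2010 Management Shell is loaded; the function name and
# the "broad range" heuristic are this example's own.
function Get-TlsSuppressionAudit {
    param(
        # Remote subnets expected to receive unencrypted SMTP (constructed
        # sample value; replace with the subnets behind your WOC devices).
        [string[]]$ExpectedRemoteRanges = @('10.0.2.0/24')
    )

    # Step 1 audit: servers configured for downgraded Exchange Server auth.
    $downgraded = Get-TransportServer |
        Where-Object { $_.UseDowngradedExchangeServerAuth } |
        Select-Object -ExpandProperty Name

    # Step 2/3 audit: Receive connectors that suppress X-ANONYMOUSTLS.
    $findings = foreach ($rc in Get-ReceiveConnector) {
        if (-not $rc.SuppressXAnonymousTLS) { continue }
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # Heuristic: the default "all addresses" ranges mean TLS is suppressed
        # for every peer that reaches this connector, not just the WAN link.
        $broad = $ranges | Where-Object {
            $_ -eq '0.0.0.0-255.255.255.255' -or $_ -like '::-*'
        }
        $unexpected = $ranges | Where-Object { $ExpectedRemoteRanges -notcontains $_ }
        [pscustomobject]@{
            Connector        = $rc.Identity.ToString()
            RemoteIPRanges   = ($ranges -join ', ')
            ServerDowngraded = $downgraded -contains $rc.Server.ToString()
            BroadRange       = [bool]$broad
            UnexpectedRange  = [bool]$unexpected
        }
    }

    # Step 4/5 audit: hub sites and Exchange-specific site link costs.
    $hubSites = Get-AdSite | Where-Object { $_.HubSiteEnabled } |
        Select-Object -ExpandProperty Name
    $costedLinks = Get-AdSiteLink | Where-Object { $_.ExchangeCost } |
        Select-Object Name, ADCost, ExchangeCost

    [pscustomobject]@{
        DowngradedServers    = $downgraded
        SuppressedConnectors = $findings
        HubSites             = $hubSites
        ExchangeCostLinks    = $costedLinks
    }
}

Get-TlsSuppressionAudit | Format-List
```

A connector reported with BroadRange or UnexpectedRange set to True accepts unencrypted hub-to-hub traffic from peers that are not behind the WOC devices and should have its RemoteIPRanges narrowed.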

 © 2010 Microsoft Corporation. All rights reserved.