01-08-2020 11:49 PM
Dear all. I have a question. I want to enable TLS between ESA and Exchange Server. What is the best practice regarding TLS options: Preferred or Required? And should I check Verify Client Certificate? I would be thankful if you could help me find an answer to this question.
01-09-2020 12:41 AM
I did some research last year while I was doing a PoC to test, but I implemented a different solution as per the business requirement.
But there are some good resources I gathered that may help you.
https://community.cisco.com/t5/email-security/enabling-tls-on-esas/td-p/2617813
https://jaapwesselius.com/2017/02/23/cisco-ironport-and-exchange-2016/
01-09-2020 01:02 AM
Hello Balaji
The link you sent is related to TLS configuration. I enabled it on the outside interface as Preferred TLS. The question is which option would be better on the inside interface, from our ESA to our Exchange server. Should I choose Required or Preferred?
01-09-2020 05:40 AM
How is this internal network connected? Do you have any FW between ESA and Exchange?
01-09-2020 05:45 AM
Yes, we have an internal firewall.
01-09-2020 04:38 AM
My take on it is the following:
if both ESA and Exchange are internal -> TLS preferred
if ESA is in DMZ and Exchange is internal -> TLS required, if SSL from trusted 3rd party, even with verify
It all depends on your firewall policy and what they need and allow.
We do SMTP packet inspection on our external firewalls but not on our internal one so for us it does not make a big difference as all our mail servers are in a separate protected subnet.
We have trusted certs on all our ESA/SMA and mail servers. But most internal devices use internal SSL certs from our MS PKI, so we do not enforce TLS for internal devices unless it needs to cross into the DMZ.
Hope that helps
-Marc
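Before moving the ESA-to-Exchange hop from Preferred to Required with verification, a practitioner would want to confirm that the Exchange receive connector actually advertises STARTTLS and presents a certificate that chains to the CA the ESA trusts (Marc mentions internal MS PKI certs, which fail verification unless that CA is imported). The following check is an added example, not code from this thread, Cisco or Microsoft; the hostname, port and CA file path are assumptions.

```python
import smtplib
import ssl


def check_starttls(host, port=25, cafile=None, timeout=5.0):
    """Connect to an SMTP receive connector, upgrade with STARTTLS and report
    whether the presented certificate verifies against `cafile` (or the system
    trust store when cafile is None). Returns a dict and never raises, so it
    can be run from a cron job or a change ticket before flipping to Required."""
    result = {"starttls_offered": False, "verified": False, "subject": None,
              "issuer": None, "not_after": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            result["error"] = "server does not advertise STARTTLS"
            return result
        result["starttls_offered"] = True
        # starttls() raises SSLCertVerificationError when the chain or hostname
        # does not verify: exactly the failure that would defer/bounce mail
        # once delivery is set to Required with certificate verification.
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        result["verified"] = True
        result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
        result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
        result["not_after"] = cert.get("notAfter")
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        if smtp is not None:
            smtp.close()
    return result


def ready_for_required(result):
    """True only if STARTTLS is offered and the certificate verified cleanly."""
    return result["starttls_offered"] and result["verified"] and result["error"] is None


if __name__ == "__main__":
    # Assumed values: replace with your Exchange FQDN and the internal CA bundle.
    r = check_starttls("exchange.example.internal", 25, cafile="/etc/ssl/certs/internal-ca.pem")
    print(r)
    print("safe to switch to Required:", ready_for_required(r))
```

Run it from a host on the same side of the internal firewall as the ESA, with the same CA bundle the ESA has imported, so that a verification failure here reflects what the ESA would see.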
01-09-2020 10:04 AM - edited 01-09-2020 10:06 AM
As I understood it, I should choose TLS preferred if both the firewall and the ESA are inside the network, right?
01-09-2020 10:37 AM
Yes, that would be my recommendation, as you don't need the additional overhead of enforced TLS internally.
01-09-2020 08:23 PM
Thank you Marc