TLS between ESA and Exchange

ccna_security
Level 3

Dear all, I have a question. I want to enable TLS between ESA and Exchange Server. What is the best practice regarding TLS options: Preferred or Required? And should I check Verify Client Certificate? I would be thankful if you help me to find an answer for this question.


8 Replies

balaji.bandi
Hall of Fame

Last year I was doing some research while I was doing some PoC to test, but I implemented some other solution as per the business requirement.

But there are good resources I have gathered that may help you.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

https://community.cisco.com/t5/email-security/enabling-tls-on-esas/td-p/2617813

https://jaapwesselius.com/2017/02/23/cisco-ironport-and-exchange-2016/

https://enterpriseit.co/ironport/setup-tls-ironport/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji

The link you sent is related to TLS configuration. I enabled it on the outside interface as Preferred TLS. The question is which option would be better on the inside interface, from our ESA to our Exchange server. Should I choose Required or Preferred?

How is this internal network connected? Do you have any FW between ESA and Exchange?

BB
Yes, we have an internal firewall.

marc.luescherFRE
Spotlight

My take on it is the following:

If both ESA and Exchange are internal -> TLS preferred

If ESA is in the DMZ and Exchange is internal -> TLS required; if the SSL cert is from a trusted 3rd party, even with verify

It all depends on your firewall policy and what they need and allow.

We do SMTP packet inspection on our external firewalls but not on our internal one so for us it does not make a big difference as all our mail servers are in a separate protected subnet.


We have trusted certs on all our ESA/SMA and mail servers. But most internal devices use internal SSL certs from our MS PKI, so we do not enforce TLS for internal devices unless it needs to cross into the DMZ.

Hope that helps

-Marc
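As an added example that is not part of this thread and not Cisco or ESA code, the script below checks the two things Marc's rule turns on before you pick a mode: whether the Exchange side advertises STARTTLS at all (with Required, a peer that never offers TLS simply gets no mail), and whether its certificate verifies against the CA bundle the ESA would trust, which is what makes "verify" workable. Host, port and CA file are assumed command-line arguments; SAMPLE_EHLO is a constructed EHLO reply so the parser can be exercised offline.

```python
import smtplib
import ssl
import sys

# Constructed EHLO reply (the bytes smtplib.SMTP.ehlo() returns as its message), for offline use.
SAMPLE_EHLO = b"exch01.corp.example.test Hello [10.0.0.5]\nSIZE 37748736\nSTARTTLS\nAUTH LOGIN\n8BITMIME"

def starttls_offered(ehlo_msg):
    """True if the EHLO response advertises the STARTTLS extension.
    The first line is the server greeting; each later line starts with an extension keyword."""
    lines = ehlo_msg.split(b"\n")[1:]
    return any(line.split()[0].upper() == b"STARTTLS" for line in lines if line.strip())

def recommend_mode(starttls, verified, crosses_dmz):
    """Map the probe results onto the thread's rule: Preferred inside the network,
    Required (with verify if the peer cert is trusted) when the hop crosses the DMZ."""
    if not starttls:
        return "Preferred at most: peer offers no STARTTLS, so Required would stop mail flow"
    if not crosses_dmz:
        return "Preferred"
    if verified:
        return "Required with verify"
    return "Required (cert not trusted by the ESA; fix the trust chain before enabling verify)"

def probe(host, port=25, cafile=None, timeout=10):
    """Connect, EHLO, then STARTTLS with certificate and hostname verification against
    cafile (None = system trust store). Returns (offered, tls_version, verified, error)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        offered = starttls_offered(msg)
        if not offered:
            return offered, None, False, "STARTTLS not advertised"
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as e:
            return offered, None, False, "certificate verification failed: %s" % e.verify_message
        return offered, smtp.sock.version(), True, None

if __name__ == "__main__":
    # Usage: python probe_tls.py <exchange-host> [port] [ca-bundle.pem]  (names are hypothetical)
    if len(sys.argv) < 2:
        sys.exit("usage: probe_tls.py <host> [port] [ca-bundle.pem]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    offered, version, ok, err = probe(host, port, cafile)
    print("STARTTLS offered:", offered, "| TLS:", version, "| verified:", ok, "| error:", err)
    print("Suggested ESA setting if this hop crosses the DMZ:", recommend_mode(offered, ok, True))
```

Run it with the CA bundle the ESA actually trusts (an internal MS PKI root will not validate a public CA cert, and vice versa), since that is the trust decision "verify" will make.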

As I understood, I should choose TLS preferred if both firewall and ESA are inside the network, right?

Yes, that would be my recommendation, as you don't need the additional TLS-enforced overhead internally.

Thank you Marc