Important notice about certificate expiration for Exchange 2013 Hybrid customers

If you’re Exchange 2013 and you’ve configured a hybrid with 365, this post contains important information that might impact you. Please evaluate this information and take any necessary action before April 15, 2016.

On April 15 2016, the TLS will be renewed. This certificate is used by 365 to provide TLS encryption between Office 365 and external SMTP servers. The new certificate, which will help improve the security of mail sent to and from Office 365, will be issued by a new Authority and it will have a new Issuer and Subject.

This change has the potential to stop mailflow between and your on-premises Exchange servers if one of the following conditions applies to you:

  • Your on-premises Exchange servers are Exchange 2013 Cumulative Update 8 (CU8) or lower.
  • You’ve upgraded the Exchange 2013 servers that handle mailflow to Exchange 2013 or higher. However, since upgrading to CU9, you HAVE NOTre-run the Configuration wizard (either from the Exchange Admin Center or via the direct download link).

If one of the previous conditions applies to your organization, hybrid mailflow between and your organization will stop working after April 15, 2016unless you complete the steps below.

Note: This only affects hybrid mailflow. Regular mailflow and TLS encryption is NOT affected.

How to keep hybrid mail flowing (MUST be completed before 4/15/2016)
Let the new Hybrid Configuration wizard do it for you

You can use the latest Hybrid Configuration wizard (HCW) to configure your Exchange 2013 servers to work with the new TLS certificate. Just follow these steps:

  1. If the Exchange 2013 servers handling hybrid mailflow are Exchange 2013 CU8 or lower, follow the instructions in Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the new HCW application and run the wizard following the instructions here .

Note: For information on which releases of Exchange are supported with 365, see Hybrid deployment prerequisites.

Manual update

If you can’t upgrade Exchange 2013 to latest cumulative update right now (although we would like to remind you of our support policy), you can manually configure your servers to work with the new TLS certificate. On each Exchange 2013 that’s used for hybrid mailflow, open the Exchange Management Shell, and run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like R0;*<I>*”}

Set-ReceiveConnector -Identity $rc.Identity -TlsDomainCapabilities R0;mail.protection.:AcceptCloudServicesMail

http://blogs.technet.com/b/exchange/archive/2016/02/19/important-notice-about-certificate-expiration-for-exchange-2013-hybrid-customers.aspx

Translate »
%d bloggers like this: