Hub in NLB for client access and certs
Although I understand that MS does not want us to use NLB for internal Exchange-to-Exchange SMTP communication and uses an internal round-robin algorithm, for external SMTP access (such as Exchange users that use IMAP or POP and need an SMTP outgoing server), I'd like to define an NLB for hubs. By default, the two connectors are separated. I defined the NLB and disabled port 25 explicitly and enabled 587. Port 25 is only for Exchange Servers, and Port 587 is only for authenticated with TLS for Exchange Users. Question: the certificate is applied globally to the SMTP service. Now, for clients to use the usual certificate chain model, I need to use a public cert with the cluster FQDN name. For internal communication, Exchange needs self-signed certs with the hub's NetBIOS and FQDN spelled out. What kind of cert should I be using then? It appears that I need a SAN cert that has <nlb fqdn>, hub1, hub2, hub1.fqdn, hub2.fqdn and then deploy it on both hub1 and hub2 nodes; however, it seems to be overkill from a price perspective. Anyone got any ideas?
January 3rd, 2008 7:03am

Digicert is one of the few out there selling SAN certs, and with a good price. http://www.digicert.com/unified-communications-ssl-tls.htm Are you running CAS on the same box as HT? Then it would be a good idea to add autodiscover.yoursmtpdomain in the cert as well.
January 3rd, 2008 2:38pm

Lasse, I am not running in multi-role. I have two isolated HUB1 and HUB2. For Exchange communication, HUB1 and HUB2 use the cert only for the encryption channel and rely on Kerberos for authentication/validation. However, it appears that I should get a SAN cert with hub1.fqdn, hub2.fqdn, <nlb.fqdn>, hub1, hub2. Now what happens if I cheap out and get a simple cert for <nlb.fqdn> only, apply it to hub1 and hub2, and apply it to the SMTP service? In other words, is there an inherent requirement for hub1 to use a non-self-signed cert that contains the subject name hub1 and hub1.fqdn names?
January 3rd, 2008 7:35pm

There is no need for your HT servers to use the self-signed cert; as a matter of fact, it should be replaced with a valid cert. If your HT is only facing your internal net then you can use your private CA, but if they are facing the Internet you should use a public CA to create the cert. Do you have any other Exchange servers in other AD sites on your net? If not, you could probably buy a cheaper cert. But I wouldn't do that. Remember that the NLB name and IP are only used when receiving mail; when sending, the real IP of the server is used and the name in the send connector. How about letting your HT have multiple NICs, one facing the Internet and the other facing your internal net? Then you can use NLB only on the Internet-facing NIC.
January 4th, 2008 11:43pm
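The setup described in the original question (one SAN cert carrying the NLB name plus both hubs' short and full names, port 25 kept for Exchange servers only, port 587 for TLS-authenticated users) together with the advice above to replace the self-signed cert, as an added worked example that is not part of the thread. It uses Exchange 2007 Management Shell cmdlets; nlb.example.com, hub1/hub2 in example.com, the 10.0.0.50 cluster IP and the C:\certs paths are assumed placeholders.

```powershell
# Added example (not from the thread). Placeholders: nlb.example.com is the
# NLB cluster name, hub1/hub2 are the Hub Transport servers in example.com,
# 10.0.0.50 is the NLB virtual IP. Run in the Exchange 2007 Management Shell.

# 1. One request for a SAN cert that carries the NLB name plus both hubs'
#    short and full names, so the same cert is valid for client connections
#    to the cluster name and for hub-to-hub TLS that checks the server FQDN.
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName "CN=nlb.example.com" `
    -DomainName nlb.example.com,hub1,hub2,hub1.example.com,hub2.example.com `
    -Path C:\certs\hub-san.req

# 2. After the CA returns the signed cert, import it on hub1 and bind it to
#    SMTP. This replaces the self-signed cert on the SMTP service.
$cert = Import-ExchangeCertificate -Path C:\certs\hub-san.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Export with the private key and repeat the import/enable on hub2 so
#    both NLB nodes present the identical certificate.
$pw = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pw -Path C:\certs\hub-san.pfx

# 4. Keep port 25 for Exchange servers only: drop ExchangeUsers from the
#    default connector and leave its FQDN as the real server name, which
#    internal hub-to-hub TLS expects to match the certificate.
Set-ReceiveConnector "HUB1\Default HUB1" -PermissionGroups ExchangeServers,ExchangeLegacyServers

# 5. Dedicated client connector on the NLB address, port 587, TLS required,
#    advertising the cluster name so the STARTTLS cert matches the name
#    IMAP/POP clients are configured to connect to.
New-ReceiveConnector -Name "Client SMTP (NLB)" -Server HUB1 -Usage Client `
    -Bindings 10.0.0.50:587 -RemoteIPRanges 0.0.0.0-255.255.255.255 `
    -Fqdn nlb.example.com -RequireTLS $true `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# Check that the SMTP binding and the SAN names are in place.
Get-ExchangeCertificate | Where-Object { $_.Services -like "*SMTP*" } |
    Format-List Thumbprint,Subject,CertificateDomains,Services
```

Steps 2, 4 and 5 are repeated on HUB2 (importing the PFX from step 3 instead of the .cer) so both nodes behind the NLB name behave identically.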

Is NLB for HT now a supported config? I thought it was only supported for CAS.
January 4th, 2008 11:57pm

NLB is supported for HT, but only for connectors that are not used internally. http://technet.microsoft.com/en-us/library/bb124398.aspx
January 5th, 2008 12:02am

This 3-part explanation is really helpful: http://www.redline-software.com/eng/support/articles/msexchange/2007/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.php
January 25th, 2008 7:27pm
