Third party cert install on EBS
Hi guys, one of my customers has a Microsoft EBS (Essential Business Server) which has the Exchange roles split across two servers by default: HT, CAS and MB on one server and Edge Transport on the second one. Though I read through several Microsoft KB articles it is not clear to me how I have to install our Entrust cert on the Exchange. I have to correct myself: I already installed the cert, and it works in principle, but I get errors in the event log because I installed the official Entrust cert on both servers (and obviously I am not supposed to do that). The errors are 10104 and 1024 from MSExchange EdgeSync. So how am I supposed to do it right? Install the Entrust cert for the services IIS, POP and IMAP on the HT, CAS and MB server and generate a self-signed cert for SMTP which I install on both servers (for the SMTP service)? Or does the Entrust cert have to be installed on the Edge Transport server (which runs Microsoft TMG as firewall, by the way)? Thank you in advance, Regards Michael
December 2nd, 2010 8:41am

This would help http://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm
December 2nd, 2010 9:55am

No, this does not help - it just tells you to install the cert on "the Exchange server" (and not on which server, speaking of Exchange roles) and activate it. Of course I have to export it and install it on the ISA/TMG server (which in the case of the EBS is the server with the Exchange Edge Transport role) too, because I want to use it with the web listener there. So no, unfortunately it does not help. Any other ideas? Thank you
December 9th, 2010 4:29am

You shouldn't have the same certificate on the TMG server as on the Exchange server. Therefore if you have purchased a commercial certificate then that goes on whatever is facing the Internet. On the Exchange servers you leave the default self-signed certificate. You will have to remove the commercial certificate, and ensure the self-signed certificate is bound to the relevant services. Furthermore, you may have to add the self-signed certificate from each server into the local certificate store of the server with TMG installed on it, so that server trusts them. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
December 9th, 2010 5:51am

Hi Simon - thank you for your answer! So for this specific scenario this means: I install the Entrust cert on the server running the Exchange Edge Transport role and the TMG server and remove it from the server running the other Exchange services. But this also means that I can only enable the cert for the SMTP service because that's the only Exchange service running on the Edge Transport server (e.g. there is no IIS there). Will OWA, Outlook Anywhere and so on work then? Once again - thank you!
December 13th, 2010 3:56am

You will need to generate a self-signed certificate on the CAS server for TMG to connect to. However all other services should work as long as you have configured the TMG server correctly. Simon. Simon Butler, Exchange MVP Blog | Exchange Resources
December 13th, 2010 4:44am

Thank you - I will try it this way!
December 13th, 2010 5:21am

Hi, I have to bring this up again (it seems like I can't get it to work). I tried your suggestions and also referred to article http://technet.microsoft.com/en-us/library/cc671171(EXCHG.80).aspx because I have the exact same error messages/behavior. So I removed the third party cert from the Edge Transport server, created a new self-signed cert (by cloning the old default self-signed one) on the server hosting the CAS, HT and MB roles and imported that new cert on the Edge Transport server. Then I enabled this new self-signed cert for SMTP on the Edge Transport server and wanted to enable it for SMTP on the CAS, HT and MB server too, but this doesn't work (I get the following error message: WARNING: This certificate will not be used for external TLS connections with an FQDN of 'msg.aet.local' because the CA-signed certificate with thumbprint 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' takes precedence. The following connectors match that FQDN: Default MSG, Client MSG.) This warning mentions the third party cert. So still, EdgeSync between the servers does not work because of a certificate mismatch; I see errors 10104 (source Synchronization) and 1024 (source Topology) in the event logs. "Normal" mail flow works but I run into trouble when I want to create a new mailbox - external senders can't send mails to it; internal mail flow for this new mailbox works, however. I guess this is because the EdgeSync doesn't work?! Ideas?
January 5th, 2011 4:48pm

OK - I finally solved the problem. Seems like YOU CANNOT run the same certificate for SMTP on the Edge and the HT server (doesn't matter if it's a third party certificate or a self-signed one). So I installed the third party cert on the Edge and generated a new self-signed one on the HT server, recreated the EdgeSubscription and the EdgeSync finally worked again. Thanks anyhow!
January 7th, 2011 8:41am
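The following Exchange Management Shell sequence is an added example written for this thread; it is not code posted by Michael or Simon, and it is not part of any Microsoft article. It puts the thread's final solution and Simon's TMG trust note into checkable steps: record which certificate is bound to SMTP on the Hub Transport and on the Edge server, flag the shared-thumbprint condition that breaks EdgeSync, give the Hub Transport its own self-signed SMTP certificate while the commercial certificate stays on the Edge (and on IIS/POP/IMAP for OWA and Outlook Anywhere), recreate the Edge Subscription, and export the Hub's self-signed certificate so the TMG server can trust it. The cmdlets are the documented Exchange 2007/2010 ones; server names, FQDNs, the Active Directory site name and file paths are placeholders. Because the Edge Transport server is not domain-joined, each step is run locally on the server named in its comment rather than as one script.

```powershell
# Added example for this thread, not the posters' own commands.
# Placeholders: HT01 (Hub/CAS/MB server), EDGE01 (Edge Transport server),
# ht01.example.local, 'Default-First-Site-Name' and the C:\Temp paths.

# --- Step 1 (run on HT01 and on EDGE01): which cert is bound to SMTP? -----
function Get-SmtpCertificate {
    # Returns the certificates on this server that have SMTP among their services.
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |
        Select-Object Thumbprint, IsSelfSigned, Subject, NotAfter,
            @{ Name = 'Domains'; Expression = { $_.CertificateDomains -join ',' } }
}

# Save the result per server; copy both files to one machine afterwards.
Get-SmtpCertificate | Export-Clixml -Path "C:\Temp\smtp-$env:COMPUTERNAME.xml"

# --- Step 2 (anywhere both files are available): detect the conflict ------
function Test-SmtpCertificateConflict {
    param(
        [Parameter(Mandatory = $true)][string]$HubFile,
        [Parameter(Mandatory = $true)][string]$EdgeFile
    )
    $hub  = @(Import-Clixml -Path $HubFile)
    $edge = @(Import-Clixml -Path $EdgeFile)
    $edgeThumbs = $edge | ForEach-Object { $_.Thumbprint }
    $shared = $hub | Where-Object { $edgeThumbs -contains $_.Thumbprint }
    if ($shared) {
        $list = ($shared | ForEach-Object { $_.Thumbprint }) -join ', '
        $msg  = 'Thumbprint(s) {0} enabled for SMTP on both Hub and Edge; EdgeSync will report a certificate mismatch (events 10104/1024).' -f $list
        Write-Warning $msg
        return $false
    }
    Write-Host 'Hub and Edge use different SMTP certificates.'
    return $true
}

Test-SmtpCertificateConflict -HubFile 'C:\Temp\smtp-HT01.xml' -EdgeFile 'C:\Temp\smtp-EDGE01.xml'

# --- Step 3 (run on HT01): give SMTP its own self-signed certificate ------
# The commercial (Entrust) certificate keeps IIS/POP/IMAP on HT01 and SMTP on
# EDGE01; only the Hub's SMTP binding moves to a new self-signed certificate.
$hubFqdn = 'ht01.example.local'
$new = New-ExchangeCertificate -SubjectName "cn=$hubFqdn" -DomainName $hubFqdn `
           -FriendlyName 'HT01 SMTP self-signed' -PrivateKeyExportable $true
# -Force skips the "overwrite the default SMTP certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services SMTP -Force

# --- Step 4: recreate the Edge Subscription -------------------------------
# On HT01 and on EDGE01: remove the stale subscription first.
Remove-EdgeSubscription -Identity 'EDGE01' -Confirm:$false
# On EDGE01: generate the subscription file and copy it to HT01.
New-EdgeSubscription -FileName 'C:\Temp\EdgeSubscription.xml'
# On HT01: import the file, then force a sync and verify it.
$bytes = [byte[]](Get-Content -Path 'C:\Temp\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site 'Default-First-Site-Name' -CreateInternetSendConnector $true
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List   # SyncStatus should report Normal

# --- Step 5 (run on HT01): let TMG trust the Hub's self-signed cert -------
# Export only the public part (no private key) for the TMG server's store.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($new.Thumbprint)"
[IO.File]::WriteAllBytes('C:\Temp\ht01-selfsigned.cer', $cert.Export('Cert'))
# Then on the TMG server, from an elevated prompt:
#   certutil -addstore -f Root C:\Temp\ht01-selfsigned.cer
```

Step 2 compares thumbprints rather than subjects on purpose: the thread's trigger was the same certificate (same key pair) bound to SMTP on both sides, which is exactly what a thumbprint match reveals, whereas two self-signed certificates with identical subjects but different keys are fine. After step 4, the EdgeSync events 10104 and 1024 should stop appearing in the Application log of the Hub Transport server.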

