Important notice about certificate expiration for Exchange 2013 Hybrid customers


If you’re running Exchange 2013 and you’ve configured a hybrid deployment with Office 365, this post contains important information that might impact you. Please evaluate this information and take any necessary action before April 15, 2016. If your latest run of the Hybrid Configuration Wizard was initiated from Exchange 2010 than you are NOT affected.

Note: This information is now also published in KB3145044.

On April 15 2016, the Office 365 TLS certificate will be renewed. This certificate is used by Office 365 to provide TLS encryption between Office 365 and external SMTP servers. The new certificate, which will help improve the security of mail sent to and from Office 365, will be issued by a new Certificate Authority and it will have a new Issuer and Subject.

This change has the potential to stop hybrid mailflow between Office 365 and your on-premises Exchange servers if one of the following conditions applies to you:

  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or lower.
  • You’ve upgraded the Exchange 2013 servers that handle hybrid mailflow to Exchange 2013 CU9 or higher. However, since upgrading to CU9, you HAVE NOT re-run the Hybrid Configuration wizard (either from the Exchange Admin Center or via the direct download link).

If one of the previous conditions applies to your organization, hybrid mailflow between Office 365 and your organization will stop working after April 15, 2016 unless you complete the steps below.

Note: This only affects hybrid mailflow. Regular mailflow and TLS encryption is NOT affected.

How to keep hybrid mail flowing (MUST be completed before 4/15/2016)

Let the new Hybrid Configuration wizard do it for you

You can use the latest Hybrid Configuration wizard (HCW) to configure your Exchange 2013 servers to work with the new TLS certificate. Just follow these steps:

  1. If the Exchange 2013 servers handling hybrid mailflow are running Exchange 2013 CU8 or lower, follow the instructions in Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  2. After you install the latest cumulative update, download the new HCW application and run the wizard following the instructions here .

Note: For information on which releases of Exchange are supported with Office 365, see Hybrid deployment prerequisites.

Manual update

If you can’t upgrade Exchange 2013 to latest cumulative update right now (although we would like to remind you of our support policy), you can manually configure your servers to work with the new TLS certificate. On each Exchange 2013 server that’s used for hybrid mailflow, open the Exchange Management Shell, and run the following commands:

$rc=Get-ReceiveConnector |where {$_.TlsDomainCapabilities -like "*MSIT Machine Auth CA 2*"}

$rc | foreach {Set-ReceiveConnector -Identity $_.identity -TlsDomainCapabilities "mail.protection.outlook.com:AcceptCloudServicesMail”}

Office 365 Hybrid Team

Comments (12)
  1. krisasmith says:

    What I have configured today is: ‘mail.protection.outlook.com:AcceptOorgProtocol’. I don’t see any documentation as to what the capability ‘AcceptCloudServicesMail’ does. What is the impact (if any) changing my receive connector to: ‘mail.protection.outlook.com:AcceptCloudServicesMail’?

  2. @krisasmith: I spoke with the transport team and they said there is no need for you to change any settings, it appears you were configured with HCW 2010, you should be good to go.

  3. @krisasmith just to add a little more context,
    ‘AcceptCloudServicesMail’ was the replacement in Exchange 2013 for Exchange 2010 AcceptOorgProtocol. If your Receive Connector is an Exchange 2013 server then switching to ‘AcceptCloudServicesMail’ will have no impact. Thanks to the mail flow team for the additional
    context!

  4. Safeng says:

    Hi Tim, does that means no action required if using Exchange 2010 as Hybrid server?

  5. Tim, Thanks for clarifying this topic.

  6. @Safeeng – yes you are correct if you ran HCW from 2010 you will not be effected by this

  7. Azure-Amjad says:

    @TimothyHeeney (Your article ref August 15, Hybrid Best practices) I totally agree with you guys, and as mentioned before, great article, but a quick question to help me understand better.

    If migrating from Exchange 2007 using Exchange 2013 to move to Office 365. The new method would be to introduce enough Exchange 2013 Servers to handle the load and move all namespaces to Exchange 2013. Would it then be useful to retire the Exchange 2007 CAS
    servers before I start the HCW?
    Many Thanks
    Amjad

  8. Azure-Amjad says:

    No worries, found the answer, which is what I had suspected:
    Exchange 2013 Client Access servers proxy Outlook Web App requests for on-premises mailboxes to Exchange 2007 Client Access servers.

  9. Lars Baltzer says:

    Hi Tim
    I think your command should be
    $rc = Get-ReceiveConnector | Where-Object {$_.TlsCertificateName -like "**"}

    If you would like to check to see if you are ready for the certificate change.
    Could I assume that if -TlsDomainCapabilities is set to "mail.protection.outlook.com:AcceptCloudServicesMail”
    We are good to GO ?

    or is there anywhere else we can validate everything is OK. ?

    Regards
    Lars Baltzer

  10. Lars Baltzer says:

    $rc = Get-ReceiveConnector | Where-Object {$_.TlsCertificateName -like "**"}

  11. Lars Baltzer says:

    Something goes wrong when I paste my line into the comment field.

    The I is missing between **

    $rc = Get-ReceiveConnector | Where-Object {$_.TlsCertificateName -like "**"}

  12. khorshed alom says:

    @khorshed:does that means no action required if using Exchange 2014 as Hybrid server?

Comments are closed.