Encrypted communication between internal and external gateways
Hi Experts, We are designing a solution for a customer who has IronPort gateway servers in 2 different sites and a pure Exchange 2010 setup. Hub transport servers are located in different geographical sites, and two receive connectors will be configured to use one IronPort gateway in each site for redundancy. Now, the customer wants us to configure secure communication between the hub transport servers and the gateway servers. In the normal scenario, hub transport servers use a self-signed certificate to communicate internally. When we get a 3rd party certificate to encrypt communication between IronPort and the HT servers, how will the internal communication work using the self-signed certificate? I don't want to use any 3rd party certificate for internal HT communication. I probably don't want to assign any specific IP range for communicating from HT to Gateway; in the worst case I will prefer to have one. Any suggestions would be highly appreciated.
August 16th, 2010 3:45pm

I assume you have already created the SMTP receive/send connectors on the HTs that will handle mail to and from the IronPorts? They should have TLS enabled by default. They will offer Opportunistic TLS on the Internet receive connector and will send TLS if it's offered by the IronPort. You can verify this by doing a get command for the connectors and checking the auth methods. More info: http://technet.microsoft.com/en-us/library/aa998662.aspx http://technet.microsoft.com/en-us/library/aa996395.aspx
August 16th, 2010 5:04pm
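The "get command" check Andy describes, written out as an added Exchange Management Shell example (not code from the thread or from Microsoft). It assumes the receive and send connectors that face the IronPorts are named "Inbound from IronPort" and "Outbound to IronPort"; those names are hypothetical, so substitute your own. It lists whether each connector offers or requires TLS, which IP ranges the receive connector accepts, and which certificate each HT has enabled for SMTP:

```powershell
# Added example: verify TLS settings on the HT connectors that face the IronPorts.
# Run in the Exchange 2010 Management Shell. Connector names below are hypothetical.
$rcName = "Inbound from IronPort"
$scName = "Outbound to IronPort"

# Receive connectors: STARTTLS is only offered when AuthMechanism includes Tls.
# RequireTLS rejects cleartext sessions; RemoteIPRanges scopes the connector to the gateways.
Get-ReceiveConnector | Where-Object { $_.Name -eq $rcName } | ForEach-Object {
    $offersTls = ($_.AuthMechanism.ToString() -match "Tls")
    "{0} on {1}: TLS offered={2} RequireTLS={3} RemoteIPRanges={4}" -f `
        $_.Name, $_.Server, $offersTls, $_.RequireTLS, ($_.RemoteIPRanges -join ",")
}

# Send connector: RequireTLS forces encryption to the smart host (the IronPort);
# IgnoreSTARTTLS would silently disable TLS, so it should be False.
Get-SendConnector | Where-Object { $_.Name -eq $scName } | ForEach-Object {
    "{0}: RequireTLS={1} IgnoreSTARTTLS={2} SmartHosts={3}" -f `
        $_.Name, $_.RequireTLS, $_.IgnoreSTARTTLS, ($_.SmartHosts -join ",")
}

# Certificates enabled for the SMTP service on this HT. Opportunistic TLS works with
# the default self-signed certificate (IsSelfSigned = True); check it has not expired.
Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "SMTP" } |
    Select-Object Thumbprint, IsSelfSigned, Subject, NotAfter
```

If `TLS offered` is False on the receive connector, `Set-ReceiveConnector -AuthMechanism Tls` (combined with the other mechanisms you already use) restores STARTTLS; only set `RequireTLS $true` after confirming the IronPort side negotiates TLS, or mail from that gateway will be rejected.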

Thanks for the reply, Andy. My question is, after enabling a 3rd party certificate on IronPort and the HT servers, whether internal communication between HTs will continue to function as usual, or whether there will be any internal mail flow problem due to the default nature of the self-signed certificate for HT servers. Is there a way to assign a certificate to an IP address or IP address range so that I can assign multiple IPs to the same NIC on the HTs? By doing so I can leave the internal self-signed cert for internal communication, and the 3rd party cert for HT and IronPort communication.
August 17th, 2010 2:23pm

You can leave the self-signed cert on the HTs. There is no need to use a 3rd party certificate on the HTs in your scenario. You aren't requiring that the IronPort trust the cert, only that it uses it for encrypting the transmission. You can do that when using Opportunistic TLS. Check the Internet headers in Outlook for a message that traverses the HTs and IronPorts. You should see references to TLS in there, so you know that's what it's using.
August 17th, 2010 3:16pm
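The header check from the answer above, as an added PowerShell example that is not part of the thread. It takes the Internet headers of a message (here a constructed sample; paste your own from Outlook's message options) and reports, hop by hop, whether the Received line carries a TLS marker. Exchange 2010 writes "Microsoft SMTP Server (TLS)" and Cisco AsyncOS writes "ESMTP/TLS/<cipher>" when the session was encrypted; a hop showing neither was cleartext. The host names and addresses in the sample are made up.

```powershell
# Added example: walk the Received: headers of a message and flag which hops used TLS.
# Sample headers are constructed for illustration; host names and IPs are fictitious.
$headers = @"
Received: from esa1.example.com (192.0.2.10) by HT01.corp.example.com (10.1.1.5)
 with Microsoft SMTP Server (TLS) id 14.0.722.0; Tue, 17 Aug 2010 14:05:02 +0000
Received: from mx.sender.example ([198.51.100.7]) by esa1.example.com
 with ESMTP/TLS/DHE-RSA-AES256-SHA; 17 Aug 2010 14:05:01 +0000
Received: from client.sender.example (203.0.113.9) by mx.sender.example
 with ESMTP; 17 Aug 2010 14:05:00 +0000
From: someone@sender.example
Subject: test
"@

function Get-ReceivedHops {
    param([string]$RawHeaders)
    # Unfold continuation lines (RFC 5322 folding: lines starting with whitespace).
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", " "
    $hops = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -notmatch '^Received:\s*(.*)$') { continue }
        $body = $Matches[1]
        $from = if ($body -match 'from\s+(\S+)') { $Matches[1] } else { "?" }
        $by   = if ($body -match '\sby\s+(\S+)')  { $Matches[1] } else { "?" }
        # Exchange marks TLS as "(TLS)"; AsyncOS as "ESMTP/TLS/<cipher>".
        $tls  = ($body -match '\(TLS\)') -or ($body -match 'ESMTP/TLS/')
        $hops += New-Object PSObject -Property @{ From = $from; By = $by; TLS = $tls }
    }
    # Received headers are prepended, so reverse to show the path in delivery order.
    [array]::Reverse($hops)
    return $hops
}

Get-ReceivedHops -RawHeaders $headers | Format-Table From, By, TLS -AutoSize
```

For the sample, the first hop (sender to its own MX) shows TLS = False, while the IronPort hop and the IronPort-to-HT hop both show True, which is exactly the evidence Andy suggests looking for. Note that the marker only proves the session was encrypted; with a self-signed certificate on the HT, the IronPort side is not verifying the HT's identity, which is what the term "opportunistic" means here.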
