You are the messaging engineer for Contoso, Ltd. Contoso has an Exchange Server 2007 messaging system. Contoso has an Edge Transport server deployed in its perimeter network.
Contoso recently acquired Blue Yonder Airlines. Blue Yonder Airlines has an Exchange Server 2007 messaging system. Blue Yonder Airlines has an Edge Transport server deployed in its perimeter network. You need to encrypt all e-mail communication between Contoso and Blue Yonder Airlines.
Your solution should not prevent the organization from receiving e-mail from the Internet. Which two tasks should you do? (Each correct answer presents part of the solution. Choose two.)
A.
Import a trusted X.509 certificate for each Edge Transport server.
B.
Install the S/MIME control on each Edge Transport server.
C.
Assign the Secure Server IPsec policy on the Edge Transport server.
D.
Disable Anonymous authentication for all Receive connectors on each Edge Transport server.
E.
Use the Set-TransportConfig cmdlet to enable Domain Security for a Send connector and a Receive
connector. For each connector, specify only the Contoso and Blue Yonder Airlines SMTP domains.
Explanation:
Domain Security is a functionality built into Exchange and Outlook 2007 providing a low-cost alternative to S/MIME or other message-level security solutions to manage secured message paths over the Internet with business partners. Messages from an authenticated sender display in Outlook and OWA interfaces with a Domain Secured icon.Domain Security uses TLS with mutual authentication to enable session-level security. This differs from ordinary TLS, where, typically, the client, before transmitting data, authenticates the server by validating a cert presented as part of the TLS negotiation process; but, the server itself doesn’t authenticate the client.
With mutual TLS authentication, each side verifies the connection with the other by validating exchanged certs. For Internet connections, its most efficient to generate TLS certs using a PKI or third-party CA.
To set up mutual TLS:
1. Generate a cert request for TLS certs.
2. Import the cert to Edge servers.
3. Configure outbound domain security.
4. Configure inbound domain security.
5. Test mail flow.http://technet.microsoft.com/en-us/library/bb124392.aspx
http://technet.microsoft.com/en-us/library/bb123543(EXCHG.80).aspx
EMC > Server Configuration > Hub Transport > Receive Connectors > Properties > Authentication…
Or:
Set-TransportConfig [-TLSReceiveDomainSecureList <MultiValuedProperty>] [-TLSSendDomainSecureList <MultiValuedProperty>]
Use Set-TransportConfig to modify transport configuration settings for the whole Exchange organization. To run the cmdlet on an Edge server, you must log on using a local Admin account.
TLSReceiveDomainSecureList specifies the domains from which you want to receive domain secured email using mutual TLS authentication. To fully support this, you must also perform the following steps: Enable Domain Security (Mutual Auth TLS) and TLS authentication on the Receive connectors getting messages from the domains specified with the TLSReceiveDomainSecureList parameter. Specify the domains to which you want to send domain secured email by using TLSSendDomainSecureList. Enable Domain Security (Mutual Auth TLS) on the Send connectors that send messages to domains specified in the TLSSendDomainSecureList parameter.
TLSSendDomainSecureList parameter specifies the domains from which you want to send domain secured email using mutual TLS authentication. To fully support this, you must also: Enable Domain Security (Mutual Auth TLS) on the Send connectors dispatching messages to the domains specified in the TLSSendDomainSecureList parameter. Specify the domains from which you want to receive domain secured email by using TLSReceiveDomainSecureList. Enable Domain Security (Mutual Auth TLS) and TLS authentication on the Receive connectors that receive messages from domains specified in TLSReceiveDomainSecureList.
Default value for both parameters is an empty list ({}).
http://technet.microsoft.com/en-us/library/bb124151.aspx