Certificate expiration warning for Exchange 2013 hybrid deployment with Office 365


Camilo Borges April 8, 2016

What’s the deal?

In a nutshell, if you’re using an on-site Exchange 2013 server with a hybrid Office 365 environment, your mail flow between the two services could stop due to a certificate issue. Here’s why:

The Office 365 TLS Certificate is expiring on the 15th of April 2016. This certificate is used by Office 365 to provide TLS encryption between Office 365 and external Simple Mail Transfer Protocol (SMTP) servers. The new certificate, which will help improve the security of mail that’s sent to and from Office 365, will be issued by a new certification authority, and it will have a new Issuer and Subject.

After 15 April 2016, if your organization meets one of the conditions highlighted below, the hybrid mail flow between Office 365 and your organization could be impacted until the remediation steps are followed.

Please note that this doesn’t affect any environment apart from On-Premises Exchange 2013 with a hybrid Office 365 environment.

Am I affected?

The change applies only to on-premises Exchange 2013 servers, not Exchange 2010. You are affected if one of the following conditions applies to you:

  • Your on-premises Exchange servers are running Exchange 2013 Cumulative Update 8 (CU8) or earlier.
  • You’ve upgraded the Exchange 2013 servers that handle hybrid mail flow to Exchange 2013 Cumulative Update 9 (CU9) or later. However, after upgrading to Exchange 2013 CU9, you have not rerun the Hybrid Configuration wizard (either from the Exchange admin centre or through the direct download link at https://aka.ms/HybridWizard).

What can I do?

If you discover you are affected, time is short. The following solutions must be completed before 15 April, 2016:

Solution 1 – Using Office 365 Hybrid Configuration Wizard

Use the Office 365 Hybrid Configuration Wizard (HCW) to configure the Exchange 2013 servers to work with the new TLS certificate. To do this, follow these steps:

  • If the Exchange 2013 servers that are handling hybrid mail flow are running Exchange 2013 Cumulative Update 8 (CU8) or earlier, follow the instructions at Updates for Exchange 2013 to install the latest cumulative update on at least one server.
  • After you install the latest cumulative update, download the Office 365 Hybrid Configuration Wizard from https://aka.ms/HybridWizard, and then run it by following the instructions you can find here: Introducing the Microsoft Office 365 Hybrid Configuration Wizard.
  • For information about the releases of Exchange that are supported in Office 365, see Hybrid deployment prerequisites.

Solution 2 – Manual configuration

If you can’t upgrade Exchange 2013 to the latest cumulative update now (as a reminder, see the support policy), you can manually configure the servers to work with the new TLS certificate.

To do this, on each Exchange 2013 server that’s used for hybrid mail flow, open the Exchange Management Shell, and then run the following commands:

 

Further reading

Microsoft KnowledgeBase: https://support.microsoft.com/en-au/kb/3145044

Microsoft Office 365 Hybrid Configuration Wizard: https://blogs.technet.com/b/exchange/archive/2015/09/04/introducing-the-microsoft-office-365-hybrid-configuration-wizard.aspx
