Office 365 Hybrid Deployment (Part IV) – Configuring a Microsoft Exchange Online Hybrid Deployment

In Part 4 we will be enabling Exchange Federation, and we will see how to configure the on-premises Exchange organization for the Federation trust and Organization Relationship.
In order to do that, we have to import a trusted certificate into the local computer certificate store. That is, we will import and assign a third-party certificate to IIS and SMTP on the Exchange 2010 hybrid server.
Let’s get going…

Import a trusted certificate into the local computer certificate store
When configuring a hybrid deployment, one of the requirements is an SSL certificate from a trusted third-party certificate provider.
This certificate will be used to secure the communication between the on-premises Exchange 2010 hybrid servers, Exchange clients and Exchange Online.


Note:
In my scenario, I’m using TMG 2010 Server for my on-premises environment.

First, I will switch to the O365-EX1 virtual machine to export the certificate.

Click Start and open the Exchange Management Console (EMC).

In EMC, navigate to Server Configuration; the Exchange Certificates are listed in the right-hand pane.

Select the server that contains the certificate, then select the certificate you want to export (mine is ex1.onprem.local), right-click it, and click Export Exchange Certificate.
The services that are checked are the ones currently assigned to the certificate.

When you click Export, the Progress page confirms your selections and attempts to export the certificate.

The Completion page displays the status of the request together with the syntax of the Shell cmdlet needed to export the certificate.

Create a new firewall rule on O365-TMG1 and Import the certificate

Note:
If you do not use TMG to publish Exchange in your environment, you only need to update the Autodiscover and EWS records in your external DNS to point to the public IP address.

Importing the Certificate
Before we can publish OWA, we first need to import the SSL certificate for the site on the TMG firewall.
To accomplish this, click Start / Run and type mmc.exe. From the menu, choose File / Add/Remove Snap-in, select Certificates, then click Add >.

Select the Computer Account option

Select the option to manage the Local computer.

In the console tree, expand the Certificates node. Expand the Personal folder, then right-click the Certificates folder and choose Import…

Enter the location of the certificate file you exported previously.
Enter the password and optionally mark the private key exportable.

Accept the default option to Place all certificates in the following store.
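The certificate export from O365-EX1 (described above under the EMC wizard) and the import into the local computer store on O365-TMG1 (the MMC steps just completed) can also be scripted. This is an added example, not the cmdlet syntax shown on the post's Completion page: the first half runs in the Exchange Management Shell on O365-EX1, the second in an elevated PowerShell on O365-TMG1. The thumbprint, the export path, the PFX password and the external host names that are checked are assumptions; replace them with your own values.

```powershell
# --- On O365-EX1 (Exchange Management Shell) ---
# Assumed values: the thumbprint of the certificate selected in EMC and a
# path the TMG server can reach afterwards (placeholders, not from the post).
$thumbprint = '<THUMBPRINT-OF-EX1-CERT>'
$pfxPath    = 'C:\certs\ex1-export.pfx'
$pfxPass    = Read-Host -AsSecureString 'PFX password'

# Public names Exchange Online and clients must find in the certificate
# (assumed for the example; use the names published in your external DNS).
$requiredNames = 'autodiscover.example.com', 'mail.example.com'

# Fail early if the chosen certificate does not cover the required names.
$cert    = Get-ExchangeCertificate -Thumbprint $thumbprint
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = $requiredNames | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# Export as a binary PFX including the private key, protected by the password
# (the Exchange 2010 pattern: FileData written out with Set-Content).
$export = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# Assign the same certificate to IIS and SMTP on the hybrid server.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP

# --- On O365-TMG1 (elevated PowerShell) ---
# Equivalent of the MMC import into Local Computer > Personal > Certificates;
# the key is stored machine-wide and marked exportable, as in the wizard.
$pfxPath = 'C:\certs\ex1-export.pfx'
$pfxPass = Read-Host -AsSecureString 'PFX password'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$pfx   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPass, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($pfx)
$store.Close()

# Verify: the TMG web listener can only use a certificate whose private key
# is present in the machine store.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw 'Private key was not imported; the TMG listener cannot use this certificate.'
}
```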

Create a new firewall rule on O365-TMG1

On TMG1, click Start, point to All Programs, click Microsoft Forefront TMG, and then click Forefront TMG Management.
In the console tree, click Firewall Policy (TMG has already been configured with an SMTP (port 25) rule).
In the Actions pane, on the Tasks tab under Firewall Policy Tasks, click Publish Exchange Web Client Access.

On the Welcome to the New Exchange Publishing Rule Wizard page, type a name for the Exchange Publishing rule and then click Next.

On the Select Services page, click the Exchange version menu, select Exchange Server 2010, and then select the option to publish Outlook Web Access.

For demonstration purposes we are publishing a single CAS server, so we’ll choose the option to Publish a single web site or load balancer.

Select the option to Use SSL to connect to the published web server or server farm.

Enter the name of the internal web site.
Select the option to accept requests for a specific domain, and then enter the public name of the web site.
Create a web listener for the site by selecting New…, and then enter a descriptive name for the listener.
Select the option to Require SSL secure connection with clients.

Select the network to listen for incoming web requests.

Choose Select Certificate… and select the certificate you imported previously.

Select the option to use No Authentication.

On the Authentication Delegation page, click the menu, click No delegation, but the client may authenticate directly, and then click Next.

If you wish to grant access to OWA only to specific users and/or groups, add them here. Otherwise accept the default All Authenticated Users group.

To confirm operation, click the Test Rule button.

In the results pane, double-click the Exchange Web Access rule.
In the Exchange Web Access Properties window, on the Paths tab, click Add, and check the paths.

Stay tuned for Part 5…
