Certificate requirements for hybrid deployments

In a hybrid deployment, digital certificates are an important part of securing the communication between the on-premises Exchange organization and Office 365. Certificates enable each Exchange organization to trust the identity of the other. Certificates also help to ensure that each Exchange organization is communicating with the right source.

In a hybrid deployment, many services make use of certificates:

  • Azure Active Directory Connect (Azure AD Connect) with Active Directory Federation Services (AD FS): If you choose to deploy Azure AD Connect with AD FS as part of your hybrid deployment, a certificate issued by a trusted third-party certificate authority (CA) is used to establish a trust between web clients and federation server proxies, to sign security tokens, and to decrypt security tokens.

    Learn more at Certificates.

  • Exchange federation: A self-signed certificate is used to create a secure connection between the on-premises Exchange servers and the Azure Active Directory authentication system.

    Learn more at Understanding Federated Delegation.

  • Exchange services: Certificates issued by a trusted third-party CA are used to help secure Secure Sockets Layer (SSL) communication between Exchange servers and clients. Services that use certificates include Outlook on the web, Exchange ActiveSync, Outlook Anywhere, and secure message transport.

  • Existing Exchange servers: Your existing Exchange servers may make use of certificates to help secure Outlook on the web communication, message transport, and so on. Depending on how you use certificates on your Exchange servers, you might use self-signed certificates or certificates issued by a trusted third-party CA.

Certificate requirements for a hybrid deployment

When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox servers (Exchange 2016 and newer) and on all Mailbox and Client Access servers (Exchange 2013 and older).

Important

If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.

Note

When Exchange Edge Transport servers are deployed in an on-premises organization, this certificate must also be installed on all Edge Transport servers. Each transport server must use a certificate that shares the same issuing CA and the same subject for hybrid secure mail to function correctly.

Multiple services, such as AD FS, Exchange federation, and Exchange services, each require certificates. Depending on your organization, you may decide to do one of the following:

  • Use a single third-party certificate that is used by all services across multiple servers.

  • Use a separate third-party certificate for each server that provides services.

Whether you choose to use the same certificate for all services or dedicate a certificate to each service depends on your organization and the services you're implementing. Here are some things to consider about each option:

  • Third-party certificate across multiple servers: Third-party certificates that are used by services across multiple servers may be slightly cheaper to obtain, but they may complicate renewal and replacement. The complication occurs because, when a certificate needs replacement, you need to replace the certificate on every server where it's installed.

  • Third-party certificate for each server: Using a dedicated certificate for each server that hosts services allows you to configure the certificate specifically for the services on that server. If you need to replace or renew the certificate, you only need to replace it on the server where the services are installed. Other servers aren't affected.

We recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services in your hybrid deployment, and, if needed, another certificate on your Exchange servers for other required services or features. The on-premises federation trust configured as part of federated sharing in a hybrid deployment uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate with the federation trust configured as part of a hybrid deployment.

The services that are installed on a single server may require that you configure multiple fully qualified domain names (FQDNs) for the server. You should purchase a certificate that allows for the maximum required number of FQDNs. Certificates consist of the subject name (also called the principal name) and one or more subject alternative names (SANs). The subject name is the FQDN that the certificate is issued to and should use the primary SMTP domain that is shared between the on-premises and Exchange Online organizations. SANs are additional FQDNs that can be added to a certificate in addition to the subject name. If you need a certificate to support five FQDNs, purchase a certificate that allows five domains to be added to the certificate: one subject name and four SANs.

The following table outlines the minimum suggested FQDNs that should be included on certificates configured for use in a hybrid deployment.

Service                     Suggested FQDN                                                                                                            Field
Primary shared SMTP domain  contoso.com                                                                                                               Subject name
Autodiscover                Label that matches the external Autodiscover FQDN of your Exchange 2013 Client Access server, such as autodiscover.contoso.com  Subject alternative name
Transport                   Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com                              Subject alternative name
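The following script is an added example, not part of the original article, that checks two of the requirements above from the Exchange Management Shell: that every transport server presents a certificate with the same subject and issuing CA (the note on Edge Transport servers), and that the certificate's subject/SAN list covers the minimum FQDNs in the table. The server names in $servers are hypothetical; the FQDNs are the contoso.com examples from the table and must be replaced with your own. Edge Transport servers are not in Active Directory, so run the same check locally on each of them.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
$servers       = @('EX01', 'EX02')   # hypothetical on-premises Mailbox servers
$subject       = 'CN=contoso.com'    # subject name from the table above
$requiredNames = @('contoso.com', 'autodiscover.contoso.com', 'edge.contoso.com')

# Collect the SMTP-enabled certificate with the expected subject from each server.
$found = foreach ($server in $servers) {
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Subject -eq $subject -and "$($_.Services)" -match 'SMTP' } |
        Select-Object @{ n = 'Server'; e = { $server } }, Thumbprint, Subject, Issuer, NotAfter,
                      @{ n = 'Domains'; e = { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) } }
}

# Check 1: every transport server has a certificate with the required subject bound to SMTP.
$missing = $servers | Where-Object { $_ -notin @($found.Server) }
if ($missing) {
    Write-Warning "No SMTP certificate with subject '$subject' found on: $($missing -join ', ')"
}

# Check 2: hybrid secure mail needs one issuing CA and one subject across all transport servers.
$issuers = @($found.Issuer | Sort-Object -Unique)
if ($issuers.Count -gt 1) {
    Write-Warning "Transport certificates were issued by different CAs: $($issuers -join ' | ')"
}

# Check 3: the subject/SAN list covers the minimum FQDNs, and the certificate is not about to expire.
foreach ($cert in $found) {
    $absent = $requiredNames | Where-Object { $_ -notin $cert.Domains }
    if ($absent) {
        Write-Warning "$($cert.Server): certificate $($cert.Thumbprint) lacks $($absent -join ', ')"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($cert.Server): certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }
}

$found | Format-Table Server, Thumbprint, Issuer, NotAfter -AutoSize
```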