Thank you Mirela, this is a really good article.
Throughout several design reviews, we recorded that the Exchange Online infrastructure was the only infrastructure which was able to access the tunnel termination point for the Hybrid Agent built on the Azure Application Proxy. We have notes stating that MS has IP ACLs restricting access to that tunnel endpoint.
With the discovery that it’s publicly available, we are looking for MS’s answers on how the credentials and monitoring for the MS side of that endpoint are handled.
You stated above “The Hybrid Agent accepts traffic only from Exchange Online Servers”; however, in our tests it’s not just resolvable, it’s reachable: we get challenged for authentication from public networks, which is not “only reachable from Exchange Online”. Do you have a document on how this technology is secured so that Exchange Online resources are the only resources that can access the Hybrid endpoint, especially when the URL is not dynamic?
Thank you
Eric