Exchange Classic Hybrid Firewall Requirements
I am setting up Exchange Classic Hybrid. All mail flow will continue through our DataCentre Exchange Servers. I am unsure of exactly what needs to be allowed on my firewall. The deployment https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites indicates that the target is EOL (Exchange Online), so I am wondering what exactly the list of IPs/DNS names for EOL is. From https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams, are we to allow all EOL ranges, or all EOL ranges and common URLs?
Note: I am specifically talking about the back-end and not the client requirements.
So if my interpretation is correct this is what my ruleset should look like.
| Direction | TCP port | Usage | Source | Destination | Ruleset | ID |
|---|---|---|---|---|---|---|
| Outbound | 25 | Mail flow to EOP | All Exchange Servers | All Exchange Servers | Exchange Online | 1,3,8,9,154 |
| Outbound | 443 | Calendaring and Migration | All Exchange Servers | See ruleset | Exchange Online | 1,3,8,9,154 |
| Inbound | 443 | Calendaring and Migration | See ruleset | One Exchange Server | Exchange Online | 1,3,8,9,154 |
| Inbound | 25 | Mail flow from EOP | See ruleset | One Exchange Server | Exchange Online | 10 |
- BenKrah (Brass Contributor)
Hi shockotechcom,
Your table is correct - if all client systems (which also means servers, printers, etc. sending mail via Exchange) connect to Exchange on-premises, you do not need port 587 to be open.
The connections between Exchange OP and EXO only need 443, 80 and 25. You must allow every IP range/URL that uses one or more of these ports from the list on the website you provided (https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#skype-for-business-online-and-microsoft-teams).
- shockotechcom (Iron Contributor)
BenKrah, thanks for the reply, but you indicate my table is not correct? I don't have port 80. What is that used for?
- BenKrah (Brass Contributor)
Hi shockotechcom,
Never mind - port 80 is required for certificate revocation checks in other scenarios, but not for the hybrid configuration itself.
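As an added example (not code from the thread or from Microsoft), the following shows how to turn the Microsoft 365 endpoint list into the per-port ID column of the table above: it takes JSON in the shape returned by the endpoint web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>), keeps only Exchange entries, and reduces them to the TCP ports the replies conclude hybrid needs (25 and 443), so an 80-only entry such as a CRL host is dropped. The embedded entries are constructed placeholders, and the function names are my own.

```python
import json
import ipaddress

# Constructed sample in the shape of the Microsoft 365 endpoint web service output
# (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>). IDs, URLs
# and IP ranges are placeholders (RFC 5737/3849 ranges), not real Microsoft values.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.example.test"],
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443", "required": True},
    {"id": 9, "serviceArea": "Exchange", "urls": ["*.mail.protection.example.test"],
     "ips": ["198.51.100.0/24"], "tcpPorts": "25", "required": True},
    {"id": 10, "serviceArea": "Exchange", "ips": ["203.0.113.0/24"],
     "tcpPorts": "25", "required": True},
    {"id": 50, "serviceArea": "Exchange", "urls": ["crl.example.test"],
     "tcpPorts": "80", "required": False},
    {"id": 12, "serviceArea": "Skype", "urls": ["*.lync.example.test"],
     "ips": ["203.0.113.128/25"], "tcpPorts": "443", "udpPorts": "3478", "required": True},
])

HYBRID_TCP_PORTS = {25, 443}  # ports the thread concludes hybrid itself needs


def parse_ports(spec):
    """'80,443' -> {80, 443}; a missing or empty tcpPorts field -> empty set."""
    return {int(p) for p in spec.split(",") if p.strip()} if spec else set()


def hybrid_rules(endpoint_json, ports=HYBRID_TCP_PORTS):
    """Exchange entries that use one of `ports`, reduced to the ports they actually use."""
    rules = []
    for entry in json.loads(endpoint_json):
        if entry.get("serviceArea") != "Exchange":
            continue  # other workloads are client-side, not hybrid back-end traffic
        hit = parse_ports(entry.get("tcpPorts")) & set(ports)
        if not hit:
            continue  # e.g. an 80-only entry (CRL host) is dropped
        # Validate each range so a malformed feed entry fails loudly, not as a bad rule.
        nets = [str(ipaddress.ip_network(ip)) for ip in entry.get("ips", [])]
        rules.append({"id": entry["id"], "tcp_ports": sorted(hit), "ips": nets,
                      "urls": entry.get("urls", []), "required": entry.get("required", False)})
    return rules


def ids_for_port(rules, port):
    """Endpoint IDs to allow for one TCP port, i.e. the 'ID' column of the table above."""
    return sorted(r["id"] for r in rules if port in r["tcp_ports"])
```

Feed the real service output to `hybrid_rules` instead of the sample and the two `ids_for_port` calls give the ID lists for the 25 and 443 rows; rules for the 443 row should be opened only on the ports each ID actually lists.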