Forum Discussion
shockotechcom
Oct 18, 2020 - Iron Contributor
Exchange Classic Hybrid Firewall Requirements
I am setting up Exchange Classic Hybrid. All mail flow will continue through our DataCentre Exchange Servers. I am unsure of exactly what needs to be allowed on my firewall. The deployment pre-reqs here indicate that the target is EOL (Exchange Online) so I am wondering what exactly is the list of IPs/DNS names for EOL. From the Office 365 URLs and IP ranges listing are we to allow all EOL ranges or all EOL ranges and common URLs?
Note: I am specifically talking about the back-end and not the client requirements.
So if my interpretation is correct this is what my ruleset should look like.
Direction | TCP port | Usage | Source | Destination | Ruleset | ID |
Outbound | 25 | Mail flow to EOP | All Exchange Servers | All Exchange Servers | Exchange Online | 1,3,8,9,154 |
Outbound | 443 | Calendaring and Migration | All Exchange Servers | See ruleset | Exchange Online | 1,3,8,9,154 |
Inbound | 443 | Calendaring and Migration | See ruleset | One Exchange Server | Exchange Online | 1,3,8,9,154 |
Inbound | 25 | Mail flow from EOP | See ruleset | One Exchange Server | Exchange Online | 10 |
- BenKrah (Brass Contributor)
Hi shockotechcom,
your table is correct - if all client systems (also means servers, printers, etc. sending mail via Exchange) connect to Exchange on-premises, you do not need port 587 to be open.
The connections between Exchange OP and EXO only need 443, 80 and 25. You must allow every IP range/URL that uses one or more of these ports from the list on the website you provided (Office 365 URLs and IP ranges listing).
- shockotechcom (Iron Contributor)
BenKrah thanks for the reply but you indicate my table is not correct? I don't have port 80. What is that used for?
- BenKrah (Brass Contributor)
Hi shockotechcom,
never mind - port 80 is required for certificate revocation check in other scenarios but not for hybrid configuration itself.
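Added example, not part of the thread: one way to turn the "Office 365 URLs and IP ranges" listing into per-port allow lists for ports 25 and 443, and to check that every ID a firewall rule references really lists that rule's port. It assumes records with the `id`, `serviceArea`, `urls`, `ips` and `tcpPorts` fields of the Office 365 IP Address and URL web service; the ids, hostnames and ranges in `SAMPLE` are constructed placeholders.

```python
import ipaddress

# Constructed sample records in the shape returned by the Office 365 IP Address
# and URL web service; ids, hostnames and ranges are placeholders, not real data.
SAMPLE = [
    {"id": 901, "serviceArea": "Exchange", "urls": ["mail.example.com"],
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443"},
    {"id": 902, "serviceArea": "Exchange", "urls": ["*.mx.example.com"],
     "ips": ["198.51.100.0/25"], "tcpPorts": "25"},
    {"id": 903, "serviceArea": "Exchange", "urls": ["*.auto.example.com"],
     "tcpPorts": "443"},                      # URL-only record, no "ips" key
    {"id": 904, "serviceArea": "Skype", "urls": ["im.example.com"],
     "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
]

def tcp_ports(record):
    """Parse the comma-separated tcpPorts string into a set of ints."""
    return {int(p) for p in record.get("tcpPorts", "").split(",") if p.strip()}

def allow_list(records, service_area, wanted_ports):
    """Group ids, networks and URLs of one service area by wanted TCP port."""
    out = {p: {"ids": [], "ips": set(), "urls": set()} for p in wanted_ports}
    for rec in records:
        if rec.get("serviceArea") != service_area:
            continue
        for port in tcp_ports(rec) & set(wanted_ports):
            entry = out[port]
            entry["ids"].append(rec["id"])
            # ip_network() rejects malformed CIDRs before they reach a rule.
            entry["ips"] |= {ipaddress.ip_network(c) for c in rec.get("ips", [])}
            entry["urls"] |= set(rec.get("urls", []))
    return out

def ids_not_using_port(records, rule_ids, port):
    """Return ids referenced by a firewall rule that do not list `port`."""
    by_id = {r["id"]: r for r in records}
    return sorted(i for i in rule_ids
                  if i not in by_id or port not in tcp_ports(by_id[i]))

def url_only_ids(records, service_area):
    """Ids with hostnames but no IP ranges: an IP-based rule cannot cover them."""
    return [r["id"] for r in records
            if r.get("serviceArea") == service_area and not r.get("ips")]

if __name__ == "__main__":
    for port, e in allow_list(SAMPLE, "Exchange", [25, 443]).items():
        print(port, e["ids"], sorted(map(str, e["ips"])), sorted(e["urls"]))
    print("rule ids without port 25:", ids_not_using_port(SAMPLE, [901, 902], 25))
    print("URL-only ids:", url_only_ids(SAMPLE, "Exchange"))
```

Feeding the function the saved JSON from the listing in place of `SAMPLE`, together with the ID column of each firewall rule, shows which IDs belong on the port 25 rows and which on the port 443 rows.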