Forum Discussion

Deleted's avatar
Deleted
Jan 22, 2018

Exchange hybrid Communication Question

My organization is in hybrid mode. We have already moved our users to the cloud. Now I have the security team asking me when I am going to turn off various services and exposrue to the outside. The p...
hybrid
office 365
On-Premises
security
Deleted's avatar
Deleted
Jan 23, 2018

Yes AD Connect will remain. No plans have been made to go full cloud.

Ian Moran's avatar
Ian Moran
Iron Contributor
Jan 23, 2018

Then your only supported setup is to keep an Exchange Server onprem for recipient management. It plays no part in mail flow and is fairly trivial to update to the latest version since it hosts no mailboxes either.

 

As long as the master source of accounts is your local AD then you'll need an EAC to manage the mail attributes of these users.

 

https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

  • Deleted's avatar
    Deleted
    Jan 23, 2018
    Ok. I understand that part. However what about the configurations, can IIS be turned off for OWA, ECP..etc and the various ports that are open to Internet and respond to external request? I guess the question that is being asked of me is can I reduce the footprint of Exchange to just management components and remove/turn off anything else?

    Examples...
    -if I go to the old OWA, IIS will respond. It displayed the IIS splash page but I have since redirected it to O365.
    -If you make EHLO request the server responds.
    -If I created an on-prem mailbox it will work because it is hybrid mode.

    Security folks are paranoid (by nature) so they want to turn everything off and run the bare minimum to do the management function.
    • Ian Moran's avatar
      Ian Moran
      Iron Contributor
      Jan 24, 2018

      The short answer is yes - but without knowing what procedures you have followed I can't really give you a definitive answer for your particular setup

      • Dominik Hoefling's avatar
        Dominik Hoefling
        MVP
        Jan 24, 2018

        You can decommission the hybrid connectivity as this is not needed for recipient management. But it is not recommended disable IIS or services like OWA, etc. You need a connectivity to Exchange Online for mailbox creation. And let's assume you would like to create a shared mailbox, you have to create it on-premises and migrate it to Exchange Online. This means, you need the migration endpoint, open ports, IIS, etc. (You can't create a shared mailbox in Exchange Online with hybrid in place).

         

        Block incoming ports to your Exchange like 25 and 587 for the EHLO response as your MX points to EOP. I guess you have to try it and verify the impact of disabling / blocking Exchange components. There is no official document from Microsoft.

Resources