App Proxy and Exchange Hybrid

I have what appears to be an odd scenario. I would like to enable the Exchange Hybrid config, however I don't want to expose my on-prem Exchange servers to the internet. I was thinking I could potentially use the Azure App Proxy to publish URIs like autodiscover.mydomain.com and mail.mydomain.com.

I know Exchange Online needs to access the AutoDiscover URI, but can I use the App Proxy with conditional access to somehow limit access to that URI to only Exchange Online? Is there another Azure product that would do this better? Any and all suggestions welcome.

6 Replies

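Two words for you, "Hybrid agent" :)

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-agent

@Vasil Michev That's the path I went but I still needed my autodiscover publicly available. :sad:

@geek2point0

You can try to allow only Microsoft IP ranges: https://docs.microsoft.com/de-de/office365/enterprise/urls-and-ip-address-ranges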

Hi,
you don't need to publish Autodiscover if you are using the Hybrid Agent. Or why do you want to publish it?
All Free/Busy requests will traverse over the Hybrid Agent.
Michael

Running through the hybrid configuration wizard I kept getting an error that my autodiscover URL wasn't reachable. It is listed in the requirements on docs.microsoft.com that autodiscover be reachable as well. https://docs.microsoft.com/en-us/Exchange/hybrid-deployment-prerequisites And isn't autodiscover required if I want ActiveSync to work for mailboxes I migrate to EOL?

For the HCW your Autodiscover URL should be reachable internally or you could ignore this error, because the TargetSharingEPR should be set correctly by the HCW.
Yes, Autodiscover is required for new mailboxes, but if you lock it down to Exchange Online IPs it will not work for your mobile phones, because they are coming from different IPs. So if you want to have Autodiscover working you have to publish without any specific IP blocking rules.
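
The trade-off described in the last reply, as an added example that is not part of the original thread: an allowlist built from published Exchange Online ranges admits Exchange Online but rejects a phone on a carrier network. The JSON mirrors the shape of the Office 365 endpoint data (`serviceArea`, `ips`, `tcpPorts`); every CIDR and source address below is a constructed documentation range, not a real Microsoft range.

```python
import ipaddress
import json

# Constructed sample shaped like the Office 365 endpoints data.
# CIDRs are documentation ranges (RFC 5737 / RFC 3849), NOT real
# Microsoft ranges; the hostname is a placeholder.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "tcpPorts": "80,443",
   "ips": ["192.0.2.0/24", "2001:db8:aa::/48"]},
  {"id": 2, "serviceArea": "Exchange", "tcpPorts": "25",
   "ips": ["198.51.100.0/25"]},
  {"id": 3, "serviceArea": "SharePoint", "tcpPorts": "443",
   "ips": ["203.0.113.0/24"]},
  {"id": 4, "serviceArea": "Exchange", "tcpPorts": "443",
   "urls": ["outlook.example.invalid"]}
]
""")

def build_allowlist(endpoints, service_area="Exchange", port="443"):
    """Collect the networks published for one service area and TCP port."""
    nets = set()
    for entry in endpoints:
        if entry.get("serviceArea") != service_area:
            continue
        ports = [p.strip() for p in entry.get("tcpPorts", "").split(",")]
        if port not in ports:
            continue
        for cidr in entry.get("ips", []):  # URL-only entries carry no "ips"
            nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets

def is_allowed(source_ip, allowlist):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in allowlist)

# Constructed client addresses for the scenario in the thread.
SOURCES = {
    "exchange_online_v4": "192.0.2.25",
    "exchange_online_v6": "2001:db8:aa::10",
    "exchange_smtp_only_range": "198.51.100.7",
    "mobile_phone_on_carrier": "198.51.100.200",
    "other_service_area": "203.0.113.5",
}

def evaluate(sources, allowlist):
    return {label: is_allowed(ip, allowlist) for label, ip in sources.items()}
```
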