Exchange Hybrid without publishing Autodiscover externally

Copper Contributor



We are planning Exchange Hybrid with Exchange 2016 setup. Security team is concerned about opening incoming 443 ports to internal environment. No external user access is allowed. We are also planning to implement MS Teams and SharePoint Online in cloud.


We looked into Hybrid agent but doesn't meet business and user experience requirements.


Ask is how can we securely establish Exchange Hybrid without compromising user experience.




4 Replies

@CloudTechie I believe you can publish autodiscover externally (using the FQDN of your choice) and limit the firewall rule to only allow Exchange Online IP's (row #1's IPv4 addresses here).  If you use autodiscover.<domain>.<tld>, this will increase the odds that the HCW will naturally succeed and a migration endpoint be successfully created.  Even if the HCW complains that it couldn't locate Exchange on-premises due to Autodiscover service not found, you can ignore that then use Exchange Online PowerShell to set your TargetAutodiscoverEpr (i.e., full URL to your on-premises Autodiscover, ending in /autodiscover/autodiscover.svc/WSSecurity (instead of /Autodiscover/Autodiscover.xml).


You may have to redo this manual TargetAutodiscoverEpr step each time your run the HCW, as it may recreate the organization relationship object.   This leads me to option B.


You can also just NOT publish Autodiscover and instead skip to updating the organization relationship in EXO, but this time just update TargetSharingEpr to be the on-premises EWS URL (which does need to be published externally, at least to the EXO IP's).  Doing this will tell EXO to not bother trying Autodiscover to find on-premises Exchange, and instead just go directly to the URL in TargetSharingEpr.  Again, you may have to re-set this TargetSharingEpr each time you run the HCW (check it to be sure it is still set after running HCW, set it again if it is no longer populated).


Hope this helps.

Thanks! We are looking into it.



We are planning to remove External ECP url in order to restrict access from public network.

Please advice us.

Hi there,

Instructions for Exchange 2016 are here:

New instructions specific to Exchange 2019 are to use Client Access Rules instead, which is a nice new way to get familiar with since these rules can have lots of other use cases too, and they're also ready to be harnessed in EXO: (links to this page: