Oct 18 2020 08:54 AM - last edited on Feb 01 2023 12:03 PM by TechCommunityAP
I am setting up Exchange Classic Hybrid. All mail flow will continue through our DataCentre Exchange Servers. I am unsure of exactly what needs to be allowed on my firewall. The deployment pre-reqs here indicate that the target is EOL (Exchange Online) so I am wondering what exactly is the list of IPs/DNS names for EOL. From the Office 365 URLs and IP ranges listing are we to allow all EOL ranges or all EOL ranges and common URLs?
Note: I am specifically talking about the back-end and not the client requirements.
So if my interpretation is correct this is what my ruleset should look like.
Direction | TCP port | Usage | Source | Destination | Ruleset | ID |
Outbound | 25 | Mail flow to EOP | All Exchange Servers | All Exchange Servers | Exchange Online | 1,3,8,9,154 |
Outbound | 443 | Calendaring and Migration | All Exchange Servers | See ruleset | Exchange Online | 1,3,8,9,154 |
Inbound | 443 | Calendaring and Migration | See ruleset | One Exchange Server | Exchange Online | 1,3,8,9,154 |
Inbound | 25 | Mail flow from EOP | See ruleset | One Exchange Server | Exchange Online | 10 |
Oct 18 2020 11:49 PM
Hi @shockotechcom,
your table is correct - if all client systems (also means servers, printers, etc. sending mail via Exchange) connect to Exchange on-premises, you do not need port 587 to be open.
The connections between Exchange OP and EXO only need 443, 80 and 25. You must allow every IP range/URL that uses one or more of these ports from the list on the website you provided (Office 365 URLs and IP ranges listing).
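Added example, not part of the original replies: one way to turn the Office 365 URLs and IP ranges listing into per-port firewall destinations, using the JSON shape of Microsoft's Office 365 IP Address and URL web service (fields `id`, `serviceArea`, `urls`, `ips`, `tcpPorts`). The sample entries, the IDs 9001/9002, and the function names are constructed for illustration; which service areas to include is left as a parameter because that is the question the thread asks.

```python
import json
from collections import defaultdict

# Constructed sample in the shape returned by the Office 365 IP Address and URL
# web service. Addresses and hostnames are placeholders from documentation
# ranges, not real Microsoft data.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "urls": ["mail.example.net"],
   "ips": ["192.0.2.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443"},
  {"id": 10, "serviceArea": "Exchange", "urls": ["*.smtp.example.net"],
   "ips": ["198.51.100.0/24"], "tcpPorts": "25"},
  {"id": 9001, "serviceArea": "Exchange", "urls": ["submit.example.net"],
   "ips": ["203.0.113.0/25"], "tcpPorts": "587"},
  {"id": 9002, "serviceArea": "Skype", "urls": ["meet.example.net"],
   "ips": ["203.0.113.128/25"], "tcpPorts": "443"}
]
""")

HYBRID_PORTS = {25, 443}  # ports in the ruleset table above


def parse_ports(value):
    """Turn the service's comma-separated port string into a set of ints."""
    return {int(p) for p in (value or "").split(",") if p.strip().isdigit()}


def build_allowlist(endpoints, service_areas=("Exchange",), ports=HYBRID_PORTS):
    """Group destinations per TCP port for the chosen service areas."""
    rules = defaultdict(lambda: {"ids": set(), "ips": set(), "urls": set()})
    for entry in endpoints:
        if entry.get("serviceArea") not in service_areas:
            continue  # out of scope for the back-end ruleset
        for port in parse_ports(entry.get("tcpPorts")) & set(ports):
            rule = rules[port]
            rule["ids"].add(entry["id"])
            rule["ips"].update(entry.get("ips", []))
            rule["urls"].update(entry.get("urls", []))
    return {port: {k: sorted(v) for k, v in rule.items()}
            for port, rule in sorted(rules.items())}


if __name__ == "__main__":
    for port, rule in build_allowlist(SAMPLE_ENDPOINTS).items():
        print(f"tcp/{port} ids={rule['ids']}")
        for dest in rule["ips"] + rule["urls"]:
            print(f"  allow {dest}")
```

Entries that only list other ports (587 in the sample) or belong to other service areas produce no rule, which keeps the ruleset limited to what the hybrid back end needs.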
Oct 19 2020 03:13 PM
@BenKrah thanks for the reply but you indicate my table is not correct? I don't have port 80. What is that used for?
Oct 20 2020 12:46 AM
Hi @shockotechcom,
never mind - port 80 is required for certificate revocation check in other scenarios but not for hybrid configuration itself.
Oct 22 2020 01:05 PM
@BenKrah Thanks! So the hybrid connector does not do CRL check?
Oct 23 2020 03:45 AM
@shockotechcom the HCW itself does not; it only configures the infrastructures to talk to each other.