Exchange Classic Hybrid Firewall Requirements

%3CLINGO-SUB%20id%3D%22lingo-sub-1793190%22%20slang%3D%22en-US%22%3EExchange%20Classic%20Hybrid%20Firewall%20Requirements%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1793190%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20setting%20up%20Exchange%20Classic%20Hybrid.%20All%20mail%20flow%20will%20continue%20through%20our%20DataCentre%20Exchange%20Servers.%20I%20am%20unsure%20of%20exactly%20what%20needs%20to%20be%20allowed%20on%20my%20firewall.%20The%20deployment%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fexchange%2Fhybrid-deployment-prerequisites%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Epre-reqs%20here%3C%2FA%3E%20indicate%20that%20the%20target%20is%20EOL%20(Exchange%20Online)%20so%20I%20am%20wondering%20what%20exactly%20is%20the%20list%20of%20IPs%2FDNS%20names%20for%20EOL.%20From%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Furls-and-ip-address-ranges%3Fview%3Do365-worldwide%23skype-for-business-online-and-microsoft-teams%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOffice%20365%20URLs%20and%20IP%20ranges%20listing%3C%2FA%3E%26nbsp%3Bare%20we%20to%20allow%20all%20EOL%20ranges%20or%20all%20EOL%20ranges%20and%20common%20URLs%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ENote%3C%2FSTRONG%3E%3A%3CFONT%20color%3D%22%23FF6600%22%3E%20I%20am%20specifically%20talking%20about%20the%20back-end%20and%20not%20the%20client%20requirements.%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20if%20my%20interpretation%20is%20correct%20this%20is%20what%20my%20ruleset%20should%20look%20like.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EDirection%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ETCP%20port%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EUsage%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ESource%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EDestination%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3ERuleset%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EID%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EOutbound%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E25%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EMail%20flow%20to%20EOP%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EAll%20Exchange%20Servers%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EAll%20Exchange%20Servers%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EExchange%20Online%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E1%2C3%2C8%2C9%2C154%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EOutbound%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E443%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3ECalendaring%20and%20Migration%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EAll%20Exchange%20Servers%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3ESee%20ruleset%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EExchange%20Online%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E1%2C3%2C8%2C9%2C154%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%26nbsp%3B%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%26nbsp%3B%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EInbound%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E443%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3ECalendaring%20and%20Migration%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3ESee%20ruleset%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EOne%20Exchange%20Server%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EExchange%20Online%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E1%2C3%2C8%2C9%2C154%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%20width%3D%22103%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EInbound%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%2286%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E25%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22107%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EMail%20flow%20from%20EOP%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3ESee%20ruleset%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22106%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EOne%20Exchange%20Server%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22100%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3EExchange%20Online%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3CTD%20width%3D%22105%22%3E%3CP%3E%3CFONT%20size%3D%222%22%3E10%3C%2FFONT%3E%3C%2FP%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1793190%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ehybrid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Network%20Connectivity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1794282%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Classic%20Hybrid%20Firewall%20Requirements%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1794282%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F534442%22%20target%3D%22_blank%22%3E%40shockotechcom%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eyour%20table%20is%20correct%20-%20if%20all%20client%20systems%20(also%20means%20servers%2C%20printers%2C%20etc.%20sending%20mail%20via%20Exchange)%20connect%20to%20Exchange%20on-premises%2C%20you%20do%20not%20need%20port%20587%20to%20be%20open.%3C%2FP%3E%3CP%3EThe%20connections%20between%20Exchange%20OP%20and%20EXO%20only%20need%20443%2C%2080%20and%2025.%20You%20must%20allow%20every%20IP%20range%2FURL%20that%20uses%20one%20or%20more%20of%20these%20ports%20from%20the%20list%20on%20the%20website%20you%20provided%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise%2Furls-and-ip-address-ranges%3Fview%3Do365-worldwide%23skype-for-business-online-and-microsoft-teams%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EOffice%20365%20URLs%20and%20IP%20ranges%20listing%3C%2FA%3E).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1797505%22%20slang%3D%22en-US%22%3ERe%3A%20Exchange%20Classic%20Hybrid%20Firewall%20Requirements%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1797505%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F817672%22%20target%3D%22_blank%22%3E%40BenKrah%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20reply%20but%20you%20indicate%20my%20table%20i%20not%20correct%3F%20I%20don't%20have%20port%2080.%20What%20is%20that%20used%20for%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

I am setting up Exchange Classic Hybrid. All mail flow will continue through our DataCentre Exchange Servers. I am unsure of exactly what needs to be allowed on my firewall. The deployment pre-reqs here indicate that the target is EOL (Exchange Online) so I am wondering what exactly is the list of IPs/DNS names for EOL. From the Office 365 URLs and IP ranges listing are we to allow all EOL ranges or all EOL ranges and common URLs?

 

Note: I am specifically talking about the back-end and not the client requirements. 

 

So if my interpretation is correct this is what my ruleset should look like. 

 

Direction

TCP port

Usage

Source

Destination

Ruleset

ID

Outbound

25

Mail flow to EOP

All Exchange Servers

All Exchange Servers

Exchange Online

1,3,8,9,154

Outbound

443

Calendaring and Migration

All Exchange Servers

See ruleset

Exchange Online

1,3,8,9,154

       

Inbound

443

Calendaring and Migration

See ruleset

One Exchange Server

Exchange Online

1,3,8,9,154

Inbound

25

Mail flow from EOP

See ruleset

One Exchange Server

Exchange Online

10

5 Replies

Hi @shockotechcom,

 

your table is correct - if all client systems (also means servers, printers, etc. sending mail via Exchange) connect to Exchange on-premises, you do not need port 587 to be open.

The connections between Exchange OP and EXO only need 443, 80 and 25. You must allow every IP range/URL that uses one or more of these ports from the list on the website you provided (Office 365 URLs and IP ranges listing).

@BenKrah thanks for the reply but you indicate my table i not correct? I don't have port 80. What is that used for? 

Hi @shockotechcom,

 

never mind - port 80 is required for certificate revocation check in other scenarios but not for hybrid configuration itself.

@BenKrah Thanks! So the hybrid connector does not do CRL check?

@shockotechcom the HCW itself not, it only configures the infrastructures to talk to each other.