cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Classic Hybrid Firewall Requirements

shockotechcom
Brass Contributor

‎Oct 18 2020 08:54 AM - last edited on ‎Feb 01 2023 12:03 PM by

‎Oct 18 2020 08:54 AM - last edited on ‎Feb 01 2023 12:03 PM by

Exchange Classic Hybrid Firewall Requirements

I am setting up Exchange Classic Hybrid. All mail flow will continue through our DataCentre Exchange Servers. I am unsure of exactly what needs to be allowed on my firewall. The deployment pre-reqs here indicate that the target is EOL (Exchange Online) so I am wondering what exactly is the list of IPs/DNS names for EOL. From the Office 365 URLs and IP ranges listing are we to allow all EOL ranges or all EOL ranges and common URLs?

 

Note: I am specifically talking about the back-end and not the client requirements. 

 

So if my interpretation is correct this is what my ruleset should look like. 

 

Direction

TCP port

Usage

Source

Destination

Ruleset

ID

Outbound

25

Mail flow to EOP

All Exchange Servers

All Exchange Servers

Exchange Online

1,3,8,9,154

Outbound

443

Calendaring and Migration

All Exchange Servers

See ruleset

Exchange Online

1,3,8,9,154

       

Inbound

443

Calendaring and Migration

See ruleset

One Exchange Server

Exchange Online

1,3,8,9,154

Inbound

25

Mail flow from EOP

See ruleset

One Exchange Server

Exchange Online

10

Labels:
3,397 Views
0 Likes
5 Replies
Reply
5 Replies
BenKrah

‎Oct 18 2020 11:49 PM

‎Oct 18 2020 11:49 PM

Re: Exchange Classic Hybrid Firewall Requirements

Hi @shockotechcom,

 

your table is correct - if all client systems (also means servers, printers, etc. sending mail via Exchange) connect to Exchange on-premises, you do not need port 587 to be open.

The connections between Exchange OP and EXO only need 443, 80 and 25. You must allow every IP range/URL that uses one or more of these ports from the list on the website you provided (Office 365 URLs and IP ranges listing).

0 Likes
Reply
shockotechcom

‎Oct 19 2020 03:13 PM

‎Oct 19 2020 03:13 PM

Re: Exchange Classic Hybrid Firewall Requirements

@BenKrah thanks for the reply but you indicate my table i not correct? I don't have port 80. What is that used for? 

0 Likes
Reply
BenKrah

‎Oct 20 2020 12:46 AM

‎Oct 20 2020 12:46 AM

Re: Exchange Classic Hybrid Firewall Requirements

Hi @shockotechcom,

 

never mind - port 80 is required for certificate revocation check in other scenarios but not for hybrid configuration itself.

1 Like
Reply
shockotechcom

‎Oct 22 2020 01:05 PM

‎Oct 22 2020 01:05 PM

Re: Exchange Classic Hybrid Firewall Requirements

@BenKrah Thanks! So the hybrid connector does not do CRL check?

0 Likes
Reply
BenKrah

‎Oct 23 2020 03:45 AM

‎Oct 23 2020 03:45 AM

Re: Exchange Classic Hybrid Firewall Requirements

@shockotechcom the HCW itself not, it only configures the infrastructures to talk to each other.

0 Likes
Reply