Hybrid mail flow with IronPort


Hi,

One of my customers has the following setup, and I'd need some recommendations to set up a hybrid mail flow -

Incoming emails -

Internet -> Cisco ASA firewall -> on-premises IronPort -> Exchange servers.

Outgoing emails -

Exchange servers -> IronPort -> Cisco ASA firewall -> Internet.

We want to set up hybrid, and figure out a way to bypass IronPort, as Microsoft recommends that there should not be any device in the secure mail flow between online and on-premises Exchange servers. Any ideas on how to set up hybrid mail flow bypassing IronPort?

3 Replies

Hi @akashg88

It is not advised by Microsoft to have any device between Exchange and Office 365, but you can set up hybrid and change the Connectors, both on-premises and Online, to point to your infrastructure, but for best security you must enable TLS on those devices and on the Exchange Online and On-Premises Connectors.
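
A read-only check of the connector TLS settings the reply above refers to, added here as an example and not part of any poster's message: for each enabled connector on both sides it reports whether TLS is required rather than opportunistic. The function names are hypothetical, the `Get-*Connector` cmdlets are Exchange's own, and each function runs in the shell named in its comment.

```powershell
# Added example: read-only report of TLS settings on hybrid-relevant connectors.
# Function names are hypothetical; the Get-*Connector cmdlets are Exchange's own.

# Run in the on-premises Exchange Management Shell.
function Get-OnPremConnectorTls {
    Get-SendConnector | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Connector   = "Send: $($_.Name)"
            NextHop     = $_.SmartHosts -join ','
            TlsEnforced = [bool]$_.RequireTLS
            TlsDetail   = "$($_.TlsAuthLevel) $($_.TlsDomain)".Trim()
            Certificate = "$($_.TlsCertificateName)"
        }
    }
    Get-ReceiveConnector | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Connector   = "Receive: $($_.Identity)"
            NextHop     = ''
            TlsEnforced = [bool]$_.RequireTLS
            TlsDetail   = $_.TlsDomainCapabilities -join ','
            Certificate = "$($_.TlsCertificateName)"
        }
    }
}

# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
function Get-OnlineConnectorTls {
    Get-InboundConnector | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Connector   = "Inbound: $($_.Name) [$($_.ConnectorType)]"
            NextHop     = $_.SenderIPAddresses -join ','
            TlsEnforced = [bool]$_.RequireTls
            TlsDetail   = "$($_.TlsSenderCertificateName)"
            Certificate = ''
        }
    }
    Get-OutboundConnector | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Connector   = "Outbound: $($_.Name) [$($_.ConnectorType)]"
            NextHop     = $_.SmartHosts -join ','
            # TlsSettings is empty when the connector only uses opportunistic TLS
            TlsEnforced = -not [string]::IsNullOrEmpty("$($_.TlsSettings)")
            TlsDetail   = "$($_.TlsSettings) $($_.TlsDomain)".Trim()
            Certificate = ''
        }
    }
}

# Connectors that would still deliver mail if TLS could not be negotiated:
# Get-OnPremConnectorTls | Where-Object { -not $_.TlsEnforced } | Format-Table -AutoSize
```

A receive connector that also accepts anonymous Internet mail normally reports `TlsEnforced` as false, so read that row together with its `TlsDetail` value instead of treating it as a finding on its own.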


Hi @Nuno Silva 

Thanks for your response - I agree that there shouldn't be any device and I am trying to figure out a way to bypass IronPort, but I am unable to do so.

Is there a way by which I can bypass IronPort, considering that traffic on the firewall for port 25 is NATed to go to IronPort first? How do I bifurcate the traffic?


@Nuno Silva wrote:

Hi @akashg88

It is not advised by Microsoft to have any device between Exchange and Office 365, but you can set up hybrid and change the Connectors, both on-premises and Online, to point to your infrastructure, but for best security you must enable TLS on those devices and on the Exchange Online and On-Premises Connectors.

@akashg88 please have a look at the following post from Cisco

https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html

Could that help you solve your issue?

Kind regards

Spiros