We help IT Professionals succeed at work.

Mail flow route through on primses spam firewall

Hi ALL
I have hybrid Office 365  with exchnage 2010 I want to use the filtering and compliance solutions that are already in my on-premises spam firewall.
Mail sent to the internet from cloud mailboxes and onprimses  must route through my on-premises spam firewall. .

please suggest me below step is correct or not.

1. MX record to my on-premises ip addresss
2.Create outgoing connector on office 365 portal  (any email to our public ip address)
3.Create receive connector on primses.
 
One more question ,later staget if i  decommision exchnage 2010 and keep only onprimses firewall and office 365, how mail flow will happend.
Comment
Watch Question

Shabarinath RamadasanInfrastructure Architect

Commented:
Hello,

In short, MX record needs to continue pointing to your onpremise IP. This will take care of the inbound emails from internet.
For Outbound mails to be routed through onpremise, you need to enable "Centralized Mail Transport" while re-running hybrid configuration wizard. This will ensure that outbound emails to internet from Office365 as well as ONpremise will get routed through the onpremise gateways.

Refer this link for more clarity.

https://docs.microsoft.com/en-us/exchange/transport-routing

Good luck
Hi shabarinath,

thank you for reply.

if I decommission onprimses exchange can I route office 365 email through onprimses spam firewall.
Network Security Engineer
Distinguished Expert 2018
Commented:
1. MX record to my on-premises ip addresss (Yes, because your firewall will act as spam filtering gateway)
2.Create outgoing connector on office 365 portal  (any email to our public ip address) Yes
3.Create receive connector on primses. Yes
 
One more question ,later staget if i  decommission exchange 2010 and keep only onprimses firewall and office 365, how mail flow will happens.

Simple,  If you send an email from office 365 it automatically sends the request to your MX records and the MX will send it to your firewall spam gateway and the gateway will deliver the email to the destined domain. ( as long you keep the outbound connector) receiving as well.

in few words if you decommission 2010, you should be fine as long you don't remove the 365 connector.