sword12 asked:

Exchange hybrid configuration question

Hi Exchange Online experts,

We have Exchange 2016 CU20 in our environment, and we are using Cisco IronPort as an email security gateway, so any email that comes from outside to inside must pass via IronPort,

and any email that goes from inside to outside must go via IronPort.

Now we are planning to configure a long-term hybrid configuration with Exchange Online, and I read that to enjoy a full long-term hybrid configuration you need to open not just port 443 on the firewall but also port 25 (and I got to know that the only supported approach is to use Microsoft Edge Transport). I am not sure about this info.

Note: we don't want to use a hybrid agent because our target is to have long-term coexistence.

So my questions:

  1. How can I reach my target by keeping IronPort as the main email security gateway while enjoying a full long-term hybrid configuration?
  2. Our firewall admin does not like to open port 25 on the firewall. Do I have to explain something special to him?

Note: we also need to use hybrid modern authentication.

Please take a look at the attached photos, and if you need any more info to answer me, please let me know.
Topics: Exchange, Exchange Hybrid

8/22/2022 - Mon
Saif Shaikh

You can have port 25 go directly to the internal Exchange server, or you can go through an Edge server, which helps you limit the inbound traffic to only the Office 365 IP address ranges listed in this official document: Office 365 URLs and IP address ranges.
As for port 443, your system needs to be reverse proxied to Office 365 so that the hybrid connection can be fully established. Office 365 needs a web services connection to your internal systems so that it can create move requests.
All outbound communication is on either port 25 or port 443. Port 80 is not used between your on-prem Exchange server and Office 365.
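The allow-listing Saif Shaikh describes (only accept SMTP on port 25 from Exchange Online's published ranges) can be applied on the IronPort or the firewall just as well as on an Edge server. Below is an added example, not from this thread or from Microsoft or Cisco: it takes an export of the Office 365 endpoint list, keeps the Exchange entries whose `tcpPorts` include 25, and checks a connecting source address against them. The JSON sample is constructed to mirror the field names of Microsoft's endpoint web service (`serviceArea`, `ips`, `tcpPorts`, `category`) and is not a real or complete copy of the ranges; `IRONPORT_PUBLIC_IP` is a placeholder for your own gateway address.

```python
"""Build an inbound-SMTP allow list for Exchange Online source ranges.

Added example for the thread above; the endpoint data below is constructed
in the shape of the Office 365 endpoint JSON, not a live or complete copy.
"""
import ipaddress
import json

# Constructed sample of endpoint records (documentation/test prefixes only).
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "ips": ["203.0.113.0/24", "2001:db8:10::/48"],
     "tcpPorts": "25,443", "category": "Allow", "required": True},
    {"id": 2, "serviceArea": "Exchange", "ips": ["198.51.100.0/25"],
     "tcpPorts": "443", "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "SharePoint", "ips": ["192.0.2.0/24"],
     "tcpPorts": "80,443", "category": "Default", "required": True},
    {"id": 4, "serviceArea": "Exchange", "urls": ["outlook.office365.com"],
     "tcpPorts": "443", "category": "Optimize", "required": True},
])


def parse_ports(spec):
    """Expand a tcpPorts string such as '25,443' or '8000-8002' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def smtp_source_networks(endpoints_json, service_area="Exchange", port=25):
    """Return the ip_network objects of entries for service_area that list `port`."""
    networks = []
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != service_area:
            continue
        if port not in parse_ports(entry.get("tcpPorts", "")):
            continue
        # URL-only entries have no "ips" key and contribute nothing here.
        for cidr in entry.get("ips", []):
            networks.append(ipaddress.ip_network(cidr, strict=True))
    return networks


def is_allowed_smtp_source(ip, networks):
    """True when the connecting address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def firewall_rule_lines(networks, dest="IRONPORT_PUBLIC_IP", port=25):
    """Render vendor-neutral allow rules; `dest` is a placeholder to replace."""
    return [f"allow tcp from {net} to {dest} port {port}" for net in networks]


if __name__ == "__main__":
    nets = smtp_source_networks(SAMPLE_ENDPOINTS_JSON)
    for line in firewall_rule_lines(nets):
        print(line)
    for probe in ("203.0.113.45", "198.51.100.10", "2001:db8:10::1"):
        print(probe, "allowed" if is_allowed_smtp_source(probe, nets) else "denied")
```

One caveat that follows from the thread itself: this allow list only fits the receive connector that accepts mail from Exchange Online. While the MX record still points at the IronPort, as in the asker's setup, port 25 on the IronPort must stay reachable from the whole internet, and the restriction belongs on the Exchange server's inbound path from the gateway instead.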

M A

> We don't want to use a hybrid agent because our target is to have long-term coexistence.

Please elaborate.

FYI: Having ADSync running and removing hybrid is an unsupported scenario, and keeping hybrid and stopping ADSync is also unsupported. You will have to stop both hybrid and ADSync for a supported method.


> 1. How can I reach my target by keeping IronPort as the main email security gateway while enjoying a full long-term hybrid configuration?

Configure port forwarding of port 25 to your IronPort and of ports 443 and 80 to your Exchange server.

> 2. Our firewall admin does not like to open port 25 on the firewall. Do I have to explain something special to him?

Without opening port 25 to IronPort you cannot receive emails from external/internet.
How do you receive email from external now?

Regarding MAUTH, please check this:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide

sword12 (ASKER)
> We don't want to use a hybrid agent because our target is to have long-term coexistence.
> Please elaborate.

As far as I know, using a hybrid agent is a workaround from Microsoft for when the customer does not want to open port 25 on the firewall, but this approach has disadvantages:
- Only supports HTTPS connections
- Does not support SMTP (Microsoft does not plan to add this)
- Not recommended for long-term hybrid; it is an option just for migrating mailboxes to the cloud

> FYI: Having ADSync running and removing hybrid is an unsupported scenario, and keeping hybrid and stopping ADSync is also unsupported. You will have to stop both hybrid and ADSync for a supported method.

I never said I want to stop ADSync. We will have the AD connector running all the time, and we need to have a long-term hybrid environment.
 
 
 
> 1. How can I reach my target by keeping IronPort as the main email security gateway while enjoying a full long-term hybrid configuration?
> Configure port forwarding of port 25 to your IronPort and of ports 443 and 80 to your Exchange server.

Thank you for this answer. I just checked our firewall and found that we already configured port 25 for our IronPort.
So we are receiving emails from outside to IronPort, and IronPort filters the emails and then sends them to our Exchange server.
So based on such a configuration, do you think we are ready to run the hybrid wizard and start the configuration?
Our IronPort has this rule on the firewall:

And our internal Exchange server has this rule on the firewall:

> 2. Our firewall admin does not like to open port 25 on the firewall. Do I have to explain something special to him?
> Without opening port 25 to IronPort you cannot receive emails from external/internet.
> How do you receive email from external now?

You are right, I was wrong; we already have port 25 open for our IronPort.

So do you think we are ready to launch the hybrid configuration wizard and do the configuration?

Because I thought having a third-party email security gateway would forbid us from doing the hybrid configuration, and that we must use Microsoft Edge.
ASKER CERTIFIED SOLUTION
M A
