asked on
Exchange hybrid configuration question
Hi exchange online experts
We have in our environment exchange 2016 cu20, and we are using Cisco Iron Port as an email security gateway so any email that will come from outside to inside must pass via Iron Port
And any email that will go from inside to outside must go via Iron Port
Now we are planning to configure a long term hybrid configuration with exchange online, and I read that to enjoy a fully hybrid long term configuration you need to open not just port 443 on the firewall also need to open port 25 ((and I got to know the only support approach to use Microsoft Edge transport)) I am not sure about this info
Note: we don’t want to use a use hybrid agent because our target to have long term coexistence
So my question
Note: we need to use also hybrid modern authentication
Please take a look at the attached photos and if you need any more info to answer me please let me know
.
We have in our environment exchange 2016 cu20, and we are using Cisco Iron Port as an email security gateway so any email that will come from outside to inside must pass via Iron Port
And any email that will go from inside to outside must go via Iron Port
Now we are planning to configure a long term hybrid configuration with exchange online, and I read that to enjoy a fully hybrid long term configuration you need to open not just port 443 on the firewall also need to open port 25 ((and I got to know the only support approach to use Microsoft Edge transport)) I am not sure about this info
Note: we don’t want to use a use hybrid agent because our target to have long term coexistence
So my question
- How can I reach my target by keep using Iron Port as the main email security gateway and enjoying full hybrid long term configuration
- Our firewall admin does not like to open port 25 on the firewall do you I have to explain to him something special
Note: we need to use also hybrid modern authentication
Please take a look at the attached photos and if you need any more info to answer me please let me know
.
Exchange* Exchange Hybrid
Last Comment
M A
-->we don’t want to use a use hybrid agent because our target to have long term coexistence
Please elaborate.
FYI: Having ADSync running and remove hybrid is unsupported scenario or keeping hybrid and stop ADSync is also unsupported. You will have to stop hybrid and ADSync to make a supported method.
https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide
Please elaborate.
FYI: Having ADSync running and remove hybrid is unsupported scenario or keeping hybrid and stop ADSync is also unsupported. You will have to stop hybrid and ADSync to make a supported method.
- How can I reach my target by keep using Iron Port as the main email security gateway and enjoying full hybrid long term configuration
Configure port forwarding port 25 to your Ironport and port 443,80 to your Exchange server. - Our firewall admin does not like to open port 25 on the firewall do you I have to explain to him something special
Without opening port 25 to Ironport you cannot receive emails from external/internet..
How do you receive email from external now.?
https://docs.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide
ASKER
We don’t want to use a use hybrid agent because our target to have long term coexistence
Please elaborate:
as I know using a hybrid agent is a workaround from Microsoft if the customer does want to open 25 ports on the firewall but this approach has disadvantages
Only supports HTTPS connections
Does not support SMTP (Microsoft does not plan to add this)
Not recommended for long term hybrid this will be an option for just migrate mailboxes to the cloud
FYI: Having ADSync running and remove hybrid is an unsupported scenario or keeping hybrid and stop ADSync is also unsupported. You will have to stop hybrid and ADSync to make a supported method:
I never said I want to stop ADSync we all the time will have AD connector running and we need to have a long term hybrid environment
Thank you for this answer I just checked our firewall and I found we already configure port 25 between our IronPort
So we are receiving emails from outside to iron ports and IronPort filter the emails then send them to our exchange server
So based on such configuration do you think we are ready to run the hybrid wizard and start the configuration ??
Our IronPort has this rule on the firewall
So our internal exchange server has this rule on the firewall
So you think we are ready to lunch the hybrid configuration wizard and do the configuration
Because I thought having third part email security gateway will forbid us to do the hybrid configuration, and we must use Microsoft Edge
Please elaborate:
as I know using a hybrid agent is a workaround from Microsoft if the customer does want to open 25 ports on the firewall but this approach has disadvantages
Only supports HTTPS connections
Does not support SMTP (Microsoft does not plan to add this)
Not recommended for long term hybrid this will be an option for just migrate mailboxes to the cloud
FYI: Having ADSync running and remove hybrid is an unsupported scenario or keeping hybrid and stop ADSync is also unsupported. You will have to stop hybrid and ADSync to make a supported method:
I never said I want to stop ADSync we all the time will have AD connector running and we need to have a long term hybrid environment
- How can I reach my target by keep using Iron Port as the main email security gateway and enjoying full hybrid long term configuration
Configure port forwarding port 25 to your Ironport and port 443,80 to your Exchange server.
Thank you for this answer I just checked our firewall and I found we already configure port 25 between our IronPort
So we are receiving emails from outside to iron ports and IronPort filter the emails then send them to our exchange server
So based on such configuration do you think we are ready to run the hybrid wizard and start the configuration ??
Our IronPort has this rule on the firewall
So our internal exchange server has this rule on the firewall
- Our firewall admin does not like to open port 25 on the firewall do you I have to explain to him something special
Without opening port 25 to Iron port you cannot receive emails from external/internet.
How do you receive email from external now.?
So you think we are ready to lunch the hybrid configuration wizard and do the configuration
Because I thought having third part email security gateway will forbid us to do the hybrid configuration, and we must use Microsoft Edge
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
As for port 443, your system needs to be reverse proxied to Office 365 so that the hybrid connection can be fully established. Office 365 needs a web services connection to your internal systems so that it can create move requests.
All outbound communication is on either port 25 or port 443. Port 80 is not used between your on-prem Exchange server and Office 365.