Hybrid configuration - separating EWS and SMTP traffic

Tech10


Urgent help is needed.

We have published EWS and SMTP on two separate pairs of Exchange 2016 mailbox servers (2 public IPs) and are using a single SAN certificate with the subject name mail.domain.com and the Autodiscover and SMTP FQDNs in the SAN. We are looking to deploy classic full hybrid.

EWS: mail.domain.com Public IP1

SMTP: smtp.domain.com Public IP2

While running HCW, what should we enter in the Organization FQDN? Is this EWS FQDN or the SMTP FQDN?

[Screenshot 2023-02-06 020933 omitted]
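Before answering the HCW Organization FQDN prompt in a split EWS/SMTP design like the one above, the check a practitioner would want is that the one SAN certificate actually covers every name involved and is the certificate bound to SMTP on the server pair that HCW will be told to use for transport. The following Exchange Management Shell script is an added example, not code from the question or any answer on this page; the server names (EXSMTP01/02, EXEWS01/02) and the three hostnames are assumptions standing in for the poster's environment.

```powershell
# Added example (not from this page): verify certificate coverage and bindings
# for a hybrid deployment where EWS and SMTP are published on separate server pairs.
# Server names and hostnames below are assumed placeholders.

$requiredNames = @('mail.domain.com', 'autodiscover.domain.com', 'smtp.domain.com')
$smtpServers   = @('EXSMTP01', 'EXSMTP02')   # assumed: the pair behind Public IP2 (port 25)
$ewsServers    = @('EXEWS01',  'EXEWS02')    # assumed: the pair behind Public IP1 (port 443)

# 1. On every server, list non-self-signed, unexpired certificates and report which of
#    the required names are NOT covered. CertificateDomains holds the subject CN plus
#    every SAN entry, so a name that only appears in the SAN is treated the same as the
#    subject name for TLS purposes; Services shows whether SMTP/IIS are bound to it.
foreach ($server in ($smtpServers + $ewsServers)) {
    $certs = Get-ExchangeCertificate -Server $server |
        Where-Object { -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) }

    foreach ($cert in $certs) {
        $covered = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
        $missing = $requiredNames | Where-Object { $covered -notcontains $_ }

        [pscustomobject]@{
            Server     = $server
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Services   = $cert.Services     # expect SMTP on the SMTP pair, IIS on the EWS pair
            Missing    = ($missing -join ', ')
            Expires    = $cert.NotAfter
        }
    }
}

# 2. The EWS pair must publish mail.domain.com for EWS and Autodiscover, since that is
#    the name HCW resolves via Autodiscover for free/busy and mailbox moves.
foreach ($server in $ewsServers) {
    Get-WebServicesVirtualDirectory -Server $server |
        Select-Object Server, ExternalUrl
    Get-ClientAccessService -Identity $server |
        Select-Object Name, AutoDiscoverServiceInternalUri
}

# 3. After HCW has run, confirm what it actually wrote: the transport servers it
#    selected, the certificate name stamped on the hybrid connectors, and the on-prem
#    smart host that Exchange Online will deliver to (this should be the SMTP FQDN).
Get-HybridConfiguration |
    Select-Object SendingTransportServers, ReceivingTransportServers,
                  TlsCertificateName, OnPremisesSmartHost, Domains

Get-SendConnector |
    Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    Select-Object Name, SourceTransportServers, TlsCertificateName, SmartHosts, TlsDomain
```

Run steps 1 and 2 before launching HCW and step 3 afterwards; if OnPremisesSmartHost or the connector's TlsCertificateName does not match the SMTP FQDN and the SAN certificate you intended, that is the point at which to correct the Exchange Online outbound connector rather than re-running the whole wizard.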


Microsoft Exchange Hybrid Management

  1. Tech10

    Thank you. Splitting EWS and SMTP is a security requirement. I would prefer the same as you mentioned. Is the SMTP FQDN in the SAN of the cert fine, or is it required to be in the subject name?


  2. Andy David - MVP

  3. Tech10

    Based on your comment, is the below process correct? Appreciate it if you can glance through and advise.

    SSL Cert:

    Subject: domain.com

    SAN: mail.domain.com, autodiscover.domain.com, smtp.domain.com

    My assumption here is that HCW will do Autodiscover by itself to discover the mail.domain.com FQDN. We just pick separate servers for SMTP and the cert, and use smtp.domain.com when it prompts for the Organization FQDN. We don't need to mention mail.domain.com at any stage during the HCW setup.

    The reason I am running through this process is to ensure that the HCW will set this environment up correctly, especially the other things it does such as shared domain namespace, federation, Modern Auth, etc. I am wondering whether I need to use mail.domain.com with HCW and change the smart host in O365 once it has run, or follow the above.

    Which one will be the right approach?

    Please advise.

  4. Tech10

    The Autodiscover URL points to public IP1 (the same as EWS).

    I really appreciate your time looking into the scenario. Please let me know whether the rest of the configuration done by HCW (full classic hybrid), such as federation, Modern Auth, etc., uses the Organization FQDN in the wizard that I plan to specify, which is smtp.domain.com. It only has port 25 open, while mail.domain.com has 443.