This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 51%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECA%3C/text%3E%3C/svg%3E)
We have implemented OWA access to an Exchange 2013 server on-premise using Azure AD Application Proxy \ conditional access to check the box for MFA access. However, if we disable our firewall rules for outside to inside access for our Exchange server, we break outlook anywhere and active sync. Has anyone found a way to implement outlook anywhere and ActiveSync through azure application proxy so we can fully remove our outside access rule on our firewall to exchange?
I have seen some older articles state Microsoft does not support this, but people have found a way to do it. There is no documentation on how it was done. Also, maybe Microsoft has found a supported way to do this since other people have asked.
Hello @Cochran, Adam ,
Thanks for reaching out.
Publishing OWA is the only supported Exchange scenario with Azure AD application proxy (Therefore outlook Anywhere and ActiveSync methods through AAD Proxy is not recommended).
Here is similar thread for your reference: https://learn.microsoft.com/en-us/answers/questions/397944/index.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 40%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Can you direct me to any official documentation from Microsoft regarding Exchange on-premises and securing access through Azure App Proxy? Specifically, I am trying to use Hybrid Modern Authentication (HMA) to secure Exchange on-premises. Much of the documentation out there states how to setup HMA but not how to expose the secure environment to end users. In my lab with Exchange 2016, I use Azure App Proxy exclusively and have port 443 completely blocked. I am able to get Outlook and Outlook Mobile to connect securely, or so it seems. It is difficult to know what I should be recommending to clients when there seems to be missing pieces in the HMA guidelines/architecture. For example, here is the guide for enabling HMA: https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide. The only reference that traffic should be NAT'ed through a firewall is the listing of 2 IP ranges towards the bottom of the article. If I am using Azure App Proxy for OWA, and allowing port 443 through my firewall, what is to keep a threat actor from typing https://1.2.3.4/owa and bypassing the Azure App Proxy protection for OWA? Is there a way to split up the name spaces or put exchange services on different public IP addresses that would provide protection?