Mail is getting queued in MS Edge Transport Server 2016 | Hybrid Exchange 2016

Al Amran 326 Reputation points
2022-01-13T06:29:13.553+00:00

We have 3 Exchange 2016 Mailbox servers and 1 Edge server. Our MX is pointed to a Cisco ESA email device.
Mail first hits the Cisco ESA antispam device, then goes to the Edge, then the CAS.

Now I have the SSL certificate and installed it on all my Exchange servers only, ran the Hybrid Configuration Wizard, and at the last step, where it asks for the FQDN address, I input edge.xyz.com (Edge) / the public IP of the Edge. Please be noted, our MX is pointed to our Cisco ESA device.

Before the hybrid configuration, the Edge subscription was configured and the synchronization state was successful. Then we configured Exchange hybrid mail flow through the Edge Transport server.
Allowed ports:

  1. Only TCP/25 port is allowed between Edge(source server) to Global(destination as Internet) for outbound mail transport.
  2. Only TCP/25 port is allowed between Global(source) to Edge(destination server) for inbound mail transport.

Test Mail Flow:

  1. Mail transport from Exchange Online to Edge server is working fine.
  2. Mail transport from on-premises Edge to Exchange Online is not working. Mail is getting queued in the Edge Transport Server.

This is where we are stuck. Would be great if someone could guide me a little.

Troubleshooting Purpose:

After the hybrid configuration, I installed the public SSL certificate on the Edge server. Do I need to assign any service to the public SSL certificate on the Edge Transport server?

Queries:

  1. The Edge servers already had a certificate with that same public Edge endpoint name (edge.example.com), and this FQDN is published in public DNS. Please be noted that the Edge server computer name is edge; won't that be a clash?
  2. Are there any additional steps to be performed on the Edge Transport server, like Edge sync?
  3. Is any other port required to be allowed from the Edge Transport server to the Internet? Any reference link would be helpful.

Thanks
Amran


2 answers

  1. Michel de Rooij 1,536 Reputation points MVP
    2022-01-13T18:03:50.287+00:00

    1) Have you disabled the Mailguard feature (SMTP inspection) on the Cisco device?
    It strips certain SMTP verbs from the stream, which prevents setup of a successful SMTP TLS handshake.
    2) Have you checked with Telnet/PuTTY whether port 25 is blocked outbound? Some ISPs - mostly consumer ones - block 25 outbound as a means to prevent potential spamming.


  2. KyleXu-MSFT 26,256 Reputation points
    2022-01-14T06:19:03.513+00:00

    @Al Amran

    I have input the edge.xyz.com (Edge) / Public IP of Edge. Please be noted, our MX is pointed to our Cisco ESA device.

    From the picture below, we can know that the FQDN is used to send emails from Exchange Online to Exchange on-premises. So, this isn't an issue:
    [image: 165043-qa-kyle-13-57-37.png]

    The Edge servers already had a certificate with that same public Edge endpoint name (edge.example.com), and this FQDN is published in public DNS. Please be noted that the Edge server computer name is edge; won't that be a clash?

    For the Edge server, it just needs to use the default self-signed certificate.

    Are there any additional steps to be performed on the Edge Transport server, like Edge sync?

    Microsoft says, "Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic."

    So, make sure the email is sent from Exchange on-premises to Exchange Online directly. Don't use the Cisco ESA antispam device for outbound emails from Exchange on-premises to Exchange Online.

    I would suggest you remove the Cisco ESA antispam device and make sure the hybrid mail flow works first. Then create new customized connectors for the Cisco ESA antispam device.

    Is any other port required to be allowed from the Edge Transport server to the Internet? Any reference link would be helpful.

    It seems OK.
    [image: 164988-qa-kyle-14-11-48.png]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

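Both answers come down to the same check: does the Edge server reach the hybrid smart host on TCP 25, and is STARTTLS still offered after EHLO, or has an inline inspection device removed it? The script below is an added example for that check, not code from the thread or from Microsoft; the target host and HELO name are placeholders to be taken from the Edge server's own Send connector and certificate.

```powershell
# Added example: probe outbound SMTP from the Edge Transport server and report
# whether STARTTLS is advertised after EHLO. -Target and -HeloName are placeholders.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)] [string]$Target,
        [int]$Port = 25,
        [string]$HeloName = 'edge.example.com',   # placeholder: use the Edge FQDN
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($Target, $Port, $null, $null)
    if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        # No TCP connection at all: port 25 is filtered somewhere on the path
        $client.Close()
        return [pscustomobject]@{ Target = $Target; Connected = $false; Banner = $null
                                  StartTls = $false; Masked = $false; Verbs = @() }
    }
    $client.EndConnect($ar)
    $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Read one SMTP reply; continuation lines are "250-", the final line is "250 "
    function Read-Reply {
        $lines = @()
        do { $l = $reader.ReadLine(); $lines += $l } while ($l -match '^\d{3}-')
        return $lines
    }

    $banner = Read-Reply
    $writer.WriteLine("EHLO $HeloName")
    $ehlo = Read-Reply
    $writer.WriteLine('QUIT'); $client.Close()

    # First keyword of each EHLO line is the advertised extension (STARTTLS, SIZE, ...)
    $verbs = $ehlo | ForEach-Object { ($_ -replace '^\d{3}[- ]', '').Split(' ')[0] }
    [pscustomobject]@{
        Target    = $Target
        Connected = $true
        Banner    = ($banner -join ' ')
        StartTls  = [bool]($verbs -contains 'STARTTLS')
        # A banner rewritten to runs of asterisks is the usual footprint of an
        # inline SMTP inspection feature sitting between the two hosts
        Masked    = [bool](($banner -join '') -match '\*{5,}')
        Verbs     = $verbs
    }
}

# Usage on the Edge server (Exchange Management Shell):
# Get-Queue | ? { $_.MessageCount -gt 0 } | fl Identity,NextHopDomain,Status,LastError
# Test-SmtpStartTls -Target ((Get-SendConnector 'Outbound to Office 365*').SmartHosts[0].Domain)
```

Connected=false points at the firewall rule or ISP block from the second answer; Connected=true with StartTls=false or Masked=true points at the inspection feature from the first. The Send connector name in the usage line is an assumption; take the real one from Get-SendConnector.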

