Exchange hybrid ports

fsdg 1,006 Reputation points
2022-03-22T15:36:17.803+00:00

Hello,
Current environment:
Exchange 2016 DAG (2 nodes) and 3rd-party anti-spam in DMZ.
We need to configure hybrid and migrate a couple of mailboxes to O365.
I can see that 3rd party anti-spam is not supported between Office 365 and Exchange on-premises in hybrid deployment.
https://learn.microsoft.com/en-us/exchange/transport-routing
“Don’t put it between Office 365 and Exchange on-premises in hybrid deployment, because the mail flow between them in hybrid deployment is considered as internal, this configuration will cause mail flow issue. Microsoft does not support any third-party SMTP gateways between EOP and the on-premises hybrid connectors; the only supported device is an Exchange Edge Transport server.”
https://community.spiceworks.com/topic/2266268-how-to-receive-email-in-hybrid-exchange-with-spam-filter-on-premise

So, I need to open ports from domain Exchange directly to O365 addresses (is this secure?)
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
and then configure hybrid?


Accepted answer
  1. Andy David - MVP 145.6K Reputation points MVP
    2022-03-22T15:39:06.477+00:00

    Correct (or use an Exchange Edge role)
    It's only open to Exchange Online IPs and secured with certificates. Many tens of thousands have done it, I think it's secure, yes :)

    1 person found this answer helpful.

1 additional answer

  1. KyleXu-MSFT 26,246 Reputation points
    2022-03-23T06:17:08.463+00:00

    @fsdg

    As AndyDavid said, use an Edge server to replace the existing anti-spam tools, and only open the needed ports.

    For mail flow security, you could point the MX record to Exchange Online and use EOP to filter emails for your organization.




    1 person found this answer helpful.
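
The restriction both answers describe (SMTP open only to Exchange Online IPs, only the needed ports), as an added example that is not part of the original thread: it derives a TCP/25 source allowlist from data in the JSON shape published by the Microsoft 365 IP Address and URL web service and checks connecting addresses against it. The feed contents, the function names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 endpoints feed
# (fields: id, serviceArea, ips, urls, tcpPorts). The ranges are RFC 5737 /
# RFC 3849 documentation prefixes, NOT real Exchange Online addresses.
SAMPLE_FEED = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "tcpPorts": "80,443",
   "ips": ["192.0.2.0/25"]},
  {"id": 2, "serviceArea": "Exchange", "tcpPorts": "25",
   "ips": ["198.51.100.0/25", "198.51.100.128/25", "2001:db8:25::/48"]},
  {"id": 3, "serviceArea": "Exchange", "tcpPorts": "587",
   "urls": ["smtp.example.invalid"]},
  {"id": 4, "serviceArea": "Skype", "tcpPorts": "25,443",
   "ips": ["203.0.113.0/24"]}
]
""")

def smtp_allowlist(feed, service_area="Exchange", port=25):
    """Return collapsed networks for entries of one service area that list `port`."""
    nets = []
    for entry in feed:
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",")}
        if entry.get("serviceArea") != service_area or str(port) not in ports:
            continue
        # Entries that carry only URLs have no "ips" key and add nothing.
        nets += [ipaddress.ip_network(cidr) for cidr in entry.get("ips", [])]
    # collapse_addresses() rejects mixed IP versions, so merge per version.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def is_allowed(source_ip, allowlist):
    """True if a connecting address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in allowlist)

if __name__ == "__main__":
    allow = smtp_allowlist(SAMPLE_FEED)
    print("Permit inbound TCP/25 only from:", ", ".join(map(str, allow)))
    for src in ("198.51.100.200", "203.0.113.9", "192.0.2.10"):
        print(src, "->", "permit" if is_allowed(src, allow) else "deny")
```

Because the published ranges change over time, an allowlist built this way needs to be regenerated whenever the feed is updated.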