Correct (or use an Exchange Edge role)
It's only open to Exchange Online IPs and secured with certificates. Many tens of thousands have done it, I think it's secure, yes :)
Exchange hybrid ports
Hello,
Current environment:
Exchange 2016 DAG (2 nodes) and 3rd party anti-spam in DMZ.
We need to configure hybrid and migrate a couple of mailboxes to O365.
I can see that 3rd party anti-spam is not supported between Office 365 and Exchange on-premises in a hybrid deployment.
https://learn.microsoft.com/en-us/exchange/transport-routing
„Don’t put it between Office 365 and Exchange on-premises in hybrid deployment, because the mail flow between them in hybrid deployment is considered as internal, this configuration will cause mail flow issue. Microsoft does not support any third-party SMTP gateways between EOP and the on-premises hybrid connectors; the only supported device is an Exchange Edge Transport server.“
https://community.spiceworks.com/topic/2266268-how-to-receive-email-in-hybrid-exchange-with-spam-filter-on-premise
So, I need to open ports from domain Exchange directly to O365 addresses (is this secure?)
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
and then configure hybrid?
-
Andy David - MVP 151.1K Reputation points MVP
2022-03-22T15:39:06.477+00:00
-
KyleXu-MSFT 26,291 Reputation points
2022-03-23T06:17:08.463+00:00
As AndyDavid said, use an Edge server to replace the existing anti-spam tools, and only open the needed ports.
For mail flow security, you could point the MX record to Exchange Online and use EOP to filter emails for your organization.
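An added example, not part of the thread and not Microsoft's code: one way to check that the inbound allow rules opened for hybrid mail flow are scoped to the published Exchange Online ranges, as the accepted answer describes. The endpoint entries mimic the JSON shape of the Office 365 IP Address and URL web service; the rule format, rule names and all addresses are constructed, and ports are assumed to be comma-separated single values.

```python
import ipaddress
import json

# Constructed sample in the shape of the Office 365 IP Address and URL web
# service output. The ranges are documentation prefixes, not Microsoft's.
SAMPLE_ENDPOINTS = json.loads("""
[
  {"id": 1, "serviceArea": "Exchange", "ips": ["192.0.2.0/24", "2001:db8:10::/48"], "tcpPorts": "25"},
  {"id": 2, "serviceArea": "Exchange", "ips": ["198.51.100.0/25"], "tcpPorts": "80,443"},
  {"id": 3, "serviceArea": "Skype", "ips": ["203.0.113.0/24"], "tcpPorts": "443"}
]
""")

# Constructed allow rules for inbound traffic to the on-premises Exchange servers
# (hypothetical rule format: name, source CIDR, destination TCP port).
SAMPLE_RULES = [
    {"name": "eop-smtp-a", "source": "192.0.2.0/25", "port": 25},
    {"name": "eop-smtp-v6", "source": "2001:db8:10:1::/64", "port": 25},
    {"name": "legacy-any-smtp", "source": "0.0.0.0/0", "port": 25},
    {"name": "wrong-range", "source": "198.51.100.0/25", "port": 25},
    {"name": "ews-https", "source": "198.51.100.0/25", "port": 443},
]

def service_ranges(endpoints, service_area, port):
    """Return the networks the service publishes for the given TCP port."""
    nets = []
    for entry in endpoints:
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",")}
        if entry.get("serviceArea") == service_area and str(port) in ports:
            nets += [ipaddress.ip_network(ip) for ip in entry.get("ips", [])]
    return nets

def overbroad_rules(rules, endpoints, service_area="Exchange"):
    """Names of allow rules whose source is not inside a published range for that port."""
    flagged = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        allowed = service_ranges(endpoints, service_area, rule["port"])
        # Compare only same-family networks; subnet_of raises on mixed versions.
        covered = any(src.version == net.version and src.subnet_of(net) for net in allowed)
        if not covered:
            flagged.append(rule["name"])
    return flagged

if __name__ == "__main__":
    for name in overbroad_rules(SAMPLE_RULES, SAMPLE_ENDPOINTS):
        print("source wider than published Exchange Online ranges:", name)
```

Note that a rule matching a range published for a different port (here `wrong-range`) is flagged as well, since the published ranges differ per port.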