Exchange hybrid ports

fsdg 986 Reputation points
2022-03-22T15:36:17.803+00:00

Hello,
Current environment:
Exchange 2016 DAG(2 NOD) and 3rd party anti-spam in DMZ.
We need to configure hybrid and migrate couple of mailboxes to O365.
I can see that 3rd party anti-spam is not supported between Office 365 and Exchange on-premises in hybrid deployment.
https://learn.microsoft.com/en-us/exchange/transport-routing
„Don’t put it between Office 365 and Exchange on-premises in hybrid deployment, because the mail flow between them in hybrid deployment is considered as internal, this configuration will cause mail flow issue. Microsoft does not support any third-party SMTP gateways between EOP and the on-premises hybrid connectors; the only supported device is an Exchange Edge Transport server.“
https://community.spiceworks.com/topic/2266268-how-to-receive-email-in-hybrid-exchange-with-spam-filter-on-premise

So,I need to open ports from domain Exchange directly to O365 addreses(is this secure?)
https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
and than configure hybrid?

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,394 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
1,918 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andy David - MVP 142.8K Reputation points MVP
    2022-03-22T15:39:06.477+00:00

    Correct ( or use an Exchange Edge role)
    Its only open to Exchange Online IPs and secured with certificates. Many tens of thousands have done it, I think its secure, yes :)

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. KyleXu-MSFT 26,211 Reputation points
    2022-03-23T06:17:08.463+00:00

    @fsdg

    As AndyDavid said, use Edge server to replace the existing anti-spam tools, only open needed ports.

    For mail flow security, you could point MX record to Exchange online and use EOP to filter emails for your organization.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


    1 person found this answer helpful.
    0 comments No comments