This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 85%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMW%3C/text%3E%3C/svg%3E)
I have exchange hybrid environment and currently the mailflow (MX) point to the on-premise email gateway.
I would like to configure firewall between exchange on-premise and online for mailflow to work. Should I allow firewall port 25 incoming from EOP to Exchange server or to the email gateway will do?
Thanks.
For hybrid you need port 25 to the Exchange Server directly or the Exchange Edge Role from Exchange Online
https://learn.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites#hybrid-deployment-protocols-ports-and-endpoints
https://learn.microsoft.com/en-us/exchange/transport-routing
Hi Andy,
Sorry I was still having some doubts after reading the articles that you provided.
So if I have a requirement to keep incoming mail flow from internet to route through my on-premise email gateway as below:
Internet >> Email gateway >> On-premise Exchange server
In this case, I assume the email that is sending to a cloud mailbox will be routed as following:
Internet >> Email gateway >> On-premise Exchange server >> Exchange online (Using the connector configured by HCW)
If above is correct, meaning that I have to configure the outbound firewall connection of port 25 from my Exchange servers to Office 365? How about the incoming from Office 365 to my on-premise Exchange server? Are they routing through my email gateway and then to my on-premise Exchange server? For example:
Email from Exchange Online >> Email gateway >> On-premise Exchange server
Or
Email from Exchange Online >> Connector >> On-premise Exchange server
Shall EOP delivers email directly to my Exchange server even though my on-premise Exchange servers do not have any public IP map to it and incoming port 25 is only allowed from the on-premise Email Gateway?
Yes - you need to do this:
Email from Exchange Online >> Connector >> On-premise Exchange server
and
On-premise Exchange server >> Connector >>Email from Exchange Online
In order for this to work in hybrid, you need to allow port 25 to and from your on-prem Exch Servers to Exchange Online to be supported.( Opening ports ONLY to those listed IPs in that article)
Its secured with a certificate.
https://learn.microsoft.com/en-us/exchange/transport-options#trusted-communication
Meaning I have to get another public IP for my Exchange servers or I can just utilize my mail.domain.com which point to my load balancer >> Exchange servers and then allow port 25 incoming from EOP IPs only?
You can use the existing public IP, yes and point that to the load balancer on port 25 . As long as Exchange Online can communicate directly with an Exchange Server, you are good.
( Don't forget 443 is needed as well for hybrid! )
Hi Andy,
So given that my existing infrastructure is as below:
With above, in order to make hybrid mail flow works, I have to enable incoming port 25 to the Exchange servers directly either assigning another public IP and NAT to one of my Exchange server & allow port 25, or allow port 25 access in my load balancer.
If I decided to route traffic through SMTP email gateway since I already allowed port 25 on it, can I just enter smtp.domain.com when configuring the HCW?
The Organization FQDN in HCW is used for creating outbound connector. So, you need to use MX record in it.
As said in the first post, "Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic." . You need to make sure Exchange online send emails to your Exchange on-premises directly.