I am in the design stage of Exchange Hybrid and have been looking at two Exchange Hybrid models (Full Classic and Modern Hybrid). Due to the current limitations with the Modern Hybrid Agent (especially Teams calendaring not working for on-premises mailboxes), I think we will need to implement the Full Classic Hybrid.
I understand that a direct incoming connection over port 443 is required from Exchange Online endpoint IP addresses to our internal Exchange servers on our internal network. This is not something we normally allow due to security; however, I can't seem to find anything online where anyone questions this or has any security concerns over it.
Could a reverse proxy be put in place on the DMZ to handle the incoming traffic first, which is then passed on to the internal Exchange servers? Would this cause any issues?
Does anyone have any advice over security concerns for this?