Hardware and software requirements for SharePoint hybrid

APPLIES TO: 2013, 2016, 2019, Subscription Edition, SharePoint in Microsoft 365

This article describes the prerequisites that are required to deploy a SharePoint hybrid solution between SharePoint Server and SharePoint in Microsoft 365 for enterprises.

Hardware and software requirements

Certificate requirements

The Hybrid Configuration Wizard uses the default STS certificate in the SharePoint farm to establish the token-signing trust when configuring hybrid workloads. Using the built-in STS certificate is the recommended approach when configuring hybrid workloads. If, however, you intend to use a publicly signed certificate instead of the built-in STS certificate, you must replace the built-in certificate with your own by following the provided guidance.

For more information, see Replace the STS certificate.

Inbound connectivity requirements

The following hybrid solutions require inbound connectivity from Microsoft 365 to SharePoint Server:

  • Inbound hybrid search (displaying search results from SharePoint Server in Microsoft 365)

  • Hybrid Business Connectivity Services

  • Hybrid Duet Enterprise Online for Microsoft SharePoint in Microsoft 365 and SAP

For each of these hybrid solutions, the requirements in the following sections apply.

Additional hardware requirements

Inbound connectivity requires the following:

  • A reverse proxy device. The reverse proxy device provides a secure endpoint for inbound traffic using SSL encryption and client certificate authentication.

  • An Internet domain (such as https://adventureworks.com) and the permission to create or edit DNS records for that domain.

    Note

    This public domain must be registered by using a domain registrar, such as GoDaddy.com, and must be the same domain that the URL of the external endpoint of the reverse proxy device is associated with.

Certificate requirements

This section describes the certificates you'll need to configure inbound connectivity from Microsoft 365 to SharePoint Server.

About the Secure Channel SSL certificate

This certificate provides authentication and encryption between the reverse proxy device and Microsoft 365. It must be either a wildcard or a SAN certificate and be issued by a public root certification authority. For more info, see About Secure Channel SSL certificates and Get a Secure Channel SSL certificate.
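The following added example (not part of the original article or of any Microsoft tooling) is a pre-flight check of a candidate Secure Channel SSL certificate against the requirements above: wildcard or SAN, covering the reverse proxy's external host name, and chaining to a root the local machine trusts. It assumes Windows PowerShell 5.1; the function name, the host name `spexternal.adventureworks.com`, and the throwaway self-signed certificate are constructed for illustration, and the local trusted-root store is used as a stand-in for "public root certification authority".

```powershell
# Added example: pre-flight check of a candidate Secure Channel SSL certificate.
function Test-SecureChannelCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExternalHost  # host of the reverse proxy's external URL
    )
    # Collect the subject CN plus DNS names from the SAN extension (OID 2.5.29.17).
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($names | Select-Object -Unique)

    # A wildcard covers exactly one label: *.example.com matches a.example.com only.
    $covers = $false
    foreach ($n in $names) {
        $wildcardMatch = $n.StartsWith('*.') -and $ExternalHost.Contains('.') -and
            ($ExternalHost.Substring($ExternalHost.IndexOf('.')) -eq $n.Substring(1))
        if (($n -eq $ExternalHost) -or $wildcardMatch) { $covers = $true }
    }

    # Build the chain against the local trusted-root store (assumption: stands in for a public CA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    $trusted = $chain.Build($Certificate)

    [pscustomobject]@{
        DnsNames            = $names
        WildcardOrSan       = ([bool]$san -or [bool]($names | Where-Object { $_.StartsWith('*.') }))
        CoversExternalHost  = $covers
        SelfSigned          = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainsToTrustedRoot = $trusted
        Expired             = ($Certificate.NotAfter -lt (Get-Date))
    }
}

# Constructed sample: a throwaway self-signed certificate for a placeholder domain.
$demo = New-SelfSignedCertificate -DnsName '*.adventureworks.com', 'adventureworks.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
Test-SecureChannelCertificate -Certificate $demo -ExternalHost 'spexternal.adventureworks.com'
Remove-Item -Path "Cert:\CurrentUser\My\$($demo.Thumbprint)"   # clean up the sample
```

The sample certificate is flagged as `SelfSigned`, which rules it out as a Secure Channel certificate; run the function against the real candidate certificate before binding it to the reverse proxy endpoint.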

About the on-premises SharePoint SSL certificate

If you configure your primary web application (the web application on the on-premises SharePoint farm that's configured for hybrid) to use SSL, you'll have to bind an SSL certificate to it.

If this web application already exists and is configured for SSL, you're ready to go. Otherwise, you have to either obtain or create a certificate for this purpose. For production environments, this certificate should be issued by a public certification authority (CA). For test and development environments, it can be a self-signed certificate.

For more info, see Plan SSL certificates.

Supported reverse proxy devices

The following table lists the currently supported reverse proxy devices for SharePoint Server hybrid deployments. This list will be updated as new devices are tested for supportability.

| Supported reverse proxy devices | Configuration article | More information |
| --- | --- | --- |
| Windows Server 2012 R2 with Web Application Proxy (WA-P) | Configure Web Application Proxy for a hybrid environment | Web Application Proxy (WA-P) is a Remote Access service in Windows Server 2012 R2 that publishes web applications that users can interact with from many devices. Important: To use Web Application Proxy as a reverse proxy device in a hybrid SharePoint Server environment, you must also deploy AD FS in Windows Server 2012 R2. Earlier versions of Windows don't support Web Application Proxy. |
| Forefront Threat Management Gateway (TMG) 2010 | Configure Forefront TMG for a hybrid environment | Forefront TMG 2010 is a comprehensive, secure, web gateway solution that provides secure reverse proxy functionality. Note that Forefront TMG 2010 is no longer sold by Microsoft but will be supported through 4/14/2020. For more information, see Microsoft Support Lifecycle information for Forefront TMG 2010. |
| F5 BIG-IP | Enabling SharePoint 2013 Hybrid Search with the BIG-IP | This is external content that's managed by F5 Networks. |

General reverse proxy requirements

In a hybrid SharePoint Server scenario, the reverse proxy must be able to:

  • Support client certificate authentication with a wildcard or SAN SSL certificate.

  • Support pass-through authentication for OAuth 2.0, including unlimited OAuth bearer token transactions.

  • Accept unsolicited inbound traffic on TCP port 443 (HTTPS).

    Tip

    No ports other than TCP 443 have to be opened on the external reverse proxy endpoint to support hybrid connectivity.

  • Bind a wildcard or SAN SSL certificate to a published endpoint.

  • Relay traffic to an on-premises SharePoint Server farm or load balancer without rewriting any packet headers.

For an overview of reverse proxy devices in a SharePoint hybrid topology, see Configure a reverse proxy device for SharePoint Server hybrid.