0 Votes
fsdg-2871 asked, emilyhua-msft edited

Hybrid exchange FW rules

Hello,

Question about hybrid environment ports.

Is this the list of ports and IP addresses needed to open for on-prem<-->o365 hybrid environment?:

https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide

443,25 on-prem ports only to O365 IP addresses?

Questions:

Do these O365 addresses change frequently?

Is there an easy way to make these rules on the firewall?

Someone mentioned a JSON list to import into the FW:

https://forum.opnsense.org/index.php?topic=19472.0

These ports must be opened from on-prem Exchange to O365 because:

"on premise Email Security Appliance integration with O365 is not supported."

https://www.sonicwall.com/support/knowledge-base/on-premise-email-security-appliance-and-office365/180807124206957/

So, mail flow between O365 and on-prem Exchange must bypass anti-spam because it is not supported by Microsoft?

Any advice about O365<-->on-prem exchange ports needed to be open for hybrid environment?

Thank you


1 Vote
LucasLiu-MSFT answered

Hi @fsdg-2871 ,
1. Yes, these are the URLs and IPs required by Office 365, so they also include the ports and URLs that Office 365 needs opened in hybrid deployments.

2. Based on past experience, these URLs and IPs do not change frequently. The official article states: "Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active."

3. Since we focus on general Exchange issues here, for how to configure these URLs and IP addresses in the firewall I suggest you consult your firewall team or vendor for more specialised guidance.

4. The mail flow between Office 365 and on-premises Exchange bypasses anti-spam by default, because in a hybrid environment the mail flow between Office 365 and on-premises Exchange is treated as internal transmission, so it does not go through anti-spam. According to the official article: "Don't place any servers, services, or devices between your on-premises Exchange servers and Microsoft 365 or Office 365 that process or modify SMTP traffic."
For more information: Transport routing in Exchange hybrid deployments

5. For the ports that need to be opened for a hybrid environment, please refer to: Hybrid deployment protocols, ports, and endpoints
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

1 Vote
AndyDavid answered, AndyDavid edited

It does not change frequently. In fact, when it does change, they typically add IP ranges rather than remove them, so I would go with that list and not worry about it :)

You can see from the change log how often it's updated:

https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

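The question asks whether the endpoint JSON can be turned into firewall rules, and the answer above points at the change log to see how often the ranges move. The script below is an added example from the editor, not code from the thread or from Microsoft: it parses a snapshot in the shape of the Office 365 endpoints web service (the live feed is served from https://endpoints.office.com/endpoints/worldwide, or the `China` instance for 21Vianet, and needs a `clientrequestid` GUID), keeps only the `required` Exchange entries on TCP 25 and 443, validates every prefix, renders iptables allow rules, and diffs two snapshots so an unexpected removal or addition is visible before the rules change. The two snapshots are constructed sample data using documentation address ranges, not real Microsoft ranges.

```python
"""Firewall allow-list generation and change detection for Exchange hybrid
mail flow, driven by Office 365 endpoints web service JSON.

Added example (editor's own code, not from the thread). The field names
(serviceArea, ips, tcpPorts, required, category) follow the documented
shape of the endpoints web service; the records below are constructed
sample data, not real Microsoft address ranges.
"""
import ipaddress
import json

# Constructed snapshot 1: two Exchange entries (one required, one optional)
# and one SharePoint entry that a mail-flow rule set must ignore.
SNAPSHOT_V1 = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["192.0.2.0/24", "2001:db8:10::/48"], "tcpPorts": "25,443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Default", "required": False,
     "ips": ["198.51.100.0/25"], "tcpPorts": "443"},
    {"id": 3, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "ips": ["203.0.113.0/24"], "tcpPorts": "80,443"},
])
# Constructed snapshot 2: Microsoft-style monthly update that adds one range.
SNAPSHOT_V2 = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["192.0.2.0/24", "198.51.100.128/25", "2001:db8:10::/48"],
     "tcpPorts": "25,443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Default", "required": False,
     "ips": ["198.51.100.0/25"], "tcpPorts": "443"},
    {"id": 3, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "ips": ["203.0.113.0/24"], "tcpPorts": "80,443"},
])


def _ports(spec):
    """Expand a tcpPorts string such as "25,443" or "80-81,443" into a set of ints."""
    ports = set()
    for part in (spec or "").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def hybrid_networks(snapshot_json, service_area="Exchange", include_optional=False):
    """Return {CIDR: set of TCP ports} for the entries the hybrid mail path needs.

    Only `required` entries are kept unless include_optional is set. Each
    prefix is validated with ipaddress (strict=True) so a malformed feed
    raises instead of silently producing a wider or narrower rule.
    """
    nets = {}
    for entry in json.loads(snapshot_json):
        if entry.get("serviceArea") != service_area:
            continue
        if not entry.get("required", False) and not include_optional:
            continue
        ports = _ports(entry.get("tcpPorts"))
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=True)
            nets.setdefault(str(net), set()).update(ports)
    return nets


def hybrid_rules(snapshot_json, ports=(25, 443), **kw):
    """Flatten hybrid_networks() into sorted (cidr, port) pairs for the chosen ports."""
    rules = []
    for cidr, tcp in hybrid_networks(snapshot_json, **kw).items():
        net = ipaddress.ip_network(cidr)
        for port in ports:
            if port in tcp:
                rules.append((net, port))
    # IPv4 and IPv6 networks are not mutually comparable, so sort by family first.
    rules.sort(key=lambda r: (r[0].version, r[0], r[1]))
    return [(str(net), port) for net, port in rules]


def diff_snapshots(old_json, new_json, **kw):
    """Return (added, removed) prefix lists between two snapshots of the feed."""
    old = set(hybrid_networks(old_json, **kw))
    new = set(hybrid_networks(new_json, **kw))
    return sorted(new - old), sorted(old - new)


def to_iptables(rules, chain="OUTPUT"):
    """Render rules as iptables/ip6tables commands.

    OUTPUT matches the O365 range as destination (on-prem -> O365);
    INPUT matches it as source (O365 -> on-prem) with the local port as --dport.
    """
    flag = "-d" if chain == "OUTPUT" else "-s"
    lines = []
    for cidr, port in rules:
        tool = "ip6tables" if ":" in cidr else "iptables"
        lines.append(f"{tool} -A {chain} -p tcp {flag} {cidr} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for line in to_iptables(hybrid_rules(SNAPSHOT_V2)):
        print(line)
    added, removed = diff_snapshots(SNAPSHOT_V1, SNAPSHOT_V2)
    print("added:", added, "removed:", removed)
```

Running it against the live feed only means swapping the embedded snapshots for the fetched JSON; keeping the previous month's snapshot on disk and alerting on a non-empty `removed` list is the cheap way to catch the rare case the answer above says almost never happens.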