question

MatthewRidley-8427 avatar image
0 Votes"
MatthewRidley-8427 asked JayceYang-MSFT edited

Exchange Full Classic Hybrid and reverse proxy

Hi,

I am in the design stage of Exchange Hybrid and have been looking at two Exchange Hybrid models (Full Classic and Modern Hybrid). Due to the current limitations with the Modern Hybrid Agent (Especially Teams calendaring not working for on-premises mailboxes) I think we will need to implement the Full Classic Hybrid.

I understand that a direct incoming connection over port 443 is required from Exchange online endpoint IP addresses to our Internal Exchange servers on our Internal network. This is not something we normally allow due to security, however I can't seem to find anything online where anyone questions this or has any security concerns over it.

Could a reverse proxy can be put in place on the DMZ to handle the incoming traffic first which is then passed on to the Internal Exchange servers? Would this cause any issues?

Does anyone have any advice over security concerns for this?

Regards

office-teams-windows-itprooffice-exchange-server-connectivityoffice-exchange-hybrid-itprooffice-exchange-server-itpro
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

3 Answers

AndyDavid avatar image
0 Votes"
AndyDavid answered KyleXu-MSFT commented

You can certainly do that, but any issues would have to be resolved by you and the reverse proxy vendor. There is nothing that says you cant do that however. There is no Micrsoft document I am aware that says a reverse proxy for 443 is not supported.

https://www.enowsoftware.com/solutions-engine/what-are-your-exchange-hybrid-options

· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

MatthewRidley-8427 avatar image MatthewRidley-8427 ·

Thank you AndyDavid for your response.

I thought it might be something like that although I find it really strange that I can't see loads of articles around the security implications of a direct incoming connection to internal servers.
In your experience has anyone ever configured a reverse proxy in this way or are most customers happy to allow incoming traffic direct from Exchange online endpoints to their Internal Exchange servers?

0 Votes 0 ·
KyleXu-MSFT avatar image KyleXu-MSFT MatthewRidley-8427 ·

Connection from Microsoft IP addresses are secure. I think it is enough that you only keep the connection to the Microsoft IP address. Yes, you could try to add reverse proxy to your organization, I don't find any article saying it is supported or not.

0 Votes 0 ·
MatthewRidley-8427 avatar image
0 Votes"
MatthewRidley-8427 answered

Hi KyleXu-MSFT,

Thank you for your answer.

One final question (Hopefully), does anyone know if Azure AD Application Proxy could be used in this case? i.e External DNS entries pointed to Azure AD Application proxy which in turn has the proxy connectors on the internal Exchange servers.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AndyDavid avatar image
0 Votes"
AndyDavid answered

its not supported as far as I know. Jut OWA.
https://docs.microsoft.com/en-us/answers/questions/685148/exchange-2016-and-hybrid-modern-auth-hma.html

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.