Exchange Hybrid firewall ports

Are you following the Exchange Hybrid course? Before going any further, the Exchange Hybrid firewall ports must be in place. Only then can we run the Exchange Hybrid Wizard and start migrating mailboxes and sending and receiving mail between on-premises and Office 365. In this article, you will learn the Exchange Hybrid firewall port requirements. Let’s get into the Exchange firewall configuration.

Introduction

There are multiple scenarios for Exchange Hybrid architecture. It all depends on which Exchange Server version you use in the organization and if you want to have High Availability (load balance) for Exchange Hybrid servers.

Important: Read the article Exchange Hybrid design and planning before proceeding.

Note: The Exchange Hybrid server is the Exchange Server you select in the Hybrid Configuration Wizard to act as the hybrid endpoint. You can choose one or more Exchange Servers to act as Exchange Hybrid servers. It can be an Exchange Server with or without mailbox databases.

Configure Exchange Hybrid firewall ports

It’s important to create the following four firewall rules (ports 443 and 25, inbound and outbound) for mail flow and connections. They enable the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.

| Purpose | Ports | Source | Destination |
|---|---|---|---|
| Encrypted web connections | 443/TCP (HTTPS) | Exchange Online endpoints | 192.168.1.52 |
| Encrypted web connections | 443/TCP (HTTPS) | 192.168.1.52 | Exchange Online endpoints |
| Inbound mail | 25/TCP (SMTP) | Exchange Online endpoints | 192.168.1.52 |
| Outbound mail | 25/TCP (SMTP) | 192.168.1.52 | Exchange Online endpoints |

In our example, the Exchange Hybrid server IP address is 192.168.1.52. It is the Exchange Server we selected when running the Hybrid Configuration Wizard.

Exchange Hybrid firewall ports topology

Exchange Hybrid firewall ports for mail flow and services

To get clients and mail flow working between Exchange Server and Exchange Online, port 443 and port 25 must be open on the firewall. The rules below cover both directions for both ports.

| Purpose | Ports | Source | Destination |
|---|---|---|---|
| On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to the Internet | 443/TCP (HTTPS) | Exchange Online endpoints | Exchange Hybrid |
| On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to the Internet | 443/TCP (HTTPS) | Exchange Hybrid | Exchange Online endpoints |
| On-premises Exchange Servers configured to host receive connectors for secure mail transport with Exchange Online in the Hybrid Configuration Wizard | 25/TCP (SMTP) | Exchange Online endpoints | Exchange Hybrid |
| On-premises Exchange Servers configured to host send connectors for secure mail transport with Exchange Online in the Hybrid Configuration Wizard | 25/TCP (SMTP) | Exchange Hybrid | Exchange Online endpoints |
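Both tables above use "Exchange Online endpoints" as the source or destination of the 443/TCP and 25/TCP rules. The following PowerShell is an added example (not part of the original article, and not Microsoft's own tooling) that resolves that phrase into concrete CIDR prefixes by querying the Microsoft 365 IP Address and URL web service at endpoints.office.com, flattens them into per-port rows you can load into a firewall address object, and then verifies the two outbound rules from the Exchange Hybrid server with a TCP handshake. It assumes the server can reach endpoints.office.com over HTTPS; the function names and the tenant MX host `contoso-com.mail.protection.outlook.com` are placeholders of this example, not values from the article.

```powershell
# Added example, not from the original article. Run on the Exchange Hybrid server
# (192.168.1.52 in the article). Assumes outbound HTTPS to endpoints.office.com.

function Get-ExoHybridEndpoints {
    # Query the Microsoft 365 IP Address and URL web service and keep only the
    # Exchange Online entries that involve TCP 25 or TCP 443.
    param(
        [string]$Instance = 'Worldwide'   # other instances: USGovDoD, USGovGCCHigh, China, Germany
    )
    # The service requires a per-client GUID as clientrequestid.
    $uri = "https://endpoints.office.com/endpoints/$Instance?clientrequestid=$([guid]::NewGuid())"
    $entries = Invoke-RestMethod -Uri $uri -Method Get

    foreach ($e in $entries) {
        if ($e.serviceArea -ne 'Exchange') { continue }
        $ports = @(($e.tcpPorts -split ',') | ForEach-Object { $_.Trim() })
        if (-not ($ports -contains '25' -or $ports -contains '443')) { continue }
        [pscustomobject]@{
            Id       = $e.id
            Category = $e.category      # Optimize / Allow / Default
            Required = $e.required
            TcpPorts = $e.tcpPorts
            Urls     = @($e.urls)
            Ips      = @($e.ips)        # CIDR prefixes, IPv4 and IPv6
        }
    }
}

function Get-ExoHybridFirewallAddresses {
    # Flatten endpoint entries into one (Port, Prefix) row per CIDR prefix, the
    # shape a firewall address object or ACL is built from. IPv6 is skipped unless
    # -IncludeIPv6 is given, because many hybrid servers only have IPv4 exposure.
    param(
        [Parameter(ValueFromPipeline)]$Endpoint,
        [switch]$IncludeIPv6
    )
    process {
        $ports = @(($Endpoint.TcpPorts -split ',') | ForEach-Object { $_.Trim() })
        foreach ($prefix in $Endpoint.Ips) {
            if (-not $IncludeIPv6 -and $prefix -like '*:*') { continue }
            foreach ($port in @('25', '443')) {
                if ($ports -contains $port) {
                    [pscustomobject]@{ Port = [int]$port; Prefix = $prefix; Category = $Endpoint.Category }
                }
            }
        }
    }
}

function Test-ExoHybridOutbound {
    # Verify the two outbound rules (hybrid server -> Exchange Online) with a TCP
    # handshake. The inbound rules (Exchange Online -> hybrid server) cannot be
    # proven from the inside; the Hybrid Configuration Wizard exercises those.
    param(
        [Parameter(Mandatory)][string]$TenantMxHost,   # placeholder: <tenant>.mail.protection.outlook.com
        [string]$HttpsHost = 'outlook.office365.com'
    )
    $targets = @(
        @{ Purpose = 'Outbound HTTPS to Exchange Online'; Host = $HttpsHost;    Port = 443 },
        @{ Purpose = 'Outbound SMTP to Exchange Online';  Host = $TenantMxHost; Port = 25  }
    )
    foreach ($t in $targets) {
        $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Purpose       = $t.Purpose
            Target        = "$($t.Host):$($t.Port)"
            RemoteAddress = $r.RemoteAddress
            Reachable     = $r.TcpTestSucceeded
        }
    }
}

# Usage: list the prefixes for the firewall rules, then check the outbound side.
$endpoints = Get-ExoHybridEndpoints
$endpoints | Get-ExoHybridFirewallAddresses | Sort-Object Port, Prefix -Unique | Format-Table -AutoSize
Test-ExoHybridOutbound -TenantMxHost 'contoso-com.mail.protection.outlook.com' | Format-Table -AutoSize
```

The published prefixes change over time, so re-run the first two steps on a schedule and diff the output against what is loaded on the firewall; a stale list silently breaks mail flow or mailbox moves, while widening the rule to "any" to get around that undoes the protection the conclusion of this article describes. A `Reachable` value of `False` on the 443 row points at the outbound HTTPS rule, on the 25 row at the outbound SMTP rule (or at an upstream relay that intercepts port 25).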

In the next article, we will run the Hybrid Configuration Wizard.

Conclusion

You learned how to configure the required Exchange Hybrid firewall ports. The Exchange Hybrid firewall ports are essential for communication between Exchange Online and Exchange on-premises. Restricting the rules to the Exchange Online endpoints instead of ALL (everyone) limits who can reach ports 25 and 443 on the hybrid server and gives you an extra layer of protection.

Did you enjoy this article? You may also like Exchange Server in DMZ or LAN network. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 11 Comments

  1. Has something changed in the ports or O365 addresses lately? Migrations from the On-Prem Exchange Server to O365 are now failing with a:

    EndpointNotFoundTransientException: The call to ‘https://my.domain.com/EWS/mrsproxy.svc’ failed because no service was listening on the specified endpoint. Error details: There was no endpoint listening at https://my.domain.com/EWS/mrsproxy.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. –> The remote server returned an error: (404) Not Found. –> There was no endpoint listening at https://my.domain.com/EWS/mrsproxy.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. –> The remote server returned an error: (404) Not Found.

    Nothing has changed internally, or on the Exchange Server, or with the Internet connections, or on the firewall, or with any of our static IPs. Never had an issue with these migrations for years …

    1. I have been battling with this error message now with no resolution. Do you have a fix for it yet?

  2. Hello Ali,
    Your articles helped me a lot in the past. Thanks for posting these articles. I have a quick question. I have an Exchange Hybrid 2019 environment. All users were migrated over to Exchange Online. All DNS records are pointing directly to Exchange Online. We are keeping the Exchange Hybrid for management and for internal servers to use the SMTP service to send alerts. My network team recently pointed out that users are still hitting the Exchange Hybrid servers on port 443. Do you know what the reason is for users hitting hybrid Exchange on port 443? All of their mailboxes were migrated over long ago.
    Thanks,

  3. Hi there,

    Does Exchange Hybrid require Reverse DNS to be set in order for it to be operational like at the ISP level?

    Thank you!

    Ryan

  4. Hi, I read your article for exchange hybrid, very good article.
    I want to ask how can I find out what is my Exchange Online endpoints ( IPs or URL) on my Microsoft 365 tenant , so I can configure firewall rules for ports 443 and 25 , for further configuration with HCW.
    thanks
    Dejan

  5. Hi Ali,

    I always enjoy reading your articles that are very well written and easy to understand!

    I’m designing the deployment of Hybrid Exchange. I’m planning to publish EWS and Autodiscover using a reverse proxy/load balancer that will have a public certificate and will proxy back to a single Exchange server.

    I do have a question about SMTP flow:

    Inbound SMTP from Exchange Online to Exchange on-prem – I don’t have an Edge server (we are using another mail relay), and we can’t open direct SMTP into the internal Exchange.
    Do you know if using a load balancer in front of the Exchange server that supports secure SMTP (like a KEMP load balancer) will work?

    Outbound SMTP from on-prem to Exchange Online – I was thinking that outbound to Exchange Online will go direct. In this case, is it still required that the Exchange server has a public certificate? Can the outbound traffic go out from the load balancer?

    Thanks,
    Guy

  6. Hi sir, how about Exchange 2013, which has the CAS role and the Mailbox role on separate servers? Is it sufficient to open the required ports only on the CAS server, or do we need to allow them on the Mailbox role server as well?

    1. Hi Peter,

      Open the required ports only on Exchange 2013 CAS.

      Exchange Server 2019: Open the ports 25/443 on Mailbox/Edge.
      Exchange Server 2016: Open the ports 25/443 on Mailbox/Edge.
      Exchange Server 2013: Open the ports 25 and 443 on CAS/Edge.
      Exchange Server 2010: Open the ports 25 and 443 on Hub/Edge.

  7. Hello brother, hope you are doing well. Could you please help me remove my existing failed Exchange server? I have three Exchange servers, and one of them has failed due to a hardware issue. Now I need to remove it from the DAG and the Exchange database copies, but I have forgotten the steps I was following before: where and how to remove the failed Exchange server. I want to keep my current two Exchange servers up and running.

    Thank you,
    Khalil
