Exchange Hybrid firewall ports

Are you following the Exchange Hybrid course? The Exchange Hybrid firewall ports must be in place before you go further. After that, we can run the Exchange Hybrid Wizard and start migrating mailboxes and sending and receiving mail between on-premises and Office 365. In this article, you will learn about the Exchange Hybrid firewall port requirements. Let’s get into the Exchange firewall configuration.

Introduction

There are multiple scenarios for Exchange Hybrid architecture. It all depends on which Exchange Server version you use in the organization and whether you want High Availability (load balancing) for the Exchange Hybrid servers.

Important: Read the article Exchange Hybrid design and planning before you go further.

Note: The Exchange Hybrid server is the Exchange Server that you select in the Hybrid Configuration Wizard to act as the Exchange Hybrid server. You can choose one or more Exchange Servers to act as Exchange Hybrid. It can be an Exchange Server with or without mailbox databases.

Configure Exchange Hybrid firewall ports

It’s important to open the following four firewall rules for mail flow and connections: ports 443 and 25, each in both directions. They enable the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.

| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| Encrypted web connections | 443/TCP (HTTPS) | Exchange Online endpoints | 192.168.1.52 |
| Encrypted web connections | 443/TCP (HTTPS) | 192.168.1.52 | Exchange Online endpoints |
| Inbound mail | 25/TCP (SMTP) | Exchange Online endpoints | 192.168.1.52 |
| Outbound mail | 25/TCP (SMTP) | 192.168.1.52 | Exchange Online endpoints |

In our example, the Exchange Hybrid server IP address is 192.168.1.52. We selected that Exchange Server when running the Hybrid Configuration Wizard.

Exchange Hybrid firewall ports topology

Exchange Hybrid firewall ports for mail flow and services

To get clients and mail flow working between Exchange Server and Exchange Online, opening port 443 and port 25 on the firewall is very important. These are inbound and outbound firewall rules for both ports.

| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to Internet | 443/TCP (HTTPS) | Exchange Online endpoints | Exchange Hybrid |
| On-premises Exchange Servers used to publish Exchange Web Services and Autodiscover to Internet | 443/TCP (HTTPS) | Exchange Hybrid | Exchange Online endpoints |
| On-premises Exchange Servers configured to host receive connectors for secure mail transport with Exchange Online in the Hybrid Configuration wizard | 25/TCP (SMTP) | Exchange Online endpoints | Exchange Hybrid |
| On-premises Exchange Servers configured to host send connectors for secure mail transport with Exchange Online in the Hybrid Configuration wizard | 25/TCP (SMTP) | Exchange Hybrid | Exchange Online endpoints |

Conclusion

You learned how to configure the required Exchange Hybrid firewall ports. The Exchange Hybrid firewall ports are essential for communication between Exchange Online and Exchange on-premises. Using the Exchange Online endpoints instead of ALL (everyone) will give you a layer of protection.
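An added example (not from the original article): a Python check that audits inbound firewall rules for the hybrid server and flags any port 25 or 443 rule whose source is ANY or falls outside the Exchange Online ranges. The endpoint list is a constructed sample shaped like the JSON from Microsoft's Office 365 IP Address and URL web service, using documentation ranges rather than real Microsoft addresses; the rule export format and the rule names are hypothetical.

```python
import ipaddress

HYBRID_SERVER = "192.168.1.52"  # Exchange Hybrid server IP from the article's example

# Constructed sample in the shape of the Office 365 endpoints web service JSON.
# The ranges are documentation networks (RFC 5737), not real Microsoft ranges.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "ips": ["192.0.2.0/24"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "Exchange", "ips": ["198.51.100.0/24"], "tcpPorts": "25"},
    {"id": 3, "serviceArea": "Skype", "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Exchange", "urls": ["outlook.office365.com"], "tcpPorts": "443"},
]

# Constructed inbound rules, as exported from a perimeter firewall (hypothetical format).
SAMPLE_RULES = [
    {"name": "EXO-HTTPS-in", "port": 443, "source": "192.0.2.0/24", "dest": HYBRID_SERVER},
    {"name": "EXO-SMTP-in", "port": 25, "source": "any", "dest": HYBRID_SERVER},
    {"name": "Old-HTTPS-in", "port": 443, "source": "203.0.113.0/24", "dest": HYBRID_SERVER},
]

def exchange_online_networks(endpoints, port):
    """Return the Exchange Online networks published for one TCP port."""
    nets = []
    for entry in endpoints:
        ports = {p.strip() for p in entry.get("tcpPorts", "").split(",")}
        if entry.get("serviceArea") == "Exchange" and str(port) in ports:
            nets += [ipaddress.ip_network(ip) for ip in entry.get("ips", [])]
    return nets

def audit_inbound_rules(rules, endpoints, server=HYBRID_SERVER):
    """Flag inbound 25/443 rules to the hybrid server with a source wider than Exchange Online."""
    findings = []
    for rule in rules:
        if rule["dest"] != server or rule["port"] not in (25, 443):
            continue  # not one of the hybrid rules from the tables above
        if rule["source"].lower() in ("any", "all", "0.0.0.0/0"):
            findings.append((rule["name"], "source is ANY"))
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)
        allowed = exchange_online_networks(endpoints, rule["port"])
        if not any(src.version == net.version and src.subnet_of(net) for net in allowed):
            findings.append((rule["name"], "source not in Exchange Online ranges"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_inbound_rules(SAMPLE_RULES, SAMPLE_ENDPOINTS):
        print(f"{name}: {reason}")
```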

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 3 Comments

  1. Hi sir, how about Exchange 2013, which has the CAS role and mailbox role on separate servers? Is it sufficient to open the required ports only on the CAS server, or do we require the mailbox role server to be allowed as well?

    1. Hi Peter,

      Open the required ports only on Exchange 2013 CAS.

      Exchange Server 2019: Open the ports 25/443 on Mailbox/Edge.
      Exchange Server 2016: Open the ports 25/443 on Mailbox/Edge.
      Exchange Server 2013: Open the ports 25 and 443 on CAS/Edge.
      Exchange Server 2010: Open the ports 25 and 443 on Hub/Edge.

  2. Hello brother, hope you are doing good. Could you please help me remove my existing failed Exchange server? I have three Exchange servers; one of them has failed due to a hardware issue. Now I need to remove it from the DAG and the Exchange database copies, but I have forgotten the steps I was following before, where and how to remove the failed Exchange server. I want to keep my current two Exchange servers up and running.

    Thank you,
    Khalil
