I have recently been doing some work for a local council that requires a migration strategy to move away from an ageing on-premises Exchange 2010 and 2016 environment. The environment is currently hosted in a secure infrastructure managed by a large third party, who have put in place many security controls, such as F5 proxies and numerous firewalls, to protect the council's data. The main challenge was to enable mail flow from the EOL services to EOP. One key factor in this solution is that Microsoft specify the following:
We must not place any servers, services, or devices that process or modify SMTP traffic (filtering, packet inspection) between the on-premises Exchange servers and Microsoft 365 or Office 365. Secure mail flow between the on-premises Exchange organisation and Microsoft 365 or Office 365 depends on information contained in the messages sent between the two organisations. Firewalls that allow SMTP traffic on TCP port 25 through without modification are supported. If a server, service, or device processes a message sent between the on-premises Exchange organisation and Microsoft 365 or Office 365, this information is removed. If that happens, the message is no longer considered internal to the organisation and becomes subject to anti-spam filtering, transport and journal rules, and other policies that should not apply to it.
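The practical way to check that a firewall path really does pass TCP 25 "without modification" is to speak SMTP across it and look at what the far side advertises. The PowerShell below is an added example, not code from the original post: it connects to port 25, issues EHLO, and reports the capability list, flagging whether STARTTLS and the Exchange-specific X-ANONYMOUSTLS extension survived and whether any capabilities have been overwritten with runs of X characters, which is how some SMTP-inspecting firewalls mask extensions they do not understand. The target name and the EHLO name are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Probe an SMTP endpoint on tcp/25
# and report the EHLO capabilities advertised across the path.
function Test-SmtpEhlo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Port = 25,
        [string]$HeloName = 'edge.domain.name',   # assumed FQDN of the host running the probe
        [int]$TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Target, $Port)

    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # A multi-line SMTP reply uses "250-" on continuation lines and "250 " on the last line.
    function Read-SmtpReply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return ,$lines
    }

    try {
        $banner = Read-SmtpReply
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-SmtpReply
        $writer.WriteLine('QUIT')
    }
    finally {
        $client.Close()
    }

    # Capabilities are everything after the 4-character "250-" / "250 " prefix;
    # the first EHLO line is the greeting ("250-host Hello [ip]"), so skip it.
    $caps = @($ehlo |
        Where-Object { $_ -match '^250[- ]' } |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Substring(4).Trim() })

    [pscustomobject]@{
        Target         = "$Target`:$Port"
        Banner         = ($banner -join ' ')
        Capabilities   = $caps
        # STARTTLS must be visible end to end for hybrid mail flow to use TLS.
        StartTls       = [bool]($caps -contains 'STARTTLS')
        # Advertised by Exchange receive connectors; its absence on a path that
        # should be clean points at an SMTP-aware device in between.
        XAnonymousTls  = [bool]($caps -contains 'X-ANONYMOUSTLS')
        # Capability names replaced by "XXXX..." are the signature of SMTP inspection.
        LooksInspected = [bool]($caps | Where-Object { $_ -match '^X{4,}' })
    }
}

# Run from outside the perimeter against the published Edge address, from the
# Edge towards the Mailbox server, and from the Edge towards EOP, then compare.
Test-SmtpEhlo -Target 'edge.domain.name'
```

If `StartTls` is false, or `LooksInspected` is true, on any leg that is supposed to be a plain NAT path, an intermediate device is rewriting the session and the Microsoft requirement above is not being met, regardless of what the firewall rule set says.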
With the above in mind, we had to implement a solution that would not impact current mail flow and that connected EOP to EOL for hybrid mail flow only. To do this we deployed a Microsoft Exchange 2016 Edge Transport server in the perimeter network and NAT the SMTP traffic through the firewall to the Exchange Mailbox server on the internal network. The following explains the configuration needed to get this working:
Exchange Edge Transport Network Diagram
Network ports required for mail flow with Edge Transport Server
| Purpose | Ports | Source | Destination |
| --- | --- | --- | --- |
| Inbound mail: Internet to Edge Transport server | 25/TCP (SMTP) | Internet (Microsoft 365 service IPs / URLs, see https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx) | Edge Transport server |
| Inbound mail: Edge Transport server to internal Exchange organisation | 25/TCP (SMTP) | Edge Transport server | Mailbox servers in the subscribed Active Directory site |
| Outbound mail: internal Exchange organisation to Edge Transport server | 25/TCP (SMTP) | Mailbox servers in the subscribed Active Directory site | Edge Transport server |
| Outbound mail: Edge Transport server to Internet | 25/TCP (SMTP) | Edge Transport server | Internet (any) |
| EdgeSync synchronisation | 50636/TCP (secure LDAP) | Mailbox servers in the subscribed Active Directory site that participate in EdgeSync synchronisation | Edge Transport servers |
| DNS for name resolution of the next mail hop | 53/UDP, 53/TCP (DNS) | Edge Transport server | DNS server |
Mail flow with Edge Transport Server
The following process describes the path messages take between an on-premises organisation and Exchange Online when the Edge Transport server is deployed.
Messages from the on-premises organisation to recipients in the Exchange Online organisation take the following path:
- A mailbox on an internal Exchange Mailbox server submits the message.
- The Mailbox server sends the message to an Edge Transport server running a supported version and release of Exchange.
- The Edge Transport server sends the message to EOP.
- EOP delivers the message to the Exchange Online organisation.
Messages sent from the Exchange Online organisation to recipients in the on-premises organisation follow the reverse route.
Build Exchange Edge Transport Server
Rather than mapping out every step of deploying the Edge Transport server role here, the following video goes into detail on how to deploy it. The steps it covers are:
- Install the pre-requisites:
  - .NET Framework 4.7.1
  - Visual C++ Redistributable Package for Visual Studio 2012
  - Install-WindowsFeature ADLDS
- Add a DNS suffix to the hostname of the Edge server
- Manually add an internal DNS record for the non-domain-joined server used for the Edge role
- Export the Exchange certificate from the existing Exchange server
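The preparation steps above, as an added PowerShell example rather than the post's own script. The DNS suffix `domain.local`, the Edge hostname `edge`, its IP address, the existing server name, the file paths and the `$Thumbprint` variable are all assumptions; replace them with your own values. Each part is commented with the server it runs on.

```powershell
# Added example (not the post's own code). Pre-requisites for a new, non-domain-joined
# Exchange 2016 Edge Transport server, plus the certificate hand-over from the
# existing Exchange server. Hostnames, IPs and paths are assumptions.

# --- On the Edge server: the only Windows feature the Edge role needs is AD LDS.
Install-WindowsFeature ADLDS

# --- On the Edge server: give the workgroup machine a primary DNS suffix so it has
#     a stable FQDN. The subscription file and EdgeSync use this name. Reboot afterwards.
$suffix = 'domain.local'                                   # assumed internal DNS suffix
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $suffix
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $suffix

# --- On an internal DNS server: the Edge is not domain joined, so it will not register
#     itself. Add the A record the Mailbox servers will use to reach it.
Add-DnsServerResourceRecordA -ZoneName $suffix -Name 'edge' -IPv4Address '10.0.100.10'   # assumed IP

# --- On the existing Exchange server: export the certificate with its private key,
#     so the Edge presents the same trusted name to EOP.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('C:\temp\exchange.pfx', $export.FileData)

# --- On the Edge server, after the role is installed with
#     Setup.exe /mode:Install /roles:EdgeTransport /IAcceptExchangeServerLicenseTerms
#     import the certificate and bind it to SMTP.
$pfxBytes = [System.IO.File]::ReadAllBytes('C:\temp\exchange.pfx')
$imported = Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services SMTP

# Confirm the binding and that the name EOP will connect to is on the certificate.
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

Remove the exported PFX from both servers once the import has been confirmed; it carries the private key for the name EOP trusts.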
Configure Edge Subscription
Like the previous video, this one goes into detail on how to configure the Edge Subscription and EdgeSync, and on the tests that confirm the synchronisation is working as it should.
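The Edge Subscription round trip, as an added example (not the post's own script). The Edge FQDN, the Active Directory site name, the Mailbox server name and the file path are assumptions.

```powershell
# Added example (not from the original post). Create, import and verify an
# Edge Subscription. Names and paths are assumptions.

# --- On the Edge Transport server (Exchange Management Shell):
#     the subscription file contains the EdgeSync bootstrap credentials and must be
#     imported within 1440 minutes, so treat it as a secret and delete it afterwards.
New-EdgeSubscription -FileName 'C:\temp\EdgeSubscription.xml'

# --- On a Mailbox server in the Active Directory site that will subscribe:
#     first confirm the two paths the subscription depends on are open through the firewall.
Test-NetConnection -ComputerName 'edge.domain.local' -Port 50636   # EdgeSync (secure LDAP)
Test-NetConnection -ComputerName 'edge.domain.local' -Port 25      # outbound SMTP to the Edge

# Import the file copied from the Edge; this also creates the Send Connectors
# in both directions so mail flow is relayed via the Edge.
$xml = [System.IO.File]::ReadAllBytes('C:\temp\EdgeSubscription.xml')
New-EdgeSubscription -FileData $xml -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Push the first synchronisation rather than waiting for the schedule, then verify.
Start-EdgeSynchronization -Server 'ex01' -ForceFullSync
Test-EdgeSynchronization -FullCompareMode |
    Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc, RecipientStatus, SendConnectorStatus

# A known recipient should now resolve on the Edge's AD LDS copy of the directory.
Test-EdgeSynchronization -VerifyRecipient 'someone@domain.name'
```

`SyncStatus` of `Normal` with a recent `LastSynchronizedUtc` is the result to look for; `Get-SendConnector` on the Mailbox server should then show the connectors the subscription created, which is the on-premises leg of the mail flow described earlier.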
Publish Exchange SMTP Externally
- Modify the external DNS record for Exchange 2016:
  - A record: edge.domain.name, pointing at the new perimeter network external IP
- Request firewall rule creation:
  - NAT rule for Exchange SMTP:
    - Source: Exchange Online IP subnets (https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx)
    - Destination: spare DMZ public IP address
    - Protocol: SMTP (tcp/25), bidirectional
    - Translated destination: Exchange 2016 Edge server
  - Associated access rule for Exchange SMTP:
    - Source: Exchange Online IP subnets (https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx)
    - Destination: Exchange 2016 Edge server
    - Protocol: SMTP (tcp/25), bidirectional
  - Reverse rule, if SMTP is blocked outbound by default
  - Rule to allow the Edge Transport server to forward to the Exchange Mailbox server on the production LAN
  - NAT rule for that Exchange SMTP traffic from the perimeter network into the production LAN
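The source object for the NAT and access rules above is the set of Exchange Online IP ranges, and that set changes. The PowerShell below is an added example (not from the original post) that pulls the current ranges from Microsoft's Office 365 IP address and URL web service and keeps only the Exchange endpoints that use tcp/25, so the firewall object can be refreshed from a script rather than copied once from the TechNet page. The web service and its JSON field names are real; the output file path is an assumption.

```powershell
# Added example (not from the original post). Fetch the current Exchange Online
# IP ranges that use tcp/25 from the Office 365 endpoints web service.
function Get-ExoSmtpRanges {
    param([string]$Instance = 'worldwide')   # other instances: USGovDoD, USGovGCCHigh, China
    # The service requires a fresh GUID as clientrequestid on every call.
    $uri = "https://endpoints.office.com/endpoints/$Instance`?clientrequestid=$([guid]::NewGuid())"
    $endpoints = Invoke-RestMethod -Uri $uri -Method Get

    $endpoints |
        Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips -and $_.tcpPorts } |
        Where-Object { ($_.tcpPorts -split ',') -contains '25' } |
        ForEach-Object {
            $id = $_.id
            $_.ips | ForEach-Object {
                [pscustomobject]@{
                    EndpointId = $id
                    Range      = $_
                    Family     = $(if ($_ -like '*:*') { 'IPv6' } else { 'IPv4' })
                }
            }
        } |
        Sort-Object Range -Unique
}

$ranges = Get-ExoSmtpRanges
$ranges | Format-Table -AutoSize

# Write the IPv4 list for the firewall team; assumed output path.
$ranges | Where-Object Family -eq 'IPv4' |
    Select-Object -ExpandProperty Range |
    Set-Content -Path 'C:\temp\exo-smtp-ipv4.txt'
```

Run this on a schedule and diff the output against the firewall object; a range that EOP starts using but the access rule does not allow shows up as inbound mail from Exchange Online silently queuing on the Microsoft side rather than as an obvious error on the Edge.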
Hopefully this has solved your problems when you have a requirement for a hybrid Exchange deployment in a secure infrastructure.