Exchange Classic Hybrid Connection Security

shockoQA 126 Reputation points
2020-10-17T08:44:08.18+00:00

Looking at the setup wizard for Exchange Classic Hybrid, I'm wondering: once it is set up, communications are obviously over 443/35 TLS 1.2, but is there any mutual authentication between our Exchange servers in our data centre and the EOL hybrid connection points? If so, how is this done (certificate etc.)? The reason I ask is we have to open ingress ports on our edge for EOL to send mail inwards, as we are keeping mail flow on premise.

Microsoft Exchange Hybrid Management

Accepted answer
  1. Andy David - MVP 144.4K Reputation points MVP
    2020-10-17T11:44:29.427+00:00

    Yes, the Certs "authenticate" the connection between on-prem and Exchange online.

    https://video2.skills-academy.com/en-us/exchange/certificate-requirements

    In a hybrid deployment, digital certificates are an important part of securing the communication between the on-premises Exchange organization and Microsoft 365 or Office 365. Certificates enable each Exchange organization to trust the identity of another. Certificates also help to ensure that each Exchange organization is communicating to the right source.

    1 person found this answer helpful.
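The answer above says the certificates are what authenticate the hybrid mail path. Where that actually lives on the on-premises side is the connector configuration that the Hybrid Configuration Wizard writes: the port 25 Receive connector gets a TlsDomainCapabilities entry for the Exchange Online certificate domain, and the outbound Send connector is pinned to that domain with RequireTLS and DomainValidation. The following script is an added example written for this thread, not code from the original post or from Microsoft; it assumes the HCW default values (the cloud domain mail.protection.outlook.com and a Send connector whose address space is the tenant's onmicrosoft.com domain) and that it is run from the Exchange Management Shell on an on-premises server. If your HCW run used different names, adjust the parameters.

```powershell
# Added example: report what the on-premises connectors require of the Exchange Online peer.
# Assumptions (hypothetical defaults): HCW-configured connectors, cloud cert domain as below.
param(
    [string]$Server      = $env:COMPUTERNAME,
    [string]$CloudDomain = 'mail.protection.outlook.com'
)

$findings = @()

# 1. Inbound path (Exchange Online -> on-prem over TCP 25).
#    HCW tags the port 25 Receive connector with a TlsDomainCapabilities entry so that an
#    Exchange Online certificate offered on STARTTLS is recognised as a cloud-services peer
#    (AcceptCloudServicesMail) rather than treated as anonymous internet mail.
$recv = Get-ReceiveConnector -Server $Server | Where-Object { $_.Bindings.Port -contains 25 }
foreach ($rc in $recv) {
    $caps     = @($rc.TlsDomainCapabilities | ForEach-Object { $_.ToString() })
    $hasCloud = @($caps | Where-Object { $_ -like "$CloudDomain*" })
    $findings += [pscustomobject]@{
        Connector          = $rc.Identity
        Direction          = 'Receive'
        TlsCertificateName = $rc.TlsCertificateName
        RequireTLS         = $rc.RequireTLS
        Check              = if ($hasCloud.Count -gt 0) { "OK: $($hasCloud -join ', ')" }
                             else { "REVIEW: no TlsDomainCapabilities entry for $CloudDomain" }
    }
}

# 2. Outbound path (on-prem -> Exchange Online).
#    HCW creates a Send connector that requires TLS and validates the far side's certificate
#    name against the cloud domain (TlsAuthLevel DomainValidation), so on-prem will not hand
#    mail to an endpoint that cannot present a matching, trusted certificate.
$send = Get-SendConnector | Where-Object {
    $_.TlsDomain -eq $CloudDomain -or ($_.AddressSpaces -match 'onmicrosoft\.com')
}
foreach ($sc in $send) {
    $ok = ($sc.RequireTLS -and $sc.TlsAuthLevel -eq 'DomainValidation' -and $sc.TlsDomain -eq $CloudDomain)
    $findings += [pscustomobject]@{
        Connector          = $sc.Identity
        Direction          = 'Send'
        TlsCertificateName = $sc.TlsCertificateName
        RequireTLS         = $sc.RequireTLS
        Check              = if ($ok) { 'OK: RequireTLS + DomainValidation' }
                             else { "REVIEW: TlsAuthLevel=$($sc.TlsAuthLevel) TlsDomain=$($sc.TlsDomain)" }
    }
}

$findings | Format-Table -AutoSize
```

Read the output as two separate questions: the Receive row tells you whether inbound connections are only recognised as Exchange Online when they present the cloud certificate, and the Send row tells you whether outbound delivery refuses anything that does not present a valid certificate for the cloud domain. The matching settings on the Exchange Online side live on the hybrid Inbound and Outbound connectors (Get-InboundConnector / Get-OutboundConnector in Exchange Online PowerShell, in particular RequireTls and TlsSenderCertificateName), which is where the cloud side is told which on-premises certificate to expect.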

2 additional answers

  1. shockoQA 126 Reputation points
    2020-10-17T12:08:39.093+00:00

    Thanks Andy. In my understanding, classic hybrid EOL can open an unsolicited connection to our data-center EX 2016 servers with no SSL inspection (as that's a requirement), i.e. EOL sends a TCP SYN on port 25 (TLS) for mail flow, for example. So, firewalls aside, is Exchange holding a certificate for EOL somewhere to authenticate it? I would assume so, and that this certificate is added to the Exchange server when we connect the hybrid. Otherwise the only security layer for 'auth' is just firewall rules allowing in the wide list of EOL IPs.

    So, that is to say, is EOL to EX using TLS with mutual authentication?


  2. shockoQA 126 Reputation points
    2020-10-17T13:38:03.82+00:00

    Thanks for taking the time to reply, Andy. Much appreciated. I'm getting more concise information from you than from the documentation! Is there anywhere in the documentation that explicitly states this? Having an epic time trying to get this past security. Since I haven't got it up and running, I can run a network trace to verify.