On Prem Exchange Migration to Office 365 Questions

Hi Guys,

We're looking at moving from an On Prem Exchange 2016 Server (Behind an SG230 doing all our SPAM filtering) to Office 365. I'm across the setup of Exchange 365 and already have the Domain Sync setup and working fine and about to re-config the On Prem Exch 2016 server to Hybrid.

Just looking for a guide/primer on what I need to do/change on the UTM so that ALL external Mail goes to Office 365, and the UTM allows that mail traffic back down to our Outlook clients, plus our On Prem Exch talks to our Office 365 setup. Any advice or tips are always appreciated ;)

Cheers

  • Hey, Dread.

    AFAIK, you cannot have a third party filter (like UTM Mail Protection) between your OnPrem Exchange Server and Office 365 in a hybrid setup. It would break your mail flow from Office 365 to any mailboxes that still reside on your OnPrem Exchange Server. If you are setting Office 365 as your MX (which you should), that would prevent any messages from reaching mailboxes still OnPrem. The way to prevent this is to DNAT ports 25 and 587 to your Exchange Server. You could create a DNAT rule forwarding ports 25 and 587 only when originating from Office 365 hosts to minimize your Exchange Server exposure.

    For the other way around, as long as you are not using transparent mail proxy and your Exchange Server is allowed to access ports 25 and 587 on the outside world it should just work, as the hybrid setup wizard creates a smart host on your Exchange Server that will bypass your default send connector for inter-domain communication, meaning any messages sent from OnPrem mailboxes to mailboxes that were moved to Office 365 will flow through the internet and not Sophos UTM.

    Now, for general outbound messages (non inter-domain), by default OnPrem mailboxes will still deliver them using your default send connector, meaning through Sophos. I don't think there's a way for ALL external mail to go through Office 365 without moving all mailboxes to the cloud.

    Regards,

    Giovani

  • Does this mean that if we have our MX records still pointing to on premise, that it would work OK? I'm looking into configuring Hybrid with our Exchange Server and UTM but am nervous about setting it up if you are saying it won't work. I still want to use WAF and not NAT.

  • Just out of interest on this (sorry for butting in) but if you move to Office 365, what or who does your mail/av/spam filtering etc?

  • The idea is that everything gets routed through the UTM, then relayed on to O365, so the UTM will still do the spam/av/filtering etc

  • Right, so it's basically the same and the on prem Exchange is acting as a proxy for the 365? So, if somebody logs onto 365 from the web and sends mail, it will relay via the UTM too?

  • Hey Colly.

    AFAIK, at least for the communication between your Exchange Server and Office365 you would need to use DNAT.

    "Don't place any servers, services, or devices between your on-premises Exchange servers and Office 365 that process or modify SMTP traffic. Secure mail flow between your on-premises Exchange organization and Office 365 depends on information contained in messages sent between the organization. Firewalls that allow SMTP traffic on TCP port 25 through without modification are supported. If a server, service, or device processes a message sent between your on-premises Exchange organization and Office 365, this information is removed. If this happens, the message will no longer be considered internal to your organization and will be subject to anti-spam filtering, transport and journal rules, and other policies that may not apply to it."

    I've not done hybrid setups in a while, but the last time I did it mail flow from O365 to onprem would not work if using UTM's Mail Protection between this specific flow. This would break all flow between mailboxes on O365 and your Exchange Server, rendering any mailboxes on O365 useless. Your Exchange server and O365 need to talk directly for this communication to occur. Since DNAT takes precedence over local ports, if you create a DNAT from connections coming exclusively from O365 addresses to ports 25 and 587 on your UTM you could at least minimize exposure, letting everything else pass through UTM's Mail Protection. That would mean that any e-mail coming from O365 would not be filtered, though, not only internal communication.

    On that matter, I'll be perfectly honest with you: I'd take EOP over UTM's mail protection any day now. When configured correctly EOP is far more powerful than UTM's Mail Protection, which, in my opinion, is becoming more and more ineffective against new forms of attacks.

    For OWA you can still use WAF, no issues there. Your local OWA would redirect any clients with mailboxes on O365 to O365's OWA automatically.

    Regards,

    Giovani
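Giovani's point, and the Microsoft guidance he quotes, is that a message from O365 to an on-prem mailbox must arrive at Exchange directly, with nothing processing it in between. As an added example (not from this thread, Sophos or Microsoft), the Python below reads the Received chain of a test message sent from an O365 mailbox to an on-prem mailbox and reports whether the hop from Microsoft's relay hosts landed on the Exchange server itself or on another device such as the UTM. Both message samples, their host names and IPs are constructed for the example, and `.protection.outlook.com` as the suffix of the O365 relay hosts is an assumption.

```python
import re
from email import message_from_string

# Constructed sample 1: the O365 relay host delivers straight to the on-prem
# Exchange server (the supported hybrid path). Hosts and IPs are made up.
SAMPLE_DIRECT = """\
Received: from MAIL.contoso.local (10.0.0.25) by MAIL.contoso.local (10.0.0.25) with Microsoft SMTP Server id 15.1.2176.2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from AM5EUR02HT123.mail.protection.outlook.com (104.47.5.70) by MAIL.contoso.local (10.0.0.25) with Microsoft SMTP Server (TLS) id 15.1.2176.2 via Frontend Transport; Mon, 1 Jan 2024 10:00:02 +0000
"""

# Constructed sample 2: the same message, but a mail proxy on the UTM sat in the
# middle, so the O365 hop lands on the UTM, which then re-delivers to Exchange.
SAMPLE_VIA_UTM = """\
Received: from MAIL.contoso.local (10.0.0.25) by MAIL.contoso.local (10.0.0.25) with Microsoft SMTP Server id 15.1.2176.2; Mon, 1 Jan 2024 10:00:04 +0000
Received: from utm.contoso.local (192.168.1.1) by MAIL.contoso.local (10.0.0.25) with Microsoft SMTP Server id 15.1.2176.2 via Frontend Transport; Mon, 1 Jan 2024 10:00:03 +0000
Received: from AM5EUR02HT123.mail.protection.outlook.com (104.47.5.70) by utm.contoso.local with ESMTPS id 1abc-2DEF; Mon, 1 Jan 2024 10:00:02 +0000
"""

# Assumed suffix of the hosts Office 365 relays outbound mail from.
O365_SUFFIX = ".protection.outlook.com"
# Pull "from <host> ... by <host>" out of a Received header; other clauses are skipped.
RECEIVED_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.I)


def parse_hops(raw_message: str) -> list[tuple[str, str]]:
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(value).split()))  # unfold the header
        if m:
            hops.append((m.group("frm").lower(), m.group("by").lower()))
    return list(reversed(hops))  # headers are newest-first; flip to chronological


def check_hybrid_path(raw_message: str, exchange_host: str) -> tuple[bool, str]:
    """True when the hop from an O365 relay host was received directly by exchange_host."""
    for frm, by in parse_hops(raw_message):
        if frm.endswith(O365_SUFFIX):
            if by == exchange_host.lower():
                return True, f"{frm} delivered directly to {by}"
            return False, f"{frm} delivered to {by}, not {exchange_host}: a device processed the message in between"
    return False, "no hop from an Office 365 relay host found"


if __name__ == "__main__":
    for name, sample in (("direct", SAMPLE_DIRECT), ("via UTM", SAMPLE_VIA_UTM)):
        ok, detail = check_hybrid_path(sample, "MAIL.contoso.local")
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {detail}")
```

Run it against the full headers of a real test message (copied from the on-prem mailbox) with your own Exchange host name to confirm the DNAT rule is carrying O365 traffic past the mail proxy.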

  • Hey Louis.

    For inbound it's one or the other: either onprem or on O365. For outbound you can have each one delivering directly or have it centralized onprem (not recommended unless for meeting compliance needs).

    Regards,

    Giovani

  • What I did was re-point the MX records back to On-Prem so that mail comes to the Exchange 2016 Server and then via the Hybrid connectors to O365. At this stage (due to NBN delays in our area) only remote users have mailboxes 'in the cloud' at O365 and all local domain users are still on the Exchange On-Prem servers. Mail flow is fine and the UTM is still doing all the SPAM/Virus filtering and O365 is scanning the mail sent to the cloud based mailboxes and it's catching a few more (mostly enquiry forms from our websites that get spambotted).

    Once we get our new NBN connections (100/40) I will start moving local users to O365 and re-point the MX records to it, but for now everything has been working fine as is in this hybrid setup.