On Prem Exchange Migration to Office 365 Questions

Hi Guys,

We're looking at moving from an On Prem Exchange 2016 Server (Behind an SG230 doing all our SPAM filtering) to Office 365. I'm across the setup of Exchange 365 and already have the Domain Sync setup and working fine and about to re-config the On Prem Exch 2016 server to Hybrid.

Just looking for a guide/primer on what I need to do/change on the UTM so that ALL external Mail goes to Office 365, and the UTM allows that mail traffic back down to our Outlook clients, plus our On Prem Exch talks to our Office 365 setup. Any advice or tips are always appreciated ;)

Cheers


  • Hey, Dread.

    AFAIK, you cannot have a third-party filter (like UTM Mail Protection) between your OnPrem Exchange Server and Office 365 in a hybrid setup. It would break your mail flow from Office 365 to any mailboxes that still reside on your OnPrem Exchange Server. If you are setting Office 365 as your MX (which you should), that would prevent any messages from reaching mailboxes still OnPrem. The way to prevent this is to DNAT ports 25 and 587 to your Exchange Server. You could create a DNAT rule forwarding ports 25 and 587 only when originating from Office 365 hosts to minimize your Exchange Server exposure.

    For the other way around, as long as you are not using transparent mail proxy and your Exchange Server is allowed to access ports 25 and 587 on the outside world, it should just work, as the hybrid setup wizard creates a smart host on your Exchange Server that will bypass your default send connector for inter-domain communication, meaning any messages sent from OnPrem mailboxes to mailboxes that were moved to Office 365 will flow through the internet and not Sophos UTM.

    Now, for general outbound messages (non inter-domain), by default OnPrem mailboxes will still deliver them using your default send connector, meaning through Sophos. I don't think there's a way for ALL external mail to go through Office 365 without moving all mailboxes to the cloud.

    Regards,

    Giovani
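The source-restricted DNAT rule described in the reply above, modelled as an added example (not code from this thread or from Sophos): it decides which inbound SMTP connections the UTM would forward to the on-prem Exchange host, and counts how many sample connections reach Exchange under an open rule versus an Office 365-only rule. The address ranges and the Exchange IP are constructed placeholders; the real Exchange Online sender ranges come from Microsoft's published Office 365 endpoint list.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed placeholder ranges standing in for Exchange Online's outbound SMTP
# sources (documentation prefixes from RFC 5737 / RFC 3849). In a real rule take
# them from Microsoft's published Office 365 endpoint list.
O365_SMTP_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:365::/48")]
ON_PREM_EXCHANGE = "192.168.10.25"   # constructed internal address of the Exchange 2016 host
FORWARDED_PORTS = {25, 587}          # the two ports the reply says to DNAT


def dnat_decision(src_ip: str, dst_port: int, restrict_to_o365: bool = True) -> Tuple[str, str]:
    """Decide what the UTM's inbound rule does with one connection.

    Returns ("dnat", ON_PREM_EXCHANGE) when the connection is forwarded to the
    on-prem server, otherwise ("drop", ""). With restrict_to_o365=True only the
    Exchange Online ranges may reach ports 25/587; with False any source may.
    """
    if dst_port not in FORWARDED_PORTS:
        return ("drop", "")
    src = ipaddress.ip_address(src_ip)
    if restrict_to_o365 and not any(src in net for net in O365_SMTP_SOURCES):
        return ("drop", "")
    return ("dnat", ON_PREM_EXCHANGE)


def exposure(connections: Iterable[Tuple[str, int]], restrict_to_o365: bool) -> int:
    """Count connections that the rule would forward to the on-prem Exchange host."""
    return sum(1 for ip, port in connections
               if dnat_decision(ip, port, restrict_to_o365)[0] == "dnat")


# Constructed sample of inbound connection attempts seen on the UTM's WAN side.
SAMPLE_CONNECTIONS = [
    ("203.0.113.17", 25),       # Exchange Online delivering to an on-prem mailbox
    ("2001:db8:365::1a", 587),  # Exchange Online, IPv6
    ("198.51.100.9", 25),       # unrelated internet host (MX now points at O365)
    ("198.51.100.9", 443),      # not an SMTP port, never forwarded by this rule
    ("192.0.2.44", 587),        # another unrelated internet host
]

if __name__ == "__main__":
    for ip, port in SAMPLE_CONNECTIONS:
        print(ip, port, dnat_decision(ip, port))
    print("forwarded with open rule:", exposure(SAMPLE_CONNECTIONS, False))   # 4
    print("forwarded with O365-only rule:", exposure(SAMPLE_CONNECTIONS, True))  # 2
```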

  • Does this mean that if we have our MX records still pointing to on premises, that it would work OK? I'm looking into configuring Hybrid with our Exchange Server and UTM but am nervous about setting it up if you are saying it won't work. I still want to use WAF and not NAT.

  • Just out of interest on this (sorry for butting in), but if you move to Office 365, what or who does your mail/AV/spam filtering etc.?

  • The idea is that everything gets routed through the UTM, then relayed on to O365, so the UTM will still do the spam/AV/filtering etc.

  • Right, so it's basically the same and the on-prem Exchange is acting as a proxy for the 365? So, if somebody logs onto 365 from the web and sends mail, it will relay via the UTM too?

  • Hey Louis.

    For inbound it is one or the other: either on-prem or on O365. For outbound you can have each one delivering directly or have it centralized on-prem (not recommended unless for meeting compliance needs).

    Regards,

    Giovani

  • What I did was re-point the MX records back to On-Prem so that mail comes to the Exchange 2016 Server and then via the Hybrid connectors to O365. At this stage (due to NBN delays in our area) only remote users have mailboxes 'in the cloud' at O365 and all local domain users are still on the Exchange on-prem servers. Mail flow is fine and the UTM is still doing all the SPAM/Virus filtering, and O365 is scanning the mail sent to the cloud-based mailboxes and it's catching a few more (mostly enquiry forms from our websites that get spambotted).

    Once we get our new NBN connections (100/40) I will start moving local users to O365 and re-point the MX records to it, but for now everything has been working fine as is in this hybrid setup.