Hybrid Configuration Wizard - Public IP Addresses & Org FQDN


  • Hi Everyone,

    I wonder if someone might be able to clarify a few points for me.  I am currently working on setting up a hybrid configuration and was looking at my options for hybrid mail flow.  I have setup a lab environment in Azure and upon running the HCW I noticed the option to specify multiple public IP's and then later the Org FQDN.  Upon completion I noticed the Connector setup in O365 will direct all SMTP traffic to the DNS name specified on the Org FQDN page.  My two questions that I am looking for clarification on are:

    1.  Can we simply have the DNS name in the org FQDN resolve to multiple NAT'd IP's on our internet facing FW in order to provide HA for SMTP traffic in a hybrid configuration?  I'm assuming HWLB is another option but I'm trying to avoid that to keep things simple.

    2.  If the org FQDN is used by EOP for mail flow, what is the significance of specifying the Public IP Addresses?  Possibly added to a whitelist on the EOP side?

    Many thanks in advance for your help.

    Kind Regards


    Tuesday, November 22, 2016 1:26 PM

All replies

  • Keep in mind that your hybrid connection is not solely for email transport - it is also used by Office 365 to create mailbox move requests.  These are created in O365 yet the moves themselves are performed by your on-prem systems.  O365 will connect to your on-prem systems (using web services) on these IP addresses to tell your servers what they need to do (since the move requests themselves are run by your on-prem servers).  That's what your IP addresses are for.

    As for using RR DNS for your DNS name, yes you can do that, but you need to keep in mind the limitations of RR DNS - if one server is down temporarily, it will still be included in the DNS results given to client systems, and they will still try to connect to it.  And if a system goes down during a connection, the client will need to do another DNS lookup to get the other connection point (and it may still try to reconnect to the server it just lost its connection with, due to DNS caching).  A load balanced array will not have this issue - the array will test whether a system is online before directing client traffic to it, and if a connection is lost, the load balancer will redirect it to a known good system.

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Tuesday, November 22, 2016 1:48 PM
  • Thank you ever so much for taking the time to reply Will.

    So is there a way of splitting out your SMTP and HTTPS end points for connectivity from EOP to on-prem or are we limited to using the single namespace defined in the Org FQDN?  I have an existing F5 LTM in my existing on-prem environment, however SMTP traffic destined for Exchange does not currently traverse the load balancer.  The current traffic flow is as follows:

    Internet (Multiple MX Records) -> Perimeter Mail Filter (Fully Redundant) -> Exchange (Fully Redundant)

    In the case of mail flow between the Perimeter devices and Exchange, the perimeter device is configured to forward SMTP traffic onto one of two Exchange transport servers and is intelligent enough for mail to continue to flow in the event of an Exchange server being down.  What I'm still a little unclear on is once the perimeter device has been removed and MX records repointed to Exchange online, how can I then achieve HA for SMTP traffic between EOP to my on-prem transport servers without traversing the F5?  In an ideal world I would see HTTPS traffic going via the existing F5 solution and SMTP traffic going direct to the two transport servers.  My rationale behind this is really simplification.

    Tuesday, November 22, 2016 3:22 PM
  • You can change your EOP outbound connector to send to another name, but you need to ensure that when you make the configuration, you validate the modified connector.  And if you need your inbound traffic from O365 to come directly to your Exchange servers (which is what you should have configured, in order to ensure that your "internal traffic" in the hybrid environment doesn't pass through your current perimeter device(s) and become external), you need to deploy a reverse proxy for inbound SMTP that only accepts connections from the Office 365 IP address ranges (see  This will ensure that a) only traffic from O365 is accepted by this route, and b) that the traffic retains the internal Exchange X-headers necessary to be seen as "internal traffic".

    Will Martin ...
    -join ('77696c6c406d617274696e2d66616d696c6965732e6f7267' -split '(?<=\G.{2})' | ? { $_ } | % { [char][int]"0x$_" })

    Tuesday, November 22, 2016 5:49 PM
  • We will be changing the Public IP Address of our Hybrid Server.  Can you tell me what changes I would need to make?

    Would I just need to change the IP Address on the O365 outbound connector? Also, we are using Proofpoint Enterprise as the email gateway, Do I need to change anything on the gateway as well ?
    Wednesday, August 8, 2018 7:08 PM