Hardening Exchange 2013 Hybrid Receive Connector

    Question

  • Hi,

    When creating a hybrid deployment you are required to configure a receive connector so Exchange Online can send e-mail to Exchange on-prem.

    How do I secure this connector so that only Office 365 can connect (and not a spammer, for instance)?

    Thanks

    Gil


    Gil Gross | Technical Lead | G-Net Network Solutions | www.g-net.co.il | plz visit my blog - gilgrossblog.wordpress.com

    Thursday, May 19, 2016 11:39 AM

All replies

  • You can restrict access to the Exchange Online URLs and/or IP addresses in your firewall and/or in the RemoteIPRanges property of the receive connector if your firewall preserves the source IP addresses.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Thursday, May 19, 2016 3:38 PM
    Moderator
  • Thanks for your answer.

    This is what I thought. Was hoping there may be a way to configure authentication on the connector, or at least disable the anonymous option.


    Gil Gross | Technical Lead | G-Net Network Solutions | www.g-net.co.il | plz visit my blog - gilgrossblog.wordpress.com

    Friday, May 20, 2016 5:14 AM
  • Hi Gross, 

    Welcome to our forum.

    Per your requirement, we could configure the receive connector with the parameter “TlsCertificateName” using the Set-ReceiveConnector cmdlet. After you configure it, the certificate is used to communicate between Office 365 and on-premises. This connector must recognize the right certificate when Office 365 attempts a connection with your server.

    Please refer to the section “Prerequisites for your email server environment” at the following link:

    https://technet.microsoft.com/en-us/library/dn751020(v=exchg.150).aspx

    If I misunderstood, please feel free to let me know.

    Best regards,

    Jim Xu

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Jim Xu
    TechNet Community Support

    Friday, May 20, 2016 6:11 AM
    Moderator
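
The two settings suggested in the replies above (RemoteIPRanges and TlsCertificateName on Set-ReceiveConnector) applied together, as an added example that is not part of any poster's reply. The connector identity, thumbprint and IP ranges are placeholders, and RequireTLS is a further Set-ReceiveConnector parameter the thread does not mention.

```powershell
# Added example: run in the Exchange Management Shell on the on-premises server.
# All three values below are placeholders (assumptions), not values from the thread.
$connector  = 'EXCH01\Inbound from Office 365'    # hypothetical connector identity
$thumbprint = '<THUMBPRINT-OF-PUBLIC-SMTP-CERT>'  # placeholder
# Documentation ranges (RFC 5737); replace with the ranges Microsoft
# currently publishes for Exchange Online.
$allowedIPs = '192.0.2.0/24', '198.51.100.0/24'

# The certificate must be unexpired and enabled for SMTP before it is assigned.
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
if ("$($cert.Services)" -notmatch 'SMTP') { throw 'Certificate is not enabled for SMTP' }

# TlsCertificateName takes the form <I>issuer<S>subject.
$tlsCertName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

# Record the current settings so the change can be rolled back.
Get-ReceiveConnector $connector |
    Format-List Identity, Bindings, RemoteIPRanges, TlsCertificateName, RequireTLS

# Limit which source addresses match this connector, set the certificate it
# presents, and refuse sessions that do not negotiate TLS.
$settings = @{
    Identity           = $connector
    RemoteIPRanges     = $allowedIPs
    TlsCertificateName = $tlsCertName
    RequireTLS         = $true
}
Set-ReceiveConnector @settings

# Confirm the result.
Get-ReceiveConnector $connector |
    Format-List Identity, Bindings, RemoteIPRanges, TlsCertificateName, RequireTLS

# Review every connector: Exchange matches a connection to the connector with
# the most specific RemoteIPRanges, so a connector on the same binding that
# still covers all addresses keeps accepting mail from other senders.
Get-ReceiveConnector |
    Format-Table Identity, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

The RemoteIPRanges restriction is only meaningful when the firewall in front of the server preserves source IP addresses, as noted in the earlier reply.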
  • OK, that will enable TLS, but how do I harden it to only accept TLS connections from 365?

    What certificate name should I use?


    Gil Gross | Technical Lead | G-Net Network Solutions | www.g-net.co.il | plz visit my blog - gilgrossblog.wordpress.com

    Friday, May 20, 2016 6:16 AM
  • Hi Gross, 

    Please refer to the following link to configure TLS for specific domain:

    http://technet.microsoft.com/en-us/library/aa998662.aspx

    http://technet.microsoft.com/en-us/library/aa997285.aspx

    http://technet.microsoft.com/en-us/library/bb123543.aspx#Step3

    The certificate is used when on-premises connects to Office 365

    https://technet.microsoft.com/en-us/library/bb125140(v=exchg.150).aspx 

    https://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx 

    Best regards,

    Jim Xu

    Jim Xu
    TechNet Community Support

    Monday, May 23, 2016 7:25 AM
    Moderator
  • Hi,

    In my case it's a hybrid deployment.

    How do I know the domain name that 365 uses against my Exchange?

    Does it use onmicrosoft.com?


    Gil Gross | Technical Lead | G-Net Network Solutions | www.g-net.co.il | plz visit my blog - gilgrossblog.wordpress.com

    Tuesday, May 24, 2016 7:49 AM
  • Office 365 sends to the hostname specified in the Outbound Connector.

    On the inbound side, this document describes the certificate selection process.

    https://technet.microsoft.com/en-us/library/bb430748(v=exchg.141).aspx


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, May 24, 2016 7:20 PM
    Moderator
  • Hi Gross,

    Is there any update for this thread?

    If the above suggestions are helpful to you, please mark them as the answer so that someone who has a similar issue can find this thread as soon as possible.

    Best regards,

    Jim Xu

    Jim Xu
    TechNet Community Support

    Thursday, May 26, 2016 7:46 AM
    Moderator