On-Premise Exchange 2016 New Deployment, Secure Mail Flow for ActiveSync/OWA

  • Question

  • Hi,

I'm about to implement the on-premise Exchange 2016 environment. Currently we are on Office 365 and, due to our slow internet connection, I have many complaints from our users about how slow it is to send/receive email (even within our enterprise).

So, currently we are building our on-premise Exchange 2016 and it is somewhat configured as follows:

a) Using the test account I have, I can send email to anyone except anyone on mydomain, since my primary MX record is still pointing to Office 365.

b) I can send/receive email within the Exchange Server 2016 using the test accounts.

c) Using "telnet mymailserver.mydomain.com 25", I can receive email from the internet.

d) Theoretically, if I change the primary MX to my on-premise Exchange, I should be able to send/receive email to everyone, provided that I create all the users currently residing in Office 365. We had some discussion on how to migrate all the Office 365 email users, but let's talk about this later.


    I have the following set up ready:

    1- Active Directory 2016

2- Exchange Server 2016. We also have an Email Security Appliance (DMZ) between the firewall and the Exchange 2016 for email scrubbing.

3- Certificate Services -- Root CA, issuing CA (somewhat set up, but considering using a 3rd-party CA)

Now, I need to allow mobile users to access their email either through OWA or ActiveSync (iPhone, Android), but I have such a dilemma on how to safely implement this. I need to open the https port (or http redirected to https) on the Exchange 2016 Server to the outside through port NATing on the firewall. One solution is to use the MS Exchange Edge Transport server in the DMZ, but the Exchange Edge Transport is deprecated. As well, I don't want to use it as I would need another Exchange Server 2016 license.

    My questions:

1- Are there alternatives in place of Edge Transport? How?

2- Going directly with port NAT from the firewall to the Exchange Server for ActiveSync/OWA, for simplicity: is it safe?

3- Is ADFS-Proxy the answer? Is this overkill since it is only for https/http redirection, or am I missing something?

         ADFS-Proxy requires ADFS and Certificate Services in the internal network and it's just too complicated to set up (unless anyone has come across some simple step-by-step instructions on how to configure it).

    HELP!!!

    Thank you.


    Tuesday, June 26, 2018 11:48 PM

All replies

  • Hi,

Sorry for the delay.

    Question 1:
The available place for the Edge Transport server is the DMZ, between two firewalls, separating the internet from the internal network.

    Question 2:
Honestly, it's not a safe method to use NAT to publish a port to the internet directly. You can do it with a firewall or other means.

    Question 3:
    Do you want to deploy SSO (single sign on)? If so, we need to deploy ADFS with hybrid.

Moreover, about your primary problem (poor network connection and message delay), I recommend increasing the bandwidth or deploying a VPN with high network bandwidth. It might be easy and fix the root cause of this problem.

    Best Regards,
    Allen Wang


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    • Proposed as answer by Allen_WangJF Monday, July 2, 2018 2:16 AM
    Thursday, June 28, 2018 1:35 AM
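Whether the forwarded port is "safe" (question 2 above and the reply to it) depends on what is actually listening behind it. As an added example that is not from the thread, this PowerShell audit, run in the Exchange Management Shell on the mailbox server, lists every virtual directory that carries an ExternalUrl, checks the IIS certificate, and puts unknown ActiveSync devices into quarantine instead of allowing them by default; the server name and the admin mailbox are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$server = 'EX2016-01'                      # placeholder: your mailbox server name
$adminMailbox = 'exchange-admins@mydomain.com'   # placeholder: who gets quarantine mail

# 1. Everything with an ExternalUrl is reachable once TCP 443 is forwarded to
#    this host: not just OWA and ActiveSync, but ECP, EWS, OAB, MAPI,
#    Autodiscover and remote PowerShell too. Inventory all of them.
$vdirs = @(
    Get-OwaVirtualDirectory          -Server $server
    Get-EcpVirtualDirectory          -Server $server
    Get-ActiveSyncVirtualDirectory   -Server $server
    Get-WebServicesVirtualDirectory  -Server $server
    Get-OabVirtualDirectory          -Server $server
    Get-MapiVirtualDirectory         -Server $server
    Get-AutodiscoverVirtualDirectory -Server $server
    Get-PowerShellVirtualDirectory   -Server $server
)

$vdirs | Select-Object Name, InternalUrl, ExternalUrl | Format-Table -AutoSize

# Flag anything published externally that is not https (ExternalUrl is a Uri).
foreach ($v in $vdirs) {
    if ($v.ExternalUrl -and $v.ExternalUrl.Scheme -ne 'https') {
        Write-Warning "$($v.Name) is published over $($v.ExternalUrl.Scheme)"
    }
}

# 2. The certificate bound to IIS is what clients on the internet will see.
#    A self-signed or soon-to-expire one is a problem before any port is opened.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object Subject, NotAfter, IsSelfSigned, Services

# 3. Do not let any device that knows a password sync by default: quarantine
#    new ActiveSync devices until an admin approves them, and get notified.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients $adminMailbox

Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients
```

Any directory in the inventory that does not need to be reachable from the internet (ECP and the PowerShell virtual directory in particular) is a candidate for blocking at the firewall or a reverse proxy, which is the "firewall or other means" the reply refers to.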
  • Hi,

    Any further help we can do for you?
    If it's solved, would you please post the solution here to share it with us? 

Also, please feel free to mark the useful reply as the answer. Thanks for your cooperation.

    Best Regards,
    Allen Wang





    • Proposed as answer by Allen_WangJF Thursday, July 5, 2018 6:09 AM
    Monday, July 2, 2018 2:16 AM