Updated on 19 Jun 2015
It is critical that the on-premises environment be prepared before establishing an Exchange hybrid configuration with Office 365. Firewall settings are key to ensuring proper communication for federation and mail flow.
Below are some excellent references to help with building the required firewall rules for an Exchange hybrid configuration.
- Network planning and performance tuning for Office 365
- Use this list of IPs, Exchange Online Protection IP addresses, to configure your firewall with, and NOT this list, Office 365 URLs and IP address ranges (per Office 365 support on 19 Jun 2015)*
- Ports and protocols used by Office 365 (don’t use this list either)
- SMTP Firewall Requirements for Exchange Online
- Firewall Ports for Office 365
- Hybrid deployment in Office 365 | Checklist and pre requirements
*It is important to understand that if a firewall is configured to allow only a specific range of IP addresses for inbound SMTP traffic, the correct list of IP addresses must be used when implementing a hybrid configuration with Office 365. In today’s experience, the previous list that was being used was not allowing the Office 365 validation tool for the outbound connector to connect to the customer’s on-premises Exchange server, and was also not allowing Office 365-originated mail to be delivered to the on-premises organization. After contacting Office 365 support, they provided this list of IPs (which is essentially the same list, but with different IP addresses for EOP) to configure on the firewall. Once the firewall rules were updated, mail started flowing from Office 365 to the on-premises environment.
If the firewall rules aren’t configured with the proper IP addresses, this error may appear in a message trace for an item pending delivery…
Reason: 450 4.4.101 Proxy session setup failed on Frontend with '441 4.4.1 Error encountered while communicating with primary target IP address: "Failed to connect. Winsock error code: 10061, Win32 error code: 10061." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
This is a screenshot of the message trace…
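As an added example (not code from the original post), the Python script below does the two checks an administrator would want when hitting the error above: it parses the message-trace reason to pull out the SMTP reply code, the enhanced status code and the Winsock error, and it compares the firewall's inbound SMTP allowlist against the EOP ranges supplied by support to report which ranges are missing. The IP ranges are constructed documentation addresses (RFC 5737 blocks), not real EOP addresses, and the function names are my own. It also distinguishes the two Winsock codes a firewall problem usually produces: 10061 (connection refused, as in the trace above) versus 10060 (timeout, typical when packets are silently dropped).

```python
"""Triage for Office 365 -> on-premises hybrid mail-flow connection failures."""
import ipaddress  # subnet_of() requires Python 3.7+
import re

# Constructed sample: the message-trace reason as quoted in the post.
SAMPLE_TRACE_REASON = (
    "450 4.4.101 Proxy session setup failed on Frontend with '441 4.4.1 Error "
    "encountered while communicating with primary target IP address: "
    '"Failed to connect. Winsock error code: 10061, Win32 error code: 10061." '
    "Attempted failover to alternate host, but that did not succeed. Either "
    "there are no alternate hosts, or delivery failed to all alternate hosts."
)

# Well-known Winsock error codes seen in connector setup failures.
WINSOCK_ERRORS = {
    10060: "WSAETIMEDOUT: connection timed out (packets dropped, e.g. by a firewall)",
    10061: "WSAECONNREFUSED: connection refused (nothing listening, or firewall reset the handshake)",
    10065: "WSAEHOSTUNREACH: no route to host",
}

# Constructed sample allowlists (documentation ranges, not real EOP addresses).
FIREWALL_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/25"]
EOP_RANGES_FROM_SUPPORT = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

_STATUS_RE = re.compile(r"^(?P<reply>\d{3}) (?P<enhanced>\d\.\d\.\d{1,3})")
_WINSOCK_RE = re.compile(r"Winsock error code: (?P<code>\d+)")


def parse_trace_reason(reason):
    """Extract reply code, enhanced status and Winsock error from a trace reason string."""
    status = _STATUS_RE.match(reason)
    winsock = _WINSOCK_RE.search(reason)
    code = int(winsock.group("code")) if winsock else None
    return {
        "reply_code": int(status.group("reply")) if status else None,
        "enhanced_status": status.group("enhanced") if status else None,
        "winsock_code": code,
        "winsock_meaning": WINSOCK_ERRORS.get(code, "unknown"),
        # Both refused and timed-out connections point at the network path/firewall.
        "likely_firewall": code in (10060, 10061),
    }


def missing_ranges(allowlist, required):
    """Return the required networks that are not fully covered by an allowlist entry."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    missing = []
    for n in required:
        net = ipaddress.ip_network(n)
        covered = any(net.subnet_of(a) for a in allowed if a.version == net.version)
        if not covered:  # a partially covered range (e.g. /24 vs /25) is still reported
            missing.append(str(net))
    return missing


def is_source_allowed(source_ip, allowlist):
    """True if a connecting source address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowlist)


def triage(reason, allowlist, required):
    """Combine both checks into one report for the failed delivery."""
    report = parse_trace_reason(reason)
    report["missing_ranges"] = missing_ranges(allowlist, required)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE_REASON, FIREWALL_ALLOWLIST, EOP_RANGES_FROM_SUPPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the quoted trace; in practice, replace the two constructed lists with the export of the firewall's inbound SMTP rule and the EOP ranges from the list support points you to, and feed it the reason text from the message trace.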
Also, if the firewall isn’t configured properly, the connector validation will fail…