Comments on: Stop Publishing Exchange to the Internet After Migrating to Exchange Online
https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/
Practical Office 365 News, Tips, and Tutorials
Mon, 31 Jul 2023 16:55:07 +0000

By: Nordean https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-240185 Tue, 05 Jul 2022 13:05:22 +0000

Very Good article, thank you

By: Scott Haigh https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-237832 Wed, 23 Feb 2022 17:31:37 +0000

We have completed the mailbox migration and are using a hybrid onprem server for management and mail relay. We’ve also restricted inbound HTTPS access to the Microsoft Exchange Online pool of IP addresses in order to maintain Microsoft’s recommended port configuration for hybrid Exchange. So we’ve blocked inbound HTTPS from the public internet, but if we’re no longer migrating mailboxes or focusing autodiscover onprem, is there any need whatsoever to allow 365 services to access the onprem environment via HTTPS?

By: Steve Goodman https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-237143 Sat, 20 Nov 2021 20:02:20 +0000

In reply to Pete.

Hiya,

The HCW will connect outbound from the machine it’s run on, and won’t require a connection inbound from the internet simply to make sure the configuration is updated (e.g. if you make changes or Microsoft need you to re-run it to update, say, Send Connectors after a cert update).

Steve

By: Pete https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-237136 Fri, 19 Nov 2021 17:07:52 +0000

Quick question: all mailboxes are moved to the cloud and we are keeping Exchange around for “Support” of Exchange attributes and using it as a relay for internal applications.

If we remove http/https from the internet as the article suggests, do we even need to install/maintain the hybrid configuration (other than just keeping an Exchange server running for the above-mentioned reasons)? I don’t see how the Hybrid Configuration Wizard would even connect if the hybrid server is not accessible from the internet on http/https.

Thank you
Pete

By: Steve Goodman https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236871 Sun, 17 Oct 2021 13:52:46 +0000

In reply to Matthew Prentice.

Well, yes – that’s what New-RemoteMailbox and Enable-RemoteMailbox do. The UI in the EAC runs those commands.

By: Steve Goodman https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236870 Sun, 17 Oct 2021 13:51:01 +0000

In reply to Matthew Prentice.

Installing the fairly dated Windows Server IIS SMTP component will indeed work – and if you are familiar with Exchange 2003 management, it will be a breeze. Why you’ll do that instead of an Exchange 2016 server – mailbox or Edge role – is debatable. Personally, knowing that Microsoft will be coming with a solution here when the time is right – I’d go with a solution that is generally agreed to be the right one – so that anyone with Exchange skills can pick it up and manage it.

By: Steve Goodman https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236869 Sun, 17 Oct 2021 13:46:21 +0000

In reply to Matthew Prentice.

I’ll stand by “Need”. “Fully supported” isn’t 100% correct; it’s that doing it another way is, to quote Microsoft, “not supported”. I’d agree that buying a tool where the vendor will commit to supporting that aspect can offset the risk, but managing attributes for Mailboxes via ADUC attribute edit or ADSIEdit is not a good strategy unless you are willing to fully take on that support burden yourself and always ensure every attribute that Exchange would have managed is managed *identically*.

I’ve never struggled to justify why it’s a good idea to remain supported by Microsoft, and customers too small to run a single server for management should be looking towards going full into Azure AD and removing AD.

Every time this is stated, there’s always debate. But unfortunately it isn’t a debate that has any other answers than:
– Use a server for management, and remain supported
– Carefully select a vendor of a third-party tool to manage attributes, including understanding what their support process will be, should they (for example) miss a change Microsoft make, or implement something incorrectly.
– Take on the personal risk of managing the attributes manually (i.e. by hand, or custom script) if it’s you as an IT pro, or as an MSP, if you do that as a service.

In the last two cases, you might need to, at some point, re-install Exchange 2016 (or start the server again) and perform an update from Microsoft to decommission in a specific way. Therefore I or you should be able to, at any point, install an Exchange server and manage those recipients without causing any issue or risk. If that’s a worry then the last two options aren’t viable.

By: Matthew Prentice https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236848 Wed, 13 Oct 2021 21:01:48 +0000

In reply to Steve Goodman.

Or create the new user and remote mailbox directly within the on-prem Exchange Admin Center assuming you have Exch 2016 (or maybe 2013).

By: Matthew Prentice https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236847 Wed, 13 Oct 2021 20:59:26 +0000

In reply to Steve Goodman.

One option is to use the Windows Server IIS SMTP component. You can configure it with some restrictions and then have that one server go through the firewall to the receive connector at Exch Online. Your mileage may vary.

By: Matthew Prentice https://practical365.com/stop-publishing-exchange-to-the-internet-after-migrating-to-exchange-online/#comment-236846 Wed, 13 Oct 2021 20:55:35 +0000

In reply to Steve Goodman.

“you still need an Exchange Server on premises to manage attributes”

“Need” is a strong word. To be fully supported, per Microsoft, you need the Exchange Server. https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#can-third-party-management-tools-be-used

In reality you can use ADUC’s Attribute Editor tab, PowerShell against AD, or a third-party tool such as Easy365Manager to achieve what you need.

We continue to struggle with justifying to customers the need to have a separate Exchange server, and pay any associated costs with it (e.g., MSP management fees). We have spent many hours debating the supported solution vs the best solution for our customers.
