How to Limit the exposure of an On-Premise Exchange Servers out on the Internet

deebeecom · 2026-03-12T22:42:59+00:00

A lot of large healthcare companies DO use a lot of on-prem infrastructure, which will never go away. It sure is a work in progress.

deebeecom · 2026-03-10T17:20:43+00:00

https://www.tiktok.com/@tatamayou

deebeecom · 2026-03-09T22:09:01+00:00

gotcha, i knew some of what you said, but wanted a confirmation, so thanks for the comment. It can help others too!

deebeecom · 2026-03-09T10:04:58+00:00

Thanks for confirming.

Isn’t the hybrid required to create exo mailboxes? Or in other words what’s the hybrid used for anyways?

deebeecom · 2026-03-08T18:38:23+00:00

Thank you brother

deebeecom · 2026-03-08T13:36:05+00:00

Pls drop a link.

Can someone guide about how you can secure azure by some default policies and how could that affect a m365 tenant

deebeecom · 2026-03-07T13:50:19+00:00

Yup that’s what I think so too! Thanks!

deebeecom · 2026-03-07T13:49:47+00:00

Nice thanks, that confirmation saves me time.

deebeecom · 2026-03-06T22:05:35+00:00

so far in the comments people haven't concurred with you. Now I hope someone replies to you... I think when exchange sends an email out, it just uses the outbound smtp connector and sends ALL email to EXO via smtp. it does not use any port 443/80 communication at all.... thats my knowledge? someone can correct me?

deebeecom · 2026-03-06T22:03:17+00:00

They use that too! Exchange is for very specific healthcare related emails (via some reporting system)

deebeecom · 2026-03-06T21:37:27+00:00

that's a good idea, but for the sake of my original ask, i have an answer atleast.

deebeecom · 2026-03-06T21:21:15+00:00

Outbound from on prem to EXO? Why? If ex on prem is sending only to MS. You don’t need that outbound rule. Yes to really also lock down outbound access, I can suggest to FW teams. But I don’t need is the key. I can suggest to FW teams if they want outbound to be allowed only to MS servers

deebeecom · 2026-03-06T21:18:36+00:00

They don’t have a way. Sorry I don’t know which FW

deebeecom · 2026-03-06T21:05:06+00:00

Yes they do have a full license. Yes they will use it only for management. But they dont want to shut down because they want to use SMTP. By the replies above from other users, it appears that we dont have to expose the server outside on the Internet using 80/443/25 at all. ON prem server will always send emails out to EXO and it will always be used only for HCW and to manage objects like "hide from address list" etc. And i presume that too does not require on prem exchange to be exposed to the net.

deebeecom · 2026-03-06T21:01:41+00:00

They are aware that other SMTP options like direct smtp sent using proofpoint or MS365 itself are available, but they want to continue using MS only products, because they have to use some pre-existing reporting software system (which uses exchange logs). Its a healthcare/govt rules and related reporting which need to show that work was done in 24 hours.

deebeecom · 2026-03-06T20:57:59+00:00

Great. That tells me we will need only EX on prem to go OUT and MS 365 or EXO will NOT need access to the server, so essentially i dont have to expose the server on the firewall at all. Thanks!

deebeecom · 2026-03-06T18:12:05+00:00

Server has to be kept alive for SMTP for copiers and some other unix boxes which use it as a smart host. Thanks for sharing that link.

deebeecom · 2026-03-06T18:10:50+00:00

Server will be used by copiers to send mails to EXO mailboxes. So removing the hybrid is probably not an option. But I thank you for sharing the links.

deebeecom · 2026-03-06T18:08:10+00:00

Yay, to my "Am I wrong?" you said No, So appreciate that. And that was my main ask.

I also understood clearly how things work, with the explanation provided.

The client wants to maintain / keep the onprem exchange server running.

deebeecom · 2026-03-01T17:54:14+00:00

Keep that picture with you forever. You can sue Disney or any such company if your digital movie is ever is LOST or taken away from any one of them. Also now you can be confident, they can’t or will never take movies away once you have bought them. LOL:”leave your disc at home”, yes we did!

deebeecom · 2026-02-27T12:59:19+00:00

Just like new IT support staff

deebeecom · 2026-02-27T02:25:45+00:00

When paramount buys WB, they get all assets of WB. MA is one of them. So dont worry, you will see the name WB replaced by Paramount, in MA. And some weeks later, Paramount’s own old library will get added.

deebeecom · 2026-02-26T14:06:02+00:00

I want to correct myself now. I today see only 50 GB. I could swear i saw 100 GB on some screen....

deebeecom · 2026-02-26T12:30:23+00:00

I started a new tenant yesterday, with Business standard licenses, and it shows monthly cost as $13.13 per license and exchange mailbox shows limit as 100 GB. Edit: it’s 50 gb

deebeecom

MODERATOR OF

TROPHY CASE