SMTP Firewall Requirements for Exchange Online

Most of my Office 365 engagements are hybrid projects connecting Office 365 with Exchange on-premises, and most are with larger companies concerned with securing the hybrid deployment.

Exchange Online Protection (EOP) servers deliver SMTP mail over a TLS connection, usually to the hybrid or Edge Transport server, to enable mail flow between cloud and on-premises users. Microsoft does not support placing any SMTP gateway or appliance between EOP and the Edge or hybrid server. For this reason, customers normally have to open inbound TCP port 25 on the firewall from the Exchange Online Protection servers to the hybrid server.

Companies can secure this SMTP traffic by configuring the perimeter firewall to allow inbound TCP 25 to the hybrid or Edge servers only from the Exchange Online Protection source addresses. Restricting the source addresses limits who can reach the hybrid receive connector at all; TLS on the connection is still what protects the messages in transit.

I’ve seen a number of articles that list the public IP addresses used by EOP to send SMTP emails to on-prem customers, but the one true list is maintained in the Microsoft article Exchange Online Protection IP Addresses. At the time of writing, that article lists seven IPv4 blocks and one IPv6 block for SMTP delivery to on-prem:

  • 65.55.88.0/24
  • 207.46.51.64/26
  • 207.46.163.0/24
  • 213.199.154.0/24
  • 213.199.180.128/26
  • 216.32.180.0/24
  • 216.32.181.0/24
  • 2a01:111:f400:7c00::/54

Microsoft tries hard not to change this list, but when it does, the article is updated, so re-check it before each firewall change window; a stale allow list silently breaks hybrid mail flow once a new block comes into use. Firewall admins should also know that Microsoft publishes no host names or URLs for the EOP SMTP source addresses, so name-based firewall rules are not an option. You must use the IP ranges listed in the article above.
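As an added example that is not part of the original post, here is a PowerShell check of SMTP source addresses against the EOP blocks listed above. It compares prefix bits on the raw address bytes so the single IPv6 block is handled the same way as the IPv4 blocks; the block list is copied from the post, and the sample addresses at the bottom are constructed for illustration rather than taken from a real log.

```powershell
# Added example, not from the original post: check SMTP source addresses against
# the EOP delivery blocks listed in the article. The block list is copied from the
# post; the sample addresses at the bottom are constructed, not real log data.

$EopSmtpBlocks = @(
    '65.55.88.0/24', '207.46.51.64/26', '207.46.163.0/24', '213.199.154.0/24',
    '213.199.180.128/26', '216.32.180.0/24', '216.32.181.0/24',
    '2a01:111:f400:7c00::/54'
)

# Prefix-length comparison on the raw address bytes, so it works for IPv4 and IPv6.
function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $ip  = [System.Net.IPAddress]::Parse($IPAddress)
    $net = [System.Net.IPAddress]::Parse($network)
    # An IPv4 address can never fall inside an IPv6 block, and vice versa.
    if ($ip.AddressFamily -ne $net.AddressFamily) { return $false }
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = $net.GetAddressBytes()
    $bits = [int]$prefix
    for ($i = 0; $i -lt $ipBytes.Length -and $bits -gt 0; $i++) {
        # Whole byte while 8 or more prefix bits remain, otherwise mask the leading bits.
        $mask = if ($bits -ge 8) { 0xFF } else { (0xFF -shl (8 - $bits)) -band 0xFF }
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Test-EopSource {
    param([string]$IPAddress)
    foreach ($block in $EopSmtpBlocks) {
        if (Test-IPInCidr -IPAddress $IPAddress -Cidr $block) { return $true }
    }
    return $false
}

# Constructed sample remote addresses, as you would pull them from a receive
# connector protocol log or the firewall's connection log.
$sampleSources = @(
    '65.55.88.17',            # inside 65.55.88.0/24
    '207.46.51.130',          # outside 207.46.51.64/26, which only covers .64 to .127
    '2a01:111:f400:7c35::10', # inside 2a01:111:f400:7c00::/54
    '198.51.100.25'           # documentation range, not EOP
)
foreach ($src in $sampleSources) {
    $verdict = if (Test-EopSource -IPAddress $src) { 'EOP block' } else { 'NOT EOP, investigate' }
    '{0,-26} {1}' -f $src, $verdict
}
```

Feed $sampleSources the remote addresses your hybrid server actually accepted on port 25, and anything reported as NOT EOP is a connection the firewall rule should have blocked. The script only knows the blocks you give it, so keep $EopSmtpBlocks in step with the Microsoft article.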

Up until April 2014, Microsoft used many other IP addresses to send emails from Office 365 tenants to on-prem customers. This is because Microsoft maintains a separate set of IP addresses for the High Risk Delivery Pool, which protects the IP reputation of the production Exchange Online ranges from “spammy” senders. EOP no longer uses the High Risk Delivery Pool when sending emails between a customer’s tenant and their on-prem servers, so the blocks above are the only sources you need to allow.


It’s nice to know that we now have a single source to point to when configuring firewalls for Office 365.


Reporting Outlook Client Versions Using Log Parser

I’m doing a little cross-pollination today. Chris Lehr, one of my colleagues at ExtraTeam, worked up a Log Parser script that produces a report showing all the client versions connecting to Exchange. This is very helpful for showing which clients in your organization are running Office versions that should be updated prior to migration. Check out his blog post for the script.



Outlook Client Version Report

Clients will always get the best experience using the latest version of Office, currently Office 2013 SP1. The best practice is to always update your clients with the latest service pack and public updates prior to migration. This is especially true when you’re migrating to Office 365, since most of those updates pertain to Office 365, Exchange Online, and Exchange 2013 compatibility.



If you find that you need to upgrade clients to a new version of Office, I recommend installing the x86 (32-bit) version of Office, which provides the best compatibility with add-ins and third-party products. Some customers think they need to install Office x64 on Windows x64 operating systems, but that’s not the case; 32-bit Office runs fine on 64-bit Windows. See 64-bit editions of Office 2013 for details on when it makes sense to install Office x64.



If you’re an Office 365 customer, I strongly recommend checking out the Office 2013 ProPlus software deployment that’s most likely part of your Enterprise license. This version of Office 2013 can be installed on up to five devices (PCs, iPads, tablets, and so on) and is always up to date, since it’s a cloud-managed service.




Fix for ASP.NET 4.0.30319.0 – 3005 Event message: An unhandled exception has occurred on Exchange 2013

I noticed the following warning in the Application event log of all Exchange 2013 SP1 servers after installing Windows Updates (abbreviated for clarity):



Event 1309, ASP.NET 4.0.30319.0


Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:          5/3/2014 9:31:25 AM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      EX2013-1.contoso.com
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 5/3/2014 9:31:25 AM
Event time (UTC): 5/3/2014 4:31:25 PM
Event ID: 20e50da04e9745e1a73bf21fa1dbb509
Event sequence: 2
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/3/ROOT/owa-3-130436082719776031
    Trust level: Full
    Application Virtual Path: /owa
    Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\
    Machine name: EX2013-1

Process information:
    Process ID: 6068
    Process name: w3wp.exe
    Account name: NT AUTHORITY\SYSTEM

Exception information:
    Exception type: MapiExceptionIllegalCrossServerConnection
    Exception message: MapiExceptionIllegalCrossServerConnection: Monitoring mailbox [] with application ID [Client=OWA] is not allowed to make cross-server calls from [EX2013-1.contoso.com] to [EX2013-2.contoso.com]
   at Microsoft.Mapi.CrossServerDiagnostics.BlockCrossServerCall(ExRpcConnectionInfo connectionInfo, String mailboxDescription)
   …
   at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore, Boolean unifiedSession)

Request information:
    Request URL: https://localhost:444/owa/proxylogon.owa
    Request path: /owa/proxylogon.owa
    User host address: ::1
    User: contoso\SM_ce56bab178eb42fda
    Is authenticated: True
    Authentication Type: Kerberos
    Thread account name: NT AUTHORITY\SYSTEM

Thread information:
    Thread ID: 15
    Thread account name: NT AUTHORITY\SYSTEM
    Is impersonating: False
    Stack trace:    at Microsoft.Mapi.CrossServerDiagnostics.BlockCrossServerCall(ExRpcConnectionInfo connectionInfo, String mailboxDescription)
   …
   at Microsoft.Exchange.Data.Storage.MailboxSession.ForceOpen(MapiStore linkedStore, Boolean unifiedSession)


The “Monitoring mailbox” reference in the exception message steered me toward the Exchange Health Monitoring mailboxes, so I ran Get-Mailbox -Monitoring and got the following results:

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
HealthMailbox9a621ae8e… HealthMailbox9a62… ex2013-2         Unlimited
WARNING: The object contoso.com/Microsoft Exchange System Objects/Monitoring
Mailboxes/HealthMailbox9a621ae8e6f341638c0c2161affa7645 has been corrupted, and it’s in an inconsistent
 state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.
WARNING: Database is mandatory on UserMailbox.
HealthMailbox1cd7a25f1… HealthMailbox1cd7… ex2013-2         Unlimited
HealthMailboxde79dfaa0… HealthMailboxde79… ex2013-2         Unlimited
WARNING: The object contoso.com/Microsoft Exchange System Objects/Monitoring
Mailboxes/HealthMailboxde79dfaa09604ffd8578527c2d3ffab1 has been corrupted, and it’s in an inconsistent
 state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.
WARNING: Database is mandatory on UserMailbox.
HealthMailbox5e5bf093c… HealthMailbox5e5b… ex2013-2         Unlimited
HealthMailbox79f8d5d0e… HealthMailbox79f8… ex2013-2         Unlimited
WARNING: The object contoso.com/Microsoft Exchange System Objects/Monitoring
Mailboxes/HealthMailbox79f8d5d0e02443d2a6acdc60bd0a026e has been corrupted, and it’s in an inconsistent
 state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.
WARNING: Database is mandatory on UserMailbox.
HealthMailbox693969aae… HealthMailbox6939… ex2013-2         Unlimited
HealthMailboxab01377ba… HealthMailboxab01… ex2013-2         Unlimited
WARNING: The object contoso.com/Microsoft Exchange System Objects/Monitoring
Mailboxes/HealthMailboxab01377bae994825ba08d083552e196e has been corrupted, and it’s in an inconsistent
 state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.
WARNING: Database is mandatory on UserMailbox.
HealthMailbox7561b21db… HealthMailbox7561… ex2013-2         Unlimited
WARNING: The object contoso.com/Microsoft Exchange System Objects/Monitoring
Mailboxes/HealthMailbox7561b21db2c642778177f4ab0a2be350 has been corrupted, and it’s in an inconsistent
 state. The following validation errors happened:
WARNING: Database is mandatory on UserMailbox.
WARNING: Database is mandatory on UserMailbox.
HealthMailboxb337fe270… HealthMailboxb337… ex2013-2         Unlimited
HealthMailboxfd8b0f99f… HealthMailboxfd8b… ex2013-2         Unlimited
HealthMailbox739cff7e6… HealthMailbox739c… ex2013-2         Unlimited
HealthMailboxd8337c5a1… HealthMailboxd833… ex2013-2         Unlimited
HealthMailboxa990ff65c… HealthMailboxa990… ex2013-1         Unlimited
HealthMailbox91e52135c… HealthMailbox91e5… ex2013-1         Unlimited
HealthMailboxf351943c2… HealthMailboxf351… ex2013-1         Unlimited
HealthMailbox23eb6e495… HealthMailbox23eb… ex2013-1         Unlimited
HealthMailbox1821ba284… HealthMailbox1821… ex2013-2         Unlimited

Besides the fact that some of the Health Mailboxes were missing the mandatory Database attribute, there were far too many Health Mailboxes for a two-server organization. The easy way to correct this is to delete all the Exchange Health Mailboxes and let Exchange recreate them.



Open Active Directory Users and Computers and enable Advanced Features from the View menu. The Health Mailboxes are located under Microsoft Exchange System Objects \ Monitoring Mailboxes. Select all of the HealthMailbox objects, delete them, and replicate AD.



Microsoft Exchange System Objects \ Monitoring Mailboxes

Now that the Exchange Health Mailboxes are gone, restart the Microsoft Exchange Health Manager service on all Exchange 2013 servers to recreate the necessary Exchange Health Mailboxes:



[PS] C:\>Restart-Service MSExchangeHM

Replicate AD again and you will see the new Exchange Health Mailboxes in the Exchange Management Shell and ADUC:

[PS] C:\>Get-Mailbox -Monitoring

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
HealthMailbox7b3ef7a60… HealthMailbox7b3e… ex2013-1         Unlimited
HealthMailbox312d14677… HealthMailbox312d… ex2013-2         Unlimited
HealthMailbox1aec3204b… HealthMailbox1aec… ex2013-1         Unlimited
HealthMailboxa04a8b769… HealthMailboxa04a… ex2013-2         Unlimited
HealthMailbox04e954fc9… HealthMailbox04e9… ex2013-1         Unlimited
HealthMailboxd20957258… HealthMailboxd209… ex2013-2         Unlimited



Recreated Health Mailboxes

Two monitoring mailboxes are created for each mailbox database in your organization: one for monitoring the health of site mailboxes and one for monitoring the health of public folders. That should resolve the ASP.NET 4.0.30319.0 warnings.
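The same clean-up scripted from the Exchange Management Shell, as an added example that is not part of the original post. It assumes a single-domain forest, that the ActiveDirectory module (RSAT) and repadmin are installed on the server it runs from, that PowerShell remoting is enabled on the Exchange servers, and that the account can delete objects under Microsoft Exchange System Objects; the list of inconsistent mailboxes is pulled from the WARNING text shown above, and the $corrupt and $container variable names are mine.

```powershell
# Added example, not from the original post: the same clean-up run from the
# Exchange Management Shell instead of ADUC. Assumes a single-domain forest,
# the ActiveDirectory module and repadmin installed where this runs, PowerShell
# remoting enabled on the Exchange servers, and rights to delete objects under
# Microsoft Exchange System Objects.
Import-Module ActiveDirectory

# 1. Record which health mailboxes Exchange reports as inconsistent before
#    touching anything; the names are pulled from the WARNING stream.
$health  = @(Get-Mailbox -Monitoring -WarningVariable warnings -WarningAction SilentlyContinue)
$corrupt = @([regex]::Matches(($warnings -join "`n"), 'HealthMailbox[0-9a-f]{32}') |
             ForEach-Object { $_.Value } | Sort-Object -Unique)
"{0} health mailboxes found, {1} reported as inconsistent" -f $health.Count, $corrupt.Count
$corrupt

# 2. Delete every HealthMailbox object under Monitoring Mailboxes, exactly what
#    the ADUC step above does by hand.
$domainDN  = (Get-ADDomain).DistinguishedName
$container = "CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,$domainDN"
Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter 'Name -like "HealthMailbox*"' |
    Remove-ADObject -Confirm:$false

# 3. Push the deletions to every DC so no server recreates against a stale view.
repadmin /syncall /AdeP | Out-Null

# 4. Restart the Health Manager on each Exchange 2013 (version 15) server.
Get-ExchangeServer | Where-Object { $_.AdminDisplayVersion.Major -eq 15 } | ForEach-Object {
    Invoke-Command -ComputerName $_.Fqdn -ScriptBlock { Restart-Service MSExchangeHM }
}

# 5. Give the Health Manager time to recreate the mailboxes, replicate again, and
#    verify that every one now has a Database and no WARNING lines are emitted.
Start-Sleep -Seconds 120
repadmin /syncall /AdeP | Out-Null
Get-Mailbox -Monitoring | Format-Table Name, ServerName, Database -AutoSize
```

Step 1 is read-only and worth running on its own first; everything from step 2 on deletes directory objects, so run it in a maintenance window. The deleted accounts leave their mailbox data behind as disconnected mailboxes, which age out according to the database’s mailbox retention setting rather than needing any manual clean-up.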