Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NSC
New Contributor

Created on ‎05-27-2024 07:17 AM

O365/Exchange Online

We are in the process of moving from on prem Exchange to O365/Exchange Online hybrid deployment.

Can anyone advise which ports should be forwarded:

- From O365 to on prem Exchange.

- From O365 to on prem AD servers.

 

FG FMW is 7.4.4 (Not brave, forced by insurance to keep firmware up to date...)

 

I have all ports and FQDN listed in Microsoft white papers entered and policy from on prem servers to O365 in place.

 

I've been using all sorts of firewalls in the last 30 years but Fortigate's VIP is by far the weirdest thing ever. Good idea, but poorly implemented and very limited functionality.

 

Thank you for any suggestion you may have. (Yes I did search the forums but I hope I don't have to RTFM)

 

T

 

 

Thank you!
Thank you!
Labels:
864
0 Kudos
1 Solution
Brunn3r
New Contributor III

Created on ‎05-27-2024 07:29 AM Edited on ‎05-27-2024 07:37 AM

The only thing we opened is SMTP from a bunch of servers to the onprem Exchange.
104.47.0.0/17
40.107.0.0/16
40.92.0.0/15
52.100.0.0/14

 

you need a VIP as port-forwarder with your external IP of the WAN-Interface, the mapped IP of your Exchange Server and map the external Port 25 to internal Port 25.

something like this:

 

image.png

port forward in vip:

image.png

 

no need to open anything to your AD servers

View solution in original post

855
0 Kudos
2 REPLIES 2
Brunn3r
New Contributor III

Created on ‎05-27-2024 07:29 AM Edited on ‎05-27-2024 07:37 AM

The only thing we opened is SMTP from a bunch of servers to the onprem Exchange.
104.47.0.0/17
40.107.0.0/16
40.92.0.0/15
52.100.0.0/14

 

you need a VIP as port-forwarder with your external IP of the WAN-Interface, the mapped IP of your Exchange Server and map the external Port 25 to internal Port 25.

something like this:

 

image.png

port forward in vip:

image.png

 

no need to open anything to your AD servers

856
0 Kudos
NSC
New Contributor
In response to Brunn3r

Created on ‎05-30-2024 09:27 AM

Thanks for the reply!

 

I had to open in addition to 25, 80, and 443 as the exchange would error out when starting migration/copy of the mailboxes.

Created a VIP for 25, cloned twice to add remaining two ports and all was good for port forwarding...

Now, we are waiting for Microsoft level 3 support to tel us why so far two mailboxes cannot be migrated. To make things worse, I can't receive email from one " successfully " mailbox migrated.

 

Regards,

T

 

Thank you!
Thank you!
787
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.