Exchange Hybrid EWS Pre-Authentication

[Jens Ostkamp]

Hello alltogether,

 

I've come up with an issue, that's more and more present for my clients, regarding Microsoft Online/On-Premise Hybrid configuration.

So, I have a pretty much basic Exchange 2013 publishing (Content Switch, Pre-Authentication, Load Balancing) with an ADC 10.5 (yes I know it should get updated but this one particular client is a bit "stubborn" regarding firmware update...).

Everything works fine and as expected, now we have the issue, that the Microsoft Exchange Online configuration permanently needs to access /ews directory (and autodiscover as well i think) and its subdirectories to exchange free/busy information and so on. Until now I have solved this by just adding these EWS-paths alongside the public IPs of Azure for Exchange Online into a separate Content Switching Policy which forwards the traffic to an additional loadbalancing Server where no Pre-authentication is configured.

Apparently the paths/IPs has changed over the time, because it doesn't work anymore (still the policy is getting hits, but I assume that there is just some other sub directory or another public IP which causes this). 

So my question is - how do you guys solve this issue in general? I really don't want to keep adding stuff to a policy or pattern set because I think that it's an endless thing since Microsoft will surely change or add public IPs etc. etc., so - is it better to just fully deactivate Pre-Authentication on /ews subdirectory? This would cause some "minor" (depends how you see it) security issues, as of course all external clients which use /ews services will be able to get through to Exchange without any Authentication at NetScaler.

 

I am not completely sure how to solve this, because deactivating pre-authentication is like "too easy" regarding the fact, that i basically just want to bypass one specific service (Microsoft Online) from pre-authentication.

 

Any help or ideas are greatly appreciated. Thanks a lot!

 

Best regards

Jens

[Arne Weinmann]

You can check the ip address ranges of Exchange Online here: https://docs.microsoft.com/de-de/office365/enterprise/urls-and-ip-address-ranges

If your customer plans to use Exchange Hybrid in the long term, my best advice is to subscribe to the RSS-Feed of that page and change the whitelist for the separate content switcher when it gets updated. Or the customer could speed up his migration to EXO, so that no access to on-prem EWS would be needed anymore.