In a couple of scenarios recently I have come across clients where they have TMG/UAG/ISA in front of their Exchange Hybrid deployment and cannot allow traffic through to their Exchange infrastructure that isn’t pre-authenticated at the reverse proxy. This became a stumbling block most notably for Free/Busy with Exchange Hybrid – which uses Autodiscover to search for its endpoint. Normally, the symptoms of this issue are Free/Busy lookups work from On-Premises to Online mailboxes, but Office 365 mailboxes cannot do Free/Busy lookups for On-Premises users.
In the case of these clients, Autodiscover would go and find the appropriate endpoint, but despite the Hybrid configuration and authentication set up between the two environments, the Free/Busy requests could not pass through the reverse proxy. So how to get around this?
The following method tells Exchange Online where to go when carrying out Free/Busy lookups, so you can set up a separate DNS record and IP address for hybrid traffic.
Firstly, you should set up a new DNS namespace for the unauthenticated traffic to be NAT'd directly to Exchange, and use firewall rules to limit this traffic to only the Office 365 source addresses and protocols required by Exchange Hybrid (see the Microsoft Support article here: https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-GB&ad=GB).
After having successfully run the Exchange Hybrid Wizard, validated the domains for federation etc., you will see that an on-premises Federation Trust and an Office 365 Organization Relationship have been set up. When you run “Get-OrganizationRelationship | fl” from Office 365 PowerShell you will see some results similar to the following:
TargetApplicationUri  : FYDIBOHF25SPDLT.mikeparker365.co.uk
TargetSharingEpr      :
TargetOwaURL          :
TargetAutodiscoverEpr : https://autodiscover.mikeparker365.co.uk/autodiscover/autodiscover.svc/WSSecurity
And this is where we need to make our changes.
I run the following command, specifying the hybrid namespace that has previously been set up, so that Free/Busy traffic is routed directly down this route rather than via Autodiscover. This sets both the sharing EPR for on-premises and your on-premises OWA URL, and clears the Autodiscover endpoint that was entered by the Hybrid Wizard.
Set-OrganizationRelationship "O365 to On-premises - 273f6cb3-cd8a-4da5-968e-b3d80b08af26" -TargetSharingEpr https://hybrid.mikeparker365.co.uk/EWS/Exchange.asmx/WSSecurity -TargetOwaURL https://owa.mikeparker365.co.uk/owa -TargetAutodiscoverEpr $null
When you test Free/Busy after running this command you should find that it now works from Exchange Online to On-Premises.
Note: The above command will have to be run again each time you re-run the Exchange Hybrid Configuration Wizard, because the wizard resets the TargetAutodiscoverEpr value.
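Because the change has to be re-applied after every Hybrid Configuration Wizard run, it is worth scripting. The following is an added example (not from the original post) that locates the HCW-created relationship by name prefix rather than by the GUID, records the values the wizard left, applies the hybrid endpoints only when they differ, and verifies the relationship with Test-OrganizationRelationship. It assumes an Exchange Online PowerShell session is already connected and that the hybrid and OWA namespaces, and the test mailbox, are placeholders you replace with your own.

```powershell
# Added example: re-apply hybrid Free/Busy endpoints after an HCW re-run.
# Assumes an Exchange Online PowerShell session is already connected.
$HybridEwsUrl = 'https://hybrid.mikeparker365.co.uk/EWS/Exchange.asmx/WSSecurity'
$OwaUrl       = 'https://owa.mikeparker365.co.uk/owa'
$TestUser     = 'user@mikeparker365.co.uk'   # placeholder: any on-premises mailbox

# The wizard names the relationship "O365 to On-premises - <GUID>"; match on the
# prefix so the script survives the wizard recreating the object with a new GUID.
$rel = @(Get-OrganizationRelationship | Where-Object { $_.Name -like 'O365 to On-premises*' })
if ($rel.Count -eq 0) { throw 'No "O365 to On-premises" organization relationship found' }
if ($rel.Count -gt 1) { throw 'More than one matching relationship; set -Identity explicitly' }
$rel = $rel[0]

# Record what the wizard left behind so the change can be reverted if needed.
$rel | Select-Object Name, TargetSharingEpr, TargetOwaURL, TargetAutodiscoverEpr |
    Format-List | Out-String | Write-Verbose -Verbose

# Only write when something actually differs, so the script is safe to schedule.
$needsUpdate = ([string]$rel.TargetSharingEpr -ne $HybridEwsUrl) -or
               ([string]$rel.TargetOwaURL     -ne $OwaUrl) -or
               ($null -ne $rel.TargetAutodiscoverEpr)

if ($needsUpdate) {
    Set-OrganizationRelationship -Identity $rel.Identity `
        -TargetSharingEpr $HybridEwsUrl `
        -TargetOwaURL $OwaUrl `
        -TargetAutodiscoverEpr $null
    Write-Host "Updated '$($rel.Name)' to use the hybrid namespace for Free/Busy"
} else {
    Write-Host "'$($rel.Name)' already points at the hybrid namespace; nothing to do"
}

# Verify the relationship end to end against an on-premises mailbox.
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $TestUser
```

Run it with -Verbose output captured somewhere persistent if you want a record of the pre-change values.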
If you have any questions or comments please either use the comments section below, Tweet me @MikeParker365 or email blog@mikeparker365.co.uk.
Nice article, however, from where did you collect “TargetOwaURL https://owa.mikeparker365.co.uk/owa”?
Hi Nadeem,
This will be specified in your on-premises Exchange and you should be able to find it by running Get-OWAVirtualDirectory and looking up the ExternalURL.
Thanks,
Mike
+1 A++ Thank You! Mystery Solved.
Brilliant, thanks for sharing this!
Hello Mike,
Sorry for silly question, but could you please clarify the following?
“Firstly, you should set up a new DNS namespace for the unauthenticated traffic to be NATd direct to Exchange, and use firewall rules to limit this traffic just to that required by Exchange Hybrid (see Microsoft Support blog post here: https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-GB&ad=GB).”
What DNS record should be created?
I have skipped this step, created the trust and jumped to Set-OrganizationRelationship without success.
Thank you for help.
This is good stuff Mike. Thanks!
Great information. Thanks for sharing 🙂
How do I remove TargetSharingEpr? I’ve tried Remove-OrganizationRelationship -Identity TargetSharingEpr… but it doesn’t work?
Hi Cam, sorry it took me a little while to get back to you. To remove the TargetSharingEpr you run Set-OrganizationRelationship -TargetSharingEpr $null from Exchange Online PowerShell. Hope this helps.