Question about using S2S Azure VPN for O365 EOL mail routing

  • Question

  • I have a home lab setup for testing and developing solutions in Office 365 hybrid configurations with on-prem systems.  The only real issue I've run into so far is that my ISP blocks outbound port 25 to combat spam.  However, Microsoft requires port 25 for hybrid mail flow to work between my on-prem environment and EOL.  I've gotten around this so far by getting a VPN provider that allows special ports like 25 and setting up an OpenVPN gateway in my router to forward just that port 25 traffic over the VPN tunnel.  Success!  BUT - I'd like to investigate options for using Azure networking itself to route this traffic for my home lab, again just port 25.

    So my question is this, does anyone have any tips or guidance for the following:
    1. Is it possible to create a VPN tunnel with Azure where SMTP (port 25) traffic from on-prem can route through Azure to O365 EOL? 

    2. Is there a solution that avoids the need to run a VM inside of Azure on the VPN gateway/network?

    3. Is it possible to use a static IP with this solution to avoid having to reconfigure my on-prem tunnel every few months when the IP rotates on the Azure side?

    4. Minimizes cost

    I am using pfSense and understand how to create VPN tunnels and know that S2S VPN in Azure is definitely doable, but my question really has to do with routing specific traffic through Azure to O365 EOL.  If anyone has done this or understands what I'm after, I'd love to hear your thoughts and feedback on how I might be able to make this a reality.  If I can get an Azure VPN tunnel to route my port 25 traffic, then I won't need the other VPN provider anymore and can cancel that subscription in favor of Azure.



    • Edited by PCAJOE Wednesday, August 15, 2018 3:33 PM Another typo
    Wednesday, August 15, 2018 2:48 PM

Answers

  • @PCAJOE, Outbound SMTP connections using TCP port 25 are blocked for most new subscriptions in Azure just to prevent malicious users from using Azure IP addresses for abuse and adversely affecting the reputation of all Azure IPs.



    • Edited by Zahid Faroq Saturday, August 18, 2018 3:01 PM
    • Marked as answer by PCAJOE Monday, August 20, 2018 2:12 PM
    Saturday, August 18, 2018 3:00 PM

All replies

  • You have to deploy a VPN in Azure. Check the link for configuring a cross-premises Azure virtual network for Office server workloads:

    https://docs.microsoft.com/en-us/office365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network

    • Proposed as answer by samyyysam Wednesday, August 15, 2018 8:41 PM
    • Unproposed as answer by PCAJOE Thursday, August 16, 2018 12:14 PM
    Wednesday, August 15, 2018 8:40 PM
  • I had already seen that article, but it doesn't really address the specific goals I have in mind.  I do not need to connect my test LAB LAN to an Azure virtual network for connecting to VMs.  Instead I need to connect to Azure over VPN so that I can route EOL SMTP (port 25) traffic from on-prem Exchange to Exchange Online.  I went through this exercise anyway and got an IPSec P2P tunnel created and working, but it was useless to me because I have no service endpoints or connectivity to EOL.  In addition, IPSec P2P tunnels are more difficult to route only specific traffic over the tunnel since it's linking two IP subnets and providing a basic routing table.  I couldn't find a way in pfSense to route only specific source traffic on a specific port over the tunnel with a destination of anything but the Azure VNet subnet.
    • Edited by PCAJOE Thursday, August 16, 2018 4:13 PM Fixed Typos
    Thursday, August 16, 2018 12:14 PM
  • Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same.
    Monday, August 20, 2018 1:45 PM
  • Well that puts me in a difficult spot.  With TCP port 25 basically being deprecated, but still REQUIRED by Office 365 - the only way I was able to make this scenario work was to use a VPN gateway that does not block port 25 and use that gateway to route all outbound port 25 traffic.  So I was able to solve my own problem, but it had a cost of $99 a year.  If Microsoft would simply allow a secure SMTP connection over port 587 for these types of hybrid mail connections, that would eliminate my need to spend another $100!
    Monday, August 20, 2018 2:09 PM
  • @PCAJOE, routing based on specific ports will not be possible. However, you can set up a connection from on-prem to Microsoft Azure and Office 365 using ExpressRoute circuits and routing domains.

    Reference: ExpressRoute

    Tuesday, August 21, 2018 6:27 PM
  • That would be an option if this were a business project funded by a company budget.  Paying for ExpressRoute is not an option for a playground/lab.  It's just unfortunate that I'm being forced by Microsoft to use a deprecated port that they don't even allow on their infrastructure.  Thankfully in pfSense I can create OpenVPN gateways and found a VPN provider that allows port 25.  Using this I was absolutely able to route traffic based on source IP and TCP port, to ensure that SMTP port 25 traffic from the Exchange servers routes over the VPN gateway and successfully makes it to EOL.  The downside is that the requirement to use port 25 has now cost me $99 a year for this VPN solution.
    Tuesday, August 21, 2018 7:21 PM
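The selective routing the poster describes (only TCP/25 from the Exchange servers leaves via the OpenVPN gateway, everything else follows the normal routing table) is policy-based routing, which pfSense implements with pf's `route-to`. The following is an added example written for this thread, not the poster's own configuration; it is the pf.conf equivalent of what the pfSense GUI generates when a LAN firewall rule's Gateway field is set to an OpenVPN client gateway. The interface names, the tunnel peer address and the Exchange server addresses are constructed assumptions.

```pf
# Added example; interface names and addresses below are assumptions, not
# values from the thread.
lan_if  = "em1"              # assumed LAN interface
wan_if  = "em0"              # assumed WAN (ISP) interface
ovpn_if = "ovpnc1"           # assumed OpenVPN client interface
ovpn_gw = "10.8.0.1"         # assumed remote end of the OpenVPN tunnel
lan_net = "192.168.10.0/24"  # assumed lab LAN

# Constructed addresses of the on-prem Exchange servers
table <exchange_servers> { 192.168.10.25, 192.168.10.26 }

# Source-NAT SMTP that leaves through the tunnel, so the VPN provider sees the
# tunnel address and replies come back the same way
nat on $ovpn_if proto tcp from <exchange_servers> to any port 25 -> ($ovpn_if)

# Policy route: only TCP/25 from the Exchange servers is forced through the
# VPN gateway; "quick" stops rule evaluation so the default rule below does not apply
pass in quick on $lan_if proto tcp from <exchange_servers> to any port 25 \
    route-to ($ovpn_if $ovpn_gw) keep state

# Fail closed: any TCP/25 from these hosts that did not take the tunnel (for
# example when the rule above is disabled or skipped because the gateway is
# down) is dropped instead of falling back to the ISP path, where it would
# be blocked anyway and would reveal the lab's public IP to the recipient
block in quick on $lan_if proto tcp from <exchange_servers> to any port 25

# Everything else from the LAN uses the normal routing table (default WAN)
pass in on $lan_if from $lan_net to any keep state
```

Two points worth checking after applying this on pfSense: the outbound NAT rule on the OpenVPN interface is required (without it the packets leave the tunnel with a LAN source address and the provider drops them), and the order of the LAN rules matters because the route-to rule must match before the general LAN pass rule. The explicit block keeps the setup from silently sending mail out the WAN if the gateway is ever marked down.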
  • Thank you for responding with your solution!

    If you would like this to be changed in the future, I suggest you leave your feedback Here.

    Thursday, August 23, 2018 8:53 PM