Hybrid Modern Authentication with Omnissa Boxer – Part 2 – Prerequisites
- Part 1: Introduction
- Part 2: Prerequisites
- Part 3: Configuration
- Part 4: Special use cases and FAQ
- Part 5: Troubleshooting
Prerequisites for Hybrid Exchange Topology
The following prerequisite list is included for convenience and was valid at the time of writing; always check the latest documentation from Microsoft, available here:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview
The list details the prerequisites for a hybrid deployment. This article series does not cover the hybrid configuration itself, only enabling the authentication part on top of it.
If you want to read more on how to plan and execute an Exchange Hybrid deployment, read this documentation: Exchange Server hybrid deployments
If your organization already has Exchange Hybrid in place, just make sure you are following the latest guidance.
Hybrid Topology
Hybrid Modern Authentication requires the Classic Hybrid Topology. The Modern Hybrid Topology, which uses the Hybrid Agent, is not supported by Microsoft for Hybrid Modern Authentication.
To download the Hybrid Configuration wizard, go to https://aka.ms/HybridWizard
General Environment
- Azure AD Connect (now Microsoft Entra Connect) is used to synchronize users to the cloud.
- Cloud authentication is configured to rely on the on-premises identity, using one of the supported methods:
  - Password Hash Synchronization (PHS)
  - Pass-through Authentication (PTA)
  - Federation with an identity provider (IdP): Workspace ONE Access, Okta, AD FS, etc.
Exchange Server Environment
Version
- Minimum version (per Microsoft's Hybrid Modern Authentication prerequisites):
  - Exchange Server 2013 CU19
  - Exchange Server 2016 CU8
  - Exchange Server 2019 CU1
- All Exchange servers must be on the latest cumulative update, or the one before it (n-1). This is Microsoft's condition for the organization to be in a supported state.
- There are no Exchange Server 2007 or 2010 servers left in the hybrid environment.
General Configuration
- SSL offloading is not configured, as it is not supported with Hybrid Modern Authentication. SSL termination and re-encryption (bridging) on a load balancer are supported.
- If you are using Exchange Server 2013, at least one server must have both the Mailbox and Client Access server roles installed.
- If you are using Exchange Server 2016 or later, at least one server must have the Mailbox server role installed.
- If the Exchange servers reach the internet through a proxy, every Exchange server must have that proxy defined in its InternetWebProxy property (Set-ExchangeServer -Identity <server> -InternetWebProxy http://proxy:port). This is the proxy Exchange uses for its own outbound connections to Microsoft 365, including the OAuth calls that Hybrid Modern Authentication depends on.
- TLS 1.2 is enabled on the Exchange servers both at the OS (Schannel) level and for the .NET Framework.
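The following script is an added example, not code from the original article or from Microsoft or Omnissa; it audits the version, proxy and TLS 1.2 prerequisites listed above from an Exchange Management Shell session. The minimum build numbers are my mapping of the CU names above to their build numbers and should be re-checked against Microsoft's Exchange Server build table before relying on them; the registry locations are the standard Schannel and .NET Framework TLS settings.

```powershell
# Added example: audit HMA prerequisites on Exchange servers.
# Assumes an Exchange Management Shell session (Get-ExchangeServer available) and
# that the registry checks are run on the Exchange server being audited.

# CU name -> build number mapping (assumption: verify against Microsoft's build table)
$MinimumBuild = @{
    '15.0' = [version]'15.0.1365.1'   # Exchange 2013 CU19
    '15.1' = [version]'15.1.1415.2'   # Exchange 2016 CU8
    '15.2' = [version]'15.2.330.5'    # Exchange 2019 CU1
}

function Convert-AdminDisplayVersion {
    # AdminDisplayVersion renders as "Version 15.1 (Build 1415.2)" (always a string in a
    # remote session); convert it to a comparable [version].
    param([string]$Text)
    if ($Text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
    }
    throw "Unrecognized AdminDisplayVersion: $Text"
}

# 1. Version, roles and outbound proxy, one row per server in the organization
Get-ExchangeServer | ForEach-Object {
    $ver   = Convert-AdminDisplayVersion ([string]$_.AdminDisplayVersion)
    $major = "$($ver.Major).$($ver.Minor)"
    [pscustomobject]@{
        Server           = $_.Name
        Version          = $ver
        MeetsMinimum     = ($MinimumBuild.ContainsKey($major) -and $ver -ge $MinimumBuild[$major])
        Legacy2007or2010 = ($ver.Major -lt 15)     # must be $false for every server
        ServerRole       = $_.ServerRole           # 2013: Mailbox + ClientAccess on at least one
        InternetWebProxy = $_.InternetWebProxy     # must be set if servers egress via a proxy
    }
} | Format-Table -AutoSize

# 2. TLS 1.2 at the OS (Schannel) level and for both 64-bit and 32-bit .NET Framework
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$net64    = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$net32    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$checks = @(
    @{ Path = "$schannel\Server"; Name = 'Enabled';                 Expected = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';       Expected = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled';                 Expected = 1 }
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';       Expected = 0 }
    @{ Path = $net64;             Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = $net64;             Name = 'SchUseStrongCrypto';       Expected = 1 }
    @{ Path = $net32;             Name = 'SystemDefaultTlsVersions'; Expected = 1 }
    @{ Path = $net32;             Name = 'SchUseStrongCrypto';       Expected = 1 }
)
$checks | ForEach-Object {
    # A missing value comes back as $null and is reported as not OK
    $actual = (Get-ItemProperty -Path $_.Path -Name $_.Name -ErrorAction SilentlyContinue).($_.Name)
    [pscustomobject]@{
        Setting  = "$($_.Path)\$($_.Name)"
        Actual   = $actual
        Expected = $_.Expected
        OK       = ($actual -eq $_.Expected)
    }
} | Format-Table -AutoSize
```

A missing registry value is flagged as not OK even on Windows Server 2012 R2 and later, where TLS 1.2 is on by default in Schannel; setting the values explicitly is still the recommended state, and the two .NET values are what make Exchange's own outbound connections negotiate TLS 1.2, which is the part that matters for the OAuth calls to Microsoft 365.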
Network
Microsoft now offers a convenient way to retrieve all the IPs and URLs required, via a web service:
Office 365 IP Address and URL web service
For hybrid there is a bit more required, and it is detailed on the following page:
Other endpoints not included in the Office 365 IP Address and URL Web service
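As an added example (not from the original article), this is how the web service above can be queried so the allow-list for the Exchange servers' outbound traffic is generated from Microsoft's data rather than typed by hand. The service endpoints and JSON field names (serviceArea, urls, ips, tcpPorts, category, required) are those documented by Microsoft; the filter on the Exchange and Common service areas is my choice, because the Common area carries the authentication endpoints (login.microsoftonline.com and friends) that the OAuth part of HMA needs.

```powershell
# Added example: pull the Microsoft 365 endpoints relevant to hybrid Exchange.
# Assumes outbound HTTPS to endpoints.office.com from the machine running this.

# The service asks for a stable client GUID per caller; generate one once and reuse it.
$clientRequestId = [guid]::NewGuid().Guid
$base = 'https://endpoints.office.com'

# Current list for the worldwide instance ('USGovDoD', 'USGovGCCHigh', 'China' for others)
$endpoints = Invoke-RestMethod -Uri "$base/endpoints/worldwide?clientrequestid=$clientRequestId"

# Exchange Online plus the shared authentication endpoints; only the entries Microsoft
# marks as required, since 'Optimize'/'Allow'/'Default' categories all have required rows.
$relevant = $endpoints | Where-Object { $_.serviceArea -in @('Exchange', 'Common') -and $_.required }

$relevant | ForEach-Object {
    $id = $_.id; $area = $_.serviceArea; $cat = $_.category; $ports = $_.tcpPorts
    foreach ($u in $_.urls) {   # entries without urls/ips simply yield nothing here
        [pscustomobject]@{ Id = $id; Area = $area; Kind = 'URL'; Value = $u;  TcpPorts = $ports; Category = $cat }
    }
    foreach ($ip in $_.ips) {
        [pscustomobject]@{ Id = $id; Area = $area; Kind = 'IP';  Value = $ip; TcpPorts = $ports; Category = $cat }
    }
} | Sort-Object Area, Kind, Value | Format-Table -AutoSize

# Version stamp of the list, so a scheduled run can tell when Microsoft publishes a change
$version = Invoke-RestMethod -Uri "$base/version/worldwide?clientrequestid=$clientRequestId"
"Endpoint list version: $($version.latest)"
```

Save the version value with the generated allow-list; when a later run reports a newer version, the service's changes endpoint (same base URL, /changes/worldwide/<version>) returns only the delta, which is easier to review than the full list. The hybrid-specific endpoints from the second page above are not in this feed and still have to be added by hand.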
Prerequisites for Omnissa Boxer
Minimum version
- Omnissa Boxer iOS 2208
- Omnissa Boxer Android 2211
Network
Service | Source | Destination | Port | Notes |
---|---|---|---|---|
Boxer | Boxer (device) | Autodiscover | 443 | If not available, see Part 4 |
Boxer | Boxer (device) | ActiveSync server | 443 | Can be SEG (Secure Email Gateway) |
Boxer | Boxer (device) | EWS server | 443 | If filtered, see Part 4 |
Notification | Boxer (device) | ENS | 443 | |
Notification | ENS | EWS server | 443 | If filtered, see Part 4 |
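The script below is an added example, not part of the original article, for checking the device-side rows of the table from a Windows machine on the network the devices will use: a TCP test on 443 followed by an unauthenticated HTTPS request to each endpoint, which Exchange answers with 401 and a WWW-Authenticate header listing its accepted schemes. The hostnames and paths are placeholders for contoso.com; the Exchange virtual directory paths are the standard ones.

```powershell
# Added example: verify Boxer's Autodiscover, ActiveSync and EWS paths.
# Assumes Windows PowerShell 5.1 or PowerShell 7, and placeholder hostnames below.
$mailDomain = 'contoso.com'   # assumption: replace with the real mail domain
$targets = @(
    @{ Name = 'Autodiscover'; Url = "https://autodiscover.$mailDomain/autodiscover/autodiscover.xml" }
    @{ Name = 'ActiveSync';   Url = "https://mail.$mailDomain/Microsoft-Server-ActiveSync" }
    @{ Name = 'EWS';          Url = "https://mail.$mailDomain/EWS/Exchange.asmx" }
)

function Test-BoxerEndpoint {
    param([string]$Name, [string]$Url)
    $uri = [uri]$Url
    $tcp = Test-NetConnection -ComputerName $uri.Host -Port 443 -WarningAction SilentlyContinue
    $status = $null; $auth = $null
    if ($tcp.TcpTestSucceeded) {
        try {
            # No credentials on purpose: a 401 proves the request reached Exchange (or the SEG)
            $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
            $status = [int]$r.StatusCode
        } catch {
            $resp = $_.Exception.Response
            if ($resp) {
                $status = [int]$resp.StatusCode
                $auth   = [string]$resp.Headers['WWW-Authenticate']
            } else {
                # No HTTP response at all: TLS failure, name resolution, proxy block, ...
                $status = $_.Exception.Message
            }
        }
    }
    [pscustomobject]@{
        Endpoint        = $Name
        Host            = $uri.Host
        Tcp443          = $tcp.TcpTestSucceeded
        HttpStatus      = $status
        WwwAuthenticate = $auth
    }
}

$targets | ForEach-Object { Test-BoxerEndpoint @_ } | Format-Table -AutoSize
```

A 401 with Basic, Negotiate or NTLM in WWW-Authenticate means the path is open; a 403 or 404 from the ActiveSync and EWS rows usually means a SEG or reverse proxy is filtering the virtual directory, which is the Part 4 case. Once Hybrid Modern Authentication is enabled in Part 3, the EWS and ActiveSync rows will also list Bearer. The ENS to EWS row cannot be tested with this script, since ENS is a cloud service; it has to be checked from an internet-facing vantage point, or handled as described in Part 4 when EWS is not published.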
Next: Part 3 – Configuration
vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.