Hybrid Modern Authentication with VMware Boxer – Part 2 – Prerequisites

Prerequisites for Hybrid Exchange Topology

The following prerequisite list is added for convenience and is valid at time of writing, you should always refer to the latest documentation from Microsoft available here:


The list detail the prerequisites for Hybrid deployment, this article series will not go over the hybrid configuration itself, only the activation of the authentication part.

If you want to read more on how to plan and execute an Exchange Hybrid deployment read this documentation: Exchange Server hybrid deployments

If your organization already have hybrid exchange in place just make sure you are following the latest guidance.

Hybrid Topology

Hybrid Modern Authentication requires the Classic Hybrid Topology. Using the Hybrid Agent is not supported by Microsoft.
To download the Hybrid Configuration wizard, go to https://aka.ms/HybridWizard

General Environment

  • Azure AD Connect used for user sync and replication.
  • Authentication is configured to use on-premises identity for authentication with one of the authentication methods:
    • Password Hash Sync
    • Password Passthrough
    • IDP: WS1 Access, Okta, ADFS, etc.

Exchange Server Environment


  • Minimum version:
    • Exchange server 2013 CU19
    • Exchange server 2016 CU8
    • Exchange server 2019 CU1
  • All Exchange servers must have the latest cumulative updates installed or n-1. This is a requirement to be able to have support from Microsoft. (Source)
  • There is no Exchange server 2007 or 2010 in the Hybrid environment.

General Configuration

  • SSL Offloading is not configured. SSL termination and re-encryption are supported.
  • If you are using Exchange Server 2013, at least one server must have the Mailbox and Client Access server roles installed.
  • If you are using Exchange server 2016 or later version, at least one server must have the Mailbox server role installed.
  • If proxy to internet all Exchange servers have the proxy server defined in the InternetWebProxy property.
  • TLS 1.2 is enabled on Exchange Servers at the OS level as well as .NET Framework.


Microsoft now offer a very convenient way of getting all the IPs and service required via a webservice.

Office 365 IP Address and URL web service

and also, for Hybridity, there is a bit more required, and it is detailed in the following page:

Other endpoints not included in the Office 365 IP Address and URL Web service

Prerequisites for VMware Boxer

Minimum version

  • VMware Boxer iOS 2208
  • VMware Boxer Android 2211


EmailBoxerAutodiscover443If not available, see part 4
EmailBoxerActiveSync server443Can be SEG
EmailBoxerEWS server443If filtered, see part 4
NotificationENSEWS Server443If filtered, see part 4

Next: Part 3 – Configuration

Written by
 | Website

vExpert, blogger and VMware champion. Worked as a Microsoft consultant for a partner before joining VMware via Airwatch in 2015.

Leave a Reply

Your email address will not be published. Required fields are marked *.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

BCF Shop Theme By aThemeArt.