For Hosted Email Security (HES) to work with on-premises systems, the firewall needs the NAT policies and access rules described below, which let the hosted service reach your SMTP and LDAP servers and nothing else.
Create the following objects in the order they appear.
Service Groups
1. LDAP+S   LDAP (TCP 389) and LDAPS (TCP 636)
Address Objects
Create address objects for the following networks (HES North America):
1. Hosted IP a   173.240.210.0/255.255.255.0
2. Hosted IP b   173.240.213.0/255.255.255.0
3. Hosted IP c   204.212.170.0/255.255.255.0
The ranges above are for HES North America. If you are an HES Europe tenant, there is only one range to use instead:
1. Hosted IP   173.240.221.0/255.255.255.0

Also create address objects for your own servers (the values in parentheses are placeholders for your actual addresses):
Public IP SMTP    (public IP of the SMTP server)
Private IP SMTP   (private IP of the SMTP server)
Public IP LDAP    (public IP of the LDAP server)
Private IP LDAP   (private IP of the LDAP server)
Address Groups
Create an Address Group containing the Hosted IP objects created above. For North America it holds all three; for Europe it holds only the single Hosted IP object.
1. Hosted IPs   Hosted IP a, Hosted IP b, Hosted IP c

NAT Policies
Each policy translates only the destination; the source and service are left as in the original packet.

1. SMTP traffic
   Original Source: Any
   Translated Source: Original
   Original Destination: Public IP SMTP
   Translated Destination: Private IP SMTP
   Original Service: SMTP
   Translated Service: Original

2. LDAP traffic
   Original Source: Any
   Translated Source: Original
   Original Destination: Public IP LDAP
   Translated Destination: Private IP LDAP
   Original Service: LDAP+S
   Translated Service: Original

Access Rules
Create these WAN to LAN rules in the order shown. Rules are matched top to bottom, so the allow rule for each service must sit above its deny rule. The destination is the public (pre-NAT) address.

1. From: WAN   To: LAN   Source: Hosted IPs   Destination: Public IP LDAP   Service: LDAP+S   Action: Allow

2. From: WAN   To: LAN   Source: Any          Destination: Public IP LDAP   Service: LDAP+S   Action: Deny

3. From: WAN   To: LAN   Source: Hosted IPs   Destination: Public IP SMTP   Service: SMTP     Action: Allow

4. From: WAN   To: LAN   Source: Any          Destination: Public IP SMTP   Service: SMTP     Action: Deny

NOTE: If other devices outside the hosted ranges need to reach your LDAP server from the WAN, their allow rules must be placed above the LDAP deny rule (rule 2); otherwise the deny matches first and blocks them. The same ordering applies to any additional senders you allow ahead of the SMTP deny rule (rule 4).
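To make the ordering point concrete, the following is an added example (not from the original article and not SonicOS syntax): it models the four WAN to LAN access rules and the two NAT policies as a first-match rule set in plain Python and evaluates constructed sample packets against them, including the misordered variant the note warns about. The Hosted IP ranges are the North America ranges listed above; the customer-side public and private addresses (203.0.113.x, 10.0.0.x) and the packet sources (198.51.100.7) are hypothetical placeholders.

```python
"""First-match model of the HES firewall policy described in the article.

Added example, not part of the original article and not SonicOS syntax.
Hosted IP ranges are the North America ranges from the article; the
customer-side addresses below are constructed placeholders (RFC 5737 / RFC 1918).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Address objects. ipaddress accepts the dotted-netmask form used in the article.
HOSTED_IPS = [
    ip_network("173.240.210.0/255.255.255.0"),  # Hosted IP a
    ip_network("173.240.213.0/255.255.255.0"),  # Hosted IP b
    ip_network("204.212.170.0/255.255.255.0"),  # Hosted IP c
]
PUBLIC_IP_SMTP = ip_address("203.0.113.25")   # placeholder (constructed)
PRIVATE_IP_SMTP = ip_address("10.0.0.25")     # placeholder (constructed)
PUBLIC_IP_LDAP = ip_address("203.0.113.89")   # placeholder (constructed)
PRIVATE_IP_LDAP = ip_address("10.0.0.89")     # placeholder (constructed)

# Service groups: name -> set of (protocol, port).
SERVICES = {
    "SMTP": {("tcp", 25)},
    "LDAP+S": {("tcp", 389), ("tcp", 636)},  # LDAP and LDAPS
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    source: object       # "Any" or a list of ip_network objects
    destination: object  # a single ip_address (the pre-NAT public IP)
    service: str         # key into SERVICES
    action: str          # "Allow" or "Deny"


# WAN -> LAN access rules in the order given in the article.
ACCESS_RULES = [
    Rule(HOSTED_IPS, PUBLIC_IP_LDAP, "LDAP+S", "Allow"),
    Rule("Any", PUBLIC_IP_LDAP, "LDAP+S", "Deny"),
    Rule(HOSTED_IPS, PUBLIC_IP_SMTP, "SMTP", "Allow"),
    Rule("Any", PUBLIC_IP_SMTP, "SMTP", "Deny"),
]

# NAT policies: (original destination, translated destination, original service).
NAT_POLICIES = [
    (PUBLIC_IP_SMTP, PRIVATE_IP_SMTP, "SMTP"),
    (PUBLIC_IP_LDAP, PRIVATE_IP_LDAP, "LDAP+S"),
]

# The mistake the NOTE warns about: each deny placed ahead of its hosted allow.
MISORDERED_RULES = [ACCESS_RULES[1], ACCESS_RULES[0], ACCESS_RULES[3], ACCESS_RULES[2]]


def _matches(rule, pkt):
    """True if the packet matches the source, destination and service of the rule."""
    src = ip_address(pkt.src)
    src_ok = rule.source == "Any" or any(src in net for net in rule.source)
    dst_ok = ip_address(pkt.dst) == rule.destination
    svc_ok = (pkt.proto, pkt.port) in SERVICES[rule.service]
    return src_ok and dst_ok and svc_ok


def evaluate_access(pkt, rules=ACCESS_RULES):
    """Return the action of the first matching rule.

    No match falls through to Deny, modelling the implicit deny for
    unsolicited WAN to LAN traffic.
    """
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "Deny"


def apply_nat(pkt, policies=NAT_POLICIES):
    """Rewrite the destination to the private server when a NAT policy matches."""
    for original_dst, translated_dst, service in policies:
        if ip_address(pkt.dst) == original_dst and (pkt.proto, pkt.port) in SERVICES[service]:
            return replace(pkt, dst=str(translated_dst))
    return pkt


def process(pkt, rules=ACCESS_RULES):
    """Access decision plus NAT: the private destination if allowed, else None."""
    if evaluate_access(pkt, rules) != "Allow":
        return None
    return apply_nat(pkt).dst


if __name__ == "__main__":
    hes_ldaps = Packet("173.240.210.5", str(PUBLIC_IP_LDAP), "tcp", 636)
    stranger = Packet("198.51.100.7", str(PUBLIC_IP_LDAP), "tcp", 389)
    print(process(hes_ldaps))                    # 10.0.0.89
    print(process(stranger))                     # None
    print(process(hes_ldaps, MISORDERED_RULES))  # None: the deny matched first
```

Swapping the rule order is the only change between the working and failing runs, which is exactly the situation described in the note when an extra allow rule is appended below the deny instead of above it.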