@janegilring
Created August 26, 2018 19:17
Shows how to leverage the Get-Office365Endpoint script by Joerg Hochwald to configure Windows Firewall on a Microsoft Exchange Server so that inbound SMTP traffic is accepted only from the IP ranges used by Exchange Online Protection
# Define the Get-Office365Endpoint function in the current PowerShell session.
# Invoke-Expression runs the script exactly as it is currently published on the master branch,
# so review it (or download and inspect a copy) before running this on a production server.
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/janegilring/PSCommunity/master/Office%20365/Get-Office365Endpoint.ps1'))

# Retrieve endpoints for Exchange Online and filter on TCP port 25
$ExchangeOnlineEndpoints = Get-Office365Endpoint -Services Exchange
$ExchangeOnlineSMTPEndpoints = $ExchangeOnlineEndpoints | Where-Object {
    $PSItem.ip -and
    $PSItem.DisplayName -eq 'Exchange Online' -and
    $PSItem.tcpPorts -contains '25'
}

# Restrict the Exchange Services listening on TCP port 25 to the retrieved IP addresses
# (this replaces the RemoteAddress scope currently set on each rule)
Get-NetFirewallRule -DisplayName 'MSExchangeFrontendTransport (TCP-In)' |
    Get-NetFirewallAddressFilter |
    Set-NetFirewallAddressFilter -RemoteAddress $ExchangeOnlineSMTPEndpoints.ip

Get-NetFirewallRule -DisplayName 'MSExchangeTransportWorker (GFW) (TCP-In)' |
    Get-NetFirewallAddressFilter |
    Set-NetFirewallAddressFilter -RemoteAddress $ExchangeOnlineSMTPEndpoints.ip

# Verify: RemoteAddress on both rules should now list the Exchange Online Protection ranges
Get-NetFirewallRule -DisplayName 'MSExchangeFrontendTransport (TCP-In)' |
    Get-NetFirewallAddressFilter

Get-NetFirewallRule -DisplayName 'MSExchangeTransportWorker (GFW) (TCP-In)' |
    Get-NetFirewallAddressFilter
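
A guarded variant of the steps above, added here as an example and not part of the original gist: it leaves the rules untouched when the retrieved list is empty or contains an entry that is not a valid IP address or CIDR range, records the previous RemoteAddress scope before changing anything, and defaults to a -WhatIf dry run. `Test-CidrEntry`, `$BackupPath` and `$Apply` are hypothetical names, and the property names on the endpoint objects are assumed from the filter used in the gist.

```powershell
# Added example, not part of the original gist. Assumes Get-Office365Endpoint is already
# defined in the session; $BackupPath and $Apply are hypothetical names chosen here.
$BackupPath = Join-Path $env:TEMP 'smtp-firewall-scope-backup.xml'
$Apply      = $false   # leave $false for a -WhatIf dry run; set $true to change the rules

function Test-CidrEntry {
    # $true for 'address' or 'address/prefix' where the prefix fits the address family
    param([string]$Entry)
    $address, $prefix = $Entry -split '/', 2
    $parsed = $null
    if ($address -notmatch '[.:]' -or
        -not [System.Net.IPAddress]::TryParse($address, [ref]$parsed)) { return $false }
    if ($null -eq $prefix) { return $true }
    $max = if ($parsed.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    $n = 0
    return ([int]::TryParse($prefix, [ref]$n) -and $n -ge 0 -and $n -le $max)
}

$rules  = 'MSExchangeFrontendTransport (TCP-In)', 'MSExchangeTransportWorker (GFW) (TCP-In)'
$ranges = @(Get-Office365Endpoint -Services Exchange |
    Where-Object { $PSItem.ip -and $PSItem.DisplayName -eq 'Exchange Online' -and
                   $PSItem.tcpPorts -contains '25' } |
    ForEach-Object { $PSItem.ip } | Sort-Object -Unique)

# An empty or malformed list never reaches the firewall
$invalid = @($ranges | Where-Object { -not (Test-CidrEntry $PSItem) })
if ($ranges.Count -eq 0 -or $invalid.Count -gt 0) {
    throw "No change made: $($ranges.Count) ranges retrieved, invalid entries: $($invalid -join ', ')"
}

# Collect the current scope of both rules first; a missing rule stops the run here
$filters = @{}; $previous = @{}
foreach ($name in $rules) {
    $filters[$name]  = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
        Get-NetFirewallAddressFilter
    $previous[$name] = @($filters[$name].RemoteAddress)
}
$previous | Export-Clixml -Path $BackupPath   # rollback record, written before any change

foreach ($name in $rules) {
    $filters[$name] |
        Set-NetFirewallAddressFilter -RemoteAddress $ranges -WhatIf:(-not $Apply)
}
```

To roll back, read the saved scopes with `Import-Clixml -Path $BackupPath` and pass each rule's stored value to `Set-NetFirewallAddressFilter -RemoteAddress`.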