Step-By-Step: Create a Site-to-Site VPN between your network and Azure

Before you start.

Once your lab network is set up, follow the next steps to establish a site-to-site VPN between your environment and Azure, essentially making the cloud part of your environment.

1- Log on to the Azure Portal and create a new virtual network. Click the NETWORKS link in the left navigation pane, then click the +NEW button located on the bottom toolbar.

Select VIRTUAL NETWORK and CUSTOM CREATE.


2- In the wizard that pops up, give your network a meaningful name, select the region in which you want to deploy your network, and create and name an affinity group.

Affinity Groups are a way to tell the Fabric Controller that two elements, Compute and Storage, should always be kept together and close to one another. When the Fabric Controller searches for the best-suited container to deploy those services, it looks for one where it can deploy both in the same cluster, keeping them as close as possible, which reduces latency and increases performance.

So in summary, Affinity Groups provide us:

  • Aggregation: they group our Compute and Storage services and give the Fabric Controller the information it needs to keep them in the same Data Center and, even more, in the same Cluster.
  • Reduced latency: telling the Fabric Controller that the services should be kept together gives us much better latency when accessing the Storage from the Compute nodes, which makes a difference in a highly available environment.
  • Lowering costs, as by using them we don’t have the possibility of getting one service in one Data Center and the other in another Data Center if for some reason we choose the wrong way, or even because we choose for both one of the “Anywhere” options in the

Once you have that filled out, just click the arrow in the lower right corner.


3- In the next screen you’ll need to list the DNS servers you want the machines in your new virtual network to use for name resolution. In our case DC1 is the DC in our on-premises lab. I’ve added an internet DNS just in case.

Before clicking the lower right arrow, ensure you select the Configure site-to-site VPN checkbox.


4- The next step is to identify your on-premises network by giving it a name, defining the address space you are using, and entering the external IP address of the edge device you are using. In my case I’m using a Cisco ASA 5505 security appliance. (Please note that since this is my private lab, not a canned demo environment, sooo… I have blanked out the address and some identifiable information…)

This information will be used by Azure to configure the routing in your virtual network and across the gateway we will set up in the next few steps.


5- In the Virtual Network Address Space screen you get to design how you want your virtual network to be configured.

In my case I assigned a private Class A address, 10.0.0.0, meant for very large networks which can hold as many as 16 million computers, to my cloud network… (Think BIG I always say…)

You then need to carve that address space into usable subnets and name them.

For my virtual network I used 10.10.1.0/24 as my infrastructure subnet (AZR-LAb-Infra) and created 10.10.2.0/24 as a publicly accessible subnet (AZR-Lab-Public), in case I decide to add public services.

Finally, you have to click the “Add gateway subnet” button and configure that subnet, 10.10.3.0/8 in my case.


6- Now that we have defined both our virtual network architecture and our on-premises network, we can create the gateway that will join them together. In the Azure Portal, select NETWORKS in the left menu, then click the virtual network you just finished creating. For me, that is AZR-Lab.


7- Once the virtual network info loads in the portal, click on CREATE GATEWAY. In my case since I’m using a Cisco ASA 5505 security appliance as my edge device I have to use Static Routing.  Once the process starts, it will take a bit of time… take this opportunity to visit MVA.


8- Once you come back, the gateway will be complete and your internet VPN end point address will be listed in the portal. (Again, the address has been redacted to protect the innocents… In this case… Me.)

  

9-  After the gateway has been created, you can gather the necessary information to send to your network administrator to configure the VPN device. 

  • On the virtual network dashboard, copy the GATEWAY IP ADDRESS.
  • Get the Shared Key. Click Manage KEY at the bottom of the screen, and then copy the SHARED KEY displayed in the dialog box. Your key… Not mine.


  • Download the VPN configuration file. On the dashboard, click DOWNLOAD. On the Download VPN Device Config Script dialog box, select the vendor, platform, and operating system for your company’s VPN device. Click the checkmark button and save the file. In order to create a site-to-site connection, you’ll need to either obtain and configure a VPN device, or use Routing and Remote Access Service (RRAS) on Windows Server 2012. Be aware that VPN device requirements vary depending on the type of connection that you want to create. You can find more info on compatible machines and/or services here.

Since I have a business grade edge device with my Cisco ASA 5505 appliance I will use it.


If you don’t see your VPN device in the drop-down list, see About VPN Devices for Virtual Network in the MSDN library for additional script templates.

10- After you have all that, you can begin to configure your VPN device. Copy the content of the configuration file you downloaded in the last step to the clipboard. Open the Cisco ASDM application to manage the edge device and, in the Tools menu, select Command Line Interface.


11- After that, select Multiple Line.


12- Paste the content of the configuration file in the commands window and click the Send button to send the script to the appliance.


13- Once that is done, the two networks will connect and set up the VPN tunnel. If the connection does not occur right away, click the Connect button at the bottom of the portal to initiate the connection. Once it’s connected, the portal will show the connected state.


Cue the time machine… After I created a Virtual Machine on my virtual network, I was able to ping it from one of my local Windows 8 lab machines.


We are done!!!

We have now extended a 4 machine lab in my home office to include a chunk of the cloud. It’s a piece of network we can leverage for a multitude of services, but these will have to be for other posts.
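The address plan from steps 4 and 5 can be checked before it is typed into the wizard. The following is an added example, not part of the original post: it validates the subnets against the virtual network address space and against each other, and checks that the on-premises range does not collide with the cloud range. The on-premises range (blanked out on the page), the reading of "Class A 10.0.0.0" as 10.0.0.0/8, and the /24 comparison plan are assumptions.

```python
import ipaddress

# Values from step 5 of the walkthrough. The on-premises range is blanked out
# on the page, so 192.168.1.0/24 is a constructed stand-in; the /8 on the
# address space is the classful mask implied by "Class A".
ONPREM = ["192.168.1.0/24"]
VNET = "10.0.0.0/8"
PAGE_SUBNETS = {
    "AZR-LAb-Infra": "10.10.1.0/24",
    "AZR-Lab-Public": "10.10.2.0/24",
    "Gateway": "10.10.3.0/8",
}
# Constructed variant for comparison: same plan, gateway subnet sized as a /24.
ALT_SUBNETS = dict(PAGE_SUBNETS, Gateway="10.10.3.0/24")


def check_address_plan(onprem_spaces, vnet_space, subnets):
    """Return a list of findings (strings) for a site-to-site address plan.

    onprem_spaces: CIDR strings for the local network (step 4)
    vnet_space:    CIDR string for the virtual network address space (step 5)
    subnets:       dict of subnet name -> CIDR string, gateway subnet included
    """
    findings = []
    vnet = ipaddress.ip_network(vnet_space, strict=False)

    # If both sides of the tunnel use the same range, routing cannot tell
    # which side a destination address belongs to.
    for cidr in onprem_spaces:
        local = ipaddress.ip_network(cidr, strict=False)
        if local.overlaps(vnet):
            findings.append(f"on-premises {local} overlaps virtual network {vnet}")

    parsed = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            # Address and prefix length disagree; show what the prefix covers.
            net = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{name}: {cidr} has host bits set; as written it describes {net}")
        if not net.subnet_of(vnet):
            findings.append(f"{name}: {net} is outside the address space {vnet}")
        parsed[name] = net

    # Subnets of one virtual network must not overlap each other.
    names = list(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first].overlaps(parsed[second]):
                findings.append(
                    f"{first} ({parsed[first]}) overlaps {second} ({parsed[second]})"
                )
    return findings


if __name__ == "__main__":
    for label, plan in (("page values", PAGE_SUBNETS), ("/24 gateway", ALT_SUBNETS)):
        print(label)
        for finding in check_address_plan(ONPREM, VNET, plan) or ["no findings"]:
            print("  -", finding)
```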

Configure HTTP or HTTPS Settings in the ICM for SAP NWBC 3.5

Introduction:

In this article, we will see how to configure HTTP or HTTPS Settings in the ICM for SAP NWBC 3.5.

Prerequisite: User must have installed the SAP GUI and SAP NWBC 3.5 on their desktop in order to login on it. Also, a basic understanding on SAP NWBC will be helpful to understand this article.

Details:

As most of us know, the basic purpose of SAP NWBC is to have all the required applications and traditional SAP transactions on a single platform.

The Internet Communication Manager (ICM) enables communication between your SAP systems and the Internet using the HTTP or HTTPS protocols for the Business Client applications. NWBC (both the shell and most canvas types) uses HTTP to access an ABAP server. It is important that at a minimum one HTTP or HTTPS port is configured and active.

Let’s see the steps to check whether the HTTP or HTTPS service exists for a given backend SAP R3 system, so that the shell and the ABAP server can communicate.

Go to transaction code SMICM.  


After that, check whether the HTTP or HTTPS service is active using Goto -> Services.


We can see that the HTTP service is active in this case.

If it is not active, then we can create/change it and then activate it.


Please note that any changes you make here are lost when you restart. If you want to create or change a service permanently, you must do this using the profile parameter icm/server_port_<xx> as follows.



You may not be able to change it if you don’t have the correct authorizations. Check with your BASIS team and make the change.  

In this way you can configure the HTTP or HTTPS settings in the ICM in order to have a communication between shell and ABAP server.

Variant Configuration – Setting up Sales Order Costing

When you use variant configuration, one of the things you often need or want to do is set up sales order costing for your configuration. Surprisingly to me, sales order costing is NOT set up automatically for the TAC item category. So let me walk you through how to set this up (at least as far as I can take you). Like so many things, you’ll need some input from your FICO expert to make sure all the settings are proper for their world.


Now, I’m going to start at the beginning, so you might be able to skip this step, but I’m going to assume you don’t know the requirements class you need to update.

So, use this path to the IMG in order to find your requirements class based on your item category.


I’m going to show the standard Item Category, TAC for a configurable material.  You can simply substitute your item category in here.


Now, it’s nice because you can see your requirements class at the bottom portion of this screen without backtracking to the requirements type screen.


We can get to the real work.  We have to go to a little bit different spot in configuration to adjust these settings.


Now, using the requirements class we located earlier, we can go to the details.


Now, all the work happens on this screen.  Originally, this screen was completely blank in standard SAP.  What I’ve populated is the most standard configuration I’ve used in the past.

Costing:  Setting this to X makes it required for sales order costing.
Costing ID: determines if you want automatic sales order costing (A) or automatic with marking (B).
Costing Method: (1) Product Costing, (2) unit costing
Costing Variant: PPC4 for sales order costing

CndTypLinItm: this is optional, but it tells you where you can put the value within pricing if you wish to use it for margin or cost-plus calculations
Acct Assignment Cat: M for Ind Cust wo KD-CO
Valuation: M Separate valuation with reference to Sales Document/Project.

Settlement Profile: SD1 – Sales Order Make to Order Production

The one field I skipped is the Settlement Profile.  This one I always defer to my FICO person.  I don’t even pretend to know which one of these to select.

Once you set this stuff, you should be good to go.

Disable Single Sign On: convert the federated domain to a standard domain with the PS cmdlets and reverse the domain federated authentication settings for the Office 365 accounts

The article below is a step-by-step guide to converting the federated domain to a standard domain with the PS cmdlets and reversing the domain federated authentication settings for the O365 accounts.

When you configure Single Sign On, also known as identity federation, with O365, you convert an existing domain from Standard Authentication to Federated Authentication. When you do this, the users who are associated with the federated domain can no longer access O365 directly.

You may have different requirements for converting your domain from Federated Authentication to Standard Authentication. As you can see, there are some easy steps to follow:

 
 

Log in to your ADFS server, open the Online Services Module for Windows PowerShell and enter the shell command below:

$cred=Get-Credential 


Once you are prompted with a Windows PowerShell Credential Request, enter an admin user name and password.


Once the credentials are validated, enter the shell command below. Its purpose is to connect to Microsoft Online Services with the stored credentials.

Connect-MsolService -Credential $cred


In this command, the placeholder <AD FS 2.0 server name> represents the name of the primary AD FS 2.0 server.

Set-MsolADFSContext -Computer <AD FS 2.0 server name>


It is time to convert your domain from Federated to Standard Authentication. Enter the shell command below. This command removes the relying party trust information from the Office 365 authentication system federation service and the on-premises AD FS 2.0 federation service. The -PasswordFile parameter indicates the path of the text file that contains the newly created temporary password of each formerly federated user’s account.

Convert-MSOLDomainToStandard -DomainName <federated domain name> -SkipUserConversion:$true -PasswordFile c:\userpasswords.txt


Here we go… we just finished the conversion, and now you are good to go. In the steps below I will guide you through resetting the authentication setting for the domain and for each user account to use standard authentication with O365.

Set-MSOLDomainAuthentication -Authentication Managed -DomainName <federated domain name>


For this demonstration I will use the user name of Susan Baker (directory synced) to run the command below.


For the string value you have to enter the user name as a UPN.

Convert-MSOLFederatedUser -UserPrincipalName <string>


 
 

Once the conversion is done, the command returns the user name and temporary password as above. Now you can go to the Microsoft Online Portal, enter the converted user name and temporary password as below, and follow the other instructions in the screen previews.

 
 





Troubleshooting IIS SMTP Relay settings

In this section we will review how to troubleshoot common causes of mail flow problems when using the IIS SMTP relay option.

1. Troubleshooting communication port

The first step is to verify that the IIS SMTP server can use port 587 to create the required communication channel with the Exchange Online server. An additional parameter that we need to check is that we use the correct host name for the Exchange Online server.
To verify these parameters, we can use the built-in Telnet tool.

Note – the Telnet tool is not installed by default. To install the Telnet client on Windows 2008 server, use Server Manager –> Features –> Telnet Client.

To test the communication channel to the Exchange Online server, open a command prompt on the IIS SMTP server and type the following syntax:

 

Telnet <Exchange online Host name> 587

 

In the following screenshot, we can see that the connection attempt failed.
The reasons could be:

  • We didn’t create the required outbound firewall rule that enables the IIS SMTP server to use port 587
  • The Exchange Online server name is not correct


After creating the required configuration, we run the Telnet command again. In the following screenshot we can see the Exchange Online response to the communication attempt.


2. Troubleshooting Relay permissions

Part of the security settings of the IIS SMTP server is a restricted list of hosts (the IP addresses of the internal hosts) that are allowed to relay mail to the IIS SMTP server.

In the following example we use the tool Basic SMTP Telnet Client to simulate the process of relaying a mail message to the IIS SMTP server, with the “debug” option enabled: Enable Step by Step Sending.
In the following screenshot, we can see that the error message returned by the IIS SMTP server relates to the fact that the IP address of the host we use is not configured in the “Allowed list” on the IIS SMTP server.


     

3. Troubleshooting “Mail from” settings

In this section we will review how to troubleshoot errors that relate to the “Send on behalf” permission that the IIS SMTP server needs for relaying email messages from Mail enabled Devices\Applications.

If the IIS SMTP server doesn’t have the required permission to send email “on behalf” of another email address, the connection attempt will be rejected by Exchange Online. Failed mail messages are kept by the IIS SMTP server in the “Badmail” folder (the default location of the IIS SMTP mail folder is: C:\inetpub\mailroot).

In the following example we simulate mail delivery from a recipient named HelpDesk@o365info.com to a “destination recipient” named IsabelY@o365info.com.

When checking Isabel’s mailbox, we notice that the mail was not delivered.
To find the cause of the problem, we can look at the Badmail folder on the IIS SMTP server.
In the following screenshot, we can see that the IIS SMTP server creates 3 different log files that include information about the mail delivery process and the reason for the failure of the mail message delivery.

To read the log message, open the file with the *.BAD extension using a text editor such as Notepad.

In the text file, we can see the description of the error:

Diagnostic-code: smtp;550 5.7.1 client does not have permissions to send as this sender

This error means that the IIS SMTP user account that we use for creating the communication channel with Exchange Online doesn’t have the required permission to send mail on behalf of the recipient that tries to relay mail to the IIS SMTP server.
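Reading Badmail files by hand gets tedious once several devices relay through the server. The following added example (not from the original article) pulls the recipient and diagnostic code out of delivery-status text and maps it to the two causes covered in sections 2 and 3. Only the Diagnostic-code text is quoted from the article; the other sample fields and the "Unable to relay" wording used for the relay case are assumptions.

```python
import re

# Constructed sample of the delivery-status text in a Badmail file. Only the
# Diagnostic-code text comes from the article; the remaining fields follow
# the usual delivery status notification layout and are assumptions.
SAMPLE_BAD = """\
Reporting-MTA: dns;iis-smtp.example.local

Final-Recipient: rfc822;IsabelY@o365info.com
Action: failed
Status: 5.7.1
Diagnostic-code: smtp;550 5.7.1 client does not have permissions
    to send as this sender
"""

# What to check for each cause, taken from the article's own sections.
HINTS = {
    "send-as": "grant the relay account Send As on the sender address, "
               "or add that address as an alias of the relay mailbox",
    "relay-denied": "add the sending host's IP address to the relay "
                    "restriction list of the SMTP virtual server",
    "transient": "temporary failure; check connectivity on port 587 and retry",
    "other": "read the full diagnostic text",
    "unparsed": "not an SMTP reply line",
}

# "smtp;" prefix (optional), 3-digit reply code, optional enhanced status
# code such as 5.7.1, then the free text.
REPLY = re.compile(
    r"^(?:smtp;\s*)?(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$",
    re.IGNORECASE | re.DOTALL,
)


def classify(diagnostic):
    """Split one SMTP reply / Diagnostic-code value and name the likely cause."""
    text = diagnostic.strip()
    match = REPLY.match(text)
    if not match:
        return {"code": None, "status": None, "text": text, "cause": "unparsed"}
    code, status, detail = match.group(1), match.group(2), match.group(3).strip()
    lowered = detail.lower()
    if "send as" in lowered:
        cause = "send-as"          # section 3: missing Send As permission
    elif "relay" in lowered:
        cause = "relay-denied"     # section 2: host not in the allowed list
    elif code.startswith("4"):
        cause = "transient"
    else:
        cause = "other"
    return {"code": code, "status": status, "text": detail, "cause": cause}


def parse_badmail(text):
    """Return one record per block of text that carries a Diagnostic-code."""
    records = []
    for block in re.split(r"\r?\n\s*\r?\n", text):
        # Unfold continuation lines (they start with whitespace).
        block = re.sub(r"\r?\n[ \t]+", " ", block)
        fields = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
        if "diagnostic-code" in fields:
            record = classify(fields["diagnostic-code"])
            record["recipient"] = fields.get("final-recipient", "").split(";")[-1].strip()
            record["hint"] = HINTS[record["cause"]]
            records.append(record)
    return records


if __name__ == "__main__":
    for rec in parse_badmail(SAMPLE_BAD):
        print(rec["recipient"], rec["code"], rec["status"], rec["cause"])
        print("  check:", rec["hint"])
```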

Testing IIS SMTP Relay mail flow

Test IIS SMTP Relay settings

In this section we will review how to test the IIS SMTP relay mail flow. One option is to try sending email from the LAN Mail enabled Devices\Applications, but if a problem prevents them from sending mail through the IIS SMTP server, it’s hard to find the cause of the problem.

The way that I recommend is to use a nice free mail client tool named Basic SMTP Telnet Client, which enables us to simulate the mail flow and, in case of problems, to use the “debug” option (Enable Step by Step Sending) to get information about the specific cause of the problem.

In the following section, we will demonstrate how to test the IIS SMTP relay infrastructure by using the Basic SMTP Telnet Client.

Note – before you start to use the Basic SMTP Telnet Client, verify that you added the IP address of the host that you use to the Relay restriction section of the IIS SMTP server.

Test 1: testing the ability of the IIS SMTP server to relay mail to an Office 365 recipient

In the Telnet properties tab we configure the required settings for the communication with the IIS SMTP server.

  • Receive connector IP: add the IP address of the IIS SMTP server
  • TCP Port: add the SMTP port number (25)
  • Mail From: in this text box, add the email address that represents the IIS SMTP server (the IIS SMTP credentials that we use for identification when communicating with the Exchange Online server).
  • Recipient To: in this text box, add the email address of the “destination recipient” that is supposed to get the mail from the Mail enabled Devices\Applications. In our example, we will use the email address of the recipient named Isabel (IsabelY@o365info.com).
  • Subject: this is an optional parameter that creates the “Subject header”


Telnet tab – click on the Send button


To verify that the mail message was sent to the destination recipient, log in to the destination recipient’s mailbox and check whether the mail was accepted.

If the mail was not sent to the destination recipient, we can use the option Enable Step by Step Sending.
This option enables us to verify each of the steps involved in the “send mail process”. We need to “activate” each of the steps, such as EHLO, MAIL FROM etc., and observe the result in the “step window”.


Test 2: testing the ability of the IIS SMTP server to relay mail to an Office 365 recipient “on behalf” (“Send as permission”) of a LAN Mail enabled Device\Application

If the first test completes successfully, we can continue with the second test, which simulates the scenario of LAN Mail enabled Devices\Applications that relay mail to the IIS SMTP server. The basic assumption is that we completed all of the required settings that enable the IIS SMTP server to send mail “on behalf” of the LAN Mail enabled Devices\Applications.

  • Receive connector IP: add the IP address of the IIS SMTP server
  • TCP Port: add the SMTP port number (25)
  • Mail From: in this text box, add the email address that represents the “LAN Mail enabled Devices\Applications” that will relay mail to the IIS SMTP server. In our example, we will use the email address of the Helpdesk application (HelpDesk@o365info.com).
  • Recipient To: in this text box, add the email address of the “destination recipient” that is supposed to get the mail from the Mail enabled Devices\Applications. In our example we will use the email address of the recipient named Isabel (IsabelY@o365info.com).
  • Subject: this is an optional parameter that creates the “Subject header”


Enable the IIS SMTP relay to send mail on behalf other Email address

After creating the required settings for the IIS SMTP relay, we need to solve an additional issue that can be described as: enable the IIS SMTP relay to send mail on behalf of another email address.

For demonstration purposes, let’s use the following scenario:
We want to enable two internal hosts to send email using the IIS SMTP server.
One host is a Help Desk application that uses the email address HelpDesk@o365info.com, and the other host is a fax machine that uses the email address FaxService@o365info.com.

If these hosts try to relay mail to the IIS SMTP server, the mail message will be rejected by the Exchange Online server because, by default, a recipient (in our example: John@o365info.com) cannot send email “on behalf” of another recipient (in our example: FaxService@o365info.com and HelpDesk@o365info.com).

The good news is that we don’t need to create a user account and mailbox to “represent” each of the hosts that will relay mail to the IIS SMTP server.


To enable the IIS SMTP server to send email for these hosts, we can choose one of the following solutions:

1. Using a distribution group and assigning “Send as permissions”

This solution is based on creating a distribution group for each of the hosts that need to relay email to the IIS SMTP server. The distribution group is configured as a security group (a Security\Distribution group). The next step is assigning “Send as permission” to the recipient that the IIS SMTP server uses for authentication (in our example: John@o365info.com). The Send As permission can be assigned by using the web interface or by using a PowerShell command.

Assign “Send as permission” using the office 365 management Web interface

1. Log in to the Office 365 portal and, in the Admin menu, choose the option: Exchange

2. In the Exchange admin center choose the recipient menu –> groups
Click on the “Add” option and choose the Security group option.


3. In our example, we will name the new security-distribution group: FaxService

4. Double click on the name of the new security-distribution group (FaxService) and choose the menu – group delegation.
Click on the add option and add the recipient name that we use for the IIS SMTP credentials (in our example: John).

We need to repeat this procedure for each of the LAN hosts that will need to relay email using the IIS SMTP server.

Assign “Send as permission” using PowerShell command

Assign “Send As” Permissions for a Mailbox/Distribution group

PowerShell command syntax:

Add-RecipientPermission <User/Distribution Group> -AccessRights SendAs -Trustee <User>

Example:

Add-RecipientPermission FaxService -AccessRights SendAs -Trustee John

2. Add an additional email address (alias)

An additional option that we can use (instead of the security\distribution group solution) is to add the email address that will be used by the LAN Mail enabled Devices\Applications as an additional email address (alias) for the recipient that is used by the IIS SMTP server.

In our example, we will add two additional email addresses to the recipient named John.

1. Log in to the Office 365 portal and, in the Admin menu, choose the option: Exchange

2. In the Exchange admin center choose the recipient menu –> mailboxes
Choose the recipient name that is used by the IIS SMTP server (in our example: John).


3. Click on the “add” option
In the Mailbox properties choose the option: Email address
In our example, we will add two additional email addresses (aliases) to John’s mailbox: FaxService@o365info.com and HelpDesk@o365info.com

Article based on www.o365info.com

 



Implementing IIS SMTP relay

In the following section we will review all of the settings and prerequisites that we need to implement for using IIS SMTP as a mail relay server.


SMTP Relay prerequisites

1. IIS SMTP User credentials

The credentials that the IIS SMTP server uses for communication with Exchange Online can be any Office 365 user credentials that have a license for an Exchange Online mailbox. There is no need to purchase a dedicated license for this purpose. The only “issue” that we should consider regarding the recipient name (the Office 365 user that we use to authenticate to the Exchange Online server) is that, by default, each of the messages relayed to the Exchange Online server will include this recipient name in the From field. For example, if we configure the IIS SMTP server to use the credentials of an Office 365 user named John, each message sent from a LAN Mail enabled Device\Application to another Office 365 recipient will be displayed at the destination recipient as a mail message sent by “John”.

Later on, we will review the scenario in which the LAN Mail enabled Devices\Applications use a different mail address, and how to enable the IIS SMTP server to send email “on behalf” of these hosts.

2. Firewall settings

To enable the IIS SMTP server to create a communication channel to Exchange Online, we need to create an outbound rule in the organization firewall that allows the IIS SMTP server to use TLS (port 587).


 

3. Exchange online server Host name

The IIS SMTP server needs to “know” the host name of the Exchange Online server that will accept the mail messages for the Office 365 recipients.
To find the required Exchange Online server name, use the following instructions:

1. Log on to the Office 365 portal with the user credentials that will be used by the IIS SMTP server (in our example we will use the credentials of the user named John).
2. In the top menu choose – Outlook
3. Under the user name, choose – Options –> See All Options

4. In the Account section, click on the link named: settings for POP3, IMAP4 and SMTP Access

In the window that appears, look for the section: SMTP Settings.
Here you can find the Exchange Online server name (in our example: pod51014.outlook.com) and, additionally, we can see that there is a mandatory requirement for using the TLS protocol (port 587).

Office 365 preview

If you migrated your Office 365 subscription to the “New Office 365” (at the current time described as: Office 365 preview), the SMTP server name that we need to use is: smtp.outlook.office365.com

 
 

Installing and configuring the IIS SMTP server

In the following section we will demonstrate how to install the IIS SMTP server on a Windows 2008 server.

Step 1: install IIS Server

  • Open the Server Manager console and under Features select Add Features
  • Select the option: SMTP Server
    (The rest of the installation process is just next, next etc.)


Step 2: IIS SMTP Service


By default the IIS SMTP service is not started and the startup type is: Manual


  • We need to change the default setting to: Automatic.
    Double click on the SMTP service, Simple Mail Transfer Protocol (SMTP), and change the Startup type to: Automatic
  • Start the IIS SMTP service (SMTPSVC)

Step 3: IIS SMTP Server MMC

The management console for the IIS SMTP server is Internet Information Services 6.0
(there is no option of managing the IIS SMTP server using the “standard” IIS 7 management console).
We can find the IIS 6.0 Manager under Administrative Tools -> Internet Information Services 6.0


IIS SMTP relay configurations

In the following section we will review all of the required settings for configuring the IIS SMTP server as an “SMTP relay”.

1. IIS SMTP relay “LAN interface”


The first part relates to the settings for the interface, or the “IIS leg”, that serves the LAN hosts (Mail enabled Devices\Applications).

Open the IIS SMTP management console, right click on
[SMTP Virtual server #1] and choose: Properties


Access tab

Access tab – Authentication

Select the Access tab -> Authentication
In the Authentication window select the option: Anonymous access (Mail enabled Devices\Applications don’t need to use authentication).


Access tab – Relay

The “relay” settings are used for configuring the IP addresses of the Mail enabled Devices\Applications that will communicate with (relay mail to) the IIS SMTP server.

In our example we have two hosts that need to send mail to the IIS SMTP server:
a Help Desk application installed on a workstation with the IP address 10.100.102.2
and a FAX device that uses the IP address 10.100.102.3
To enable these hosts to send (relay) mail to the IIS SMTP server, we need to add their IP addresses to the “allowed list”.

Select the Relay tab -> Relay option.
In the Relay restriction window, add the IP addresses of the Mail enabled Devices\Applications that will communicate with (relay mail to) the IIS SMTP server.


Note – Make sure that you enter only the IP addresses of the Mail enabled Devices\Applications that you trust. This setting lets mail that’s coming from these sources be relayed to any destination. In effect, this makes the on-premises server that is running IIS an open relay.
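The note above is easy to verify mechanically once the relay list is written down. This added example (not part of the original article) audits a relay restriction list against the hosts that are supposed to relay, and answers whether a given client address would be allowed. The two host addresses come from the article; the mode names, the RFC 1918 test for "internal" and the broad sample entries are assumptions made for illustration.

```python
import ipaddress

# The two hosts from the article's example.
PAGE_HOSTS = ["10.100.102.2", "10.100.102.3"]

# Assumption: "internal" means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(entry):
    # Accept a single address or a CIDR range; a bare address becomes a /32.
    return ipaddress.ip_network(entry, strict=False)


def may_relay(client_ip, entries, mode="only-listed"):
    """Would this client be allowed to relay?

    mode "only-listed": only addresses in the list may relay.
    mode "all-except":  every address may relay except those in the list.
    (Hypothetical names for the two choices a relay list can express.)
    """
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in _net(e) for e in entries)
    return listed if mode == "only-listed" else not listed


def audit_relay_list(entries, mode="only-listed", expected_hosts=()):
    """Return findings for entries that grant more than the expected hosts."""
    findings = []
    if mode != "only-listed":
        findings.append("mode grants relay to every address that is not listed")
    expected = {ipaddress.ip_address(h) for h in expected_hosts}
    covered = set()
    for entry in entries:
        net = _net(entry)
        if net.num_addresses > 1:
            findings.append(f"{entry}: range grants relay to {net.num_addresses} addresses")
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(f"{entry}: not inside a private (RFC 1918) range")
        hits = {h for h in expected if h in net}
        if expected and not hits:
            findings.append(f"{entry}: no expected mail-enabled host in this entry")
        covered |= hits
    if mode == "only-listed":
        for host in sorted(expected - covered):
            findings.append(f"{host}: expected host is not allowed to relay")
    return findings


if __name__ == "__main__":
    samples = {
        "article example": PAGE_HOSTS,
        "whole subnet (constructed)": ["10.100.102.0/24"],
        "everything (constructed)": ["0.0.0.0/0"],
    }
    for label, entries in samples.items():
        print(label, "->", audit_relay_list(entries, expected_hosts=PAGE_HOSTS) or "ok")
```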

2. IIS SMTP relay “Exchange online interface”

In this section, we will create the required settings that enable the IIS SMTP server to relay mail messages to the Exchange Online server.

Delivery Tab
The Delivery tab is used to configure the IIS SMTP “interface” that communicates with the Exchange Online server.

Delivery Tab – Outbound security

Select the Delivery tab -> Outbound Security option.
In the Outbound Security window select the option: Basic Authentication

We need to provide the credentials of an Office 365 user that has an Exchange Online mailbox. In our example, we will use the credentials of a user named: John@o365info.com

Select the Delivery tab -> Outbound Security option.
In the Outbound Security window select the option: TLS encryption
(for creating a secure communication channel to Exchange Online).

Delivery Tab – TCP port

Select the Delivery tab -> Outbound connection option.
The TLS port number that we use for communicating with Exchange Online is: 587
(please verify that the organization firewall has the required outbound rule that enables the IIS SMTP server to use this port).

Delivery Tab – Advanced

Select the Delivery tab -> Advanced option
In the Smart host text box we need to provide the Exchange Online server name.

The Fully qualified domain name field is not a mandatory requirement. You can add the FQDN of the IIS SMTP server.