The setup in this example is simple: there is a single Exchange Server on
premises which is used for:
- Email administration (both on premises and Office 365)
- Local SMTP relay for devices with no Internet route
The topology looks something like this: a single Exchange 2016 server sits on
premises, with a firewall between it and the Internet. All external MX
records point to Office 365. The firewall is configured to allow the Exchange
Server out to the Exchange Online (EXO) IP ranges on SMTP TCP 25. It also allows inbound SMTP TCP 25,
which is NAT'd to the Exchange Server. In addition to this the NAT rule also
includes HTTPS TCP 443 from anywhere.
I'm going to assume you have the following things already configured:
- Exchange Server 2016 installed (latest CU)
- Exchange Server Virtual Directories configured with External URLs (e.g. mail.domain.com)
- External DNS configured
- Exchange certificates configured. A wildcard certificate is best, but if you do not have a wildcard
certificate ensure your certificate has multiple Subject Alternative
Names (SANs) to cover names like mail.domain.com and
autodiscover.domain.com, to prevent certificate warnings in Outlook.
In this post I'm going to cover the following, with some lessons learned:
- Hybrid Configuration Wizard
- Verify and Test Hybrid
- Administering a Hybrid
Firewall Rules
The Exchange Server should be presented to the Internet on TCP ports 25 and
443 only. The firewall rule should accept incoming SMTP (TCP 25) solely from the
Exchange Online IP ranges. HTTPS (TCP 443), however, has to be open to all so that
services such as Autodiscover work correctly for Outlook and Exchange Online. These rules should be implemented
as NAT rules on your perimeter firewall.
The Exchange Server should be allowed out to the Exchange Online IP ranges for
SMTP (TCP 25). It's advisable to allow only the server itself out, not the
other nodes in the subnet, so that no other host on that network can relay mail to the Internet.
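The Exchange Online ranges change over time, so the allow-list should be generated from Microsoft's published endpoint data rather than typed in once. The following PowerShell is an added example, not code from the original post: it shows how the inbound and outbound TCP 25 rules above can be derived from the Office 365 IP address and URL web service. The JSON embedded in it is constructed so the script runs offline (the prefixes are documentation ranges, not real Exchange Online addresses), and the internal and public addresses of the Exchange Server are assumptions for the diagram.

```powershell
# Added example, not code from the original post: derive the SMTP allow-list
# for the perimeter firewall from the Office 365 IP address and URL web
# service, so the inbound TCP 25 rule only admits Exchange Online and the
# outbound TCP 25 rule only lets the Exchange Server itself reach it.
#
# Live query (needs Internet access; the service requires a fresh GUID):
#   $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
#   $endpoints = Invoke-RestMethod -Uri $uri
#
# The JSON below is CONSTRUCTED so the script runs offline. The prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real Exchange Online addresses.
$sampleJson = @'
[
  { "id": 1, "serviceArea": "Exchange",   "ips": ["192.0.2.0/24", "2001:db8:10::/48"],
    "tcpPorts": "25",     "category": "Allow",    "required": true },
  { "id": 2, "serviceArea": "Exchange",   "ips": ["198.51.100.0/24"],
    "tcpPorts": "80,443", "category": "Optimize", "required": true },
  { "id": 3, "serviceArea": "SharePoint", "ips": ["203.0.113.0/24"],
    "tcpPorts": "80,443", "category": "Default",  "required": true },
  { "id": 4, "serviceArea": "Common",     "urls": ["login.microsoftonline.com"],
    "tcpPorts": "443",    "category": "Allow",    "required": true }
]
'@
$endpoints = $sampleJson | ConvertFrom-Json

function Get-ExoSmtpRange {
    param([Parameter(Mandatory)] [object[]] $Endpoints, [switch] $IncludeIPv6)
    # Only Exchange Online entries that list TCP 25 matter for the SMTP rules.
    # Entries without an "ips" field are URL-only and carry no prefixes.
    $Endpoints |
        Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips -and $_.tcpPorts -and
                       (($_.tcpPorts -split ',') -contains '25') } |
        ForEach-Object { $_.ips } |
        Where-Object { $IncludeIPv6 -or $_ -notmatch ':' } |
        Sort-Object -Unique
}

# Assumed addressing for the diagram: the internal address of the Exchange
# Server and the public address it is NAT'd to.
$ExchangeInternal = '10.0.0.10'
$ExchangePublic   = '203.0.113.10'
$exoSmtp = Get-ExoSmtpRange -Endpoints $endpoints

# Vendor-neutral rule set to transcribe onto the perimeter firewall:
# inbound 25 from EXO only, inbound 443 from anywhere, outbound 25 from the
# Exchange Server only (never from the whole subnet).
$rules = @(
    foreach ($net in $exoSmtp) {
        [pscustomobject]@{ Direction = 'Inbound';  Source = $net;  Destination = "$ExchangePublic (NAT to $ExchangeInternal)"; Port = 'TCP 25'  }
    }
    [pscustomobject]@{ Direction = 'Inbound';  Source = 'any'; Destination = "$ExchangePublic (NAT to $ExchangeInternal)"; Port = 'TCP 443' }
    foreach ($net in $exoSmtp) {
        [pscustomobject]@{ Direction = 'Outbound'; Source = $ExchangeInternal; Destination = $net; Port = 'TCP 25' }
    }
)
$rules | Format-Table -AutoSize
```

Run it with the live query uncommented from a host that can reach the web service, and re-run it on a schedule or whenever the service's version endpoint reports a change, otherwise mail from a newly added Exchange Online range will be dropped at the firewall. Pass `-IncludeIPv6` only if the perimeter actually routes IPv6 to the Exchange Server.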
MX Records
It's possible to have your MX records point to either Office 365 or the on
premises server for a hybrid deployment. It's my preference to always have
them point to the Office 365 tenant, so that inbound mail is filtered by Exchange Online Protection before it reaches the on-premises server. When you set up your custom domain in
Office 365 you will be given the target address (ending in mail.protection.outlook.com) for your MX records to point at.
Centralized Mail Flow
Centralized Mail Flow is when all outbound mail from Office 365 mailboxes is forced to go
through the on-premises Exchange Server before leaving for the Internet. Personally I prefer all mail to be
routed out via Office 365, so ensure this option is not selected in the HCW if you want
Office 365 to route outbound mail directly.
Full or Minimal Hybrid
Full Hybrid gives the richest coexistence (free/busy sharing, secure mail flow, mailbox moves) and will be required if your organization
is going to retain hybrid for an extended period of time. Minimal Hybrid is intended for a quick migration and recipient administration only; it does not set up the free/busy sharing features.
Edge Transport
The Edge Transport server is an SMTP relay which sits between your
Exchange Server and the Internet, most commonly in a DMZ. You must decide whether
this is going to be in your topology before you run through the hybrid
wizard, because the HCW asks which server role will handle secure mail transport with Office 365.
AD Connect
AD Connect will be required to sync your on-premises identities to Office
365. This should be configured with Password Hash Sync and the Exchange Hybrid
Deployment optional feature. Please note that if the Exchange Hybrid Deployment option is not
selected, AD Connect will not write the Exchange-specific attributes back from Office 365 to
on-premises AD, which will cause internal mail routing issues.
If AD Connect is already in place, you must
change its settings so that it is reconfigured to use Exchange Hybrid
Deployment. To do this open the AD Connect configuration wizard, choose Customize synchronization options and
on the Optional Features page you will see the Exchange hybrid deployment option.
Log in to the ECP on the Exchange Server and click the Hybrid tab, then click Configure. This will download the HCW, install it and run it.
It should auto-detect the Exchange Server; ensure you select the correct Office 365 instance (more than likely Worldwide).
You will be prompted for credentials for on-premises AD and Office 365; the Azure AD credentials must be a Global Admin.
The HCW will check over each environment.
Select which features you want as part of this hybrid; Full Hybrid gives the richest integration between on premises and Office 365.
Now you need to publish a TXT record at the root of your domain so that the HCW can validate you own the domain. Create the record, wait for it to replicate and verify the record. This part of the HCW is prone to break. Top tip: rerun the HCW if it continuously fails; it will eventually pass the validation test if the record has been created correctly.
Enable the federation trust; this ensures free/busy information etc. can be shared across the environments.
I don't have an Edge Transport server in my environment so I've chosen the CAS option. If you click Advanced you will be presented with an option to use Centralized Mail Flow, which will route all outbound mail through your on-premises Exchange, which is probably not wise.
The HCW will auto-create a Receive Connector so that the Exchange Server can accept incoming mail from Office 365; choose from the drop-down the server you want this to be created on.
The same goes for a Send Connector; we will examine the Send Connector further down and create another one to ensure mail flow to external recipients works correctly.
A publicly trusted certificate must be installed on the Exchange Server; the same certificate you use to secure the server's Virtual Directories can be used by the HCW. A wildcard is generally best as it can cover multiple service names behind a single domain.
You then need to input the on-premises service name; I tend to use mail.domain.com. This is the host Exchange Online will connect to when routing mail to mail-enabled objects that reside in your domain. Obviously a DNS A record must be created to direct this service name to the outside IP address of your Exchange Server. Please do some DNS testing to ensure this is resolving correctly before you attempt this part.
Click Update and the HCW will run a bunch of scripts to implement the changes, based on the information you have provided to the HCW.
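Once the HCW reports success it is worth confirming, from the Exchange Management Shell, that the pieces the wizard depends on are actually in place: the domain proof TXT record, the MX and service-name records, the certificate bound to SMTP, and the hybrid objects with centralized transport left off. The script below is an added example written for this post, not code from the HCW or the original author; it is read-only. The domain, service name, public IP and proof token are assumptions to replace with your own values, and the send connector name pattern is the one the HCW has used in the versions I have seen, so treat it as an assumption too.

```powershell
# Added example, not code from the original post: post-HCW verification to run
# from the Exchange Management Shell on the on-premises server. Every value in
# this block is an assumption to replace with your own.
$Domain      = 'domain.com'
$ServiceName = "mail.$Domain"          # on-premises service name given to the HCW
$ExternalIp  = '203.0.113.10'          # assumed NAT'd public address of the Exchange Server
$TenantMx    = '*.mail.protection.outlook.com'

function Test-HybridDns {
    param([string] $ProofToken)   # the TXT value the HCW domain ownership page gave you
    # Resolve-DnsName returns additional-section records too, so filter on Type.
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings })
    $mx  = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'MX')
    $a   = @(Resolve-DnsName -Name $ServiceName -Type A -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A')
    [pscustomobject]@{
        ProofTxtPublished   = [bool]($ProofToken -and ($txt -contains $ProofToken))
        AllMxPointToExo     = ($mx.Count -gt 0) -and
                              -not ($mx | Where-Object { $_.NameExchange -notlike $TenantMx })
        MxHosts             = ($mx | Sort-Object Preference | ForEach-Object { $_.NameExchange }) -join ', '
        ServiceNameResolves = ($a.IPAddress -contains $ExternalIp)
    }
}

function Test-HybridCertificate {
    # The certificate the HCW picked must be bound to SMTP, not self-signed,
    # and cover the names Outlook and Exchange Online connect to (a wildcard
    # for the parent domain counts).
    $required = @($ServiceName, "autodiscover.$Domain")
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
        $names  = @($_.CertificateDomains | ForEach-Object { "$_" })
        $covers = foreach ($name in $required) {
            $wild = '*.' + ($name -replace '^[^.]+\.', '')
            ($names -contains $name) -or ($names -contains $wild)
        }
        [pscustomobject]@{
            Thumbprint  = $_.Thumbprint
            SelfSigned  = $_.IsSelfSigned
            DaysToExpiry = [int]($_.NotAfter - (Get-Date)).TotalDays
            CoversNames = -not ($covers -contains $false)
            Names       = $names -join ', '
        }
    }
}

function Test-HybridObjects {
    $hc       = Get-HybridConfiguration
    $features = @($hc.Features | ForEach-Object { "$_" })
    # Assumed HCW naming: the send connector it creates starts with "Outbound to Office 365".
    $send = @(Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' })
    # The receive side is marked by a TLS domain capability for Exchange Online.
    $recv = @(Get-ReceiveConnector |
              Where-Object { "$($_.TlsDomainCapabilities)" -match 'mail\.protection\.outlook\.com' })
    $orgs = @(Get-OrganizationRelationship)
    [pscustomobject]@{
        HybridDomains        = ($hc.Domains | ForEach-Object { "$_" }) -join ', '
        CentralizedTransport = ($features -contains 'CentralizedTransport')   # expect False here
        FreeBusyFeature      = ($features -contains 'FreeBusy')
        SendConnectorToExo   = ($send.Count -gt 0)
        SendConnectorTls     = ($send | ForEach-Object { "RequireTLS=$($_.RequireTLS) TlsDomain=$($_.TlsDomain)" }) -join '; '
        ReceiveAcceptsExo    = ($recv.Count -gt 0)
        FederationTrust      = [bool](Get-FederationTrust)
        FreeBusyRelationship = (@($orgs | Where-Object { $_.FreeBusyAccessEnabled }).Count -gt 0)
    }
}

Test-HybridDns -ProofToken 'paste-the-HCW-token-here'
Test-HybridCertificate
Test-HybridObjects
# Cloud side, after Connect-ExchangeOnline: the HCW outbound connector should
# report RouteAllMessagesViaOnPremises as False unless you chose centralized mail flow.
#   Get-OutboundConnector | Select-Object Name, RouteAllMessagesViaOnPremises, TlsSettings
```

If `AllMxPointToExo` or `ServiceNameResolves` comes back False, fix DNS before touching the connectors; the HCW's domain validation and Exchange Online's delivery to the on-premises service name both depend on public resolution, not on what your internal DNS says. A False `CoversNames` means Outlook will warn and Exchange Online may refuse TLS to the on-premises host, which is exactly the scenario the wildcard or SAN certificate was meant to prevent.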