Practical 365

Creating a Hybrid Configuration with Exchange and Office 365

February 8, 2016 by Paul Cunningham 138 Comments

In the last part of this series we looked at preparing for Hybrid deployment with Office 365. In this article we’re going to create the Hybrid configuration between the on-premises Exchange organization and the Office 365 tenant.

The current on-premises environment is running:

  • 2 x Exchange 2016 Mailbox servers
  • 1 x Exchange 2013 multi-role server
  • 1 x Exchange 2013 Edge Transport server
  • 1 x Exchange 2010 multi-role server

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled, so that Exchange Online can reach the Mailbox Replication Service proxy on them for remote mailbox moves. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

[PS] C:\>Get-WebServicesVirtualDirectory | fl server,mrs*

Server          : EX2013SRV1
MRSProxyEnabled : True

Server          : EX2010SRV1
MRSProxyEnabled : True

Server          : EX2016SRV1
MRSProxyEnabled : False

Server          : EX2016SRV2
MRSProxyEnabled : False

The servers can be MRS Proxy enabled by running Set-WebServicesVirtualDirectory. The one-liner below enables it on every EWS virtual directory in the organization where it is still turned off.

[PS] C:\>Get-WebServicesVirtualDirectory -ADPropertiesOnly | Where {$_.MRSProxyEnabled -ne $true} | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true


The Hybrid Configuration Wizard is launched from the Exchange Admin Center, in the hybrid section.

office-365-hybrid-configuration-01

After clicking Enable we need to sign in to the Office 365 tenant with a global admin account.

office-365-hybrid-configuration-02

We’re directed to download the Hybrid Configuration Wizard tool. Click the "click here" link to download it.

office-365-hybrid-configuration-03

Follow the prompts to install the application.

office-365-hybrid-configuration-04

When the Hybrid Configuration Wizard launches, click Next to begin.

office-365-hybrid-configuration-05

The HCW will detect a server to use automatically, or you can specify one if you need to.

office-365-hybrid-configuration-06

Enter credentials for both the on-premises organization and the Office 365 tenant.

office-365-hybrid-configuration-07

When the connections and credentials have been successfully validated, click Next to continue.

office-365-hybrid-configuration-08

For my scenario I’ll be using the Edge Transport server for secure mail flow, and not enabling centralized mail transport.

office-365-hybrid-configuration-09

There is only one Edge Transport to choose in my environment.

office-365-hybrid-configuration-10

Next we choose a reference server, and then an SSL certificate on that server, to use for secure mail flow.

office-365-hybrid-configuration-11

Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.

office-365-hybrid-configuration-12

After entering all of the information in the wizard click Update to configure and enable Hybrid for your organization. The configuration takes just a few moments as long as there are no errors encountered.
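Two of the wizard inputs above are easy to get subtly wrong: the certificate chosen on the reference server and the FQDN that Exchange Online Protection will route to. The script below is an added example, not code from the original article; it checks both before you click Update, from the server that terminates inbound SMTP (the Edge Transport in this series). It resolves the FQDN, looks for a local SMTP-enabled public certificate that covers it, then opens a real STARTTLS session on port 25 and records the certificate actually presented, which is how a spam appliance or load balancer sitting in front of Exchange shows up. `$MailFlowFqdn`, `$ExpectedPublicIp`, the example host names and the EHLO name are placeholders; the `Get-SmtpStartTlsCertificate` function is written for this example.

```powershell
# Added example, not part of the original article.
# Assumptions: run in the Exchange Management Shell on the server that receives
# mail from EOP; the two values below are placeholders.

$MailFlowFqdn     = 'smtp.example.com'   # placeholder: FQDN entered in the HCW
$ExpectedPublicIp = '203.0.113.10'       # placeholder: public IP NATed to this server

# 1. DNS: the name EOP routes to must resolve, in public DNS, to the expected address.
$answers = Resolve-DnsName -Name $MailFlowFqdn -Type A -DnsOnly -ErrorAction Stop
if ($answers.IPAddress -notcontains $ExpectedPublicIp) {
    Write-Warning "$MailFlowFqdn resolves to $($answers.IPAddress -join ', '), expected $ExpectedPublicIp"
}

# 2. Local certificate: SMTP-enabled, publicly issued, unexpired, and covering the FQDN
#    either by exact name or by a wildcard such as *.example.com.
$localCert = Get-ExchangeCertificate | Where-Object {
    $_.Services -match 'SMTP' -and -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) -and
    ($_.CertificateDomains | Where-Object { $MailFlowFqdn -like "$_" })
} | Select-Object -First 1
if (-not $localCert) {
    Write-Warning "No SMTP-enabled public certificate on this server covers $MailFlowFqdn"
} else {
    $localCert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter
}

# 3. STARTTLS probe: connect on port 25 as EOP would and capture the presented certificate.
function Get-SmtpStartTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 25)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read a complete SMTP reply; a '-' after the 3-digit code marks a continuation line.
    $readReply = {
        do { $line = $reader.ReadLine() } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
        $line
    }

    try {
        $banner = & $readReply
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }
        $writer.WriteLine('EHLO hcw-precheck.example.com')   # placeholder client name
        $ehlo = & $readReply
        if ($ehlo -notmatch '^250') { throw "EHLO rejected: $ehlo" }
        $writer.WriteLine('STARTTLS')
        $reply = & $readReply
        if ($reply -notmatch '^220') { throw "STARTTLS refused: $reply" }

        # Accept the certificate inside the handshake; the chain is evaluated explicitly below
        # so that errors are reported instead of aborting the probe.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($cert)
        $chainStatus = if ($chain.ChainStatus.Count -eq 0) { 'OK' }
                       else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

        [pscustomobject]@{
            HostName    = $HostName
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            ChainStatus = $chainStatus
        }
    }
    finally {
        $client.Close()
    }
}

$presented = Get-SmtpStartTlsCertificate -HostName $MailFlowFqdn
$presented | Format-List
if ($localCert -and $presented.Thumbprint -ne $localCert.Thumbprint) {
    Write-Warning "Certificate presented on ${MailFlowFqdn}:25 is not the one selected locally; something else is terminating TLS in front of Exchange"
}
```

Run it from a machine outside the network as well as from the server itself: the DNS and STARTTLS results can differ when an internal resolver or a firewall hairpin hides the device that the internet actually reaches.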

In the next part of this series we’ll look at testing the features of the Hybrid configuration.

Filed under: Exchange Server. Tags: Exchange 2016, Hybrid, Office 365

Comments

  1. mihalevskiy says

    September 16, 2021 at 12:09 pm

    Hello.

    Are you using the same certificate for the mailbox server and the edge for SMTP?

    In that case you cannot re-subscribe the edge.

    You have to buy an additional certificate for the edge.

    Or am I wrong?

    Reply
  2. Natarajan says

    May 3, 2021 at 4:31 pm

    I have a mixed environment:
    1. Six 2010 Exchange servers
    2. Four 2016 Exchange servers
    3. O365 mailboxes.
    Recently updated to CU20 on the 2016 servers; now users on 2010 can’t see O365 users’ free/busy information.

    O365 users can access all users freebusy information.
    Exchange 2016 users can access O365 users freebusy information.
    Exchange 2010 users can access Exchange 2016 users freebusy information.

    The Exchange 2016 servers act as a proxy server for Exchange 2010 users to get O365 users’ free/busy information.

    Received following error message in Exchange 2010 servers:

    ProxyWebRequest CrossSite from S-1-5-21-…….. to https://domainname/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The request failed with HTTP status 400: Bad Request.

    The Exchange 2016 Server HTTPProxy has a BadRequest error.
    Could you help?
    Thank you

    Reply
    • Mars says

      May 11, 2021 at 2:43 pm

      We have exactly the same issue.
      Does anyone have a solution?

      Reply
  3. TankAdmin says

    September 6, 2020 at 4:11 pm

    Hi Paul,
    Exchange HCW8078 – Migration Endpoint could not be created.

    Error details: There was no endpoint listening at https://webmail.domain.com/EWS/mrsproxy.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. –> Unable to connect to the remote server –> No connection could be made because the target machine actively refused it 202.183.94.21:443

    Reply
  4. Jerry says

    March 3, 2020 at 2:21 am

    Hello Paul,

    Thanks for this great post. I wanted to know if you can clarify the following: We have a hybrid setup from Exchange 2010 to Office 365. Can users use their mailboxes (send and receive emails) during the sync process? I was led to believe yes, but we can’t?
    Can you let me know.

    JERRY

    Reply
  5. Tom says

    January 25, 2020 at 12:40 am

    If I need to change the FQDN on O365 for mailbox migrations and for EWS virtual directory On-Prem, do I have to run the HCW again?

    Reply
  6. Tamil Selvan says

    September 11, 2019 at 11:40 pm

    Hi Paul,

    We are already in O365, planning to install on-prem Exchange 2016 (2 Mailbox and 1 Edge).

    1. When external mail flow happens from O365, how does ATP work for on-prem mailboxes?

    2. Is there any impact to the Outlook-configured users if I newly install on-prem Exchange?

    Please answer

    Reply
  7. endrio milani says

    July 9, 2019 at 12:14 am

    HI, CAN I HAVE MORE THAN ONE EDGE SERVER CONFIGURED ON HYBRID CONFIGURATION ? Third party edge transport… I need to manage some users with one external edge transport and others with another external edge transport .
    Thanks

    Reply
  8. Chris says

    May 18, 2019 at 4:51 pm

    I’m doing a migration from 2010 to 2016 following your article. I’m using a wildcard certificate and going through the HCW without selecting the transport option, as Exchange 2016 doesn’t have one… it’s very strange that our on-prem mailboxes are unable to receive emails from external after that. Everything works fine except the on-prem mailboxes.

    The MX record is fine and the mail trace indicates the message was already sent, but the mailbox never receives any emails at all from external. Care to advise me further?

    Reply
  9. John Smith says

    April 16, 2019 at 9:25 am

    Hi Paul,
    How to remove the Hybrid configuration and decommission the on-prem exchange?
    All mailboxes have been moved to Office 365 and on-prem Exchange is no longer needed
    Thanks

    Reply
  10. John Smith says

    April 16, 2019 at 9:24 am

    Hi Paul,
    How to remove the Hybrid configuration and decommission the on-prem exchange?
    All mailboxes have been transferred to Office 365 and on-prem exchange is no longer needed
    Thanks

    Reply
  11. ManhVD says

    April 15, 2019 at 5:41 pm

    What happens when I have 3 CAS servers? Which server will the HCW detect to install on?

    Reply
  12. Vladimir says

    January 22, 2019 at 11:26 pm

    Hi Paul,

    Thank you for this article!

    Can I ask you one thing regarding the FQDN? In our organization, we have Edge transport log. When I am running the hybrid wizard, should I specify the external DNS record of the edge server as the FQDN?

    Thank you in advance!

    Vladimir

    Reply
    • Dave says

      August 20, 2020 at 11:03 pm

      What did you end up doing Vladimir? We’re in the same boat.

      Reply
  13. Shashank says

    December 6, 2018 at 3:17 am

    Hi Paul,

    Great Article !!

    We have 2 Exchange Mailbox servers, 1 CAS server, 1 Edge server. Our MX is pointed to Sophos antispam email device.
    Mail first hits the Sophos antispam device, then goes to the edge then the CAS.

    Now I have the SSL certificate and installed it on all my servers, and ran the Hybrid Configuration Wizard. At the last step, where it asks for the FQDN address, I added the CAS server’s FQDN, i.e. webmail.xyz.com, as mail.xyz.com is where our MX points and that is at Sophos; please do correct me if I am wrong?
    Also, now when I check the outbound connector setup on Office 365 and validate it, it gives me an error:

    TLS authentication failed.

    Couldn’t validate the recipient’s email server certificate.

    The SSL certificate is installed on Edge server with SMTP binding as well as on CAS & mailbox servers. This is where we are stuck. Would be great if you could guide me a little.

    Thanks
    Shashank

    Reply
    • Jesus says

      September 22, 2021 at 4:11 pm

      Were you able to find an answer?

      Reply
    • Lionel Shaul says

      April 10, 2022 at 4:00 pm

      I am submitting a late reply because it may help others. I just successfully completed the minimal HCW setup. Before running the wizard I ensured the MRS Proxy was enabled. I also ensured that TLS v1.2 was configured on my Exchange 2016 server as the preferred protocol as per: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761

      I did not disable TLS 1.0 or TLS 1.1 since the on-premises Exchange 2016 server will be decommissioned in a few weeks.

      Reply
  14. Tej says

    November 1, 2018 at 5:48 am

    Hi Paul,

    Our current on-premises environment is running:
    2 x Exchange 2010 SP3 RU20 Mailbox servers in a DAG
    1 x Exchange 2010 SP3 RU20 multi-role server (CAS & HT)
    1 x Exchange 2010 SP3 RU20 Edge Transport server

    Today I ran the latest HCW and can’t find the “Configure my edge transport server for secure mail transport” option to select my Exchange 2010 Edge Transport server for secure mail transport.

    What configuration am I missing on-premises which prevents this option in the HCW?

    Appreciate any help in advance.

    Regards,

    Reply
  15. Allan Saul says

    October 24, 2018 at 11:43 pm

    Hi Paul,

    Can you undo a Hybrid configuration if it fails ?
    If so how.

    Reply
    • kofi says

      July 26, 2020 at 11:14 pm

      Hi Allan

      Yes, just uninstall all the apps you used to perform the migration (Hybrid Wizard) and delete the 365 connection in the on-premises send connector.

      Reply
  16. John Stansell says

    October 19, 2018 at 12:19 am

    Does anyone know if having a 3rd party relay will affect the ability to complete the Hybrid connection? We currently use Symantec as an AV and SPAM scanner so our MX records point to them first.

    Reply
    • Will says

      October 23, 2018 at 6:22 pm

      It won’t affect running the HCW… however, mail flow to / from O365 cannot go via this 3rd party gateway.
      (https://docs.microsoft.com/en-gb/exchange/transport-options – see “IMPORTANT” notice at top of the article)

      Normal inbound / outbound internet email is perfectly fine to remain going over this appliance, however mail to / from O365 cannot go over this appliance. When you run the HCW you have to enter an FQDN for smart host as the last step… that FQDN cannot point to your third party appliance and must go to an Exchange server (or Edge) server without the SMTP headers being modified.

      Reply
    • Will says

      October 23, 2018 at 6:26 pm

      It won’t affect running the HCW, however it is not supported for that appliance to be ‘in the way’ of mail flow between O365 and on-premises. (https://docs.microsoft.com/en-gb/exchange/transport-options)

      When you run the HCW you’re asked for an FQDN as the last step. This FQDN is what O365 will use as a smart host for mail to / from on-premises, it needs to be an Exchange Server or Edge Transport server (Load balancer for SMTP is possible, provided along the way the SMTP headers aren’t modified).

      Reply
  17. Lee says

    October 16, 2018 at 9:47 pm

    Paul
    Can we run Exchange 2010 and 2016 on-prem and establish a hybrid presence to Exchange Online? We wish to use centralised mail routing along with ADFS. Will Exchange 2010 proxy free/busy requests etc. via 2016 frontend servers to Exchange Online?

    Reply
  18. jim bailey says

    October 4, 2018 at 2:51 am

    Paul,
    Does the Office 365 hybrid configuration wizard need to be run on an Exchange server, or can it be run on a DC server for example?

    Reply
    • Will says

      October 23, 2018 at 6:24 pm

      It doesn’t have to be run from the Exchange server, it can be run from a client machine for example, provided the correct access to exchange is available.

      I would recommend you don’t run the HCW from your DC though. You shouldn’t be running anything like this from your DC. Create a management workstation / server if you must have a central location to do this sort of thing.

      Reply
  19. Felipe Cesar Cardoso says

    September 21, 2018 at 10:31 pm

    During the wizard, when I select Edge Transport Server, do I need to select the self-signed certificate? Or do I need to select a third-party certificate for the external name of the Edge Server (e.g. edge.company.com)?

    As I select the Edge Server choice, in the “Organization FQDN” screen, do I need to type the external name of the Edge Server (e.g. edge.company.com)?

    Reply
  20. Rizwan says

    June 30, 2018 at 6:39 am

    Hi Paul,
    I have configured Hybrid with an Exchange 2016 server, with AD users synchronizing to Office 365.
    I moved some mailboxes from on-premises Exchange to the Office 365 cloud.
    Currently I’m sending my email to the internet from my Barracuda appliance.
    Now I want to send all outbound emails from my Exchange 2016 to the Internet via Office 365 to utilize EOP.
    Once I had created one send connector on my on-premises Exchange server, defined the Office 365 smart host “mydomain-com.mail.protection.outlook.com”, entered an asterisk (*) in Fully Qualified Domain Name (FQDN), and clicked Save,
    we started receiving the below message when sending to some external users.

    Delivery has failed to these recipients or groups:
    amirr@gmail.com (amirr@gmail.com)
    Unable to relay due to relay restriction
    The following organization rejected your message: VE1EUR01FT051.mail.protection.outlook.com.

    Diagnostic information for administrators:
    Generating server: msexchange.abl.com
    amirr@gmail.com
    VE1EUR01FT051.mail.protection.outlook.com
    Remote Server returned ‘550 5.7.64 TenantAttribution; Relay Access Denied [VE1EUR01FT051.eop-

    Once Barracuda was back online and we changed all setting back to normal, mail flowed correctly.

    Reply
    • Paul Cunningham says

      June 30, 2018 at 3:01 pm

      Don’t create the connector manually. Run the Hybrid Configuration Wizard, it will create the necessary configuration for hybrid mail flow. If you want EOP as your inbound/outbound mail route, then you should also read this: https://docs.microsoft.com/en-gb/exchange/mail-flow-best-practices/manage-mail-flow-for-multiple-locations#scenario1

      Reply
  21. Eddie says

    June 27, 2018 at 10:12 pm

    Hi Paul,

    We have no Edge server and a TrendMicro IMSVA acting as a smarthost. To send mail from on-premises to O365 the TrendMicro IMSVA is not supported. What would be a supported way to send mail from on-premises to O365?

    Reply
    • Paul Cunningham says

      June 28, 2018 at 11:30 am

      Exchange and Exchange Online need to be able to communicate directly for mail flow. Simple as that really. The Hybrid Configuration Wizard will configure the required connectors for you.

      Reply
  22. Abraham says

    June 25, 2018 at 2:01 am

    Hi Paul,

    I would like to setup Exchange 2013 Hybrid. We have two servers with both mailbox and CAS role with KEMP loadbalancer. What I understand is we can’t add KEMP loadbalancer in the mailflow routing. Could you please help me with the configuration here? How do I setup Hybrid now?

    Reply
    • Paul Cunningham says

      June 26, 2018 at 9:23 am

      NAT the inbound connections from Exchange Online directly to an Exchange server, not via the load balancer.

      Reply
  23. PaulH says

    June 20, 2018 at 12:38 am

    Paul, if you are migrating 10K’s mailboxes using a hybrid configuration, do you need to configure multiple endpoints and split the batches across them or will a single endpoint distribute the batches as required?

    We have exchange servers in 3 regions but a single org.

    Thanks
    Paul

    Reply
    • Paul Cunningham says

      June 20, 2018 at 9:23 am

      You don’t need to. You can if you want to. It’s up to you.

      Michael Van H has a blog post series covering this topic. Part 1 is here: http://www.enowsoftware.com/solutions-engine/intelligently-using-migration-endpoints-to-speed-up-migrations-to-exchange-online

      Reply
  24. avi says

    June 15, 2018 at 11:55 pm

    I am in a situation where we will run the Hybrid environment (Hybrid wizard) but we don’t have any external URL published apart from ActiveSync. So if we publish the OWA URL externally, can we use the same name for the FQDN that I need to put in the hybrid wizard?
    When I need to put the send/receive connector in the wizard, do I need to select the internal Exchange server name (multi-role) which should have a public NATed IP? Do we need any external URL for the same?

    So which SAN entry should the certificate contain?

    Reply
  25. Aldo says

    June 7, 2018 at 2:46 am

    For mail flow from Office 365 to an on-premises server, can a load balancer be used to have multiple servers for high availability? Are there any specific settings on the load balancer that would be needed, say for F5, or does this require a persistent connection?

    Reply
  26. SamB says

    April 14, 2018 at 5:36 am

    Speaking of Hybrid Configuration, I currently have Exchange 2010 and 2016. Originally the Hybrid Configuration was done on 2010. Recently installed 2016. I’m trying to figure out what’s the best way to move the Hybrid Configuration from 2010 to 2016.

    Any help be great.

    Thank You

    Reply
    • Paul Cunningham says

      April 14, 2018 at 10:47 am

      Short answer for any change in topology or internal infrastructure like that is to re-run the HCW.

      Reply
      • SamB says

        April 16, 2018 at 10:53 pm

        Thanks, will be testing it sometimes this week.

        Reply
  27. Garrett Michael Hayes says

    April 10, 2018 at 1:14 am

    Paul,
    Great run-through as usual!
    (Apologies if this is duplicated – I tried to post Friday, but it doesn’t seem to have appeared.)

    I’m struggling with a couple of points, and hoping you can point me in the right direction. Let me give some details, and then pose some questions.

    Setup:
    I have 3 Exchange 2010 servers, SP3, RU18 on 2008 R2E. 2 Are running DB, CAS, Transport in a DAG. 1 is DB only.
    SMTP inbound is fronted by a Barracuda Spam Firewall for all but 1 domain. The remaining domain is passed through our firewall straight to the 2 transport servers, but limited as to the source IPs. I have added the EOP source IPS so we can target the Exchange Online traffic there.
    OWA is accessed through TMG.
    Multiple accepted domains (about 30). Only 2 have Autodiscovery configured, as they are the only two through which users currently log on.
    Azure AD sync is already running.

    Problem(s):
    Running the Hybrid Configuration Wizard fails at setting up the Federated Trust. Ownership records verify OK. It appears to set up Federation for 1st domain, but fails on the 2nd. I unchecked that 2nd domain and ran again, but that fails with an error that the first is already set up (which it was, of course).

    Questions:
    1) Do I need to set up Autodiscovery for all the accepted domains, even though users don’t log on using those names?
    2) Can I safely remove the partial Federation set up for the first domain? (I presume that would be through the CLI?)

    Reply
    • Paul Cunningham says

      April 10, 2018 at 10:47 am

      It’s hard to troubleshoot complex scenarios without access to the environment, and I also don’t know what error you’re seeing when the HCW runs. I would suggest you open a support case with Microsoft so they can see the problem first hand.

      Reply
      • Garrett Michael Hayes says

        April 10, 2018 at 9:03 pm

        I would cheerfully give you access to the environment! But point taken. Thanks anyway!

        Reply
        • Garrett Michael Hayes says

          April 14, 2018 at 5:52 am

          For the benefit of anyone else who runs into this, here’s the resolution, which we actually found without recourse to M$.

          It turns out that the initial HCW step which “verifies” the existence of the TXT records on each domain before setting up the Federation trusts doesn’t (apparently) FULLY verify the record. What was going on was that the TXT record for the first domain (the one that worked) was correct, while the next domain’s TXT record had a LF at the end – as did about 4/5ths of the records. This was an artifact of the cut-and-paste process from the text file supplied by Microsoft.

          “Dig txt domain.com” showed it when it wasn’t obvious in the UI of the DNS host.

          We removed the LFs from the offending records and the setup continued just fine.

          Reply
          • Paul Cunningham says

            April 14, 2018 at 10:07 am

            Nice work. I recall a DNS provider tripping up one of my projects with some kind of UI bug like that. I think they were stripping one particular character out of the proof string, which I ended up writing this script to catch:

            https://www.practical365.com/exchange-server/powershell-script-to-test-federated-domain-proof-txt-record-for-hybrid-deployments/

          • Garrett Michael Hayes says

            April 28, 2018 at 1:13 am

            I’m sure you thought you were rid of me [grin], but I have another question – hopefully not too complex.

            We’re able to migrate mailboxes now, but it’s very slow. I’m sure this is largely because the URL for the MRS proxy points to our TMG server on a slow (10 Mb) channel. So we’re using a slow link with a feeble old machine in the way. I have a couple of existing URLs that point directly to our two CAS/OWA servers through a limited-access firewall hole on a 100 Mb connection. I have verified that the O365 servers can move mail pieces between the cloud and the on-prem servers over that channel. It’s just not using it for the mailbox moves.

            So here’s the question:
            If I change the external URL for the MRS Proxy on each Exchange server to the corresponding address on the main firewall, is anything OTHER than mailbox replication affected? I won’t screw up OWA or ActiveSync will I?
            (Oh, related 2nd question – can I define more than one endpoint at O365?)

          • Paul Cunningham says

            April 28, 2018 at 9:05 am

            May as well learn it from the master himself

            http://www.enowsoftware.com/solutions-engine/intelligently-using-migration-endpoints-to-speed-up-migrations-to-exchange-online

          • Garrett Michael Hayes says

            May 2, 2018 at 12:10 am

            Wow! Thanks. TONS of great info there. Alternate endpoints working just fine now. (Of course, it only took me an entire day to find the one typo in my ACL… [le sigh])

  28. Djam says

    March 29, 2018 at 8:46 pm

    Hi, very good explanation!

    I’ve 2 questions:
    – you say “those servers will be internet-facing for the Hybrid configuration” about “the Exchange 2016 Mailbox servers”. Maybe this is a DAG (?) as you deal with a load balancer. But in the HCW, we see that only one of the 2 Exchange 2016 servers is configured. So what about if this server is down? And is it possible to add the two Exchange servers?

    – My other question: have you tested adding a hybrid server to an existing Office 365 tenant that uses AADC? In particular, do we see the existing O365 mailboxes as remote mailboxes, or do we have to do something (enable remote mailbox to have the good attributes)?

    Thanks for all! 😉

    Reply
    • Paul Cunningham says

      March 30, 2018 at 10:57 am

      For question 1, I had two servers load balanced for HTTPS traffic, so any HTTPS connections for Hybrid (e.g. migrations, free/busy) would still work with one server offline.

      But I only have one Edge Transport in that environment, so for SMTP traffic/mail flow if that server is down then hybrid mail flow would stop.

      For question 2, I don’t understand your question. It sounds like you have a particular scenario in mind and want to test it. You should set up a test Exchange environment and a trial Office 365 tenant and run through your scenario so you can test what you’re interested in. That is the best way to ensure that what you experience is well understood and aligns with your needs.

      Reply
  29. Rae says

    March 15, 2018 at 2:18 am

    Hi paul,

    What apps can be lost when building a Hybrid configuration of Exchange 2010?

    Reply
    • Paul Cunningham says

      March 15, 2018 at 5:28 am

      Apps? I don’t understand what you mean by that question.

      Reply
  30. Dev says

    January 19, 2018 at 5:25 pm

    Hi Paul,

    Nice Article.

    I have a single Exchange server with the CA and MB roles installed. I am in the process of building the Hybrid setup to move it to Office 365. During the hybrid setup wizard, do I need to select the “centralized mail transport” option for a typical setup? I don’t have an Edge.

    And the Organization FQDN, how do I get it? Is it my ECP URL?

    Above all, will doing the hybrid setup create any disturbance in the current Exchange setup or mail flow? Please help

    Reply
  31. Mike S says

    December 31, 2017 at 2:56 am

    I may have missed something but what if you don’t need any mail flow between your on prem server and O365 and are just using Exchange 2016 for management? Are the steps different?

    Reply
    • Paul Cunningham says

      December 31, 2017 at 8:38 am

      You might find the Minimal Hybrid Configuration suits your needs.

      https://blogs.technet.microsoft.com/exchange/2016/06/24/hcw-improvement-the-minimal-hybrid-configuration-option/

      Reply
  32. Pascal says

    November 20, 2017 at 5:14 pm

    Hi Paul,

    Seems like you have a good grip on this stuff – wondering if you have seen anything like this before. When running the Hybrid Configuration Wizard, we are selecting full hybrid. Everything is good with adding TXT entries to verify our domains, and then it just freezes saying “Adding Federated Domain”. In the logs, errors point to receiving an html file when an xml file was expected from a server, but it is not clear where it is connecting to – I believe the Microsoft Federation Gateway. The error is basically just an html webpage saying that the error can’t be reported remotely and to check the web.config errors on the server (yea, what server?).

    We’ve tried changing time settings, making sure MRS Proxy is on, lots of other things. We are on Exchange 2013. Is it possible this error is caused by a firewall or a proxy? I would expect that to not even connect. The minimal Hybrid setup seems to be working as expected. Any thoughts would be appreciated, thanks!

    Reply
    • Paul Cunningham says

      November 21, 2017 at 9:29 am

      I recommend opening a support case with Microsoft. They should be able to look at your log and spot the problem quickly.

      Reply
  33. Quentin Capron says

    November 10, 2017 at 6:51 pm

    Hello Paul, thanks for this great article.
    I just have a question. I’ve configured a Hybrid deployment with Exchange 2010 SP3 & Office 365.
    I created a test account on Office 365. My on-premises mailbox can write to the Office 365 account only if I configure my company domain to be an Internal Relay. Is this normal?
    Thanks.

    Reply
    • Paul Cunningham says

      November 10, 2017 at 8:31 pm

      The Hybrid Configuration Wizard takes care of all of the necessary configuration.

      In a hybrid environment you should be creating users in the on-premises Active Directory, and enabling them with a remote mailbox. That will create the Exchange Online mailbox for them when the account synchronizes to Azure Active Directory.

      There is documentation on TechNet that you can search for to find the exact steps for creating new users and mailboxes in hybrid environments.

      Reply
  34. Ram says

    November 9, 2017 at 6:06 am

    Hi – I will be setting up hybrid Exchange 2016 at home to learn and understand Exchange concepts.

    Since our ISP blocks port 25 for home customers, I will be using port 2525 and configure a Send Connector with a smart host to send email out. Will this be a problem for the hybrid configuration?

    Do I need to buy an Exchange Online license to set up Exchange hybrid?

    Thanks

    RL

    Reply
    • Paul Cunningham says

      November 9, 2017 at 6:19 am

      You’ll need port 25 for hybrid mail flow, but you can still configure the hybrid configuration without port 25 open.

      Yes, an Exchange Online license is needed for a hybrid Exchange configuration.

      Reply
  35. Les Davila says

    August 17, 2017 at 11:15 pm

    Hello,
    I’m starting a Hybrid migration and your articles are a life saver, thank you! In my scenario, my client also has an on-prem Lync/Skype server in use.
    How would the O365 DNS records affect the on-prem Skype?
    Any additional configuration needed for the skype interaction between the cloud and on-prem users?

    Reply
    • Paul Cunningham says

      August 18, 2017 at 9:21 am

      I don’t do any Skype work myself, but there’s a chapter on Skype in our Office 365 for IT Pros book.

      Reply
  36. john says

    July 12, 2017 at 1:02 pm

    Hi,
    I’m planning to set up hybrid Office 365 with my Exchange 2010 environment.
    FYI: EOP was already configured a few years ago with Office 365, so currently all incoming and outbound emails go through Office 365.
    I was wondering whether I still need to do the Receive and Send Connector configuration steps as part of the Wizard. Do I skip this, as it’s already configured?
    Please advise.

    Reply
  37. Balgates says

    July 12, 2017 at 6:40 am

    Hi Paul,

    We have 2 x Exchange 2016 servers and two Edge 2010 servers.
    External (in/out) SMTP is routed via the Edge servers. Exchange 2016 is only allowed HTTPS and HTTP traffic and the Edge servers are only allowed SMTP traffic.

    Now we have planned to run the Hybrid Wizard with the Edge servers. I have the doubts below; could you please help me on this.
    => Do we need to open port 25 for Exchange 2016?
    => We have a public cert (wildcard) installed on Exchange 2016; do we need to install the same certificate on Edge 2010 as well?
    => In the above steps it was not clear. We are selecting the Edge server for mail flow, and when it comes to the certificate we were selecting the Exchange 2016 server. It’s a bit confusing. Please explain with more clarity.
    => Do we need to perform any manual steps on the Edge server after the HCW to send or receive external emails?
    => DNS doubt (we have a wildcard certificate):
    mail.xyz.com – IP 1.1.1.1 (ports 443 and 80 allowed) is pointed to the Exchange 2016 server
    SMTP.xyz.com – IP 1.1.1.2 (port 25 allowed) is pointed to the Edge 2010 server
    What name do I have to provide during the HCW Org FQDN name configuration for secure email?

    Reply
    • Paul Cunningham says

      July 12, 2017 at 10:32 am

      We have a very detailed set of chapters on hybrid deployments in our Office 365 book. Michael Van Horenbeeck wrote the hybrid chapters and he is one of the world experts on the topic, so I think you’ll find it very useful.

      Here’s the link:
      https://www.practical365.com/ebooks/office-365-for-it-pros/

      Reply
  38. Logan says

    January 29, 2017 at 12:34 am

    Hi, we are in the process of setting up our Office 365 environment. We are currently a Notes shop and have installed our very first Exchange server (2016). Our On-prem Exchange server will be used as the first stop in our mail migration. The migrated mail will then be migrated to our Exchange Online with a mailbox move. It is our intent that with the exception of that quick touch during the migration process that our on-prem Exchange will not house mailboxes and will only be used for administration activities.

    We have some confusion about the 3rd party certificate requirement for the hybrid configuration. All documentation that I read indicates that a 3rd party cert is required, but in many places the documentation indicates, or implies, that the mail flow is bidirectional.

    So, in the scenario described above are 3rd party certs still a requirement or can self-signed certs be used?

    Thanks

    Logan

    Reply
    • Paul Cunningham says

      January 29, 2017 at 4:54 pm

      Third party cert is still required.

      Reply
      • Caleb Stanley says

        April 18, 2018 at 6:11 am

        Hey Paul,

        Regarding the 3rd party certificate… we have two Exchange 2013 servers that are load balanced… we have a cert for the web address that resolves to the public IP of the load balanced servers.

        From my research, we have to point Office 365 to a SINGLE server in order to migrate mailboxes. Creating a NAT rule to one of our servers is not an issue. I am planning on creating a domain name that resolves to the NATed IP address (ex-c.pinelake.org)… my question is, would I need to get a new 3rd party SSL cert for that domain and install it on that single Exchange server in order for it to work? Would installing multiple SSL certs on a single server break anything?

        Thank you in advance.

        Reply
        • Paul Cunningham says

          April 18, 2018 at 7:08 am

          Yes, you’ll need a certificate on the server that includes the migration namespace that you’re going to use. Only one certificate can be bound to IIS/HTTPS at the same time, so that certificate will need to also include all the other namespaces (it can be a wildcard or a SAN certificate, your choice). Since it is the recommended practice to use the same SSL certificate on all servers that are load balanced together, you should also export/import that same certificate to your other server (the one that isn’t handling migration traffic but is load balanced for other namespaces).

          Reply
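
The certificate check and copy that Paul describes in the reply above, as an added example (this is not code from the original post or from the HCW). The server names EX2013A/EX2013B, the migration name ex-c.pinelake.org and the PFX path are placeholders; the wildcard-matching rule in the helper is my own one-label interpretation. Run it from the Exchange Management Shell.

```powershell
# Added example: confirm the certificate bound to IIS on the migration server covers the
# migration namespace, then export it and bind the same certificate on the other
# load-balanced node. Placeholder names below; replace with your own.
$MigrationServer = 'EX2013A'
$OtherServer     = 'EX2013B'
$RequiredNames   = @('ex-c.pinelake.org', 'mail.pinelake.org', 'autodiscover.pinelake.org')
$PfxPath         = 'C:\Temp\hybrid-cert.pfx'

function Test-CertificateCoversNames {
    param(
        [Parameter(Mandatory)] $Certificate,           # object from Get-ExchangeCertificate
        [Parameter(Mandatory)] [string[]] $Names
    )
    $domains = @($Certificate.CertificateDomains)
    foreach ($n in $Names) {
        # Exact SAN match, or a single-label wildcard in the same zone (*.pinelake.org covers ex-c.pinelake.org)
        $parent = $n.Substring($n.IndexOf('.') + 1)
        if (-not ($domains -contains $n -or $domains -contains "*.$parent")) { return $false }
    }
    return $true
}

# 1. Only one certificate can hold the HTTPS binding, so find the one with the IIS service enabled
$iisCert = Get-ExchangeCertificate -Server $MigrationServer | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCert) { throw "No certificate is bound to IIS on $MigrationServer" }

if (-not (Test-CertificateCoversNames -Certificate $iisCert -Names $RequiredNames)) {
    throw "Certificate $($iisCert.Thumbprint) does not cover all required names. SANs: $($iisCert.CertificateDomains -join ', ')"
}
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($iisCert.NotAfter); renew it before starting mailbox moves"
}

# 2. Export with the private key as a password-protected PFX
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Server $MigrationServer -Thumbprint $iisCert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 3. Import on the other node and bind it to IIS so both servers present the same certificate
Import-ExchangeCertificate -Server $OtherServer -Password $pfxPassword `
    -FileData ([byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $OtherServer -Thumbprint $iisCert.Thumbprint -Services IIS -Force

# 4. Verify both servers bind the same thumbprint for IIS, then remove the PFX from disk
foreach ($s in $MigrationServer, $OtherServer) {
    Get-ExchangeCertificate -Server $s -Thumbprint $iisCert.Thumbprint |
        Select-Object @{n = 'Server'; e = { $s }}, Thumbprint, Services, NotAfter
}
Remove-Item -Path $PfxPath -Force
```

The PFX holds the private key, so it is written with a password and deleted as soon as the import succeeds; on a load balancer that terminates or bridges TLS, the same certificate also needs to be installed there.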
  39. DK says

    January 26, 2017 at 12:01 am

    We are currently in the process of going through a hybrid configuration to O365, and although we can change our MX to point to O365, due to security compliance we *cannot* bypass our on-prem 3rd party SMTP gateway and go direct to Edge or Mailbox backend Exchange.

    What are the implications of using O365 hybrid in this case? MS white papers suggest ‘information’ is lost going through 3rd party SMTP gateways, but don’t specify what that is.

    From what I gather, the “X-MS-Exchange-Organization-AuthAs” is seen as Anonymous instead of Internal.

    Any other issues anyone is aware of apart from this??

    Reply
    • Paul Cunningham says

      January 26, 2017 at 12:56 pm

      It breaks internal mail flow. Being able to differentiate between internal and external mail flow is important for features such as Out-of-Office, Transport Rules, and so on.

      It’s not supported to add a non-Exchange SMTP gateway into the hybrid mail flow, and I’m not aware of any compliance regulations that would require it. Every customer I work with accepts the supported topology.

      Reply
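
A way to see the effect Paul describes in the reply above on an actual message, as an added example (not from the original post): parse the header block of a received message and report the X-MS-Exchange-Organization-AuthAs value, which is what Out-of-Office and transport rules key on. The two header blocks are constructed samples, not real mail; hostnames and IP addresses in them are placeholders. Plain PowerShell, no Exchange cmdlets needed.

```powershell
# Added example: parse RFC 5322 headers (handling folded lines) and report whether the
# message was authenticated as Internal hybrid mail or as Anonymous.
function Get-MessageHeaders {
    param([Parameter(Mandatory)] [string] $RawHeaders)
    # A line that starts with whitespace continues the previous header (folding)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $Matches[1]
            # Headers such as Received: repeat, so keep every occurrence in order
            if (-not $headers.ContainsKey($name)) { $headers[$name] = @() }
            $headers[$name] += $Matches[2].Trim()
        }
    }
    return $headers
}

function Test-HybridAuthAs {
    param([Parameter(Mandatory)] [string] $RawHeaders)
    $h = Get-MessageHeaders -RawHeaders $RawHeaders
    $authAs  = if ($h.ContainsKey('X-MS-Exchange-Organization-AuthAs'))     { $h['X-MS-Exchange-Organization-AuthAs'][0] }
    $authSrc = if ($h.ContainsKey('X-MS-Exchange-Organization-AuthSource')) { $h['X-MS-Exchange-Organization-AuthSource'][0] }
    $hops    = if ($h.ContainsKey('Received')) { $h['Received'].Count } else { 0 }
    [pscustomobject]@{
        AuthAs     = $authAs
        AuthSource = $authSrc
        Hops       = $hops
        Internal   = ($authAs -eq 'Internal')   # only Internal gets OOF/transport-rule treatment as org mail
    }
}

# Constructed sample 1: Exchange Online delivers straight to the on-premises hybrid connector
$direct = @"
Received: from mail-example.outbound.protection.outlook.com (203.0.113.5) by
 EX2016SRV1.contoso.local (10.0.0.21) with Microsoft SMTP Server (TLS) id 15.1.1234.5;
 Tue, 1 Mar 2022 10:00:00 +0000
X-MS-Exchange-Organization-AuthSource: EX2016SRV1.contoso.local
X-MS-Exchange-Organization-AuthAs: Internal
Subject: test
"@

# Constructed sample 2: the same message relayed through a non-Exchange gateway first
$viaGateway = @"
Received: from smtpgw.contoso.com (203.0.113.10) by
 EX2016SRV1.contoso.local (10.0.0.21) with Microsoft SMTP Server id 15.1.1234.5;
 Tue, 1 Mar 2022 10:00:02 +0000
X-MS-Exchange-Organization-AuthSource: EX2016SRV1.contoso.local
X-MS-Exchange-Organization-AuthAs: Anonymous
Subject: test
"@

Test-HybridAuthAs -RawHeaders $direct
Test-HybridAuthAs -RawHeaders $viaGateway
```

To check a real message, paste its full header block (Outlook: File, Properties, Internet headers) into the $RawHeaders parameter; a message from a cloud mailbox that shows Anonymous on arrival is being treated as external by the on-premises organization.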
  40. GCPatrick says

    January 25, 2017 at 1:16 am

    When we run “Update” after following the wizard, we are getting an error:

    HCW0000 PowerShell failed to invoke ‘Set-FederatedOrganizationIdentifier’: No federation trust is configured for this organization or no domain is federated as the account namespace.

    Any ideas? We have had Azure AD Connect in place for a few months, with no issues, but we receive this error when we go through HCW.

    Reply
    • GCPatrick says

      January 25, 2017 at 1:19 am

      Our environment:
      Exchange 2013 CU14
      3x Mailbox
      2x CAS

      Thanks for the article!

      Reply
  41. James says

    January 18, 2017 at 1:17 am

    Paul,

    Cannot get a clear answer on this from anyone, or any article…

    We know we need to open up port 80/443 – but to everyone? Or just the list of O365 IP ranges?

    Reply
    • Paul Cunningham says

      January 19, 2017 at 1:33 pm

      Well, what is your requirement? For everyone to access those ports, or just the O365 servers?

      There’s no right/wrong answer, it all depends on your specific scenario.

      Reply
  42. Colin says

    January 16, 2017 at 8:46 pm

    Hi Paul,

    I am trying to run the HCW from a single Exchange 2010 SP3 server and am immediately getting an error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I can’t see too much online around it and was wondering if you have ever experienced it?

    Thanks,
    Colin

    Reply
    • Kevin Eyer says

      March 18, 2017 at 4:45 am

      I am having this exact same error message saying that Microsoft Exchange has stopped working and the HCW doesn’t start. I too can’t see too much online around it and was wondering if you have ever experienced it?

      Reply
  43. Zamir Mushtaq says

    December 28, 2016 at 7:03 pm

    HI Paul,

    We have deployed a hybrid environment in which some users are on premises and a few are on O365. Currently the MX record and autodiscover are pointing to the on-premises server. We are planning to shift the MX records to O365. What should we do with the autodiscover record? Should it still point to the on-premises server or to O365? We have to provide email access on Outlook, OWA and mobile devices for both sets of users.
    Please advise. Thanks

    Reply
  44. Vemaiah Bandi says

    December 21, 2016 at 8:09 pm

    Hello Paul,

    I have seen somewhere in Microsoft documentation that they say we should not keep any server or device in between Office 365 and the Hybrid servers, as that causes some issues for SMTP traffic. But in this case a load balancer has been placed; will it not create issues for SMTP traffic? Please clarify: can we place any firewalls or load balancers in between them, and if not, how can we protect our connection from external attacks?

    Reply
  45. Administrator says

    November 24, 2016 at 1:08 am

    Hi Paul,

    Following running the HCW, I gather I am meant to see new Send and Receive connectors in the EAC for the on-premises server, but this hasn’t happened. Should I create them manually? Is there a way to find out why the HCW hasn’t added them automatically? The wizard completed without errors.

    Thanks

    Reply
  46. Tony says

    October 31, 2016 at 11:03 pm

    Hi Paul,

    Thanks for the informative article. In the step where you mentioned “Enter an FQDN that can be used by Exchange Online Protection to route mail to the on-premises organization. This name should resolve in DNS to the public IP address of your on-premises server.”

    When you entered mail.practical365.com, does this point to the Edge server or Exchange 2016 server?

    Thanks,
    Tony

    Reply
    • Paul Cunningham says

      November 1, 2016 at 10:41 am

      If you are using an Edge Transport server for hybrid mail flow, it goes to your Edge Transport server. If not, it goes to a Mailbox server.

      Reply
  47. Henry says

    October 9, 2016 at 3:06 am

    Hi Paul,

    Great document. I am in a situation where my CAS and HUB roles are on different servers, and I plan on keeping them like that. It’s Exchange 2010 SP3 with the latest CU… we are also using SSL offloading, which isn’t supported for Autodiscover and EWS (both will be changed to SSL bridging), but there are no third party certs on my servers and I recently installed a wildcard on my Hub Transport servers only… is this enough? Or do I need to install it on my CAS as well? SSL offloading/bridging will be used…

    Thanks Henry
    Thanks

    Reply
  48. Josh says

    October 3, 2016 at 9:18 am

    We are on office 365 and are migrating to on-site Exchange 2016.
    Exchange 2016 CU3 running on Windows Server 2012 R2.

    When I first installed Exchange 2016 and ran the Hybrid Configuration Wizard – everything went well until the “Update” step at the end. The Error said that I need to update Exchange 2016 to the latest major release.

    So I updated to CU3. And ran the wizard again.

    It still says the same error. And looking into the log – the Hybrid Configuration Wizard is only compatible through CU2. What????? Now I can’t roll back, am stuck on CU3 – and can’t set up the hybrid environment. Help!!

    Can I manually set up the hybrid environment with 2016 and Office 365? Or should I export PST files from each user on 365 and then import them into the on-site 2016 environment?

    Thanks for any help or direction anyone can provide.

    (reason for moving from 365 to on-site exchange: nested contact/distribution lists in public folder. Not available on 365.)

    Reply
    • Paul says

      October 3, 2016 at 12:27 pm

      HCW should work with CU3. I suggest you open a support case via the O365 portal.

      Reply
  49. shahin says

    September 23, 2016 at 12:19 am

    Hi,

    Could you tell me what approach is best for this situation?

    Currently we are hosting emails for some of our customers; these customers have no access to the on-premises Exchange server, and the address book of each customer is only accessible to that customer.

    office 365 was registered with this domain:
    mydomain.com

    our own company email domain is:
    @mycompany.com

    customer 1 email domain:
    @customer1.org

    customer 2 email domain:
    @customer2.fr

    customer 3 email domain:
    @customer3.net

    The address books must be segregated from each other.

    Reply
    • TeamTerry says

      December 23, 2016 at 8:15 am

      What you’re after is called a Multi Tenant Exchange environment.
      Here are some guides –
      https://www.geekandi.com/2013/08/02/exchange-2013-multi-tenancy-step-by-step/
      http://www.ronnyrenner.ch/?p=1142

      Reply
  50. Charley Burroughs says

    September 16, 2016 at 9:21 am

    Paul,

    I’m getting an error with Hybrid Wizard HCW8057/HCW8078. There are no firewall ports being blocked and DNS is configured correctly. The MRSProxy.svc is enabled but O365 is unable to communicate. I’m at a loss. The only thing I haven’t done is enabled RPC over HTTP and so, would this cause my issue? Thanks for the great work!

    Charley

    Reply
    • Charley Burroughs says

      September 23, 2016 at 4:59 am

      Follow up: just in case someone else is having the same issue. It turned out to be a cipher issue in which MS was looking for 1 of 5 cipher responses that our F5s had disabled due to vulnerability.
      Basically, go into the F5, copy the existing SSL profile, and modify the profile to add “:TLS1”. If you have an F5, you will know what I’m talking about.

      Reply
      • Tony Holdgate says

        November 15, 2016 at 1:14 pm

        Charley was that serverside SSL on F5 or clientside SSL?

        Reply
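
A probe for the kind of TLS mismatch Charley ran into, as an added example (not from the original post or from any vendor): it asks the hybrid HTTPS endpoint for each TLS version separately and reports what was negotiated, then checks that MRSProxy.svc answers with an authentication challenge. The hostname is a placeholder. One caveat an editor should add: Exchange Online has since retired TLS 1.0 and 1.1, so today the thing to verify is that the load balancer offers TLS 1.2 with a strong cipher suite, not that TLS 1.0 is re-enabled.

```powershell
# Added example: check which TLS versions the hybrid endpoint negotiates and whether
# MRSProxy is reachable. Replace the placeholder hostname with your hybrid namespace.
$HybridHost = 'mail.example.com'

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: this probe is about protocol support, not chain trust
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        # Offer exactly one protocol version so the result says whether the server accepts it
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol   = $Protocol
            Negotiated = $true
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Protocol = $Protocol; Negotiated = $false; Cipher = $null
            Subject  = $null;     NotAfter   = $null;  Error  = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

# Probe each version separately. A handshake that only works for Tls (1.0) is the
# situation described above; today Tls12 must succeed.
foreach ($p in [System.Security.Authentication.SslProtocols]::Tls,
               [System.Security.Authentication.SslProtocols]::Tls11,
               [System.Security.Authentication.SslProtocols]::Tls12) {
    Test-TlsVersion -HostName $HybridHost -Protocol $p
}

# MRSProxy reachability: an unauthenticated GET should return 401, not a timeout or 404.
function Test-MrsProxyEndpoint {
    param([Parameter(Mandatory)] [string] $HostName)
    $uri = "https://$HostName/EWS/mrsproxy.svc"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode
    } catch {
        # Windows PowerShell throws on 4xx; the response object still carries the status code
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode } else { throw }
    }
    [pscustomobject]@{ Uri = $uri; Status = $status; MrsProxyReachable = ($status -eq 401) }
}
Test-MrsProxyEndpoint -HostName $HybridHost
```

Run it from outside the corporate network so the connection passes through the load balancer the same way Exchange Online's does; a failure for Tls (1.0) on a hardened client can also be the client's own SCHANNEL policy, so read the Error column before blaming the server.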
  51. lloyd parchment says

    September 9, 2016 at 5:11 am

    We need to know if there is a GUI, and if not then we need to configure our Edge servers to pass traffic inbound from O365 and outbound to the internal network.

    Reply
    • Paul Cunningham says

      September 9, 2016 at 2:46 pm

      A GUI for Edge Transport? No, there isn’t one.

      To use Edge Transport servers for Hybrid mail flow, first subscribe the Edge Transport servers to the AD site, then run or re-run the Hybrid Configuration Wizard and select the Edge Transport servers for mail flow.

      Reply
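
The Edge subscription Paul refers to in the reply above, carried through end to end as an added example (not from the original post). The site name, server name and file path are placeholders; step 1 runs on the Edge Transport server, the rest on a Mailbox server in the site you are subscribing to.

```powershell
# Added example: subscribe an Edge Transport server to an AD site, force the first
# synchronization, and verify it before re-running the HCW and selecting the Edge server.

# --- Step 1: on the Edge Transport server ---
# The XML carries the bootstrap credentials the Mailbox servers use to reach the Edge's
# AD LDS instance (TCP 50636), so treat it as a secret and delete it after import.
$SubscriptionFile = 'C:\Temp\EdgeSubscription.xml'
New-EdgeSubscription -FileName $SubscriptionFile

# --- Step 2: on a Mailbox server, import the subscription into the target site ---
$Site = 'Default-First-Site-Name'              # placeholder site name
$file = 'C:\Temp\EdgeSubscription.xml'         # copied from the Edge server
New-EdgeSubscription -FileData ([byte[]](Get-Content -Path $file -Encoding Byte -ReadCount 0)) -Site $Site
Remove-Item -Path $file -Force

# --- Step 3: push accepted domains, send connectors and recipient data, then check status ---
Start-EdgeSynchronization -Server 'EX2016SRV1' -ForceFullSync   # placeholder Mailbox server
$result = Test-EdgeSynchronization
$result | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc

function Test-EdgeSyncHealthy {
    param([Parameter(Mandatory)] $SyncResult)
    # Every subscribed Edge server should report Normal
    @($SyncResult | Where-Object { $_.SyncStatus -ne 'Normal' }).Count -eq 0
}
if (-not (Test-EdgeSyncHealthy -SyncResult $result)) {
    throw 'EdgeSync is not healthy. Check TCP 50636 from the Mailbox servers to the Edge server and rerun Test-EdgeSynchronization.'
}

# --- Step 4: the subscription now exists in AD, which is what the HCW reads when it lists Edge servers ---
Get-EdgeSubscription
```

Once the subscription is healthy, re-run the Hybrid Configuration Wizard and choose the Edge Transport option for mail flow; the HCW then applies the hybrid connector settings to the subscribed Edge servers.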
  52. Steve says

    August 19, 2016 at 1:08 pm

    Hi All.

    My scenario is one Exchange 2010 SP3 Edge and one 2010 SP3 internal server with Hub Transport / CAS. When I run the Office 365 hybrid config wizard I do not get the option in the Hybrid Configuration to select the Edge server. I only have the radio button to select “configure my client access and mailbox servers for secure mail transport (typical)” – any idea why?

    regards

    Reply
    • Paul Cunningham says

      August 25, 2016 at 5:58 pm

      My understanding is that is normal, and if you want to use a 2010 Edge for a Hybrid deployment there’s manual config required for the connectors.

      Reply
  53. Andreas says

    August 18, 2016 at 7:29 pm

    Hi Paul,
    we have another scenario and I would like to ask you how we can implement this.
    We moved half a year ago from provider mail (POP3/IMAP) directly to the Office 365 E3 plan. At the moment we have no Exchange server on premises.
    We only extended our AD schema for Exchange and are syncing it with Azure AD Connect, and we manage some things via AD attributes, which is complicated to administer.
    Can we install Exchange Hybrid in this scenario after already using Office 365, and how does it work? Or is there a chance to install only some tools to manage the Exchange parameters for Office 365?

    Many Thanks
    Andreas

    Reply
  54. David Abbott says

    August 15, 2016 at 11:43 pm

    Hi Paul,

    Fantastic article. I have a client that is looking to move to Office 365 Hybrid with Exchange 2010, they already have DirSync in place as they previously deployed Office 2016 and so already have accounts in Office 365 but we are unable to add any Exchange licences to them.

    Would I be able to simply run the Hybrid Wizard even with DirSync already in place or would it be a case of disabling DirSync, deleting their existing Office 365 accounts and then running the Hybrid wizard?

    Many thanks

    David

    Reply
    • Paul Cunningham says

      August 16, 2016 at 9:17 am

      Why can’t you add Exchange licenses to them?

      Reply
      • David Abbott says

        August 16, 2016 at 5:07 pm

        Hi Paul,

        As they simply put directory sync in place to Office 365 for password sync all the accounts in Office 365 show as not having an Exchange mailbox.

        Many thanks

        David

        Reply
        • Paul Cunningham says

          September 9, 2016 at 2:44 pm

          What’s the outcome that you’re trying to achieve?

          Reply
  55. Bharti says

    August 9, 2016 at 7:08 pm

    Great article. thanks!

    Reply
  56. John says

    July 7, 2016 at 5:00 pm

    Hi Paul,

    Thanks for this tutorial.
    My question is, I have 3 servers 01,02,03.
    If I run the HCW using server 03 and then plan to decommission it, Do I need to re-run the HCW and select a different server?

    Thanks
    John

    Reply
  57. Marc says

    June 28, 2016 at 12:16 am

    Hi Paul,

    I’ve read through your O365 ebook and bonuses. Quite a read! We are planning a migration to a hybrid setup running Ex 2013. We are currently still using 2010 for two Edge server that we use for SMTP relay for applications and some internet IPs. I’m not 100% certain that it’s possible to use Edge 2010 servers for a hybrid setup when running Exchange 2013. I may have misread but I’m having a hard time finding anything else online that says otherwise. Can you confirm, please? Thanks so much.

    Reply
    • Paul Cunningham says

      June 28, 2016 at 10:13 am

      The new HCW is compatible with Exchange 2010, so my assumption is it will work, but I haven’t tried it myself.

      Reply
      • Jop Gommans says

        July 29, 2016 at 11:52 pm

        Yes, that is possible; we set up 2 hybrids lately with Ex2010 Edge servers. Do keep in mind you will need to update your connectors on these machines manually. The wizard will make a note of what changes are needed when you finish it.

        Reply
  58. Jami says

    June 10, 2016 at 5:08 am

    Quick question: I have completed many cutover migrations but never a hybrid. The new company I’m working for is wanting as little impact as possible during the move to hybrid, and then eventually solely Exchange Online. The prerequisites are all set up for the hybrid move. I ran through the hybrid tool yesterday and got to the very end at the “update” button and got scared. Are you aware of any downtime or issues when kicking off the hybrid deployment? Is this something that needs to be done after hours? Any help is greatly appreciated.

    Thanks!

    Reply
    • Paul Cunningham says

      June 10, 2016 at 10:04 am

      It doesn’t cause any downtime, and it doesn’t cause any issues if you’ve planned correctly. Establishing the Hybrid configuration can impact your mail flow depending on what you’re trying to achieve.

      As with all changes there are risks. Understand what you’re trying to achieve, what could potentially be impacted, have a test plan, and have a roll back plan.

      If in doubt, create a test environment to run through it all first.

      Reply
  59. nicholas herbert says

    June 3, 2016 at 10:31 pm

    Hi Paul –
    quick question – I don’t understand this statement above: ‘Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled.’ – I thought this wasn’t a requirement only for migrating on-prem mailboxes to the tenant?
    Also just to verify, in this demo above you’re not going to federate the domain as you are not using ADFS, just password sync? Will the public DNS record for Autodiscover always resolve to the on-prem CAS in a hybrid scenario? Regards, Nicholas

    Reply
    • Paul Cunningham says

      June 3, 2016 at 11:41 pm

      In this example scenario, mailbox migrations will be performed, AD FS is not being used, and AutoD will point to on-prem as long as there are still mailboxes on-prem.

      Reply
  60. sarma kumar says

    May 20, 2016 at 11:11 pm

    Hi paul,
    I have a query: is it possible to exclude the Edge server from the mail transport between Office 365 and Exchange on-premises, but keep the Edge server for external mail communication?

    Reply
    • Paul Cunningham says

      May 22, 2016 at 8:18 pm

      Yes. You’ll need to run your public MX on a different namespace that resolves to a different IP address than what Office 365 is configured to use for mail flow.

      Reply
  61. Steve says

    May 19, 2016 at 9:55 am

    Great article Paul,
    We have a Notes environment and will be migrating to 2016. As such no existing Exchange servers, we are using a 3rd party tool however to stage the migration we are looking to deploy Ex 2016 to host the hybrid environment and enable seamless mailflow between the 365 users and notes users.

    Firstly is 2016 in this environment supported? All documentation I’ve used and seen has always referenced 2013.
    Secondly during the hybrid config wizard should we select “configure edge transport servers with secure mail transport” and tick “Enable Centralised mail transport”?

    Thanks

    Reply
    • Paul Cunningham says

      May 20, 2016 at 1:23 pm

      Yes, Exchange 2016 is supported for Hybrid configurations.

      As for the other options, you should use them if you need to use them in your scenario. I can’t really answer that for you. You simply need to read up on what those options do and then decide if that is applicable to your environment.

      Reply
  62. Lorenzo says

    March 31, 2016 at 11:16 pm

    Hi Paul,
    great article, as usual :).
    I need to configure a Hybrid Deployment from Exchange 2010 SP3 to Exchange Online in a shared namespace scenario.
    Actually the Exchange 2010 infrastructure has the primary SMTP domain set as Internal Relay, so when an Exchange user sends an email to a recipient that doesn’t exist in Exchange, the email is sent to a Smart Host that delivers the message to a separate mail system.
    I know that the Hybrid configuration creates a Send Connector for the namespace “domain.mail.onmicrosoft.com”, and when an on-premises Exchange user is migrated to Exchange Online, the mailbox is converted to a Mail User with a target address that corresponds to the “domain.mail.onmicrosoft.com” domain.
    Based on this information, I believe that the hybrid configuration in this scenario is possible without affecting the existing mail flow.
    Are there other things to consider?
    E.g. is using an internal relay domain in a hybrid configuration supported? And does the HCW change anything regarding the scope of the domain defined in the on-premises Exchange infrastructure?
    Thanks!

    Reply
  63. filip says

    March 31, 2016 at 1:05 am

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

    Reply
    • Paul Cunningham says

      March 31, 2016 at 11:17 am

      I’d suggest you check with your load balancing vendor.

      Reply
      • filip says

        March 31, 2016 at 3:42 pm

        May I ask how you fix this/is recommended?
        I read that it is also possible to use fqdn hybrid.contoso.com and create multiple mx records. This requires multiple external ips. Btw is it then also required to put all mx record names on the ssl cert?

        Reply
        • Paul Cunningham says

          April 1, 2016 at 8:46 am

          Brian Reid has a short write-up on HA for inbound Hybrid mail flow.

          http://c7solutions.com/2014/03/highly-available-office-365-to-on-premises-mail-routing

          Reply
  64. Larry Sullivan says

    March 28, 2016 at 8:08 pm

    I have a hybrid setup with centralized transport configured. MX records point to Exchange Online and mail then gets forwarded to my on-premises server. I noticed that I had been getting a lot of spam. It looks like other mail servers found my IP address and were sending spam directly to my servers. I disabled anonymous connections on the receive connector that has port 25 open. This has helped reduce the spam a lot. I’m not sure if this may cause other potential problems, though. Would it be better to limit the connections in to the O365 IP address range? Is there an easy way to add these?

    Reply
    • Paul Cunningham says

      March 28, 2016 at 9:41 pm

      Disabling anon will impact any internal devices or applications that are trying to use the server to send emails to internal recipients (since that scenario doesn’t require a separate “relay” connector be set up). Of course, if you have set up a “relay” connector for those devices/apps to be able to relay externally, then they’ll continue working anyway (for both internal and external).

      Otherwise, yes it’s a good idea to restrict the access to Exchange to only those IP ranges for Office 365.

      Reply
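
Paul's suggestion of restricting port 25 to the Office 365 ranges, as an added example (not from the original post): pull the current Exchange Online SMTP source ranges from the Microsoft 365 endpoints web service, build a scoped Windows Firewall allow rule on the hybrid server, and list the port 25 receive connectors so the anonymous exposure is visible. The filter on serviceArea and tcpPorts is my reading of the endpoint data, and the rule name is a placeholder; run it as an administrator on the Exchange server.

```powershell
# Added example: restrict inbound SMTP on the hybrid server to the published Exchange
# Online source ranges, and show which receive connectors still accept anonymous mail.

function Get-ExoSmtpRanges {
    # The endpoints service wants a client request id; any GUID is acceptable
    $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
    $endpoints = Invoke-RestMethod -Uri $uri -UseBasicParsing
    # Assumption: the SMTP sources are the Exchange entries that list TCP 25 and carry an ips list
    $endpoints |
        Where-Object {
            $_.serviceArea -eq 'Exchange' -and $_.tcpPorts -and
            (($_.tcpPorts -split ',') -contains '25') -and $_.ips
        } |
        ForEach-Object { $_.ips } |
        Sort-Object -Unique
}

$ranges = @(Get-ExoSmtpRanges)
if ($ranges.Count -eq 0) { throw 'No SMTP ranges returned; refusing to create a rule that would match nothing' }
'{0} ranges returned, for example {1}' -f $ranges.Count, ($ranges[0..2] -join ', ')

# Replace the rule on every run so the allow list follows Microsoft's published changes
$RuleName = 'Hybrid SMTP from Exchange Online only'   # placeholder name
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort 25 -RemoteAddress $ranges -Profile Any | Out-Null

# Exchange setup creates its own broad port 25 allow rules. While they stay enabled the scoped
# rule above adds nothing; review them here before disabling any, and keep a separate rule for
# internal devices and applications that rely on the anonymous relay connector.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 25 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action

# Receive connectors bound to port 25: 0.0.0.0-255.255.255.255 plus AnonymousUsers means the
# connector accepts mail from any source the firewall lets through.
Get-ReceiveConnector |
    Where-Object { $_.Bindings -match ':25$' } |
    Select-Object Server, Name, @{n = 'RemoteIPRanges'; e = { $_.RemoteIPRanges -join ', ' }}, PermissionGroups
```

Run the range query on a schedule and compare its output against the rule, since the published ranges change; a stale allow list silently breaks inbound hybrid mail rather than letting spam in.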
  65. Adrian says

    March 17, 2016 at 3:53 pm

    Paul, can we use NLB to LB the tls smtp traffic between o365 and exchange? I know smarthosts break tls/headers but does a Kemp not touch this?

    Reply
    • Ben says

      April 29, 2017 at 7:00 am

      We use a kemp in the DMZ as a reverse proxy and a kemp load balancing the multi role exchange servers on the LAN. Works fine for TLS SMTP 🙂

      Reply
  66. Mukhan says

    March 8, 2016 at 3:39 pm

    Hi Paul,

    for Hybrid Configuration,

    Is it possible to speed up the process of syncing/migrating mailboxes from on-premises to office 365 by adding one more internet connection OR are there any other possibility?

    Reply
    • Paul Cunningham says

      March 8, 2016 at 4:17 pm

      Available bandwidth is one factor that influences the speed of remote mailbox moves in a Hybrid scenario. There are other factors as well, such as the performance of your servers, and the load on the Exchange Online servers at the time you’re migrating.

      Reply
  67. ChrisM says

    March 4, 2016 at 1:57 am

    I’m tackling my EX2010 migration to O365 now, and the new wizard is GREAT, but I have 3 questions I’m unsure about, because I have a Barracuda spam filter as my MX record, connected to my EX setup via a send connector on the hub transport (smart host).

    Setup
    EX server1 – Holds Hub Transport, Client Access, and Mailbox roles. (no public IP, CAS pretty much unused)
    EX server2 – Client access server used by all users via OWA or Outlook, has public IP (98% of my users connect remotely via OWA or Outlook over HTTPS)
    Barracuda – MX record, public IP, handles all mail in and out. I’ve been told we wish to keep it.

    Q1: On the Hybrid Config page of the wizard, under advanced, Do I need to check the box to enable centralized mail transport? (Yes, I think, because we want all mail to pass through the Barracuda like it does now)

    Q2: On the Public IP address page of the wizard, Our server with the transport role (Server1) doesn’t have a public IP address, would I put the public IP of the Barracuda here? Also because I enabled centralized mail transport two steps back.

    Q3: On the Organizational FQDN page of the wizard, Should it be the Barracudas FQDN, or our client access server (Server2) that has the public IP address? Server1 also has the client access role, but no public IP.

    I already have used the Azure AD Connect tool to connect my AD to my O365 tenant with great results. I just don’t want to break mail…eeerr…. have been told not to break mail 😮

    Any assistance would be greatly appreciated!!!

    Thanx
    Chris

    Reply
    • Paul Cunningham says

      March 4, 2016 at 9:37 am

      A non-Exchange server (like your Barracuda) can’t be involved in the mail flow between the on-premises Exchange server(s) and the Exchange Online servers. Exchange Online needs to be able to connect directly to an Exchange server when routing email from a cloud mailbox to an on-prem mailbox, and vice versa.

      So you’re going to need a public IP that NATs to Exchange for that connection to occur. You can lock it down on your firewall so that only the Office 365 IP ranges are allowed to connect in on that IP.

      Centralized transport tells Exchange Online where to send outbound email. With centralized transport enabled, EXO will route email to the on-premises servers instead of directly out to the internet. This then allows your on-premises servers to apply any journaling, transport rules or other compliance requirements you might have, and then route out to the internet via your Barracuda if you wish to keep using it.

      I hope that is clear. In short, the Barracuda can still be used, but not in between the on-premises Exchange servers and the Exchange Online servers.

      Reply
      • ChrisM says

        March 15, 2016 at 12:52 am

        Thank you Paul, in giving the outside IP to the Exchange server, it looks like it mostly needs access to port 443 from the outside world to get the hybrid setup going for migration. I also see MS is asking me to open up port 25 to it as well. Is this required seeing that I’m keeping the Barracuda as the MX record?

        Thanx
        Chris

        Reply
        • Paul Cunningham says

          March 15, 2016 at 9:10 am

          Office 365 needs port 25 open to whichever Exchange server will be participating in Hybrid mail flow.

          The Barracuda can’t do this. Whether you keep it as the MX or not is irrelevant to the requirement for Office 365 to talk directly to an Exchange server on-premises.

          Reply
          • Nam says

            November 15, 2018 at 12:08 pm

            Hi Paul,

            As far as I know, if the hybrid setup includes Edge Transport, then we only need to open port 25 on the Edge server?

  68. Barr says

    February 10, 2016 at 4:01 pm

    Why did you select only one cas? Can you elaborate what happens if you select two cas in HCW?

    Reply
    • Paul Cunningham says

      February 10, 2016 at 7:03 pm

      Which step?

      Reply
      • Barr says

        February 13, 2016 at 12:20 am

        if you select 2 CAS will both be configured identical (receive connector with TLS, EWS MRS Proxy, wssecurity, oauth etc…)? And can both accept TLS mail from o365?

        Reply
        • heythere says

          February 14, 2016 at 2:33 am

          Yes

          Reply
  69. heythere says

    February 10, 2016 at 8:02 am

    Hi Paul
    as far as I know EWS will be configured by wizard itself
    so you don’t have to touch it…

    Reply
    • Paul Cunningham says

      February 10, 2016 at 10:51 am

      The EDA recommends it as a prep step, so I do as well.

      Reply
      • heythere says

        February 14, 2016 at 2:32 am

        you are right, I never noticed that :)
        I never used it either and never had a problem.
        The wizard will enable it if it’s not enabled and configure it according to the instructions you enter in the wizard.
        I’ll definitely change my docs to reflect it anyway.
        Thanks

        Reply
  70. filip says

    February 10, 2016 at 5:05 am

    Is it still best to install/run the New HCW on an Exchange server itself?
    Can You please elaborate a bit more about what happens if we select multiple cas servers? And how multiple cas servers act in a Hybrid env.?

    Reply


Copyright © 2022 Quadrotech Solutions AG · Disclosure · Privacy Policy
Alpenstrasse 15, 6304 Zug, Switzerland