Configuring an Exchange 2013 Hybrid Deployment and Migrating to Office 365 (Exchange Online) (Part 10)

If you would like to read the other parts in this article series please go to:

Introduction

In part 9 of this multi-part article series, revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365, or more precisely Exchange Online, we took a look at the WAAD Sync tool engine and verified that objects synchronized as expected from our on-premises Active Directory to the Office 365 tenant. In addition, I talked a bit about which objects and attributes are synchronized to the Office 365 tenant, as well as directory synchronization filtering.

In this part 10, we will continue where we left off back in part 2. Yes, that is right! Now that we have gone through the ADFS and directory synchronization configuration, we can again focus on the Exchange hybrid side of things. In this article, we will talk about what remains to be done to complete the Office 365 “Set up domain” wizard that we began configuring back in part 2. Then we will talk about the mail routing options you have at your disposal in an Exchange hybrid deployment and which one you should select to fit your specific scenario.

Let us get started.

Completing the Office 365 Add a Domain wizard

Okay, so back in part 2 of this article series (seems like a long time ago, right?), we added our custom domain to the new Office 365 tenant. We confirmed ownership of the domain using a TXT record, specified how we wanted to add users and assign licenses (via directory synchronization) and finally specified the domain purpose for the custom domain (Exchange Online). However, as you probably observed, we did not complete all steps under “Step 3”. After having selected the domain purpose and ticked the option that we will have mailboxes in the on-premises environment (Advanced Setup), we reached the page shown in Figure 1 below.

Figure 1: Step 2 of the “Set Up Domain” wizard

Before moving on with the “Set Up Domain” wizard, I want to talk a bit about the mail routing options we have with regard to Exchange hybrid deployments. When it comes to mail routing in an Exchange hybrid configuration, we need to decide whether we want inbound messages from the Internet to route through the on-premises environment or through Exchange Online Protection in Office 365. Before deciding which mail routing path to go with, it’s critical that you understand how each of them works as well as how they affect your environment.

Routing Inbound Messages through the Exchange Hybrid Servers

When it comes to how inbound messages from the Internet should be delivered to mailboxes in your environment, no matter whether they are located on-premises or in Exchange Online, you can choose to keep the existing mail routing that is in place. That is, you can select to have all inbound messages from the Internet go through SMTP gateways in the on-premises perimeter network (such as Edge Transport servers or third-party SMTP servers), directly to the Exchange Hub Transport servers on the internal network, or perhaps to a third-party online filtering service.

Note:
If you decide to keep the existing mail routing, that is, have all mail route through your on-premises environment before it reaches one or more mailboxes on-premises or in Exchange Online, you can leave the MX record unchanged.

From my personal experience, most organizations choose to keep the existing mail routing because of one or more of the following reasons:

  • Compliance policies: Organizations that need to apply compliance policies to messages sent to mailboxes on-premises as well as in Exchange Online.
  • Third-party application integration: Organizations that have an on-premises or online service based application that needs to manipulate or journal messages in transit.
  • Switch MX record at a later stage: Organizations may not wish to switch the MX record to Exchange Online Protection until the migration to Exchange Online has been completed.

Depending on the complexity of the existing mail routing, it is generally a good idea to delay switching the MX record to point to Exchange Online Protection (EOP).

When choosing to route inbound messages destined for an on-premises mailbox or a mailbox in Exchange Online through the existing mail route, the mail routing is as follows:

  1. Sender from external organization sends an e-mail message to a recipient with a mailbox in the on-premises Exchange organization or in Exchange Online.
  2. The e-mail message is received by one of the following:
    • a third-party filtering service on the Internet
    • SMTP servers in the perimeter network
    • the Exchange Client Access servers on the internal network
  3. When the Client Access server in the on-premises organization receives the e-mail message, the next hop depends on where the destination mailbox is located. If the mailbox is in the on-premises Exchange organization, the message is routed to the on-premises Mailbox server on which the mailbox database holding the mailbox is stored. If the recipient has a mailbox in Exchange Online, the message is routed on to Exchange Online Protection (EOP) based on the external e-mail address (targetAddress attribute) of the on-premises mail-enabled user object (MEU object) representing the mailbox in Exchange Online.
  4. If the recipient has a mailbox in Exchange Online, Exchange Online Protection (EOP) routes the e-mail message on to a Client Access server (remember that in Exchange 2013, the CAS acts as an SMTP front-end proxy) in Exchange Online.
  5. The Client Access server in Exchange Online delivers the e-mail message to the Mailbox server that currently has the active copy of the database in which the mailbox is stored.

Figure 2: Inbound & Outbound Routing via on-premises Hybrid servers

Note:
When moving a mailbox from on-premises Exchange to Exchange Online in a hybrid deployment, the mailbox-enabled user object in the on-premises Active Directory is converted to a mail-enabled user object once the mailbox move has completed.

Routing Inbound Messages through Exchange Online Protection

If you wish, and more importantly, are ready to route messages coming from the Internet through Exchange Online Protection (EOP) before they are delivered to either Exchange Online or on-premises mailboxes, you need to switch the MX record for your respective domain to point to EOP. Doing so will have all e-mail messages coming from the Internet route through EOP, where spam and malware-infected messages are filtered, prior to being delivered to the Exchange Online or on-premises mailboxes. A big pro of doing so is that you typically can get rid of the existing Internet-based filtering service or perimeter network based filtering servers you have in place.

Note:
If you have compliance requirements such as journaling of all inbound e-mail messages, be aware that you can configure Exchange Online to achieve this. Over the recent years, a lot of energy and resources have been put into including features that can help fulfil legal and compliance requirements both for small and large organizations.

When choosing to route inbound messages destined for an on-premises mailbox or a mailbox in Exchange Online directly through Exchange Online Protection (EOP), the mail routing is as follows:

  1. Sender from external organization sends an e-mail message to a recipient with a mailbox in the on-premises Exchange organization or in Exchange Online.
  2. The e-mail message is received by Exchange Online Protection (EOP).
  3. If the recipient has a mailbox in Exchange Online, EOP routes the e-mail message to a Client Access server in Exchange Online (if the mailbox is stored in the on-premises Exchange organization, go to 5).
  4. The Client Access server in Exchange Online delivers the e-mail message to the respective mailbox server that currently has the active copy of the database in which the mailbox is stored.
  5. If the recipient has a mailbox in the on-premises Exchange organization, EOP either routes the e-mail message to an Edge Transport server in the on-premises perimeter network or directly to an Exchange Client Access server on the internal network (if the latter, go to 7.).
  6. The Edge Transport server routes the e-mail message to an Exchange Client Access server on the internal network.
  7. The Client Access server delivers the e-mail message to the Mailbox server that currently has the active copy of the database in which the mailbox is stored.

Figure 3: Inbound & Outbound Routing via Exchange Online Protection

Routing Outbound Messages directly to Destination

When it comes to messages sent from internal users in Exchange Online or the on-premises Exchange organization to external recipients, we have the option of having Exchange Online Protection and the on-premises Client Access server (or the Edge Transport server, if one is used) route the e-mail message directly to the external recipient. This is also known as non-centralized transport.

When choosing to route outbound messages from an internal Exchange Online or on-premises mailbox directly to the recipient, the mail routing is as follows:

  1. Internal sender with a mailbox in Exchange Online or on-premises Exchange organization sends an e-mail message to external recipient.
    • If the internal sender has a mailbox in on-premises Exchange organization, go to 2.
    • If the internal sender has a mailbox in Exchange Online go to 4.
  2. If the internal sender has a mailbox in the on-premises Exchange organization, the e-mail message is submitted from the respective Mailbox server to a Client Access server.
  3. The Client Access server routes the message to the recipient (possibly via an SMTP server in the perimeter network or a filtering service on the Internet).
  4. The e-mail message is submitted from the respective Mailbox server to a Client Access server in Exchange Online.
  5. The Client Access server routes the message to Exchange Online Protection.
  6. Exchange Online Protection routes the e-mail message to the destination.

Routing Outbound Messages through On-Premises Hybrid Servers

Lastly, when it comes to messages sent from internal users in Exchange Online or the on-premises Exchange organization to external recipients, we have the option of having all e-mail messages routed through the on-premises Client Access servers (or the Edge Transport server, if one is used) prior to reaching the external recipient. This is also known as centralized transport.

When choosing to route outbound messages from an on-premises mailbox or Exchange Online mailbox through the Client Access servers in the on-premises Exchange organization and from there on to the external recipient, the mail routing is as follows:

  1. Internal sender with a mailbox in on-premises Exchange organization or in Exchange Online sends an e-mail message to an external recipient.
    • If the internal sender has a mailbox in on-premises Exchange organization, go to 2.
    • If the internal sender has a mailbox in Exchange Online go to 4.
  2. The on-premises Mailbox server submits the e-mail message to a Client Access server in the on-premises Exchange organization.
  3. The Client Access server routes the message to the recipient (possibly via an SMTP server in the perimeter network or a filtering service on the Internet).
  4. The e-mail message is submitted from the respective Mailbox server to a Client Access server in Exchange Online.
  5. The Client Access server routes the message to Exchange Online Protection.
  6. Exchange Online Protection routes the e-mail message to the hybrid servers in the on-premises organization (possibly via an Edge Transport server in the perimeter network).
  7. The hybrid server routes the message to the recipient (possibly via an SMTP server in the perimeter network or a filtering service on the Internet).

In this article series, we will route inbound mail through Exchange Online Protection (EOP). Outbound mail will be routed directly to the destination, which means outbound messages coming from Exchange Online won’t route through the on-premises Exchange hybrid servers.
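Before and after switching the MX record, it is worth verifying the two inbound prerequisites discussed above: which path the MX record actually points at, and that every mailbox already moved to Exchange Online has an on-premises mail-enabled user whose targetAddress (exposed as RemoteRoutingAddress) points into the tenant routing domain, since that is what the hybrid servers use to hand the message to EOP. The script below is an added example, not part of the original article; it is meant for the on-premises Exchange Management Shell, and the domain name, the routing domain and the mail.protection.outlook.com suffix used to recognise EOP are assumptions.

```powershell
# Added example (not from the article): check the inbound routing prerequisites
# for a hybrid deployment. Run from the on-premises Exchange Management Shell.
$Domain        = 'contoso.com'                   # assumed custom domain
$RoutingDomain = 'contoso.mail.onmicrosoft.com'  # assumed hybrid routing domain

# 1. Which inbound path is live? EOP MX hosts are assumed to end in
#    mail.protection.outlook.com; anything else means mail still enters
#    through the on-premises or third-party path described earlier.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference
foreach ($record in $mx) {
    $path = if ($record.NameExchange -like '*.mail.protection.outlook.com') {
        'Exchange Online Protection'
    } else {
        'on-premises / third-party'
    }
    '{0,4} {1,-50} -> {2}' -f $record.Preference, $record.NameExchange, $path
}

# 2. Every moved mailbox is represented on-premises by a remote mailbox (a
#    mail-enabled user). Its RemoteRoutingAddress is the targetAddress the
#    hybrid Client Access server uses to route the message on to EOP, so it
#    must live in the tenant routing domain.
$bad = Get-RemoteMailbox -ResultSize Unlimited |
       Where-Object { [string]$_.RemoteRoutingAddress -notlike "*@$RoutingDomain" }
if ($bad) {
    Write-Warning ('{0} remote mailbox(es) have a targetAddress outside {1}:' -f `
                   @($bad).Count, $RoutingDomain)
    $bad | Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress |
           Format-Table -AutoSize
} else {
    "All remote mailboxes route to $RoutingDomain"
}
```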

This concludes part 10 of this multi-part article in which I explain how you configure an Exchange 2013 hybrid deployment followed by migrating to Office 365 (Exchange Online).
