Configuring an Exchange 2013 Hybrid Deployment and Migrating to Office 365 (Exchange Online) (Part 14)


Introduction

In part 13 of this multi-part article series revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365 or more precisely Exchange Online, we took a look behind the scenes by looking at the hybrid configuration settings performed by the hybrid configuration wizard on the Exchange hybrid servers on-premises.

In this part 14, we will continue where we left off back in part 13. That is, we will take a look behind the scenes at the hybrid configuration settings set by the hybrid configuration wizard in the Exchange Online organization in Office 365.

Let’s get started.

A Look at the Hybrid Configuration Settings in Office 365

So back in part 13, we focused on the Exchange hybrid related configuration settings that were set on the Exchange 2013 servers on-premises when we ran the hybrid configuration wizard. Of course, the hybrid configuration wizard also applies several configuration settings in the Exchange Online organization in Office 365. Let’s take a look at what was configured. To do so, open the “Exchange admin center” and then click on the “Office 365” link in the top left of the screen.

  1. Just like for the on-premises Exchange organization, the respective domains used for routing between on-premises and Exchange Online have been added as “Accepted Domains” in the Exchange Online organization in Office 365.

Figure 1: Accepted domains in the Exchange Online organization

For the mailbox-enabled user objects in the on-premises Active Directory that have been synchronized to the Office 365 tenant as mail-enabled user (MEU) objects, the external email address (targetAddress attribute) on the MEU object has been set to “[email protected]”, so that all email messages sent from the Exchange Online organization (and from the Internet since we have chosen to route mail from external senders via Exchange Online Protection) to a user that hasn’t had his mailbox migrated yet are routed to his mailbox on-premises. In addition, the MEU objects in the Exchange Online organization also have a “[email protected]” proxy address, so that email messages sent to a migrated mailbox from a non-migrated mailbox are routed to the mailbox in the Exchange Online organization, again via the external email address (targetAddress attribute) set on the MEU object after the object is converted from a mailbox-enabled object to a MEU object. We’ll look closer at this later.

Figure 2: External E-Mail address on MEU object on-premises

  2. Unlike in wave 14 of Office 365, no remote domains are configured in the Exchange Online organization anymore.

Figure 3: No remote domains in Exchange Online

And by the way, before you try to find the “Remote Domains” tab in the Exchange admin center (EAC), I should probably tell you it’s not there. You need to use PowerShell for this.

  3. When it comes to connectors, the hybrid configuration wizard (HCW) has created an inbound and an outbound connector in Exchange Online Protection (EOP) as shown below. So far, it’s identical to how it was done back in FOPE in the old Office 365 (wave 14).

Figure 4: Inbound and Outbound connectors in Exchange Online Protection (EOP)

However, back with FOPE, the hybrid configuration wizard (HCW) created an inbound and an outbound connector that couldn’t be modified directly via the FOPE administration console. In EOP, the connectors can be modified as you wish. Not that you generally should do this, but we have the permissions to modify them as required.

In addition, the connectors created in EOP are configured slightly differently than those in FOPE. As some of you may recall, the inbound connector the HCW created in FOPE was locked down so that only the public IP addresses we specified in the Exchange 2010 HCW were allowed to route mail to the Exchange Online organization. And of course forced TLS based on certificate domain matching was also configured.

The outbound connector created in FOPE was configured to point to a specific endpoint FQDN (depending on the on-premises scenario something like hybrid.contoso.com). And again, it was configured with forced TLS based on certificate domain matching.

Figure 5: Inbound and Outbound connectors back in FOPE (wave 14)

In EOP the inbound connector is configured as follows. The “Connector Type” is set to “On-Premises” and “Retain service headers on transmission” is enabled.

Figure 6: General configuration settings for the Inbound connector in Exchange Online Protection (EOP)

On the “security” property page, we are forcing TLS based on certificate domain matching. “Domain Restrictions” is set to “None”.

Figure 7: Security configuration settings for the Inbound connector in Exchange Online Protection (EOP)

On the “scope” property page, an asterisk (*) representing all domains has been added to “Domains”.

Figure 8: Scope configuration settings for the Inbound connector in Exchange Online Protection (EOP)

In EOP, the outbound connector is configured as follows. Just as with the inbound connector, “Connector Type” is set to “On-Premises” and again “Retain service headers on transmission” is enabled.

Figure 9: General configuration settings for the Outbound connector in Exchange Online Protection (EOP)

On the “security” property page, “Connection Security” is set to “Recipient certificate matches domain”.

Figure 10: Security configuration settings for the Outbound connector in Exchange Online Protection (EOP)

On the “delivery” property page, “Outbound Delivery” is set to “Route mail through smart hosts” pointing to “smtp.clouduser.dk”, which is the SMTP endpoint for my lab environment.

Figure 11: Delivery configuration settings for the Outbound connector in Exchange Online Protection (EOP)

On the “scope” property page, my custom domain “clouduser.dk” has been added under domains.

Figure 12: Scope configuration settings for the Outbound connector in Exchange Online Protection (EOP)
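Because the EOP connectors can be modified after the wizard has run, it is worth checking them against the values described above from time to time. The following is an added example, not part of the original article: the mapping from the EAC labels to cmdlet property names is an assumption of this example, and the two sample objects (including the certificate name) are constructed so the script runs without a tenant connection.

```powershell
# Baseline = the HCW settings described in this article.
function Test-HybridConnector {
    param(
        [Parameter(Mandatory)] $Connector,
        [Parameter(Mandatory)] [ValidateSet('Inbound', 'Outbound')] [string] $Direction,
        [string] $SmartHost = 'smtp.clouduser.dk',   # lab endpoint named in the article
        [string] $Domain    = 'clouduser.dk'         # lab domain named in the article
    )
    $findings = @()
    if ("$($Connector.ConnectorType)" -ne 'OnPremises') { $findings += 'Connector type is not On-Premises' }
    if (-not $Connector.CloudServicesMailEnabled)       { $findings += 'Service headers are not retained' }

    if ($Direction -eq 'Inbound') {
        if (-not $Connector.RequireTls)               { $findings += 'TLS is not forced' }
        if (-not $Connector.TlsSenderCertificateName) { $findings += 'No certificate domain to match against' }
    }
    else {
        $hosts   = @($Connector.SmartHosts)       | ForEach-Object { "$_" }
        $domains = @($Connector.RecipientDomains) | ForEach-Object { "$_" }
        if ("$($Connector.TlsSettings)" -ne 'DomainValidation')       { $findings += 'Recipient certificate is not matched to the domain' }
        if ($Connector.UseMXRecord -or ($hosts -notcontains $SmartHost)) { $findings += 'Mail is not routed through the expected smart host' }
        if ($domains -notcontains $Domain)                             { $findings += 'Expected domain is missing from the scope' }
    }
    [pscustomobject]@{
        Name      = $Connector.Name
        Direction = $Direction
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample objects standing in for Get-InboundConnector / Get-OutboundConnector output.
$inbound = [pscustomobject]@{
    Name = 'Inbound sample (constructed)'; ConnectorType = 'OnPremises'; CloudServicesMailEnabled = $true
    RequireTls = $true; TlsSenderCertificateName = '*.clouduser.dk'
}
$outboundDrifted = [pscustomobject]@{
    Name = 'Outbound sample (constructed)'; ConnectorType = 'OnPremises'; CloudServicesMailEnabled = $true
    TlsSettings = 'EncryptionOnly'; UseMXRecord = $false
    SmartHosts = @('smtp.clouduser.dk'); RecipientDomains = @('clouduser.dk')
}

Test-HybridConnector -Connector $inbound         -Direction Inbound
Test-HybridConnector -Connector $outboundDrifted -Direction Outbound

# Against a live tenant (remote PowerShell session to Exchange Online):
# Get-InboundConnector  | ForEach-Object { Test-HybridConnector -Connector $_ -Direction Inbound }
# Get-OutboundConnector | ForEach-Object { Test-HybridConnector -Connector $_ -Direction Outbound }
```

The inbound sample comes back compliant, while the outbound sample is flagged because its TLS setting no longer validates the recipient certificate against the domain.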

  4. Finally, like in the on-premises Exchange organization, an organizational relationship has been created to establish Exchange federation with the on-premises Exchange organization.

Figure 13: Organization and individual sharing policies

Figure 14 shows the configuration for the organization relationship in detail.

Figure 14: Configuration of the organization relationship in the Exchange Online organization

Just as is the case with Exchange 2010 based hybrid deployments, free/busy is enabled with limited details by default. In addition, delivery reports and mailtips are enabled. Moreover, a target autodiscover Epr has been set by the HCW. This is the endpoint used to reach out to the on-premises Exchange organization for the configured features, when a request comes from the Exchange Online organization to the on-premises Exchange organization.

This concludes part 14 of this multi-part article in which I explain how you configure an Exchange 2013 hybrid deployment followed by migrating to Office 365 (Exchange Online).
