skip to Main Content

Exchange Hybrid design and planning

Are you following the course Exchange Hybrid? If you are, you do know that we have to design and plan the Exchange Hybrid environment. After that, we can create a Microsoft 365 tenant and run the Exchange Hybrid Wizard to start migrating mailboxes. In this article, you will learn Exchange Hybrid best practices configuration.


There are multiple scenarios on the Exchange Hybrid architecture. It all depends on which Exchange Server version you use in the organization and if you want to have an Exchange Server High Availability configuration.

Note: The Exchange Hybrid server is when you run the Hybrid Configuration Wizard and select that Exchange Server in the wizard to be the Exchange Hybrid server. You can choose one or more Exchange Servers to act as Exchange Hybrid. It can be an Exchange Server with or without mailbox databases.

Let’s look at two Exchange Server states and what the best practices are for both of them.

Exchange Server supported state

You already have an Exchange Server running, which is supported. You can think of Exchange Server 2016 and Exchange Server 2019. Next, you run the Hybrid Configuration Wizard and select that server for Exchange Hybrid. Use the Exchange Hybrid for migrating mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes.

Exchange Server non-supported state

You have an Exchange Server 2010 running in the organization, which is a non-supported Exchange Server. You should install a new Exchange Server and run the Hybrid Configuration Wizard. Then select that server so it will become the Exchange Hybrid server. Use the Exchange Hybrid for migrating mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes and decommission the out-of-support Exchange Server.

This approach is excellent when you want an extra Exchange Server that acts as an Exchange Hybrid server to migrate to Office 365 and less load on the Exchange Server, which hosts the on-premises mailboxes. Or if you have an older Exchange Server version running in the organization. For example, think about Exchange Server 2010.

Important: Always run a supported Exchange Server in the organization. Even if the Exchange Server is only for management purposes.

Exchange Hybrid firewall ports for mail flow and services

Read more in the article Exchange Hybrid firewall ports.

It’s important to open the following four firewall ports for mail flow and connections. It will enable the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.

Encrypted web connections443/TCP (HTTPS)Exchange Online endpoints192.168.1.52
Encrypted web connections 443/TCP (HTTPS) Exchange Online endpoints
Inbound mail25/TCP (SMTP)Exchange Online endpoints
Outbound mail25/TCP (SMTP) Online endpoints

We have an Exchange Server 2016 running that hosts all the on-premises mailboxes. So we don’t have to install another Exchange Server 2019 in the organization next to the Exchange Server 2016 because it’s in a supported state. The Exchange Server 2016 ( will be the Exchange Hybrid server. We did select that Exchange Server when running the Hybrid Configuration Wizard.

Exchange Hybrid design examples

Let’s have a couple of examples that will show how to configure the Exchange Hybrid configuration.

Scenario 1. You want the Exchange Server to act also as the Exchange Hybrid server:

  • Run the Hybrid Configuration Wizard and select the Exchange Server
  • Check that the firewall ports 25/443 are open between Exchange Server/Exchange Hybrid server and Exchange Online endpoints in both the directions
  • Don’t change anything to the Exchange firewall ports that are already in place. You still want to use your spam filter and connections to the Exchange Server
Exchange Hybrid design and planning scenario1

Scenario 2. Add a second Exchange Server, and both of them will act as Exchange Server and Exchange Hybrid servers:

Note: The advantage is that the Exchange Server is set up in High Availability for Exchange Server (mailbox databases/mailboxes) and Exchange Hybrid.

Exchange Hybrid design and planning scenario2

Scenario 3. Add a second Exchange Server, and it will only act as an Exchange Hybrid server:

Exchange Hybrid design and planning scenario3

Scenario 4. Add a second Exchange Server that will act as an Exchange Hybrid server with a separate FQDN:

Important: You need a unique Public IP address to create a VIP on the firewall to route to the Exchange Hybrid server. It will NAT from FQDN to the Exchange Hybrid server.

Note: If you like to have High Availability, you can add more Exchange Servers, and when running the Hybrid Configuration Wizard, you can select the Exchange Servers that will act as Exchange Hybrid servers.

Exchange Hybrid design and planning scenario4

We hope that the Exchange Hybrid design and planning help you design the Exchange Hybrid environment.

Keep reading: Configure outbound mail via Office 365 »


You learned the Exchange Hybrid design and planning best practices. It’s essential to have an Exchange Hybrid architecture view before running the Exchange Hybrid Configuration Wizard. Save yourself trouble in the future, and create a plan before you start configuring the Exchange Hybrid environment and migrating mailboxes to Office 365.

Did you enjoy this article? You may also like Autodiscover URL in Exchange Hybrid. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 8 Comments

  1. Have got an interesting question about HCW requirements.

    If the network scenario requires me to publish Ex 2016 mailbox server using for EWS and for SMTP separately using 2 public IPs one for each service and I just have one SAN certificate covering both EWS and SMTP FQDNs. Which URL should I point HCW to?

    My guess is to run it pointing to EWS URL only and once connectors are created, manually switch the FQDN from to on the new connectors listed below.

    Exch: SendConnector -Name ‘Outbound to Office 365’ and
    EXO: OutboundConnector -Name ‘Outbound to 48e7bec9-404c-4d24-b59e-4b46b64d7e03’

    Thanks in advance.

  2. Hi Ali,
    Scenario 2 has got two Exchange 2016 servers load balanced with a VIP and 1-1 NAT with public IP. In my opinion, SMTP over TLS communication will break if the load balancer can not preserve source IP (EXO) for inbound traffic. Mailflow may also get impacted if so. Can you pl. shed some light on this.

    EXO IP—>Firewall—>VIP—>EX 2016 SMTP Connector (Problems here if Exchange 2016 sees VIP as source IP)
    EXO IP—>Firewall—->EX 2016 SMTP Connector (No issues here)


  3. Hi,

    Thanx for making so easy hybrid environment. I am little bit confused about hybrid inbound & outbound rule. Let’s Asume that, I am going for hybrid migration and I have F5 load balancer which act as a reverse proxy then time my network team was public up mapped to F5 load balancer vNAT IP & Those IP was of F5 Load Balancer & Those Virtual IP was NAT To hybrid exchange server then that time my hybrid was not working & configured.

    Please help me here to more understand that kind of scenario?

  4. Hello Ali,

    thank you very much for your courses, they are very helpful.

    I have a question.
    Can we migrate our Exchange On Prem to Office 365(Exchange-Online) while we using FEDERATED DOMAIN on our Organisation. We are using currently FEDERATED DOMAIN and not MANAGED DOMAIN on our AAD.
    Is that Ok if we would migrate our Mail Organisation to Office 365.

    Thanks for your answer

  5. Hi Ali,

    thanks for the articles about Exchange Hybrid.

    What can be the technical solution (WAP, reverse proxy) in a DMZ if we don’t want to face the MBX server directly to the internet ?

Leave a Reply

Your email address will not be published. Required fields are marked *