
Exchange Hybrid design and planning

Are you following the Exchange Hybrid course? If you are, you know that we first have to design and plan the Exchange Hybrid environment. After that, we can create a Microsoft 365 tenant and run the Hybrid Configuration Wizard to start migrating mailboxes. In this article, you will learn the Exchange Hybrid configuration best practices.

Introduction

There are multiple Exchange Hybrid architecture scenarios. Which one fits depends on the Exchange Server version you run in the organization and on whether you want an Exchange Server High Availability configuration.

Note: The Exchange Hybrid server is the Exchange Server you select in the Hybrid Configuration Wizard to act as the hybrid endpoint. You can choose one or more Exchange Servers to act as Exchange Hybrid servers. An Exchange Hybrid server can host mailbox databases, but it does not have to.

Let’s look at two Exchange Server states and what the best practices are for both of them.

Exchange Server supported state

You already have a supported Exchange Server running, for example Exchange Server 2016 or Exchange Server 2019. You run the Hybrid Configuration Wizard and select that server as the Exchange Hybrid server. Use the Exchange Hybrid server to migrate mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes.

Exchange Server non-supported state

You have an Exchange Server 2010 running in the organization, which is an out-of-support Exchange Server. Install a new, supported Exchange Server and run the Hybrid Configuration Wizard. Select the new server so it becomes the Exchange Hybrid server. Use the Exchange Hybrid server to migrate mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes and decommission the out-of-support Exchange Server.

This approach is also a good choice when you want an extra Exchange Server that only acts as the Exchange Hybrid server, so the migration to Office 365 puts less load on the Exchange Server that hosts the on-premises mailboxes, or when you run an older Exchange Server version, such as Exchange Server 2010, in the organization.

Important: Always run a supported Exchange Server in the organization. Even if the Exchange Server is only for management purposes.
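Before running the Hybrid Configuration Wizard, it helps to see at a glance which servers in the organization are in the supported state described above. The following script is an added example, not code from the article or from Microsoft; it assumes you run it from the Exchange Management Shell (which provides Get-ExchangeServer) and treats only the generations the article names as supported, Exchange Server 2016 (version 15.1) and Exchange Server 2019 (version 15.2).

```powershell
# Added example: list every Exchange Server with its product generation and flag
# the ones that must not be selected as Exchange Hybrid server.
# Assumption: run from the Exchange Management Shell on a domain-joined machine.

# AdminDisplayVersion major.minor maps to a product generation.
$generations = @{
    '8.0'  = 'Exchange Server 2007'
    '14.0' = 'Exchange Server 2010'
    '15.0' = 'Exchange Server 2013'
    '15.1' = 'Exchange Server 2016'
    '15.2' = 'Exchange Server 2019'
}

# Generations the article treats as a supported state for Exchange Hybrid.
$supported = @('15.1', '15.2')

Get-ExchangeServer | ForEach-Object {
    $v   = $_.AdminDisplayVersion
    $key = '{0}.{1}' -f $v.Major, $v.Minor
    $gen = if ($generations.ContainsKey($key)) { $generations[$key] } else { "Unknown ($key)" }
    $ok  = $key -in $supported

    [pscustomobject]@{
        Name       = $_.Name
        Generation = $gen
        Build      = $v.ToString()
        Roles      = $_.ServerRole
        HybridOK   = $ok
        Action     = if ($ok) { 'Can be selected in the Hybrid Configuration Wizard' }
                     else     { 'Install a supported server for Hybrid, then decommission this one' }
    }
} | Sort-Object HybridOK, Name | Format-Table -AutoSize
```

Servers reported with HybridOK set to False are the ones to replace first; the wizard should only ever be pointed at a server from the supported list.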

Exchange Hybrid firewall ports for mail flow and services

Read more in the article Exchange Hybrid firewall ports.

It’s important to open the following four firewall rules (ports 25 and 443, in both directions) for mail flow and connections. They enable the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.

Purpose                    Ports            Source                     Destination
Encrypted web connections  443/TCP (HTTPS)  Exchange Online endpoints  192.168.1.52
Encrypted web connections  443/TCP (HTTPS)  192.168.1.52               Exchange Online endpoints
Inbound mail               25/TCP (SMTP)    Exchange Online endpoints  192.168.1.52
Outbound mail              25/TCP (SMTP)    192.168.1.52               Exchange Online endpoints

In this example, we have an Exchange Server 2016 running that hosts all the on-premises mailboxes. Because it is in a supported state, we don’t have to install another Exchange Server 2019 next to it. The Exchange Server 2016 (192.168.1.52) is the Exchange Hybrid server; we selected it when running the Hybrid Configuration Wizard.
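A quick way to confirm the four rules from the Exchange Hybrid server’s own point of view is to test the two outbound paths and check that something is listening for the two inbound ones. The script below is an added example, not code from the article; it assumes an elevated PowerShell session on the Exchange Hybrid server (192.168.1.52 in the article), and the Exchange Online hostnames in it are commonly used endpoints that stand in for your tenant’s actual targets (the outbound SMTP target is your tenant’s MX host, which is a placeholder here).

```powershell
# Added example: verify the Exchange Hybrid firewall rules from the Hybrid server.
# Assumptions: run as administrator on the Exchange Hybrid server; replace the
# placeholder MX host with the *.mail.protection.outlook.com host of your tenant.

# Outbound checks: 443/TCP to Exchange Online and 25/TCP to the Exchange Online MX host.
$outbound = @(
    @{ Host = 'outlook.office365.com';                  Port = 443; Purpose = 'Encrypted web connections (Autodiscover, EWS, migration)' },
    @{ Host = 'contoso-com.mail.protection.outlook.com'; Port = 25;  Purpose = 'Outbound mail to Exchange Online (placeholder MX host)' }
)

foreach ($t in $outbound) {
    $r     = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-8} {1,-45} {2,4}/TCP  {3}' -f $state, $t.Host, $t.Port, $t.Purpose
}

# Inbound checks: the server must be listening on 25 and 443, otherwise the
# firewall rule (or VIP/NAT) has nothing to forward to.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 25, 443 }

foreach ($port in 25, 443) {
    $bound = $listeners | Where-Object { $_.LocalPort -eq $port }
    if ($bound) {
        'LISTEN   local {0}/TCP bound on {1}' -f $port, (($bound.LocalAddress | Sort-Object -Unique) -join ', ')
    } else {
        'MISSING  nothing is listening on {0}/TCP; the inbound rule cannot work' -f $port
    }
}

# Whether Exchange Online can actually reach these listeners through the firewall
# can only be confirmed from outside the network; the Hybrid Configuration Wizard
# and the Microsoft Remote Connectivity Analyzer test that inbound path end to end.
```

Port 25 is normally served by the Default Frontend receive connector and port 443 by IIS, so a MISSING line points at a stopped Exchange or IIS service rather than at the firewall.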

Exchange Hybrid design examples

Let’s look at a few examples that show how to set up the Exchange Hybrid configuration.

Scenario 1. You want the Exchange Server to act also as the Exchange Hybrid server:

  • Run the Hybrid Configuration Wizard and select the Exchange Server
  • Check that the firewall ports 25/443 are open between the Exchange Server/Exchange Hybrid server and the Exchange Online endpoints in both directions
  • Don’t change the Exchange firewall rules that are already in place. You still want your spam filter and existing connections to the Exchange Server to keep working

[Figure: Exchange Hybrid design and planning, scenario 1]

Scenario 2. Add a second Exchange Server, and both of them will act as Exchange Server and Exchange Hybrid servers:

Note: The advantage is that the Exchange Server is set up in High Availability for Exchange Server (mailbox databases/mailboxes) and Exchange Hybrid.

[Figure: Exchange Hybrid design and planning, scenario 2]

Scenario 3. Add a second Exchange Server, and it will only act as an Exchange Hybrid server:

[Figure: Exchange Hybrid design and planning, scenario 3]

Scenario 4. Add a second Exchange Server that will act as an Exchange Hybrid server with a separate FQDN:

Important: You need a unique public IP address to create a VIP on the firewall that routes to the Exchange Hybrid server. The firewall NATs traffic for the FQDN hybrid.exoip.com to the Exchange Hybrid server.

Note: If you want High Availability, you can add more Exchange Servers and, when running the Hybrid Configuration Wizard, select all the Exchange Servers that will act as Exchange Hybrid servers.

[Figure: Exchange Hybrid design and planning, scenario 4]
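With a separate FQDN as in scenario 4, two things have to line up before the wizard is run: the name must resolve to the firewall VIP, and the certificate the Hybrid server presents on 443 must cover that name. The script below is an added example, not code from the article; it uses the article’s FQDN hybrid.exoip.com, a placeholder public VIP, and assumes it is run from a machine that resolves public DNS (ideally outside the corporate network, so it sees what Exchange Online sees).

```powershell
# Added example: sanity-check the separate Hybrid FQDN from scenario 4.
# Assumptions: hybrid.exoip.com from the article; the VIP below is a placeholder
# (TEST-NET-3 range) that you replace with the public IP assigned to the VIP.
$hybridFqdn  = 'hybrid.exoip.com'
$expectedVip = '203.0.113.10'

# 1. The FQDN must resolve to the VIP that the firewall NATs to the Hybrid server.
$aRecords = Resolve-DnsName -Name $hybridFqdn -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($aRecords -contains $expectedVip) {
    "DNS OK:       $hybridFqdn -> $($aRecords -join ', ')"
} else {
    "DNS MISMATCH: $hybridFqdn -> $($aRecords -join ', ') (expected $expectedVip)"
}

# 2. Fetch the certificate presented on 443. Validation is bypassed only to
#    retrieve the certificate; trust and name coverage are checked explicitly below.
$client = New-Object System.Net.Sockets.TcpClient($hybridFqdn, 443)
$ssl    = New-Object System.Net.Security.SslStream(
              $client.GetStream(), $false,
              ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($hybridFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# 3. The name must appear in the SAN list, either literally or via a wildcard
#    for the parent domain; Exchange Online rejects the TLS session otherwise.
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sans    = if ($sanExt) { $sanExt.Format($false) } else { '' }
$parent  = $hybridFqdn.Substring($hybridFqdn.IndexOf('.') + 1)
$covered = ($sans -match [regex]::Escape($hybridFqdn)) -or ($sans -match [regex]::Escape("*.$parent"))

"Certificate:  $($cert.Subject)"
"Expires:      $($cert.NotAfter)"
"Chain trusted on this machine: $($cert.Verify())"
"SAN covers ${hybridFqdn}: $covered"
```

A DNS mismatch usually means the public record still points at the old Exchange Server or the VIP has not been published yet; a SAN that does not cover the Hybrid FQDN means the certificate has to be reissued before the wizard will succeed.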

We hope this Exchange Hybrid design and planning overview helps you design your Exchange Hybrid environment.

Keep reading: Configure outbound mail via Office 365 »

Conclusion

You learned the Exchange Hybrid design and planning best practices. It’s essential to have a clear view of the Exchange Hybrid architecture before running the Hybrid Configuration Wizard. Save yourself trouble later: create a plan before you start configuring the Exchange Hybrid environment and migrating mailboxes to Office 365.

Did you enjoy this article? You may also like Autodiscover URL in Exchange Hybrid. Don’t forget to follow us and share this article.

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 3 Comments

  1. Hi Ali,

    thanks for the articles about Exchange Hybrid.

    What can be the technical solution (WAP, reverse proxy) in a DMZ if we don’t want to face the MBX server directly to the internet?
