Exchange Hybrid design and planning
Are you following the Exchange Hybrid course? If so, you know that we have to design and plan the Exchange Hybrid environment first. After that, we can create a Microsoft 365 tenant and run the Hybrid Configuration Wizard to start migrating mailboxes. In this article, you will learn the Exchange Hybrid best practices configuration.
Introduction
There are multiple scenarios for the Exchange Hybrid architecture. Which one fits depends on the Exchange Server version you use in the organization and whether you want an Exchange Server High Availability configuration.
Note: An Exchange Server becomes the Exchange Hybrid server when you run the Hybrid Configuration Wizard and select that Exchange Server in the wizard. You can choose one or more Exchange Servers to act as Exchange Hybrid. It can be an Exchange Server with or without mailbox databases.
Let’s look at two Exchange Server states and what the best practices are for both of them.
Exchange Server supported state
You already have a supported Exchange Server running, for example Exchange Server 2016 or Exchange Server 2019. Next, you run the Hybrid Configuration Wizard and select that server for Exchange Hybrid. Use the Exchange Hybrid server for migrating mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes.
Exchange Server non-supported state
You have an Exchange Server 2010 running in the organization, which is a non-supported Exchange Server. You should install a new Exchange Server and run the Hybrid Configuration Wizard. Then select that server so it will become the Exchange Hybrid server. Use the Exchange Hybrid server for migrating mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes and decommission the out-of-support Exchange Server.
This approach is excellent when you want an extra Exchange Server that acts as the Exchange Hybrid server for the migration to Office 365, which puts less load on the Exchange Server that hosts the on-premises mailboxes. It is also the approach to take if you have an older Exchange Server version running in the organization, for example Exchange Server 2010.
Important: Always run a supported Exchange Server in the organization. Even if the Exchange Server is only for management purposes.
Exchange Hybrid firewall ports for mail flow and services
Read more in the article Exchange Hybrid firewall ports.
It’s important to open the following four firewall ports for mail flow and connections. This enables the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.
Purpose | Ports | Source | Destination |
---|---|---|---|
Encrypted web connections | 443/TCP (HTTPS) | Exchange Online endpoints | 192.168.1.52 |
Encrypted web connections | 443/TCP (HTTPS) | 192.168.1.52 | Exchange Online endpoints |
Inbound mail | 25/TCP (SMTP) | Exchange Online endpoints | 192.168.1.52 |
Outbound mail | 25/TCP (SMTP) | 192.168.1.52 | Exchange Online endpoints |
We have an Exchange Server 2016 running that hosts all the on-premises mailboxes. Because it’s in a supported state, we don’t have to install an Exchange Server 2019 in the organization next to the Exchange Server 2016. The Exchange Server 2016 (192.168.1.52) will be the Exchange Hybrid server. We selected that Exchange Server when running the Hybrid Configuration Wizard.
Exchange Hybrid design examples
Let’s look at a couple of examples that show how to set up the Exchange Hybrid configuration.
Scenario 1. You want the Exchange Server to also act as the Exchange Hybrid server:
- Run the Hybrid Configuration Wizard and select the Exchange Server
- Check that the firewall ports 25/443 are open between Exchange Server/Exchange Hybrid server and Exchange Online endpoints in both directions
- Don’t change anything in the Exchange firewall ports that are already in place. You still want to use your spam filter and connections to the Exchange Server
Scenario 2. Add a second Exchange Server, and both of them will act as Exchange Server and Exchange Hybrid servers:
- Install a second Exchange Server in the domain
- Configure the Exchange firewall ports
- Run the Hybrid Configuration Wizard and select both Exchange Servers
- Check that the firewall ports 25/443 are open between Exchange Server/Exchange Hybrid server and Exchange Online endpoints in both directions
Note: The advantage is that the Exchange Server is set up in High Availability for Exchange Server (mailbox databases/mailboxes) and Exchange Hybrid.
Scenario 3. Add a second Exchange Server, and it will only act as an Exchange Hybrid server:
- Install a second Exchange Server in the domain
- Run the Hybrid Configuration Wizard and select the Exchange Hybrid server only
- Check that the firewall ports 25/443 are open between Exchange Hybrid server and Exchange Online endpoints in both directions
Scenario 4. Add a second Exchange Server that will act as an Exchange Hybrid server with a separate FQDN:
- Install a second Exchange Server in the domain
- Configure the virtual directories on the new Exchange Server with a separate FQDN, for example: hybrid.exoip.com
- Run the Hybrid Configuration Wizard and select the Exchange Hybrid server only
- Check that the firewall ports 25/443 are open between Exchange Hybrid server and Exchange Online endpoints in both directions
Important: You need a unique Public IP address to create a VIP on the firewall to route to the Exchange Hybrid server. It will NAT from FQDN hybrid.exoip.com to the Exchange Hybrid server.
Note: If you want High Availability, you can add more Exchange Servers, and when running the Hybrid Configuration Wizard, you can select the Exchange Servers that will act as Exchange Hybrid servers.
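The port check that closes each scenario can be scripted on the Exchange Hybrid server. The PowerShell below is an added example, not part of the original article; the function name Test-HybridPort is hypothetical, and the SMTP host is a placeholder for your tenant's Exchange Online Protection endpoint.

```powershell
# Added example: check the 25/443 flows from the firewall table.
# Run on the Exchange Hybrid server (192.168.1.52 in this article).
# Test-HybridPort is a hypothetical helper name, not an Exchange cmdlet.
function Test-HybridPort {
    param(
        # Exchange Online HTTPS endpoint
        [string]$HttpsEndpoint = 'outlook.office365.com',
        # Assumption: your tenant's Exchange Online Protection SMTP host
        [Parameter(Mandatory)][string]$SmtpEndpoint
    )

    $results = @()

    # Outbound: Exchange Hybrid server -> Exchange Online endpoints
    $targets = @(
        @{ Name = $HttpsEndpoint; Port = 443 },
        @{ Name = $SmtpEndpoint;  Port = 25 }
    )
    foreach ($target in $targets) {
        $probe = Test-NetConnection -ComputerName $target.Name -Port $target.Port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Direction = 'Outbound'
            Endpoint  = "$($target.Name):$($target.Port)"
            Ok        = $probe.TcpTestSucceeded
        }
    }

    # Inbound: confirm the server is listening on 25 and 443.
    # This does not prove the perimeter firewall forwards the traffic.
    foreach ($port in 25, 443) {
        $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{
            Direction = 'Inbound (local listener)'
            Endpoint  = "localhost:$port"
            Ok        = [bool]$listener
        }
    }

    $results
}

# Usage (replace the placeholder with your tenant's host):
# Test-HybridPort -SmtpEndpoint '<tenant>.mail.protection.outlook.com' | Format-Table -AutoSize
```

The inbound rows only show that the server accepts connections locally; the inbound firewall rules themselves have to be tested from outside the perimeter. A passing result also says nothing about whether the inbound source is limited to the Exchange Online endpoints, as the firewall table specifies.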
We hope that the Exchange Hybrid design and planning help you design the Exchange Hybrid environment.
Conclusion
You learned the Exchange Hybrid design and planning best practices. It’s essential to have an Exchange Hybrid architecture view before running the Exchange Hybrid Configuration Wizard. Save yourself trouble in the future, and create a plan before you start configuring the Exchange Hybrid environment and migrating mailboxes to Office 365.
This is excellent, thank you!
Dear Ali,
Could you please share with me from which website you design the diagram?