
Are you following the Exchange Hybrid course? If you are, you know that we first have to design and plan the Exchange Hybrid environment. After that, we can create a Microsoft 365 tenant and run the Hybrid Configuration Wizard to start migrating mailboxes. In this article, you will learn the Exchange Hybrid configuration best practices.

Introduction

There are multiple scenarios in the Exchange Hybrid architecture. Which one applies depends on the Exchange Server version you run in the organization and on whether you want an Exchange Server High Availability configuration.

Note: The Exchange Hybrid server is the Exchange Server you select in the Hybrid Configuration Wizard to act as the hybrid server. You can choose one or more Exchange Servers to act as Exchange Hybrid servers, with or without mailbox databases.

Let’s look at two Exchange Server states and what the best practices are for both of them.

Exchange Server supported state

You already have a supported Exchange Server running, for example Exchange Server 2016 or Exchange Server 2019. Run the Hybrid Configuration Wizard and select that server as the Exchange Hybrid server. Use the Exchange Hybrid server to migrate mailboxes to Office 365, and afterwards keep it for management purposes.

Exchange Server non-supported state

You have an Exchange Server 2010 running in the organization, which is no longer supported. Install a new, supported Exchange Server, run the Hybrid Configuration Wizard, and select the new server so it becomes the Exchange Hybrid server. Use the Exchange Hybrid server to migrate mailboxes to Office 365. After that, keep the Exchange Hybrid server for management purposes and decommission the out-of-support Exchange Server.

This approach also works well when you want an extra Exchange Server that acts as the Exchange Hybrid server for the Office 365 migration, taking load off the Exchange Server that hosts the on-premises mailboxes, or when an older Exchange Server version, such as Exchange Server 2010, is still running in the organization.

Important: Always run a supported Exchange Server in the organization, even if that Exchange Server is only used for management purposes.

Exchange Hybrid firewall ports for mail flow and services

Read more in the article Exchange Hybrid firewall ports.

It’s important to open the following four firewall rules (443/TCP and 25/TCP, in both directions) for mail flow and connections. They enable the Exchange Hybrid server to communicate with the Exchange Online endpoints outside your organization.

Purpose                   | Ports           | Source                    | Destination
--------------------------|-----------------|---------------------------|---------------------------
Encrypted web connections | 443/TCP (HTTPS) | Exchange Online endpoints | 192.168.1.52
Encrypted web connections | 443/TCP (HTTPS) | 192.168.1.52              | Exchange Online endpoints
Inbound mail              | 25/TCP (SMTP)   | Exchange Online endpoints | 192.168.1.52
Outbound mail             | 25/TCP (SMTP)   | 192.168.1.52              | Exchange Online endpoints

In this example, an Exchange Server 2016 hosts all the on-premises mailboxes. Because Exchange Server 2016 is in a supported state, we don’t have to install an additional Exchange Server 2019 next to it. The Exchange Server 2016 (192.168.1.52) is the Exchange Hybrid server; we selected it when running the Hybrid Configuration Wizard.
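The port check from the table above, and the "check that firewall ports 25/443 are open" step in the scenarios below, can be verified from the hybrid server itself. This is an added example, not code from the original article: it assumes it runs on the Exchange Hybrid server (192.168.1.52 in the article), and the SMTP endpoint name is a placeholder for your tenant's own MX host.

```powershell
# Added example, not from the original article. Run on the Exchange Hybrid server.
# 'contoso-com.mail.protection.outlook.com' is a placeholder: replace it with your
# tenant's MX host from the Microsoft 365 admin center.
$Checks = @(
    @{ Purpose = 'Outbound HTTPS to Exchange Online'; Target = 'outlook.office365.com';                  Port = 443 },
    @{ Purpose = 'Outbound SMTP to Exchange Online';  Target = 'contoso-com.mail.protection.outlook.com'; Port = 25 }
)

# Outbound side: TCP handshake to the Exchange Online endpoints on 443 and 25.
foreach ($c in $Checks) {
    $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-36} {1}:{2,-4} {3}' -f $c.Purpose, $c.Target, $c.Port, $state
}

# Inbound side: the hybrid server must be listening on 443 and 25 so the firewall
# VIP has something to forward to. This confirms the local listener only; the NAT
# rule itself has to be tested from outside the organization.
foreach ($port in 443, 25) {
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $state = if ($listening) { 'LISTENING' } else { 'NOT LISTENING' }
    '{0,-36} local port {1,-4} {2}' -f 'Inbound listener', $port, $state
}

# Show which enabled inbound Windows Firewall rules allow 443/25, to confirm the
# existing Exchange and spam-filter rules were left in place (scenario 1 below).
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '443' -or $_.LocalPort -contains '25') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile
```

A BLOCKED result on the outbound checks points at the perimeter firewall or a proxy, not at Exchange; a NOT LISTENING result means the Exchange transport or IIS services are down on the hybrid server.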

Exchange Hybrid design examples

Let’s look at a few examples that show how to configure Exchange Hybrid.

Scenario 1. You want the Exchange Server to act also as the Exchange Hybrid server:

  • Run the Hybrid Configuration Wizard and select the Exchange Server
  • Check that the firewall ports 25/443 are open between the Exchange Server/Exchange Hybrid server and the Exchange Online endpoints in both directions
  • Don’t change the Exchange firewall rules that are already in place; you still want to use your spam filter and the existing connections to the Exchange Server

[Figure: Exchange Hybrid design and planning, scenario 1]

Scenario 2. Add a second Exchange Server, and both of them will act as Exchange Server and Exchange Hybrid servers:

  • Install a second Exchange Server in the domain
  • Configure the Exchange firewall ports for the new server
  • Run the Hybrid Configuration Wizard and select both Exchange Servers
  • Check that the firewall ports 25/443 are open between the Exchange Servers/Exchange Hybrid servers and the Exchange Online endpoints in both directions

Note: The advantage is that the Exchange Servers are set up in High Availability for both the mailbox databases/mailboxes and the Exchange Hybrid role.

[Figure: Exchange Hybrid design and planning, scenario 2]

Scenario 3. Add a second Exchange Server, and it will only act as an Exchange Hybrid server:

  • Install a second Exchange Server in the domain
  • Run the Hybrid Configuration Wizard and select the Exchange Hybrid server only
  • Check that the firewall ports 25/443 are open between the Exchange Hybrid server and the Exchange Online endpoints in both directions

[Figure: Exchange Hybrid design and planning, scenario 3]

Scenario 4. Add a second Exchange Server that will act as an Exchange Hybrid server with a separate FQDN:

  • Install a second Exchange Server in the domain
  • Configure the virtual directories on the new Exchange Server with a separate FQDN, for example hybrid.exoip.com
  • Run the Hybrid Configuration Wizard and select the Exchange Hybrid server only
  • Check that the firewall ports 25/443 are open between the Exchange Hybrid server and the Exchange Online endpoints in both directions
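The virtual directory step of scenario 4, written out in Exchange Management Shell. This is an added example, not code from the original article: the server name EX02 is a placeholder, the FQDN hybrid.exoip.com comes from the scenario, and it assumes the hybrid server's certificate must already carry that name.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell. EX02 is a placeholder for the new Exchange Hybrid server.
$Server = 'EX02'
$Fqdn   = 'hybrid.exoip.com'

# Point the client-facing virtual directories of the hybrid server only at the
# separate hybrid FQDN. The existing servers keep their own external URLs.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$Fqdn/EWS/Exchange.asmx"
Set-OwaVirtualDirectory        -Identity "$Server\owa (Default Web Site)" -ExternalUrl "https://$Fqdn/owa"
Set-EcpVirtualDirectory        -Identity "$Server\ecp (Default Web Site)" -ExternalUrl "https://$Fqdn/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory        -Identity "$Server\OAB (Default Web Site)" -ExternalUrl "https://$Fqdn/OAB"
Set-MapiVirtualDirectory       -Identity "$Server\mapi (Default Web Site)" -ExternalUrl "https://$Fqdn/mapi"

# Verify: every external URL on the hybrid server should now carry the hybrid FQDN.
$Urls = @(
    (Get-WebServicesVirtualDirectory -Server $Server).ExternalUrl,
    (Get-OwaVirtualDirectory        -Server $Server).ExternalUrl,
    (Get-EcpVirtualDirectory        -Server $Server).ExternalUrl,
    (Get-ActiveSyncVirtualDirectory -Server $Server).ExternalUrl,
    (Get-OabVirtualDirectory        -Server $Server).ExternalUrl,
    (Get-MapiVirtualDirectory       -Server $Server).ExternalUrl
)
$Wrong = $Urls | Where-Object { $_ -and $_.Host -ne $Fqdn }
if ($Wrong) { Write-Warning "External URLs not on ${Fqdn}: $($Wrong -join ', ')" }
else        { "All external URLs on $Server use $Fqdn" }

# The certificate bound to IIS on the hybrid server must include the hybrid FQDN,
# otherwise Exchange Online cannot establish the TLS connections from the table above.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, NotAfter, @{ n = 'HasHybridFqdn'; e = { $_.CertificateDomains -contains $Fqdn } }
```

Public DNS for hybrid.exoip.com must resolve to the dedicated public IP from the Important note below, and the firewall VIP on that address forwards 443 and 25 only to this server.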

Important: You need a dedicated public IP address to create a VIP on the firewall that routes to the Exchange Hybrid server. The firewall NATs traffic for the FQDN hybrid.exoip.com to the Exchange Hybrid server.

Note: If you want High Availability, you can add more Exchange Servers and, when running the Hybrid Configuration Wizard, select all the Exchange Servers that will act as Exchange Hybrid servers.

[Figure: Exchange Hybrid design and planning, scenario 4]

We hope that this Exchange Hybrid design and planning guide helps you design your Exchange Hybrid environment.
