"Exchange Hybrid options? There are none. Just go Full Monty." - undisclosed Exchange consultant
That isn't quite right. But let me explain the concept of Exchange Hybrid first before we take a look at the available options.
You can connect an on-premises Exchange organization with Exchange Online, which is a key component of the Microsoft 365 SaaS platform. This connection is established by implementing an Exchange Server hybrid configuration. The hybrid configuration configures a trusted relationship between the two technically separated Exchange organizations.
This trusted relationship between your on-premises Exchange organization and Exchange Online ensures that email messages sent between the two organizations are identified as internal messages and treated as such. The identification as an internal message ensures that all Exchange components, including mail flow, function correctly regardless of where user mailboxes are located. Here's more information about the benefits of operating an Exchange hybrid organization.
The following diagram illustrates the Exchange hybrid configuration and the trusted relationship boundary (dotted green line).
Different options are available for configuring an Exchange hybrid setup between your on-premises Exchange organization and Exchange Online. We distinguish between two variants, Classic and Modern Hybrid. Up to three operating modes are available for each of these two variants.
The following table illustrates the two variants and operating modes for an Exchange hybrid configuration.
Now you have to ask yourself which operating mode you should use for implementing an Exchange hybrid configuration.
First, let's look at the technical requirements of the two operating variants and the main difference between the two.
Classic Hybrid requires that the internal Exchange servers are reachable from Exchange Online over HTTPS. This connection allows Exchange Online to connect to the internal Exchange organization for hybrid capabilities. Publishing your internal Exchange servers to the Internet requires a dedicated public IP address and a publicly trusted TLS certificate.
Modern Hybrid does not require any inbound HTTPS connection from Exchange Online to the internal Exchange organization.
The Exchange Hybrid Agent connects the on-premises Exchange organization and Exchange Online. This agent is installed on a server and runs as a service that connects to Exchange Online using an outbound HTTPS connection. The configuration selected in the Hybrid Configuration Wizard (HCW) determines the functional behavior of all hybrid components. For operating Exchange in hybrid mode, this is the preferred variant, because no additional components for incoming HTTPS connections need to be installed. However, if your organization uses Microsoft Teams and you want Teams users to continue to use mailboxes on on-premises Exchange servers, you are not able to use this operational variant. Microsoft Teams supports classic Exchange Hybrid operations only.
The Hybrid Agent supports free/busy requests from Exchange Online (EXO) to the on-premises Exchange server and mailbox migrations. You can read more about the supported features here.
Both variants require inbound and outbound SMTP connections between the on-premises Exchange organization and Exchange Online for hybrid mail flow.
Both variants require outbound HTTPS connections between the on-premises Exchange organization and Exchange Online.
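The connectivity requirements above can be turned into a simple perimeter check. The following is an added example (not code from the original post or from ENow): it compares an ordered firewall rule set against the flows each hybrid variant needs, as stated above, and reports both missing flows and inbound flows that the chosen variant does not need, i.e. unnecessary exposure of on-premises Exchange. The rule format and the sample rule set are constructed for this example; the real rules would additionally restrict inbound sources to Exchange Online address ranges.

```python
"""Check a perimeter rule set against the flows an Exchange hybrid variant needs.

Added example, not from the original post. Required flows follow the post:
Classic Hybrid needs inbound HTTPS from Exchange Online plus SMTP in both
directions and outbound HTTPS; Modern Hybrid needs no inbound HTTPS.
The Rule type and SAMPLE_RULES are constructed for this example.
"""
from dataclasses import dataclass

# (protocol, direction) pairs required per variant, as stated in the post.
REQUIRED_FLOWS = {
    "classic": {("https", "inbound"), ("https", "outbound"),
                ("smtp", "inbound"), ("smtp", "outbound")},
    "modern": {("https", "outbound"),
               ("smtp", "inbound"), ("smtp", "outbound")},
}

PORTS = {"https": 443, "smtp": 25}


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound", relative to the on-premises network
    port: int
    action: str      # "allow" or "deny"


def allowed_flows(rules):
    """Return the (protocol, direction) flows the rule set permits.
    First matching rule wins, as in a typical ordered firewall policy;
    no matching rule means the flow is denied."""
    flows = set()
    for proto, port in PORTS.items():
        for direction in ("inbound", "outbound"):
            for rule in rules:
                if rule.port == port and rule.direction == direction:
                    if rule.action == "allow":
                        flows.add((proto, direction))
                    break
    return flows


def check_hybrid_rules(variant, rules):
    """Return (missing, excess_inbound) for the given variant.
    missing: required flows the rule set does not allow.
    excess_inbound: inbound flows allowed that the variant does not need."""
    required = REQUIRED_FLOWS[variant]
    allowed = allowed_flows(rules)
    missing = required - allowed
    excess_inbound = {f for f in allowed - required if f[1] == "inbound"}
    return missing, excess_inbound


# Constructed sample: HTTPS is still published inbound (a Classic Hybrid
# leftover) and outbound SMTP is blocked, which breaks hybrid mail flow.
SAMPLE_RULES = [
    Rule("inbound", 443, "allow"),
    Rule("inbound", 25, "allow"),
    Rule("outbound", 443, "allow"),
    Rule("outbound", 25, "deny"),
]

if __name__ == "__main__":
    for variant in ("classic", "modern"):
        missing, excess = check_hybrid_rules(variant, SAMPLE_RULES)
        print(f"{variant}: missing={sorted(missing)} excess_inbound={sorted(excess)}")
```

Run against the sample rules, both variants report the blocked outbound SMTP flow; only Modern Hybrid additionally flags the inbound HTTPS rule as exposure that the Hybrid Agent makes unnecessary.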
What are the use cases for the different hybrid modes?
Implementing a hybrid operation presents technical challenges to your company. Therefore, you must plan the implementation of an Exchange hybrid setup properly.
For Classic Hybrid, you need external IP addresses for the HTTPS and SMTP protocols, while Modern Hybrid requires only one IP address for the SMTP protocol. You also need TLS certificates. For mail flow between the on-premises Exchange organization and Exchange Online, I recommend using a separate TLS certificate that is not also used by an Internet email gateway.
Securing the on-premises Exchange servers from direct access from the Internet is a top priority. Therefore, it is best practice to secure hybrid mail-flow using Exchange Edge servers. You secure incoming HTTPS access to the on-premises Exchange servers using reverse proxy servers.
When using a permanent hybrid configuration, the on-premises Exchange organization is also responsible for managing the Exchange objects moved to Exchange Online. In conjunction with the on-premises Active Directory, it remains the so-called Source of Authority (SOA). For this reason, you need at least one remaining Exchange server in your on-premises Exchange organization as a coexistence server. This server should run Exchange Server 2016 or Exchange Server 2019.
With a choice of two hybrid variants and five different operating modes, it is not easy to make the right choice. The most critical questions you need to ask yourself first are how your business will make use of Exchange features in the future and what requirements your company has for securing email messages. If the on-premises Exchange organization hosts user mailboxes and your organization plans to use Microsoft Teams, the classic full-hybrid variant is the only option. You must go Full Monty.
You achieve the greatest flexibility with Classic Hybrid, but this is also the variant with the most requirements for setup and permanent operation.
With Modern Hybrid, you can quickly achieve a hybrid configuration and quickly migrate mailboxes to Exchange Online. However, when using Microsoft Teams and user mailboxes in the on-premises Exchange organization, this is not an option.
Enjoy Exchange Hybrid with Exchange Online.
On-premises components, such as AD FS, PTA, and Exchange Hybrid, are critical for the Office 365 end-user experience. In addition, something as trivial as an expiring Exchange or AD FS certificate can lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings when hybrid components are reaching a critical state, or when a certificate is about to expire. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred ensures that any outages are detected and solved as quickly as possible.