Sign up for Office 365
Learn more about Office 365
Configuring Mail Routing with an Exchange 2010 Edge Transport Server in a Hybrid Deployment
Audience: Exchange/Office 365 for Enterprises Administrators
Authors: Lou Mandich, Senior Premier Field Engineer, Brian Drepaul, Senior Support Escalation Engineer and Kovaiselvan Jayaraman, Sr.Support Escalation Engineer
Configuring an Edge Transport server for mail routing in a hybrid deployment is supported in Exchange Server 2010 Service Pack 1 (SP1) ,Service Pack 2 (SP2) ,Service Pack 2 (SP3) and Exchange 2013 organizations. This wiki post outlines the configuration steps required to configure on-premises Edge Transport servers for mail routing between the on-premises and Exchange Online organizations in a hybrid deployment for Exchange Server 2010 SP2 and SP3 organizations. This wiki is specific to securing mail routing and ensuring messages appear as internal.
These steps incorporate using a combination of manual configuration steps and configuration steps outlined in the Exchange Server Deployment Assistant. The current version Deployment Assistant has been updated for Exchange Server 2010 SP2, Exchange Server 2010 SP3 and Hybrid Configuration wizard support sans edge deployment without Edgesync.
Configuring Edge Transport servers in your hybrid deployment when using EdgeSync
1. Install one or more Edge Transport servers in your on-premises organization.
Utilize the same certificate you purchased for the hybrid server. Run the following command to import your secure mail certificate for your hybrid deployment and enable SMTP services. This example imports an Exchange certificate from a file named “certificate.pfx”:
This is done in the Exchange Management Shell on each Edge Server.
Import-ExchangeCertificate -FileData ([Byte]$(Get-Content -Path "c:\certificate.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password -PrivateKeyExportable $true| Enable-ExchangeCertificate -Services SMTP
The pop-up prompt will ask for a username and password, the username will be blank, type anything in that section. The password must match the password you typed when you exported the hybrid routing certificate from a hybrid server.
When prompted in the Shell with "Overwrite the existing default SMTP certificate dialog", you must choose No. If you choose Yes, you will receive an error that sharing the hybrid routing certificate between the Edge Transport server and your organization's hybrid Hub Transport servers is not allowed.
2. Follow the TechNet guidance on setting up and configuring an Edge Transport server with Exchange 2010 SP1.
Note: Selecting the check box “Automatically create a Send connector for this Edge Subscription” automatically creates a Send connector that routes messages from the on-premises Exchange organization to the Internet. The Edge Subscription is configured as the source server for the Send connector and the Send connector is configured to route messages to all domains by using Domain Name System (DNS) MX resource records. If you want Edge to modify your existing routing path for mail to the internet, you must select this check box. If not, verify that the box is unchecked when you import the Edge Subscription XML file.
3. Start the hybrid deployment process by following the Exchange Deployment Assistance guidance located here. Please note you should plan your Internet mail routing topology and choose the proper routing path so you don’t accidently change your mail routing during the configuration process. Using the Exchange Deployment Assistant as a guide, substitute the following changes:
You will need to set the receive connector on each Edge Server. In the Exchange Management Shell use the following command.
You will replace the "<default internal receive connector name>" with the name of the default connector. For example "Edge Default"
$SendConnector = Get-SendConnector "Outbound to Office 365"
$ReceiveConnector = Get-ReceiveConnector "<default internal receive connector name>"
Set-ReceiveConnector -Identity $ReceiveConnector.Identity -TlsDomainCapabilities outlook.com:AcceptOorgProtocol –Fqdn $SendConnector.Fqdn
Hybrid Routing - Pointing your MX record to the Cloud - Leverage this article for mail flow verification and configuration.
Configuring Edge Transport servers in your hybrid deployment when not using EdgeSync
Although we recommend that you use EdgeSync when configuring an Edge Transport server in your hybrid deployment, EdgeSync isn’t a requirement. You can still configure your hybrid deployment so that your Edge Transport servers route mail between the on-premises and Exchange Online organizations in a hybrid deployment for Exchange Server 2010 SP1 organizations.
The configuration of a the Edge Transport server is almost identical to configuring a Hub Transport server there are few nuances with Set-RemoteDomain commandlet since we do not support all the switches that typically are available with running Set-RemoteDomain on a Hub Transport server. In addition since EdgeSync is not being used we will still need to configure the remote domains, receive connectors and send connectors on Edge and Hub. The Remote domain process will need to be duplicated on both Edge and Hub servers to ensure that all email going to and from the cloud is trusted. The receive connectors are created on both Hub and Edge and configured to Externally Secure and listen only for the IP addresses of each respected server. The Send connectors are also configured in the same fashion the receive connectors are and we also use Externally Secure, this is very important because if this setting is not used the email headers will not be stamped with X-MS-Exchange-Organization-AuthAs: Internal.
Follow the steps below to configure your Edge Transport and hybrid Hub Transport server. The Shell cmdlet examples use the “contoso.com” and “contoso.mail.onmicrosoft.com” domains used as examples in the hybrid deployment scenarios in the Deployment Assistant.
Configure the Edge Server
Use the Shell to make the following configuration changes on your Edge Servers:
1. Import Certificate – This step is same as in the Edgesync scenario
Utilize the same certificate you purchased for the hybrid hub server. Run the following command to import your secure mail certificate for your hybrid deployment and enable SMTP services. This example imports an Exchange certificate from a file named “certificate.pfx”:
2.Configure the Accepted Domains
3. Configure the Remote Domains
4. Configure the Receive Connector
FOPE IP addresses as of 04/23/2013*
* To get the latest list of FOPE address visit Configure Mail Flow for an Exchange 2010 Hybrid Deployment
EOP IP addresses as of 03/22/2013*
* To get the latest list of EOP address visit Configure Mail Flow for an Exchange 2010 Hybrid Deployment
Then follow the guidelines "How do I configure transport settings in my on-premises organization?" Steps 6 through 11
5. Configure the Send Connector
Configuring the hybrid Hub Transport server
Use the Shell to make the following configuration changes on your hybrid Hub Transport server:
1. Configure the Remote Domains
2. Configure the Receive Connector
3. Configure the Send Connector