Configuring Mail Routing with an Exchange 2010 Edge Transport Server in a Hybrid Deployment

Audience: Exchange/Office 365 for Enterprises Administrators

Introduction

Configuring an Edge Transport server for mail routing in a hybrid deployment is supported in Exchange Server 2010 Service Pack 1 (SP1) ,Service Pack 2 (SP2) ,Service Pack 2 (SP3) and Exchange 2013 organizations. This wiki post outlines the configuration steps required to configure on-premises Edge Transport servers for mail routing between the on-premises and Exchange Online organizations in a hybrid deployment for Exchange Server 2010 SP2 and SP3 organizations. This wiki is specific to securing mail routing and ensuring messages appear as internal.

These steps incorporate using a combination of manual configuration steps and configuration steps outlined in the Exchange Server Deployment Assistant. The current version Deployment Assistant has been updated for Exchange Server 2010 SP2, Exchange Server 2010 SP3 and Hybrid Configuration wizard support sans edge deployment without Edgesync.

Prerequisites:

• The Edge Transport server must be Exchange 2010 SP1 or later.

Configuring Edge Transport servers in your hybrid deployment when using EdgeSync

1. Install one or more Edge Transport servers in your on-premises organization.

Utilize the same certificate you purchased for the hybrid server. Run the following command to import your secure mail certificate for your hybrid deployment and enable SMTP services. This example imports an Exchange certificate from a file named “certificate.pfx”:

This is done in the Exchange Management Shell on each Edge Server.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\certificate.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password -PrivateKeyExportable $true| Enable-ExchangeCertificate -Services SMTP

The pop-up prompt will ask for a username and password, the username will be blank, type anything in that section. The password must match the password you typed when you exported the hybrid routing certificate from a hybrid server.

When prompted in the Shell with "Overwrite the existing default SMTP certificate dialog", you must choose No. If you choose Yes, you will receive an error that sharing the hybrid routing certificate between the Edge Transport server and your organization's hybrid Hub Transport servers is not allowed.

2. Follow the TechNet guidance on setting up and configuring an Edge Transport server with Exchange 2010 SP1.

• Configure Internet Mail Flow Through a Subscribed Edge Transport Server
• Import an Edge Subscription File to an Active Directory Site.

Note: Selecting the check box “Automatically create a Send connector for this Edge Subscription” automatically creates a Send connector that routes messages from the on-premises Exchange organization to the Internet. The Edge Subscription is configured as the source server for the Send connector and the Send connector is configured to route messages to all domains by using Domain Name System (DNS) MX resource records. If you want Edge to modify your existing routing path for mail to the internet, you must select this check box. If not, verify that the box is unchecked when you import the Edge Subscription XML file.

3. Start the hybrid deployment process by following the Exchange Deployment Assistance guidance located here. Please note you should plan your Internet mail routing topology and choose the proper routing path so you don’t accidently change your mail routing during the configuration process. Using the Exchange Deployment Assistant as a guide, substitute the following changes:

• In the Configure Send and Receive Connectors checklist and the “How do I configure a default Receive Connector?” section, complete these steps on your Edge Transport server instead of your Hub Transport server.
• Open the Exchange Management Console (EMC) on a hybrid Hub Transport server in your on-premises organization. In the on-premises organization node of the EMC tree, select the Organization Configuration > Hub Transport node and select the Send Connectors tab. On the Send Connectors tab, select the “Outbound to Office 365” Send Connector and then click Properties in the Action pane. On the Properties dialog page, select the Source Server tab, delete all the hybrid Hub Transport servers by selecting each server and clicking the red “X” button.
• Click Add. On the Select Hub Transport or Subscribed Edge Transport Server dialog, select the Edge Transport servers for your on-premises organization and click OK.
• On the hybrid Hub Transport server, open the Exchange Management Shell and run Start-EdgeSynchronization.
• In the Hub Transport node, check to ensure the domains which represent your parent domain and <domain>.mail.onmicrosoft.com are set to Authoritative. For instance, if your parent domain is contoso.com , your service domain by default is contoso.mail.onmicrosoft.com, the domain types must be set to “Authoritative”. Note: The only exception to this rule is if Exchange 2003 is in the on-premises environment. If Exchange 2003 is present, you must set the service domain type to “Internal Relay”. To do this expand the Organization Configuration section in the Exchange Management Console. Select Hub Transport in the left pane. In the middle pane choose the Accepted Domains tab and review the two domains and their type.

You will need to set the receive connector on each Edge Server. In the Exchange Management Shell use the following command.

You will replace the "<default internal receive connector name>" with the name of the default connector. For example "Edge Default"

$SendConnector = Get-SendConnector "Outbound to Office 365"

$ReceiveConnector = Get-ReceiveConnector "<default internal receive connector name>"

 Set-ReceiveConnector -Identity $ReceiveConnector.Identity -TlsDomainCapabilities outlook.com:AcceptOorgProtocol –Fqdn $SendConnector.Fqdn

Additional Information

Hybrid Routing - Pointing your MX record to the Cloud - Leverage this article for mail flow verification and configuration.

Configuring Edge Transport servers in your hybrid deployment when not using EdgeSync

Although we recommend that you use EdgeSync when configuring an Edge Transport server in your hybrid deployment, EdgeSync isn’t a requirement. You can still configure your hybrid deployment so that your Edge Transport servers route mail between the on-premises and Exchange Online organizations in a hybrid deployment for Exchange Server 2010 SP1 organizations.

The configuration of a the Edge Transport server is almost identical to configuring a Hub Transport server there are few nuances with Set-RemoteDomain commandlet since we do not support all the switches that typically are available with running Set-RemoteDomain on a Hub Transport server. In addition since EdgeSync is not being used we will still need to configure the remote domains, receive connectors and send connectors on Edge and Hub. The Remote domain process will need to be duplicated on both Edge and Hub servers to ensure that all email going to and from the cloud is trusted. The receive connectors are created on both Hub and Edge and configured to Externally Secure and listen only for the IP addresses of each respected server. The Send connectors are also configured in the same fashion the receive connectors are and we also use Externally Secure, this is very important because if this setting is not used the email headers will not be stamped with X-MS-Exchange-Organization-AuthAs: Internal.

Follow the steps below to configure your Edge Transport and hybrid Hub Transport server. The Shell cmdlet examples use the “contoso.com” and “contoso.mail.onmicrosoft.com” domains used as examples in the hybrid deployment scenarios in the Deployment Assistant.

Configure the Edge Server

Use the Shell to make the following configuration changes on your Edge Servers:

1. Import Certificate – This step is same as in the Edgesync scenario

Utilize the same certificate you purchased for the hybrid hub server. Run the following command to import your secure mail certificate for your hybrid deployment and enable SMTP services. This example imports an Exchange certificate from a file named “certificate.pfx”:

This is done in the Exchange Management Shell on each Edge Server.

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\certificate.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password -PrivateKeyExportable $true| Enable-ExchangeCertificate -Services SMTP

The pop-up prompt will ask for a username and password, the username will be blank, type anything in that section. The password must match the password you typed when you exported the hybrid routing certificate from a hybrid server.

When prompted in the Shell with "Overwrite the existing default SMTP certificate dialog", you must choose No. If you choose Yes, you will receive an error that sharing the hybrid routing certificate between the Edge Transport server and your organization's hybrid Hub Transport servers is not allowed.

2.Configure the Accepted Domains

• New-AcceptedDomain -Name contoso.mail.onmicrosoft.com -DomainName contoso.mail.onmicrosoft.com -DomainType InternalRelay
• New-AcceptedDomain -Name contoso.com -DomainName contoso.com -DomainType Authoritative

3. Configure the Remote Domains

• New-RemoteDomain "Inbound Remote Domain" -DomainName contoso.com
• New-RemoteDomain "Outbound Remote Domain" -DomainName contoso.mail.onmicrosoft.com
• Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
• Set-RemoteDomain "Outbound Remote Domain" -TrustedMailOutboundEnabled $True -TargetDeliveryDomain $True

4. Configure the Receive Connector

• New-ReceiveConnector -Name "From Hub" -AuthMechanism ExternalAuthoritative -Fqdn mail.contoso.com -PermissionGroups AnonymousUsers,ExchangeServers,Partners -TlsDomainCapabilities mail.contoso.com:AcceptOorgProtocol -RemoteIPRanges <IP Address of hybrid Hub Transport server> -Bindings 0.0.0.0:25

• New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses for Wave14 tenants/EOP Outbound IP addresses for Wave15 tenants> -Bindings 0.0.0.0:25 -FQDN mail.contoso.com -TlsDomainCapabilities outlook.com:AcceptOorgProtocol

FOPE IP addresses as of 04/23/2013*

65.55.88.0/24

94.245.120.64/26

207.46.51.64/26

207.46.163.0/24

213.199.154.0/24

213.199.180.128/26

216.32.180.0/24

216.32.181.0/24

* To get the latest list of FOPE address visit Configure Mail Flow for an Exchange 2010 Hybrid Deployment

EOP IP addresses as of 03/22/2013*

65.55.88.0/24

94.245.120.64/26

207.46.51.64/26

207.46.163.0/24

213.199.154.0/24

213.199.180.128/26

216.32.180.0/24

216.32.181.0/24

* To get the latest list of EOP address visit Configure Mail Flow for an Exchange 2010 Hybrid Deployment

Then follow the guidelines "How do I configure transport settings in my on-premises organization?" Steps 6 through 11

5. Configure the Send Connector

• New-SendConnector "To Cloud" -RequireTLS $True -TlsAuthLevel DomainValidation -TlsDomain outlook.com -Fqdn mail.contoso.com -ErrorPolicies DowngradeAuthFailures -AddressSpaces SMTP: contoso.mail.onmicrosoft.com
• New-SendConnector -Name "To Hub" -AddressSpaces SMTP:contoso.com -Fqdn mail.contoso.com -SmartHosts <IP Address of a hybrid Hub Transport server> -UseExternalDNSServersEnabled $false -SmartHostAuthMechanism ExternalAuthoritative

Configuring the hybrid Hub Transport server

Use the Shell to make the following configuration changes on your hybrid Hub Transport server:

1. Configure the Remote Domains

• New-RemoteDomain "Inbound Remote Domain" -DomainName contoso.com
• New-RemoteDomain "Outbound Remote Domain" -DomainName contoso.mail.onmicrosoft.com
• Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
• Set-RemoteDomain "Outbound Remote Domain" -TrustedMailOutboundEnabled $True -TargetDeliveryDomain $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
• New-AcceptedDomain -Name contoso.mail.onmicrosoft.com -DomainName contoso.mail.onmicrosoft.com -DomainType InternalRelay

2. Configure the Receive Connector

• New-ReceiveConnector -Name "From Edge" -AuthMechanism ExternalAuthoritative -Fqdn mail.contoso.com -PermissionGroups ExchangeServers -RemoteIPRanges <External IP Address for Edge Transport server> -Bindings 0.0.0.0:25

3. Configure the Send Connector

• New-SendConnector -Name "To Edge" -AddressSpaces SMTP: contoso.mail.onmicrosoft.com -Fqdn mail.contoso.com -SmartHosts <IP Address of Edge Transport server> -UseExternalDNSServersEnabled $false -SmartHostAuthMechanism ExternalAuthoritative