Exchange Hybrid Migration

Apologies if this question has been answered before. We are going for Exchange hybrid migration to Exchange Online. On-premise, we have Exchange 2016 mailbox and Exchange 2016 Edge transport servers, DLP appliance (Forcepoint 8.4) and Cisco Email Security as our mail gateway.

We are enabling Centralised Mail Transport (CMT) because we wish to retain the DLP appliance for now until all mailboxes are migrated.

1) When running the HCW, should I choose the Edge Transport server as the Optimal server or the Exchange 2016 mailbox server? The Edge Transport server is used for address-rewrite for outgoing emails. Incoming emails do not traverse the Edge Transport server.

2) Is there any additional configuration needed on the send/receive connectors, so that email delivered to the online mailbox is routed back to the on-premise Exchange (CMT) without issues. I read somewhere that you should not have any device or systems in between the on-premise Exchange and EOL that modifies the email.

3) Is there any address rewriting capabilities in Exchange Online?

4) Please advise if having Trend Micro IMVSA and ForcePoint in between on-premise Exchange and Exchange Online would cause any problems?
R NAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jian An LimSolutions ArchitectCommented:
1) choose the exchange MBX and that will config should replicate to the EDGE. in your case, EDGE only applies to outbound email so not a huge problem.
2) when you run the HCW and mark it centralise mail transport, no additional settings required.
3). there are no address rewriting capability in Exchange Online, you are looking for 3rd party tools, like Binary Tree or Mimecast or some other 3rd party mail security tools.
4) as long as it is not modifing any thing on the email, it should be fine. But it starts modifying, then you start to see issues. Obvious one is DKIM from o365 will break your email DKIM. it is best to restamp it on the way out to Internet.
R NAuthor Commented:
Hi Mr. Lim,

Thank you for your brilliant answers. Please can I ask you some further questions on this?

1) If I choose the Exchange MBX instead of Edge Transport as the Optimal server, I am assuming that the Hybrid connectors are created on that server to send and receive from O365. Please can you elaborate on the "MBX and that will config should replicate to the EDGE"

2) Do I need to prep the Edge server (EdgeSync, Update CU, etc) ?

3) I don't reckon that the Trend IMVSA (AV, Spam filter), Forcepoint DLP or Cisco would not change anything on the email. Probably only EDGE is doing that (email suffix)   is this change on the headers?

4) Please can you provide me some links on how I can restamp the email to avoid DKIM causing issues?

Thank you.
Jian An LimSolutions ArchitectCommented:
1. the optimal server actually just reading what the exchange configuration. it doesn't means it will only configure on the server you setup.

2. you should run Edgesync after running the HCW . CU should be on latest when possible as always

3.  AV, spam filter will change it. Microsoft position is there should be no NON-exchange server between EOP and Exchange server. Else, just increase troubleshooting effort. DKIM definitely impacted so you need to check make sure you can stamp one, OR else, it will definitely fail on DKIM check when the recipient receives such emails.

4. you can read this.

Personally, i will not use centralised mail transport for this reason, it will be best to align them up front and not to go through but the decision is yours.
Price Your IT Services for Profit

Managed service contracts are great - when they're making you money. Yes, you’re getting paid monthly, but is it actually profitable? Learn to calculate your hourly overhead burden so you can master your IT services pricing strategy.

R NAuthor Commented:
Dear Mr. Lim,

Sorry to bother you again. What would you suggest I do? I agree that centralised transport is not a good solution.

The alternative would be for us to go for non-centralised model which I believe is emails from Office365 sent directly to the internet via EOP to the Cisco (mail gateway) :-

1) Still maintain the existing MX record to Cisco Email Security because we are only moving 5% of the users to Office 365 at the moment
2) Duplicate the DLP policies from the on-premise DLP applicance into the Office 365
3) Duplicate / Import policies such as IRM,  OWA policies, Active Sync policies into Office 365
4) Set up SMTP send connector to Cisco Email Security in Exchange Online?
5) Purchase 3rd party address rewriting tool for Office 365

Thanks again.
Jian An LimSolutions ArchitectCommented:
Hi R N,

i did not say good or bad, because it is all depends on budget you currently have.

Is all your 5% of users that move to office 365 will need to do address rewrite?

Step 4 or 5 is fine but 5 will cost you a lot, unless your cisco email security can do address rewrite.
If not, it will be better to setup SMTP send connector to EDGE for the time being

Again, DKIM is a risk but not an issue until you see a issue (user cannot send email to some recipient, or some recipient do not receive email from your user).

Usually you will let your email security perform the address rewrite (they should have the capability) and stamp a valid DKIM on the way out.
R NAuthor Commented:
Hi Mr. Lim

Yes you are right, the Cisco can do address rewriting so we will plan to decommission the Edge Transport and move that capability to the Cisco. So in the future, the mail flow will be:-

Outgoing email - Exchange 2016 > DLP > Trend IMVSA > Cisco > Internet
Incoming email - Internet > Cisco > Trend IMVSA > Exchange 2016

Apparently, the Trend Micro IMVSA and Cisco are both AV and spam -filters

I will run the HCW and select one of the mailbox server as the Hybrid server. I will enter that server FQDN as of the mailbox server that is published to the public DNS.

I wish you and your family a very happy and prosperous, healthy and wealthy New Year.

Gong Xi Fa Cai !
Jian An LimSolutions ArchitectCommented:
at some stage, you might want to remove Trend IMVSA as putting more AV/Spam don't usually stack up well.

Good luck and same to you on the festive season

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
R NAuthor Commented:
Thank you for all your answers
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.