Exchange Hybrid Migration

Apologies if this question has been answered before. We are going for Exchange hybrid migration to Exchange Online. On-premise, we have Exchange 2016 mailbox and Exchange 2016 Edge transport servers, DLP appliance (Forcepoint 8.4) and Cisco Email Security as our mail gateway.

We are enabling Centralised Mail Transport (CMT) because we wish to retain the DLP appliance for now until all mailboxes are migrated.

1) When running the HCW, should I choose the Edge Transport server as the Optimal server or the Exchange 2016 mailbox server? The Edge Transport server is used for address-rewrite for outgoing emails. Incoming emails do not traverse the Edge Transport server.

2) Is there any additional configuration needed on the send/receive connectors, so that email delivered to the online mailbox is routed back to the on-premise Exchange (CMT) without issues? I read somewhere that you should not have any device or systems in between the on-premise Exchange and EOL that modifies the email.

3) Are there any address rewriting capabilities in Exchange Online?

4) Please advise if having Trend Micro IMVSA and ForcePoint in between on-premise Exchange and Exchange Online would cause any problems?
Jian An Lim

1) Choose the Exchange MBX and that will config should replicate to the EDGE. In your case, EDGE only applies to outbound email so not a huge problem.
2) When you run the HCW and mark it centralised mail transport, no additional settings are required.
3) There is no address rewriting capability in Exchange Online; you are looking for 3rd party tools, like Binary Tree or Mimecast or some other 3rd party mail security tools.
4) As long as it is not modifying anything on the email, it should be fine. But if it starts modifying, then you start to see issues. The obvious one is DKIM from o365 will break your email DKIM. It is best to restamp it on the way out to the Internet.
R N


Hi Mr. Lim,

Thank you for your brilliant answers. Please can I ask you some further questions on this?

1) If I choose the Exchange MBX instead of Edge Transport as the Optimal server, I am assuming that the Hybrid connectors are created on that server to send and receive from O365. Please can you elaborate on the "MBX and that will config should replicate to the EDGE"

2) Do I need to prep the Edge server (EdgeSync, Update CU, etc) ?

3) I don't reckon that the Trend IMVSA (AV, Spam filter), Forcepoint DLP or Cisco would not change anything on the email. Probably only EDGE is doing that (email suffix). Is this change on the headers?

4) Please can you provide me some links on how I can restamp the email to avoid DKIM causing issues?

Thank you.
1. The optimal server is actually just reading the Exchange configuration. It doesn't mean it will only configure on the server you set up.

2. You should run EdgeSync after running the HCW. CU should be on the latest when possible, as always.

3. AV and spam filters will change it. Microsoft's position is that there should be no non-Exchange server between EOP and the Exchange server. Otherwise, it just increases troubleshooting effort. DKIM is definitely impacted, so you need to make sure you can stamp one, or else it will definitely fail the DKIM check when the recipient receives such emails.

4. You can read this.

Personally, I will not use centralised mail transport for this reason; it will be best to align them up front and not to go through, but the decision is yours.
R N


Dear Mr. Lim,

Sorry to bother you again. What would you suggest I do? I agree that centralised transport is not a good solution.

The alternative would be for us to go for non-centralised model which I believe is emails from Office365 sent directly to the internet via EOP to the Cisco (mail gateway) :-

1) Still maintain the existing MX record to Cisco Email Security because we are only moving 5% of the users to Office 365 at the moment
2) Duplicate the DLP policies from the on-premise DLP appliance into the Office 365
3) Duplicate / Import policies such as IRM, OWA policies, Active Sync policies into Office 365
4) Set up SMTP send connector to Cisco Email Security in Exchange Online?
5) Purchase 3rd party address rewriting tool for Office 365

Thanks again.
Hi R N,

I did not say good or bad, because it all depends on the budget you currently have.

Will all of the 5% of users that move to Office 365 need to do address rewrite?

Step 4 or 5 is fine but 5 will cost you a lot, unless your Cisco email security can do address rewrite.
If not, it will be better to set up an SMTP send connector to EDGE for the time being.

Again, DKIM is a risk but not an issue until you see an issue (user cannot send email to some recipients, or some recipients do not receive email from your user).

Usually you will let your email security perform the address rewrite (they should have the capability) and stamp a valid DKIM on the way out.
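
The DKIM concern raised in the answers above, as an added example that is not part of the original thread: a Python implementation of the RFC 6376 body-hash check, showing which in-transit changes by a gateway still match the signer's `bh=` tag. The domain, selector, message bodies and stub signature header are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_hash_survives(dkim_value: str, body: bytes) -> bool:
    """True if the received body still matches the signer's bh= tag (l= is not handled)."""
    tags = dkim_tags(dkim_value)
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"
    return body_hash(body, mode) == tags["bh"]

# Constructed sample data: example.com, selector "sel" and the bodies are made up.
SIGNED = b"Hello,\r\n\r\nQuarterly figures attached.\r\n"
HOPS = {
    "untouched": SIGNED,
    "whitespace changed": b"Hello,  \r\n\r\nQuarterly  figures attached.\r\n\r\n",
    "footer appended": SIGNED + b"--\r\nScanned by mail gateway\r\n",
}

def survey(c: str) -> dict:
    """Sign SIGNED with canonicalization c, then test each hop's version of the body."""
    mode = c.split("/")[1]
    header = f"v=1; a=rsa-sha256; c={c}; d=example.com; s=sel; bh={body_hash(SIGNED, mode)}; b=PLACEHOLDER"
    return {name: body_hash_survives(header, body) for name, body in HOPS.items()}

if __name__ == "__main__":
    for c in ("relaxed/relaxed", "simple/simple"):
        print(c, survey(c))
```

Only the body hash is checked here; a rewrite of a signed header such as From fails the `b=` signature verification regardless of the body, so a gateway that rewrites addresses needs to apply its own signature after the rewrite.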
R N


Hi Mr. Lim

Yes you are right, the Cisco can do address rewriting so we will plan to decommission the Edge Transport and move that capability to the Cisco. So in the future, the mail flow will be:-

Outgoing email - Exchange 2016 > DLP > Trend IMVSA > Cisco > Internet
Incoming email - Internet > Cisco > Trend IMVSA > Exchange 2016

Apparently, the Trend Micro IMVSA and Cisco are both AV and spam filters.

I will run the HCW and select one of the mailbox servers as the Hybrid server. I will enter that server FQDN as of the mailbox server that is published to the public DNS.

I wish you and your family a very happy and prosperous, healthy and wealthy New Year.

Gong Xi Fa Cai !
R N


Thank you for all your answers