Exchange Hybrid Migration

R N
R N used Ask the Experts™
on
Apologies if this question has been answered before. We are going for Exchange hybrid migration to Exchange Online. On-premise, we have Exchange 2016 mailbox and Exchange 2016 Edge transport servers, DLP appliance (Forcepoint 8.4) and Cisco Email Security as our mail gateway.

We are enabling Centralised Mail Transport (CMT) because we wish to retain the DLP appliance for now until all mailboxes are migrated.

1) When running the HCW, should I choose the Edge Transport server as the Optimal server or the Exchange 2016 mailbox server? The Edge Transport server is used for address-rewrite for outgoing emails. Incoming emails do not traverse the Edge Transport server.

2) Is there any additional configuration needed on the send/receive connectors, so that email delivered to the online mailbox is routed back to the on-premise Exchange (CMT) without issues. I read somewhere that you should not have any device or systems in between the on-premise Exchange and EOL that modifies the email.

3) Is there any address rewriting capabilities in Exchange Online?

4) Please advise if having Trend Micro IMVSA and ForcePoint in between on-premise Exchange and Exchange Online would cause any problems?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Jian An LimSolutions Architect
Top Expert 2016

Commented:
1) choose the exchange MBX and that will config should replicate to the EDGE. in your case, EDGE only applies to outbound email so not a huge problem.
2) when you run the HCW and mark it centralise mail transport, no additional settings required.
3). there are no address rewriting capability in Exchange Online, you are looking for 3rd party tools, like Binary Tree or Mimecast or some other 3rd party mail security tools.
4) as long as it is not modifing any thing on the email, it should be fine. But it starts modifying, then you start to see issues. Obvious one is DKIM from o365 will break your email DKIM. it is best to restamp it on the way out to Internet.
R N

Author

Commented:
Hi Mr. Lim,

Thank you for your brilliant answers. Please can I ask you some further questions on this?

1) If I choose the Exchange MBX instead of Edge Transport as the Optimal server, I am assuming that the Hybrid connectors are created on that server to send and receive from O365. Please can you elaborate on the "MBX and that will config should replicate to the EDGE"

2) Do I need to prep the Edge server (EdgeSync, Update CU, etc) ?

3) I don't reckon that the Trend IMVSA (AV, Spam filter), Forcepoint DLP or Cisco would not change anything on the email. Probably only EDGE is doing that (email suffix)   is this change on the headers?

4) Please can you provide me some links on how I can restamp the email to avoid DKIM causing issues?

Thank you.
Jian An LimSolutions Architect
Top Expert 2016

Commented:
1. the optimal server actually just reading what the exchange configuration. it doesn't means it will only configure on the server you setup.

2. you should run Edgesync after running the HCW . CU should be on latest when possible as always

3.  AV, spam filter will change it. Microsoft position is there should be no NON-exchange server between EOP and Exchange server. Else, just increase troubleshooting effort. DKIM definitely impacted so you need to check make sure you can stamp one, OR else, it will definitely fail on DKIM check when the recipient receives such emails.

4. https://github.com/Pro/dkim-exchange you can read this.



Personally, i will not use centralised mail transport for this reason, it will be best to align them up front and not to go through but the decision is yours.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

R N

Author

Commented:
Dear Mr. Lim,

Sorry to bother you again. What would you suggest I do? I agree that centralised transport is not a good solution.

The alternative would be for us to go for non-centralised model which I believe is emails from Office365 sent directly to the internet via EOP to the Cisco (mail gateway) :-

1) Still maintain the existing MX record to Cisco Email Security because we are only moving 5% of the users to Office 365 at the moment
2) Duplicate the DLP policies from the on-premise DLP applicance into the Office 365
3) Duplicate / Import policies such as IRM,  OWA policies, Active Sync policies into Office 365
4) Set up SMTP send connector to Cisco Email Security in Exchange Online?
5) Purchase 3rd party address rewriting tool for Office 365

Thanks again.
Jian An LimSolutions Architect
Top Expert 2016

Commented:
Hi R N,

i did not say good or bad, because it is all depends on budget you currently have.

Is all your 5% of users that move to office 365 will need to do address rewrite?

Step 4 or 5 is fine but 5 will cost you a lot, unless your cisco email security can do address rewrite.
If not, it will be better to setup SMTP send connector to EDGE for the time being

Again, DKIM is a risk but not an issue until you see a issue (user cannot send email to some recipient, or some recipient do not receive email from your user).

Usually you will let your email security perform the address rewrite (they should have the capability) and stamp a valid DKIM on the way out.
R N

Author

Commented:
Hi Mr. Lim

Yes you are right, the Cisco can do address rewriting so we will plan to decommission the Edge Transport and move that capability to the Cisco. So in the future, the mail flow will be:-

Outgoing email - Exchange 2016 > DLP > Trend IMVSA > Cisco > Internet
Incoming email - Internet > Cisco > Trend IMVSA > Exchange 2016

Apparently, the Trend Micro IMVSA and Cisco are both AV and spam -filters

I will run the HCW and select one of the mailbox server as the Hybrid server. I will enter that server FQDN as of the mailbox server that is published to the public DNS.

I wish you and your family a very happy and prosperous, healthy and wealthy New Year.

Gong Xi Fa Cai !
Solutions Architect
Top Expert 2016
Commented:
at some stage, you might want to remove Trend IMVSA as putting more AV/Spam don't usually stack up well.

Good luck and same to you on the festive season
R N

Author

Commented:
Thank you for all your answers

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial