Applies to: Exchange Server 2010 SP1
Topic Last Modified: 2012-07-23
Estimated time to complete: 20 minutes
You've chosen to route all the e-mail messages sent between the Internet and mailboxes in your cloud-based organization through your on-premises Exchange 2010 hybrid server. By routing messages through your on-premises hybrid server, you can apply transport rules, anti-virus policies, and anti-spam rules against the messages.
The procedures in this step of your checklist configure the following mail flow in your organization:
- Messages sent between a mailbox in your cloud-based
organization and the Internet will flow through the on-premises
hybrid server.
- Messages sent between mailboxes in the cloud-based organization
will remain within the cloud-based organization. They won't be sent
through the on-premises hybrid server.
- Messages sent between an on-premises Exchange mailbox and a
mailbox in your cloud-based organization will flow through the
on-premises hybrid server.
In addition to the settings you need to configure in your on-premises organization and in your cloud-based organization, you also need to configure settings in Forefront Online Protection for Exchange (FOPE). FOPE is located between your cloud-based organization and the Internet and provides anti-virus and anti-spam protection for your cloud-based mailboxes. FOPE also controls where outbound messages from your cloud-based organization are routed, and what senders are allowed to send mail to your cloud-based organization.
Learn more at: Understanding Transport Options for an Exchange 2007 Hybrid Deployment
Caution: |
---|
This topic is meant to be read as part of the Microsoft Exchange Server 2007 and Office 365 Hybrid Deployment checklist. Information or procedures in this topic may depend on prerequisites configured in topics earlier in the checklist. To view the checklist, see Checklist - Exchange 2007 and Office 365 Hybrid Deployment |
How do I configure transport settings in my on-premises organization?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Remote domains", "Send connectors", and "Receive connectors" entries in Transport Permissions.
For this procedure, you’ll use the Exchange Management Shell to configure the following:
- Transport Layer Security (TLS) for all messages sent between
your on-premises and cloud-organizations.
- Inbound and outbound messages sent between your on-premises and
cloud-organizations are trusted. Anti-spam rules won't be applied
to these messages.
- All mail sent to your cloud-based organization is routed
through a FOPE smart host.
- On your on-premises hybrid server, create a remote domain for
inbound messages received from the cloud-based organization.
New-RemoteDomain "Inbound Remote Domain" -DomainName contoso.com
- On your on-premises hybrid server, create a remote domain for
outbound messages sent to the cloud-based organization.
New-RemoteDomain "Outbound Remote Domain" -DomainName service.contoso.com
- On your on-premises hybrid server, configure the inbound remote
domain to trust messages sent from the cloud-based
organization.
Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
- On your on-premises hybrid server, configure the outbound
remote domain to enable trusted delivery of messages to the
cloud-based organization.
Set-RemoteDomain "Outbound Remote Domain" -TrustedMailOutboundEnabled $True -TargetDeliveryDomain $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
- On your on-premises hybrid server, modify the “To cloud” Send
connector to enable TLS transport and route all mail sent to your
cloud-based organization through a FOPE smart host using the
following command.
Set-SendConnector "To cloud" -RequireTLS $True -TlsAuthLevel DomainValidation -TlsDomain mail.messaging.microsoft.com -Fqdn mail2.contoso.com -ErrorPolicies DowngradeAuthFailures
- Browse to: FOPE administration center
- If this is your first time accessing FOPE, do the
following:
- Click Need your password.
- Enter the e-mail address of the account in the cloud-based
service in the User name field. This is the e-mail address
you specified when you created the account in the cloud-based
service. For example, admin@contoso.onmicrosoft.com.
- Log on to your cloud-based service admin e-mail account at
https://www.outlook.com/contoso.com. Open the e-mail message sent
by FOPE to that account and retrieve the password provided.
- Browse back to: FOPE administration center
- Click Need your password.
- Enter the e-mail address of the account in the cloud-based
service in the User name field.
- Enter your FOPE password in the Password field.
- Click the Information tab, and then click
Configuration.
- Make a note of the IP addresses listed under IP addresses to
configure on your firewall.
- On your on-premises hybrid server, create a new Receive
connector to accept messages from FOPE. The Receive connector is
configured to only accept connections from the FOPE IP addresses
obtained in the previous step and to treat messages sent by the
cloud-based organization as internal messages. The FQDN configured
on the connector must match the common name of the SSL certificate
that you want to use for secure mail.
New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings 0.0.0.0:25 -FQDN mail2.contoso.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol
Note: FOPE uses a combination of Classless Inter-Domain Routing (CIDR) IP notation and single IP addresses. Separate each IP address using a comma when configuring the RemoteIPRanges parameter. For example, -RemoteIPRanges 172.0.0.0/24, 192.168.1.1, 10.23.21.64/26.
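The following script is an added example and is not part of this topic. It builds the RemoteIPRanges value for the "From Cloud" Receive connector from the FOPE address list, rejects malformed entries before the connector is created, and then reads the connector back to confirm that it accepts connections only from those ranges. $FopeIpRanges holds constructed placeholder values (RFC 5737 documentation addresses) that you must replace with the addresses from the FOPE administration center, and the read-back comparison assumes that Exchange returns each range in the same notation in which it was entered.

```powershell
# Placeholder list, constructed for this example: replace with the addresses shown under
# "IP addresses to configure on your firewall" in the FOPE administration center.
$FopeIpRanges = @("192.0.2.0/24", "198.51.100.17", "203.0.113.64/26")

# Accept only single IPv4 addresses or IPv4 CIDR blocks. A typo here would either reject
# FOPE or, worse, open the connector to hosts that are not FOPE.
$Ipv4 = '(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}'
foreach ($Entry in $FopeIpRanges) {
    if ($Entry -notmatch "^$Ipv4(/([0-9]|[12]\d|3[0-2]))?$") {
        throw "Invalid FOPE address entry: '$Entry'"
    }
}

$ConnectorName = "From Cloud"
$HybridFqdn    = "mail2.contoso.com"   # must match the common name of the certificate used for secure mail

# Same parameters as the command in this topic, with the validated list passed as an array
New-ReceiveConnector -Name $ConnectorName -Usage Internet `
    -RemoteIPRanges $FopeIpRanges -Bindings 0.0.0.0:25 -FQDN $HybridFqdn `
    -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol

# Read the connector back: RemoteIPRanges must contain nothing beyond the FOPE entries,
# otherwise hosts other than FOPE could deliver mail that is treated as internal.
# Assumption: ranges are returned in the notation they were entered in.
$Connector  = Get-ReceiveConnector -Identity $ConnectorName
$Configured = @($Connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
$Unexpected = @($Configured | Where-Object { $FopeIpRanges -notcontains $_ })
if ($Unexpected.Count -gt 0) {
    Write-Warning "Receive connector '$ConnectorName' accepts ranges beyond FOPE: $($Unexpected -join ', ')"
} else {
    "Receive connector '$ConnectorName' accepts connections only from: $($Configured -join ', ')"
}
$Connector | Format-List Fqdn, Bindings, TlsDomainCapabilities
```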
How do I configure transport settings in my cloud-based organization?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Remote domains", and "Accepted domains" entries in Transport Permissions.
For this procedure, you’ll use the Shell to configure the following:
- Configure the shared SMTP domain as an internal relay domain
and set the domain as outbound only.
- Inbound and outbound messages sent between your on-premises and
cloud-organizations are trusted. Anti-spam rules won't be applied
to these messages.
- In the cloud-based organization, create a remote domain for
inbound messages received from the on-premises organization. The
domain name must contain the name of the certificate published on
the hybrid server.
Note: This domain must match the FQDN you specify in the TLS certificate matching domain when you create the inbound FOPE connector later.
New-RemoteDomain "Inbound Remote Domain" -DomainName mail2.contoso.com
- In the cloud-based organization, create a remote domain for
outbound messages sent to recipients in the on-premises
organization. The domain must be the domain portion of the
recipient address of on-premises recipients.
New-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -DomainName contoso.com
- In the cloud-based organization, configure the inbound remote
domain to trust messages sent from the on-premises
organization.
Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
- In the cloud-based organization, configure the outbound remote
domain to on-premises recipients to enable trusted delivery of
messages to the on-premises organization and enable rich e-mail
client features.
Set-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
- In the cloud-based organization, configure the outbound remote
domain to Internet recipients to enable trusted delivery of
messages to the on-premises organization.
Set-RemoteDomain Default -TrustedMailOutboundEnabled $True
- In the cloud-based organization, set the accepted domain for
the shared SMTP domain to be an internal relay domain, and set the
domain as outbound only, using the following command.
Set-AcceptedDomain "contoso.com" -DomainType InternalRelay -OutboundOnly $True
How do I configure FOPE to route mail to and from my on-premises organization?
The permissions required to perform this procedure are automatically granted to the cloud-based service administrator account when you log into FOPE for the first time.
With this procedure, you'll configure the following:
- Inbound connector in FOPE that accepts messages sent to your
cloud-based organization only from your on-premises hybrid server.
The connector is also configured to only accept messages sent using
TLS.
- Outbound connector in FOPE that sends all messages sent from
your cloud-based organization to the Internet through your
on-premises hybrid server. The connector is also configured to send
messages using TLS.
Note: |
---|
When you log into the FOPE administrator center, you might notice an entry on the Domains tab that begins with DuplicateDomain-GUID and ends with your shared domain. For example, DuplicateDomain-GUIDcontoso.com. This entry is expected if you configured the accepted domain for your shared domain in the cloud-based organization as an outbound-only domain. If you didn't configure the accepted domain as an outbound-only domain, and you still see a DuplicateDomain entry in the FOPE administration center domains list, contact FOPE support. |
- Browse to: FOPE administration center
- If this is your first time accessing FOPE, do the
following:
- Click Need your password.
- Enter the e-mail address of the account in the cloud-based
service in the User name field. This is the e-mail address
you specified when you created the account in the cloud-based
service. For example, admin@contoso.onmicrosoft.com.
- Log on to your cloud-based service admin e-mail account at
https://www.outlook.com/contoso.com. Open the e-mail message sent
by FOPE to that account and retrieve the password provided.
- Browse back to: FOPE administration center
- Click Need your password.
- Enter the e-mail address of the account in the cloud-based
service in the User name field.
- Enter your FOPE password in the Password field.
- Click the Administration tab, and then click the
Company tab.
- Click Add next to Inbound Connectors under
Connectors.
- In the Add inbound Connector dialog, configure the
following:
- Name Enter a name for the inbound
connector.
- Description Enter a description for the
inbound connector.
- Under Connector Scope, specify *.* in the Sender
Domains text box
- Under Connector Scope, specify the source IP address
that your firewall presents to hosts on the Internet in the
Sender IP Address text box. Depending on the configuration
of your firewall, this might be the external IP address of your
hybrid server, or it might be the WAN IP address of the firewall.
If you want to specify a range of IP addresses, use CIDR notation.
You can also specify multiple IP addresses by separating each IP
address with a comma.
- Select Add these IP addresses to the safelist and only
accept mail from these IP addresses for the domains specified
above.
- Under Connector Settings, select the Force TLS
option in Transport Layer Security (TLS) Settings.
- Select the Sender certificate matches check box and, in
the associated text field, specify the certificate subject name
that you configured on the on-premises hybrid server. For example,
mail2.contoso.com.
Note: The FQDN you specify here must match the domain you specified when you created the "Inbound remote domain" in the cloud-based organization earlier.
- Make sure that all the check boxes are cleared in
Filtering in Connector Settings.
- Click Save.
- Click Enforce next to the inbound connector you just
created. Click OK on the Enforce Inbound Connector
dialog box.
- Click Add next to Outbound Connectors under
Connectors settings.
- In the Add outbound Connector dialog, configure the
following:
- Name Enter a name for the outbound
connector.
- Description Enter a description for the
outbound connector.
- Under Connector Scope, specify *.* in the Recipient
Domains text box.
- Under Message Delivery Settings, select the Deliver
all messages to the following destination check box.
- Select the Fully Qualified Domain Name option and
specify the external FQDN of the on-premises hybrid server. For
example, mail2.contoso.com.
- Under Transport Layer Security (TLS) Settings, select
The recipient certificate matches, and in the associated
text field, specify the certificate subject name that you
configured on the on-premises hybrid server. For example,
mail2.contoso.com.
- Click Save.
- Click Enforce next to the outbound connector you just
created. Click OK on the Enforce Outbound Connector
dialog box.
How do I configure an MX record?
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Manage domains" entry in Assigning administrator roles.
Before you can send e-mail messages to recipients in the cloud-based service that have a service.contoso.com SMTP address, you must add a mail exchanger (MX) record for the service.contoso.com domain. The MX record must refer to the FQDN created for your cloud-based organization.
To find the FQDN that you should use to create your MX record, do the following:
- Log on to: Cloud-based service administration portal
- Click Admin, and then click Domains.
- Click the SMTP namespace for your cloud-based organization. For
example, service.contoso.com.
- On the Domain properties page, verify that Yes is
listed for the Exchange Online service. If No is
listed, you must select Edit domain intent to assign
Exchange services to the service-routing domain. In the Edit
domain intent dialog box, select the Exchange Online
check box for the Select the services that you’ll use with this
domain and click Save.
- Click DNS Settings.
- In the Exchange Online DNS records table, find the row
where Type equals MX. Use the value in the Points
to address field. For example,
<value>.mail.eo.outlook.com.
After you've found the FQDN to use with your MX record, create the MX record in your DNS zone.
For example, the MX record for service.contoso.com is the following:
Delivery domain | DNS record type | MX priority | Cloud-based organization domain |
---|---|---|---|
service.contoso.com | MX | 0 | <value>.mail.eo.outlook.com |
Refer to your DNS host's Help for more information about how to add an MX record to your DNS zone.
How do I know this worked?
To verify that you've correctly configured your transport settings, send test messages between the Internet and your cloud-based organization, and between on-premises Exchange mailboxes and mailboxes in your cloud-based organization. To perform these tests, you must have a test mailbox in your cloud-based organization. Then do the following to verify that your settings are correct:
- Verify recipients receive each of the test messages.
- In the SMTP headers of a message sent from the Internet to a
cloud-based mailbox, verify that (TLS) is present on the hop
between your on-premises hybrid server and the FOPE smart host.
- In the SMTP headers of a message sent to an Internet recipient
from a cloud-based mailbox, verify that the message is correctly
routed through your on-premises hybrid server. Also verify that
(TLS) is present on the hop between your on-premises hybrid
server and the FOPE server.
- In the SMTP headers of messages sent between on-premises
mailboxes and cloud-based mailboxes, verify that the
X-MS-Exchange-Organization-AuthAs header is set to
Internal.
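As an added example that is not part of this topic, the following script applies the header checks above to the Internet headers of a saved test message: it confirms that the hop from the on-premises hybrid server to FOPE was recorded with (TLS), and that the message is stamped X-MS-Exchange-Organization-AuthAs: Internal. $HeaderText is a constructed sample (RFC 5737 addresses and hypothetical mailbox server names) for a message sent from an on-premises mailbox to a cloud-based mailbox; the hybrid server and FOPE names are the ones used as examples in this topic.

```powershell
# Constructed sample headers; replace with the Internet headers of your own test message
# (for example, copied from the message's Internet headers in Outlook).
$HeaderText = @"
Received: from mail.messaging.microsoft.com (198.51.100.20) by
 cloud-mbx.contoso.example (203.0.113.5) with Microsoft SMTP Server (TLS)
 id 14.1.339.1; Mon, 23 Jul 2012 10:00:03 +0000
Received: from mail2.contoso.com (192.0.2.10) by
 mail.messaging.microsoft.com (198.51.100.20) with Microsoft SMTP Server (TLS)
 id 14.1.225.23; Mon, 23 Jul 2012 10:00:02 +0000
Received: from onprem-mbx.contoso.local (192.0.2.11) by mail2.contoso.com
 (192.0.2.10) with Microsoft SMTP Server id 14.1.339.1;
 Mon, 23 Jul 2012 10:00:01 +0000
X-MS-Exchange-Organization-AuthAs: Internal
From: onprem.user@contoso.com
To: cloud.user@service.contoso.com
Subject: Hybrid transport test
"@

# Unfold continuation lines: a header line that starts with whitespace continues the previous one
$Lines = ($HeaderText -replace "(\r?\n)[ \t]+", " ") -split "\r?\n"

# Break each Received header into its from/by hosts and note whether (TLS) was recorded for the hop
$Hops = foreach ($Line in $Lines) {
    if ($Line -match '^Received: from (\S+) .*?\bby (\S+) ') {
        [pscustomobject]@{ From = $Matches[1]; By = $Matches[2]; Tls = ($Line -match '\(TLS\)') }
    }
}

$HybridFqdn = "mail2.contoso.com"              # hybrid server FQDN used in this topic
$FopeFqdn   = "mail.messaging.microsoft.com"  # FOPE TLS domain used in this topic

# Check 1: the hybrid server -> FOPE hop must show (TLS). A missing hop means the message
# bypassed the hybrid server; a hop without (TLS) means TLS is not being enforced.
$Hop = $Hops | Where-Object { $_.From -eq $HybridFqdn -and $_.By -eq $FopeFqdn } | Select-Object -First 1
if (-not $Hop)         { "FAIL: no hop from $HybridFqdn by $FopeFqdn; message did not pass through the hybrid server" }
elseif (-not $Hop.Tls) { "FAIL: hop from $HybridFqdn to $FopeFqdn was not protected by TLS" }
else                   { "PASS: hop from $HybridFqdn to $FopeFqdn used TLS" }

# Check 2: on-premises <-> cloud messages must be stamped Internal; anything else means the
# remote domains are not trusted and anti-spam rules will be applied to these messages.
$AuthAs = $null
foreach ($Line in $Lines) {
    if ($Line -match '^X-MS-Exchange-Organization-AuthAs:\s*(\S+)') { $AuthAs = $Matches[1] }
}
if ($AuthAs -eq "Internal") { "PASS: X-MS-Exchange-Organization-AuthAs is Internal" }
else { "FAIL: X-MS-Exchange-Organization-AuthAs is '$AuthAs', expected Internal" }
```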
If you're having problems configuring transport, you can enable protocol logging to provide you with additional information. Protocol logging enables you to record the conversations that take place between your hybrid server and other mail hosts. You can use this information to determine whether you're connecting to the correct mail hosts, whether SSL certificates are being exchanged, and so on.
Learn more at: Understanding Protocol Logging, Configure Protocol Logging
Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service. Visit the forums at: Office 365 Forums