Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2014-04-28

Before you create and configure a hybrid deployment using Microsoft Exchange Server 2013 and the Hybrid Configuration wizard, your existing on-premises Exchange organization must meet certain requirements. If you don't meet these requirements, you won't be able to complete the steps within the Hybrid Configuration wizard and you won't be able to configure a hybrid deployment between your on-premises Exchange organization and the Exchange Online organization in Microsoft Office 365.

Important:
This feature of Exchange Server 2013 isn’t fully compatible with Office 365 operated by 21Vianet in China and some feature limitations may apply. For more information, see Learn about Office 365 operated by 21Vianet.

Prerequisites for hybrid deployment

The following prerequisites are required for configuring a hybrid deployment:

  • On-premises Exchange organization   Hybrid deployments can be configured for on-premises Exchange 2007-based organizations or later. For Exchange 2007 and Exchange 2010 organizations, at least one Exchange 2013 Client Access and one Exchange 2013 Mailbox server must be installed in the on-premises organization to run the Hybrid Configuration wizard and support Exchange 2013-based hybrid deployment functionality. We recommend combining the Exchange 2013 Client Access and Mailbox server roles on a single server when configuring hybrid deployments with Exchange 2007 and Exchange 2010 environments. All on-premises Exchange 2013 servers must have installed Cumulative Update 1 (CU1) or greater for Exchange 2013 to support hybrid functionality with Office 365. For more information, see Updates for Exchange 2013.

     

    For a complete listing of Exchange Server and Office 365 for enterprises tenant hybrid deployment compatibility, see the requirements listed in the following table for Exchange 2013-based and Exchange 2010-based hybrid deployments.

    Note:
    To verify your Office 365 tenant version and status, see Verify Office 365 tenant version and status later in this topic.

    | On-premises environment | Exchange 2010-based hybrid with tenant version v14 | Exchange 2010-based hybrid with tenant version v15 | Exchange 2013-based hybrid with tenant version v15 |
    |---|---|---|---|
    | Exchange 2013 SP1 | Not supported¹ | Not applicable | Supported |
    | Exchange 2010 SP3 | Supported | Supported | Supported⁵ |
    | Exchange 2010 SP2 | Supported | Not supported² | Not supported |
    | Exchange 2010 SP1 | Supported | Not supported² | Not supported |
    | Exchange 2007 SP3 RU10 | Supported³ | Supported⁴ | Supported⁵ |
    | Exchange 2007 SP3 | Supported³ | Not supported | Not supported |
    | Exchange 2003 SP2 | Supported³ | Supported⁴ | Not supported |

    Note:
    ¹ Blocked in Exchange 2013 setup

    ² Tenant upgrade notification provided in Exchange Management Console

    ³ Requires at least one on-premises Exchange 2010 SP2 server

    ⁴ Requires at least one on-premises Exchange 2010 SP3 server

    ⁵ Requires at least one on-premises Exchange 2013 CU1 or greater server
  • Office 365   Hybrid deployments are supported in all Office 365 plans that support Windows Azure Active Directory synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments. Office 365 Small Business and Home plans don’t support hybrid deployments. The Office 365 tenant version must be 15.0.620.28 or greater to configure a hybrid deployment with Exchange 2013. Additionally, your Office 365 tenant status must not be transitioning between service versions. For a complete summary, see the preceding table. To verify your Office 365 tenant version and status, see Verify Office 365 tenant version and status later in this topic.

    Learn more at Sign up for Office 365.

     

  • Custom domains   Register any custom domains you want to use in your hybrid deployment with Office 365. You can do this by using the Office 365 Administrative portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organization.

    Learn more at Add your domain to Office 365.

     

  • Active Directory synchronization   Deploy the Windows Azure Active Directory Sync tool for Active Directory synchronization with your on-premises organization.

    Learn more at Active Directory synchronization: Roadmap.

     

  • Autodiscover DNS records   Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-premises Exchange 2013 Client Access server.

     

  • Office 365 organization in the Exchange admin center (EAC)   The Office 365 organization node is included by default in the on-premises EAC, but you must connect the EAC to your Office 365 organization using your Office 365 tenant administrator credentials before you can use the Hybrid Configuration wizard. This also allows you to manage both the on-premises and Exchange Online organizations from a single management console.

    Learn more at Hybrid management in Exchange 2013 hybrid deployments.

     

  • Certificates   Install a valid digital certificate purchased from a trusted public certificate authority (CA) and assign Exchange services to it. Although self-signed certificates should be used for the on-premises federation trust with the Microsoft Federation Gateway, self-signed certificates can’t be used for Exchange services in a hybrid deployment. The Internet Information Services (IIS) instance on the Client Access servers configured in the hybrid deployment must have a valid digital certificate purchased from a trusted CA. Additionally, the EWS external URL and the Autodiscover endpoint specified in your public DNS must be listed in the Subject Alternative Name (SAN) field of the certificate. The Mailbox and Client Access (and Edge Transport, if deployed) servers used for mail transport in the hybrid deployment must all use the same certificate (that is, the certificates are issued by the same CA and have the same subject).

    Learn more at Certificate requirements for hybrid deployments.

     

  • EdgeSync   If you’ve deployed Edge Transport servers in your on-premises organization and want to configure the Edge Transport servers for hybrid secure mail transport, you must configure EdgeSync prior to using the Hybrid Configuration wizard.

    Important:
    Although EdgeSync is a requirement in deployments with Edge Transport servers, additional manual transport configuration settings will be required when you configure Edge Transport servers for hybrid secure mail transport.

    Learn more at Edge Transport servers with hybrid deployments.
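
As an added example (not part of the original topic and not Microsoft tooling), the PowerShell function below applies the rules from the Certificates item above to a set of certificate records: IIS certificates must not be self-signed and must list the EWS and Autodiscover names in the SAN, and the certificates used for mail transport must share one issuer and subject. The function name, host names and sample records are constructed, and the property names are assumed to mirror the output of Get-ExchangeCertificate.

```powershell
function Test-HybridCertificate {
    param(
        [Parameter(Mandatory = $true)][object[]]$Certificate,   # certificates selected for hybrid use
        [Parameter(Mandatory = $true)][string[]]$RequiredName   # EWS external host and Autodiscover host
    )
    $findings = @()

    foreach ($c in $Certificate) {
        if ("$($c.Services)" -notmatch 'IIS') { continue }
        if ($c.IsSelfSigned) {
            $findings += "$($c.Server): IIS certificate is self-signed"
        }
        # Compare as strings; -notcontains ignores case, which suits DNS names.
        # Exact match only: wildcard SAN entries are not expanded here.
        $sanNames = @($c.CertificateDomains | ForEach-Object { "$_" })
        foreach ($name in $RequiredName) {
            if ($sanNames -notcontains $name) {
                $findings += "$($c.Server): SAN is missing $name"
            }
        }
    }

    # Transport servers must use the same certificate: same issuing CA, same subject.
    $smtp = @($Certificate | Where-Object { "$($_.Services)" -match 'SMTP' })
    $distinct = @($smtp | ForEach-Object { "$($_.Issuer)|$($_.Subject)" } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $findings += "SMTP certificates differ across servers: $($distinct -join ' ; ')"
    }
    $findings   # empty when every rule is met
}

# Constructed sample inventory (placeholder names, not from a real deployment).
$inventory = @(
    [pscustomobject]@{ Server = 'EX01'; Services = 'IIS, SMTP'; IsSelfSigned = $false
        Issuer = 'CN=Example Public CA'; Subject = 'CN=mail.contoso.com'
        CertificateDomains = @('mail.contoso.com', 'autodiscover.contoso.com') }
    [pscustomobject]@{ Server = 'EX02'; Services = 'IIS, SMTP'; IsSelfSigned = $true
        Issuer = 'CN=EX02'; Subject = 'CN=EX02'
        CertificateDomains = @('EX02', 'EX02.corp.contoso.com') }
)
Test-HybridCertificate -Certificate $inventory -RequiredName 'mail.contoso.com', 'autodiscover.contoso.com'
```

Pass in only the certificates you intend to use for the hybrid deployment. A default self-signed certificate left assigned to SMTP for internal transport would otherwise be reported as a mismatch.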

     

Hybrid deployment protocols, ports and endpoints

Hybrid deployment features and components require certain incoming protocols, ports and connection endpoints to be accessible to Office 365 in order to work correctly. Before configuring your hybrid deployment, verify that your on-premises network and security configuration can support the features and components in the table below:

| Transport Protocol | Upper Level Protocol | Feature/Component | On-premises Endpoint | On-premises Path | Authentication Provider | Authorization Method | Pre-Auth Supported? |
|---|---|---|---|---|---|---|---|
| TCP 25 (SMTP) | SMTP/TLS | Mail flow between Office 365 and on-premises | Exchange 2013 CAS/EDGE; Exchange 2010 HUB/EDGE | N/A | N/A | Certificate-based | No |
| TCP 443 (HTTPS) | Autodiscover | Autodiscover | Exchange 2013/2010 CAS | /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc | Windows Azure AD authentication system | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Free/busy, MailTips, Message Tracking | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity | Windows Azure AD authentication system | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Multi-mailbox search | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity; /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc | Auth Server | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Mailbox migrations | Exchange 2013/2010 CAS | /ews/mrsproxy.svc | Basic | Basic | No |
| TCP 443 (HTTPS) | Autodiscover; EWS | OAuth | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity; /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc | Auth Server | WS-Security Authentication | No |
| TCP 443 (HTTPS) | N/A | AD FS | WIN2008/2012 Server | /adfs/* | Windows Azure AD authentication system | Varies per config. | 2-factor |

Recommended tools and services

In addition to the required prerequisites described earlier, other tools and services are beneficial when you’re configuring hybrid deployments with the Hybrid Configuration wizard:

  • Exchange Server Deployment Assistant   Exchange Server Deployment Assistant is a free web-based tool that helps you deploy Exchange 2013 in your on-premises organization, configure a hybrid deployment between your on-premises organization and Office 365, or migrate completely to Office 365. The tool asks you a small set of simple questions and then, based on your answers, creates a customized checklist with instructions to deploy or configure Exchange Server. The Deployment Assistant gives you exactly the right information you need to configure your hybrid deployment.

    Learn more at Exchange Server Deployment Assistant.

     

  • Remote Connectivity Analyzer tool   The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you’re ready to configure your hybrid deployment. We strongly recommend that you check your on-premises organization with the Remote Connectivity Analyzer tool prior to configuring your hybrid deployment with the Hybrid Configuration wizard.

    Learn more at Remote Connectivity Analyzer Tool.

     

  • Single sign-on   Although not a requirement for hybrid deployments, single sign-on enables users to access both the on-premises and Exchange Online organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools.

    Single sign-on is also highly recommended for organizations that plan on deploying Exchange Online Archiving (EOA) in their Exchange organization.

    If you decide to deploy single sign-on with your hybrid deployment, we recommend that you deploy it with Active Directory synchronization and before using the Hybrid Configuration wizard.

    Learn more at Prepare for single sign-on.

Verify Office 365 tenant version and status

To verify the version and status of your Office 365 tenant, follow the steps below:

  1. Connect to the Office 365 tenant using remote Windows PowerShell. For step-by-step connection instructions, see Connect Windows PowerShell to the Service.

  2. After connecting to the Office 365 tenant, run the following command.

    Get-OrganizationConfig | Format-List AdminDisplayVersion,IsUpgradingOrganization 
    

    Verify that your Office 365 tenant and status meet the following requirements:

    • AdminDisplayVersion parameter value is equal to or greater than 15.0.620.28

    • IsUpgradingOrganization parameter is False

    For example, “0.20 (15.0.620.51)” and “False”.

    Warning:
    If your Office 365 tenant version and status don’t meet the hybrid deployment requirements, the Hybrid Configuration wizard won’t complete successfully.
  3. Disconnect from the Office 365 tenant remote PowerShell session. For step-by-step disconnection instructions, see Connect Windows PowerShell to the Service.
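
The check in step 2 can be scripted. The function below is an added example, not part of the original topic: it extracts the build number from the AdminDisplayVersion display string and compares it as a version rather than as text, then combines the result with IsUpgradingOrganization. The function name and all sample values other than “0.20 (15.0.620.51)” are constructed.

```powershell
function Test-HybridTenantReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$AdminDisplayVersion,
        [Parameter(Mandatory = $true)][bool]$IsUpgradingOrganization,
        [version]$MinimumVersion = '15.0.620.28'   # minimum stated in this topic
    )

    # The display string looks like "0.20 (15.0.620.51)"; the value to compare
    # is the four-part build number inside the parentheses.
    $build = $null
    if ($AdminDisplayVersion -match '\((\d+\.\d+\.\d+\.\d+)\)') {
        $build = [version]$Matches[1]
    }

    # Comparing [version] objects is numeric per component. A plain string
    # comparison would wrongly rank "15.0.1044.25" below "15.0.620.28".
    $versionOk = ($null -ne $build) -and ($build -ge $MinimumVersion)

    [pscustomobject]@{
        Input        = $AdminDisplayVersion
        Build        = $build
        VersionOk    = $versionOk
        NotUpgrading = -not $IsUpgradingOrganization
        Ready        = $versionOk -and (-not $IsUpgradingOrganization)
    }
}

# Constructed sample values (only the first string appears in this topic).
$samples = @(
    @{ AdminDisplayVersion = '0.20 (15.0.620.51)';   IsUpgradingOrganization = $false },  # meets both requirements
    @{ AdminDisplayVersion = '0.20 (15.0.1044.25)';  IsUpgradingOrganization = $false },  # newer build, numeric compare
    @{ AdminDisplayVersion = '0.10 (14.16.190.8)';   IsUpgradingOrganization = $false },  # below the minimum
    @{ AdminDisplayVersion = '0.20 (15.0.620.51)';   IsUpgradingOrganization = $true },   # transitioning between versions
    @{ AdminDisplayVersion = 'unrecognized';         IsUpgradingOrganization = $false }   # unparseable, treated as not ready
)
foreach ($s in $samples) { Test-HybridTenantReadiness @s }

# In a connected session (step 1), the same check against the live tenant:
#   $org = Get-OrganizationConfig
#   Test-HybridTenantReadiness -AdminDisplayVersion "$($org.AdminDisplayVersion)" `
#       -IsUpgradingOrganization $org.IsUpgradingOrganization
```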