Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2013-01-25

In hybrid deployments, you can have mailboxes that reside in your on-premises organization and also in an Exchange Online organization. A critical component of making these two separate organizations appear as one combined organization to users and messages exchanged between them is hybrid transport. With hybrid transport, messages sent between recipients in either organization are authenticated, transferred using Transport Layer Security (TLS), and appear as “internal” to Exchange components such as transport rules, journaling, and anti-spam policies. Hybrid transport is automatically configured by the Manage Hybrid Configuration wizard in Service Pack 3 (SP3) for Exchange 2010.

For hybrid transport configuration to work with the Manage Hybrid Configuration wizard, the on-premises SMTP endpoint that accepts connections from Exchange Online Protection (EOP), which handles transport for the Exchange Online organization, must be an Exchange 2010 SP3 Hub Transport or Edge Transport server. Hybrid transport makes use of new features provided in Exchange 2010 SP3 to secure messages and make them appear as “internal.” While an on-premises Exchange 2010 SP3 server is required for hybrid transport between the on-premises and Exchange Online organizations, you don’t need to route the mail to and from on-premises mailboxes and Internet recipients through an Exchange 2010 server.

Important:
There can be no other SMTP hosts, services, or appliances between the on-premises Exchange 2010 SP3 Hub Transport or Edge Transport server and EOP. Information added to messages that enables hybrid transport features is removed when they pass through a non-Exchange 2010 SP3 server or SMTP host. This includes earlier versions of Exchange. If you have Exchange 2007 Edge Transport servers deployed in your organization, and you want to use them for hybrid transport, they must be upgraded to Exchange 2010 SP3.

Hub Transport and Edge Transport servers must run Exchange 2010 SP3 to use the Manage Hybrid Deployment wizard for hybrid deployment configuration.

Inbound messages sent to recipients in both organizations from external Internet senders follow a common inbound route. Outbound messages sent from the organizations to external Internet recipients can either follow a common outbound route or can be sent via independent routes.

You’ll need to choose how to route inbound and outbound mail when you configure your hybrid deployment. The route taken by inbound and outbound messages sent to and from recipients in the on-premises and Exchange Online organizations depends on the following:

Regardless of how you route messages to and from the Internet, all messages sent between the on-premises and Exchange Online organizations are sent using secure transport. For more information, see “Trusted Communication” later in this topic.

To learn more about how these options affect message routing in your organization, see Understanding Transport Routing in Exchange 2007 Hybrid Deployments.

Exchange Online Protection in Hybrid Deployments

EOP is an online service provided by Microsoft that’s used by many companies to protect their on-premises organizations from viruses, spam, phishing scams, and policy violations. In Office 365, EOP is used to protect Exchange Online organizations from the same threats. When you sign up for Office 365, an EOP company is automatically created that’s tied to your Exchange Online organization.

An EOP company contains several of the mail transport settings that can be configured for your Exchange Online organization. You can specify which SMTP domains must come from specific IP addresses, require a TLS and a Secure Sockets Layer (SSL) certificate, can bypass anti-spam filtering or compliance policies, and more. FOPE is the front door to your Exchange Online organization. All messages, regardless of their origin, must pass through EOP before they reach mailboxes in your Exchange Online organization. And, all messages sent from your Exchange Online organization must go through EOP before they reach the Internet.

When you configure a hybrid deployment with the Manage Hybrid Configuration wizard, all transport settings are automatically configured in your on-premises organization and in the EOP company set up for your Exchange Online organization. The Manage Hybrid Configuration wizard configures all inbound and outbound connectors and other settings in this EOP company to secure messages sent between the on-premises and Exchange Online organizations and route messages to the right destination. If you want to configure custom transport settings for your Exchange Online organization, you’ll configure them in this EOP company also.

Trusted Communication

To help protect recipients in both the on-premises and Exchange Online organizations, and to help ensure that messages sent between the organizations aren't intercepted and read, transport between the on-premises organization and EOP is configured to use forced TLS. TLS transport uses Secure Sockets Layer (SSL) certificates provided by a trusted third-party Certificate Authority (CA). Messages between EOP and the Exchange Online organization also use TLS.

When using forced TLS transport, the sending and receiving servers examine the certificate configured on the other server. The subject name, or one of the subject alternative names (SANs), configured on the certificates must match the FQDN that an administrator has explicitly specified on the other server. For example, if EOP is configured to accept and secure messages sent from the hybrid.contoso.com FQDN, the sending on-premises hybrid server must have an SSL certificate with hybrid.contoso.com in either the subject name or SAN. If this requirement isn't met, the connection is refused.

Note:
The FQDN used doesn't need to match the e-mail domain name of the recipients. The only requirement is that the FQDN in the certificate subject name or SAN must match the FQDN that the receiving or sending servers are configured to accept.

In addition to using TLS, messages between the organizations are treated as “internal”. This approach allows messages to bypass anti-spam settings and other services.

Learn more about SSL certificates and domain security at: Understanding Certificate Requirements for Hybrid Deployments, Understanding TLS Certificates