Exchange 2016 - 2010 co-existence hybrid with O365

  • Question

  • Hello,

    I am currently migrating our hybrid Exchange 2010 environment to an Exchange 2016. Exchange 2010 is in site A (remote from our office), Exchange 2016 is in site B (remote from our office), and there's a VPN tunnel between A <-> B. Exchange 2016 will be a single server for management purposes only, licensed via MS' hybrid license program. It will -not- route mail. We have a mail filtering system in front of it that acts as smart host. So, it looks like this: Internet <-> Mail Gateway (smart host) <-> O365

    O365 has Inbound connectors from that smart host, and can relay mail through via an Outbound connector (currently configured only for a TEST.test domain).

    Exchange 2010 is still connected and uses the hybrid wizard Inbound/Outbound connectors.

    The connector settings are:

    Exchange 2016 Test Inbound (Partner Organization) -> check Mail Gateway (smart host) IP / force TLS / check certificate

    Exchange 2010 Test Outbound (O365 to mail server) -> check if recipient domain is TEST.test / send to Mail Gateway (smart host) IP 

    Hybrid Wizard default Inbound -> check IP / force TLS / check OURDOMAIN.com

    Hybrid Wizard default Outbound -> check * and OURDOMAIN.com / force TLS / send to MX Records (Exchange 2010)

    Almost all of our mailboxes are on Office365/Exchange Online. What is very weird is that when I send a mail via the Mail Gateway (smart host) at site A, it establishes TLS to OURDOMAIN-com.mail.outlook.protection.com and is received.

    But it doesn't go directly to the mailbox in Exchange Online; instead it gets routed to our Exchange 2010 at site B, which apparently sees it's a cloud mailbox and then routes back to Exchange Online, which now accepts the message directly to the mailbox. So the path is SMTP server -> Mail Gateway (smart host) site A -> O365 -> Exchange 2010 site B -> O365 -> user mailbox.

    How can I prevent that from happening? I can't disable the Hybrid Connectors yet as our new mail gateway isn't fully configured to handle production mail flow.

    Also, over the VPN we have 80 and 443 opened but when I use Autodiscover or OWA (SCPs moved to new Exchange 2016), it is unable to find the mailboxes on Exchange 2010.

    If I use OWA with a cloud mailbox or Autodiscover externally (again, against a cloud mailbox), no issues. It seems something is blocking the Exchange 2016 from proxying connections to the Exchange 2010 CAS servers but the network team at site B claims web ports and protocols are allowed in the A <-> B tunnel.

    Could anyone help here? I need to cut over the 2010 soon and move everything to a clean 2016/O365 hybrid.


    Wednesday, June 28, 2017 9:59 AM

All replies

  • Hi,

    Did you configure centralized mail transport? In this scenario, incoming Internet mail is routed to the on-premises mail server before being routed to EOP and finally to mailboxes hosted in Exchange Online. Additionally, outgoing mail from Exchange Online mailboxes is routed through the on-premises Exchange organization for messages sent to external recipients. It's similar to your description.

    For this problem: "Also, over the VPN we have 80 and 443 opened but when I use Autodiscover or OWA (SCPs moved to new Exchange 2016), it is unable to find the mailboxes on Exchange 2010" Where are the Outlook clients? In site A or site B? If the Outlook clients are in site A, do you have an A record (mail.domain.com pointing to Exchange 2010) in DNS?

    Best Regards,

    TechNet Community Support

    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Lynn-Li Monday, July 3, 2017 1:38 AM
    Friday, June 30, 2017 2:44 AM
  • Hi Lynn,

    Yes, we currently have centralized mail transport enabled. So what happens is inbound mail (MX records pointed to site A) goes through the site A mail filtering system -> EOP -> old Exchange 2010 at site B -> back to EOP -> mailboxes in cloud. Outbound mail follows the same logic: generated in cloud mailbox -> site B -> EOP -> site A -> Internet.

    I want to disable centralized mail transport so as to avoid using the on-premises Exchange 2016 for mail routing. The server needs to be used for management purposes only. However, I still need to route both inbound and outbound mail through our mail filtering system before EOP to perform another layer of spam and virus protection and logging. I also want to have our personal IP addresses for outbound mail rather than use a shared pool.

    If I disable centralized mail transport, I am not sure how to configure the Inbound and Outbound connectors to prevent a mail loop, as there won't be an on-premises Exchange server to handle the headers. I can see both scenarios:

    1. Point MX records to O365 for Inbound mail, rely only on EOP, create Outbound connector to mail filtering gateway at site A, which routes outbound. Concerned about SPF and DKIM settings here, in addition to losing inbound mail pre-EOP filtering.

    2. Point MX records to mail filtering gateway at site A. Set mail delivery server on gateway to ourdomain-com.mail.protection.onmicrosoft.com. Set Inbound Connector in O365 to listen for site A IPs and receive email for ourdomain.com. Set Outbound Connector to push * (ALL) to IPs of mail filtering gateway at site A.

    However, this resulted in a mail loop where inbound mail coming to MX record at A -> EOP -> back to MX -> back to EOP ... etc. until maximum hop count was exceeded and one of the systems drops the message. I understand in a hybrid environment Exchange needs to process the header.

    Would it be possible to send/receive via our own IP addresses with centralized mail transport disabled and mail not being routed via on-premise?

    NOTE: we do not have any mailboxes remaining on-premises; everything is in Exchange Online.

    Monday, July 3, 2017 7:22 AM
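As an added example (not part of the thread or of any Microsoft documentation), the read-only checks an admin would run from Exchange Online PowerShell for the double hop and the loop described above, followed by the single connector change that stops the on-premises detour. Connector names and the message ID are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example, not from the thread. Assumes an Exchange Online PowerShell
# session is already open; connector names and the message ID are placeholders.

# 1. Which outbound connector still has centralized mail transport enabled?
#    RouteAllMessagesViaOnPremises = True on the hybrid outbound connector is what
#    produces EOP -> Exchange 2010 -> EOP for mail that is already in the cloud.
Get-OutboundConnector |
    Format-List Name, ConnectorType, Enabled, RecipientDomains, SmartHosts,
                UseMXRecord, RouteAllMessagesViaOnPremises, TlsSettings

# 2. Inbound side: the gateway connector should be Partner type and locked to the
#    gateway IPs. Check that those IPs do not also match the OnPremises hybrid
#    connector; an overlap is one thing to rule out for the MX -> EOP -> MX loop,
#    because EOP would then treat gateway mail as if it came from Exchange 2010.
Get-InboundConnector |
    Format-List Name, ConnectorType, Enabled, SenderDomains, SenderIPAddresses,
                RequireTls, RestrictDomainsToIPAddresses, TlsSenderCertificateName

# 3. Accepted domain type: the hybrid wizard sets InternalRelay so that mail for
#    recipients unknown to the tenant is relayed outward again. With no mailboxes
#    left on-premises, Authoritative makes EOP NDR unknown recipients instead.
Get-AcceptedDomain | Format-Table Name, DomainType, Default

# 4. Trace one looping message to see every hop and the connector chosen per hop.
$trace = Get-MessageTrace -MessageId '<PLACEHOLDER-MESSAGE-ID@example.test>' `
    -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date)
$trace | ForEach-Object {
    Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
        -RecipientAddress $_.RecipientAddress
} | Format-Table Date, Event, Detail -AutoSize

# 5. The change itself: disable centralized transport on the hybrid outbound
#    connector so Exchange Online delivers cloud mailboxes directly. The identity
#    below is a placeholder for the connector found in step 1.
Set-OutboundConnector -Identity 'Outbound to <HYBRID-CONNECTOR-NAME>' `
    -RouteAllMessagesViaOnPremises $false
```

Re-running the Hybrid Configuration Wizard with centralized mail transport unticked makes the same change from the on-premises side and keeps the HybridConfiguration object consistent with the tenant.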