Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Hybrid Configuration Business Case.

  • On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send.
  • Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. However, for corporate compliance reason, mail must flow through via on-premises anti-spam and firewall devices.
  • Public Folder- You have on-premises public folder and you would like to retain on-premises public folder.
  • Legacy Application- You have legacy applications that only support localised email server instead internet based email server
  • On-prem UM- You have on-premises unified messaging infrastructure or telephony systems that only communicate with localised email servers
  • Use of current CAPEX- You want to utilise current on-premises investment until the equipment expires and you are not ready to move into cloud completely.

In a hybrid deployment when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

  • Secure mail routing between on-premises between the organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the SMTP domain.
  • A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.
  • Free/busy calendar information sharing between the organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the organizations.
  • Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).
  • The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.
  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
  • Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment

A hybrid deployment involves several different services and components:

  • Exchange 2016 Servers-   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365.
  • Office 365-   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans.
  • Hybrid Configuration wizard-   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
  • Azure AD authentication system-   The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2016 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system. The Hybrid Configuration wizard as part of configuring a hybrid deployment creates the federation trust. A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
  • Azure Active Directory synchronization-   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.
  • Active Directory Federation Services- AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
  • Web Application Proxy Server- The Web Application Proxy under the Remote Access role that allows administrators to securely publish applications for external access. This service acts as a reverse proxy and as an Active Directory Federation Services (AD FS) proxy.

Hybrid infrastructure

To be able to configure your current on-premises Exchange organization for a hybrid deployment, the following components are required.

Exchange Server 2016 with Mailbox Role EXCH2016
Exchange Server 2016 with Edge Transport Role EXCH2016EDGE
Windows Server 2016 with Azure Active Directory Connect (AAD Connect) Installed AADCONNECT
Active Directory Federation Server(s) ADFS2016
Web Application Proxy Server in perimeter EDGE2016
Domain Controller running on minimum Windows Server 2008 R2 DC01
Office 365 Subscriptions with default domain configured i.e. Service tenant FQDN
Accepted Domain in Office 365 and On-premises
On-premises domain type Authoritative
Office 365 Domain Type Internal Relay
User principal name domain and Microsoft Online ID domain
External Azure AD Connect with AD FS FQDN
On-premises Autodiscover FQDN
Office 365 Autodiscover

Configuring Hybrid Exchange Server

Step1: Add and validate primary Email domain to Office 365

Perform the following steps to add the primary SMTP namespace to Office 365:

  1. Log on to: Office 365 admin center preview
  2. Click Settings > Domains > Add domain.
  3. Enter the primary SMTP namespace. For example, Then, click Next.
  4. Copy the TXT record from the Wizard, go to domain management portal and add a text record ms=msxxxxxxx record and verify the domain. Setup TTL to 10 minutes. When complete, wait 10 minutes and then click Verify. If the wizard says it can’t verify your domain ownership, you might need to wait longer for your DNS records to update across the Internet; this might take several hours. Also verify that the record you created is correct.
  5. On the Required DNS settings page, click Continue setup. Don’t update your DNS records right now. Instead, you’ll update your DNS records later in your hybrid deployment.
  6. On the Set up your online services page, select I’ll manage my own DNS records and click Next.
  7. On the Update DNS settings page, select Skip this step – I have custom DNS records, so I’ll add the records I need later. I understand that some Office 365 services may be unavailable until I manually add the records with my registrar. Click Skip, and then click Finish.

Step2: Setup Primary SMTP Domain to Internal Relay

Definitions of Domain Type

Authoritative – Selecting this option means that email is delivered to email addresses that are listed for recipients in Office 365 for this domain. Emails for unknown recipients are rejected.

Internal relay – Selecting this option means that recipients for this domain can be in Office 365 or your on-premises mail servers. Email is delivered to known recipients in Office 365 or is relayed to your own email server if the recipients aren’t known to Office 365.

Use the Exchange Online EAC to change the domain type

  1. In the EAC, navigate to Mail flow > Accepted domains.
  2. Select the domain and click Edit .
  3. In the Accepted Domain window, in the This accepted domain is section, select the domain type. Edit the domain value to Internal relay.

Step3: Configure Active Directory synchronization

  1. Download Azure Active Directory Connect on the computer where you’ll install it, and then open it.
  2. On the Welcome page, click Next if you agree to the license terms and privacy notice.
  3. On the Express Settings page, click Customize.
  4. On the Install required components page, click Install.
  5. On the User sign-in page, select Federation with AD FS and then click Next.
  6. On the Connect to Azure AD page, enter the username and password for a user account that is a Global Administrator in your Office 365 organization , and then click Next.
  7. On the Connect your directories page, select the Active Directory forest that contains the Exchange organization you want to configure for hybrid deployment, and then enter the username and password for a user account that’s a member of the Enterprise Administrators group in that forest. Click Next.
  8. On the Domain and OU filtering page, select Sync all domains and OUs if you want to synchronize all of your on-premises Active Directory users to Office 365. If you want to select a specific organizational unit (OU), select Sync selected domains and OUs, and then select the Active Directory domains and OUs you want to synchronize. Click Next.
  9. On the Uniquely identifying your users page, make sure that Users are represented only once across all directories is selected, and then click Next.
  10. On the Filter users and devices page, make sure that Synchronize all users and devices is selected, and then click Next.
  11. On the Optional Features page, select Exchange hybrid deployment, and then click Next.
  12. On the AD FS farm page, select Configure a new Windows server 2016 AD FS farm.
  13. In the Certificate File field, browse to the third-party certificate that includes a subject alternative name (SAN) that matches the external FQDN of the AD FS server. This certificate needs to include a private key. In the Subject Name field, select the SAN you want to use, for example Click Next.
  14. On the AD FS Servers page, click Browse, select the name of the server where you’re installing Azure AD Connect with AD FS, and then click Add.
  15. On the Web application proxy servers page, click Browse, select the name of the server that will act as a web proxy for external connections, and then click Add.
  16. On the Proxy trust credentials page, enter the username and password of a user account that can access the certificate store on the AD FS server that contains the certificate you specified earlier in these steps, and then click Next.
  17. On the AD FS service account page, select Create a group Managed Service Account, enter the username and password for a user that’s a member of the Enterprise Admins group, and then click Next.
  18. On the Azure AD Domain page, select the domain that matches the custom domain that you added to your Office 365 organization and matches the User Principal Name users with which users will log in. For example, if you added the custom domain, and usernames are, select from the list. Click Next.
  19. On the Ready to configure page, select Start the synchronization process as soon as the configuration completes, and then click Next.
  20. On the Configuration complete page, click Exit.
  21. Make sure that your firewall is configured to allow connections on TCP port 443 from external sources to your AD FS web proxy server.
  22. At this point, Azure AD Connect will synchronize your on-premises user accounts and their information to your Office 365 organization. Depending on how many accounts need to be synchronized, this might take a while.

Step4: Create Federation with Azure Active Directory

Remote into the Primary ADFS Server, Run the below cmdlets

Set-MsolAdfsContext -Computer “”
Convert-MsolDomainToFederated -Domain “” -SupportMultipleDomain

If you have multiple userprincipalname, you have run the below cmdlets to federate with Azure AD.
Convert-MsolDomainToFederated -Domain “” -SupportMultipleDomain
Convert-MsolDomainToFederated -Domain “” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “” -SupportMultipleDomain

Further reading ADFS Configuration Guide

Step5: Verify tenant configuration

To create a mailbox in the Exchange Online organization, do the following:

  1. Open Active Directory Users and Computers on an Active Directory domain controller in your on-premises organization.
  2. Expand the container or organizational unit (OU) where you want to create a new Active Directory user.
  3. Click Action in the menu bar, and then click New > User.
  4. Enter the required user information. Because this user will be associated with a test mailbox, we recommend that you clearly identify the user as such. For example, name the user “Test User”.
  5. In the User logon name field, provide the user name that the user should specify when logging into their user account. This user name, combined with the user principal name (UPN) in the drop-down box next to the User logon name field, makes up the Microsoft Online Identity of the user. The Microsoft Online Identity typically matches the user’s email address, and the domain suffix chosen should match the federated domain configured in Active Directory Federation Services. For example, Click Next.
  6. Enter a password for the new user, specify any options you want to set, and then click Next.
  7. Click Finish.
  8. Run delta synchronization to synchronize the new user to the Office 365 organization  using this PowerShell Cmdlet. Start-ADSyncSyncCycle -PolicyType Delta
  9. Log on to: Office 365 service administration portal
  10. Assign a E1 or E3 license to the new user.

Step6: Install Edge Transport server

The Edge Transport server role is typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization. The Edge Transport server role handles all Internet-facing mail flow, which provides SMTP relay and smart host services for the on-premises Exchange organization. Use Edge Transport servers if you don’t want to expose internal Exchange 2016 Mailbox servers directly to the Internet.

If you already have an Edge Transport server deployed in your on-premises organization, you can skip this checklist step unless you’d like to install additional Edge Transport servers.

Step7: Configure Edge servers

After installing the Exchange 2016 Edge Transport server, or if you already have an Edge Transport server in your on-premises Exchange organization, you must configure the following services and parameters to enable the Edge Transport server to handle secure communications between the on-premises Exchange servers, clients, and Office 365. If you already have an Edge Transport Server, skip this step.

Follow additional guidelines to Edge Transport Server.

Further References on Edge Transport Server.

Step8: Configure DNS

Hybrid requirement DNS record Record type Value
Required for all hybrid deployments CNAME or A If using CNAME DNS:

If using Host A DNS:  External IP address of an Exchange 2016 Mailbox server or firewall

Recommended as a best practice for all hybrid deployments SPF TXT v=spf1 ~all
ADFS Public record A Public IP address of the AD FS web proxy server or firewall
Internal record by editing Hosts File located %SystemRoot%\system32\drivers\etc\HOSTS of WAP server A Internal IP address of the AD FS Servers

Step9: Firewall Configuration

If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you’ll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Hybrid deployment configuration changes may require you to modify security settings for your on-premises network and protection solutions. Exchange 2016 Mailbox servers must be accessible on TCP port 443, and Edge Transport and Mailbox servers must be accessible on TCP port 25. Other Office 365 services, such as SharePoint Online and Lync Online, may require additional network security configuration changes. If you’re using Microsoft Threat Management Gateway (TMG) in your on-premises organization, additional configuration steps will also be needed to allow full Office 365 integration in the hybrid deployment.

Step10: Configure Exchange Web Services

The external fully qualified domain name (FQDN) of your Internet-facing Exchange 2016 Mailbox server needs to be configured on several virtual directories for a hybrid deployment. By completing this checklist step, the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), Outlook Web App (OWA), Exchange Control Panel (ECP), and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories will be reset to the external FQDN of your Internet-facing Exchange 2016 Mailbox server.

Follow additional guidelines to configure web services.

Further References on Web Services.

Step11: Configure MRS Proxy

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

GetWebServicesVirtualDirectory ADPropertiesOnly | Where {$_.MRSProxyEnabled ne $true} | SetWebServicesVirtualDirectory MRSProxyEnabled $true

Step12: Configure Exchange certificates

Digital certificates are an important requirement for secure communications between on-premises Exchange 2016 servers, clients, and Office 365. You need to obtain a certificate that will be installed on Mailbox and Edge Transport servers from a third-party trusted certificate authority (CA).

Before you can configure certificates on Exchange servers, you need to get a certificate from a trusted CA. Complete the following task on an Exchange 2016 Mailbox server if you need to generate a request for a new certificate for use with the hybrid deployment.

Follow additional guidelines to install certificates.

Further References on Exchange Certificates.

Step13: Run Hybrid Configuration wizard

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your hybrid deployment, including secure mail transport options.

You can use the Hybrid Configuration wizard in the EAC on an Exchange 2016 server in your on-premises organization to create and configure the hybrid deployment.

  1. In the EAC on an Exchange 2016 server in your on-premises organization, navigate to the Hybrid, In the Hybrid node, click Configure to enter your Office 365 credentials.
    At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. The account you log into needs to be a Global Administrator in Office 365.
  2. Click Configure again to start the Hybrid Configuration wizard.
  3. On the Microsoft Office 365 Hybrid Configuration Wizard Download page, click Click here to download wizard. When you’re prompted, click Install on the Application Install, Click Next, and then, in the On-premises Exchange Server Organization section, select Detect a server running Exchange 2013 CAS or Exchange 2016. The wizard will attempt to detect an on-premises Exchange 2016 server. If the wizard doesn’t detect an Exchange 2016 server, or if you want to use a different server, select Specify a server running Exchange 2013 CAS or Exchange 2016 and then specify the internal FQDN of an Exchange 2016 Mailbox server.
  4. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.
  5. On the Credentials page, in the Enter your on-premises account credentials section,  specify a different set of credentials, specify the username and password an Active Directory account you want to use. Whichever selection you choose, the account used needs to be a member of the Enterprise Admins security group.
  6. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.
  7. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it’s done.
  8. On the Hybrid Features page, select Full Hybrid Configuration and then click Next.
  9. On the Hybrid Domains, select the domain or multiple accepted domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain.
  10. Click Next.
  11. On the Federation Trust page, click Enable and click then Next.
  12. On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS.
  13. Click Next after the TXT records have been created and the DNS records have replicated.
  14. On the Hybrid Configuration page, select the Configure my Edge Transport servers for secure mail transport option to configure your on-premises Edge Transport servers for secure mail transport with Office 365. Click Next.
  15. If you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers, select the Enable centralized mail transport check box in the More options section.The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, Office 365 will bypass the on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings.You select this option if you want to use your own Spam Filter.
  16. On the Edge Transport Servers page, select the Edge Transport server you want to configure for secure mail transport. click Next. In this section, you have to provide the public IP addresses of edge servers or public FQDN of edge servers.
  17. On the Transport Certificate page, in the Select a reference server field, select Exchange 2016 Mailbox server that has the certificate you configured earlier in the checklist.
  18. In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.
  19. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter “”. Click Next.
  20. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
  21. When the wizard has completed all of the tasks it can perform automatically, it’ll list any tasks that you need to address manually before your hybrid deployment configuration is complete.
  22. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
  23. You’ll probably need to configure the Receive connector on your Edge Transport server by doing the following.
    Open the Exchange Management Shell on your Exchange 2016 Edge Transport server.
    Run the following command to list the Receive connectors on your Edge Transport server. Make note of the Receive connector that’s listening on TCP port 25.Get-ReceiveConnectorRun the following command to configure the Receive connector. Replace the name of the Receive connector in the following command with the name of the connector you identified in the previous step.Set-ReceiveConnector “Edge\Default internal receive connector Edge” -TlsDomainCapabilities -Fqdn “”24. Additional Steps for Centralised Mailflow or Route all inbound-outbound emails through on-premises servers. You need to enable remote mailbox using enable-remotemailbox and set target address using set-remotemailbox for this each mailbox as where domain is your domain name in Office 365. You must run full sync after this on the AAD Connect Server. You must run start-edgesynchronization –Server EXCH2016MailboxServer on the Edge Transport 2016 Server

Step14: Send Connector and Receive Connector Configuration on the on-premises server

Use the EAC to create an Internet Send connector

  1. In the EAC, navigate to Mail flow > Send connectors, and then click Add . This starts the New Send connector
  2. On the first page, enter the following information: Name: To Office 365 and Type: Internet When you are finished, click Next.
  3. On the next page, verify that MX record associated with recipient domain is selected. When you are finished, click Next.
  4. On the next page, In the Address space section, click Add . In the Add domain dialog box that appears, in Fully Qualified Domain Name (FQDN), enter an asterisk (*), and then click Save. This value indicates that the Send connector applies to messages addressed to all external domains. When you are finished, click Next.
  5. On the next page, in the Source server section, click Add . In the Select a Server dialog box that appears, select one or more Edge Transport Servers if you route email through Edge Server if not enter mailbox servers that you want to use to send mail to the Internet. If you have multiple Mailbox servers in your environment, select the ones that can route mail to the Internet. If you have only one Mailbox server, select that one. After you’ve selected at least one Mailbox server, click Add, click OK, and then click Finish.

Use the EAC to Create a Receive Connector to Receive Secure Messages from a Partner

  1. In the EAC, navigate to Mail flow > Receive connectors. Click Add to create a new Receive connector.
  2. On the New receive connector page, specify a name for the Receive connector and then select Frontend Transport for the Role. Since you are receiving mail from a partner in this case, we recommend that you initially route mail to your front end server to simplify and consolidate your mail flow.
  3. Choose Partner for the type. The Receive connector will receive mail from a trusted third party.
  4. For the Network adapter bindings, observe that All available IPV4 is listed in the IP addresses list and the Port is 25. (Simple Mail Transfer Protocol uses port 25.) This indicates that the connector listens for connections on all IP addresses assigned to network adapters on the local server. Click Next.
  5. If the Remote network settings page lists, which means that the Receive connector receives connections from all IP addresses, click Remove 0.0.0- to remove it. Click Add EOP IP Addresses, and Datacentre IP Addresses add the IP address for your partner’s server, and click Save.
  6. Click Finish to create the connector.
  7. Run the below Cmdlets in Mailbox Server

Get-ReceiveConnector “Inbound from Office 365“ | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

  1. Verify Receive Connector using below Cmdlets

Get-ADPermission -Identity “ Inbound from Office 365” -User “NT AUTHORITY\ ANONYMOUS LOGON” | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

  1. Add Datacentre IP Addresses using this Link
  2. Troubleshoot using this link

Step14: Create a test mailbox

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create a test mailbox in Office 365. If you want to create more than one test mailbox, you’ll have to use this wizard for each test mailbox. You can’t use the wizard to create multiple test mailboxes.

  1. Log into the EAC on an on-premises Exchange 2016 server.
  2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.
  3. Expand the menu at the Add  control and select Office 365 mailbox.
  4. On the New Office 365 mailbox page, specify the following settings:
    • First Name   Type the first name of the new user.
    • Initials   Type the initials of the new user.
    • Last Name   Type the last name of the new user.
    • User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example,
    • Mailbox type   Choose the type of mailbox to create. For example, User mailbox.
    • Password   Type the password.
    • Confirm password   Retype the password.
    • Make sure the Create an archive mailbox check box is not selected.
  5. Click Save to continue.
  1. Start-ADSyncSyncCycle -PolicyType Delta

Step15: Move or create mailboxes

You can use the remote move migration wizard in the Office 365 tab in the Exchange admin center (EAC) on an Exchange server to move existing user mailboxes in the on-premises organization to Office 365:

  1. Open the EAC and navigate to Office 365 > Recipients > migration.
  2. Click Add  and select Migrate to Exchange Online.
  3. On the Select a migration type page, select Remote move migration and then click Next.
  4. On the Select the users page, click Add , select the on-premises users to move to Office 365 and click Add, and then click OK. Click Next.
  5. On the Enter the Windows user account credential page, enter the on-premises administrator account name in the On-premises administrator name text field and enter the associated password for this account in the On-premises administrator password text field. For example, “Domain\administrator” and a password. Click Next.
  6. On the Confirm the migration endpoint page, verify that the FDQN of your on-premises Mailbox server is listed when the wizard confirms the migration endpoint. For example, “”. Click Next.
  7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Use the down arrow  to select the target delivery domain for the mailboxes that are migrating to Office 365. In most hybrid deployments, this will be the primary SMTP domain used for both on-premises and Office 365 mailboxes. For example, Verify that the Move primary mailbox along with archive mailbox option is selected, and then click Next.
  8. On the Start the batch page, select at least one recipient to receive the batch complete report. Verify that the Automatically start the batch and Automatically complete the migration batch options are selected. Click New.
  9. While the mailboxes are being moved, you will see a status of Synching in the migration status for each mailbox moved to Office 365. After the mailbox move request reaches a status of Completed, the mailbox migration process is complete.

Step16: Test hybrid deployment connectivity

Testing the external connectivity for critical Exchange 2016 and Office 365 features is an important step in ensuring that your hybrid deployment features are functioning correctly. The Microsoft Remote Connectivity Analyzer is a free online web service that you can use to analyze, and run tests for, several Exchange 2016 and Office 365 services, including Exchange Web Services, Outlook, Exchange ActiveSync, and Internet email connectivity.

Centralized Mailflow: NDR Remote Server returned ‘550 5.7.1 Unable to relay’


  • Mailbox hosted on the Exchange Online
  • Hybrid on-prem Exchange 2010/2013 with Microsoft Exchange Online
  • Centralized Mailflow configured for Exchange 2013
  • Route all emails through on-premises configured for Exchange 2010
  • Accepted domain configured either Managed or Authoritative on the Exchange Online Side 
  • MX Record pointed to third party cloud Antispam or On-prem Antispam/Firewall

 Issue: When you send email from a mailbox hosted in Exchange Online to an internal recipient or an external recipient via on-premises server, you receive a NDR ‘550 5.7.1 Unable to relay’

Root Cause: There are customers who would like to utilize existing investment on the on-premises Antispam filter or use third part cloud based Antispam filter for compliance purpose. Hence these customers configured centralized mailflow on the hybrid configuration wizard which lead to “unable to relay” NDR when they change few configuration and introduce new domain on the Exchange Online. There are many possible reasons why you have been issued with a NDR ‘550 5.7.1 Unable to relay’.

  • You have added multiple federated domains (e..g, ) but these domains (e.g., are not in Hybrid Configuration
  • You have added multiple federated domains (e.g., ) and domains (e.g., ) have been setup as “Authoritative Domain” instead of “Internal Relay” on the Exchange Online side
  • You have added multiple federated domains (e.g., ) but you have configured Office 365 Connectors to Send and Receive Email from only One Domain e.g. Wild card “*” not configured within the Send Connector of Exchange Online.
  • Microsoft has changed EOP IP addresses and you did not add latest EOP IP Addresses on the Receive Connector of Edge Server
  • You configured an application to use Office 365 SMTP Relay but the Receive Connector of on-premises server has not been configured to accept email from any recipient

 To remediate the root cause, follow the steps.

  1. Copy the Message Header of Original NDR and Paste on the message analyser of website. Analyse the message. Find out which IP address the message coming from e.g. EOP APAC IP Address is Make sure these EOP IP Addresses are added on the receive connector of the on-premises server. List of EOP IP Addresses are subject to change without notice. Add all EOP IP addresses on the receive connector “Inbound from Office 365”. Refer to Microsoft KB 2750145
  2. Make sure Datacentre IP Addresses are added on the Receive Connector Properties. Refer to TechNet Blog.
  3. View Extended Rights of Receive Connectors of On-premises Server.

 Get-ReceiveConnector | Get-ADPermission | where {$_.User -like ‘*anonymous*’} | ft identity,user,extendedrights,accessrights

     4. Assign Extended Rights to accept email from any recipient.

Get-ReceiveConnector Inbound from Office 365 | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

     5. Open Office 365 Connector on the Office 365 Admin Center and make sure you have entered “*” wild card as the domain

    6. Rectify SPF Record with the following records. If you have DKIM Record and DMARC Record. Rectify those records as well. SPF Record of looks like this one

 v=spf1 ip4:<Public IP Address of>, ip4: :<Public IP Address of MX Record>, ip4: :<Public IP Address of Application/devices>, ~all

   7. Download .NET Framework 4.5 and install .NET Framework. .NET is a Pre-req. Run Hybrid Configuration wizard select desired Federated Domains, Select all CAS Servers, Type the correct public IP addresses of Edge Server, select centralised mailflow, Select Correct certificate. Complete the Wizard.

 8. Open Send Connector on the On-premises Server, Remove all the Hub/CAS servers and add Edge Servers.

 Restart Transport Services from On-premises Server

 9. On a Hybrid Configuration, you must configure Accepted Domain as Authoritative Domain on the On-premises side and Office 365 side as Internal Relay. For Example, should be configured as Authoritative Domain on the on-premises side and should be configured as Internal Relay on the Exchange Online side.  

 10. Open On-premises Exchange Management Shell and run Start-EdgeSynchronization start syncing Edge Transport Server.

 11. Test mailflow from internal and external sender to internal recipient

 Relevant Articles

Fix email delivery issues for error code 5.7.1 in Office 365

Exchange Online Protection IP addresses

Hybrid Mailflow Best Practices

Set up connectors to route mail between Office 365 and your own email servers

Transport Options Hybrid Deployment

 Transport Routing Hybrid Deployment 

TrendMicro Worry-Free Business Advanced Configuration Step by Step

Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).

Trend Micro offers the following editions:

Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.

Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.

Features worry-free business Features

  • Component Updates
  • Device Control
  • Antivirus/Anti-spyware
  • Firewall
  • Web Reputation
  • URL Filtering
  • Behavior Monitoring
  • User Tools
  • Instant Messaging Content
  • Filtering
  • Mail Scan (POP3)
  • Mail Scan (IMAP)
  • Anti-Spam (IMAP)
  • Email Message Content
  • Filtering
  • Email Message Data Loss Prevention
  • Attachment Blocking

TrendMicro Components:

Registration Key

A Registration Key comes with your purchase of Worry-Free Business Security. It has

22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx

Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at

Security Server

At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location

Scan Server

The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.

Downloads scanning-specific components from Trend Micro and uses them to scan clients


Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.

Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats

Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats

Web Console

The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.

WFBS Ports

WFBS uses the following ports:

Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:

IIS server default website: The same port number as your HTTP server’s TCP port.

IIS server virtual website: 8059

Apache server: 8059

Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.

Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.

SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.

Proxy port: Used for connections through a proxy server.

Systems requirements:

  • 1 vCPU, 2GB RAM, 10GB additional space
  • IIS 7.5 Windows Server 2008 R2
  • Internet Explorer
  • Adobe Acrobat
  • Java client
  • Clients that use Smart Scan must be in online mode. Offline clients cannot use Smart Scan
  • Administrator or Domain Administrator access on the computer hosting the
  • Security Server
  • File and printer sharing for Microsoft Networks installed
  • Transmission Control Protocol/Internet Protocol (TCP/IP) support installed
  • If Microsoft ISA Server or a proxy product is installed on the network, you need to open the HTTP port (8059 by default) and the SSL port (4343 by default) to allow access to the Web Console and to enable client-server communications

TrendMicro Download Location:

WFB 8.0

Download Center


1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.

2. Click Next. The License Agreement screen appears.

3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.

4. Click Next. The Setup Type screen appears.

5. From the Setup Type page, choose one of the following options:

  • Typical install (Recommended) – This provides an easy solution for installing WFBS using Trend Micro default values. This method is suitable for a small business using a single Trend Micro Security Server and up to ten clients.
  • Minimal Install
  • Custom install – This provides flexibility in implementing your network security strategy. This method is suitable if you have many computers and servers or multiple Exchange servers.

6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.

7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).

8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.

9. Click Next. The Select Components page appears.

10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.

  • Security Server (default): The Security Server hosts the centralized web-based management console.
  • Security Agent (default): The agent protects desktops and servers.
  • Messaging Security Agent (optional): When installing the Security Server on a computer that has a Microsoft Exchange server installed on the same computer, Setup prompts you to install a local MSA.
  • Remote Messaging Security Agent (optional):When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote MSA to remote servers.

11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.

12. Click Next. The Computer Prescan page appears.

13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:

Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:

  • the boot area and boot directory (for boot sector viruses)
  • the Windows folder
  • the Program Files folder
  • Do not prescan my computer for threats – Trend Micro highly recommends pre-scanning your computer for security threats to ensure that the installation goes into a clean environment. Not pre-scanning the computer could prevent a successful installation.

14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:

  • Internet Information Services (IIS) server
  • Apache Web server 2.0.xx

15. Click Next. The Web Server Identification page appears.

16. Choose from one of the following server identification options for client-server communication:

  • Server information – Choose domain name or IP address:
  • Fully Qualified Domain Name – Use the web server’s domain name to ensure successful client-server communications.
  • IP address – Verify that the target server’s IP address is correct.

17. Click Next. The Administrator Account Password page appears.

18. Specify different passwords for the Security Server web console and the Security Agent.

Note: The password field holds 1-24 characters and is case sensitive.

  • Security Server web console – You will need a password to log on the web console. Provide the password and confirm the password.
  • Security Agents – You will need the password to uninstall Security Agents and remove them from your computer.

19. Click Next. The SMTP Server and Notification Recipient(s) page appears.

20. Enter the required information:

  • SMTP server – the IP address of your email server
  • Port – the port that the SMTP server uses for communications
  • Recipient(s) – the email address(es) that the SMTP server uses to send alert notifications. You can enter multiple email addresses when more than one person needs to receive notifications.

21. Click Next. The Trend Micro Smart Protection Network page appears.

22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.

23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.

  • Proxy server type
  • Server name or IP address
  • Port
  • User name and Password – Provide these only if the proxy server requires authentication.

24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.

25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.

26. Set the following items:

  • Installation Path – This is the destination folder where the Security Agent files are installed.
  • Security Agent Listening Port – This is the port number used for Security Agent and Security Server communications.

27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.

28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:

  • Servers – Windows Server 2003/2008 computers will be added to the default Servers group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Desktops – Windows XP/Vista/7 computers will be added to the default Desktops group when you first add them to the web console. You can enable different technologies for this group based on your particular needs.
  • Smart Scan – Smart Scan uses a central scan server on the network to take some of the burden of the scanning of clients.
  • Antivirus and Anti-Spyware – This scans files for malicious code as they are accessed or created.
  • Firewall – This protects clients against malware attacks and network viruses by creating a barrier between the clients and the network.
  • Web Reputation – This blocks malicious websites through the credibility of web domains and assigning a reputation score based on several identifying factors.
  • URL Filtering – This blocks specified categories of websites (for example, pornographic sites and social networking) according to your company’s policy.
  • Behavior Monitoring – This analyses program behaviour to proactively detect known and unknown threats.
  • Device Control – This regulates access to external storage devices and network resources.

29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.

30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.

  • When installing the Security Server on a computer that has Microsoft Exchange server installed on the same computer, Setup prompts you to install a local Messaging Security Agent.
  • When installing the Security Server on a computer that cannot detect the existence of local Microsoft Exchange servers, Setup prompts you to install the remote Messaging Security Agent to remote servers.

31. Click Next. The Install Messaging Security Agent page appears.

32. Provide the following information:

i. Exchange Server

ii. Domain Administrator Account

iii. Password

33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:

  • Target Folder – This is the folder where the MSA files are installed.
  • Temp Folder – This is the system root folder for MSA Agent installation.
  • Spam management
  • End User Quarantine – If selected, WFBS creates a separate spam folder on Microsoft Outlook in addition to the Junk E-mail folder.
  • Outlook Junk Email folder – If selected, WFBS stores spam mail into this folder. Since Outlook typically moves spam mail in the End User Quarantine (EUQ) folder to the Junk E-mail folder, Trend Micro recommends to select this option.

35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:

    • If you wish to verify previous installation settings, click Back.
    • Click Next to proceed with the actual installation.

The Install Third Party Components page appears. This page informs you which third party components will be installed.

36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.

Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install

  1. Log on to the WFBS console.
  2. Click Security Settings > Add. The Add Computer page appears.
  3. Under Computer Type section, choose Desktop or server.
  4. Under Method section, choose Remote install.
  5. Click Next. The Remote Install page appears.
  6. From the Groups and Computers list, select the computer on which you will install the CSA and click Add. A prompt for a username and password appears. Note: You need an account with administrator rights for the installation.
  7. Type the username and password of an account with administrator rights, and click Login. For the domain computers, use the Domain_NameUsername format; for workgroup computers, use the Target_Computer_NameLocal_Administrator_User_Name format.
    The computer is added to the Selected Computers list.
  8. Repeat Steps 6-7 if you want to add more computers to the list.
  9. Click Install, and then click Yes when the confirmation window shows up. A progress screen will show the installation status, and the computer names will have a green check mark when the installation is complete.

Installing Agent for Exchange Server

The Messaging Security Agent (MSA) can also be installed from the Web Console.

1. Log on to the Web Console.

2. Click the Security Settings tab, and then click the Add button.

3. Under the Computer Type section, click Microsoft Exchange server.

4. Under Microsoft Exchange Server Information, type the following information:

Server name: The name of the Microsoft Exchange server to which you want

to install MSA.

Account: The built-in domain administrator user name.

Password: The built-in domain administrator password.

5. Click Next. The Microsoft Exchange Server Settings screen appears.

6. Under Web Server Type, select the type of Web server that you want to install on

the Microsoft Exchange server. You can select either IIS Server or Apache Server.

7. For the Spam Management Type, End User Quarantine will be used.

8. Under Directories, change or accept the default target and shared directories for

the MSA installation. The default target and shared directories are C:Program

FilesTrend MicroMessaging Security Agent and C$, respectively.

9. Click Next. The Microsoft Exchange Server Settings screen appears again.

10. Verify that the Microsoft Exchange server settings that you specified in the

previous screens are correct, and then click Next to start the MSA installation.

11. To view the status of the MSA installation, click the Live Status tab.

Configure Smart Host for Outbound Email

1. Open the Exchange Management Console.

2. Click on the plus sign (+) next to Organization Configuration.

3. Select Hub Transport and click the Send Connectors tab.

4. Right-click the existing Send Connector then select Properties and go to the Network tab.

5. Select Route mail through the following smart hosts and click Add.

6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:

o HES US / Other Regions Relay Record:

o HES Europe, Middle East, and Africa (EMEA) Relay Record:

7. Click OK.

8. Go to the Address Space tab and click Add.

9. Add an asterisk (*) and then click OK.

10. Click Apply > OK.

11. Go to the Source Server tab and add your Exchange Server.

12. Click Apply > OK.

Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.

C:Usersraihan >nslookup

> set type=mx


Non-authoritative answer: MX preference = 20, mail exchanger = MX preference = 10, mail exchanger = internet address = 203.161.x.x internet address = 116.212.x.x

Pinging [203.161.x.x] with 32 bytes of data:

Registered Hosted Email Security

Firstly you’ll need to have registered with Trend Micro Online .

Create service account (See upcoming post on creating a secure services account)

  1. Open ActiveDirectory Users and Computers
  2. Create a user sa-TrendMicroHE with password never expires

Open Hosted Email Security Web console

Register Your Domains with Trend Micro

1. Go to the Trend Micro Online Registration portal.

2. Create a new OLR account.

a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.


Enter your HES Registration Key.


If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.

Select I Accept, then click Submit.

Complete the registration information form.


Specify your OLR logon ID.


Note: The OLR logon ID will also serve as your HES portal login ID.

Click Submit.

The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.

3. Using the provided OLR username and password, log on to the HES console:

For US:


Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.

4. Enter your domain and IP information, then click Add Domain.


5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.

6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.


Navigate to Administration > Domain Management

  1. All the fields are pretty much self-explanatory, except for Seats assigned: 1 (no need to use more)
  2. Click Activate Domain
  3. Now this you would think would be it, except it goes to the list below which you then need to check the tick box of the domain and then Click Check MX Record

Download the ActiveDirectory Sync Client

  1. Navigate to Administration > Directory Management


  1. Click Imported User Directories so it becomes Enabled with a green tick
  2. Navigate to Administration > Web Services


  1. Click on the Applications bar so it get’s a Green Tick as above
  2. Click on Generate Service Authentication Key, copy this key for use later in the setup
  3. Click and download the ActiveDirectory Sync Client

Install the ActiveDirectory Sync Client

1. Extract the ActiveDirectory Sync Client file and run setup.exe

2. Usual I agree, next, next stuff

3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.

4. Click Next

5. Leave installation path as is, and change to install for Everyone

6. Click Next

7. Click Next

8. Click Close when finish

9. The ActiveDirectory Sync Client will then open

10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)


11. Click Add

LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com

12. Click Add

13. Click Configure

  • Username: as per web login
  • Service Auth Key: as the key we copied earlier from the web console under Administration> Web Services
  • Proxy: leave as automatic unless your network requires otherwise
  • Synchronize: leave at 1

14. Click OK

15. Click Apply

16. This will restart the service

Amend ClientMHS_AD_ACL.config

1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad

2. Installed Config file looks like this:

<?xml version=”1.0″ encoding=”utf-8″?>
<ldap_path name=”default”>
<objectClass name=”User”>

3. Change the following to add groups and public folders. Ref

<?xml version=”1.0″ encoding=”utf-8″?>


<ldap_path name=”default”>

<objectClass name=”User”>






<ldap_path name=”default”>

<objectClass name=”group”>







<ldap_path name=”default”>

<objectClass name=”publicFolder”>







<ldap_path name=”default”>

<objectClass name=”*”>







4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client

5. Click Sync Now

6. Give it a few moments then click History

7. Here you should see the correct number of groups and users you expect.  Check the times are correct for when you’ve pressed. And it should finish with Sync domain <> successful

8. Click Close

9. Click Close

Post Configuration Check

  1. open the Hosted Email Security Console
  2. Navigate to Administration > Directory Management
  3. Click the Export to CSV for the domain you’re wanting to check
  4. This will generate a CSV file, which you can use notepad to check that all your email addresses have synced

Worry Free Business Files and Folder Exclusion

Worry-Free Business Best Practice

How to configure Exchange 2010 Hub Transport (HT) Server

Hub Transport server role manages all mail flow inside the organization, applies transport rules, applies journaling policies and delivers messages to a recipient’s mailbox. Hub Transport server is placed internal network with an Active Directory Forrest. Messages that are sent to the Internet are relayed by the Hub Transport server to the Edge Transport server role that’s deployed in the perimeter network. Messages that are received from the Internet are processed by the Edge Transport server before they’re relayed to the Hub Transport server. If you don’t have an Edge Transport server, you can configure the Hub Transport server to relay Internet messages directly or utilize a third-party smart host. You can also install and configure the Edge Transport server agents on the Hub Transport server to provide anti-spam and antivirus protection inside the organization. It is best practice to keep two separate servers for HT and ET roles.

You must deploy a Hub Transport server role in each Active Directory site that contains a Mailbox server role. Deploying more than one Hub Transport server per site provides redundancy. When you install more than one Hub Transport server in an Active Directory site, the connections are distributed. HT server or HT servers read Active Directory for user authorization. That means you can deploy Single Sign on (SSO) in your organization.

To configure HT and ET, DNS record maintaining is vital part. The Edge Transport server queries the configured external DNS servers to find the DNS records that are required to deliver the message. The DNS servers that are configured for external DNS lookups are queried in the order in which they’re listed. If one of the DNS servers is unavailable, the query goes to the next DNS server on the list. The DNS servers are queried for the following information:

Mail exchange (MX) records for the domain part of the external recipient.   The MX record contains the fully qualified domain name (FQDN) of the messaging server that’s responsible for accepting messages for the domain, and a preference value for that messaging server. To optimize fault tolerance, most organizations use multiple messaging servers and multiple MX records that have different preference values.

Address (A) records for the destination messaging servers.   Every messaging server that’s used in an MX record should have a corresponding A record. The A record is used to find the IP address of the destination messaging server. The subscribed Edge Transport server uses the IP address to open an SMTP connection with the destination messaging server. The required combination of iterative DNS queries and recursive DNS queries that start with a root DNS server is used to resolve the FQDN of the messaging server that’s found in the MX record into an IP address.

In HT server or HT servers, you must obtain certificates from a Windows Enterprise Root Certificate Authority before you start installing HT role.

Prepare Windows Server 2008 x64

Install windows Features:

Windows Server 2008 x64 SP 2 or Windows Server 2008 R2

HT server must be a member of Active Directory Domain

Microsoft .NET Framework 3.5

WCF Activation

Windows Remote Management 2.0

Windows PowerShell V2

Active Directory Lightweight Directory Services (AD LDS)

Net TCP port sharing services started and automatic start-up

Microsoft Office Filter Pack installed.

Computer Certificate and web certificates installed




2   5 6 7

Install HT server

8 9 10 11 12 13 14 15 16 17 18 19

Configure HT Server

 20 21

Add IP address of HT server as internal connector.

22 23 24 25

Specify local IP ranges.

 26 27 28 29 30 31 32 33 34 35 36 37

Test Outlook Web App


Relevant Topics

How to configure Exchange 2010 Client Access Server (CAS) Role

Step by Step Guide on Exchange Server 2010 Edge Transport Role

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

share thisAdd to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine