A hybrid deployment contains mailboxes in an on-premises Exchange organization and also in an Exchange Online organization. For more information about hybrid, see Exchange Server hybrid deployments.
A critical component of making these two separate organizations appear as one is hybrid transport. Messages sent between recipients in either organization are authenticated, encrypted, and transferred using Transport Layer Security (TLS). These messages appear as "internal" to Exchange components (for example, transport rules, journaling, and anti-spam policies). The Hybrid Configuration wizard automatically configures hybrid transport in Exchange 2013.
For hybrid transport to work with the Hybrid Configuration wizard, the on-premises SMTP endpoint that accepts connections from Exchange Online must be one of the following Exchange servers:
- Exchange 2016 Cumulative Update 8 (CU8) or later:
  - Mailbox server
  - Edge Transport server
- Exchange 2013 Cumulative Update 15 (CU15) or later:
  - Client Access server
  - Edge Transport server
- Exchange 2010 Service Pack 3 (SP3) with Update Rollup 11 (RU11) or later:
  - Hub Transport server
  - Edge Transport server
Important
Don't place SMTP hosts or services between Microsoft 365 and the on-premises Exchange organization endpoint. Information critical to hybrid transport is removed from messages that pass through an endpoint running an unsupported version of Exchange or a generic SMTP host.
Hybrid routing options
You need to choose how to route inbound and outbound mail when you plan and configure your hybrid deployment:
Do you want to route inbound mail from external internet senders to on-premises and cloud recipients through Microsoft 365 or through your on-premises Exchange organization? Configuration depends on various factors:
- Are most of your mailboxes in the cloud or in on-premises Exchange?
- Do you want to use the Built-in security add-on for on-premises mailboxes to protect your on-premises Exchange organization?
- Where is your compliance infrastructure configured?
The route for inbound messages to both organizations depends on whether you enable centralized mail transport in your hybrid deployment.
Do you want to route outbound mail from Exchange Online senders to external recipients through your on-premises organization (centralized mail transport) or directly to the internet?
Centralized mail transport routes all mail from Exchange Online senders through the on-premises organization before delivery to the internet. This approach is important in compliance scenarios where on-premises servers must process all mail sent to and from the internet. Or, you can send messages from Exchange Online senders to external recipients directly to the internet.
Note
We recommend centralized mail transport only for organizations with specific compliance-related transport needs. Our typical recommendation is to not use centralized mail transport due to the increased bandwidth and mail processing overhead on your on-premises organization.
Do you want to deploy an Edge Transport server in your on-premises organization?
If you don't want to expose your domain-joined, internal Exchange servers directly to the internet, you can deploy supported Edge Transport servers in your perimeter network. For more information, see Edge Transport servers with hybrid deployments.
Regardless of your selection, all messages sent between the on-premises Exchange organization and the Exchange Online organization use secure transport. For more information, see Trusted communication later in this article.
To learn more about how these options affect message routing in your organization, see Transport routing in Exchange hybrid deployments.
Built-in cloud security features in hybrid deployments
All Microsoft cloud organizations with cloud mailboxes include built-in security features to protect recipients from viruses, spam, phishing scams, and policy violations. These same built-in security features are also available to protect on-premises email environments (not just Exchange) in the Built-in security add-on for on-premises mailboxes.
The built-in security features for all cloud mailboxes are the front door to your Exchange Online organization. All incoming messages (regardless of their origin) pass through these built-in security features before they reach recipients in your cloud organization. All messages sent from your Exchange Online organization pass through these built-in security features before they reach the internet.
Trusted communication
Mail flow between the on-premises organization and the Exchange Online organization is configured to use forced TLS. This configuration helps ensure messages sent between the organizations aren't intercepted. Secure mail transport uses TLS certificates provided by a trusted commercial certification authority (CA).
In forced TLS transport, the sending and receiving servers examine each other's certificates. The certificate's Subject or Subject Alternative Name (SAN) field must contain the FQDN that identifies the other server.
For example, the Exchange Online organization is configured to accept and secure messages sent from the FQDN mail.contoso.com. The TLS certificate on the source on-premises Client Access server or Edge Transport server must contain mail.contoso.com in the Subject or Subject Alternative Name (SAN) field. Otherwise, Microsoft 365 refuses the connection.
Tip
The FQDN doesn't need to match the email domain name of recipients. The certificate's Subject or Subject Alternative Name (SAN) field must contain the FQDN that the receiving or sending servers are configured to accept.
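The name check described above can be rehearsed offline before a certificate is bound to a connector. The following is an added example, not code from the article or from Exchange: it models the Subject CN and SAN dNSName entries of a certificate, applies RFC 6125 style hostname matching (case-insensitive, a wildcard only as the whole leftmost label), and reports which field satisfies the FQDN that the connector on the other side is configured to accept. The certificates, the hybrid FQDN `mail.contoso.com`, and the function names are all constructed for illustration. It also shows the point made in the tip: recipients at contoso.com do not need a certificate for contoso.com itself; the certificate must name the transport FQDN.

```python
"""Check whether a certificate's Subject CN / SAN entries cover the FQDN that
the peer's hybrid connector expects (added example; not Microsoft's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CertIdentity:
    """The name fields of a certificate that matter for forced-TLS matching."""
    subject_cn: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def name_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate name (possibly '*.contoso.com') against an FQDN.

    Rules (RFC 6125 style, assumed here): comparison is case-insensitive, a
    trailing dot is ignored, and a wildcard may only stand for the entire
    leftmost label, so '*.contoso.com' covers mail.contoso.com but neither
    contoso.com nor a.b.contoso.com.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # partial or nested wildcards are rejected
    host_head, host_sep, host_tail = fqdn.partition(".")
    return host_sep == "." and host_head != "" and host_tail == tail


def certificate_covers_fqdn(cert: CertIdentity, expected_fqdn: str) -> Tuple[bool, str]:
    """Return (ok, reason). SAN entries are checked first, then the Subject CN."""
    for name in cert.san_dns_names:
        if name_matches(name, expected_fqdn):
            return True, f"SAN dNSName '{name}' covers {expected_fqdn}"
    if cert.subject_cn and name_matches(cert.subject_cn, expected_fqdn):
        return True, f"Subject CN '{cert.subject_cn}' covers {expected_fqdn}"
    return False, f"neither SAN nor Subject CN covers {expected_fqdn}; peer would refuse TLS"


# Constructed sample data: the Exchange Online connector expects mail.contoso.com.
EXPECTED_FQDN = "mail.contoso.com"

SAMPLE_CERTS: Dict[str, CertIdentity] = {
    # Typical public certificate: internal CN, public names in the SAN.
    "edge-san": CertIdentity("edge01.corp.contoso.local",
                             ["mail.contoso.com", "autodiscover.contoso.com"]),
    # Wildcard certificate for the public domain.
    "wildcard": CertIdentity("*.contoso.com", ["*.contoso.com"]),
    # Older style certificate with the FQDN only in the Subject CN.
    "cn-only": CertIdentity("mail.contoso.com"),
    # Certificate that names only the internal host: fails the check.
    "internal-only": CertIdentity("edge01.corp.contoso.local",
                                  ["edge01.corp.contoso.local"]),
    # Names only the email domain, not the transport FQDN: fails the check.
    "apex-only": CertIdentity("contoso.com", ["contoso.com"]),
}


def audit(certs: Dict[str, CertIdentity], expected_fqdn: str = EXPECTED_FQDN) -> Dict[str, bool]:
    """Evaluate every candidate certificate against the expected FQDN."""
    return {label: certificate_covers_fqdn(c, expected_fqdn)[0] for label, c in certs.items()}


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        ok, reason = certificate_covers_fqdn(cert, EXPECTED_FQDN)
        print(f"{label:14} {'OK  ' if ok else 'FAIL'} {reason}")
```

On a real server the inputs to `CertIdentity` would come from the certificate bound to the Send or Receive connector; the matching logic is the part worth keeping, because a certificate that only names the internal host or the bare email domain is the usual cause of a refused hybrid connection.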
In addition to using TLS, messages between the on-premises and cloud organizations are treated as "internal." This approach allows messages to bypass some threat protection filtering and other services.
For more information, see Certificate requirements for hybrid deployments and Understanding TLS Certificates.