Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises)
Applies to: Office 365 Enterprise, Live@edu, Forefront Online Protection for Exchange
Topic Last Modified: 2012-07-31
The shared address space with on-premises relay scenario (MX points to on-premises) refers to when email is hosted partially in the cloud using Microsoft Exchange Online and partially on-premises, and mail flow is controlled on-premises. In this scenario, Exchange Online is provisioned with Forefront Online Protection for Exchange (FOPE) and incoming mail is routed to your on-premises mail server before being routed to FOPE and your hosted mailboxes. This configuration lets you use a single SMTP domain namespace for all mailboxes in both your on-premises Exchange organization and in your cloud organization.
To implement this scenario, you must configure FOPE connectors to control how mail is routed inbound, outbound, and internally (intra-organizational). This topic provides diagrams that show how mail flow works, links to additional Exchange documentation about hybrid deployments, and the recommended configuration procedures in the Exchange Deployment Assistant.
Note: This scenario requires an on-premises hybrid server, which is a server that coordinates communication between your existing on-premises Exchange organization and your cloud-based organization, running Exchange Server 2010 SP1 or later. Hybrid Deployments provides more information regarding hybrid deployments, including checklists for configuring a hybrid deployment between an on-premises Exchange server and Office 365 for enterprises.
When Exchange Online receives email inbound from an external Internet address, the scenario is as follows:
In this example, Contoso has an on-premises solution for email. After purchasing Exchange Online with FOPE (separately or as part of the Office 365 service), Contoso migrates some of their mailboxes to the cloud (Exchange Online). However, given the highly confidential nature of some of their email (like the legal department), Contoso decides to leave these mailboxes on-premises, thereby enabling them to maintain greater control over their mail flow, while continuing to take advantage of their existing on-premises infrastructure. FOPE is configured using connectors and on-premises mail servers are configured using the MX record.
In such a scenario, when email is sent inbound from an external Internet source to a Contoso user whose mail is hosted in Exchange Online, the email is initially delivered on-premises, as directed by the MX record. The on-premises protection solution, such as Forefront Protection 2010 for Exchange Server, then performs its various functions, such as virus scanning, custom filtering, or archiving. The on-premises protection solution then redirects the email to FOPE through an address rewrite; based on the recommended inbound FOPE connector configuration, FOPE skips filtering because the mail has already passed perimeter inspection and is therefore trusted. The email is then delivered to the specified recipient whose mailbox is hosted in Exchange Online.
Alternatively, you can specify that FOPE apply inbound policy and spam filtering for mail sent from external sources, and only skip filtering for intra-organizational mail. For more information, see Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Adding FOPE Filtering.
When sending email outbound from Exchange Online to an external Internet address, the scenario is as follows:
In this example, email is sent outbound from a Contoso (Exchange Online) user to an external Internet address. First, Exchange Online sends the email to FOPE, which performs outbound filtering operations. FOPE then sends the email to the on-premises server, which performs its own custom processing on the message before delivering it.
When dealing with intra-organizational email, where both the sender and the recipients reside within the same organization, the scenario is as follows:
In this example, an email message is sent from an on-premises Contoso user to a Contoso user whose mail is hosted in Exchange Online. The on-premises mailbox sends the email outbound where custom processing is performed by the on-premises protection solution. The email is then sent to FOPE, which skips filtering operations and delivers the mail message to the Contoso cloud user whose mailbox is hosted in Exchange Online.
Note: In this scenario, the IP address space is securely locked down to receive email only from the on-premises server, and transport layer security (TLS) can be configured so that the email is safe in transit across the cloud (and also when the reverse occurs, when Exchange Online sends mail to the on-premises mailboxes).
Note: When intra-organizational email is sent from Exchange Online to on-premises, FOPE skips all filtering operations. In this scenario, intra-organizational email is always securely sent without any FOPE filtering since a bi-directional trusted relationship exists within the organization.
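The inbound, intra-organizational, and "Adding FOPE Filtering" paths described above all rest on one trust decision at the hosted connector: mail is accepted only from the locked-down on-premises relay, TLS is expected on that path, and filtering is skipped only because the relay already inspected the message. The following Python model is an added example, not FOPE's own code or configuration; the connector fields, the contoso.com namespace handling, the 203.0.113.0/28 relay network (a documentation-range placeholder), and the sample messages are all constructed assumptions. It also includes a small audit that flags a connector which skips filtering without being restricted to the on-premises relay, the misconfiguration a defender would most want to catch in this design.

```python
"""Model of the trust decision a hosted inbound connector makes when the MX
record points on-premises.  Added example with assumed connector fields;
not FOPE code.  Addresses below are constructed documentation-range values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import List, Union

Net = Union[IPv4Network, IPv6Network]

# The single SMTP namespace shared by on-premises and hosted mailboxes.
ORG_DOMAIN = "contoso.com"


@dataclass
class InboundConnector:
    """Assumed shape of an inbound connector: the sources it trusts, whether
    TLS is mandatory on that path, and whether hosted filtering is skipped."""
    name: str
    trusted_sources: List[Net] = field(default_factory=list)
    require_tls: bool = True
    skip_filtering: bool = True


@dataclass
class InboundMessage:
    source_ip: str
    tls: bool
    sender_domain: str
    recipient_domain: str


@dataclass
class Decision:
    accepted: bool
    filtered: bool   # True when hosted spam/policy filtering runs
    reason: str


def evaluate_inbound(conn: InboundConnector, msg: InboundMessage) -> Decision:
    """Accept only from the locked-down on-premises relay, over TLS if required.
    Intra-organizational mail is never filtered; external mail relayed from
    on-premises is filtered only when the connector was built with filtering."""
    src = ip_address(msg.source_ip)
    if not any(src in net for net in conn.trusted_sources):
        return Decision(False, False, "rejected: source is not the on-premises relay")
    if conn.require_tls and not msg.tls:
        return Decision(False, False, "rejected: TLS required from on-premises relay")
    intra_org = msg.sender_domain == ORG_DOMAIN and msg.recipient_domain == ORG_DOMAIN
    if intra_org:
        return Decision(True, False, "accepted: intra-organizational, filtering skipped")
    if conn.skip_filtering:
        return Decision(True, False, "accepted: external mail already inspected on-premises")
    return Decision(True, True, "accepted: external mail, hosted filtering applied")


def audit_connector(conn: InboundConnector) -> List[str]:
    """Defender's checks: a connector that skips filtering must be restricted
    to the on-premises relay, must not trust a catch-all network, and should
    require TLS on the relay path."""
    findings = []
    if conn.skip_filtering and not conn.trusted_sources:
        findings.append("skip_filtering enabled with no trusted source restriction")
    if any(net.prefixlen == 0 for net in conn.trusted_sources):
        findings.append("trusted source list contains a catch-all network")
    if not conn.require_tls:
        findings.append("TLS not required on the relay path")
    return findings


# Constructed connectors: the recommended locked-down relay, the same relay
# with hosted filtering added (the "Adding FOPE Filtering" variant), and a
# deliberately unrestricted one for the audit to flag.
ONPREM_RELAY = InboundConnector("onprem-to-hosted", [ip_network("203.0.113.0/28")])
FILTERING_RELAY = InboundConnector("onprem-to-hosted-filtered",
                                   [ip_network("203.0.113.0/28")], skip_filtering=False)
UNRESTRICTED = InboundConnector("unrestricted", [], require_tls=False)

# Constructed sample traffic seen by the hosted connector.
SAMPLE_MESSAGES = [
    InboundMessage("203.0.113.5", True, "partner.example", "contoso.com"),   # relayed external mail
    InboundMessage("203.0.113.5", True, "contoso.com", "contoso.com"),       # intra-organizational
    InboundMessage("203.0.113.5", False, "contoso.com", "contoso.com"),      # relay without TLS
    InboundMessage("198.51.100.7", True, "partner.example", "contoso.com"),  # not via the MX path
]


def run_samples(conn: InboundConnector = ONPREM_RELAY) -> List[Decision]:
    return [evaluate_inbound(conn, m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, d in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{m.source_ip:13} tls={str(m.tls):5} {m.sender_domain:>16} -> {d.reason}")
    print("audit of unrestricted connector:", audit_connector(UNRESTRICTED))
```

Run as a script it prints one decision per sample message and the audit findings for the unrestricted connector; the two rejections (no TLS, and a source outside the relay network) are exactly the cases the IP lockdown and TLS note above are meant to prevent, and swapping in FILTERING_RELAY shows external mail becoming filtered while intra-organizational mail still is not.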
Note: If you are using Exchange Server, we highly recommend that you use the Exchange Deployment Assistant (EDA) to perform your hybrid deployment and recommend that you run Microsoft Exchange Server 2010 Service Pack 2 (SP2) on your hybrid server. When you follow this process, your FOPE connectors are automatically created and configured. However, in a case where you need to create additional connectors that include FOPE filtering, follow the guidance in Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Adding FOPE Filtering.
For end-to-end guidance in configuring this shared address space with on-premises relay scenario, it is recommended that you use the Exchange Deployment Assistant and specify the following initial parameter values:
On the opening page, select Hybrid (On-Premises + Cloud).
Select your current on-premises Exchange version.
Make sure that you select No for the question Do you want to configure an Exchange Online Archiving-ONLY deployment, and then click the Next arrow.
On the next page, select Yes for question 2, Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?
You can answer the other questions on this page depending on your messaging needs.
If you select Yes for question 4, Do you already use Forefront Online Protection for Exchange to protect your on-premises mailboxes?, we recommend that, instead of this scenario, you follow the configuration steps specified in Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE).
The wizard will generate a checklist that explains how to set up a functioning hybrid deployment where the MX record points to the on-premises Exchange organization.
Follow the checklist that the Exchange Deployment Assistant provides. Note that the configuration steps that directly tie into the mail flow diagrams above are included in the Create and configure hybrid deployment section.
Note: By default, when you use the EDA to configure this scenario, spam filtering is not automatically enabled on the FOPE connectors. If you want to use FOPE to perform spam filtering on email sent inbound to your Exchange Online mailboxes from an external address, after that mail has been processed by your on-premises server, you can follow the configuration steps in the Exchange Deployment Assistant and then follow the steps outlined in Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to On-Premises) – Adding FOPE Filtering.
The following video, TechNet Radio: “Road to TechEd 2012” - How the Hybrid Configuration Engine Works in Exchange Server, has more information about the EDA and how you can use it to perform a hybrid deployment.