Understanding Transport for Existing FOPE Customers in Exchange 2003 Hybrid Deployments

 

Applies to: Exchange Server 2010 SP2

How your mail is routed into, and out of, your on-premises and Exchange Online organizations is directly affected by whether you’re an existing Microsoft Forefront Online Protection for Exchange (FOPE) customer. If you currently use FOPE to protect your on-premises organization, answer Yes to this question in the Exchange Server Deployment Assistant (ExDeploy) environment questions section:  Do you already use Microsoft Forefront Online Protection for Exchange to protect your on-premises mailboxes?

If you're an existing FOPE customer, we make the assumption in ExDeploy that you want to keep using FOPE to protect messages sent to and from your on-premises organization. A new Exchange Online FOPE company will be automatically created to support any domains that are configured for use with your new Exchange Online tenant. Depending on how you want to route inbound messages, you'll continue to manage your on-premises domains using your existing FOPE company or you’ll need to merge your existing company with the new Exchange Online FOPE company.

Note

The examples in this topic don’t include the addition of Edge Transport servers into the hybrid deployment. The routes that messages take between the on-premises organization, the Exchange Online organization, and the Internet don't change with the addition of an Edge Transport server. Only the routing within the on-premises organization changes. For more information about adding Edge Transport servers to a hybrid deployment, see Understanding Edge Transport Servers in Exchange 2003 Hybrid Deployments.

This topic discusses your routing options for the following:

  • Inbound messages from the Internet
  • Outbound messages from on-premises senders to the Internet
  • Outbound messages from Exchange Online senders to the Internet

Inbound Messages from the Internet

All messages sent to your on-premises and Exchange Online organizations are delivered to FOPE first. After a message has been accepted by FOPE, the path taken by messages sent to recipients in your on-premises and Exchange Online organizations depends on how you answer this question in the ExDeploy environment questions section:  Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?

  • If you answer Yes:   All messages sent to any recipient configured to use the domain namespace shared by the on-premises and Exchange Online organizations will be routed through your on-premises organization first. A message addressed to a recipient that's located in Exchange Online will be routed first through your on-premises organization and then delivered to the recipient in Exchange Online.
    • This route can be helpful for organizations where you have compliance policies that require messages sent to and from an organization be examined by a journaling solution. This route is also recommended if you have more recipients in your on-premises organization than in your Exchange Online organization.
    • If you choose this option, you’ll need to manage your pre-existing FOPE company separately from the new Exchange Online FOPE company that’s created when you sign up for Exchange Online. You’ll have an option to combine the FOPE companies after you’ve completed your hybrid deployment.
  • If you answer No:   All messages sent to any recipient in either organization will be routed through the Exchange Online organization first. A message addressed to a recipient that's located in your on-premises organization will be routed first through your Exchange Online organization and then delivered to the recipient in your on-premises organization.
    • This route is recommended if you have more recipients in your Exchange Online organization than in your on-premises organization.

    • If you choose this option, you’ll need to merge your existing FOPE company with the new Exchange Online FOPE company created when you sign up for Exchange Online. To merge companies, you’ll need to contact FOPE technical support.

      Important

      If you respond No to this question, you can't route outbound messages from the Exchange Online organization through your on-premises organization to the Internet. For more information, see the Outbound messages from Exchange Online senders to the Internet section later in this topic.

Read the section below that matches how you plan to route messages sent from Internet recipients to your on-premises and Exchange Online recipients.

Route Messages Through Your On-Premises Organization

If you decide to route all mail through your on-premises organization, you’ll manage your existing FOPE company and the new Exchange Online FOPE company separately. Your existing transport configuration, such as inbound and outbound FOPE connectors, domains, scanning policies, and so on, remains in your existing FOPE company. Inbound and outbound connectors, domains, and so on for the Exchange Online organization are configured in the Exchange Online organization by the Manage Hybrid Configuration wizard. Unless you need to customize transport for your hybrid deployment, you shouldn’t need to modify the default configuration of the new Exchange Online FOPE company configured by the wizard.

The following steps and diagram illustrate the inbound message path that will occur in your hybrid deployment, assuming that you answer Yes to the question: Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?

  1. An inbound message is sent from an Internet sender to the recipients chris@contoso.com and david@contoso.com. Chris's mailbox is located on an Exchange 2003 server in the on-premises organization. David's mailbox is located in Exchange Online.
  2. Because the recipients both have contoso.com e-mail addresses, and the MX record for contoso.com points to the pre-existing FOPE company, the message is delivered to FOPE.
  3. FOPE scans the messages for viruses, policy, and spam, and then routes the messages for both recipients according to the settings on the contoso.com domain. In this example, the messages are delivered to the Exchange 2003 server in your on-premises organization.
  4. The Exchange 2003 server performs a lookup for each recipient using an on-premises global catalog server. Through the global catalog lookup, it determines that Chris's mailbox is located on the Exchange 2003 server while David's mailbox is located in the Exchange Online organization and has a routing address of david@contoso.mail.onmicrosoft.com.
  5. The Exchange 2003 server splits the message into two copies. One copy of the message is delivered to Chris’s mailbox.
  6. The second copy is sent through the routing group connector that's configured between the hybrid servers and the Exchange 2003 server.
  7. A hybrid Hub Transport server sends the message to the Exchange Online FOPE company, which receives messages sent to the Exchange Online organization, using a Send connector configured to use TLS.
  8. FOPE scans the message for viruses and then sends the message to the Exchange Online organization where the message is delivered to David's mailbox.

Figure: Route inbound mail through the on-premises organization for both on-premises and Exchange Online organizations (diagram: Inbound via on-premises with pre-existing FOPE)

Route Messages Through the Exchange Online Organization

If you decide to route mail for both organizations through Exchange Online, you need to merge your existing FOPE company with the new FOPE company that’s created when you sign up for Exchange Online. Merging the FOPE companies requires that you open a support ticket with Office 365 support so that the IP addresses of your outbound mail servers can be added to the new FOPE company. The new FOPE company doesn’t permit you to directly modify the IP addresses configured on it. When the companies are merged, all the settings that are configured on your existing FOPE company are moved over to the new FOPE company.

By default, antivirus scanning isn’t enabled on messages sent to and from your on-premises organization when your existing FOPE company is merged with the new Exchange Online FOPE company. It can, however, be enabled for domains configured in the company. Inbound messages from the Internet are always scanned by Exchange Online.

The following steps and diagram illustrate the inbound message path that will occur in your hybrid deployment, assuming that you answer No to the question: Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?

  1. An inbound message is sent from an Internet sender to the recipients chris@contoso.com and david@contoso.com. Chris's mailbox is located on an Exchange 2003 server in the on-premises organization. David's mailbox is located in Exchange Online.
  2. Because the recipients both have contoso.com e-mail addresses, and the MX record for contoso.com points to the Exchange Online FOPE company, the message is delivered to FOPE.
  3. FOPE routes the messages for both recipients to Exchange Online.
  4. Exchange Online scans the messages for viruses and performs a lookup for each recipient. Through the lookup, it determines that Chris's mailbox is located in the on-premises organization while David's mailbox is located in the Exchange Online organization.
  5. Exchange Online splits the message into two copies. One copy of the message is delivered to David's mailbox.
  6. The second copy is sent from Exchange Online back to FOPE.
  7. FOPE sends the message to the hybrid Hub Transport servers in the on-premises organization. FOPE is configured to send messages sent from the Exchange Online organization to contoso.com to the on-premises organization.
  8. A hybrid Hub Transport server sends the message through the routing group connector that's configured between the hybrid servers and the Exchange 2003 server and the message is delivered to Chris's mailbox.

Figure: Route inbound mail through the Exchange Online organization for both on-premises and Exchange Online organizations (diagram: Inbound via Exchange Online)
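
Added example (not part of the original topic and not Microsoft code): a check that a delivered message's Received trace follows the inbound tier order given in the two sets of numbered steps above, for either answer to the ExDeploy question. The host-name suffixes, tier labels, and sample trace are constructed assumptions; substitute the names your own FOPE companies and servers stamp into headers.

```python
import re
from email import message_from_string

# Tier order per (ExDeploy answer, mailbox location), from the steps on this page.
EXPECTED = {
    ("yes", "onprem"): ["fope-existing", "exchange2003"],
    ("yes", "online"): ["fope-existing", "exchange2003", "hybrid-hub",
                        "fope-online", "exchange-online"],
    ("no", "online"): ["fope-online", "exchange-online"],
    ("no", "onprem"): ["fope-online", "exchange-online", "fope-online",
                       "hybrid-hub", "exchange2003"],
}
# Assumption: constructed host-name suffixes that identify each tier.
ROLE_BY_SUFFIX = {
    ".fope-existing.example": "fope-existing",
    ".fope-online.example": "fope-online",
    ".exo.example": "exchange-online",
    ".hybrid.contoso.example": "hybrid-hub",
    ".ex2003.contoso.example": "exchange2003",
}
# Constructed trace for david@contoso.com under answer Yes (newest header first).
SAMPLE_DAVID = """\
Received: from mail.fope-online.example by mbx7.exo.example; Sun, 1 Jan 2012 10:00:06 +0000
Received: from hub1.hybrid.contoso.example by mail.fope-online.example; Sun, 1 Jan 2012 10:00:05 +0000
Received: from srv1.ex2003.contoso.example by hub1.hybrid.contoso.example; Sun, 1 Jan 2012 10:00:04 +0000
Received: from mx2.fope-existing.example by srv1.ex2003.contoso.example; Sun, 1 Jan 2012 10:00:03 +0000
Received: from mx1.fope-existing.example by mx2.fope-existing.example; Sun, 1 Jan 2012 10:00:02 +0000
Received: from sender.internet.example by mx1.fope-existing.example; Sun, 1 Jan 2012 10:00:01 +0000
To: david@contoso.com
Subject: constructed sample

body
"""

def hops_from_received(raw_message):
    """Return the tiers that accepted the message, in delivery order."""
    msg = message_from_string(raw_message)
    roles = []
    # Each server prepends its Received header, so reverse to get oldest first.
    for header in reversed(msg.get_all("Received", [])):
        match = re.search(r"\bby\s+([\w.-]+)", header)
        if not match:
            continue
        host = match.group(1).lower()
        role = next((r for s, r in ROLE_BY_SUFFIX.items() if host.endswith(s)), "unknown")
        if not roles or roles[-1] != role:  # collapse hops inside one tier
            roles.append(role)
    return roles

def route_matches(raw_message, answer, mailbox):
    """True if the trace follows the route for this answer and mailbox location."""
    return hops_from_received(raw_message) == EXPECTED[(answer, mailbox)]
```

A mismatch for ("yes", "online") means the message reached the Exchange Online mailbox without passing through the on-premises servers, where journaling or compliance processing would have been applied.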

Outbound Messages from On-Premises Senders to the Internet

The route that messages take from on-premises senders to Internet recipients depends on how you answer this question in the ExDeploy environment questions section:  Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization? Your decision determines whether your deployment will have two separate FOPE companies or whether you’ll need to merge the companies. The route that outbound messages from your on-premises senders take depends on whether you have two separate FOPE companies or one merged company.

  • If you answer Yes:   Your hybrid deployment will have two separate FOPE companies. Messages sent from on-premises senders will be routed to the Internet through your pre-existing FOPE company.
  • If you answer No:   Your hybrid deployment will have one merged FOPE company. Messages sent from on-premises senders will be routed through the new Exchange Online FOPE company.

Read the section below that matches how messages will be routed from your on-premises senders to the Internet.

On-Premises Messages Routed through Pre-Existing FOPE Company

The following steps and diagram illustrate the outbound message route for messages sent from on-premises senders to Internet recipients that will occur in your hybrid deployment, assuming that you answered Yes to:  Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?

  1. Chris, who has a mailbox on the on-premises Exchange 2003 server, sends a message to an external Internet recipient, erin@cpandl.com.
  2. The Exchange 2003 server sends Chris's message directly to the pre-existing FOPE company. The message doesn't go through an on-premises hybrid Hub Transport server because it's not addressed to an Exchange Online recipient.
  3. FOPE scans the message for viruses, looks up the MX record for cpandl.com, and then sends the message directly to the cpandl.com mail servers located on the Internet.

Figure: Messages from on-premises senders to Internet recipients (diagram: Outbound from on-premises with pre-existing FOPE)

On-Premises Messages Routed through Exchange Online FOPE Company

The following steps and diagram illustrate the outbound message route for messages sent from on-premises senders to Internet recipients that will occur in your hybrid deployment, assuming that you answered No to:  Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?

  1. Chris, who has a mailbox on the on-premises Exchange 2003 server, sends a message to an external Internet recipient, erin@cpandl.com.
  2. The Exchange 2003 server sends Chris's message directly to the Exchange Online FOPE company. The message doesn't go through an on-premises hybrid Hub Transport server because it's not addressed to an Exchange Online recipient.
  3. FOPE scans the message for viruses, looks up the MX record for cpandl.com, and sends the message directly to the cpandl.com mail servers located on the Internet.

Figure: Messages from on-premises senders to Internet recipients (diagram: Outbound on-premises with FOPE via Exchange Online)

Outbound Messages from Exchange Online Senders to the Internet

In addition to choosing how inbound messages addressed to recipients in your organizations are routed, you can also choose how outbound messages sent from Exchange Online recipients are routed. When you run the Manage Hybrid Configuration wizard, you can select one of two options:

  • Route all Internet-bound messages through your on-premises Exchange servers   This option routes outbound messages sent from the Exchange Online organization through your on-premises organization. Except for messages sent to other recipients in the same Exchange Online organization, all messages sent from recipients in the Exchange Online organization are sent through the on-premises organization. This enables you to apply compliance rules to these messages and any other processes or requirements that must be applied to all of your recipients, regardless of whether they're located in the Exchange Online organization or the on-premises organization.

    Warning

    You must not select this option if you responded No to this question in the ExDeploy environment questions section:  Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization? These two choices are incompatible with each other and will prevent mail from being delivered correctly in your hybrid deployment.

  • Deliver Internet-bound messages directly using the external recipient's DNS settings   This option routes outbound messages sent from the Exchange Online organization directly to the Internet. Use this option if you don't need to apply any on-premises compliance policies or other processing rules to messages that are sent from recipients in the Exchange Online organization.

Read the section below that matches how you plan to route messages sent from recipients in the Exchange Online organization to Internet recipients.

Route Internet-bound Messages from Exchange Online through Your On-Premises Organization

The following steps and diagram illustrate the outbound message path for messages sent from Exchange Online recipients to an Internet recipient that will occur in your hybrid deployment, assuming that you select Route all Internet-bound messages through your on-premises Exchange servers in the Manage Hybrid Configuration wizard.

  1. David, who has a mailbox in the Exchange Online organization, sends a message to an external Internet recipient, erin@cpandl.com.
  2. Exchange Online scans the message for viruses and sends the message to the Exchange Online FOPE company.
  3. The Exchange Online FOPE company is configured to send all Internet-bound messages to an on-premises hybrid server, so the message is routed to a hybrid Hub Transport server. The message is sent using TLS.
  4. A hybrid Hub Transport server performs any compliance, anti-virus, and any other processes configured by the administrator, on David's message. It then sends the message through the routing group connector that's configured between the hybrid servers and the Exchange 2003 server.
  5. The Exchange 2003 server then sends David’s message to the pre-existing FOPE company. FOPE scans the message for viruses, looks up the MX record for cpandl.com, and sends the message to the cpandl.com mail servers located on the Internet.

Figure: Mail from Exchange Online senders routed through on-premises organization (diagram: Outbound Exchange Online via on-premises with FOPE)

Deliver Internet-bound Messages from Exchange Online Using DNS

The following steps and diagram illustrate the outbound message path for messages sent from Exchange Online recipients to an Internet recipient that will occur in your hybrid deployment, assuming that you select Deliver Internet-bound messages directly using the external recipient's DNS settings in the Manage Hybrid Configuration wizard.

  1. David, who has a mailbox in the Exchange Online organization, sends a message to an external Internet recipient, erin@cpandl.com.
  2. Exchange Online scans the message for viruses and sends the message to FOPE.
  3. FOPE looks up the MX record for cpandl.com and sends the message to the cpandl.com mail servers located on the Internet.

Figure: Mail from Exchange Online senders routed directly to the Internet (diagram: Outbound Exchange Online direct to Internet)

 © 2010 Microsoft Corporation. All rights reserved.