There are a few prerequisites needed for an Exchange 2010 hybrid server to connect to resources in Office 365.
If the on-premises messaging environment is Exchange 2003 and/or Exchange 2007, an Exchange 2010 server is a must for a hybrid configuration with Office 365. One thing to note, however, is that we do not need to purchase a license for Exchange 2010 if we use it as a hybrid-only server (without mailboxes), but we will need a properly licensed and configured Windows server to host Exchange 2010. We can request an Exchange hybrid server product key. This key allows us to install the Hub Transport and Client Access roles; we are not allowed to install the Mailbox role or to have mailboxes stored on a hybrid server (based on the hybrid license agreement).
NOTE: In order to request and receive a hybrid product key, we must have an Office 365 Enterprise subscription (non-trial).
NOTE: If an Exchange 2010 server is already present in the environment, then a hybrid product key is not needed.
Exchange Server Updates
Once we have our hybrid key, we can download and install the latest supported version of Exchange 2010, which is Exchange 2010 SP3 with the most recent update rollup for SP3 (UR7). If an Exchange 2010 server already exists on-premises, update it to Exchange 2010 SP3 and UR7.
NOTE: Exchange 2010 RTM, SP1 and SP2 are no longer in support.
Once we have our Exchange 2010 hybrid server updated, we can proceed with the next prerequisites.
For proper communication with Office 365, the hybrid server must be accessible and it must be able to access O365. At a basic level, the firewall needs to be open for ports 25, 80, 443, and 587 between the hybrid server and Office 365. Refer to this article on firewall requirements for Exchange hybrid with O365 for additional ports, URLs and IP addresses that need to be configured.
The next requirement is securing the connection between the hybrid server and O365. An SSL UC/SAN certificate from a trusted certificate authority (CA) is required. I recommend DigiCert, but really any public CA that offers UC/SAN certificates will suffice.
NOTE: Private or self-signed certs are not supported when performing cutover, staged or hybrid migrations to O365. Refer to “Certificates” in Things to consider before configuring a hybrid deployment and “Step 1” in Migrate all mailboxes to Exchange Online with a cutover migration regarding requirements for SSL certificates when migrating to Office 365 from an on-premises Exchange environment.
Connect with Office 365
Finally, we need to be able to actually connect and authenticate with Office 365 from our hybrid server before we can start moving mailboxes, etc. The last two requirements are…
- Microsoft Online Services Sign-in Assistant; and
- Windows Azure Active Directory Module for Windows PowerShell
Without the Sign-in Assistant, connecting to Office 365 via the Exchange Management Console (EMC) will not work: a prompt will state that the application is missing. The Sign-in Assistant can be downloaded from the O365 portal via the Desktop Setup or from the Microsoft Download Center.
NOTE: It is recommended that the hybrid server be restarted after installing the Sign-in Assistant.
To install the Windows Azure Active Directory Module for Windows PowerShell (Azure AD PowerShell), download it from the O365 Admin Center (Users > Active Users > Single Sign-on Set up > Install the Windows Azure Active Directory Module for Windows PowerShell > Select the 64-bit version > Click Download) or from Manage Azure AD using Windows PowerShell.
NOTE: Effective October 20, 2014, the 32-bit version of Azure Active Directory Module for Windows PowerShell is discontinued. Support for the 32-bit version will no longer occur, and future updates to the Azure Active Directory Module will be released only for the 64-bit version. We strongly recommend you install the 64-bit version to ensure future support and compatibility. Refer to “Install the Azure AD Module” in Manage Azure AD using Windows PowerShell.
To conclude this set of prerequisites, restart the server.
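As an added example (not part of the original article), the following PowerShell script, run from the Exchange Management Shell on the hybrid server, checks the prerequisites covered above: server roles and SP3 level, the four firewall ports, the certificate, the Sign-in Assistant and the Azure AD module. The Office 365 hostnames, the service name msoidsvc and the use of ExSetup.exe to compare against the UR7 build are assumptions.

```powershell
# Added example, not from the original article: a prerequisite check for an
# Exchange 2010 hybrid server. Run from the Exchange Management Shell on the
# hybrid server. Hostnames, the service name and the UR7 comparison are assumptions.
$results = @()
function Add-Result($Check, $Pass, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = "$Detail" }
}
function Test-Port($HostName, $Port) {
    # Plain TCP connect with a 3 s timeout; works on Windows 2008 R2 / PowerShell 2.0.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(3000, $false)) { return $false }
        $client.EndConnect($ar); return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Roles: the hybrid key permits Hub Transport and Client Access only, no Mailbox role.
$ex = Get-ExchangeServer -Identity $env:COMPUTERNAME
Add-Result 'No Mailbox role' ($ex.ServerRole -notmatch 'Mailbox') $ex.ServerRole

# 2. Service pack: Exchange 2010 SP3 reports AdminDisplayVersion 14.3. Rollups do not change
#    it, so the ExSetup.exe file version is reported for manual comparison with UR7 (KB2961522).
$v = $ex.AdminDisplayVersion
Add-Result 'Exchange 2010 SP3' ($v.Major -eq 14 -and $v.Minor -eq 3) $v
$exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'   # ExchangeInstallPath is set by Exchange setup
Add-Result 'ExSetup.exe version (compare with UR7 build)' $null (Get-Item $exSetup).VersionInfo.ProductVersion

# 3. Firewall: ports 25, 80, 443 and 587 towards Office 365. The hostnames below are
#    assumptions; take the full list from Microsoft's hybrid firewall requirements article.
$endpoints = @{ 'outlook.office365.com' = @(80, 443); 'smtp.office365.com' = @(25, 587) }
foreach ($h in $endpoints.Keys) {
    foreach ($p in $endpoints[$h]) { Add-Result "TCP $p to $h" (Test-Port $h $p) '' }
}

# 4. Certificate: a non-self-signed (public CA) UC/SAN certificate that is still valid and
#    assigned to both IIS and SMTP; private or self-signed certificates are not supported.
$cert = Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and "$($_.Services)" -match 'IIS' -and "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
Add-Result 'Public UC/SAN certificate on IIS+SMTP' ($cert -ne $null) $(if ($cert) { "$($cert.Issuer) SANs: $($cert.CertificateDomains -join ', ')" } else { 'none' })

# 5. Sign-in Assistant (service name msoidsvc is an assumption) and the Azure AD module (MSOnline).
$sia = Get-Service -Name msoidsvc -ErrorAction SilentlyContinue
Add-Result 'Microsoft Online Services Sign-in Assistant' ($sia -ne $null) $(if ($sia) { $sia.Status } else { 'not installed' })
$msol = Get-Module -ListAvailable -Name MSOnline
Add-Result 'Azure AD Module for Windows PowerShell (MSOnline)' ($msol -ne $null) $(if ($msol) { $msol.Path } else { 'not installed' })

$results | Format-Table Check, Pass, Detail -AutoSize
```

A blank Pass column for the ExSetup.exe row is expected: that row only reports the file version so it can be compared with the KB2961522 build before the server is accepted as UR7.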
In conclusion, this article is meant to outline the prerequisites specific to an Exchange 2010 hybrid server. It does not cover the full set of requirements for a hybrid solution, which will include DirSync and DNS changes at a minimum, possibly AD FS for single sign-on (SSO), and the required workstation updates for those still using Windows XP, Windows Vista, Outlook 2007 or Outlook 2010.
Additionally, it will be important to check if your public IP is blacklisted or blocked prior to redirecting mail flow from on premise to Office 365. To find out if your public IP is on one of the lists, use these tools…
- The Spamhaus Project (Spamhaus provides info on how to remove an IP address from a block/blacklist)
References
- Exchange Hybrid Server License For Office 365
- Microsoft Exchange Server 2010 Service Pack 3 (SP3)
- Update Rollup 7 For Exchange 2010 SP3 (KB2961522)
- Set up your desktop applications to work with Office 365
- Manage Azure AD using Windows PowerShell (Install the Azure AD Module)
- Things to consider before configuring a hybrid deployment
- Migrate all mailboxes to Exchange Online with a cutover migration