
Hybrid deployment in Office 365 | Checklist and pre requirements | Part 3/3

This last article serves as a recap and summary of all the Exchange hybrid environment prerequisites.
To simplify the process of managing and implementing all of the required configuration settings and infrastructure, I have prepared a “Hybrid deployment in Office 365 - Checklist document” that gives a clear view of all the required tasks, which tasks have already been completed, and so on.

Hybrid deployment in Office 365 | Checklist

1. Exchange Hybrid server version

Exchange 2010
If the Exchange Hybrid server is Exchange 2010, verify that you have installed Exchange 2010 Service Pack 3 and the latest Exchange 2010 Rollup.
At the time of writing, the most recent Rollup for Exchange 2010 SP3 is Rollup 9.

Exchange 2013
If the Exchange Hybrid server is Exchange 2013, verify that you have installed Exchange 2013 Service Pack 1 + Cumulative Update 8.

Check for more information in the section: 1. Exchange Hybrid server version

2. Exchange On-Premise Hybrid server | Public IP address and Public name (FQDN)

Exchange On-Premise Hybrid server | Public IP address

  • Verify that a dedicated Public IP address was assigned to the Exchange On-Premise Hybrid server.
    (Check that the required firewall rule was created)

Exchange On-Premise Hybrid server | Public Name

  • Verify that the Exchange On-Premise Hybrid server Public name is published in the Public Network.
    (Check that the required Public DNS record was created)

General

  • Verify that the Exchange On-Premise Hybrid server “Public name” (FQDN) is “mapped” to the Public IP address.

Check for more information in the section: 2. Exchange On-Premise Hybrid server | Public IP address and Public name (FQDN)

3. Exchange On-Premise Hybrid server | Port number and protocols

  • Verify that public hosts can access the Exchange On-Premise Hybrid server using ports 443 (HTTPS) and 25 (SMTP).
  • Verify that the Exchange On-Premise Hybrid server can access hosts on the public network using the ports 443 (HTTPS) and 25 (SMTP).

Check for more information in the section: 3. Exchange On-Premise Hybrid server | Port number and protocols
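
The DNS and port checks from sections 2 and 3 can be scripted. The following PowerShell is an added example, not part of the original checklist; `Test-HybridEndpoint` is a hypothetical helper name, and all host names and the IP address (taken from the 203.0.113.0/24 documentation range) are placeholders.

```powershell
# Added example. Test-HybridEndpoint is a hypothetical helper name; every host
# name and IP address below is a placeholder to replace with your own values.
function Test-HybridEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int[]]  $Ports,
        [string] $ExpectedIp,   # optional: public IP the name must map to
        [string] $DnsServer     # optional: public resolver, bypasses internal split DNS
    )
    # Section 2: the public name must resolve, in public DNS, to the dedicated IP.
    $dnsArgs = @{ Name = $Target; Type = 'A'; ErrorAction = 'Stop' }
    if ($DnsServer) { $dnsArgs.Server = $DnsServer }
    $addresses = @(Resolve-DnsName @dnsArgs |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $dnsOk = if ($ExpectedIp) { $addresses -contains $ExpectedIp }
             else             { $addresses.Count -gt 0 }

    # Section 3: each required port must accept a TCP connection.
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target      = $Target
            Port        = $port
            PublicDns   = $addresses -join ', '
            DnsMatches  = $dnsOk
            ConnectedTo = $r.RemoteAddress
            TcpOpen     = $r.TcpTestSucceeded
        }
    }
}

# Inbound: run from a host on the public network (outside the organization).
# Many ISP networks block outbound TCP 25, so test SMTP from a host that allows it.
Test-HybridEndpoint -Target 'mail.example.com' -Ports 443, 25 `
    -ExpectedIp '203.0.113.10' -DnsServer '8.8.8.8'

# Outbound: run on the Exchange On-Premise Hybrid server itself.
Test-HybridEndpoint -Target 'outlook.office365.com' -Ports 443
# Placeholder for the tenant's Exchange Online Protection host name:
Test-HybridEndpoint -Target 'example-com.mail.protection.outlook.com' -Ports 25
```

`Resolve-DnsName` and `Test-NetConnection` require Windows 8.1 / Windows Server 2012 R2 or later, so on an older hybrid server run the outbound checks with another TCP test tool.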

4. Exchange On-Premise Hybrid server | Public IP address and Static NAT

Verify that the organization firewall has a static NAT rule that assigns a public IP address to the Exchange on-Premises server when it creates an outbound session (communicates with external hosts), and that this is the same public IP address that is mapped to the Exchange on-Premises server public name and is used by external hosts such as the Exchange Online server.

Check for more information in the section: 4. Exchange On-Premise Hybrid server | Public IP address and Static NAT

5. ISA\TMG server and a Firewall server

If you use an ISA\TMG server to publish the Exchange on-Premises server, verify that:

  • The ISA\TMG web publishing rule includes the required “path” for the Exchange on-Premises server EWS virtual folder and AutoDiscover virtual folder.
  • The ISA\TMG web publishing rule is not configured to require authentication for the Exchange on-Premises server EWS virtual folder and AutoDiscover virtual folder.

Check for more information in the section: 5. ISA\TMG server and a Firewall server

6. Firewall inbound\Outbound access policy | Office 365 and Exchange Online Public IP range

If you implement a firewall policy such as:

  1. An outbound policy that enables the Exchange Hybrid server to connect only to a predefined public IP range of the Office 365 and Exchange Online servers.
  2. An inbound policy that enables only Office 365 and Exchange Online servers to communicate with the Exchange Hybrid server.

  • Try to avoid these restrictions when running the first-time Hybrid configuration.
  • Verify and double-check that you have accurate information about all the public IP ranges that are used by Microsoft for the Office 365 services (Exchange Online, Windows Azure Active Directory and more).
  • Subscribe to the RSS feed to get updates about changes in the Office 365 services public IP ranges.

Check for more information in the section: 6. Firewall inbound\Outbound access policy | Office 365 and Exchange Online Public IP range

7. Exchange On-Premise Hybrid server | AutoDiscover service

AutoDiscover record and Public Network

  • Verify that the AutoDiscover record was created and published on the Public Network.

Verify successful operation of Exchange On-Premise AutoDiscover process

  • Verify that the AutoDiscover service is configured correctly, meaning that you can access the Exchange On-Premise server AutoDiscover service from the public network and get the required XML file.

AutoDiscover and Exchange On-Premise server version

  • If your Exchange on-Premises environment includes several Exchange versions (such as Exchange 2003, 2007, etc.), redirect the AutoDiscover record to the Exchange On-Premise Hybrid server, so that the AutoDiscover record points to the Exchange On-Premise server with the most updated version.

AutoDiscover record pointing to the Exchange On-Premise server

  • Verify that the AutoDiscover record points to the Exchange On-Premise server and not to the Office 365 AutoDiscover services.

Check for more information in the section: 7. Exchange On-Premise Hybrid server | AutoDiscover service

8. Exchange On-Premise Hybrid server | EWS service

  • Verify that the EWS service on the Exchange On-Premise Hybrid server is configured correctly, meaning that you can access the EWS service from the public network and get the required XML file.

Check for more information in the section: 8. Exchange On-Premise Hybrid server | EWS service
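
The AutoDiscover checks from section 7 and the EWS URL from section 8 can be verified together from an external host. This PowerShell is an added example, not part of the original checklist; `example.com` and the test mailbox are placeholders, and it assumes the standard `autodiscover.<domain>` record.

```powershell
# Added example; run from a host on the public network. example.com and the
# mailbox are placeholders. Use a low-privilege test mailbox: its credentials
# are sent to whatever server the AutoDiscover name resolves to.
$domain  = 'example.com'
$mailbox = "testuser@$domain"
$cred    = Get-Credential -Message "On-premises credentials for $mailbox"

# 1. The AutoDiscover record must lead to the on-premises server, not Office 365.
$records = Resolve-DnsName -Name "autodiscover.$domain" -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost }
if ($cname -match 'autodiscover\.outlook\.com$') {
    Write-Warning "autodiscover.$domain is a CNAME to Office 365 ($cname)"
}

# 2. Request the AutoDiscover XML the way a client does (POST, Outlook schema).
$body = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$mailbox</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
$uri  = "https://autodiscover.$domain/autodiscover/autodiscover.xml"
$resp = Invoke-WebRequest -Uri $uri -Method Post -Body $body -ContentType 'text/xml' `
            -Credential $cred -UseBasicParsing -ErrorAction Stop

# A login form or redirect here (instead of XML) usually means a publishing
# rule in front of Exchange is still asking for authentication itself.
if ($resp.Content -notmatch '<Autodiscover') { throw "No AutoDiscover XML returned from $uri" }
$account = ([xml]$resp.Content).Autodiscover.Response.Account
if (-not $account) { throw "AutoDiscover returned an error response for $mailbox" }

# 3. Report the URLs handed out, including the EWS URL checked in section 8.
$account.Protocol | Where-Object { $_.Type -in 'EXCH', 'EXPR' } |
    Select-Object Type, Server, ASUrl, EwsUrl
```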

9. Exchange On-Premise Hybrid server | Public Certificate

  • Verify that the Exchange On-Premise Hybrid server has a Public Certificate (a certificate that was issued by a Public CA).
  • Verify that the Public Certificate has not passed its expiration date.
  • If you use a SAN certificate, verify that the certificate's subject alternative names include all the public host names of the AutoDiscover service, the Exchange On-Premise Hybrid server and so on.
  • Verify that the Public Certificate on the Exchange On-Premise Hybrid server is assigned to the IIS and SMTP services.

Check for more information in the section: 9. Exchange On-Premise Hybrid server | Public Certificate
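
The four certificate checks above can be run in one pass with `Get-ExchangeCertificate`. This is an added example, not part of the original checklist; the host names are placeholders, the 30-day threshold is an assumed value, and `Test-NameCovered` is a hypothetical helper.

```powershell
# Added example; run in the Exchange Management Shell on the hybrid server.
# Host names are placeholders; the 30-day threshold is an assumed value.
$requiredNames = 'mail.example.com', 'autodiscover.example.com'
$minDaysLeft   = 30

# Test-NameCovered is a hypothetical helper: is $Name covered by the cert names?
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($san in $CertNames) {
        if ($san -eq $Name) { return $true }          # -eq ignores case
        # A wildcard stands for exactly one label: *.example.com covers
        # mail.example.com, but not a.b.example.com and not example.com.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)               # ".example.com"
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

Get-ExchangeCertificate | ForEach-Object {
    $cert     = $_
    $services = "$($cert.Services)" -split ',\s*'     # e.g. "IIS, SMTP"
    $sans     = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing  = @($requiredNames | Where-Object { -not (Test-NameCovered $_ $sans) })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $onBoth   = ($services -contains 'IIS') -and ($services -contains 'SMTP')
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer        # confirm by eye that this is a public CA
        SelfSigned   = $cert.IsSelfSigned
        DaysLeft     = $daysLeft
        OnIisAndSmtp = $onBoth
        MissingNames = $missing -join ', '
        Pass         = (-not $cert.IsSelfSigned) -and ($daysLeft -ge $minDaysLeft) -and
                       $onBoth -and ($missing.Count -eq 0)
    }
} | Sort-Object Pass -Descending | Format-List
```

A certificate from an internal CA also shows `SelfSigned = False`, so `Pass` is only meaningful once the `Issuer` column has been checked against a public CA.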

10. Microsoft MFG server and the proof of the ownership process

To be able to create the trust with the Microsoft MFG server, you will need to configure a TXT record in the Public DNS.

  • Verify that you have access (the administrator account) to the Public DNS that “hosts” the organization's public domain name.
  • Verify that the proof of ownership TXT record was created in the Public DNS.

Check for more information in the section: 10. Microsoft MFG server and the proof of the ownership process

11. Direct communication channel | Exchange on-Premises server to Exchange Online

Verify that the On-Premise “End-point” is the Exchange On-Premise Hybrid server
Check for more information in the section: 11. Direct communication channel | Exchange on-Premises server to Exchange Online

Hybrid deployment in Office 365 – Checklist Document | Checklist

To be able to document the different components and infrastructure that are included in the “hybrid deployment in Office 365 Checklist”, I have created a checklist document that you can download and use.
Each of the “sections” includes a form button that will help you to choose the answer for the particular section.

In the following screenshot, we can see an example of the “answer form button” that appears in each of the checklist sections.

Using the Hybrid deployment in Office 365 - Checklist document
o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 2 Comments

  1. Sorry my comment got posted before I could ask the question. If my onprem environment is “domain.local” and I plan on using “domain.com”, what do I set as the internalurl and externalurl on virtual directories and the autodiscoverserviceuri on the hybrid server? How will autodiscover and ews function properly when it is entering the network as “autodiscover.domain.com” or “domain.com/ews/exchange.asmx”? Thanks!
