Exchange Online migration with the Hybrid Agent
Mailbox Migration
When it comes to leveraging the full Office 365 feature set, migrating mailboxes to Exchange Online is one of the greatest challenges. Unlike migrating within an organization, moving to Exchange Online is problematic, because mailboxes are shifted between two separately managed organizations.
This connection between an on-premises Exchange instance and Exchange Online is known as a hybrid connection. Microsoft refers to this connection as the Exchange Modern Hybrid and has extended its Hybrid Configuration Wizard (HCW) with Hybrid Agent (Figure 1) to facilitate the connection. With HCW, Hybrid Agent establishes a connection between the local Exchange and Exchange Online, reducing the requirements for external DNS records, certificate updates, and incoming firewall network connections – all of which made the task complex in the past.
Multiple Choices
Hybrid Agent does not support Hybrid Modern Authentication, which includes, for example, multifactor authentication and authentication with client certificates. If your setup uses Hybrid Modern Authentication, you need to keep on using the classic Exchange Hybrid topology. Additionally, Hybrid Agent does not cover MailTips, Message Tracking, and Multi-Mailbox Search. If your setup uses these functions across the board, again, keep on using the classic model.
Hybrid Agent is constantly being optimized – improvements to the preview were delivered just two months after the first launch. In its first release in February 2019, Hybrid Agent only supported a single installation, which was a big limitation because it offered no redundancy options, free/busy information could not be viewed in an offline scenario, and move actions were not carried out. With the April 2019 updated version, several agents now can be installed in a local organization, and you can now view status information for Hybrid Agent and use Hybrid Agent instead of specific Exchange servers to address load balancers.
Hybrid Agent Preparation
You can install Hybrid Agent either on a standalone server (agent server) or on an Exchange server with the Client Access Server (CAS) role. Exchange 2010 or newer is required. The agent must be installed on Windows Server 2012 R2 or 2016 with .NET Framework 4.6.2 or higher. If Hybrid Agent and Exchange are set up on the same server, you need to ensure compatibility between Exchange and .NET [1] to avoid the use of an unsupported combination. Beyond this, the server only needs to be a domain member and have access to the Internet.
The only required outbound connections are ports 443 and 80; the latter is only used for certificate revocation list checks. The agent communicates with Azure Application Proxy, an Azure proxy service with a client-specific endpoint that leads to your online environment. Free/busy information and mailbox migrations are managed by the Azure Application Proxy. If the agent is not installed on an Exchange server with CAS, you also need to enable ports 5985 and 5986 to the CAS servers so communications actually work. Additionally, all CAS servers need to be able to connect to Office 365 over port 443 to retrieve free/busy information.
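The prerequisites above can be checked from the intended agent host before installation. The following script is an added example, not part of the original article or of Microsoft's script; the host names, the CRL host, and the `-AgentOnCas` switch are placeholders and assumptions to replace with your own values.

```powershell
# Added example: pre-installation check for a Hybrid Agent host.
# All host names are placeholders (assumptions), not values from the article.
param(
    [string[]]$CasServers    = @('cas01.corp.example'),  # hypothetical CAS servers
    [string]  $CloudEndpoint = 'outlook.office365.com',  # assumed representative Office 365 endpoint
    [string]  $CrlEndpoint   = 'crl.example',            # placeholder CRL host, reached on port 80
    [switch]  $AgentOnCas                                # set when the agent runs on a CAS server
)

# .NET Framework 4.6.2 or higher corresponds to a Release value of 394802 or greater.
$ndpKey   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release  = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
$dotNetOk = $release -ge 394802

# Outbound 443 and 80 are always required.
$checks = @(
    [pscustomobject]@{ Target = $CloudEndpoint; Port = 443; Purpose = 'HTTPS to the cloud service' }
    [pscustomobject]@{ Target = $CrlEndpoint;   Port = 80;  Purpose = 'Certificate revocation list check' }
)

# A standalone agent server additionally needs 5985/5986 (WinRM) to every CAS server.
if (-not $AgentOnCas) {
    foreach ($cas in $CasServers) {
        foreach ($port in 5985, 5986) {
            $checks += [pscustomobject]@{ Target = $cas; Port = $port; Purpose = 'WinRM to CAS' }
        }
    }
}

# Test each target/port pair and keep the result for the report.
$results = foreach ($c in $checks) {
    $ok = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $ok }
}

$results | Format-Table -AutoSize
"NET Framework release: $release (4.6.2 or higher: $dotNetOk)"

# Non-zero exit code when any prerequisite is missing, so the check can gate a rollout.
$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0 -or -not $dotNetOk) { exit 1 }
```

Run the same script without `-AgentOnCas` on a standalone agent server, and with `-CasServers` listing every CAS server the agent has to reach.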
Microsoft provides a script [2] for checking the connection settings before installation. Start by integrating the script as follows:
Import-Module .\HybridManagement.psm1
The following call runs the actual test:
Test-HybridConnectivity -testO365Endpoints
For everything to run smoothly, you need to make sure that at least one identical email domain is set up as the accepted domain in each Exchange organization.
Installing the Agent
Hybrid Agent is part of the Office 365 HCW. The installer automatically downloads the latest version of Hybrid Agent in the background. The easiest way to start HCW is in the Exchange Admin Center (EAC) from the Hybrid menu item. HCW (Figure 2) is a click-to-run application that you download directly from Microsoft – the latest version is always launched. To run it, you need to be an Exchange Online global administrator. You can see the HCW version number in the top right corner, and further information is added during the next few steps.
After launching, select a local Exchange server that is configured for the hybrid connection. To continue, the server needs to be licensed. You can also license an Exchange Hybrid server at this point. When using the Hybrid license, no mailboxes can reside on the server. You also need to select the target platform, which is where you enter the location of your online environment – this could be a cloud environment or the standard Microsoft environment.
First, you will be prompted to choose your hybrid configuration. Hybrid Agent is available in two variants: minimal and full. The full Hybrid configuration is primarily intended for long-term coexistence and takes the mail flow, eDiscovery, and sharing of free/busy information into account. Because the minimal configuration is mainly designed to transfer mailboxes to Exchange Online seamlessly, I am selecting the minimal configuration here. If you do not see the Hybrid configuration window, you have already successfully set up a hybrid topology.
Next, you need to check the domain ownership. Verification is similar to domain verification in Office 365: Enter the displayed DNS-TXT record in your DNS zone and confirm ownership. Now select the topology. Hybrid Agent is offered to you as part of the Exchange Modern Hybrid topology, which you can download after confirming.
Once this is done, set up the send and receive connectors. Email traffic is secured by TLS; you need to select a valid certificate for this in the next step. The external hostname must be entered in the certificate; it must be possible to resolve this name externally, and it must be accessible over port 25. Hybrid Agent is not responsible for routing email, only for making the appropriate configurations. You can see the result after completion of the configuration in the EAC under mail flow | connectors.
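Before selecting the certificate in HCW, you can confirm that a usable one exists on the server. The script below is an added example, not part of the original article: it looks in the local machine store for a currently valid certificate with a private key whose names cover the external hostname, then resolves that name through a public resolver. The hostname `mail.contoso.example` and the resolver address are placeholders and assumptions.

```powershell
# Added example: find a certificate that can secure the hybrid connectors.
# The hostname and resolver are placeholders (assumptions); replace them.
param(
    [string]$ExternalName   = 'mail.contoso.example',  # hypothetical external hostname
    [string]$PublicResolver = '1.1.1.1'                # any resolver outside your network
)

# True when a certificate name covers the host. A wildcard is honoured
# only as the complete left-most label (*.contoso.example covers one level).
function Test-NameCoversHost([string]$CertName, [string]$HostName) {
    if ($CertName -eq $HostName) { return $true }      # -eq ignores case for strings
    if ($CertName.StartsWith('*.')) {
        $suffix   = $CertName.Substring(1)             # ".contoso.example"
        $firstDot = $HostName.IndexOf('.')
        return ($firstDot -gt 0) -and ($HostName.Substring($firstDot) -eq $suffix)
    }
    return $false
}

# Candidate certificates: private key present, inside the validity period,
# and at least one DNS name that covers the external hostname.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
    ($cert.DnsNameList | Where-Object { Test-NameCoversHost $_.Unicode $ExternalName })
})

if ($candidates.Count -eq 0) {
    Write-Warning "No valid certificate in LocalMachine\My covers $ExternalName."
} else {
    $candidates | Sort-Object NotAfter -Descending |
        Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize
}

# The name must resolve externally, so ask a resolver outside the organization.
$dns = Resolve-DnsName -Name $ExternalName -Type A -Server $PublicResolver -ErrorAction SilentlyContinue
if ($dns) { "External resolution: $(($dns | Where-Object IPAddress).IPAddress -join ', ')" }
else      { Write-Warning "$ExternalName does not resolve via $PublicResolver." }
```

Reachability of port 25 has to be tested from a host outside your network; a check from the Exchange server itself only proves the listener is running.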
After you have entered the specifications, the corresponding configuration is performed in the Exchange organizations. If all goes well, this completes the hybrid connection between your on-premises Exchange instance and Exchange Online. During the installation, shortcuts are also created on the server; you can use them to restart the HCW in case of changes in your Exchange organization.