Jaa


Office 365 – Hybrid Configuration Wizard (HCW)

Whilst working on a few O365 engagements over the last month or so I have seen various issues that have been caused by on-premise infrastructure/setup and which have not allowed the HCW (which was introduced in Exchange 2010 SP2) to complete successfully. These issues range from not correctly publishing autodiscover to not having the correct patches/updates installed, so I thought I’d share my experiences.

 

HCW Issues:-

I have seen issues with the HCW failing on Get-FederationInformation, this can be caused by various things such as:-

· The customer did not publish the autodiscover endpoints correctly to allow O365 to make federated autodiscover lookups

· There is pre-authentication set on the TMG/ISA or UAG. By connecting to https://autodiscover.company.com/autodiscover/autodiscover.xml for example as shown in Figure 1 - Autodiscover pre-auth authenticating - UAG and Figure 2 - Autodiscover pre-auth authenticating - TMG, you can see that UAG/TMG is prompting for pre-auth instead of the auth being directly on exchange, as shown in Figure 3 - No pre-authentication

clip_image002

Figure 1 - Autodiscover pre-auth authenticating - UAG

clip_image004

Figure 2 - Autodiscover pre-auth authenticating - TMG

clip_image006

Figure 3 - No pre-authentication

· You can also run the command in powershell with the –verbose switch to get more detail, such as get-federationinformation……-verbose

· If you are using TMG you can follow this article for configuring TMG with hybrid setups

· You can also check autodiscover and other O365 endpoints (such as AD FS) have been published and are reachable from the internet using the ExRCA

 

Another issue I have seen is with certificates and as you run through the HCW, under Manage Hybrid Configuration – Mail Flow Security, you are asked to select the certificate that will be used for TLS mail flow between on-prem on and the cloud. If you are using a wildcard cert such as *.company.com then you will need to ensure you are running at least Exchange 2010 SP2 RU1. If you are not running SP2 RU1 then you most probably see an empty box when you get to the certificate page as shown in Figure 4 - HCW certificate blank below.

 

clip_image007

Figure 4 - HCW certificate blank

Of course you need to also ensure the certificate has been installed onto the exchange hybrid server(s) via the EMC or powershell, you can check using get-exchangecertificate from powershell.

Hybrid steps

Below are the detailed steps that run behind the scenes when you start the hybrid wizard:-

 

Create Federation Delegation and Organizational Relationships

Creates a new Delegation Federated Trust to 'Microsoft Federation Gateway'

Creates new 'On Premises to Exchange Online Organization Relationship'

Creates new 'Exchange Online to on premises Organization Relationship'

Enables MRSProxy on the Exchange 2010 Hybrid Servers

Configure the 'On Premises to Exchange Online Organization Relationship' to set:-

MailboxMoveEnabled 'True'

FreeBusyAccessEnabled 'True'

FreeBusyAccessLevel 'LimitedDetails' –

ArchiveAccessEnabled 'True'

MailTipsAccessEnabled 'True'

MailTipsAccessLevel 'All'

DeliveryReportEnabled 'True'

TargetOwaURL 'https://outlook.com/owa/<company.com>

Configure the 'Exchange Online to on premises Organization Relationship' to set:-

FreeBusyAccessEnabled 'True'

FreeBusyAccessLevel 'LimitedDetails'

MailTipsAccessEnabled 'True'

MailTipsAccessLevel 'All'

DeliveryReportEnabled 'True'

Create Send and Receive Connectors

HCW creates a new On Premise Send Connector -Name 'Outbound to Office 365' and below is the full output from the send connector created by the HCW:-

 

AddressSpaces : {smtp:TenantName.mail.onmicrosoft.com;1}

AuthenticationCredential :

Comment :

ConnectedDomains : {}

ConnectionInactivityTimeOut : 00:10:00

DNSRoutingEnabled : True

DomainSecureEnabled : False

Enabled : True

ErrorPolicies : DowngradeAuthFailures

ForceHELO : False

Fqdn : Company.com

HomeMTA : Microsoft MTA

HomeMtaServerId : ServerName

Identity : Outbound to Office 365

IgnoreSTARTTLS : False

IsScopedConnector : False

IsSmtpConnector : True

LinkedReceiveConnector :

MaxMessageSize : 10 MB (You can increase from 10MB which is the default in 2007 and 2010 to 25MB which is set in the service)

Name : Outbound to Office 365

Port : 25

ProtocolLoggingLevel : None

RequireOorg : False

RequireTLS : True

SmartHostAuthMechanism : None

SmartHosts : {}

SmartHostsString :

SmtpMaxMessagesPerConnection : 20

SourceIPAddress : 0.0.0.0

SourceRoutingGroup : Exchange Routing Group (DWBGZMFD01QNBJR)

SourceTransportServers : {ServerName}

TlsAuthLevel : DomainValidation

TlsDomain : outlook.com

UseExternalDNSServersEnabled : False

 

 

HCW creates a new On Premise Receive Connector 'Inbound from Office 365' on each of the Hybrid HT servers and below is the full output from the receive connector created by the HCW:-

 

AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS

Banner :

BinaryMimeEnabled : True

Bindings : {LocalIP:25}

ChunkingEnabled : True

DefaultDomain :

DeliveryStatusNotificationEnabled : True

EightBitMimeEnabled : True

BareLinefeedRejectionEnabled : False

DomainSecureEnabled : False

EnhancedStatusCodesEnabled : True

LongAddressesEnabled : False

OrarEnabled : False

SuppressXAnonymousTls : False

AdvertiseClientSettings : False

Fqdn : Company.com

Comment :

Enabled : True

ConnectionTimeout : 00:10:00

ConnectionInactivityTimeout : 00:05:00

MessageRateLimit : unlimited

MessageRateSource : IPAddress

MaxInboundConnection : 5000

MaxInboundConnectionPerSource : 20

MaxInboundConnectionPercentagePerSource : 2

MaxHeaderSize : 64 KB (65,536 bytes)

MaxHopCount : 60

MaxLocalHopCount : 12

MaxLogonFailures : 3

MaxMessageSize : 28 MB (29,360,128 bytes)

MaxProtocolErrors : 5

MaxRecipientsPerMessage : 200

PermissionGroups : AnonymousUsers

PipeliningEnabled : True

ProtocolLoggingLevel : None

RemoteIPRanges : {RemoteIP Ranges}

RequireEHLODomain : False

RequireTLS : True

EnableAuthGSSAPI : False

ExtendedProtectionPolicy : None

LiveCredentialEnabled : False

TlsDomainCapabilities : {outlook.com:AcceptOorgProtocol}

Server : LocalServerName

SizeEnabled : Enabled

TarpitInterval : 00:00:05

MaxAcknowledgementDelay : 00:00:30

AdminDisplayName :

ExchangeVersion : 0.1 (8.0.535.0)

Name : Inbound from Office 365

DistinguishedName : CN=Inbound from Office 365,CN=SMTP Receive Connectors,CN=Protocols,etc…

Identity : LocalServerName\Inbound from Office 365

Guid : 9feef51e-1bd9-4aa4-9202-0614a1fcc0dd

ObjectCategory : company.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector

ObjectClass : {top, msExchSmtpReceiveConnector}

OriginatingServer : ServerName

IsValid : True

 

There are also some connectors created in Forefront Online Protection for Exchange (FOPE). The connector created in FOPE will be called ‘Hybrid Mail Flow Inbound Connector’ and will have the following settings (assuming you are routing mail back on-premise):-

Description: The Hybrid Mail Flow inbound connector was created when hybrid mail flow was configured. This connector cannot be modified.
Sender Domains: *.*
Sender IP Addresses:
Transport Layer Security (TLS) Settings: Forced TLS, and certificate matches specified domain

The recipient certificate matches: mail.company.com

Filtering Settings: Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above
IP Reputation Filtering: Disabled
Spam Filtering: Disabled
Policy Rules: Disabled

 

The other connector created in FOPE will be called ‘Hybrid Mail Flow Outbound Connector’ and will have the following settings:-

Description: The Hybrid Mail Flow outbound connector was created when hybrid mail flow was configured. This connector cannot be modified.
Recipient Domains: mail.company.com,*.*
Message Delivery Settings:

Fully Qualified Domain Name: mail.company.com

Transport Layer Security (TLS) Settings: Forced TLS, and certificate matches specified domain

The recipient certificate matches: mail.company.com

 

Create Remote Domains

Create new Remote Domain 'Hybrid Domain – company.com' set with:-

TrustedMailInbound 'True'

Create new Remote Domain 'Hybrid Domain - TenantName.mail.onmicrosoft.com' set with:-

 TrustedMailOutbound 'True'

TargetDeliveryDomain 'True'

AllowedOOFType 'InternalLegacy'

AutoReplyEnabled 'True'

AutoForwardEnabled 'True'

DeliveryReportEnabled 'True'

DisplaySenderName 'True'

NDREnabled 'True'

TNEFEnabled 'True'

Create new Remote Domain 'Hybrid Domain - mail.company.com '

DomainName 'mail.company.com'

TrustedMailInbound 'True

Setup Hybrid Mailflow

Set Hybrid Mailflow to:-

SecureMailEnabled 'True'

CentralizedTransportEnabled 'True'

OnPremisesFQDN 'mail.company.com '

CertificateSubject 'mail.company.com '

InboundIPs <>

OutboundDomains <>

 

 Set Address Policies

Update Default Recipient Policy to add <alias>@TenantName.mail.microsoft.com

Apply the updated Default Recipient Policy immediately

 

 

Written by Daniel Kenyon-Smith

Comments