Decommissioning Exchange Hybrid Servers – Think again…

Recently I have been asked on a number of occasions “now that we have migrated all mailboxes to Exchange Online, when is a good time to decommission our Exchange Hybrid server?”.

Often I see customers who have already established a hybrid and moved their mailboxes to Office 365 assume that they can simply decommission the on-premises Exchange server. I'm afraid it's not that simple! The Exchange Hybrid server is still providing a lot more functionality than you may realise. There's never a good time to do it; however, you will need to consider all of the key points below before achieving a "full cloud" model for Exchange:

Secure Mail Transport to Office 365:
Whilst in Hybrid, the Exchange Hybrid server has connectors that are set up to route mail to Exchange Online using Transport Layer Security (TLS), providing a secure way to send mail between the environments. If the Exchange Hybrid server is removed, there needs to be another way to secure mail transport between the environments. Whilst this is possible using a virtual SMTP server (see: ), it does not provide a familiar set of tools to monitor transport and Message Trace functions, nor does it negate the fact that you still need a server to relay over TLS. So why would you get rid of the Exchange Hybrid server?
It is also possible to set up devices to use Direct Send (see: ) to Exchange Online; however, some devices may not support TLS and will therefore compromise the secure mail transport to Exchange Online.
In my opinion, it’s better to stick with the Exchange Hybrid server, as this uses a familiar IP address that devices can send mail to, provides the monitoring tools and can secure the mail between on-premises and Exchange Online using TLS.
Management of Mail attributes:
Managing mail attributes using the Exchange tools is rather easy: you can add, remove or change mail attributes using the familiar tools that Exchange provides. The only ways of administering mail attributes without an Exchange server would be third-party tools, ADSI Edit or PowerShell, which can be rather daunting unless you are familiar with those tools.
It’s just easier to use the Exchange Tools in this circumstance.
Multi-function Devices (scan to email):
Most Multi-function Devices (MFDs) have the ability to send mail, such as the scan to email function; however, as mentioned above, some MFDs may not support TLS, which is required to secure the transport to Exchange Online. Without TLS you are compromising email security.
Line-of-Business Apps:
Line-of-Business (LoB) apps, such as the alerts generated by backup software, need to be set up to route emails to an SMTP server within the LoB app's mail configuration; however, not all apps support using a hostname or TLS, which is needed to use the aforementioned Direct Send feature to Exchange Online. Often only an IP address can be entered into the LoB app, which means you need to relay the mail through an SMTP server that then applies TLS to Exchange Online. So again, why would you get rid of the Exchange Hybrid server?
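Before deciding anything, it helps to see what the hybrid server is actually doing today. The following Exchange Management Shell snippet is an added example (not part of the original post): it checks that the connectors to Exchange Online still enforce TLS, lists the anonymous-relay receive connectors that MFDs and LoB apps depend on, summarises which client IPs have relayed mail through the server in the last week, and shows the familiar Exchange way of editing a mail attribute. The mailbox and proxy address in step 4 are placeholder values.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the hybrid server. Connector names follow whatever the Hybrid
# Configuration Wizard created in your environment; nothing here assumes them.

# 1. Confirm the send connectors towards Exchange Online still require TLS.
#    RequireTLS should be True and TlsAuthLevel/TlsDomain should be set for
#    the connector whose SmartHosts point at Exchange Online Protection.
Get-SendConnector |
    Select-Object Name, Enabled, RequireTLS, TlsAuthLevel, TlsDomain, SmartHosts |
    Format-List

# 2. Find receive connectors that accept anonymous relay. These are the entry
#    points MFDs and LoB apps use; RemoteIPRanges tells you which devices would
#    have to be re-pointed, and RequireTLS shows whether they submit over TLS.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Select-Object Name, Bindings, RemoteIPRanges, RequireTLS, AuthMechanism |
    Format-List

# 3. Summarise what actually submitted mail over SMTP in the last 7 days,
#    grouped by client IP, so no device or app is forgotten in the inventory.
$since = (Get-Date).AddDays(-7)
Get-MessageTrackingLog -Start $since -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Mail attributes are still edited with the Exchange tools rather than
#    ADSI Edit. Placeholder identity and address; replace with your own.
Set-RemoteMailbox -Identity 'user@example.com' `
    -EmailAddresses @{ Add = 'smtp:alias@example.com' }
```

Step 3 reads the local message tracking logs, so run it on each on-premises transport server if you have more than one.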

Currently, the only reason I see to consider decommissioning the Exchange Hybrid server is when the product becomes unsupported by Microsoft, at which point you would need to upgrade the Exchange Hybrid server to a supported level, therefore allowing the legacy Exchange Hybrid server to be decommissioned.

On the subject of upgrades, Microsoft has recently released an article (see: ) regarding the end of support for Exchange 2010 in January 2020, so I recommend you start looking at upgrading Exchange 2010 Hybrid servers to a supported level as soon as possible and before this date.


By Randolph Graham

UC Consultant at risual Ltd

#Microsoft #Exchange #ExchangeHybrid #ExchangeHybridDecommission #ExchangeTLS #Office365 #Blog #risualBlog #BeTheDifference
