Exchange “Modern” Hybrid

Microsoft announced at Ignite that a new Hybrid connection method was in the works. This new “agent” is based on Azure AD Application Proxy technology and does not require any ports to be opened inbound for it to work. Well, three days ago this new topology was released to Public Preview, and with it came a few new pieces of information. Below I have highlighted what I think are the important things to take away. A link to the full blog post is below.

  • You cannot configure Exchange “Modern” Hybrid if you already have an Exchange Hybrid connection in place. It is currently unknown whether you can remove your existing Exchange Hybrid connection and recreate it with the Modern topology.
  • HTTPS traffic does not need to be opened inbound, however, SMTP traffic does not traverse the Hybrid agent and still has to go direct to your Exchange server (or Edge server if it needs to be terminated in the DMZ).
  • HTTPS traffic will not require a TLS certificate, but SMTP traffic will. The upside is that you may be able to get a cheaper certificate, as you will only need the one certificate name and the certificate is for SMTP only. Internal certificates could be used on the IIS service if you do not currently use third-party certificates on-premises.
  • MailTips, Message Tracking and Multi-Mailbox Search do not traverse the Hybrid Agent.
  • Only one agent can be configured at a time. Microsoft are hoping to support multiple agents in the future.
  • There is a single point of failure in the server with the agent installed. If it goes down, free/busy and mailbox moves will stop working.
  • You can install the agent onto a member server of the domain, as long as it’s running Windows Server 2012 R2 or 2016.
  • The Hybrid Agent is supported with Exchange 2010, 2013, 2016 and 2019 and can be installed on a CAS server if preferred. For those running Exchange 2010, you will have to build a new server on Windows Server 2012 R2, which will be supported when Update Rollup 26 for Exchange 2010 SP3 is released.
  • You cannot use Modern Hybrid with Hybrid Modern Authentication.

So the Modern Hybrid approach looks like a great option, but there are limitations to consider. It’s important to note this is only in preview, and as we know with Office 365 services, things can change very quickly.


Full blog post is here:

