Exchange Modern Hybrid (Hybrid Agent)

Running the Hybrid Configuration wizard recently I came across the option to choose “Exchange Modern Hybrid Topology”.

There has been plenty of times I have come across a customer who haven’t published their Exchange to the internet and as such didn’t require a trusted 3rd party SSL or inbound firewall ports open and configured .

The modern hybrid option can be chosen with the Minimal and Full Hybrid Configuration install.

As its still in preview I decided to check this out in my lab and was pleasantly surprised with how easy the agent was to install.

MRS Proxy still needs to be enabled on the Exchange server(s) but the Hybrid Agent publishes the Exchange on-premises environment to Exchange Online to support Free/busy and mailbox migrations. This removes the customer previously having to setup external DNS, publishing of EWS and inbound connections ports having to be opened. When I ran the mailbox migration I could see that it created a tenant endpoint for the mailbox migrations.

You require the following prerequisites for the agent server:

  • Ports to be opened outbound are HTTPS (TCP) 443 and 80, as shown here.
  • The agent machine must be able to connect HTTPS (TCP) 443, 80, 5985 and 5986 to the target CAS selected in the Hybrid Configuration Wizard.
  • The machine hosting the Hybrid Agent install must be able to establish outbound HTTPS connections to the internet, and HTTPS and Remote PowerShell (RPS) connections to the CAS chosen for hybrid configuration.
  • The machine hosting the Hybrid Agent should be running Windows Server 2012 R2 or 2016, with .NET Framework 4.6.2 (or later, as supported by the Exchange version you are installing on) installed.
  • The machine where the Hybrid Agent is installed must be able to communicate with a Domain Controller to authenticate your on-premises Exchange Org admin credentials. This means that the machine must be domain joined.
  • Installation must be done using a local machine administrator account and will require tenant global administrator credentials for registering the connector.
  • TLS 1.2 must be enabled on the machine where the Hybrid Agent is installed

At present SMTP mail flow is not included in the Hybrid Agent and will still require a public certificate for mail flow between Office 365 and on-premises and public preview only supports a single Hybrid Agent install for the Exchange Organization so there is no high availability.

I am very excited about the Modern Hybrid option. At present there are few capabilities missing but is still in preview. This is step in the right direction to potentially remove the complicated requirements for a customer to migrate to Exchange Online.


About the author