Microsoft Exchange Hybrid Agent

Microsoft Exchange Hybrid Agent – New method available for email migrations

Exchange Hybrid environments have been around for years and continue to be the primary method to migrate mailboxes to Office 365 Exchange Online. However, with each new deployment comes a similar set of challenges that can significantly delay migrations due to impact to the production environment including,

Adding additional servers to environment
Additional firewall rules exposing more areas to the Internet
External DNS entries
Public Certificates
Load Balancer configurations (SSL Offloading)
- MRSProxy does not support SSL Offloading

To solve these recurring challenges, Microsoft has created the Microsoft Exchange Hybrid Agent. This agent is built on the same technology as the Azure Application Proxy, which utilizes Azure as a reverse proxy to process external traffic through a secure inbound TLS connection using the agent. All firewall requirements are for outbound connections only. Therefore, using this agent, you bypass existing network configurations, including firewall and/or load balancers. The hybrid agent is only used for mailbox migrations and Free/Busy requests. All other hybrid capabilities, including mail flow, are not included in the agent and function separately as they do in a traditional hybrid deployment.

The hybrid agent is installed using the same Hybrid Configuration Wizard for a traditional hybrid deployment. You can install the agent on a standalone server, or it can also be installed on an existing Exchange 2010 or later server with the CAS role installed.

Prerequisites

The computer it’s installed on needs to be:
- Running Windows Server 2012 R2 or 2016 with .NET Framework 4.6.2 (or later, as supported by the Exchange version you are installing on)
- Active Directory domain-joined
- TLS 1.2 enabled
Firewall Requirements
- Capable of establishing outbound HTTPS connections to the Internet
  - Outbound TCP Ports 80 and 443
- Capable of establishing HTTPS and remote PowerShell connections to the Client Access Server (CAS) chosen for hybrid configuration.
  - TCP ports 80, 443, 5985, and 5986
- All CAS servers must be able to reach outbound HTTPS (TCP 443) Office 365 Endpoints for Free/Busy requests
  - These requests do not use the Hybrid agent
- Use a browser, like Microsoft Edge, that supports ClickOnce technology.
- Administrative Permissions
  - On-Premises:
    - Be a member of the Organization Management role group in your on-premises Exchange organization
    - Be a member of the local Administrators group on the computer where you’re installing the Hybrid agent.
  - Office 365
    - The account you use to connect to your Office 365 tenant must be a Global Administrator.
  - Enable MRSProxy
    - Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true

Adding additional servers to environment
Additional firewall rules exposing more areas to the Internet
External DNS entries
Public Certificates
Load Balancer configurations (SSL Offloading)
- MRSProxy does not support SSL Offloading

Deployment

The deployment of the Hybrid agent is almost the same as a traditional Exchange Hybrid configuration. You still use the Hybrid Configuration Wizard to perform the agent installation. Once you run the HCW, you still connect to Exchange On-premises and Online environments, choose Full or Minimal Hybrid configuration, setup Federation, but there will be a new screen shown below. Select Use Exchange Modern Hybrid Topology to deploy the agent.

This process can take a few minutes, but follows this process:

Downloads and Installs the agent on the local computer
Registers the agent in Azure. Creates a URL in the format of resource.mailboxmigration.his.msappproxy.net
Tests connectivity from Office 365 to your on-premises Exchange environment via the agent

Assuming the installation succeeds, the rest of the HCW is exactly the same as a traditional hybrid deployment. The HCW will create a Migration Endpoint using the custom URL and will set the TargetSharingEpr as well, both on the Office 365 side. Once complete, you can verify the service is running in the Services console.

You can now begin migrating your mailboxes to the cloud using the same commands or processes as a traditional hybrid, just select the correct Migration Endpoint. You can test the availability at any time with the following command where the credentials are for your on-premises environment:

Test-MigrationServerAvailability -ExchangeRemoteMove: $true -RemoteServer ‘<GUID>.resource.mailboxmigration.his.msappproxy.net’ -Credentials (Get-Credential)

Limitations

With new technology also comes additional issues to consider. They are as follows:

In preview as of this writing
Hybrid Modern Authentication not supported
MailTips, Message Tracking, and Multi-mailbox search not supported
Single Agent only, redundancy not available yet.
- If offline, Free/Busy lookups (cloud to on-prem) and mailbox migrations won’t work
- Registers with a single CAS server.
- Can be reinstalled or registered to a different CAS in the event of failure using HCW

This deployment option is available for new hybrid configurations. If you have already established a hybrid configuration (Full or Minimal), this option will not be available. Ideally, this deployment method seems well suited for customers with short-term migration goals (under 6 months). Hybrid deployments meant for long-term or indefinite hybrid environments should configure the traditional hybrid deployment. This may change depending on any feature updates for General Availability.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Managed IT Services

IT Management Solutions​

Cloud Management Solutions​

Backup & Disaster Recovery

Managed Security​

Strengthen Security

Data Security

Threat Detection & Response​

Risk Management

Secure Connectivity

Accelerate with AI​

AI Solutions​

Generative AI​

Intelligent Analytics​

App Development

Improve Collaboration​

Collaboration Tools​

Unified Communications​

Modernize Infrastructure​

Hybrid Cloud

Networking

Data Center​

Optimize Cloud Operations​

Azure Infrastructure & Platforms​

Virtual Desktop​

Data Protection​

Drive Decisions with Data​

Data Architecture

Data Engineering

Insight & Analytics​

Transform Your Business

Organizational Change Management​

Strategic Advisory Services​

Licensing Optimization

Quick Links

Our Strategic Advantage

Customer Success Stories

Schedule a Consultation

Support Hub

Submit a Support Request

Contact Us

Page Links

Contacts

IT Management Solutions

Cloud Management Solutions

Managed Security

Threat Detection & Response

Accelerate with AI

AI Solutions

Generative AI

Intelligent Analytics

Improve Collaboration

Collaboration Tools

Unified Communications

Modernize Infrastructure

Data Center

Optimize Cloud Operations

Azure Infrastructure & Platforms

Virtual Desktop

Data Protection

Drive Decisions with Data

Insight & Analytics

Organizational Change Management

Strategic Advisory Services