Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE)
_Applies to: Office 365 Enterprise, Live@edu_
In the shared address space with on-premises relay scenario (MX points to FOPE), you host some of your mailboxes in the cloud and some on-premises, and your MX record points to Forefront Online Protection for Exchange (FOPE). This scenario is appropriate when you use the Microsoft Office 365 service to host some of your organization’s mailboxes and you want FOPE to protect both your on-premises and cloud mailboxes. Specifically, in this scenario, mail sent to recipients within your organization is initially routed through FOPE, where spam and policy filtering occurs, before it reaches your on-premises mailboxes and cloud mailboxes.
When you use Microsoft Office 365, your Microsoft Exchange Online hosted mailboxes are automatically provisioned with FOPE. You must configure FOPE connectors to control how mail is routed in the various mail-flow scenarios (inbound, outbound, and intra-organizational). You must also configure on-premises Exchange server settings and Exchange Online data center server settings in order to successfully implement this scenario. This topic provides diagrams that show how the mail-flow scenarios work, followed by configuration procedures.
This scenario requires an on-premises hybrid server running Exchange Server 2010 SP1 or later. A hybrid server coordinates communication between your existing on-premises Exchange organization and your cloud-based organization. Hybrid Deployments provides more information regarding hybrid deployments, including checklists for configuring a hybrid deployment between an on-premises Exchange server and Office 365 for enterprises.
Additionally, this topic assumes that your on-premises mailboxes are protected with FOPE standalone. Feature Set Comparison for FOPE Deployments explains the features available for various Microsoft email hosting products.
For inbound email (mail sent from outside the organization to recipients inside the organization), the scenario is as follows:
In this example, Contoso has an on-premises solution for email, and they use FOPE to inspect all inbound mail. After purchasing Exchange Online with FOPE as part of the Office 365 service, Contoso migrates some mailboxes to the cloud (Exchange Online). However, given the compliance rules for some of their email, such as the legal department’s, Contoso keeps some of their mailboxes on-premises. This enables them to maintain more control over their mail flow and to continue to take advantage of their existing on-premises infrastructure. FOPE is configured by use of an inbound connector and on-premises mail servers are configured by using a send connector and a receive connector.
When the recipient’s mailbox is hosted on premises, each inbound message is processed by FOPE, as directed by the MX record. FOPE performs spam removal, virus scanning, and custom filtering. If a message fails inspection, FOPE performs actions on the message, depending on configuration settings set by the organization. After inspection, FOPE directs email to the on-premises server, where additional filtering may occur. Subsequently, the message is delivered to the intended recipient.
When email is sent inbound from an external Internet source to a Contoso user whose mail is hosted in the Office 365 cloud hosting service, it is delivered to FOPE and subsequently to the on-premises server like all inbound mail. Following that, each message is stamped and redirected back to FOPE, where it is forwarded to the recipient’s mailbox at the Office 365 cloud hosting service.
When sending email outbound from the Office 365 cloud hosting service or on premises, the scenario is as follows:
In this example, an email message is sent outbound from a Contoso cloud user to an external Internet address. Before the message is sent, Forefront Protection 2010 for Exchange Server scanning is performed on the message on the Exchange Online mail hubs. Following this, Exchange Online sends the message to FOPE, which performs filtering operations on the message, depending on the customer’s configuration settings. FOPE then sends the email to the on-premises server, which can optionally perform its own custom processing on the message before it returns the stamped message to FOPE. Subsequently, FOPE performs full outbound scanning and filtering on the message before it is delivered to the Internet and to its recipient.
If an outbound mail message is sent from an on-premises mailbox, the message is processed on the on-premises server, then sent to FOPE, where full scanning and processing occurs, and finally delivered to the Internet and to its recipient.
For intra-organizational email (both the sender and the recipient are in the same organization), the scenario is as follows:
In this example, an email message is sent from a Contoso user whose mail is hosted in the Office 365 cloud hosting service to an on-premises Contoso user. The Office 365 mailbox sends the email to FOPE, where it is processed. In this case, virus scanning is disabled by default, and filtering operations may be performed according to each customer’s policy-filtering settings. After processing, the message is delivered to the recipient’s on-premises mailbox.
If the message is traveling from an on-premises sender to a recipient whose mailbox is hosted by the Office 365 cloud hosting service, FOPE processing is dependent on each customer’s FOPE inbound connector settings.
TLS can be used to protect messages traveling from Office 365 to the on-premises mailboxes. See Configuring the FOPE Connectors for a Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE).
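To confirm that delivered mail actually followed the paths described above, and did not reach a mailbox server without passing through FOPE, you can compare a message's Received headers against the expected hop sequence. The following is an added example, not part of the original topic or of any Microsoft tooling; the host suffixes, scenario names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumed host suffixes for each role (constructed names, not real FOPE hosts).
ROLES = {".fope.example": "FOPE", ".corp.contoso.example": "ONPREM",
         ".exo.example": "CLOUD"}
# Hop sequences this page describes, in travel order.
EXPECTED = {
    "inbound_to_onprem": ["INTERNET", "FOPE", "ONPREM"],
    "inbound_to_cloud": ["INTERNET", "FOPE", "ONPREM", "FOPE", "CLOUD"],
    "cloud_to_onprem": ["CLOUD", "FOPE", "ONPREM"],
}
RECEIVED = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)

def role(host):
    """Map a relay host name to its role; unknown hosts count as INTERNET."""
    host = host.lower().rstrip(".;")
    return next((r for sfx, r in ROLES.items() if host.endswith(sfx)), "INTERNET")

def hop_path(raw):
    """Return roles in travel order (Received headers are stored newest first)."""
    path = []
    for header in reversed(message_from_string(raw).get_all("Received", [])):
        m = RECEIVED.search(header)
        for r in (map(role, m.groups()) if m else ()):
            if not path or path[-1] != r:  # collapse hops inside one role
                path.append(r)
    return path

def check(raw, scenario):
    """Return (matches_expected_path, observed_path) for the given scenario."""
    path = hop_path(raw)
    return path == EXPECTED[scenario], path

# Constructed samples (newest Received header first, as in a real message).
VIA_FOPE = (
    "Received: from gw2.fope.example by hub1.exo.example with ESMTPS; 1 Jan 2012 10:00:04 +0000\n"
    "Received: from hybrid1.corp.contoso.example by gw2.fope.example with ESMTPS; 1 Jan 2012 10:00:03 +0000\n"
    "Received: from gw1.fope.example by hybrid1.corp.contoso.example with ESMTPS; 1 Jan 2012 10:00:02 +0000\n"
    "Received: from mail.sender.example by gw1.fope.example with ESMTP; 1 Jan 2012 10:00:01 +0000\n"
    "Subject: constructed sample\n\nbody\n")
BYPASS = (  # delivered straight to the on-premises server, skipping FOPE
    "Received: from mail.sender.example by hybrid1.corp.contoso.example with ESMTP; 1 Jan 2012 10:00:01 +0000\n"
    "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    print(check(VIA_FOPE, "inbound_to_cloud"))
    print(check(BYPASS, "inbound_to_onprem"))
```

Received lines written before the first hop you control are supplied by the sender, so treat a match as a consistency check rather than proof of the path taken.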
Configuring a Shared Address Space with On-Premises Relay Scenario (MX Points to FOPE)
If you are using Exchange Server, we highly recommend that you use the Exchange Deployment Assistant (EDA) to perform your hybrid deployment and recommend that you run Microsoft Exchange Server 2010 Service Pack 2 (SP2) on your hybrid server. When you follow this process, your FOPE connectors are automatically created and configured.
For end-to-end guidance in configuring this shared address space with on-premises relay scenario, use the Exchange Deployment Assistant and specify the following initial parameter values:
On the opening page, select Hybrid (On-Premises + Cloud).
Select your current on-premises Exchange version.
Make sure that you select No for the question Do you want to configure an Exchange Online Archiving-ONLY deployment, and then click the Next arrow.
On the next page, make sure that you select No for question 2, Do you want to route inbound mail for both your on-premises and Exchange Online mailboxes through your on-premises organization?
Answer Yes or No to question 3, depending on your messaging needs.
Make sure that you select Yes for question 4, Do you already use Forefront Online Protection for Exchange to protect your on-premises mailboxes?
The wizard will generate a checklist that explains how to set up a functioning hybrid deployment where the MX record points to FOPE.
Follow the checklist that the Exchange Deployment Assistant provides. Note that the configuration steps that directly tie into the mail flow diagrams above are included in the Create and configure hybrid deployment section.
For more information about how to manually perform these configuration steps, see the following topics: