Transport options in Exchange 2013/Exchange 2010 hybrid deployments

In hybrid deployments, you can have mailboxes that reside in your on-premises Exchange organization and also in an Exchange Online organization. A critical component of making these two separate organizations appear as one combined organization to users and messages exchanged between them is hybrid transport. With hybrid transport, messages sent between recipients in either organization are authenticated, encrypted, and transferred using Transport Layer Security (TLS), and appear as "internal" to Exchange components such as transport rules, journaling, and anti-spam policies. Hybrid transport is automatically configured by the Hybrid Configuration wizard in Exchange 2013.

For hybrid transport configuration to work with the Hybrid Configuration wizard, the on-premises SMTP endpoint that accepts connections from Microsoft Exchange Online Protection (EOP), which handles transport for the Exchange Online organization, must be an Exchange 2013 Client Access server, an Exchange 2013 Edge Transport server, or an Exchange Server 2010 SP3 Edge Transport server.

Important

There can be no other SMTP hosts or services between the on-premises Exchange 2013 Client Access servers or an Exchange 2013/Exchange 2010 SP3 Edge Transport server and EOP. Information added to messages that enables hybrid transport features is removed when they pass through a non-Exchange 2013 server, pre-Exchange 2010 SP3 servers, or an SMTP host. If you have any Exchange 2010 SP2 Edge Transport servers deployed in your organization, and you want to use them for hybrid transport, they must be upgraded to Exchange 2010 SP3.

Inbound messages sent to recipients in both organizations from external Internet senders follow a common inbound route. Outbound messages sent from the organizations to external Internet recipients can either follow a common outbound route or can be sent via independent routes.

You'll need to choose how to route inbound and outbound mail when you plan and configure your hybrid deployment. The route taken by inbound and outbound messages sent to and from recipients in the on-premises and Exchange Online organizations depends on the following:

  • Do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes through Microsoft Office 365 and EOP or through your on-premises organization?

    You can choose to route inbound Internet mail for both organizations through your on-premises organization or through EOP and the Exchange Online organization. The route that inbound messages for both organizations take depends on whether you enable centralized mail transport in your hybrid deployment.

  • Do you want to route outbound mail to external recipients from your Exchange Online organization through your on-premises organization (centralized mail transport), or do you want to route it directly to the Internet?

    Known as centralized mail transport, you can route all mail from mailboxes in the Exchange Online organization through the on-premises organization before it's delivered to the Internet. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. Alternately, you can configure Exchange Online to deliver messages for external recipients directly to the Internet.

    Note

    Centralized mail transport is only recommended for organizations with specific compliance-related transport needs. Our recommendation for typical Exchange organizations is not to enable centralized mail transport.

  • Do you want to deploy an Edge Transport server in your on-premises organization?

    If you don't want to expose your domain-joined internal Exchange 2013 servers directly to the Internet, you can deploy Exchange 2013 Edge Transport servers or Exchange 2010 SP3 Edge Transport servers in your perimeter network. For more information about adding an Edge Transport server to your hybrid deployment, see Edge Transport servers in Exchange 2013/Exchange 2010 hybrid deployments.

Regardless of how you route messages to and from the Internet, all messages sent between the on-premises and Exchange Online organizations are sent using secure transport. For more information, see Trusted communication later in this topic.

To learn more about how these options affect message routing in your organization, see Transport routing in Exchange 2013/Exchange 2010 hybrid deployments.

Exchange Online Protection in hybrid deployments

EOP is an online service provided by Microsoft that's used by many companies to protect their on-premises organizations from viruses, spam, phishing scams, and policy violations. In Office 365, EOP is used to protect Exchange Online organizations from the same threats. When you sign up for Office 365, an EOP company is automatically created that's tied to your Exchange Online organization.

An EOP company contains several of the mail transport settings that can be configured for your Exchange Online organization. You can specify which SMTP domains must come from specific IP addresses, require TLS and a Secure Sockets Layer (SSL) certificate, can bypass compliance policies, and more. EOP is the front door to your Exchange Online organization. All messages, regardless of their origin, must pass through EOP before they reach mailboxes in your Exchange Online organization. And, all messages sent from your Exchange Online organization must go through EOP before they reach the Internet.

When you configure a hybrid deployment with the Hybrid Configuration wizard, all transport settings are automatically configured in your on-premises organization and in the EOP company included in your Exchange Online organization. The Hybrid Configuration wizard configures all inbound and outbound connectors and other settings in this EOP company to secure messages sent between the on-premises and Exchange Online organizations and route messages to the right destination. If you want to configure custom transport settings for your Exchange Online organization, you'll configure them in this EOP company also.

Trusted communication

To help protect recipients in both the on-premises and Exchange Online organizations, and to help ensure that messages sent between the organizations aren't intercepted and read, transport between the on-premises organization and EOP is configured to use forced TLS. TLS transport uses Secure Sockets Layer (SSL) certificates provided by a trusted third-party certificate authority (CA). Messages between EOP and the Exchange Online organization also use TLS.

When using forced TLS transport, the sending and receiving servers examine the certificate configured on the other server. The subject name, or one of the subject alternative names (SANs), configured on the certificate must match the FQDN that an administrator has explicitly specified on the other server. For example, if EOP is configured to accept and secure messages sent from the mail.contoso.com FQDN, the sending on-premises Client Access or Edge Transport server must have an SSL certificate with mail.contoso.com in either the subject name or SAN. If this requirement isn't met, the connection is refused by EOP.

Note

The FQDN used doesn't need to match the email domain name of the recipients. The only requirement is that the FQDN in the certificate subject name or SAN must match the FQDN that the receiving or sending servers are configured to accept.
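The subject/SAN matching rule described above, written out as a standalone check that an administrator can run against a certificate before relying on forced TLS. This is an added example, not code from the original topic or from Exchange; it works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns after STARTTLS, and the sample certificate and the function names are constructed for illustration.

```python
import ssl
import time


def cert_names(cert):
    """Collect the names the forced-TLS rule compares against the connector
    FQDN: the subject commonName plus every DNS entry in subjectAltName."""
    names = []
    for rdn in cert.get("subject", ()):          # subject is a tuple of RDNs
        for key, value in rdn:                   # each RDN is (key, value) pairs
            if key == "commonName":
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    return names


def check_tls_certificate(cert, configured_fqdn, now=None):
    """Return (accepted, reason).

    Mirrors the rule on this page: the FQDN explicitly specified on the
    connector must appear as the certificate subject name or as one of its
    SANs; the recipients' e-mail domain plays no part. Only an exact,
    case-insensitive match is accepted here (wildcard handling is not
    assumed). An expired certificate is also rejected, since the TLS
    handshake itself would fail on it.
    """
    fqdn = configured_fqdn.lower()
    names = cert_names(cert)
    if fqdn not in names:
        return False, f"{configured_fqdn} is not in subject/SAN {names}; EOP would refuse the connection"
    not_after = cert.get("notAfter")
    if not_after:
        expiry = ssl.cert_time_to_seconds(not_after)
        current = now if now is not None else time.time()
        if current > expiry:
            return False, f"certificate expired at {not_after}"
    return True, f"{configured_fqdn} matched; connection would be accepted"


# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.contoso.com"),)),
    "subjectAltName": (("DNS", "mail.contoso.com"), ("DNS", "autodiscover.contoso.com")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}

if __name__ == "__main__":
    for fqdn in ("mail.contoso.com", "smtp.contoso.com", "contoso.com"):
        print(fqdn, check_tls_certificate(SAMPLE_CERT, fqdn))
```

Note that "contoso.com" fails even though it is the recipients' e-mail domain: only the FQDN configured on the connector matters.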

In addition to using TLS, messages between the organizations are treated as "internal." This approach allows messages to bypass anti-spam settings and other services.

Learn more about SSL certificates and domain security at Certificate requirements for hybrid deployments and Understanding TLS Certificates.