Transport options in Exchange 2013/Exchange 2007 hybrid deployments

In hybrid deployments, you can have mailboxes that reside in your on-premises Exchange organization and also in an Exchange Online organization. A critical component of making these two separate organizations appear as one combined organization, both to users and to the messages exchanged between them, is hybrid transport. With hybrid transport, messages sent between recipients in either organization are authenticated, encrypted, and transferred using Transport Layer Security (TLS), and appear as "internal" to Exchange components such as transport rules, journaling, and anti-spam policies. Hybrid transport is configured automatically by the Hybrid Configuration wizard in Exchange 2013.

For hybrid transport configuration to work with the Hybrid Configuration wizard, the on-premises SMTP endpoint that accepts connections from Microsoft Exchange Online Protection (EOP), which handles transport for the Exchange Online organization, must be an Exchange 2013 Client Access server, an Exchange 2013 Edge Transport server, or an Exchange Server 2010 Service Pack 3 (SP3) Edge Transport server.

Important

There can be no other SMTP hosts or services between the on-premises Exchange 2013 Client Access servers or Exchange 2013/Exchange 2010 SP3 Edge Transport servers and EOP. The information added to messages that enables hybrid transport features is removed when they pass through a non-Exchange 2013 server, a pre-Exchange 2010 SP3 server, or any other SMTP host (this includes third-party message hygiene gateways or cloud filtering services placed in the path). If you have any Exchange 2010 SP2 Edge Transport servers deployed in your organization and you want to use them for hybrid transport, they must be upgraded to Exchange 2010 SP3.

Inbound messages sent to recipients in both organizations from external Internet senders follow a common inbound route. Outbound messages sent from the organizations to external Internet recipients can either follow a common outbound route or be sent via independent routes.

You'll need to choose how to route inbound and outbound mail when you plan and configure your hybrid deployment. The route taken by inbound and outbound messages sent to and from recipients in the on-premises and Exchange Online organizations depends on the following:

  • Do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes through Microsoft Office 365 and EOP, or through your on-premises organization?

    You can choose to route inbound Internet mail for both organizations through your on-premises organization or through EOP and the Exchange Online organization. The route that inbound messages for both organizations take depends on whether you enable centralized mail transport in your hybrid deployment.

  • Do you want to route outbound mail to external recipients from your Exchange Online organization through your on-premises organization (centralized mail transport), or do you want to route it directly to the Internet?

    With centralized mail transport, you can route all mail from mailboxes in the Exchange Online organization through the on-premises organization before it's delivered to the Internet. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. Alternatively, you can configure Exchange Online to deliver messages for external recipients directly to the Internet.

    Note

    Centralized mail transport is only recommended for organizations with specific compliance-related transport needs. Our recommendation for typical Exchange organizations is not to enable centralized mail transport.

  • Do you want to deploy an Edge Transport server in your on-premises organization?

    If you don't want to expose your domain-joined internal Exchange 2013 servers directly to the Internet, you can deploy Exchange 2013 Edge Transport servers or Exchange 2010 SP3 Edge Transport servers in your perimeter network. For more information about adding an Edge Transport server to your hybrid deployment, see Edge Transport servers in Exchange 2013/Exchange 2007 hybrid deployments.

Regardless of how you route messages to and from the Internet, all messages sent between the on-premises and Exchange Online organizations are sent using secure transport. For more information, see Trusted communication later in this topic.

To learn more about how these options affect message routing in your organization, see Transport routing in Exchange 2013/Exchange 2007 hybrid deployments.

Exchange Online Protection in hybrid deployments

EOP is an online service provided by Microsoft that's used by many companies to protect their on-premises organizations from viruses, spam, phishing scams, and policy violations. In Office 365, EOP is used to protect Exchange Online organizations from the same threats. When you sign up for Office 365, an EOP company is automatically created that's tied to your Exchange Online organization.

An EOP company contains several of the mail transport settings that can be configured for your Exchange Online organization. You can specify which SMTP domains must come from specific IP addresses, require TLS with a Secure Sockets Layer (SSL) certificate, allow messages to bypass compliance policies, and more. EOP is the front door to your Exchange Online organization. All messages, regardless of their origin, must pass through EOP before they reach mailboxes in your Exchange Online organization. And all messages sent from your Exchange Online organization must go through EOP before they reach the Internet.

When you configure a hybrid deployment with the Hybrid Configuration wizard, all transport settings are automatically configured in your on-premises organization and in the EOP company included in your Exchange Online organization. The Hybrid Configuration wizard configures all inbound and outbound connectors and other settings in this EOP company to secure messages sent between the on-premises and Exchange Online organizations and to route messages to the right destination. If you want to configure custom transport settings for your Exchange Online organization, you'll configure them in this EOP company as well.

Trusted communication

To help protect recipients in both the on-premises and Exchange Online organizations, and to help ensure that messages sent between the organizations aren't intercepted and read, transport between the on-premises organization and EOP is configured to use forced TLS. Unlike opportunistic TLS, forced TLS refuses the connection if TLS can't be negotiated rather than falling back to cleartext. TLS transport uses Secure Sockets Layer (SSL) certificates provided by a trusted third-party certificate authority (CA). Messages between EOP and the Exchange Online organization also use TLS.

When using forced TLS transport, the sending and receiving servers examine the certificate presented by the other server. The subject name, or one of the subject alternative names (SANs), on that certificate must match the FQDN that an administrator has explicitly specified on the other server. For example, if EOP is configured to accept and secure messages sent from the mail.contoso.com FQDN, the sending on-premises Client Access or Edge Transport server must present an SSL certificate with mail.contoso.com in either the subject name or a SAN. If this requirement isn't met, the connection is refused by EOP.

Note

The FQDN used doesn't need to match the email domain name of the recipients. The only requirement is that the FQDN in the certificate subject name or SAN must match the FQDN that the receiving or sending servers are configured to accept.

In addition to using TLS, messages between the organizations are treated as "internal." This allows them to bypass anti-spam settings and other services. This is also why no other SMTP host may sit between EOP and the on-premises endpoint: a message that loses the information marking it as hybrid traffic is handled as ordinary external mail.
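As an added illustration of the certificate rule described above (example code written for this page, not code from the original article or from Exchange or EOP themselves), the following Python script implements the subject/SAN-to-FQDN check on certificates in the dictionary form that Python's ssl module returns from getpeercert(), runs it against constructed sample certificates, and includes a STARTTLS probe you can point at your own on-premises SMTP endpoint. The host names, the sample certificates, and the single-label wildcard rule are assumptions made for the example; the only rule the page states is that the configured FQDN must appear in the subject name or a SAN, and, as the note says, it need not be the recipients' email domain.

```python
import smtplib
import ssl
import sys

# Constructed sample certificates in the shape returned by
# ssl.SSLSocket.getpeercert(). These are NOT real Contoso certificates.
SAMPLE_CERT_OK = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Contoso"),),
                (("commonName", "mail.contoso.com"),)),
    "subjectAltName": (("DNS", "mail.contoso.com"),
                       ("DNS", "autodiscover.contoso.com")),
}
SAMPLE_CERT_WILDCARD = {
    "subject": ((("commonName", "*.contoso.com"),),),
    "subjectAltName": (("DNS", "*.contoso.com"),),
}
SAMPLE_CERT_WRONG = {
    "subject": ((("commonName", "smtp.fabrikam.com"),),),
    "subjectAltName": (("DNS", "smtp.fabrikam.com"),),
}


def cert_names(cert):
    """Return the lowercase DNS names a certificate is valid for:
    the subject commonName plus every dNSName SAN entry."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                names.add(value.lower())
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert_name, fqdn):
    """Case-insensitive exact match. A single-label wildcard
    ('*.contoso.com' matches 'mail.contoso.com' but not 'a.b.contoso.com'
    or 'contoso.com') is also accepted; that rule is the usual TLS
    hostname convention, assumed here rather than taken from the page."""
    cert_name = cert_name.lower()
    fqdn = fqdn.lower()
    if cert_name == fqdn:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".contoso.com"
        label, sep, rest = fqdn.partition(".")
        return sep == "." and label != "" and "." + rest == suffix
    return False


def fqdn_matches(cert, expected_fqdn):
    """The check the page describes: the FQDN configured on the connector
    must appear in the certificate subject name or one of its SANs."""
    return any(name_matches(n, expected_fqdn) for n in cert_names(cert))


def check_smtp_tls(host, expected_fqdn, port=25, timeout=10):
    """Live probe (not exercised offline): negotiate STARTTLS with an SMTP
    endpoint, require a chain that validates against the local trust store
    (the page's 'trusted third-party CA'), then apply the FQDN rule to the
    presented certificate. Returns (ok, names_seen_on_certificate)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the connector FQDN rule is applied below
    ctx.verify_mode = ssl.CERT_REQUIRED   # untrusted or expired chain -> handshake fails
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Forced TLS: a peer that cannot offer STARTTLS is refused,
            # never allowed to continue in cleartext.
            return False, set()
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return fqdn_matches(cert, expected_fqdn), cert_names(cert)


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    expected = "mail.contoso.com"   # the FQDN an admin configured on the other side
    for label, cert in (("ok", SAMPLE_CERT_OK),
                        ("wildcard", SAMPLE_CERT_WILDCARD),
                        ("wrong", SAMPLE_CERT_WRONG)):
        print(f"{label:8s} names={sorted(cert_names(cert))} "
              f"match={fqdn_matches(cert, expected)}")
    # Optional live probe: python script.py <smtp-host> <expected-fqdn>
    if len(sys.argv) == 3:
        ok, names = check_smtp_tls(sys.argv[1], sys.argv[2])
        print(f"live: ok={ok} names={sorted(names)}")
```

Run the script with no arguments to see the offline checks; with a host and an expected FQDN it connects to that host, and a certificate that does not chain to a trusted CA makes starttls() raise rather than return a result, which is the behaviour you want from a forced-TLS check.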

To learn more about SSL certificates and domain security, see Certificate requirements for hybrid deployments and Understanding TLS certificates.