Sunday, September 11, 2016

Office 365 - hybrid configuration - change Mail Flow

As readers may have observed when consulting previous blog posts, I have an Office 365 subscription associated with on-premises Exchange servers in what is known as a hybrid deployment. Concerning mail flow, I had configured the MX records so that incoming messages would be directed to my on-premises Exchange servers (after 1-to-1 NAT at the perimeter firewall and transit through a Citrix NetScaler VPX load balancer). This configuration has a significant disadvantage: I do not benefit from the antimalware and antispam services of Exchange Online Protection. This is less critical in a practice or test environment where the future of the business is not at stake, but after my test users started receiving suspicious emails (apparently someone is reading my blog... ), I thought it would be prudent to adjust mail flow so that incoming messages are routed to Exchange Online and, when necessary, forwarded to on-premises mailboxes via the organization send and receive connectors configured for Office 365.

According to the sources I consulted, it would be a simple matter of changing my MX records and then re-running the Office 365 Hybrid Configuration Wizard.

For more information on this wizard, you can consult this previous blog post:

The new Office 365 Hybrid Configuration Wizard


Change MX records

For this step, we have to use whatever interface we normally use to manage our DNS records. In my case, this would be No-IP which I will use as an example.

Note: I have edited the images (screenshots) below to conceal certain details.

So I log in and go to the "Manage Domains" section...

I select the domain associated with the MX records that I want to change:

We have a number of "hosts" which are essentially A records (or CNAME). In the No-IP management interface, we have to open the A record to see any associated MX records. Since my email address uses the format "", I will modify the A record (in fact the associated MX record) for "" (click on the "Modify" icon):

In the following screen, we have to scroll to the very bottom where we see the section for MX records. This is what was configured before the modification:

The MX record (which the No-IP interface does not display as a record of its own, unlike other DNS consoles) points to the A record for "" which in turn points to the external IP address of my test network (where 1-to-1 NAT forwards incoming messages to my Citrix NetScaler VPX).

Regardless, I change the MX record so it points to the following A record:

But wait! Where did I find that record?

We have to access our Office 365 account and in the Admin center, we click on "Domains":

I select my domain:

Here is the MX record that should be entered:

Run the Office 365 Hybrid Configuration Wizard (again)

Please consult the blog post referenced in the hyperlink above.

We repeat exactly the same steps with one exception:

We do not check the "Enable centralized mail transport" option.


And that's all.

Additional testing confirmed that incoming messages are routed to Office 365 instead of the on-premises servers. If the test user has a mailbox hosted by Office 365 (Aisha Bhari), the message is delivered directly. If the test user has a mailbox that is still hosted by an on-premises server (Alannah Shaw), Exchange Online forwards the message to that final destination via the send and receive connectors configured for the hybrid deployment.
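As an added check that is not part of the original post, the script below classifies a domain's MX set the way this change needs it to look: every MX should name the Office 365 host shown under Admin center > Domains, and none should still name the on-premises host, otherwise mail reaching that host skips Exchange Online Protection. The sample records are constructed for a fictitious domain; the `<label>.mail.protection.outlook.com` hostname pattern and the `dig +short MX` output format are assumptions, not values from the post.

```python
import re
from typing import List, Tuple

# Office 365 inbound MX targets have the form <label>.mail.protection.outlook.com;
# the exact value for a domain is shown under Admin center > Domains, as in the post.
EOP_MX_RE = re.compile(r"^[a-z0-9-]+\.mail\.protection\.outlook\.com\.?$", re.IGNORECASE)

# Constructed sample MX sets (preference, host) for a fictitious domain, not real records.
MX_BEFORE = [(10, "mail.example-lab.test.")]                        # on-premises host behind 1:1 NAT
MX_AFTER = [(0, "example-lab-test.mail.protection.outlook.com.")]   # the Office 365 value
MX_MIXED = [(0, "example-lab-test.mail.protection.outlook.com."),
            (20, "mail.example-lab.test.")]                         # forgotten backup MX


def parse_dig_short(text: str) -> List[Tuple[int, str]]:
    """Parse 'dig +short MX <domain>' output (one '<preference> <host>' per line)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1]))
    return records


def preferred_mx(records: List[Tuple[int, str]]) -> str:
    """The lowest preference value is the host that sending servers try first."""
    return min(records, key=lambda r: r[0])[1].rstrip(".").lower()


def classify_mx(records: List[Tuple[int, str]]) -> str:
    """Return 'eop' (all MX at Exchange Online Protection, so all inbound mail is
    filtered), 'on-premises' (no MX at EOP: the starting state in the post) or
    'mixed' (preferred MX is EOP but another MX still names a different host, so
    mail delivered to that host, e.g. a backup MX, bypasses EOP filtering)."""
    if not records:
        raise ValueError("domain has no MX records")
    eop_hits = sum(1 for _, host in records if EOP_MX_RE.match(host))
    if eop_hits == len(records):
        return "eop"
    if eop_hits == 0:
        return "on-premises"
    return "mixed"


if __name__ == "__main__":
    for name, recs in (("before", MX_BEFORE), ("after", MX_AFTER), ("mixed", MX_MIXED)):
        print(f"{name:7s} preferred={preferred_mx(recs)} state={classify_mx(recs)}")
```

Feed it real output with `dig +short MX yourdomain | python -c 'import sys, mxcheck; print(mxcheck.classify_mx(mxcheck.parse_dig_short(sys.stdin.read())))'` (assuming the file is saved as mxcheck.py); anything other than "eop" means some inbound mail can still reach the on-premises servers unfiltered.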

1 comment:

1. I've been using Kaspersky protection for a couple of years now; I would recommend this product to everyone.