Exchange SE Hybrid Enterprise Setup

In a hybrid Exchange environment, Exchange Online hosts most user mailboxes in the cloud, while Exchange Server SE remains on-premises for hybrid management, on-prem mailbox support, SMTP relay, mailbox migrations, and mail attribute management.
The goal of this setup is to make on-prem Exchange and Exchange Online work together as one shared Exchange organization. This allows the company to use the same email domain, secure mail routing, a unified Global Address List, calendar free/busy sharing, and mailbox moves between on-premises and the cloud.
Simple Enterprise Design
Internet senders deliver email to the host named in the company’s MX record. The MX record points to Microsoft 365 EOP / Microsoft Defender for Office 365, which acts as the main email security layer.
From there, the mail is routed based on where the mailbox is located:
If the user mailbox is in Exchange Online, the email stays in Microsoft 365.
If the mailbox is still on-premises, Microsoft 365 sends the email through the hybrid connector to the on-prem Exchange SE servers.
The on-prem Exchange SE environment usually sits behind a firewall, load balancer, or optional Edge Transport server. Exchange SE communicates with on-prem Active Directory for mailbox attributes, user details, and recipient information. Active Directory then syncs with Microsoft Entra ID using Entra Connect or Cloud Sync.
Main Components
1. Exchange Server SE On-Premises
Exchange Server SE is the on-premises Exchange layer. In an enterprise environment, companies usually deploy two or more Exchange SE Mailbox servers, often with a Database Availability Group if they still host mailboxes on-premises.
Exchange SE is mainly used for hybrid mail routing, on-prem mailbox hosting, SMTP relay for internal applications, printers and scanners, recipient management, mailbox migrations, and Exchange troubleshooting using Exchange Management Shell.
2. Microsoft 365 / Exchange Online
Exchange Online is the cloud mailbox platform. Most modern organizations move user mailboxes to Exchange Online because it provides cloud-based mailboxes, Outlook access, Microsoft 365 integration, mail protection, retention, compliance, and security features.
3. EOP / Microsoft Defender for Office 365
For a clean enterprise design, the MX record should point to Microsoft 365 EOP. This allows Microsoft 365 to become the first layer of protection for inbound emails.
When email arrives, Microsoft 365 checks whether the mailbox is in the cloud or on-premises. If the mailbox is in Exchange Online, the email is delivered directly there. If the mailbox is on-premises, Microsoft 365 routes the email securely to Exchange SE through the hybrid connector.
4. Hybrid Configuration Wizard
The Hybrid Configuration Wizard is used to connect the on-prem Exchange organization with Exchange Online. It creates the hybrid relationship, mail flow connectors, OAuth or organization relationships, and the required hybrid configuration.
For Exchange SE, the Hybrid Configuration Wizard is now cloud-based and can be downloaded as a small app. It helps make hybrid setup easier, provides faster updates, and improves troubleshooting.
5. Entra Connect / Cloud Sync
On-prem Active Directory remains the source of authority for many users, groups, and mail attributes in a hybrid environment. Entra Connect or Cloud Sync is used to synchronize those identities into Microsoft Entra ID.
This allows users to appear in both on-prem Exchange and Exchange Online, supports a unified Global Address List, and helps users sign in consistently across Microsoft 365 services.
6. Certificates and DNS
A trusted third-party public certificate is required for secure hybrid mail transport. A self-signed certificate is not enough for a proper enterprise hybrid setup.
The certificate should be installed on the on-prem Exchange Mailbox servers that handle hybrid traffic and, if Edge is deployed, on the Edge Transport servers.
Typical DNS records include:
MX record pointing to Microsoft 365 EOP
Autodiscover record pointing to the hybrid endpoint or Microsoft 365, depending on the migration stage
SPF record that includes the Microsoft 365 sending infrastructure
DKIM enabled in Microsoft 365
DMARC enabled for domain protection
mail.company.com pointing to the load balancer or Exchange SE HTTPS endpoint
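The DNS checklist above can be verified mechanically. The following is an added example (not from the original post) that evaluates a constructed set of records for a fictional company.com tenant against that checklist; the record values, tenant name and selector targets are assumptions, and a real deployment would feed the function the answers from an actual resolver.

```python
# Constructed DNS answers for a fictional hybrid tenant (not real lookups).
# Keys are (name, type); values are the record data strings.
SAMPLE_RECORDS = {
    ("company.com", "MX"): ["company-com.mail.protection.outlook.com."],
    ("company.com", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.company.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@company.com"],
    ("selector1._domainkey.company.com", "CNAME"): ["selector1-company-com._domainkey.company.onmicrosoft.com."],
    ("selector2._domainkey.company.com", "CNAME"): ["selector2-company-com._domainkey.company.onmicrosoft.com."],
    ("autodiscover.company.com", "CNAME"): ["mail.company.com."],
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=quarantine; rua=...' into a tag dictionary."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)

def check_hybrid_dns(domain, records):
    """Return {check_name: passed} for the hybrid DNS checklist."""
    def get(name, rtype):
        return records.get((name, rtype), [])

    results = {}
    # MX must hand inbound mail to EOP, so Microsoft 365 is the first security layer.
    mx = get(domain, "MX")
    results["mx_points_to_eop"] = bool(mx) and all(
        h.rstrip(".").endswith(".mail.protection.outlook.com") for h in mx)

    # Exactly one SPF record, authorizing Microsoft 365 and ending in a fail mechanism.
    spf = [t for t in get(domain, "TXT") if t.startswith("v=spf1")]
    results["single_spf_record"] = len(spf) == 1
    mechanisms = spf[0].split()[1:] if spf else []
    results["spf_includes_m365"] = "include:spf.protection.outlook.com" in mechanisms
    # '+all' or a missing 'all' mechanism lets anyone send as the domain.
    results["spf_ends_hard_or_soft_fail"] = bool(mechanisms) and mechanisms[-1] in ("-all", "~all")

    # DKIM in Microsoft 365 publishes two selector CNAMEs pointing into the tenant.
    dkim = [get(f"selector{i}._domainkey.{domain}", "CNAME") for i in (1, 2)]
    results["dkim_selectors_published"] = all(
        c and "._domainkey." in c[0] and c[0].rstrip(".").endswith(".onmicrosoft.com") for c in dkim)

    # DMARC only protects the domain when the policy is quarantine or reject.
    dmarc_txt = [t for t in get(f"_dmarc.{domain}", "TXT") if t.startswith("v=DMARC1")]
    tags = parse_dmarc(dmarc_txt[0]) if dmarc_txt else {}
    results["dmarc_enforcing"] = tags.get("p") in ("quarantine", "reject")

    # Autodiscover target depends on migration stage; here only presence is checked.
    results["autodiscover_present"] = bool(get(f"autodiscover.{domain}", "CNAME"))
    return results
```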
Mail Flow Explanation
Inbound Mail Flow
External email first reaches the company’s MX record, which points to Microsoft 365 EOP or Defender for Office 365.
From there:
Mail for Exchange Online users is delivered directly to Exchange Online.
Mail for on-prem users is sent through the hybrid connector to Exchange Server SE.
This is the recommended modern design because Microsoft 365 becomes the main email security gateway.
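Whether a delivered message actually followed the path described above (MX to EOP, then the TLS-protected hybrid connector hop into Exchange SE with no extra relay in between) can be read off its Received headers. The following is an added example, not from the original post, run over constructed headers for a fictional message; the host names, addresses and the on-prem domain suffix are assumptions.

```python
import re

# Constructed Received header values (not a real message), newest hop first,
# for a message that reached an on-prem Exchange SE mailbox via the hybrid connector.
SAMPLE_RECEIVED = [
    "from NAM02-obe.outbound.protection.outlook.com (mail-nam02.outbound.protection.outlook.com [192.0.2.10]) "
    "by EXSE01.corp.company.com (10.0.0.25) with Microsoft SMTP Server (version=TLS1_2, "
    "cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.4; Mon, 3 Jun 2024 10:02:11 +0000",
    "from mail.example.net (mail.example.net [203.0.113.10]) by company-com.mail.protection.outlook.com "
    "with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) "
    "id 15.20.7633.15 via Frontend Transport; Mon, 3 Jun 2024 10:02:09 +0000",
]

def parse_hop(header):
    """Extract the sending host, receiving host and TLS version from one Received value."""
    m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", header, re.S)
    tls = re.search(r"version=([A-Za-z0-9_.]+)", header)
    return {"from": m.group(1), "by": m.group(2), "tls": tls.group(1) if tls else None}

def check_inbound_hybrid_path(received, onprem_suffix):
    """Check that the hop into on-prem Exchange came from EOP over TLS and the MX hop was EOP."""
    hops = [parse_hop(h) for h in received]
    # The newest hop received by an on-prem host is the hybrid connector delivery.
    onprem = next((h for h in hops if h["by"].lower().endswith(onprem_suffix)), None)
    if onprem is None:
        return {"delivered_onprem": False}
    from_eop = onprem["from"].lower().endswith(".outbound.protection.outlook.com")
    tls_ok = onprem["tls"] in ("TLS1_2", "TLS1_3")
    # The hop just before it must have been received by the EOP MX host.
    older = hops[hops.index(onprem) + 1:]
    mx_via_eop = bool(older) and older[0]["by"].lower().endswith(".mail.protection.outlook.com")
    return {
        "delivered_onprem": True,
        "last_hop_from_eop": from_eop,
        "tls_on_hybrid_hop": tls_ok,
        "mx_via_eop": mx_via_eop,
        # An unsupported relay between Microsoft 365 and Exchange SE would break this.
        "no_extra_relay": from_eop and mx_via_eop,
    }
```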
Outbound Mail Flow
For Exchange Online users, outbound mail usually goes directly from Exchange Online through EOP to the external recipient.
For on-prem users or internal applications, mail usually flows from Exchange SE to EOP or another approved smart host, and then to the internet.
This allows cloud mailboxes and on-prem systems to send mail securely while still keeping proper control over mail routing.
Centralized Mail Transport
Centralized mail transport is an optional design where outbound mail from Exchange Online is routed back through the on-prem Exchange environment before going to the internet.
This setup is normally used only when the organization has strict compliance requirements, such as on-prem DLP, journaling, legal archiving, or a legacy security gateway.
However, centralized mail transport is not usually recommended unless there is a clear business need, because it adds more traffic, processing, and dependency on the on-prem Exchange environment.
Important Ports
The main ports used in a hybrid Exchange setup are:
TCP 25 with TLS for SMTP hybrid mail flow
TCP 443 for Autodiscover and Exchange Web Services
TCP 443 for MRS Proxy mailbox migrations
TCP 443 for Entra synchronization and cloud communication
These ports allow Exchange Online and Exchange SE to communicate securely for mail flow, mailbox moves, calendar sharing, and hybrid management.
Enterprise Best-Practice Design
For a large enterprise or banking-style environment, the recommended design would include:
Two or more Exchange SE Mailbox servers
A load balancer for HTTPS traffic
Optional Edge Transport servers in the DMZ
A trusted public certificate
MX record pointing to Microsoft 365 EOP
Entra Connect or Cloud Sync
Hybrid Configuration Wizard
Secure hybrid connectors between Microsoft 365 and Exchange SE
No unsupported SMTP relay or generic SMTP server placed between Microsoft 365 and the on-prem Exchange hybrid endpoint
This design provides better security, high availability, centralized identity, proper mail routing, and easier migration from on-prem Exchange to Exchange Online.
Summary

Exchange SE Hybrid means the organization uses on-prem Exchange Server SE and Exchange Online together as one mail system.
Microsoft 365 handles cloud mailboxes, email protection, and modern collaboration services, while Exchange SE continues to support hybrid mail flow, on-prem mailboxes, SMTP relay, mailbox migrations, and recipient management.
This setup is commonly used by enterprises that are moving to the cloud but still need some on-prem Exchange functionality for management, compliance, applications, or gradual migration.