Many of Citihub Consulting’s enterprise clients have committed to adopting Office 365 as their end user productivity suite, which includes the de facto standard messaging platform, Microsoft Exchange. Many of these organisations will begin by deploying Exchange Server Hybrid as an intermediate step towards moving to Exchange Online. This process presents some challenges for regulated firms. These firms need to be aware of the pitfalls and risks associated with the “out of the box” configuration tool, the Hybrid Configuration Wizard, and the underlying Hybrid deployment infrastructure.
Here are six key considerations for planning an Exchange Hybrid deployment at a Financial Services institution:
1. Use of Dedicated Exchange Hybrid Servers
Microsoft articles don’t typically discuss the deployment of dedicated Exchange Hybrid Servers. However, we’ve found that deploying them in a DMZ, away from confidential data, can deliver significant security benefits, especially for firms that attract high volumes of attacks. The Exchange Hybrid servers act as a buffer between Exchange Online (ExO) and Exchange On-Premises (ExOP); if one side is compromised, they can be shut down from the non-compromised side to cut the link, preventing the attack from spreading and protecting mailboxes.
Creating Hybrid Servers has multiple benefits:
- Exchange Hybrid Servers in DMZ
- Hybrid Configuration Wizard run on servers that are not Database Availability Group (DAG) members
- Power down in the event of a security breach
- Power down in the event of a Zero-Day Attack
- Easily upgrade the Hybrid Configuration Wizard (HCW) versions
- Increased Velocity Migration Performance
- Simplified Email Transit Path
- Improved Compliance and Journaling
Of course, this approach may add cost and maintenance overhead. Nevertheless, on balance we think it is well worth considering.
2. Creation of a Dedicated Logical Active Directory Site for Hybrid Servers
Creating a dedicated AD site within Active Directory Sites & Services for your Hybrid Servers has multiple benefits:
- Cloud Email and client traffic can be segregated
- Journaling of mail from the cloud at the point of entry
- Exchange Edge Transport Servers can be deployed in the perimeter network for cloud mail flow, with an Edge Subscription to the Hybrid servers in this site. This adds a hop for mail inbound from and outbound to Exchange Online, reducing security risk
- Keeping cloud email on separate Hybrid-to-Edge and Edge-to-Hybrid paths makes diagnostics, compliance and message tracking to and from Exchange Online easier
Bear in mind, this requires careful planning and additional set-up cost for the servers.
However, beware: deploying Edge Servers and creating an Edge Subscription in your current mail environment without a new AD Site is not recommended. The Edge Servers within the subscription become the default route for the ingress and egress of all email in your environment, bypassing the Internet Mail Gateway Stack and effectively eliminating email security. An alternative approach is to force all outbound mail through Exchange Online Protection routing and use the Office 365 Security and Compliance Centre toolset, although these tools also come with caveats given the current limitations of these maturing features.
3. Enabling Centralised Mail Transport
Centralised Mail Transport (CMT) forces all internet-bound email from Exchange Online back to the on-premises Exchange environment, thereby facilitating the following important regulatory functions:
If this functionality is not enabled, email transits via the Exchange Online Protection routing model through SMTP connectors onto the internet. Organisations must decide whether the benefit of simplified regulatory compliance offsets the downsides of enabling CMT.
There are two potential disadvantages. Firstly, a client may need to extend its Exchange On-Premises Servers to handle the extra email coming back on-premises and the extra journaling mail-flow rules that will execute. However, we only expect this where a dedicated AD Site is used or the current infrastructure lacks the capacity for the extra workload; in that case, poor mail performance would probably already be noticeable.
Secondly, with CMT enabled you cannot create additional Exchange Online (SMTP) routing connectors: the routing connector created by CMT carries a wildcard address space and by itself acts as the main outbound connector to Exchange On-Premises.
4. Deploying Dedicated Mailbox Replication Service Proxy End-Points
Using your dedicated Hybrids as MRS Proxy end-points has two key benefits. Firstly, velocity and large-batch mailbox migrations place a considerable workload on already busy Exchange servers, especially legacy versions; using the Hybrids as MRS Proxy end-points offloads the batch migration workload. Secondly, depending on your Exchange version, you can tune the Mailbox Replication Service Proxy configuration to your environment to maximise migration performance without affecting your day-to-day Exchange servers.
- Offloads large batch migration workloads to these dedicated servers
- Tunes the Mailbox Replication Service (MRS) Proxy configuration to enable large-batch velocity migrations
However, deploying additional MRS end-points increases maintenance and management overhead, plus the obvious additional cost.
5. Enabling Exchange Write-Back Attributes
Azure AD and Exchange Online support the write-back of certain attributes configured in the cloud to on-premises servers. In large Financial Services organisations, IT Risk functions will initially want to prohibit the write-back of such metadata and other attributes, on the grounds that attributes changed in the cloud could be a security risk when reproduced on the on-premises infrastructure. Citihub Consulting suggests careful consideration of write-back for certain attributes in support of a secure and functional environment.
Most organisations will want to track the litigation hold status of their users so that any individual subject to an investigation has email retained until the matter has been resolved. Often, certain online email accounts will need to be brought back on-premises should a user’s status change (for example, promotion to a data-sensitive role). Certainly, in most financial services companies the list of restricted and/or monitored email accounts varies significantly over time and is complicated by information barriers between advisory and trading functions. However, unless the litigation hold write-back attribute is enabled, accounts migrated back on-premises will not be flagged for litigation hold once the migration has completed, and some of the data required for litigation purposes will not be retained. Another example is the mail routing X500 address: if the Exchange Online forest attributes are not written back before mailboxes are migrated, Non-Delivery Reports (NDRs) can result. Organisations need to weigh the functional and regulatory benefits of enabling a subset of write-back attributes against the possible increased risk of writing the metadata back on-premises.
Recommended write-back attributes to enable and track:
- Legal/Litigation Hold Tracking
- Online Archive Tracking
- X500 Address Tracking
- External Directory ObjectID
A careful approach should be taken, as blanket enablement of write-back may open security holes.
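As an added example (not from the original article), the following pre-flight check confirms that the write-back attributes listed above have actually landed in on-premises AD before a mailbox is off-boarded from Exchange Online back on-premises. It assumes an on-premises Exchange Management Shell with the ActiveDirectory module loaded and an Exchange Online session opened with `Connect-ExchangeOnline -Prefix Cloud` (so cloud cmdlets appear as `Get-CloudMailbox`); the AD attribute names are those used by Azure AD Connect's Exchange hybrid write-back, and the litigation-hold test is a heuristic.

```powershell
# Added example: verify hybrid write-back attributes for one mailbox before
# migrating it from Exchange Online back on-premises.
# Assumes: on-prem Exchange Management Shell + ActiveDirectory module, and
#   Connect-ExchangeOnline -Prefix Cloud   (cloud cmdlets become Get-CloudMailbox etc.)
function Test-WritebackReady {
    param([Parameter(Mandatory)][string]$Identity)

    $cloud  = Get-CloudMailbox  -Identity $Identity           # Exchange Online view
    $remote = Get-RemoteMailbox -Identity $Identity           # on-prem remote mailbox object
    $adUser = Get-ADUser -Identity $remote.SamAccountName `
                -Properties proxyAddresses, 'msDS-ExternalDirectoryObjectId',
                            msExchUserHoldPolicies, msExchArchiveStatus

    # The cloud LegacyExchangeDN must exist on-prem as an X500 proxy address,
    # otherwise replies to cloud-era mail will NDR after the move back.
    $expectedX500 = 'X500:' + $cloud.LegacyExchangeDN

    $checks = [ordered]@{
        X500AddressWrittenBack = [bool]($adUser.proxyAddresses -contains $expectedX500)

        # Azure AD Connect stores the object id with a type prefix (assumption),
        # so match on the GUID suffix only.
        ExternalDirectoryObjectId = [bool]($adUser.'msDS-ExternalDirectoryObjectId' -like
                                          "*$($cloud.ExternalDirectoryObjectId)")

        # Heuristic: a cloud litigation hold should leave a hold policy stamped on-prem.
        LitigationHoldTracked = if ($cloud.LitigationHoldEnabled) {
                                    [bool]$adUser.msExchUserHoldPolicies } else { $true }

        # An active cloud archive is reflected in msExchArchiveStatus (assumption: non-zero).
        OnlineArchiveTracked  = if ($cloud.ArchiveStatus -eq 'Active') {
                                    [bool]$adUser.msExchArchiveStatus } else { $true }
    }

    [pscustomobject]@{
        Mailbox = $cloud.PrimarySmtpAddress
        Ready   = -not ($checks.Values -contains $false)   # all checks must pass
        Checks  = $checks
    }
}

# Usage: gate an off-boarding batch on the check, logging anything not ready.
Get-Content .\offboard-list.txt | ForEach-Object { Test-WritebackReady -Identity $_ } |
    Where-Object { -not $_.Ready } | Select-Object Mailbox, Checks
```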
6. Adding @onmicrosoft.com SMTP Addresses and the Potential Impact on the Address Book
The Hybrid Configuration Wizard will, by default, inject an additional SMTP address into the Default Email Address Policy for every mail-enabled item in the Global Address List (GAL) and consequently append it to the Offline Address Book (OAB). This is acceptable for tens or even hundreds of mailboxes, but it brings a significant performance impact for large enterprises. Adding addresses to every mail-enabled item at once triggers a mass regeneration of the GAL/OAB. Consequently, cached Outlook clients will start to re-download the OAB, which could easily be several hundred megabytes, across tens of thousands of devices. Citihub Consulting has previously witnessed cases where organisations triggered the default Email Address Policy change and brought their On-Premises Exchange and global WAN performance to a grinding halt for several weeks.
- Global Address List Population Management
- Offline Address List Download Management
Again, there are two potential disadvantages. Firstly, careful consideration should be given to how best to introduce these SMTP addresses in a staggered fashion rather than relying on the HCW to perform its default insertion of them.
Secondly, the complexity of a staggered approach may not be needed in smaller organisations, or where network performance is adequate and clients are not spread across the globe.
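One way to stage the introduction described above, as an added example that is not part of the original article: instead of letting the HCW rewrite the Default Email Address Policy for every recipient at once, add the routing address per mailbox in batches with a pause between them, so OAB regeneration and client downloads are spread over time. It assumes an on-premises Exchange Management Shell session; the tenant routing domain, batch size and pause are placeholders to adjust.

```powershell
# Added example: batched roll-out of the tenant routing address, one secondary
# smtp: proxy address per mailbox, instead of a single Email Address Policy change.
# Assumes an on-premises Exchange Management Shell session.
param(
    [string]$TenantDomain = 'contoso.mail.onmicrosoft.com',   # placeholder: your tenant routing domain
    [int]   $BatchSize    = 500,                               # mailboxes per batch
    [int]   $PauseMinutes = 30,                                # let OAB generation/downloads settle
    [string]$LogPath      = '.\routing-address-rollout.csv'
)

$pattern = '@' + [regex]::Escape($TenantDomain) + '$'

# Only mailboxes that do not yet carry the routing address, in a stable order
# so an interrupted run can simply be started again.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not ($_.EmailAddresses -match $pattern) } |
    Sort-Object Alias)

Write-Host "$($mailboxes.Count) mailboxes still need $TenantDomain"

$batch = 0
for ($i = 0; $i -lt $mailboxes.Count; $i += $BatchSize) {
    $batch++
    $last  = [Math]::Min($i + $BatchSize, $mailboxes.Count) - 1
    foreach ($mbx in $mailboxes[$i..$last]) {
        # Lower-case 'smtp:' keeps it a secondary address; the primary is untouched.
        $routing = 'smtp:{0}@{1}' -f $mbx.Alias, $TenantDomain
        $result  = 'OK'
        try {
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Add = $routing } -ErrorAction Stop
        } catch {
            $result = "FAILED: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Time = Get-Date; Batch = $batch
            Mailbox = $mbx.PrimarySmtpAddress; Added = $routing; Result = $result
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    if ($last -lt $mailboxes.Count - 1) {
        Write-Host "Batch $batch done; pausing $PauseMinutes minutes before the next one."
        Start-Sleep -Seconds ($PauseMinutes * 60)
    }
}
```

The CSV log lets you resume after a failure and shows which batch introduced any client-side OAB load you observe.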
Citihub Consulting has been helping Financial Services clients with major technology change programmes for over twenty years. Our knowledge of existing and target state technology platforms within Financial Services supports our clients in their migration activities and allows them to deal with the unique challenges faced within these increasingly heavily regulated environments. To discuss your organisation’s Office 365 adoption approach, please contact us at firstname.lastname@example.org