As engaged with office 365 migration therefore I am learning more & more about office 365 and one of the interesting topic is email routing to & from exchange online /on-premise.
There are two options that are suggested by Hybrid wizard
When you select Typical , internal mail flow i.e
Exchange online to Exchange on-premise & vice versa happens thru Hybrid servers but internet email from Exchange online routes using EOP & from Exchange on-premise routes whatever you have already defined in connectors (example: third party gateways). This is also known as Decentralized routing.
When you select “Enable Centralized mail transport” , internal mail flow i.e
Exchange online to Exchange on-premise & vice versa happens thru Hybrid servers along with internet email , That’s why it is called Centralized routing & is generally selected by enterprise customers as they want to control the flow for different security purposes.
When you run the hybrid wizard what it does is create connectors in on-prem/ cloud environment based on the option you choose.
You can edit these connectors based on your requirements for mail routing.( be cautious as it will impact routing)
In one configuration where we were using third-party cloud as email gateway , we have Chosen Typical mail flow & after that added a connector on EOP to route all the internet email via third party gateway ( you need to do settings on third party device so that it can accept email for relay from office 365). This configuration had removed the extra overhead of routing the email internally & than reaching third party.
You have to select Partner organization when configuring the out bound connector from EOP to Internet.
There are other solutions that happen while you work thru the setup for enterprises, As per Microsoft Recommendation they need direct connection(NAT ) from exchange online to hybrid hub servers , no devices should interfere in between the mailflow as that can alter the headers. Only supported device if your organization doesn’t want to direct NAT SMTP is having edge servers in the DMZ.
Here is what we have done for one organization & Microsoft told us that they will not assist in this configuration but if it will work than its fine.
We have reverse proxy the 443 as well as port 25 behind F5 & made it work , This can cause performance issues with large enterprises during mailbox moves as well as SMTP traffic performance can get affected that’s why MS or other cloud members always ask for direct connection but some time situation doesn’t favor because of security concerns raised by the organization so you need to think outside the box & mitigate the concerns.