So after you've moved your mailboxes, and maybe public folders, to Exchange Online, if you're still running Active Directory on premises then you still usually need to run Exchange Server, primarily if you've got Azure AD Connect in place, because this is what's known as hybrid identity. AD remains the master: all of your attributes that relate to Exchange, like proxy addresses, mailbox recipient types and so on, are managed from on-prem AD, and the tool Microsoft supports to do that is, naturally, Exchange Server. Now, they have promised that they'll get rid of this, and you can find more about that in my tech session and on Practical 365, but if you're keeping that server around for now, I wanted to talk through some top tips for dealing with that last one or two Exchange servers while you've still got them.

So the first one is: minimize your Exchange infrastructure. Let's say you've moved Exchange 2016 mailboxes to the cloud and you had a DAG, maybe a multi-site DAG, the preferred architecture. Well, you need to minimize that now. What you'll probably find is that you don't need to build out a whole bunch of new physical servers for this; virtual machines will suffice. If you've got a lot of mail relay going through these boxes, then you'll need to consider transport and sizing for mail queues, but in general, you know, the minimum specifications for Exchange aren't going to be quite there, but you will be fine with something like two to four virtual CPUs, 12 GB of RAM, maybe 16 GB of RAM.
RAM is cheap in virtual machines these days as well, to be frank, and 100 to 200 GB of space. You don't need a lot to keep these running, because they're not running mailboxes. You're going to have a mailbox database on there, naturally, for the things that you actually need, but you don't need to size these out, because with a free hybrid license you can't run mailboxes on them anyway. It's for relay, it's for Exchange management, and they shouldn't really be providing true hybrid services; clients should not be accessing these now.

The other one that I get asked a lot is: should I upgrade to Exchange Server 2019? Now, there are a few cases where, if you really don't care about the cost and you want to buy some new copies of Exchange Server Standard Edition or Enterprise Edition, then you can, right, and you get a few small benefits: you'll be able to run it on Server Core, and Exchange 2019 supports in-place OS upgrades. But how long, realistically, do you think it's going to be until Microsoft deal with this? Okay, they've been promising for a long time, but it is getting to that point now where we are expecting an imminent solution. Things over the last few years have changed priorities somewhat, but it will come soon enough, and they have committed to it on the Exchange Team blog; my article on Practical 365, which you'll see linked down below, does tell you where to find that statement from Microsoft.
That says: we will deal with this. So you can stay on Exchange 2016, even though it's in extended support. Stay on Exchange 2016; that's the last version you'll get a free hybrid license for, and you don't need to upgrade to Exchange Server 2019. Okay.

Now, what else have we got? We've got a whole bunch of these here. So: don't publish the last Exchange server to the internet. I mean, why would you, right? No one's accessing it. Surely you're not sitting at home connecting with Exchange remote PowerShell, I hope; at least if you are, don't. You shouldn't need this published to the internet. So if you have it published, you've still got your load balancers in place, valid SSL certificates and so on: why? Even if you've got pre-authentication in front of it and all sorts, you shouldn't need to do this any more. If you've not been patching your Exchange servers religiously, then you've exposed yourself to some unnecessary risk.

One reason why people do is because, after they finished their migration, they've perhaps not cleaned up properly and they've left Autodiscover published. When you are doing an Exchange hybrid migration, you will keep Autodiscover pointed on premises so that new clients will discover where their mailbox is by first looking at the Autodiscover record for your domain. That will then attempt to authenticate to Exchange on premises, which will find a remote mailbox with a target address pointing at your alias at tenantname.mail.onmicrosoft.com. It'll return that in an Autodiscover response, which will then tell the client to redirect that request over to Exchange Online. Once you've moved the last mailbox you can set the SCP to null, so Set-ClientAccessService -AutoDiscoverServiceInternalUri $null, so that the Autodiscover lookup for domain-joined clients doesn't find that. Those DNS records can be moved too, so your autodiscover.practical365.com or whatever can be moved to the cloud as well; it's no longer needed. And as for the Autodiscover records with modern Outlook clients: if the Outlook client finds that there's a mailbox licensed in the Office 365 tenant it's signed into, using Microsoft 365 Apps for enterprise or business, then it's going to discover where the mailbox is anyway without Autodiscover. But for good housekeeping, move that over to the cloud. Again, you don't need to publish this to the internet.

I was talking about this on our live stream with Michael Van Horenbeeck, who said, well, actually, if it's just for management purposes and you patch it and bring it online a few times a week, perhaps for new recipients or making changes to users, then you could actually shut down the server, because if it's not being used for anything apart from management you might not need it running. If you do need it, for things like mail relay at the moment, then again you could consider restricting that.
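Clearing the SCP and checking the DNS record afterwards, as an added example (this is not code from the video or from the Practical 365 article). It assumes an Exchange Management Shell session with Organization Management rights, and contoso.com is a placeholder for your own domain.

```powershell
# Added example (not from the video or Practical 365): clear the Autodiscover SCP on
# every remaining Exchange 2016 server once the last mailbox is in Exchange Online,
# then verify nothing still advertises the on-prem endpoint.
# Assumes an Exchange Management Shell session with Organization Management rights;
# contoso.com is a placeholder for your own domain.

# 1. Record what each server currently advertises (expect the on-prem autodiscover.svc URL).
Get-ClientAccessService | Select-Object Name, AutoDiscoverServiceInternalUri

# 2. Null the SCP on all servers. Domain-joined Outlook clients query the SCP first; with
#    it gone they fall through to the DNS-based Autodiscover lookup for the domain.
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null

# 3. Verify no server was missed.
$stillSet = Get-ClientAccessService | Where-Object { $_.AutoDiscoverServiceInternalUri }
if ($stillSet) {
    Write-Warning ("SCP still set on: " + ($stillSet.Name -join ', '))
} else {
    Write-Output 'Autodiscover SCP cleared on all servers.'
}

# 4. Confirm the public DNS record now points at Exchange Online rather than on prem.
#    Microsoft's Exchange Online Autodiscover target is the CNAME autodiscover.outlook.com.
$cname = Resolve-DnsName -Name 'autodiscover.contoso.com' -Type CNAME -ErrorAction SilentlyContinue
if ($cname -and $cname.NameHost -eq 'autodiscover.outlook.com') {
    Write-Output 'DNS Autodiscover already points at Exchange Online.'
} else {
    Write-Warning 'DNS Autodiscover record is missing or still points on premises; move it to autodiscover.outlook.com.'
}
```

Run step 1 before step 2 and keep its output: if a client later misbehaves you will want to know what the servers advertised before the change. Step 4 only reads public DNS, so it can be run from any workstation.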
Exchange servers do need any-to-any firewall rules between Exchange servers and AD domain controllers; there's a whole bunch of documentation from Microsoft over the years that states what those requirements are. But clients don't need to access the Exchange servers. For years, organizations that have effectively had to do a zero trust model, universities for example, have blocked student access direct to their Exchange servers and treated them almost like external clients. You can do the same, because if your clients don't need to access those Exchange servers, the Outlook clients, your users, what are they accessing on Exchange? They shouldn't be accessing anything, so you could consider restricting access, because they don't need it. It's a small group of administrators that need to be able to get into the Exchange admin center on Exchange 2016 for fairly routine tasks, and again for PowerShell, usually from restricted workstations which will be locked to a VLAN or particular IP addresses. So again, you can reduce the risk, even though you're still patching. And it almost goes without saying in today's world that you shouldn't install Exchange Server on the same server as other things. Definitely not AD, even though in the world of Small Business Server it's supported; those are very, very high-risk targets, like Active Directory domain controllers, and another core one of those is your Azure AD Connect service.
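Before restricting client access to an admin VLAN, it helps to know who is still talking to the server's client-facing virtual directories. The following is an added example (not code from the video or from Practical 365) that parses IIS W3C log lines from the server and lists requests to those paths from anywhere outside the admin subnets. The log lines are constructed, and the admin subnet 10.0.50.0/24 and the function names are placeholders of mine.

```powershell
# Added example (not from the video or Practical 365): before you lock client access to the
# last hybrid Exchange server down to an admin VLAN, find out who is still talking to its
# client-facing virtual directories by parsing the IIS W3C logs. The log lines below are
# constructed; the admin subnet is a placeholder.

function ConvertTo-IPv4Number {
    # Returns an IPv4 address as an unsigned 32-bit integer, or $null for IPv6/invalid input.
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $null }
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $n = [uint64]0
    foreach ($b in $addr.GetAddressBytes()) { $n = ($n * 256) + $b }
    return [uint32]$n
}

function Test-IPv4InCidr {
    # True when $Ip falls inside $Cidr (a bare address is treated as a /32).
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $ipNum  = ConvertTo-IPv4Number $Ip
    $netNum = ConvertTo-IPv4Number $net
    if ($null -eq $ipNum -or $null -eq $netNum) { return $false }
    $prefix = [int]$bits
    $mask = if ($prefix -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF) }
    return (($ipNum -band $mask) -eq ($netNum -band $mask))
}

function Get-ClientAccessHits {
    # Summarises requests to client-facing paths that came from outside the admin subnets.
    param(
        [string[]]$LogLines,
        [string[]]$AdminCidrs,
        [string[]]$ClientPaths = @('/owa', '/ecp', '/mapi', '/rpc', '/ews', '/oab',
                                   '/autodiscover', '/microsoft-server-activesync', '/powershell')
    )
    $fields = $null
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {          # the W3C header names the columns that follow
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }

        $stem = ([string]$row['cs-uri-stem']).ToLowerInvariant()
        $path = $ClientPaths | Where-Object { $stem.StartsWith($_) } | Select-Object -First 1
        if (-not $path) { continue }            # health checks and the like are not client traffic

        $fromAdmin = $false
        foreach ($cidr in $AdminCidrs) { if (Test-IPv4InCidr -Ip $row['c-ip'] -Cidr $cidr) { $fromAdmin = $true; break } }
        if ($fromAdmin) { continue }

        $hits.Add([pscustomobject]@{ ClientIp = $row['c-ip']; Path = $path; User = $row['cs-username']; UserAgent = $row['cs(User-Agent)'] })
    }
    $hits | Group-Object ClientIp, Path | ForEach-Object {
        [pscustomobject]@{
            ClientIp  = $_.Group[0].ClientIp
            Path      = $_.Group[0].Path
            Requests  = $_.Count
            User      = $_.Group[0].User
            UserAgent = $_.Group[0].UserAgent
        }
    }
}

# Constructed sample log (IIS W3C format with a trimmed field list), not real data.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 08:01:12 10.0.10.5 POST /mapi/emsmdb/ - 443 CONTOSO\jdoe 10.0.20.44 Microsoft+Office/16.0 200
2024-05-01 08:01:15 10.0.10.5 GET /ecp/ - 443 CONTOSO\exadmin 10.0.50.12 Mozilla/5.0 200
2024-05-01 08:02:03 10.0.10.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.20.44 Microsoft+Office/16.0 401
2024-05-01 08:02:30 10.0.10.5 POST /EWS/Exchange.asmx - 443 - 10.0.20.90 ExchangeWebServices/15.1 401
2024-05-01 08:03:10 10.0.10.5 GET /healthcheck.htm - 443 - 10.0.10.5 - 200
'@ -split "`r?`n"

# Admin workstation VLAN (placeholder). Anything else still hitting /owa, /mapi, /ews and friends is
# either a client that depends on this server or a connection worth questioning before the firewall
# rule goes in. On a real server, feed it Get-Content of the files under the W3SVC1 log folder.
Get-ClientAccessHits -LogLines $sampleLog -AdminCidrs @('10.0.50.0/24') | Format-Table -AutoSize
```

With the constructed lines, the /ecp request from the admin VLAN and the load balancer health check drop out, leaving the MAPI and Autodiscover hits from 10.0.20.44 and the EWS hit from 10.0.20.90. EWS traffic in particular is worth a second look: if it comes from Exchange Online's address ranges, the server is still being used for hybrid free/busy rather than just management.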
Your Azure AD Connect servers should be treated with the same respect as domain controllers. Don't install Exchange on those either; that's not a great idea. There's potentially some small edge cases where that might be okay, but you shouldn't do it today. Just don't do it. Install it on a VM on its own; if you just need the one for management purposes, keep it to itself, and keep it patched and up to date.

SMTP relay is sort of the big thing, and I've always thought that perhaps the reason Microsoft haven't prioritized removing the last Exchange server is that they know people still need SMTP relay. If you read my article, I go into this in a bit more detail on Practical 365. But vendors have had a long time to think about this as something to solve, because people have been moving to Exchange Online for like 10 years now, longer if you count Live@edu or BPOS. This isn't new to them. So if you speak to your vendor and they're saying, "Steve, we've never been asked about whether our application can send mail directly through Exchange Online before," then they can't be being honest with you. Perhaps they've spoken to somebody else in their organization who hasn't, or perhaps they've not spoken to the right person. They must have heard about this as a requirement, and it's been about two years now.
Since Microsoft said all of the stuff in Exchange Online is moving to OAuth, IMAP, POP3 and SMTP, those legacy protocols, can't be authenticated against with basic auth, so they'll have to use OAuth. So if your vendor is saying yes, we can work with Exchange Online, and you're looking at it and going "maybe not, though, because you want to use basic auth," then they've had two years to do this. You're not a special case; everybody is in that scenario, all of their other customers. So if they haven't started developing their software to use OAuth, whether they pick up from mailboxes or send out via SMTP, or they haven't started developing the software to use the Graph API, then what are they doing? And if they refuse to do anything, or it's applications that you've developed in house and the person has long since departed and there's 20 of them that you're never going to get through, then you need to find another solution. I talk through some of these in the article, but potentially Exchange Edge Transport servers, which can be installed in a perimeter network, in a DMZ, and aren't domain joined, could be a good way of being able to remove those Exchange servers, or perhaps even today, move your receive connectors across to those instead, so you use those as relay boxes. In a normal hybrid scenario you would have EdgeSync and it would be a fully integrated thing with your hybrid environment, but in the future, with no Exchange servers in your environment, what you might expect is that these are similar to standard OSS, open source type MTAs, where they are standalone and they've got a small config with a list of IPs for those legacy servers that you'll never get rid of that are allowed to relay. You know, multifunction copiers: I mean, who's in an office copying these days? Not so many people; the bottom has fallen out of that market, right, but maybe you've still got them and you've got to allow them to relay. Well, that could be your solution.

You could also roll your own. There's a lot of good MTAs out there. Back in the days when I used to work at a university, I used to run Exim, and it's a fantastic email server; it's not without its own security risks. Sendmail is okay, hard to configure. Postfix again, not too bad, easy to configure. But if you're not a Linux expert, or Unix, FreeBSD, OpenBSD or whatever floats your boat, if those aren't things you are experienced in, then the support for those, unless you buy a distribution like Red Hat Enterprise Linux with a support contract, at a similar cost to Windows Server, is little to non-existent. You won't always get the kind of help from the open source community; you'll be expected to have done your own research. And of course, if you don't know about Linux, then those machines could be compromised and you wouldn't even know it.
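The "small config with a list of IPs that are allowed to relay" idea, applied to the Exchange server you still have today, as an added example (not code from the video or from Practical 365). It creates one receive connector scoped to an explicit allow-list of legacy hosts, grants anonymous relay only on that connector, and then audits the server for any connector that hands the same relay right to the whole IPv4 space. It assumes an Exchange Management Shell session; the server name EX2016-01, the connector name and the IP ranges are placeholders.

```powershell
# Added example (not from the video or Practical 365): a receive connector that lets only an
# explicit list of legacy hosts relay through the last hybrid server, plus an audit for any
# connector that grants anonymous relay from the whole IPv4 space. Assumes an Exchange
# Management Shell session; the server name, connector name and IP ranges are placeholders.

$server     = 'EX2016-01'
$name       = 'Legacy App Relay'
$relayHosts = @('10.0.30.15', '10.0.30.16', '10.0.31.0/24')   # copiers, monitoring appliance, app subnet

# 1. One frontend connector on port 25, scoped to the allow-list. Exchange hands a session to the
#    connector whose RemoteIPRanges matches the sender most specifically, so these hosts land here
#    rather than on the Default Frontend connector.
$rc = Get-ReceiveConnector -Server $server | Where-Object { $_.Name -eq $name }
if (-not $rc) {
    $rc = New-ReceiveConnector -Server $server -Name $name -Custom -TransportRole FrontendTransport `
            -Bindings '0.0.0.0:25' -RemoteIPRanges $relayHosts
}

# 2. Anonymous submission plus the extended right that allows relaying to external recipients.
#    That right is what turns "accept mail for my domains" into "relay anywhere", so it belongs
#    only on this tightly scoped connector. Re-applying RemoteIPRanges keeps the list authoritative.
Set-ReceiveConnector -Identity $rc.Identity -PermissionGroups AnonymousUsers -RemoteIPRanges $relayHosts
Get-ReceiveConnector -Identity $rc.Identity |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Audit: report connectors that give anonymous senders Accept-Any-Recipient from 0.0.0.0-255.255.255.255.
#    The Default Frontend connector legitimately covers that range but must not carry this right.
function Get-AnonymousOpenRelayConnectors {
    param([string]$Server)
    foreach ($c in Get-ReceiveConnector -Server $Server) {
        $wideOpen = $c.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }
        if (-not $wideOpen) { continue }
        $anyRecipient = Get-ADPermission -Identity $c.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        if ($anyRecipient) { $c | Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups }
    }
}
Get-AnonymousOpenRelayConnectors -Server $server | Format-Table -AutoSize
```

Keeping the allow-list in a single variable also makes it the document you hand to whoever eventually builds the Edge Transport or open source relay that replaces this server: it is exactly the list of senders that still need to exist.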
So it's a solid thing if you have that experience, but if you don't, then do some decent research first. Or of course there's third-party solutions: if you want to use a third-party service, you can buy appliances that can do SMTP relay, or you can use third-party services as well. One of the comments on the blog post was, well, when we moved to Exchange Online there were limits on how many mails we could send. Those limits still exist, but I'm talking about a scenario today where you're relaying some application server traffic, maybe into Exchange Online; it comes in unsecured via SMTP to these on-prem Exchange servers and then it's being relayed over a TLS-secured channel into Exchange Online, either to your users, maybe it's your notifications from your logging appliance or similar, or maybe it is a small amount of email that is going outside, for customer notifications, service tickets and so on, and it has to come from your domain. If you are going to another solution that's going to relay outside of your organization, then factors like DKIM and DMARC mean that you'll probably need to use a subdomain for those, so mailrelay.practical365.com or marketing.practical365.com, so that it doesn't either get rejected or fall into people's junk email. So consider what your solution is now, because when Microsoft do come out with a solution you want to be ready to go; you don't want it to be legacy mail relay that holds you back. So talk to your vendors, be firm with them. I know it's hard; I have to do this myself and it's difficult because you're talking to people you know, and often they mean well, but you do have to be firm with them, because they know that this is coming, they know that they need to do this. So you've got that choice, or you've got an alternative solution to consider, right?

And keep the server up to date. You can see the other videos on this channel, the live streams. It's so important. Even if you're running it internally and you've got no mailboxes on it, sure, every single vulnerability that's getting found and dealt with by Microsoft and the security researchers who are finding this stuff, it's not going to affect every single Exchange hybrid server scenario; like the most recent one, if you're not running mailboxes you might not be at risk, but there's other stuff to consider as well. So keep the server up to date; even if it's not published to the outside world, it's important to do so.

And the question on one of the most recent blogs on this again was: I thought Microsoft said don't run antivirus on my Exchange server. Now, there certainly was a time where this could be troublesome, and there was some sort of train of thought years and years ago that it could cause problems, and to be frank, I used to run McAfee ePO, and once or twice the rules all reset and it blocked SMTP between some Exchange 2007 Hub Transport servers. Horrible, horrible morning. Rare, but that's not a reason to not run antivirus on the server. That's rare; it's a necessary risk versus the alternative. So use all of the guidance from Microsoft, which is there, that tells you what exclusions to set: obviously for SMTP traffic, so it doesn't block it, and obviously so it doesn't try and scan Exchange log files and databases. That's common stuff; it's been documented for at least 10 years now. And there's documentation if you're using Defender for Endpoint, what's now Plan 2, as your endpoint detection and response solution: there's guidance for how to use that with Exchange Server, and what it can do to help protect against unusual activity on those servers as well. And either get a SOC service, based on Sentinel ideally, or, if you're planning and in the process of building a SOC yourself, then make sure it covers Exchange, because it's one of those things that hybrid servers can get left behind, right? It's important and it will continue to be important as well.

And I've not said it in this video today, but it is always, always crucial: you need to make sure that you keep skills up to date with Exchange. If you're bringing people into the business, new IT pros who are cloud born, they still need these skills. What we saw earlier in the year was that it's not quite a lost art, but it's getting there, and that shouldn't be the case. A lot of experienced Exchange admins have moved on to do other things, because you've been told that there's no future in you being an Exchange admin; you're not going to go and find another job administering Exchange in many other places, given everybody else has moved to the cloud. And if you saw the video that we did with Ingo, then you know Ingo is still managing Exchange, but in the cloud; there's a lot to do there as well. But those on-premises skills you need to maintain for as long as you've got Exchange on prem, and if you're delegating that management task to your new, up-and-coming, excited experts in the business, then you need to help them with this. Impart some of your knowledge, point them at some really good training resources, get them up to speed so that they don't pass this by and think it's something we just use for management, don't worry about it. It's still something very, very important. And get ready, get preparing for that point when you can remove the last Exchange server, because that will be a great day, and you don't want to be the last person out the door.