How to deploy CodeTwo signature software in a hybrid environment

Problem:

You are looking for the best way to implement CodeTwo email signature software in your hybrid Exchange environment.

Solution:

Since the architecture of CodeTwo Email Signatures 365 and CodeTwo Email Signatures On-prem is completely different, the type of software you can use mostly depends on the location of user mailboxes in your organization. The two simplest scenarios assume that the mailboxes are stored either in the cloud or locally (on-premises), with some minor exceptions allowed.

If it's not possible for you to move all mailboxes to just one part of your hybrid environment, you can still use more advanced options provided by the Centralized Mail Transport feature in Exchange hybrid deployments or use both CodeTwo programs simultaneously.

See the information below to decide which scenario is best for you.

• Hybrid environments with the majority of mailboxes in one location (a local server or cloud)
• Hybrid environments with mailboxes located both in the cloud and on-premises

Hybrid environments with the majority of mailboxes in one location (a local server or cloud)

The following two points should address the needs of most hybrid environments, where the majority of mailboxes reside in the same (on-premises or cloud) part of an Exchange organization. Unifying the location of mailboxes simplifies the configuration of every software product that processes email messages, including CodeTwo software.

Mailboxes in the cloud

If most of your mailboxes are in the cloud but you still want to keep the hybrid configuration, the best option for you is to use CodeTwo Email Signatures 365. If any mailboxes remain in the on-premises (local) part of your organization, you can use CodeTwo Email Signatures On-prem software just for them, migrate them to the cloud later, or completely exclude them from processing by CodeTwo software.

Fig. 1. The default mail flow when using CodeTwo Email Signatures 365.

Learn more on how CodeTwo Email Signatures 365 works

Mailboxes on local (on-premises) servers

If your mailboxes are located only in the on-premises (local) part of your environment, use CodeTwo Email Signatures On-prem to add email signatures. This software uses a transport agent connected to the Microsoft Exchange Transport service. Since all your mailboxes reside locally, all your messages are routed through the on-premises server without any additional configuration.

Fig. 2. The default mail flow when using CodeTwo Email Signatures On-prem.

Find out more about the architecture of CodeTwo Email Signatures On-prem

If some of your mailboxes are in the cloud (but the majority resides on-premises), and you want to use your CodeTwo Email Signatures On-prem software to process emails sent from these mailboxes, you need to route these emails through your on-premises mail servers. For details, see the user's manual.

Hybrid environments with mailboxes located both in the cloud and on-premises

If mailboxes in your environment are currently spread between your Microsoft 365 (Office 365) tenant and the on-premises part of your environment, and it's not possible for you to move (migrate) them to a single location before you implement CodeTwo software, then you should consider two options:

• Enable Centralized Mail Transport (CMT) in your environment and configure an additional transport rule. The idea is to make your on-premises Exchange server responsible for the processing of all messages. The CMT configuration will route all outgoing messages through your local (on-premises) server, where they will be processed by CodeTwo Email Signatures On-prem. If you want to use CodeTwo Email Signatures 365 only and route external emails through your on-premises environment, check this article to learn how to do so. Additionally, you can set up an Exchange transport (mail flow) rule that forwards all internal emails sent between Microsoft 365 (cloud-only) mailboxes through the on-premises server, which does not happen with standard CMT configuration. To learn more about this deployment, see the user’s manual for CodeTwo Email Signatures On-prem.

  Learn more about Centralized Mail Transport

• If you cannot use Centralized Mail Flow in your environment (e.g., because you need to ensure your messages are delivered using a smart host), you can either:
  • configure CodeTwo Email Signatures 365 to handle the entire environment, or
  • use it with CodeTwo Email Signatures On-prem to work together.

    Warning

    The latter scenario should be applied only to certain types of environments because it requires advanced configuration and constant monitoring. Double-check if keeping all mailboxes in the same location or using Centralized Mail Transport is not a better option for your environment.

    Additionally, to integrate both CodeTwo programs, you need to manually create a distribution group that contains the people in your organization who have mailboxes in the cloud. This group needs to be available to both your on-premises organization and your Microsoft 365 (cloud) organization. To achieve that, you need to create the group in your Active Directory and then synchronize it to your Microsoft Entra ID (Azure Active Directory). Note that if the location of any mailbox changes over time, you will need to update the group accordingly. See these guidelines if you find such a solution appropriate for your environment.

How to use CodeTwo Email Signatures 365 to handle the entire hybrid environment

The principle underlying this idea of configuration is that both migrated users (with mailboxes in your Microsoft 365 tenant) and non-migrated ones (with mailboxes in the on-premises part of your environment) get cloud (server-side) signatures from CodeTwo.

From the administering viewpoint, the main advantage of such a setup is that you don’t need to buy and use two separate products. This way, the configuration is simpler and if you plan to move to the cloud, CodeTwo Email Signatures 365 will require only a minimum reconfiguration.

For this configuration to work, you need to set up your environment as follows:

1. Create a Microsoft 365 group in your cloud environment and populate it with the users already migrated to the cloud (with mailboxes in your Microsoft 365 tenant) who are to get signatures. You can name it, e.g., Cloud-Mailboxes.
2. Export the users whose mailboxes are still located on on-premises Exchange Server(s) and import them to your Microsoft 365 tenant, as described here but without assigning a license. Notify the users about their Microsoft 365 credentials, as they will need them later in step 6.

   Important

   Microsoft 365 user accounts created as highlighted in step 2 will not be automatically synchronized with your on-premises environment. To synchronize them manually, you need to follow instructions from this article.

3. Create a mail-enabled security group in your on-premises environment and populate it with the users from step 2. You can name it, e.g., OnPrem-Mailboxes.
4. Deploy CodeTwo Email Signatures 365 for your Microsoft 365 tenant, as highlighted in this video. Remember to choose cloud (server-side) or combo mode when registering your tenant – your on-premises users will be able to get signatures in the cloud.
5. Open the Signatures app and set up cloud (server-side) signature rule(s) for your users. Note that when adding users to the rule, in the Senders step, you will be able to pick both the licensed users (with a cloud mailbox) as well as unlicensed ones (without a cloud mailbox).
6. (Optional) Deploy the modern CodeTwo Signatures Web Add-in for Outlook via the Microsoft 365 admin center if you want your users to be able to preview cloud signatures in Outlook (watch this video to see how this works).

   Important

   This feature will work only for users whose mailboxes are located in the cloud.

Once you complete these steps, your cloud and on-premises users will get CodeTwo cloud signatures. 

How to use both CodeTwo Email Signatures 365 and CodeTwo Email Signatures On-prem in the same environment

The idea of this configuration is based on the following principles:

• CodeTwo Email Signatures 365 adds signatures for people with mailboxes in your Microsoft 365 (Office 365) tenant since the software is optimized for Microsoft 365.
• CodeTwo Email Signatures On-prem adds signatures for people with mailboxes in the on-premises part of your environment since all emails originating from there are processed using Exchange Transport Service, to which the CodeTwo software is connected.

To achieve such a configuration, follow these steps:

1. In your Active Directory, create a new universal distribution group for people with mailboxes in the cloud (Microsoft 365), and name it accordingly (e.g. CloudMailboxes).
2. Add members to this group: you need to add only those people in your organization who have their mailboxes in the cloud and are also supposed to get email signatures.

   Tip

   If you have already implemented CodeTwo Email Signatures 365 in your organization, then you probably already have such a group. If so, make sure that all its members have their mailboxes in the cloud.

3. Make sure the group is synchronized to your Entra ID (Azure AD).
4. Now you need to exclude this group from being processed by your CodeTwo Email Signatures On-prem software. To do that, open the Administration Panel of CodeTwo Email Signatures On-prem and create a new empty email rule.
5. Name it, for example Exclude cloud mailboxes.
6. Move the rule to the top of the list of rules so that it's executed as the first one.

7. On the Conditions tab, add your newly created AD group (here: CloudMailboxes, as shown in Fig. 3.).

Fig. 3. Setting up a rule in the Administration Panel to exclude users with online mailboxes from further processing.

8. Leave the Actions tab unmodified (skip it).
9. On the Options tab, select If this rule is applied > stop processing next rules.
10. Submit your changes. Creating and saving this rule will prevent your CodeTwo Email Signatures On-prem software from processing any messages that originate from your Microsoft 365 tenant (i.e., from the mailboxes located in the cloud).
11. Now you need to reconfigure the scope of senders whose emails will be routed through the CodeTwo Email Signatures 365 service so that it only includes the newly created group. You can reconfigure the senders' scope automatically, or you can do it manually.
12. For manual configuration, sign in to the Exchange admin center (EAC).
13. Navigate to Mail flow > Rules and click CodeTwo Exchange transport rule to select it. In the pane that opens, click the Edit rule conditions button to start editing the rule.

14. Modify the rule's conditions to make sure that the scope of senders is limited to the members of your newly created group (Fig. 4.).​

Fig. 4. Setting up the CodeTwo Exchange transport rule in Exchange Online to match only these users who have their mailboxes in Microsoft 365 and are supposed to get email signatures.

See also:

• Find out more about routing options in Exchange hybrid deployments