There will be situations where the client wants to route all email (including messages from Office 365 users to the Internet) through the on-premises Exchange server before it is sent out. The most common reason is centralised tracking and quarantining.
To do this, pick the option "Enable centralized mail transport" when running the Hybrid Configuration Wizard (HCW).
The only problem is that, when an Office 365 user sends an email to any Internet recipient, it fails with the NDR "5.7.1 Unable to relay". Examining the NDR further, it seems that the on-premises Exchange server (in my case, Exchange 2013 CU6) is rejecting the relay.
The only article I can find that relates to this problem is here (http://community.office365.com/en-us/f/148/t/265897.aspx), but I couldn't find the receive connector named "Inbound from Office 365" on my Exchange 2013.
So apparently, the Exchange 2007 HCW creates a new receive connector called "Inbound from Office 365", whereas the Exchange 2013 HCW just reconfigures the "Default Frontend ServerName" receive connector for TLS authentication with Exchange Online Protection, as seen in the following HCW log entry:
[10/06/2014 13:36:21] INFO : Session=OnPrem Cmdlet=Set-ReceiveConnector -Identity 'ServerName\Default Frontend ServerName' -TLSCertificateName 'CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=USCN=*.company.com, O=Company Name' -TLSDomainCapabilities 'CN=MSIT Machine Auth CA 2, DC=redmond, DC=corp, DC=microsoft, DC=comCN=mail.protection.outlook.com, OU=Forefront Online Protection for Exchange, O=Microsoft, L=Redmond, S=WA, C=US:AcceptCloudServicesMail' START
With Exchange 2013 CU6, there seems to be a bug: relay is not enabled on the "Default Frontend" receive connector.
According to the Microsoft engineer, it is a bug that has been highlighted to the product group.
So to fix the problem, I just need to issue the following command:
Get-ReceiveConnector "ServerName\Default Frontend ServerName" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
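
To check the result of the command above, the following added example (not part of the original post) lists every receive connector on which anonymous senders hold the relay right, together with the source addresses each one accepts. It assumes it is run in the Exchange Management Shell on the on-premises server; the "any source" comparison is a simple string match against the default full-range values.

```powershell
# Added example: report receive connectors that allow anonymous relay.
# Assumption: run in the Exchange Management Shell (Exchange 2013).
$right = 'ms-Exch-SMTP-Accept-Any-Recipient'
$anon  = 'NT AUTHORITY\ANONYMOUS LOGON'

# Range strings that mean "any source address" (IPv4 and IPv6).
$anySource = @(
    '0.0.0.0-255.255.255.255',
    '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'
)

$report = foreach ($rc in Get-ReceiveConnector) {
    # Keep only Allow entries that grant the relay right to anonymous senders.
    $aces = $rc | Get-ADPermission -User $anon |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) }
    if (-not $aces) { continue }

    # Normalise the accepted source ranges to strings for comparison.
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $open   = @($ranges | Where-Object { $anySource -contains $_ })

    [pscustomobject]@{
        Connector             = $rc.Identity
        Bindings              = ($rc.Bindings -join ', ')
        PermissionGroups      = $rc.PermissionGroups
        RemoteIPRanges        = ($ranges -join ', ')
        AcceptsAnySource      = [bool]$open.Count
        TlsDomainCapabilities = ($rc.TlsDomainCapabilities -join ', ')
    }
}

$report | Format-List
```

A connector listed with AcceptsAnySource set to True relays for any host that can reach it on its bindings, so it is worth confirming what limits the sources in practice (a perimeter firewall rule, or narrower RemoteIPRanges).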