
Exchange 2016 End of Support: The 3 Risks of the 'Do Nothing' Strategy

What are the risks of using Exchange Server 2016 after its end of support? Exchange Server 2016 (and Exchange 2019 with it) left extended support on 14 October 2025, and SharePoint Server 2016 reaches the same point on 14 July 2026. Organizations that stay on either product face three critical threats. First, Security Vulnerability: without regular patches, servers become easy targets for HAFNIUM-style exploitation of newly discovered flaws. Second, Financial Liability: where Microsoft offers Extended Security Updates (ESU) at all, its published model prices them at roughly 75% to 100% of the original license fee per year. Third, Compliance Failure: running unsupported software is a standard finding in HIPAA, PCI DSS and SOC 2 audits that you must justify with documented compensating controls and a dated remediation plan.

Raaj Raaj · 5 min read

In every migration consultation I run, there is a moment where the client pauses and looks at the budget. Then they ask the question that every engineer dreads.

"Raaj, honestly, what if we just don't move? What if we just keep the servers running? They work fine right now."

I understand why you ask this. You have a SharePoint 2016 farm that has been stable for a decade. You have an Exchange 2016 server that delivers email perfectly. Why spend money to fix something that isn't broken?

Here is the answer: Because "working" is not the same as "secure."

The End-of-Support deadline (October 2025 for Exchange 2016, July 2026 for SharePoint 2016) is not just a marketing event. It is an eviction notice. If you choose to keep your data in that building after the eviction date, you aren't saving money. You are gambling your entire company on a server rack that is about to lose its locks.

In this post, I am going to walk you through the specific engineering risks of staying on-premise. I will explain why "Extended Security Updates" are a financial trap and why your legacy server is the single biggest threat to your company's survival.

1. Remember Hafnium? That Was Just a Preview

Do you remember the HAFNIUM Exchange Server hacks of 2021?

Attackers chained several zero-day vulnerabilities (the ProxyLogon flaws) in on-premise Exchange 2013, 2016 and 2019. Within days of the flaws becoming public, tens of thousands of servers had been breached, many with web shells left behind for persistence. Microsoft shipped out-of-band patches on 2 March 2021. You applied them. You survived.

Now imagine that same scenario in 2027.

A new vulnerability is found in Exchange 2016. Attackers start scanning the internet for unpatched servers. They do not have to guess: the installed build is visible on the unauthenticated OWA logon page, so enumerating every internet-facing Exchange 2016 server takes hours, not weeks.

But this time, Microsoft does not send a patch.

Or if they do, it reaches only the customers who bought into an Extended Security Update program, and that procurement can take weeks.
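To make "they know exactly which servers run legacy code" concrete, here is an added example (not from the original post) of what an internet scanner sees: the unauthenticated OWA logon page links its stylesheets and icons under /owa/auth/<build>/, and that build string is the installed Cumulative Update. The HTML below is a constructed sample, not a capture from a real server; the Get-ExchangeBuildFromOwa function, the product table and the example hostname are this example's own.

```powershell
# Added example, not from the original post: how an internet scanner fingerprints
# an on-premises Exchange server from the OWA logon page, no login required.
# The page links its static assets under /owa/auth/<build>/, and <build> is the
# installed Cumulative Update. The HTML below is a constructed sample; the
# function name and the product table are this example's own.

$sampleLogonHtml = @'
<!DOCTYPE html>
<html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.2507/themes/resources/favicon.ico" type="image/x-icon">
<link rel="stylesheet" type="text/css" href="/owa/auth/15.1.2507/themes/resources/logon.css">
</head><body><form action="/owa/auth.owa" method="POST"></form></body></html>
'@

function Get-ExchangeBuildFromOwa {
    param([Parameter(Mandatory)][string]$Html)

    # Exchange 2013 and later all expose a 15.x build in this path.
    if ($Html -match '/owa/auth/(?<build>15\.\d+\.\d+(?:\.\d+)?)/') {
        $build = $Matches['build']
        $major, $minor = $build.Split('.')[0..1]

        # Major.minor identifies the product line; the third number rises
        # with each Cumulative Update. Exchange 2019 and Subscription Edition
        # share the 15.2 prefix, so telling those apart needs the full build.
        $product = switch ("$major.$minor") {
            '15.0'  { 'Exchange Server 2013' }
            '15.1'  { 'Exchange Server 2016' }
            '15.2'  { 'Exchange Server 2019 or Subscription Edition' }
            default { 'Unknown Exchange 15.x' }
        }

        return [pscustomobject]@{ Build = $build; Product = $product }
    }
    return $null
}

# Against the constructed sample: Build 15.1.2507, Product Exchange Server 2016.
Get-ExchangeBuildFromOwa -Html $sampleLogonHtml

# Against a server you own (hypothetical hostname), feed it the real page:
# $page = Invoke-WebRequest -Uri 'https://mail.example.com/owa/auth/logon.aspx' -UseBasicParsing
# Get-ExchangeBuildFromOwa -Html $page.Content
```

A scanner does exactly this across every IPv4 address with port 443 open, which is why a newly published Exchange flaw is followed within hours by exploitation attempts against the servers whose build says they are still vulnerable. Only point this at servers you are authorized to test.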

The Zombie Server Problem

Running unsupported software means you are running a "Zombie." It walks and talks like a server, but it has no immune system.

  • SharePoint 2016 Vulnerability: If you store contracts or PII (Personally Identifiable Information) here, you are one unpatched vulnerability away from a massive data leak.
  • Exchange 2016 Exposure: This server is the front door to your company. Leaving it unpatched is like taking the lock off your front door because "nobody has robbed us yet."

At ClonePartner, we refuse to build architectures on crumbling foundations. You cannot secure a system that the vendor has abandoned.

2. The Mathematics of ESU (It's a Trap)

You might think that paying for "Extended Security Updates" (ESU) is a smart way to buy time.

Let's look at the math. ESU is designed to be punitive. Microsoft does not want you to stay on-premise. They price these updates to force you to move.

The Cost Multiplier

  • Year 1: 75% of the original license cost.
  • Year 2: 100%.
  • Year 3: 125%.

Those percentages are Microsoft's published ladder for Windows Server and SQL Server ESU. For Exchange Server 2016 and 2019, Microsoft did not offer a multi-year program at all, only a short paid extension of roughly six months past the October 2025 end of support, and only to customers already migrating. "Buying time" with ESU is not even a long-term option there.

You are not buying new features. You are not buying better performance. You are paying a massive "Ransom" just to receive basic security patches.

Every dollar you spend on ESU is a dollar you didn't spend on modernizing. Over three years at that ladder you will have paid roughly three times the original license cost for patches alone. And at the end of those three years? You still have to migrate.

The Better Investment

Take that ESU budget. Use it for a Fixed-Cost Migration. For the price of keeping the lights on in the graveyard, you could move to a modern environment. You stop paying ESU fees. You stop carrying the patch cycle for an internet-facing mail server yourself. You gain access to modern tools like Copilot that simply do not exist on-premise.

See our breakdown of Real Migration Costs to see how the numbers stack up.

3. The Talent Pool is Drying Up

This is the operational risk that nobody puts on a spreadsheet.

Who manages your Exchange 2016 server right now? Probably a senior engineer named Dave. Dave has been with the company for 15 years. He knows the PowerShell scripts by heart. He knows which cable to jiggle when the RAID array beeps.

What happens when Dave retires in 2027?

Try hiring a "SharePoint 2016 Administrator" in 2027. You won't find one.

New engineering graduates are learning React, Azure, and Power Platform. They are not learning how to manage IIS logs on Windows Server 2012 R2.

The Legacy Knowledge Trap

By staying on-premise, you are locking yourself into a shrinking talent pool.

  • Consultants will charge you $400/hour because they are the only ones left who remember how the old system works.
  • If the server crashes and your lead admin is unavailable, your business stops.

Moving to the Cloud removes most of this dependency. You draw on a global pool of engineers who work with Microsoft 365 every day, and you are no longer held hostage by "Legacy Knowledge."

4. Compliance Audits Will Flag It

I touched on this in my Security & Data Sovereignty Guide, but it is critical for regulated industries.

If you are in Healthcare, Finance, or Government, your compliance obligations assume vendor-supported software.

  • PCI DSS: version 4.0 requirement 12.3.4 makes you review, at least every 12 months, that every hardware and software technology in the cardholder environment still receives security fixes from its vendor, and document a remediation plan where it does not. Requirement 6.3.3 requires critical security patches to be installed within a month of release. Neither can be satisfied on a product that no longer gets patches.
  • HIPAA: the Security Rule's risk analysis and risk management standards (45 CFR 164.308(a)(1)) require you to identify known vulnerabilities to ePHI and reduce them to a reasonable level. An unpatched mail server carrying patient correspondence does not pass that test without compensating controls.

Running End-of-Life (EOL) software is a standard finding under these frameworks and under SOC 2. It does not fail you on the spot, but the auditor will ask for a documented compensating control and a dated remediation plan, and "We plan to migrate soon" is neither.

The Secure Path

Migrate now. But do it securely. Use our "Binary on VPC" method to keep your data private during the move. Land in a compliant, evergreen Microsoft Cloud environment. Pass your audit without needing to explain why you are running 10-year-old servers.

Summary: The Cost of Inaction is Too High

The "Do Nothing" option feels safe because it requires zero effort today. But in engineering terms, it is the highest-risk path you can take.

Your Choice

  1. Stay On-Prem: Pay skyrocketing ESU fees. Pray hackers don't find a zero-day. Hope your Lead Admin doesn't retire.
  2. Migrate Now: Pay a one-time fixed fee. Modernize your stack. Sleep at night.

We Make the Hard Choice Easy

I know migration is scary. I know you are worried about downtime and broken data. That is why ClonePartner exists.

  • We have done 750+ Migrations.
  • We use Automated Validation to prove your data is safe.
  • We offer Unlimited Sample Migrations so you can see the result before you commit.

Don't wait for the server to crash. Let’s build the lifeboat now.

Book a "Risk Assessment" Call

I will look at your legacy footprint and give you a candid, engineer-to-engineer assessment of your risks and a roadmap to get out.

Frequently Asked Questions

Can we keep our data on-premise but use the cloud for email?
Yes. This is called a Hybrid Exchange deployment. It allows you to move mailboxes to Exchange Online while keeping an on-premise server for recipient management, because on-premise Active Directory remains the source of authority for mail attributes. However, that remaining server MUST be on a supported version, which today means Exchange Server Subscription Edition. Exchange 2019 left support on the same day as 2016, so upgrading to 2019 only moves the problem, and you cannot leave it on version 2016.
Does ClonePartner handle the upgrade from 2016 to 2019 if we decide to stay on-prem?
We specialize in cloud migrations, but we can assist with "Modernizing On-Prem" if you have a strict regulatory requirement. However, we strongly advise against this unless absolutely necessary, as the long-term support costs for on-premise hardware are increasing rapidly.
Is my SharePoint 2013 server also at risk?
SharePoint 2013 left all support (mainstream and extended) in April 2023. If you are still running 2013, you are in a critical "Red Zone." The migration path from 2013 to Online is more complex than from 2016 because it often requires a "double hop" upgrade (2013 to 2016, then to Online). We can script this to happen in one pass.
How do we know if we have been compromised before we migrate?
Part of our Pre-Migration Audit involves scanning your current environment. If we find suspicious web shells or unauthorized admin accounts (common in old Exchange servers), we will flag them for your security team before we move a single byte of data.
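The kind of check described in this answer, and the build check implied by section 1, as an added example that is not ClonePartner's Pre-Migration Audit tooling and is not from the original post. It is meant to be run in the Exchange Management Shell, as an administrator, on the Exchange 2016 server itself; the 30-day window, the directory list, the regular expression and the choice of privileged groups are assumptions made for this demonstration.

```powershell
# Added example (not ClonePartner's tooling, not from the original post).
# Run in the Exchange Management Shell as an administrator on the Exchange
# server. $daysBack, the directories, the regex and the group list are
# assumptions for this demo; tune them to your environment.

$daysBack = 30
$since    = (Get-Date).AddDays(-$daysBack)

# --- 1. Installed build -----------------------------------------------------
# Get-ExchangeServer's AdminDisplayVersion only shows the Cumulative Update.
# The file version of ExSetup.exe also moves with each Security Update, so it
# is the number to compare against Microsoft's published Exchange build table.
$exsetup     = Get-Command ExSetup.exe -ErrorAction Stop
$build       = $exsetup.FileVersionInfo.ProductVersion
$lastPatched = (Get-Item $exsetup.Path).LastWriteTime
Write-Host "Exchange build $build; binaries last updated $lastPatched"
if ($build -like '15.1.*') {
    Write-Warning 'Exchange Server 2016 left extended support on 14 October 2025.'
}

# --- 2. Web shells in the IIS-facing directories ----------------------------
# These are the directories HAFNIUM-style intrusions dropped ASPX web shells
# into. A script file written after the last Exchange update did not come
# from Microsoft's setup and needs a human to look at it.
$exRoot  = $env:ExchangeInstallPath          # set by Exchange setup
$webDirs = @(
    (Join-Path $exRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exRoot 'FrontEnd\HttpProxy\ecp\auth'),
    'C:\inetpub\wwwroot\aspnet_client'
) | Where-Object { Test-Path $_ }

# Assumed patterns: typical one-line web shell bodies.
$shellPattern = 'eval\s*\(\s*Request|Runtime\.ProcessStartInfo|System\.Diagnostics\.Process'

$webFindings = Get-ChildItem -Path $webDirs -Recurse -File `
        -Include *.aspx, *.asp, *.ashx, *.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $lastPatched } |
    ForEach-Object {
        [pscustomobject]@{
            File         = $_.FullName
            LastWrite    = $_.LastWriteTime
            ShellPattern = [bool](Select-String -Path $_.FullName -Pattern $shellPattern -Quiet)
        }
    }
Write-Host "Script files newer than the last Exchange update: $(@($webFindings).Count)"
$webFindings | Format-Table -AutoSize

# --- 3. Privileged accounts created recently --------------------------------
# Attackers who land on Exchange often add their own accounts to Exchange's
# Organization Management role group or to Domain Admins for persistence.
# The ActiveDirectory module is an Exchange prerequisite (RSAT-ADDS).
Import-Module ActiveDirectory -ErrorAction Stop
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Organization Management'
$newAdmins = foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties whenCreated, LastLogonDate |
        Where-Object { $_.whenCreated -gt $since } |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, whenCreated, LastLogonDate
}
Write-Host "Privileged accounts created in the last $daysBack days: $(@($newAdmins).Count)"
$newAdmins | Format-Table -AutoSize

# ApplicationImpersonation lets its holder read any mailbox; know who has it.
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Select-Object Name, RoleAssignee, RoleAssigneeType
```

Treat every hit as a lead for your security team, not a verdict: a file newer than the last update may be a legitimate customization, and a new admin may be Dave's replacement. If something does look like a web shell, preserve it and the IIS logs rather than deleting it, because the investigation needs the evidence. For a fuller build and known-vulnerability report, Microsoft's HealthChecker.ps1 from its CSS-Exchange project covers far more than this snippet.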
Can we just use a firewall to protect the old server?
A firewall helps, but it is not a cure. To deliver mail at all, the server has to accept connections from the internet on TCP 443 (OWA, ActiveSync, EWS, Autodiscover) and TCP 25 (SMTP), and the HAFNIUM exploits walked straight in through that 443 listener with no credentials. Beyond that, most modern attacks start with Phishing or Credential Theft, which the firewall never sees. Once the attacker is inside your network, an unpatched Exchange server is an easy target for "Lateral Movement" to take over your entire domain, because Exchange holds high-privilege rights in Active Directory.
