The SharePoint 2013 hybrid capabilities are intended to let users in Office 365 access and search across certain content from an on premises SharePoint farm. By design, current hybrid features cannot be configured to simultaneously allow users outside a corporate network to access the on premises farm, and to also allow on premises content to be used in Office 365. To support both scenarios users will need to connect directly to the on premises SharePoint farm through a solution such as DirectAccess or VPN. That will enable users to access an on premises farm both when they are on a corporate network in addition to outside of that corporate network, as well as use the hybrid capabilities to work with data both from Office 365 and SharePoint on premises.
Using the search hybrid feature of SharePoint 2013 can best be accommodated with a single zone in SharePoint and a split DNS. The reason I suggest a single zone is so that search results in Office 365 will be rendered using the same Url that users use to access content. The reason I suggest split DNS is so that users can be redirected to an endpoint that uses standard SharePoint security mechanisms for authentication, but queries from Office 365 can be directed through a reverse proxy configured to use certificate authentication. The hybrid search feature in SharePoint 2013 supports sending a certificate for authentication as part of the query request. Here’s a diagram to illustrate:
Using the example diagram above, when the user requests www.contoso.com, they are on corpnet so the internal DNS routes them to the internal address of 10.9.8.7. That is a load balancing device that sends their request onto one of the SharePoint web front ends where they will be authenticated and can access their content.
They are still on corpnet – either physically or via DirectConnect or VPN as described above – and they browse their Office 365 tenant on contoso.sharepoint.com. Their Office 365 tenant is configured to use the search hybrid features so when a user executes a query, that query will also be sent to the on premises SharePoint farm. The request goes from Office 365 to www.contoso.com. Since Office 365 is using the external DNS though, it resolves that to the address 188.8.131.52. A reverse proxy device is listening on that address and it requires certificate authentication. The search hybrid features are designed to respond to requests for certificate authentication, so Office 365 sends the certificate to authenticate the request. Once the reverse proxy device completes the certificate authentication it forwards the request onto the internal load balancer at 10.9.8.7, where it gets routed to one of the SharePoint web front ends. When the search results are rendered they use www.contoso.com as the host name. When a user clicks on that search result, they are still on corpnet so they again use the internal DNS to resolve that, which will be 10.9.8.7. When they request the content then, it will be routed to the load balancer and onto SharePoint and the user will be able to retrieve the content.