When Exchange 2013 was released a couple of years back, there were many changes in the Exchange 2013 architecture, notably the consolidation of the many roles of previous Exchange versions into the CAS and Mailbox roles in Exchange 2013.
However, one role was discontinued: the Edge Transport role, which was responsible for providing the first line of defense against malware, spam and viruses. In Exchange 2013, malware and spam filtering was done by the CAS together with the Mailbox role, which was good but didn't address the security scenario of every organization, so with the release of Exchange 2013 SP1 Microsoft reintroduced the Edge Transport role in Exchange 2013.
In this article we will talk about how to install the Edge Transport role and configure it.
Overview: The Edge Transport server role is one of the three roles now available with Exchange 2013 SP1. The main purpose of the Edge Transport role is to minimize the attack surface by handling all Internet-facing mail flow; it provides SMTP (Simple Mail Transfer Protocol) relay and smart host services for your Exchange organization. The Edge Transport server is usually placed in the perimeter network, or DMZ. Edge Transport has some additional transport agents that are not installed on Mailbox servers. Here is the complete list of transport agents for Edge Transport:
In comparison, here is the list for the Mailbox server role.
Prerequisites for Installing Edge Transport
Note: Edge doesn't need to be a domain-joined machine, although you can also use a domain-joined machine for installing the Edge Transport role. However, a workgroup machine still needs to resolve the Mailbox server name, and the Mailbox server must be able to resolve the Edge server, so an FQDN is required.
Configure Edge Server Primary Suffix
- Change the computer name and also provide the primary DNS suffix as seen in the screenshot below.
- Create an A (host) record in DNS for the Edge server.
Note: Make sure the Edge Transport server is pingable from the internal network.
Open Firewall Ports
- Port TCP 25 (SMTP) inbound/outbound between the Internet and the Edge Transport server
- Port TCP 25 (SMTP) inbound/outbound between the Edge Transport server and the internal network
- Ports TCP 50636 and 50389 from the internal network to the Edge Transport server for EdgeSync
Installing Active Directory Lightweight Directory Services
Note: The Edge server doesn't have access to Active Directory. However, the Edge server sometimes needs information from AD, such as the Mailbox server configuration and recipient information.
AD LDS is required to store the configuration and recipient information used by the Edge Transport server.
1. Open PowerShell on the Edge server and run it as administrator.
2. Import the Server Manager PowerShell module: Import-Module ServerManager
3. Run Install-WindowsFeature ADLDS.
Installing the Exchange Server 2013 Edge Transport Role
1. Open a command prompt and run it as administrator.
2. Type Setup.exe /m:Install /r:et /IAcceptExchangeServerLicenseTerms
3. Restart the server once the installation is complete.
Configuring Edge Subscription for Exchange Server 2013
An Edge Transport server doesn't have direct access to Active Directory. The configuration and recipient information the Edge Transport server uses to process messages is stored locally in AD LDS. Creating an Edge Subscription establishes secure, automatic replication of information from Active Directory to AD LDS. The Edge Subscription process provisions the credentials used to establish a secure LDAP connection between Exchange 2013 Mailbox servers and a subscribed Edge Transport server. The Microsoft Exchange EdgeSync service (EdgeSync) that runs on Mailbox servers performs periodic one-way synchronization to transfer up-to-date data to AD LDS. This reduces the administration tasks you perform in the perimeter network by letting you configure the Mailbox server and then synchronize that information to the Edge Transport server.
You subscribe an Edge Transport server to the Active Directory site that contains the Mailbox servers responsible for transferring messages to and from your Edge Transport servers. The Edge Subscription process creates an Active Directory site membership affiliation for the Edge Transport server. The site affiliation enables Mailbox servers in the Exchange organization to relay messages to the Edge Transport server for delivery to the Internet without having to configure explicit Send connectors.
One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server can't be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription.
Create an Edge Subscription file:
Log on to your Edge Transport server and open the Exchange Management Shell as administrator.
Type the command below to create the subscription file.
Copy the Edge Subscription file to a Mailbox server
- Copy the Edge Subscription file to a Mailbox server or to a file share that's accessible from the Active Directory site containing your Mailbox servers.
- Log on to the Mailbox server.
- Open the Exchange Management Shell and run the command below.
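The whole subscription procedure above (export on the Edge server, import on a Mailbox server, then force and verify the first synchronization), as an added Exchange Management Shell example that is not part of the original article; the file path and the site name "Default-First-Site-Name" are assumptions for your environment.

```powershell
# --- On the Edge Transport server (Exchange Management Shell, run as administrator) ---
# Export the Edge Subscription file. The path is an assumption; any local path works.
New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

# --- On a Mailbox server in the Active Directory site that will relay through this Edge ---
# The file is passed as a byte array. -Site must be the AD site that contains the Mailbox
# servers responsible for mail flow to this Edge server (assumed: Default-First-Site-Name).
$subscriptionFile = "C:\EdgeSubscriptionInfo.xml"
$fileData = [byte[]](Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name" `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# Start the first replication now instead of waiting for the EdgeSync schedule,
# then confirm that AD LDS on the Edge server reports a synchronized state.
Start-EdgeSynchronization -ForceFullSync
Test-EdgeSynchronization | Format-List

# The subscription file carries the bootstrap credentials for the secure LDAP channel;
# delete it on both servers once the import has succeeded.
Remove-Item -Path $subscriptionFile -Force
```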
Remove External Send Connector
The Edge Subscription creates two Send connectors for relaying mail to the Internet. If you had earlier configured Internet-bound Send connectors, you need to remove them after you have deployed the Edge Transport server role.
To list the Send connectors, run the command below:
To remove a Send connector, use the command below:
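An added example (not from the original article) for the Send connector clean-up described above: it lists all Send connectors, separates the two EdgeSync-managed connectors from any Internet-bound connector that pre-dates the Edge deployment, and removes only the latter after review. The connector naming pattern assumed is the one EdgeSync generates ("EdgeSync - <site> to Internet" and "EdgeSync - Inbound to <site>").

```powershell
# Run on a Mailbox server after the Edge Subscription has been imported.
# Show every Send connector with the properties that distinguish EdgeSync-managed
# connectors from ones an administrator created earlier.
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers, Enabled -AutoSize

# Keep the EdgeSync connectors. A connector that is not EdgeSync-managed and whose
# address space includes "*" (all Internet domains) is a legacy Internet connector
# that now competes with the Edge route and should be removed.
$legacy = Get-SendConnector | Where-Object {
    $_.Name -notlike "EdgeSync*" -and
    (($_.AddressSpaces | ForEach-Object { $_.Address }) -contains "*")
}

# Review the candidates before touching anything.
$legacy | Format-Table Name, AddressSpaces, SourceTransportServers -AutoSize

# Safer first step: disable the legacy connector and confirm mail still flows via Edge.
$legacy | Set-SendConnector -Enabled $false

# Once Internet mail flow through the Edge connectors is verified, remove it for good.
$legacy | Remove-SendConnector -Confirm:$true
```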