
Nov 30 2012

Configuring Exchange 2010 Edge Transport Server Role

If you want to keep the bad guys out of your Exchange infrastructure, an Edge Transport server is what you need. It also filters mail, getting rid of spam and viruses, and with third-party software installed on the box it can do wonders. The installation itself is straightforward, as shown in the installation guide, so let's get to the configuration of the Exchange Edge Transport Server role.

This Exchange role needs to sit in a DMZ, so forget about putting it on the internal network. Not that you can't, but what would be the point? If a hacker manages to compromise an Edge server that sits on the internal network, he is already inside it. The following diagram shows an example of an Exchange infrastructure with an Edge server attached.


Oh yeah, one more thing, and an important one: DON'T join it to a domain. Leave it in a workgroup and set the DNS suffix as shown in the installation guide. If you don't have a DNS server in your DMZ, you will have to edit the hosts file on the Edge server so it can resolve the name of the Hub Transport server. The address you put there is whatever the Edge server must use to reach the Hub, which in practice is the external IP of the firewall that protects the internal network, but you get the point.

The following ports need to be opened on the firewall so that communication can actually take place between the Edge Transport server and the Hub Transport server:

– Port 25 / TCP (SMTP) in both directions

– Port 50636 / TCP (EdgeSync service over SSL) from internal to DMZ
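The name-resolution and firewall checks from the two paragraphs above, as an added example that is not part of the original post. It assumes hypothetical names and addresses (Hub Transport server HUB01.corp.local reachable from the DMZ at 192.168.1.10) and is meant to be run in an elevated PowerShell on the Edge server; the Test-TcpPort helper is defined here, it is not an Exchange cmdlet.

```powershell
# Added example: prepare hosts-file resolution on a workgroup Edge server and verify
# the SMTP path to the Hub before creating the subscription.
# Assumed (hypothetical) values:
$hubFqdn = 'HUB01.corp.local'
$hubIp   = '192.168.1.10'    # address the Edge server uses to reach the Hub (firewall NAT)
$hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. No DNS in the DMZ: add a hosts entry, but only if the name is not already there.
$pattern  = '^\s*\S+\s+' + [regex]::Escape($hubFqdn) + '(\s|$)'
$existing = Get-Content -Path $hosts | Where-Object { $_ -match $pattern }
if (-not $existing) {
    Add-Content -Path $hosts -Value "$hubIp`t$hubFqdn"
}

# 2. Confirm the name now resolves to the address we expect and nothing else.
$resolved = [System.Net.Dns]::GetHostAddresses($hubFqdn) |
            ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $hubIp) {
    throw "$hubFqdn resolves to '$($resolved -join ', ')' instead of $hubIp"
}

# 3. Helper: open a TCP connection with a timeout (works on Server 2008 R2, which has
#    no Test-NetConnection). Returns $true when the port answers.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP 25 must work from the Edge towards the Hub (inbound mail flow).
if (-not (Test-TcpPort -ComputerName $hubFqdn -Port 25)) {
    Write-Warning "TCP 25 from the Edge to $hubFqdn is blocked; check the firewall rule."
}
# TCP 25 and TCP 50636 (EdgeSync over SSL) are opened from the internal network to the
# DMZ, so run the same helper on the Hub against the Edge server's FQDN:
#   Test-TcpPort -ComputerName 'EDGE01.corp.local' -Port 25
#   Test-TcpPort -ComputerName 'EDGE01.corp.local' -Port 50636
```

If the hosts entry has to be changed later (for example after a firewall re-address), the EdgeSync lease on the Hub side is unaffected, but mail flow to the Hub will fail until the new address is in place, so test port 25 again after any change.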

Now we need to create the subscription, which is an XML file. Fire up the Exchange Management Shell on the Edge Transport server, run the New-EdgeSubscription cmdlet with the path of the file to create, then press ENTER.

In my case:

You will see two warnings on this screen. The first one says that if you answer YES and continue with the subscription, the existing configuration of the Edge Transport server (accepted domains, Send connectors and the like) will be overwritten by what EdgeSync replicates from the organization. The second one is about the time you have to complete the subscription: if the XML file is not imported on the Hub Transport server and the subscription completed within 1440 minutes (24 hours), it expires and you will have to create another one. Keep in mind that the file contains the credentials EdgeSync uses to connect to the Edge server, so copy it to the Hub over a trusted channel and delete every copy once the subscription has been imported.

On the HUB Transport server open the EMC (Exchange Management Console), and go to Organization Configuration > Hub Transport. From the Actions pane click the New Edge Subscription link.

In the New Edge Subscription wizard, select the Active Directory site that contains the Hub Transport servers this Edge server will synchronize with, then provide the XML subscription file. There is a check box, Automatically create a Send connector for this Edge Subscription. If you leave it enabled, the wizard creates a Send connector that routes messages from the Exchange organization to the Internet through the Edge server. Press New when you're done.

The Hub Transport server has to be able to resolve the FQDN of the Edge Transport server, so make sure it can (through DNS, or a hosts entry on the Hub if the Edge name lives nowhere else).

You should see the subscription on the Edge Subscriptions tab, and the Send connectors on the Send Connectors tab.


Wait a few minutes for the synchronization to complete, then check whether everything worked. On the Hub Transport server open the EMS (Exchange Management Shell) and run Test-EdgeSynchronization:

If it shows Normal in the SyncStatus column, you are good to go.

If it has not synchronized yet, you can force the process by running Start-EdgeSynchronization from the Hub Transport server:

You can open the EMC on the Edge Transport server and take a look at the Accepted Domains tab and Send Connectors tab. This also indicates the synchronization succeeded.
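The whole subscription procedure above, done from the Exchange Management Shell instead of the console, as an added example that is not part of the original post. The file path C:\EdgeSubscription.xml, the site name Default-First-Site-Name and the server name EDGE01 are assumptions; the cmdlets and parameters are the Exchange 2010 ones.

```powershell
# Added example: Edge subscription end to end from the EMS.
# Assumed (hypothetical) values: C:\EdgeSubscription.xml, site Default-First-Site-Name, Edge server EDGE01.

# --- On the Edge Transport server -------------------------------------------------
# Writes the subscription XML. Answer Y to the warning that the existing Edge
# configuration will be overwritten by EdgeSync; the file is valid for 1440 minutes.
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'
# Copy the file to the Hub over a trusted channel. It carries the credentials EdgeSync
# uses to bind to the Edge server, so remove every copy once the import is done.

# --- On the Hub Transport server --------------------------------------------------
# -FileData takes the raw bytes of the file. The two -Create* switches mirror the
# wizard's "Automatically create a Send connector" check box.
New-EdgeSubscription `
    -FileData ([byte[]](Get-Content -Path 'C:\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)) `
    -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true `
    -CreateInboundSendConnector $true
Remove-Item -Path 'C:\EdgeSubscription.xml'

# Do not wait for the EdgeSync timer; push the first synchronization now.
Start-EdgeSynchronization

# Verify: every subscribed Edge server must report SyncStatus = Normal.
$status = Test-EdgeSynchronization
$status | Format-Table Name, SyncStatus, UtcNow, LastSynchronizedUtc -AutoSize
$notSynced = $status | Where-Object { $_.SyncStatus -ne 'Normal' }
if ($notSynced) {
    $notSynced | ForEach-Object { Write-Warning "$($_.Name): SyncStatus is $($_.SyncStatus)" }
}

# What was created: the subscription itself and the Send connectors that use EDGE01
# as their source server (these are the ones EdgeSync replicates down to the Edge).
Get-EdgeSubscription |
    Format-List Name, Site, CreateInternetSendConnector, CreateInboundSendConnector
Get-SendConnector |
    Where-Object { $_.SourceTransportServers -match 'EDGE01' } |
    Format-Table Name, AddressSpaces, SmartHosts, RequireTLS -AutoSize
```

A SyncStatus other than Normal right after the import usually means the Hub cannot reach TCP 50636 on the Edge, or cannot resolve the Edge FQDN; FailureDetail in the Test-EdgeSynchronization output says which.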




3 comments

  1. Adel

    Thank You So Much

  2. Keith Newson

    How do you configure the FQDN of the send connectors afterward? I'm trying to make sure that transmission over TLS works and the FQDN doesn't keep complaining about Event ID 12014, which pertains to the certificate that is installed on the server.

    Thanks,

    Keith

    1. Adrian Costea

      Hi,
      This should help: Change FQDN on send connector
