MSExchangeGuru.com


Exchange 2013 SP1: Edge Transport Server Installation and Configuration

The Edge Transport Server has protected many Exchange infrastructures, and we have been happy to rely on Microsoft for this since anti-spam arrived in Exchange 2003 SP2.

Many of us were waiting for the Edge Transport Server to come back in Exchange 2013, and with the release of SP1 Microsoft gave us the Edge Transport Server again.

The new Edge Transport can only be managed from the Exchange Management Shell until we create a subscription.

Once we configure the subscription, we can manage Edge Transport from the Exchange 2013 SP1 ECP, which runs on the CAS 2013 server. This means Edge Transport does not come with a separate EAC or ECP component.

Most of the time we place the Edge Transport server in the DMZ.

Let us have a look at the installation and the possible configuration options.

 

Ports:

Open the following ports on your DMZ firewalls.

Internet <--> Edge Transport Server

  SMTP TCP 25 – Mail flow

Edge Transport Server <--> Intranet

  SMTP TCP 25 and 2525 – Mail flow
  DNS TCP/UDP 53 – DNS resolution
  RDP TCP 3389 – Remote Desktop
  LDAP TCP 50389 – Used locally to bind to the AD LDS instance; there is no need to open this port on the perimeter firewall.
  Secure LDAP TCP 50636 – Directory synchronization from the Mailbox servers to AD LDS
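The port list above is easiest to verify from the Edge server itself before you start the subscription. The script below is an added example and is not from the original post; the server names and addresses in it are placeholders that you replace with your own. It probes each TCP port the list requires in the Edge-to-intranet direction, and shows the two checks that have to be run from the other side (50636 from a Mailbox server, 25 from outside the perimeter). Test-NetConnection only speaks TCP, so UDP 53 is confirmed indirectly through the Resolve-DnsName call at the end.

```powershell
# Added example (not part of the original post). Run in PowerShell on the Edge Transport server
# (Test-NetConnection and Resolve-DnsName need Windows Server 2012 R2 or later).
# All host names and IP addresses below are placeholders.

$mailboxServer = 'mbx01.corp.example.com'   # placeholder: internal Mailbox server FQDN
$internalDns   = '10.0.0.10'                # placeholder: AD DNS server on the corporate LAN

# Edge -> Intranet ports from the list above (TCP only; Test-NetConnection cannot probe UDP 53)
$checks = @(
    @{ Host = $mailboxServer; Port = 25;    Purpose = 'SMTP mail flow to the Mailbox server' },
    @{ Host = $mailboxServer; Port = 2525;  Purpose = 'SMTP when CAS and MBX share one server' },
    @{ Host = $internalDns;   Port = 53;    Purpose = 'DNS resolution (TCP part only)' },
    @{ Host = 'localhost';    Port = 50389; Purpose = 'AD LDS LDAP, local binding only' }
)

foreach ($c in $checks) {
    $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    '{0,-8} {1}:{2,-6} {3}' -f $state, $c.Host, $c.Port, $c.Purpose
}

# Inbound checks have to be run from the other side of the firewall:
#   - from a Mailbox server: TCP 50636 (secure LDAP for EdgeSync) to the Edge server
#   - from outside the perimeter: TCP 25 to the Edge server's public address
$edgeServer = 'edge01.corp.example.com'     # placeholder
(Test-NetConnection -ComputerName $edgeServer -Port 50636 -WarningAction SilentlyContinue).TcpTestSucceeded

# Name resolution must work in both directions before the subscription is created;
# a successful answer here also proves the DNS path (normally UDP 53) is open.
Resolve-DnsName -Name $mailboxServer -Server $internalDns -Type A
```

RDP 3389 is on the list because the server sits in a workgroup in the DMZ; the firewall rule for it should be scoped to the administrative hosts that actually need it rather than to the whole LAN.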

 

 

Installation:

  1. This will be a server in a workgroup, with the Active Directory domain name as the DNS suffix of the full computer name. See the screen shot.

  2. Point the DNS settings to the Active Directory DNS on the corporate LAN side of the firewall. Use only the LAN DNS and no public DNS; let the DNS server do the forwarding or use root hints.

  3. Install AD LDS from Add Roles in Server Manager. No configuration is required; Exchange will configure it.

  4. Install the Exchange prerequisites with the help of my blog here.

  5. Install the Exchange 2013 SP1 Edge Transport Server.

 

a. Run setup.exe. Select “Don’t check for updates right now”.

b. Setup now copies the files it needs to start the installation.

c. Click Next on the screen that follows.

d. Accept the license agreement and click Next.

e. Select “Don’t use recommended settings”, then click Next.

f. In the server role selection, make sure you select the Edge Transport role and click Next.

g. Give the installation path, then click Next.

h. Setup performs a readiness check.

i. Once the readiness check completes without errors, click Install.

j. Once setup finishes, restart the server.

k. Let us do some checks, starting with the setup log.

l. Check AD LDS.

   Check the server components.

   Check the services.

   Check the transport agents.

   Check the SMTP verbs with telnet.

   Check the receive connector.
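The checks in steps k and l can be scripted in the Exchange Management Shell on the new Edge server. The following is an added example, not the post's own material; it assumes the default setup log path and the standard service names of an Exchange 2013 Edge role, and nothing else about the environment.

```powershell
# Added example (not part of the original post). Run in the Exchange Management Shell
# on the Edge Transport server right after the post-install reboot.

# Setup log: the last lines should record a successful completion
Get-Content -Path 'C:\ExchangeSetupLogs\ExchangeSetup.log' -Tail 20

# AD LDS instance (service ADAM_MSExchange) and the transport service must both be running
Get-Service -Name ADAM_MSExchange, MSExchangeTransport |
    Select-Object Name, Status

# Server components: list anything that is not Active; an inactive HubTransport blocks mail flow
Get-ServerComponentState -Identity $env:COMPUTERNAME |
    Where-Object { $_.State -ne 'Active' } |
    Select-Object Component, State

# Transport agents: the anti-spam agents are installed enabled on the Edge role,
# so any agent showing Enabled = False here deserves a second look
Get-TransportAgent | Select-Object Identity, Enabled, Priority

# Receive connector: the default Edge connector listens on all addresses, port 25,
# and must allow anonymous users (the Internet) while offering no authentication to them
Get-ReceiveConnector |
    Select-Object Name, Bindings, PermissionGroups, AuthMechanism, MaxMessageSize
```

If Get-ServerComponentState reports an inactive component, the setup log is the first place to look, since setup marks components inactive while it is still running and leaves them that way if it did not finish cleanly.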

 

Export the Edge Subscription from the Edge Transport Server

Run the below command to export the subscription, then copy the file to a Mailbox server.

New-EdgeSubscription -FileName "Filepath\Filename.xml"

Look at the screen: it clearly says the Edge server will talk to the Mailbox server. We need to import this file within 1440 minutes (24 hours), otherwise the subscription will expire.

Type Y, then Enter, at the confirmation prompt.

 

 

DNS Configuration

Create a host record in DNS if one is not present. Then test the ping from Edge to Mailbox and from Mailbox to Edge. Do not proceed until this works.

Import the Edge Subscription on a Mailbox Server

Check this when you run Get-Help New-EdgeSubscription.

Run the below command to import the subscription.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "Filepath\Filename.xml" -Encoding Byte -ReadCount 0)) -Site "ADSiteName"

Ensure that you have port 50636 open from the Mailbox LAN to the Edge Transport DMZ.

 

Verify the Changes in the Exchange Admin Center (ECP)

Servers

Send Connectors

No other send connector is required.

Receive Connector

No new receive connector is required.

 

 

Don’t Change the Send Connector Configuration

The value "--" is part of the configuration of the “EdgeSync - Inbound to AD Site” connector, so don’t change it. We will see it in both the smart host and the address space.

The -- value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization.

The -- value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site.


 

Configure Internal SMTP server on Transport Configuration

Use the InternalSMTPServers parameter on the Set-TransportConfig cmdlet to specify a list of internal SMTP server IP addresses or IP address ranges to be ignored by the Sender ID and Connection Filtering agents on the Edge Transport server.

Run the below command on the Mailbox server, listing the internal servers separated by commas:

Set-TransportConfig -InternalSMTPServers <IP>,<IP>
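Because every address in InternalSMTPServers is exempt from Sender ID and Connection Filtering on the Edge, the list should contain exactly the internal SMTP servers and nothing wider. The command in the post assigns the whole list, which overwrites whatever is already there; the added example below (not from the original post, addresses are placeholders) shows the review-then-append pattern that keeps existing entries, and pushes the result to the Edge server straight away.

```powershell
# Added example (not part of the original post). Run in the Exchange Management Shell
# on a Mailbox server. IP addresses and server names are placeholders.

# Review the current list first: each entry bypasses the Sender ID and Connection Filtering
# agents on the Edge, so a stale or over-broad entry weakens the anti-spam checks
(Get-TransportConfig).InternalSMTPServers

# Append two Mailbox servers. @{Add=...} keeps the existing entries,
# whereas "-InternalSMTPServers IP,IP" (as in the post) replaces the whole list
Set-TransportConfig -InternalSMTPServers @{Add='10.0.0.21','10.0.0.22'}

# Drop an address that no longer belongs (for example a decommissioned relay)
Set-TransportConfig -InternalSMTPServers @{Remove='10.0.0.9'}

# Confirm the result, then replicate it to the Edge server now instead of waiting
# for the next EdgeSync cycle
(Get-TransportConfig).InternalSMTPServers
Start-EdgeSynchronization -Server 'mbx01.corp.example.com' -TargetServer 'edge01.corp.example.com'
```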

 

 

Configure Port 2525 if CAS and MBX are installed on the same server

Run the below command:

Set-SendConnector "EdgeSync - Inbound to Default-First*" -Port 2525

Or change it from ADSIEDIT.

 

 

Start Edge Sync

Once all of the above is complete, run the below command:

Start-EdgeSynchronization -Server MailboxserverFQDN -TargetServer EDGEServerFQDN -ForceFullSync
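The export, import and Start Edge Sync sections above are one procedure, so here it is end to end as an added example (not from the original post), with a verification step at the end. File paths, server names and the site name are placeholders. One detail worth knowing: the subscription XML carries the bootstrap credential the Mailbox servers use to bind to AD LDS on the Edge, which is why the example deletes it once the import has succeeded.

```powershell
# Added example (not part of the original post). Paths, server and site names are placeholders.

# --- 1. On the Edge Transport server (Exchange Management Shell) ---
# Creates the subscription file; it stays valid for 1440 minutes (24 hours).
# Answer Y at the confirmation prompt.
New-EdgeSubscription -FileName 'C:\EdgeSub\edge01-subscription.xml'

# --- 2. Copy the XML to a Mailbox server in the site you want to subscribe. ---

# --- 3. On that Mailbox server ---
$site = 'Default-First-Site-Name'                # placeholder; Get-ADSite lists the real names
$file = 'C:\EdgeSub\edge01-subscription.xml'
New-EdgeSubscription -FileData ([byte[]](Get-Content -Path $file -Encoding Byte -ReadCount 0)) -Site $site

# --- 4. Force the first synchronization (needs TCP 50636 from Mailbox to Edge) ---
Start-EdgeSynchronization -Server 'mbx01.corp.example.com' -TargetServer 'edge01.corp.example.com' -ForceFullSync

# --- 5. Verify: SyncStatus should read Normal and every object class should be in sync ---
Test-EdgeSynchronization -TargetServer 'edge01.corp.example.com' -FullCompareMode | Format-List

# --- 6. The XML is no longer needed and contains the AD LDS bootstrap credential: remove it
#        here and on the Edge server ---
Remove-Item -Path $file
```

-FullCompareMode makes Test-EdgeSynchronization compare the AD LDS contents object by object against Active Directory rather than only checking the lease, which is the check you want once immediately after the first full sync.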

 

 

Restart Service

    Restart Edge-Sync on the Edge Transport Server.

 

 

 

Test the Mail Flow:

Incoming from Edge to the Exchange organization

My lab is not receiving from the Internet, so I used telnet. This also shows the Exchange verbs.

Message Receive – See header

 

 

From the Exchange organization to the Internet

See the message header.
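The telnet check used above (and in step l of the installation, "check the telnet verbs") can be done from PowerShell so it is repeatable after every change to the receive connector. The function below is an added example, not part of the original post; the Edge host name and the name it presents in EHLO are placeholders. It opens the connection, reads the banner, sends EHLO and QUIT, and returns the advertised extensions without submitting a message; the tail of the block then confirms from the Edge's own tracking log that a test message really passed through it.

```powershell
# Added example (not part of the original post). Run from any host that can reach the Edge
# receive connector; the tracking-log query at the end runs on the Edge server itself.

function Get-SmtpVerbs {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 25,
        [string] $HeloName = 'probe.example.com'   # placeholder: name we present in EHLO
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"      # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = $reader.ReadLine()     # "220 <fqdn> Microsoft ESMTP MAIL Service ready at ..."
        $writer.WriteLine("EHLO $HeloName")
        $verbs = @()
        do {
            $line = $reader.ReadLine()
            $verbs += $line.Substring(4)            # strip the "250-" / "250 " prefix
        } while ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')   # "250-" = more lines follow
        $writer.WriteLine('QUIT')
        $null = $reader.ReadLine()
    }
    finally {
        $client.Close()
    }
    [pscustomobject]@{ Server = $Server; Banner = $banner; Verbs = $verbs }
}

$result = Get-SmtpVerbs -Server 'edge01.corp.example.com'   # placeholder
$result.Banner
$result.Verbs

# What to expect on an Internet-facing Edge connector:
#  - STARTTLS listed: opportunistic TLS is offered to sending MTAs
#  - no AUTH line: anonymous submission is accepted, but no authentication is offered to the Internet
#  - SIZE matches the MaxMessageSize configured on the receive connector
if ($result.Verbs -notcontains 'STARTTLS') { Write-Warning "STARTTLS not advertised by $($result.Server)" }
if ($result.Verbs -match '^AUTH ')        { Write-Warning "Authentication is advertised on $($result.Server)" }

# On the Edge server: confirm the test message was received here and via which connector
Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddHours(-1) |
    Select-Object Timestamp, ClientIp, Sender, Recipients, ConnectorId
```

The RECEIVE entries on the Edge, together with the Received: headers the post points at, are what prove a message took the Edge path rather than arriving directly at a Mailbox server.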

 

 

 

References

Edge Transport Server: http://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx

Message Tracking Verbs: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx

 

 

 

Prabhat Nigam

Microsoft MVP | Exchange Server

Team@MSExchangeGuru

140 Responses to “Exchange 2013 SP1: Edge Transport Server Installation and Configuration”

  1. Kamlesh Ambre Says:

    Dear Prabhat,

    My CAS + MB mail servers name FQDN are :

    1) mail1.xyz.com 2) mail2.xyz.com

    I’m using Split brain DNS scenario to resolve server names using mail.xyz.gov.in and changed all virtual directories Internal and external URLs to mail.xyz.gov.in.

    In SSL, I added the following SANs

    mail.xyz.gov.in, autodiscover.xyz.gov.in. imap.xyz.gov.in, pop.xyz.gov.in, edge.xyz.gov.in and sent DSR to Digicert.

    After completing the request with generated certificate , I’m getting error certificate status “Invalid”.

    Q :

    Is that SSL error is because of , domain name mismatch in SSL SAN and actual FQDN of the server ?
    Is it required to add single SAN with mail.xyz.com as a common name ?

    Please advise ?

    T & R,
    Kamlesh

  2. Prabhat Nigam Says:

    As far as CAS url is xxxx.xyz.gov.in you are good.
    SAN certificate should have private key else it might not work.
    From where did you buy the certificate?

  3. Kamlesh Ambre Says:

    Dear Prabhat,

    Thanks for reply.

    I bought it from Digicert.
    From your above answer, what I understood is: there is no connection between the actual server FQDN or internal domain name if the virtual directory URLs are used as SAN names in a third-party SSL certificate. Right?

    I’ll check whether the private key is included or not.

    Anything else where the issue may lie? Please confirm.

    T & R,
    Kamlesh

  4. Kamlesh Ambre Says:

    Dear Prabhat,

    I checked status of Private Key, it is included in SSL which is showing invalid in certificate snap-in in exchange 2013 sp1 control panel.

    T & R,
    Kamlesh

  5. Kamlesh Ambre Says:

    Dear Prabhat,

    Issue has been resolved after importing intermediate certificate.cer on every CA+MB server in DAG.

    Thanks for your support.

    T & R,

    Kamlesh

  6. amit Says:

    Can we Clone Exchange 2010 edge server to Exchange 2013 edge server ?

  7. Prabhat Nigam Says:

    No

  8. Kev Says:

    Hi, HSC-TSA (post 21) mentioned that he got a warning when trying to edit his Edge server in ECP:
    An error occurred while accessing the registry on the server “Edge-1.contoso.com”. The error that occurred is: “Attempted to perform an unauthorized operation.”

    I understand that you cannot use ECP on Edge, but I get this same error when I open ECP on my Mailbox server, go to Servers then try to edit my Edge server.

    I had an MS tech look into another issue and he also tried to find the issue here but could not resolve.

    Is there actually an issue here? there doesn’t appear to be anything you can actually ‘Manage’ in there anyway, but why do we get this ‘Warning’ ? maybe it should say “nothing to see here, please move along” !

  9. Prabhat Nigam Says:

    Actually you can’t edit anything on Edge server. What are you trying to edit?

  10. Exchange Server 2016: All You Need to know Part 2 « MSExchangeGuru.com Says:

    […] Edge Transport is coming with RTM – So yes most of you guessed correct in the NY Exchange User Group on our Exchange Edge Session. […]

  11. Kamlesh Ambre Says:

    Hi,

    What is the path to check the SMTP logs on ET servers, to find the reason for bouncing outgoing mail to a different SMTP domain?

    T & R,
    Kamlesh

  12. Prabhat Says:

    It should be the default location if you have not changed it.
    Try message tracking:
    Get-MessageTrackingLog

  13. Exchange 2013: Wrong AdminDisplayVersion on Edge Transport Server « MSExchangeGuru.com Says:

    […] the previous blog I talked about configuring Exchange 2013 Edge transport server. Today I was upgrading my Exchange […]

  14. Rajiv Kumar Says:

    Nice article about step by step Edge server installation and configuration.

  15. Evandro Semedo Says:

    https://social.technet.microsoft.com/Forums/exchange/en-US/d28f491c-054d-423e-b5c0-104c40dbb294/cant-run-tracking-log-explorer-access-denied-in-edge-trasport-2013?forum=exchange2010

    http://blogs.technet.com/b/ehlro/archive/2015/03/30/exchange-2013-edge-as-a-smarthost-with-basic-over-tls-authentication.aspx

  16. BW Says:

    I am running an Exchange 2016 Edge server with 2016 mailbox server. How can I correctly change the “EdgeSync – Default-First-Site-Name to Internet” send connector so that it allows emails larger than 10MB? Can you change this is the EAC or with powershell? Do you run this from the Edge server or mailbox server?

  17. Prabhat Nigam Says:

    You will run the below command on the Mailbox server:
    Set-SendConnector "send connector name" -MaxMessageSize 100MB

  18. Prabhat Nigam Says:

    What is your issue?

  19. Rob Says:

    I have 3 Exchange 2010 servers (all roles). I want to install Edge 2016 (for testing the antimalware part).
    Can I do this without changing anything on the Exchange 2010 organization? Everything must keep on working…;)

    What does this command (New-EdgeSubscription -FileName ) do exactly and more importantly: where does it delete accepted domains, message classifications, remote domains, Send connectors and InternalSMTPServers list from?

    If it deletes all that from my Exchange 2010 production servers I cannot continue….

  20. Sheeraz Says:

    Hi,

    we are running following environment for Exchange 2010 on premises.

    3 Mailbox server with Single DAG

    3 Hub/ CAS (multirole) with NLB

    2 Edge Servers are used for routing email through Exchange Online Protection (EOP)

    For migration purposes we have introduced the following Exchange 2013 servers.

    4 Mailbox + CAS (multirole) servers with Single DAG

    3 Edge Servers

    We have subscribed all three Exchange 2013 Mailbox servers with 2010 Edge Transport Servers and till now email flow is working fine (after doing re-subscription because of Exchange 2013 introduction in the environment). Now, we want to subscribe 2013 Mailbox servers (one by one) with 2013 Edge Transport Servers so that 2010 and 2013 Edge Transport servers can route email to EOP and later we can remove Edge 2010 and Exchange 2010 from the environment.

    we would like to know – while doing Edge Subscription will there be any issues with email routing? and can we do multiple subscription for Hub Transport 2010 and Mailbox 2013 servers, i.e with Edge 2010 and 2013 at same time?

    please note our requirement is to keep Edge server 2013 in the environment. please correct our approach or suggest a better plan.

    Thanks,

  21. Prabhat Nigam Says:

    If you configure the subscription then your production will change. You can test the Edge Transport server without a subscription by just configuring send connectors.

  22. Prabhat Nigam Says:

    Try sending an email from your exchange 2013 and tell me if it is not going through Edge servers without going to Exchange 2010.

  23. Sheeraz Says:

    Thanks. it worked by creating a send connector without doing subscription.

  24. Kamlesh Ambre Says:

    Hi Prabhat,

    I have 2 CA+MB servers and 2 ET servers.

    Configured attachment rule for 2 MB initially but now change it to 10 MB, but still not able to attach big size file.

    Restarted transport service on 2 CA+MB servers.

    Thanks in advance for your suggestion.

    Kamlesh

  25. Prabhat Nigam Says:

    If you need to attach 10 MB then configure 14MB limit. 33% extra for header.

  26. Joshua Says:

    Dear Prabhat,

    In my environment (exchange 2016), there are 2 mail box servers in DAG load balanced by load balancer. So In external DNS (mail.xyz.com) points to our Public IP and NATs to load balancer. In Internal DNS also it points to the load balancer.
    Now I need to add an edge server, believe I can configure in the load balancer to forward SMTP traffic to edge server. Am I right?

    Now next part is about certificates. Is the SSL certificate needed for edge server?.

    If I’m planning for a SSL certificate, I need to include
    Mail.xyz.com(HTTPS, SMTP, POP3, IMAP)
    Autodiscover.xyz.com
    Xyz.com

    Please correct me if I’m wrong here?.. Also how can I include certificate for edge server?

  27. Prabhat Nigam Says:

    Load balancer can forward the smtp traffic to Edge but you need a separate VIP for it.
    SMTP does not need a cert unless you are configuring TLS and secure SMTP. In that case you need SMTP fqdn.

  28. Chandan Says:

    Dear Nigam,

    I have Exchange 2016 with 8 Mailbox servers installed and two Edge servers in the DMZ network. My queries are below.

    How can I achieve high availability of the Edge server? In 2010 we could set up the Edge server in cloning mode by adding two subscriptions. How can we do this in Exchange 2016?

    My exchange is running in coexistence mode with 2013-2016, Now I want user from 2013 send the emails from 2013 which is running, User from 2016 are able to send the emails from exchange 2016 with Edge server, 2013 & 2016 are in different AD sites.

    I believe we don’t need edge server Fqdn in public certificate but if I enable TLS then I have smtp.domain.com in my public cert. correct me if I am wrong.

    How can I leverage HLB to forward the SMTP traffic?.

    Thanks in advance.

    Chandan

  29. Chandan Says:

    Configure Internal SMTP server.
    Does Configuration of Internal SMTP server on Transport Configuration required. if yes then Do I need to configure port 2525 for internal SMTP server ?

  30. Robert P Says:

    I have 2 Exchange Edge and CAS servers (Primary and DR). Recently I started having a problem where, when the DR site is down, I am unable to receive emails. Mail queues are stuck in the Edge server and it doesn’t deliver to the CAS server, except for internal domain emails within the group. External emails are not getting delivered.

    Thanks,
    Robert

  31. Ratish Nair Says:

    You will have to inspect your connector settings and smarthost settings..
    Also make sure the settings are right on your EDGE and that edge can relay emails to Primary site on Telnet port 25…

    Internal email doesn’t have to go to EDGE servers…

  32. Prabhat Nigam Says:

    In addition to Ratish, check the DNS resolution on Edge.

  33. Robert P Says:

    Port 2525 is configured for CAS and it can accept the email on Port 25.

    Also I have checked the DNS and it works fine.

  34. Prabhat Nigam Says:

    If you have CAS and mbx together in one server then port 2525 is for mailbox role. Unless you swap manually.

  35. Chandan Says:

    Hi Prabhat,

    Greetings !!!

    We have 8 exchange mailbox server with 2 edge server.

    Now we want to use the Edge server in HA/redundancy. Can we achieve this by importing 2 Edge subscriptions?

    We have configured coexistence with 2013, with MX set up on Symantec MessageLabs. We want users from 2013 to use the 2013 send connector, and users from 2016 to use the Edge server for communication.
    Do we need to configure port 2525 for Edge, like we did in the single-box 2013?

  36. Robert P Says:

    Hi Prabhat / Ratish,

    I have 2 CAS and 2 Edge server with replication on multiple sites. I have verified the ports but still primary site is unable to deliver emails to the local CAS server on the same location.

  37. Prabhat Nigam Says:

    @Rob: If you still have the issue then you can engage a professional including me.

  38. Prabhat Nigam Says:

    @Chandan – Answer inline. Also check my video on it. https://www.youtube.com/watch?v=XCHgHLpbvqQ

    How can I achieve high availability of the Edge server? In 2010 we could set up the Edge server in cloning mode by adding two subscriptions. How can we do this in Exchange 2016?

    PN – Cloning does not help. Use DNS round robin or a Load Balancer.

    My exchange is running in coexistence mode with 2013-2016, Now I want user from 2013 send the emails from 2013 which is running, User from 2016 are able to send the emails from exchange 2016 with Edge server, 2013 & 2016 are in different AD sites.

    PN – What is the issue here?

    I believe we don’t need edge server Fqdn in public certificate but if I enable TLS then I have smtp.domain.com in my public cert. correct me if I am wrong.

    PN – Yes, cert is only required for TLS

    How can I leverage HLB to forward the SMTP traffic?.

    PN: Network load balancer or DNS round robin.

    Now we want to use the Edge server in HA/redundancy. Can we achieve this by importing 2 Edge subscriptions?
    PN: Yes, you can.

    We have configured coexistence with 2013, with MX set up on Symantec MessageLabs. We want users from 2013 to use the 2013 send connector, and users from 2016 to use the Edge server for communication.
    PN: They are in separate AD sites, so you can make a scoped send connector; the connector will accept only local traffic, and in source servers add only the respective version’s servers.

    Do we need to configure port 2525 for edge, Like wise we used in single box 2013.
    PN: Port 2525 is for the mailbox role in a combined CAS+MBX and it is safe to receive on MBX so do it.

  39. darryl Says:

    I log in to the ECP web. When I go into the Servers tab and try to edit the Edge server, it shows “Attempted to perform an unauthorized operation”.
    Have you encountered this?

  40. Prabhat Nigam Says:

    Only the Exchange Management Shell on the Edge server can change any Edge property.
