Exchange 2013 SP1: Edge Transport Server Installation and Configuration
The Edge Transport server has protected many Exchange infrastructures, and administrators have relied on Microsoft's own anti-spam stack since it first appeared in Exchange 2003 SP2.
Many of us were waiting for the Edge Transport server to return in Exchange 2013, and with the release of SP1 Microsoft brought it back.
The new Edge Transport server can only be managed from the Exchange Management Shell until an Edge Subscription is created.
Once the subscription is configured, the Edge server can be managed from the Exchange 2013 SP1 ECP, which runs on the CAS 2013 server. The Edge Transport role does not ship with its own EAC or ECP component.
In most deployments the Edge Transport server is placed in the DMZ.
Let us have a look at the installation and the possible configuration options.
Ports:
Open the following ports on your DMZ firewalls.
Internet <--> Edge Transport server
- SMTP TCP 25
Edge Transport server <--> Intranet
- SMTP TCP 25 and 2525 – mail flow
- DNS TCP/UDP 53 – DNS resolution
- RDP TCP 3389 – Remote Desktop
- LDAP TCP 50389 – used locally to bind to the AD LDS instance; there is no need to open this port on the perimeter firewall
- Secure LDAP TCP 50636 – directory synchronization from the Mailbox servers to AD LDS
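A check for the port list above, added here and not part of the original article: run it on the Edge server to confirm the paths into the intranet, and on a Mailbox server to confirm the EdgeSync path back to Edge. Test-NetConnection only probes TCP, so UDP 53 is covered by a separate name-resolution check against the LAN resolver; hostnames and IPs are assumed placeholders.

```powershell
# Added example, not from the original article. Hostnames and IPs are placeholders.
function Test-EdgePortPath {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][hashtable]$Ports   # TCP port -> purpose
    )
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $probe = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $Target
            Port    = $port
            Purpose = $Ports[$port]
            Open    = $probe.TcpTestSucceeded
        }
    }
}

# Run on the Edge server: Edge -> intranet ports from the list above
$edgeToMailbox = @{
    25   = 'SMTP mail flow to the Mailbox server'
    2525 = 'SMTP to the Mailbox Transport service when CAS and MBX are co-located'
    53   = 'DNS resolution (TCP side only; UDP is checked below)'
}
# Run on the Mailbox server: EdgeSync pushes directory data to AD LDS over secure LDAP
$mailboxToEdge = @{ 50636 = 'EdgeSync secure LDAP to AD LDS' }

$results = Test-EdgePortPath -Target 'mbx01.corp.example.com' -Ports $edgeToMailbox
# On the Mailbox server use instead:
#   Test-EdgePortPath -Target 'edge01.corp.example.com' -Ports $mailboxToEdge
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning "TCP $($_.Port) ($($_.Purpose)) to $($_.Target) is blocked" }

# Edge must resolve the Mailbox server through the LAN DNS only (no public resolver),
# so ask that resolver directly instead of trusting whatever the adapter happens to use
$lanDns = '10.10.0.5'   # placeholder: the Active Directory DNS server on the LAN
try {
    Resolve-DnsName -Name 'mbx01.corp.example.com' -Server $lanDns -ErrorAction Stop |
        Select-Object Name, IPAddress
} catch {
    Write-Warning "LAN DNS $lanDns did not resolve the Mailbox server: $($_.Exception.Message)"
}
```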
Installation:
1. This will be a workgroup server, with the Active Directory domain name as the suffix in the full computer name. See the screenshot.
2. Point DNS to the Active Directory DNS servers on the corporate LAN. Use only LAN DNS, no public DNS; let the DNS server do the forwarding or use root hints.
3. Install AD LDS from Add Roles in Server Manager. No configuration is required; Exchange setup will configure it.
4. Install the Exchange prerequisites with the help of my blog post here.
5. Install the Exchange 2013 SP1 Edge Transport server.
a. Run setup.exe and select "Don't check for updates right now".
b. Setup copies the files it needs to start.
d. Accept the license agreement and click Next.
f. In the server role selection, make sure you select the Edge Transport role and click Next.
h. Setup runs a readiness check.
i. Once the readiness check completes without errors, click Install.
j. Once setup finishes, restart the server.
k. Let us do some checks: review Setup.log, check the server components, check the transport agents and check the receive connector.
Export the Edge Subscription from the Edge Transport server
Run the command below to export the subscription, then copy the file to a Mailbox server.
New-EdgeSubscription -FileName "Filepath\Filename.xml"
The output clearly states that Edge will talk to the Mailbox server. The file must be imported within 1440 minutes (24 hours), otherwise the subscription expires.
Type Y and press Enter at the confirmation prompt.
DNS configuration
Create a host record in DNS if one is not already present, then test ping from Edge to Mailbox and from Mailbox to Edge. Do not proceed until this works.
Import the Edge Subscription on a Mailbox server
Check the syntax with Get-Help New-EdgeSubscription.
Run the command below to import the subscription.
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "Filepath\Filename.xml" -Encoding Byte -ReadCount 0)) -Site "ADSiteName"
Ensure that port 50636 is open from the Mailbox LAN to the Edge Transport DMZ.
Verify the changes in the Exchange Admin Center (ECP)
Servers
Send connectors
No other send connector is required.
Receive connectors
No new receive connector is required.
Don't change the send connector configuration
"--" is part of the configuration of the "EdgeSync - Inbound to AD Site" connector, so don't change it. We will see it in the smart hosts and the address space:
The "--" value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization.
The "--" value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site.
Configure internal SMTP servers in the transport configuration
Use the InternalSMTPServers parameter of the Set-TransportConfig cmdlet to specify the list of internal SMTP server IP addresses or IP address ranges that the Sender ID and Connection Filtering agents on the Edge Transport server should ignore.
Run the command below on the Mailbox server:
Set-TransportConfig -InternalSMTPServers IP1,IP2
Configure port 2525 if CAS and MBX are installed on the same server
Run the command below:
Set-SendConnector "EdgeSync - Inbound to Default-First*" -Port 2525
or change it in ADSIEdit.
Start EdgeSync
Once all of the above is complete, run the command below:
Start-EdgeSynchronization -Server MailboxServerFQDN -TargetServer EdgeServerFQDN -ForceFullSync
Restart the service
Restart the EdgeSync service on the Edge Transport server.
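The subscription import, transport configuration and EdgeSync steps above as one Exchange Management Shell script, added here as an example and not the article's own code. It runs on the Mailbox server and adds the checks a practitioner wants at each step: refusing an expired subscription file, only touching the inbound connector if it exists, and failing loudly when the sync result is anything other than Success. File path, site name, FQDNs and IP ranges are assumed placeholders.

```powershell
# Added example, not from the original article. All names below are placeholders.
$subscriptionFile = 'C:\EdgeSubscription\edge01.xml'      # copied over from the Edge server
$siteName         = 'Default-First-Site-Name'
$edgeFqdn         = 'edge01.corp.example.com'
$mailboxFqdn      = 'mbx01.corp.example.com'
$internalSmtp     = @('10.10.0.0/24', '192.168.5.10')    # ranges Sender ID / connection filtering must ignore

# 1. The exported file is only valid for 1440 minutes (24 hours). Refuse a stale file rather
#    than importing a subscription that has already expired (LastWriteTime survives the copy).
$ageMinutes = ((Get-Date) - (Get-Item $subscriptionFile).LastWriteTime).TotalMinutes
if ($ageMinutes -gt 1440) {
    throw "Subscription file is $([int]$ageMinutes) minutes old; re-run New-EdgeSubscription on the Edge server"
}

# 2. Import the subscription into the AD site the Edge server will serve
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $subscriptionFile -Encoding Byte -ReadCount 0)) -Site $siteName

# 3. Tell the Edge agents which senders are internal. This replaces the whole list, so
#    include every internal SMTP source, not only the new one.
Set-TransportConfig -InternalSMTPServers $internalSmtp

# 4. With CAS and MBX on the same box, deliver straight to the Mailbox Transport service on 2525
$inbound = Get-SendConnector | Where-Object { $_.Name -like "EdgeSync - Inbound to $siteName*" }
if ($inbound) {
    $inbound | Set-SendConnector -Port 2525
} else {
    Write-Warning "No 'EdgeSync - Inbound to $siteName' connector found yet; run EdgeSync first"
}

# 5. Force a full sync and stop on any result that is not Success.
#    CouldNotConnect / 'The LDAP server is unavailable' almost always means TCP 50636 is blocked.
$sync   = Start-EdgeSynchronization -Server $mailboxFqdn -TargetServer $edgeFqdn -ForceFullSync
$failed = $sync | Where-Object { $_.Result -ne 'Success' }
if ($failed) {
    $failed | Format-List Type, Result, FailureDetails
    throw "EdgeSync failed; check TCP 50636 from $mailboxFqdn to $edgeFqdn and the Edge DNS suffix"
}

# 6. Compare what AD holds with what reached the AD LDS instance on the Edge server
Test-EdgeSynchronization -FullCompareMode | Format-List
```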
Test the mail flow:
Incoming from Edge to the Exchange organization
My lab does not receive from the Internet, so I used telnet. This also shows the Exchange verbs.
Message received – see the header
From the Exchange organization to the Internet
See the message header
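The telnet check above done from PowerShell, as an added example that is not part of the original article: it reads the banner, lists the verbs the Edge server advertises in its EHLO reply, and then confirms that an anonymous session is refused relay to a domain outside the organization, which is what an Internet-facing receive connector must do. Server name, HELO name and addresses are assumed placeholders; nothing is submitted because the session never reaches DATA.

```powershell
# Added example, not from the original article. Server and addresses are placeholders.
function Test-EdgeSmtp {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.example.com',          # name announced in EHLO
        [string]$Sender   = 'probe@example.com',
        [string]$External = 'someone@external.example'    # not an accepted domain of the org
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # An SMTP reply may span several lines; continuation lines carry '-' after the 3-digit code
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return ,$lines
    }

    try {
        $banner = Read-Reply
        $writer.WriteLine("EHLO $HeloName")
        $ehlo   = Read-Reply
        $writer.WriteLine("MAIL FROM:<$Sender>")
        $mail   = Read-Reply
        $writer.WriteLine("RCPT TO:<$External>")
        $rcpt   = Read-Reply
        $writer.WriteLine('QUIT')             # no DATA: the message is never submitted
        [void](Read-Reply)
    } finally {
        $client.Close()
    }

    [pscustomobject]@{
        Banner        = $banner[0]
        Verbs         = ($ehlo | Select-Object -Skip 1 | ForEach-Object { $_.Substring(4) })
        MailFromReply = $mail[-1]
        RcptToReply   = $rcpt[-1]
        # 550 5.7.1 "Unable to relay" is the expected answer for an anonymous external recipient
        RelayRefused  = ($rcpt[-1] -match '^5\d\d')
    }
}

$result = Test-EdgeSmtp -Server 'edge01.corp.example.com'
$result | Format-List
if (-not $result.RelayRefused) {
    Write-Warning "Edge accepted an anonymous relay attempt: $($result.RcptToReply)"
}
```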
References
Edge Transport Server: http://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx
Message Tracking Verbs: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
Prabhat Nigam
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
March 25th, 2014 at 11:25 pm
Thanks for the article. Edge 2013 does not have a GUI. Does it run on Windows Core?
March 27th, 2014 at 4:56 am
Nice article, keep on going!
March 27th, 2014 at 1:19 pm
The answer is: it may work, but it is not supported and not recommended.
Read the text below from TechNet. http://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx
We don’t support the installation of Exchange 2013 on a computer that’s running in Windows Server Core mode. The computer must be running the full installation of Windows Server.
March 28th, 2014 at 3:32 am
As far as I know, Edge 2013 does not have a GUI. It would be cool if Edge could be installed on Core server. OK, I will use the full version of Windows Server.
April 10th, 2014 at 3:33 pm
Question: Why did you have to create port 2525 for the send connector if the Mailbox and CAS are on the same server? Also, why did you configure internal SMTP servers in the transport configuration? What does this do?
Thank you for your help and clarification.
April 10th, 2014 at 11:23 pm
@Walter
Why did you have to create port 2525 for the send connector if the Mailbox and CAS are on the same server?
This is the send connector on the Edge server that forwards email to the Exchange servers. When Mailbox and CAS are together, CAS uses port 25 and Mailbox uses port 2525. To get mail delivered directly to the Mailbox role we need to change the port.
So it does not make any sense to have the mail delivered to the CAS Front End Transport service, which just proxies the email.
Also, why did you configure internal SMTP servers in the transport configuration? What does this do?
The InternalSMTPServers parameter specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering. I wanted to ensure my IPs do not get blocked by Edge.
Hope you got the answers. Enjoy reading.
April 23rd, 2014 at 6:48 am
Hi!
At the “Start Edge Sync” step I’m constantly getting “CouldNotConnect” and “The LDAP server is unavailable.”, although my Mailbox and EdgeTransport servers share a common network subnet without a router/firewall in-between, and Windows Firewall is off at both ends.
Is there any cure for that?
“[PS] C:\Start-EdgeSynchronization -Server mbx.domain.local -TargetServer edge.domain.com -ForceFullSync
RunspaceId : 578c8c8c-002b-4df4-86ff-f78c285d2944
Result : CouldNotConnect
Type : Configuration
Name : Edge
FailureDetails : The LDAP server is unavailable.
StartUTC : 4/23/2014 10:42:24 AM
EndUTC : 4/23/2014 10:42:24 AM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
RunspaceId : 578c8c8c-002b-4df4-86ff-f78c285d2944
Result : CouldNotConnect
Type : Recipients
Name : Edge
FailureDetails : The LDAP server is unavailable.
StartUTC : 4/23/2014 10:42:24 AM
EndUTC : 4/23/2014 10:42:24 AM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
“
June 8th, 2014 at 6:48 am
Hello,
I wonder if I need to install CAS role if I install Edge Transport role and why please. Thank you for your time and concern.
Regards,
Pooriya
June 8th, 2014 at 10:16 am
@Pooriya
You don't need the CAS role for Edge.
June 8th, 2014 at 10:21 am
@mx
The LDAP server is a domain controller.
You should have installed AD LDS on Edge. They need to talk to replicate the config.
June 8th, 2014 at 10:23 am
@valery
It appears to me that installing Edge on Core is not supported yet, but it is a nice thought.
June 8th, 2014 at 12:56 pm
What I want to do is a new installation of Exchange 2013 for a new organization. I want to use the Edge Transport role in my DMZ. I wonder if I need to install the CAS role, or whether it is not required at all once the Edge role is installed. Could you please provide a short reasoning? Thanks.
June 8th, 2014 at 1:07 pm
@Pooriya
Edge is a spam control email gateway server.
CAS is used for client connectivity, but it proxies the emails.
If you are installing Exchange 2013 for user mailboxes then you need the CAS role.
Edge is different from CAS, so based on the requirement you need different roles.
June 26th, 2014 at 7:43 am
I used Exchange 2013 SP1 + CU5 to install the Edge role on a Windows Server 2012 R2 workgroup machine.
After installation the service "Exchange Server Health Service" was not starting, automatically or manually, with the following error: "Error 1075: The dependency service does not exist or has been marked for deletion".
And in the Event Viewer I have this error:
Event ID: 7003
The Microsoft Exchange Health Manager service depends on the following service: MSExchangeADTopology. This service might not be installed.
Also, after adding the domain name of the Active Directory domain in the full computer name as the suffix, I cannot RDP to the server!
Please advise.
June 26th, 2014 at 10:40 am
If you have opened port TCP 3389 and enabled RDP on the server then it should work.
Run the command Test-ServiceHealth and see if any service shows up as not running. This shows whether any required service is not running.
June 26th, 2014 at 4:09 pm
I formatted the server with a fresh install of MS Windows Server 2012 R2 Datacenter and followed the guide here.
Running the "Test-ServiceHealth" command, it displays the same as what you show in this blog (above)!
But the service "Microsoft Exchange Health Manager" is not starting, automatically or manually, with the following error: "Error 1075: The dependency service does not exist or has been marked for deletion".
TIA
June 26th, 2014 at 4:47 pm
Looks like you don’t need Health Manager on Edge.
June 29th, 2014 at 7:10 am
After finishing the Edge subscription process,
I get this warning when I go to EAC –> Servers –> edit Edge server:
Warning
An error occurred while accessing the registry on the server "Edge-1.contoso.com". The error that occurred is: "Attempted to perform an unauthorized operation.".
June 30th, 2014 at 3:08 pm
1. You can't use EAC on Edge. There is no EAC; use PowerShell.
2. You can't edit anything on the Edge server. Everything should be changed on the CAS and Mailbox servers.
June 30th, 2014 at 3:55 pm
Hello Guys,
I have just set up an Exchange 2013 organization. I have two servers, both of which run the MB and CAS roles in a DAG. I have both of these servers connected to another server running the Edge Transport role. I have already synced the two servers with the Edge server. I am able to send and receive emails internally, but I can't send any emails outside. Could you please assist me with this? Thanks a lot.
Regards,
Pooriya
June 30th, 2014 at 4:15 pm
What is the issue?
July 1st, 2014 at 1:26 am
Hi,
The issue is that I can't send emails to recipients outside my organization, such as on the Internet.
July 1st, 2014 at 9:09 am
Hello,
I found my problem. My network firewall was preventing the Edge server from forwarding messages to the Internet. Now I have a somewhat more difficult problem. When I use mxtoolbox.com to check my name resolution and look for problems with my mail server, I receive an error message that says I have a long SMTP transaction time (9.282 seconds – Not good! on Transaction Time). I receive emails in my mailbox with a delay of about 3-5 minutes. Could you please assist me with this? It would be really kind of you. Thanks a lot.
Regards,
Pooriya
July 1st, 2014 at 12:21 pm
Pooriya,
Stop doing any SMTP filtering on the Firewall.
July 2nd, 2014 at 1:17 am
Prabhat,
I have just a NAT on my firewall. To make sure it is working properly, I did not filter any traffic. Just a dynamic NAT.
July 2nd, 2014 at 1:51 am
Hello,
I also have another question. I am trying to reach my external URLs (https://fqdn/ecp and https://fqdn/owa) via the Internet, but I can't. I have a NAT rule on my firewall that points to my Edge server. I wonder if I can reach my virtual directories via this rule. I am sure my name resolution is working. I also wonder if the virtual directories are reachable via the Edge server. Thanks a lot.
July 2nd, 2014 at 3:42 am
Point your OWA and EAC resolution to the CAS server.
Which firewall are you using?
July 2nd, 2014 at 3:59 am
Hey,
I am using Sophos. I believe the concept behind using an Edge server is to use an isolated server in the DMZ. If I forward the connections on my firewall to my CAS server, I have practically bypassed the Edge server and exposed my internal network to the outside. Furthermore, I have two servers, both of which are running CAS and MB. Which server should I forward the requests to? Thanks man.
July 2nd, 2014 at 10:47 am
Edge Transport does not have a CAS component, and not even its own EAC. For CAS requests you should have a load balancer, but if you don't, you need to see if you can forward CAS traffic to both servers from the firewall. Otherwise you need to create 2 DNS host records with the same hostname, one per server IP, and forward to this hostname.
Sophos – check if it has any default SMTP config.
July 6th, 2014 at 7:55 am
Hi Parbhat,
I managed to solve my problems. Now I have two Exchange servers running both the CAS and MB roles. I also configured a reverse proxy server in my DMZ for secure access to my OWA. Now I can't receive emails. The reverse proxy can't work in my DMZ to receive mail. Am I right? Now how can I receive emails in a secure way please? Thanks a lot.
Regards,
Pooriya
July 6th, 2014 at 10:54 am
On your firewall, just allow incoming port 25 for anonymous and forward the requests to Edge. You are safe with Edge.
July 6th, 2014 at 11:36 am
I removed the Edge server, as I was thinking the reverse proxy would do the job for both sending and receiving mail. Can't a reverse proxy securely receive mail please? What are my options to receive mail from the Internet please? Do I have to use an Edge server, or forward SMTP on my firewall to my CAS server? Which one is safer please? Could you please provide me with a thorough response? This is really important to me. Thanks a lot.
July 6th, 2014 at 11:45 am
OWA and SMTP are 2 different things.
Forwarding SMTP to CAS is fine, but I would have preferred Edge if I had the option.
July 7th, 2014 at 12:19 am
Hello,
Thanks a lot. It is clear now. If I want to use secure SMTP, what should I do please? I mean, can I forward port 587 (SSMTP) on my firewall to my Edge server please?
July 7th, 2014 at 1:40 pm
Use spam filtering on the Edge server to secure SMTP.
July 16th, 2014 at 5:42 am
Thanks ! Helped a lot.
July 16th, 2014 at 2:30 pm
Hello,
After I changed my accepted domain I also changed my Edge server domain suffix. After I configured the Edge subscription, I am able to send emails, but I can't receive emails. I checked my message queue via "Get-TransportService | Get-Queue" and received the following error.
"The Queue Viewer operation on computer "exet" has failed with an exception. The error message is: Access is denied."
When I checked my domain for problems via mxtoolbox.com, I got the following error.
We were unable to connect to your server. All connect failures are confirmed by a second MxWatch server from a different location to prevent false alerts.
The standard timeout is 15 seconds.
If the problem was due to a problem resolving your hostname, there will also be an HTTP DNS problem listed as well.
July 16th, 2014 at 5:12 pm
Your MX record is wrong or the ports are blocked.
July 17th, 2014 at 4:20 am
Hello,
The MX record is not wrong. mxtoolbox.com and other nslookup tools on the Internet return the right record. I also opened all the ports on my firewall to make sure there are no blocked ports. Thanks a lot.
July 18th, 2014 at 11:18 pm
I just subscribed my Edge to my new 2013 servers in a coexistence scenario. I can now send mail out, but cannot receive mail from the Internet.
I get error 451 4.4.0 DNS query failed.
All internal mail works as well.
Any suggestions?
July 19th, 2014 at 1:35 am
The DNS query is failing at some level: either your MX record is not correct or your firewall is not allowing incoming SMTP for anonymous users.
July 19th, 2014 at 12:55 pm
This actually ended up fixing it:
Took us 6 hrs =/
set-InternalDNSAdapterEnabled $false -InternalDNSServers
July 19th, 2014 at 7:28 pm
Good to know.
July 26th, 2014 at 2:16 pm
Hi Prabhat, I found your article and subsequent responses extremely useful. Thank you very much for the time you devoted to writing it. As a result, I have recently successfully rebuilt our network with the internal domain gb.mydomain.com and Exchange 2013 MBX and CAS combined onto an AD server. In our DMZ, we have a web server and an Edge server connected through NAT to public IPs on a SonicWall NSA E5500 firewall. Everything works perfectly except Autodiscover/OWA from external connections. Internal is fine. Public DNS has A and MX records for 'mail' pointing to the Edge server and CNAME records for pretty much everything else pointing to mail. The Edge server's IPv4 network DNS points to the internal MBX/CAS server. There is no Server 2012 DNS configuration on the Edge server, and as the Exchange Edge install didn't create one, I'm assuming it's not needed. I've been playing with this for 10 days or so now and am beginning to tear my hair out. Are Autodiscover and OWA supposed to be resolved and forwarded by the Edge server, or should I use another public IP address and point it through NAT to the internal CAS server? I'm under the impression that everything should go to the Edge server. If you could provide some guidance, it would be greatly appreciated. Many thanks, Michael
July 27th, 2014 at 12:51 am
@Michael
Edge is only for mail flow.
Autodiscover and OWA should go to CAS, not Edge. So here is the NAT rule which should take care of it; you need to use PAT.
Public IP:443 –> CAS LAN IP
Public IP:25 –> EDGE LAN IP
FYI – Exchange is not recommended to be installed on domain controllers. If possible, install a new DC and demote AD on the Exchange server.
Hope this helps.
August 1st, 2014 at 12:08 pm
Hello,
I would just like to start out by saying I am a network tech, not a network admin or network engineer.
We are preparing to install Exchange 2013 as an Edge Transport server. We have an Exchange 2007 along with an Exchange 2003 server. The 2003 forwards the mail to the Exchange 2007, so the 2003 is in AD. While reading the prerequisites of Exchange 2013 it states that 2003 has to be removed from AD prior to installing. We really would like to avoid that if possible. I could understand that 2013 would need 2003 removed from AD if it wasn't being set up as an Edge server and was going to be set up in the AD that 2003 is in. Since it isn't really going to be a part of that AD, why would we need to remove 2003 first?
It's my understanding that the Edge Transport server won't actually be in AD, but uses AD LDS to retrieve what it needs from an existing AD.
If that is the case, do we have to remove 2003 from AD? We would like 2003 to continue to function until the Edge server is implemented. Once the 2013 is running and doing its job, we would like to then remove 2003 from AD and bring it down. Is that possible?
Thanks!
-Jason
August 2nd, 2014 at 12:37 pm
@Jason
You have a very interesting setup.
Edge will be installed on a standalone server in the DMZ, so it will not care what you have in AD. So go ahead with the installation.
You will configure it on Exchange 2007 and Edge will sync from the 2007 Hub Transport.
I don't see why EdgeSync would not work from 2007, because it is just an AD sync. At the same time, I have not tested this, so I would recommend that you test it in a lab.
If AD sync does not work then you can use Edge Transport as a standalone server without AD sync until you remove Exchange 2003.