Exchange 2013 SP1: Edge Transport Server Installation and Configuration
The Edge Transport server has protected many Exchange infrastructures, and we have relied on Microsoft's own protection since anti-spam filtering arrived in Exchange 2003 SP2.
Many of us were waiting for the Edge Transport server to return in Exchange 2013, and with the release of SP1 Microsoft brought it back.
The new Edge Transport server can only be managed through the Exchange Management Shell until we create an Edge Subscription.
Once the subscription is configured, we can manage the Edge Transport server from the Exchange 2013 SP1 ECP on the CAS 2013 server. Edge Transport does not ship with its own EAC or ECP component.
Most of the time we place the Edge Transport server in the DMZ.
Let us have a look at the installation and the possible configuration options.
Ports:
Open the following ports on your DMZ firewalls:
Internet <--> Edge Transport Server
SMTP TCP 25
Edge Transport Server <--> Intranet
SMTP TCP 25 and 2525 - mail flow
DNS TCP/UDP 53 - DNS resolution
RDP TCP 3389 - Remote Desktop
LDAP TCP 50389 - used locally to bind to the AD LDS instance; there is no need to open this port on the perimeter firewall.
Secure LDAP TCP 50636 - directory synchronization from the Mailbox servers to AD LDS
Installation:
- This will be a workgroup server whose full computer name uses the Active Directory domain name as its DNS suffix. See the screenshot.
- Point the DNS to the Active Directory DNS servers on the corporate LAN side of the firewall. Use only the LAN DNS, no public DNS; let the DNS server forward or use root hints.
- Install AD LDS from Add Roles in Server Manager. No configuration is required; Exchange setup will configure it.
- Install the Exchange prerequisites with the help of my blog post here.
- Install the Exchange 2013 SP1 Edge Transport server:
a. Run setup.exe and select "Don't check for updates right now".
b. Setup now copies the files needed to start the installation.
c. Accept the license agreement and click Next.
d. In the server role selection, make sure you select the Edge Transport role and click Next.
e. Setup runs a readiness check.
f. Once the readiness check completes without errors, click Install.
g. Once setup finishes, restart the server.
h. Let us do some checks. Setup.log
Check the Server Component
Check the transport Agents
Check the receive connector
Export Edge Subscription from EDGE Transport Server
Run the command below to export the subscription, then copy the file to a Mailbox server.
New-EdgeSubscription -FileName "Filepath\Filename.xml"
The output states that the Edge server will communicate with the Mailbox servers. Import this file within 1440 minutes (24 hours); after that the subscription expires and must be exported again.
Type Y and press Enter at the confirmation prompt.
DNS Configuration
Create a host (A) record in DNS if one is not already present, then test ping from the Edge to the Mailbox server and from the Mailbox server to the Edge. Do not proceed until both directions work.
Import Edge Subscription on a mailbox Server
Check this when you run Get-Help New-EdgeSubscription
Run the command below to import the subscription.
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "Filepath\Filename.xml" -Encoding Byte -ReadCount 0)) -Site "ADSiteName"
Ensure that you have port 50636 open from mailbox LAN to Edge Transport DMZ.
Verify the changes in the Exchange Admin Center (ECP)
Servers
Send Connectors
No other Send connector is required.
Receive Connector
No new Receive connector is required.
Don't change the Send connector configuration
The value "--" is part of the configuration of the "EdgeSync - Inbound to <AD Site>" connector, so don't change it. It appears in both the smart hosts and the address space (accepted domains):
The "--" value in the address space represents all authoritative and internal relay accepted domains for the Exchange organization.
The "--" value in the list of smart hosts represents all Mailbox servers in the subscribed Active Directory site.
Configure internal SMTP servers in the transport configuration
Use the InternalSMTPServers parameter on the Set-TransportConfig cmdlet to specify a list of internal SMTP server IP addresses or IP address ranges to be ignored by the Sender ID and Connection Filtering agents on the Edge Transport server.
Run the command below on the Mailbox server:
Set-TransportConfig -InternalSMTPServers IP1,IP2
Configure port 2525 if CAS and MBX are installed on the same server
Run the command below:
Set-SendConnector "EdgeSync - Inbound to Default-First*" -Port 2525
Or change it with ADSI Edit.
Start Edge Sync
Once all of the above is completed, run the command below:
Start-EdgeSynchronization -Server MailboxserverFQDN -TargetServer EDGEServerFQDN -ForceFullSync
Restart Service
Restart Edge-Sync on the Edge Transport Server.
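The import, sync and verification steps above as one Mailbox-server script. This is an added example, not code from the original post: it checks the 1440-minute expiry of the exported file and TCP 50636 reachability before importing, then forces EdgeSync and verifies the result with Test-EdgeSynchronization. The file path, AD site and server names are placeholders, and ReadAllBytes is used in place of the post's Get-Content -Encoding Byte construct.

```powershell
# Added example, not from the original post: on a Mailbox server, import the
# subscription file exported on the Edge, after checking the 1440-minute expiry
# window and TCP 50636 reachability, then force EdgeSync and verify the result.
# Paths, server names and the AD site are placeholders; replace them.
$SubscriptionFile = 'C:\EdgeSubscription\EDGE01.xml'      # placeholder
$AdSite           = 'Default-First-Site-Name'              # placeholder
$MailboxServer    = 'MBX01.corp.example.local'             # placeholder
$EdgeServer       = 'EDGE01.corp.example.local'            # placeholder

# 1. The subscription inside the exported file is only valid for 1440 minutes
#    (24 hours), so refuse a stale file before touching the organization.
$fileAge = (Get-Date) - (Get-Item -Path $SubscriptionFile).LastWriteTime
if ($fileAge.TotalMinutes -gt 1440) {
    throw ("Subscription file is {0:N0} minutes old; export it again on the Edge." -f $fileAge.TotalMinutes)
}

# 2. EdgeSync replicates over Secure LDAP 50636 from the Mailbox LAN into the DMZ.
#    Name resolution must work first (the ping test in the post), then the port.
if (-not (Test-NetConnection -ComputerName $EdgeServer -Port 50636).TcpTestSucceeded) {
    throw "TCP 50636 to $EdgeServer is blocked or the name does not resolve."
}

# 3. Import the subscription. ReadAllBytes replaces the post's Get-Content -Encoding
#    Byte construct; the two Create* parameters default to $true and are written
#    out only so the connectors EdgeSync creates are explicit.
$fileData = [System.IO.File]::ReadAllBytes($SubscriptionFile)
New-EdgeSubscription -FileData $fileData -Site $AdSite `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# 4. Force a full sync and stop if any target reports anything other than Success.
$syncResults = Start-EdgeSynchronization -Server $MailboxServer -TargetServer $EdgeServer -ForceFullSync
$syncResults | Format-Table Name, Type, Result, Added, Updated, Deleted, FailureDetails -AutoSize
$failed = $syncResults | Where-Object { $_.Result -ne 'Success' }
if ($failed) { throw "EdgeSync reported failures for: $($failed.Name -join ', ')" }

# 5. Confirm the Edge's AD LDS copy now matches AD, and show the connectors EdgeSync
#    created. The '--' address space and smart host values must be left as they are.
Test-EdgeSynchronization -TargetServer $EdgeServer |
    Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync*' } |
    Format-Table Name, AddressSpaces, SmartHosts, Port -AutoSize
```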
Test the Mailflow:
Incoming from EDGE to Exchange ORG
My lab does not receive mail from the Internet, so I used telnet instead. The session also shows the Exchange SMTP verbs.
Message Receive – See header
From Exchange ORG to Internet
See the Message Header
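A scripted form of the telnet check above, added here as an example and not part of the original post. It connects to an SMTP listener, reads the banner, sends EHLO, returns the advertised verbs and disconnects without sending a message, so it can be pointed at the Edge on port 25 and at the Mailbox server on 25 or 2525. Host names are placeholders.

```powershell
# Added example, not from the original post: a scripted form of the telnet test.
# It reads the 220 banner, sends EHLO, collects the verbs the server advertises
# (STARTTLS, SIZE, X-ANONYMOUSTLS ...) and then QUITs. No mail is sent.
function Get-SmtpVerbs {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = 'probe.corp.example.local'   # placeholder
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"     # SMTP lines end in CRLF
    $writer.AutoFlush = $true
    try {
        $banner = $reader.ReadLine()
        if ($banner -notmatch '^220') { throw "Unexpected banner from ${Server}:${Port}: $banner" }
        $writer.WriteLine("EHLO $HeloName")
        $lines = @()
        while ($true) {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed during EHLO" }
            if ($line -notmatch '^250([ -])(.*)$') { throw "EHLO rejected: $line" }
            $lines += $Matches[2]
            if ($Matches[1] -eq ' ') { break }   # '250 ' (space) marks the final reply line
        }
        $writer.WriteLine('QUIT')
        $null = $reader.ReadLine()
        [pscustomobject]@{
            Server   = $Server
            Port     = $Port
            Banner   = $banner
            Greeting = $lines[0]                        # "<fqdn> Hello [<ip>]"
            Verbs    = @($lines | Select-Object -Skip 1)
        }
    }
    finally { $client.Close() }
}

# Edge -> Mailbox on 2525 (CAS and MBX on one box) and Internet -> Edge on 25.
$inbound = Get-SmtpVerbs -Server 'MBX01.corp.example.local' -Port 2525
$edge    = Get-SmtpVerbs -Server 'EDGE01.corp.example.local' -Port 25
$inbound, $edge | Format-List Server, Port, Banner, Verbs
# If STARTTLS is missing from a list, that connector is not offering TLS to that peer.
```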
References
Edge Transport Server: http://technet.microsoft.com/en-us/library/bb124701(v=exchg.150).aspx
Message Tracking Verbs: http://technet.microsoft.com/en-us/library/bb124375(v=exchg.150).aspx
Prabhat Nigam
Microsoft MVP | Exchange Server
Team@MSExchangeGuru
March 18th, 2015 at 6:16 am
Dear Prabhat,
My CAS + MB mail servers name FQDN are :
1) mail1.xyz.com 2) mail2.xyz.com
I’m using Split brain DNS scenario to resolve server names using mail.xyz.gov.in and changed all virtual directories Internal and external URLs to mail.xyz.gov.in.
In SSL, I added the following SANs
mail.xyz.gov.in, autodiscover.xyz.gov.in, imap.xyz.gov.in, pop.xyz.gov.in, edge.xyz.gov.in and sent the DSR to Digicert.
After completing the request with the generated certificate, I'm getting the error certificate status "Invalid".
Q :
Is that SSL error is because of , domain name mismatch in SSL SAN and actual FQDN of the server ?
Is it required to add single SAN with mail.xyz.com as a common name ?
Please advise ?
T & R,
Kamlesh
March 18th, 2015 at 6:03 pm
As long as the CAS URL is xxxx.xyz.gov.in you are good.
SAN certificate should have private key else it might not work.
From where you bought the certificate.
March 19th, 2015 at 10:28 am
Dear Prabhat,
Thanks for reply.
I brought it from Digicert.
From your above answer, what I understood is that there is no connection between the actual server FQDN or internal domain name and the virtual directory URLs used as SAN names in a third-party SSL certificate. Right?
I’ll check with whether private key is included or not?
Anything else where issue may lie , please confirm ?
T & R,
Kamlesh
March 19th, 2015 at 12:36 pm
Dear Prabhat,
I checked status of Private Key, it is included in SSL which is showing invalid in certificate snap-in in exchange 2013 sp1 control panel.
T & R,
Kamlesh
March 21st, 2015 at 3:21 am
Dear Prabhat,
Issue has been resolved after importing intermediate certificate.cer on every CA+MB server in DAG.
Thanks for your support.
T & R,
Kamlesh
April 7th, 2015 at 3:13 am
Can we Clone Exchange 2010 edge server to Exchange 2013 edge server ?
April 7th, 2015 at 8:29 am
No
May 7th, 2015 at 11:44 pm
Hi, HSC-TSA (post 21) mentioned that he got a warning when trying to edit his Edge server in ECP:
An error occurred while accessing the registry on the server “Edge-1.contoso.com”. The error that occurred is: “Attempted to perform an unauthorized operation.”
I understand that you cannot use ECP on Edge, but I get this same error when I open ECP on my Mailbox server, go to Servers then try to edit my Edge server.
I had an MS tech look into another issue and he also tried to find the issue here but could not resolve.
Is there actually an issue here? there doesn’t appear to be anything you can actually ‘Manage’ in there anyway, but why do we get this ‘Warning’ ? maybe it should say “nothing to see here, please move along” !
May 8th, 2015 at 3:19 am
Actually you can’t edit anything on Edge server. What are you trying to edit?
July 14th, 2015 at 10:13 pm
[…] Edge Transport is coming with RTM – So yes most of you guessed correct in the NY Exchange User Group on our Exchange Edge Session. […]
September 8th, 2015 at 12:26 am
Hi,
What is the path to check the SMTP logs on ET servers, to find the reason for bouncing outgoing mail to a different SMTP domain?
T & R,
Kamlesh
September 8th, 2015 at 12:45 am
It should be default location if you have not changed it.
Try the message tracking.
Get-messagetrackinglog
September 13th, 2015 at 6:46 am
[…] the previous blog I talked about configuring Exchange 2013 Edge transport server. Today I was upgrading my Exchange […]
September 26th, 2015 at 3:11 am
Nice article about step by step Edge server installation and configuration.
November 23rd, 2015 at 1:58 pm
https://social.technet.microsoft.com/Forums/exchange/en-US/d28f491c-054d-423e-b5c0-104c40dbb294/cant-run-tracking-log-explorer-access-denied-in-edge-trasport-2013?forum=exchange2010
http://blogs.technet.com/b/ehlro/archive/2015/03/30/exchange-2013-edge-as-a-smarthost-with-basic-over-tls-authentication.aspx
December 6th, 2015 at 12:27 pm
I am running an Exchange 2016 Edge server with a 2016 mailbox server. How can I correctly change the "EdgeSync - Default-First-Site-Name to Internet" send connector so that it allows emails larger than 10MB? Can you change this in the EAC or with PowerShell? Do you run this from the Edge server or the mailbox server?
December 6th, 2015 at 12:56 pm
You will run the command mentioned below on the mailbox server:
Set-SendConnector “send connector name” -MaxMessageSize 100MB
January 4th, 2016 at 8:31 pm
What is your issue?
January 5th, 2016 at 4:41 am
I have 3 Exchange 2010 servers (all roles). I want to install Edge 2016 (for testing the antimalware part).
Can I do this without changing anything on the Exchange 2010 organization? Everything must keep on working...;)
What does this command (New-EdgeSubscription -FileName ) do exactly and more importantly: where does it delete accepted domains, message classifications, remote domains, Send connectors and InternalSMTPServers list from?
If it deletes all that from my Exchange 2010 production servers I cannot continue….
February 24th, 2016 at 3:10 am
Hi,
we are running following environment for Exchange 2010 on premises.
3 Mailbox server with Single DAG
3 Hub/ CAS (multirole) with NLB
2 Edge Servers are used for routing email through Exchange Online Protection (EOP)
For migration purposes we have introduced the following Exchange 2013 servers.
4 Mailbox + CAS (multirole) servers with Single DAG
3 Edge Servers
We have subscribed all three Exchange 2013 Mailbox servers with 2010 Edge Transport Servers and till now email flow is working fine (after doing re-subscription because of Exchange 2013 introduction in the environment). Now, we want to subscribe 2013 Mailbox servers (one by one) with 2013 Edge Transport Servers so that 2010 and 2013 Edge Transport servers can route email to EOP and later we can remove Edge 2010 and Exchange 2010 from the environment.
we would like to know – while doing Edge Subscription will there be any issues with email routing? and can we do multiple subscription for Hub Transport 2010 and Mailbox 2013 servers, i.e with Edge 2010 and 2013 at same time?
please note our requirement is to keep Edge server 2013 in the environment. please correct our approach or suggest a better plan.
Thanks,
February 25th, 2016 at 1:15 am
If you configure the subscription then your production will change. You can test the Edge Transport server without a subscription by just configuring send connectors.
February 25th, 2016 at 1:20 am
Try sending an email from your exchange 2013 and tell me if it is not going through Edge servers without going to Exchange 2010.
February 25th, 2016 at 9:54 am
Thanks. it worked by creating a send connector without doing subscription.
March 8th, 2016 at 8:50 am
Hi Prabhat,
I have 2 CA+MB servers and 2 ET servers.
Configured attachment rule for 2 MB initially but now change it to 10 MB, but still not able to attach big size file.
Restarted transport service on 2 CA+MB servers.
Thanks in advance for your suggestion.
Kamlesh
March 8th, 2016 at 10:41 am
If you need to attach 10 MB then configure 14MB limit. 33% extra for header.
March 8th, 2016 at 11:27 am
Dear Prabhat,
In my environment (exchange 2016), there are 2 mail box servers in DAG load balanced by load balancer. So In external DNS (mail.xyz.com) points to our Public IP and NATs to load balancer. In Internal DNS also it points to the load balancer.
Now I need to add an edge server, believe I can configure in the load balancer to forward SMTP traffic to edge server. Am I right?
Now next part is about certificates. Is the SSL certificate needed for edge server?.
If I’m planning for a SSL certificate, I need to include
Mail.xyz.com(HTTPS, SMTP, POP3, IMAP)
Autodiscover.xyz.com
Xyz.com
Please correct me if I’m wrong here?.. Also how can I include certificate for edge server?
March 8th, 2016 at 12:17 pm
Load balancer can forward the smtp traffic to Edge but you need a separate VIP for it.
SMTP does not need a cert unless you are configuring TLS and secure SMTP. In that case you need SMTP fqdn.
April 11th, 2016 at 8:38 am
Dear Nigam,
I have Exchange 2016 with 8 mailbox servers installed and two edge servers in the DMZ network. My queries are below.
How can I achieve high availability of the Edge server? In 2010 we could set up the edge server in cloning mode by adding two subscriptions. How can we do this in Exchange 2016?
My exchange is running in coexistence mode with 2013-2016, Now I want user from 2013 send the emails from 2013 which is running, User from 2016 are able to send the emails from exchange 2016 with Edge server, 2013 & 2016 are in different AD sites.
I believe we don’t need edge server Fqdn in public certificate but if I enable TLS then I have smtp.domain.com in my public cert. correct me if I am wrong.
How can I leverage HLB to forward the SMTP traffic?.
Thanks in advance.
Chandan
April 11th, 2016 at 8:47 am
Configure Internal SMTP server.
Is the configuration of the Internal SMTP server in the Transport Configuration required? If yes, do I need to configure port 2525 for the internal SMTP server?
April 11th, 2016 at 3:11 pm
I have 2 Exchange Edge and CAS Servers (Primary and DR), recently I started having problem with when DR site is down unable to receive emails. Mail queues are stuck in Edge server and it doesn’t deliver to CAS server except internal domain emails within the group. External emails are not getting delivered.
Thanks,
Robert
April 11th, 2016 at 3:15 pm
You will have to inspect your connector settings and smarthost settings..
Also make sure the settings are right on your EDGE and that edge can relay emails to Primary site on Telnet port 25…
Internal email doesn’t have to go to EDGE servers…
April 11th, 2016 at 3:20 pm
In addition to Ratish, check the DNS resolution on Edge.
April 11th, 2016 at 3:48 pm
Port 2525 is configured for CAS and it can accept the email on Port 25.
Also I have checked the DNS and it works fine.
April 11th, 2016 at 4:09 pm
If you have CAS and mbx together in one server then port 2525 is for mailbox role. Unless you swap manually.
April 20th, 2016 at 8:56 am
Hi Prabhat,
Greetings !!!
We have 8 exchange mailbox server with 2 edge server.
Now We want use Edge server in HA/Redundancy. Can we achieve with import 2 edge subscription.
We have configured coexistence with 2013, the MX is set up on Symantec MessageLabs. We want users on 2013 to use the 2013 send connector, and users on 2016 to use the edge server for communication.
Do we need to configure port 2525 for edge, Like wise we used in single box 2013.
April 21st, 2016 at 3:31 am
Hi Prabhat / Ratish,
I have 2 CAS and 2 Edge server with replication on multiple sites. I have verified the ports but still primary site is unable to deliver emails to the local CAS server on the same location.
June 13th, 2016 at 3:44 am
@Rob: If you still have the issue then you can engage a professional including me.
June 13th, 2016 at 3:55 am
@Chandan – Answer inline. Also check my video on it. https://www.youtube.com/watch?v=XCHgHLpbvqQ
How I can achieve High availability of Edge server, In 2010 We can setup edge server in cloning mode by adding two subscription, How can we do in 2016 Exchange.
PN – Cloning does not help. Use DNS round robin or a Load Balancer.
My exchange is running in coexistence mode with 2013-2016, Now I want user from 2013 send the emails from 2013 which is running, User from 2016 are able to send the emails from exchange 2016 with Edge server, 2013 & 2016 are in different AD sites.
PN – What is the issue here?
I believe we don’t need edge server Fqdn in public certificate but if I enable TLS then I have smtp.domain.com in my public cert. correct me if I am wrong.
PN – Yes, cert is only required for TLS
How can I leverage HLB to forward the SMTP traffic?.
PN: Network load balancer or DNS round robin.
Now We want use Edge server in HA/Redundancy. Can we achieve with import 2 edge subscription.
PN: Yes, you can
We have configured coexistence with 2013, the MX is set up on Symantec MessageLabs. We want users on 2013 to use the 2013 send connector, and users on 2016 to use the edge server for communication.
PN: They are in AD sites, so you can make a scoped Send connector; that connector will accept only local traffic, and in source servers add only the respective version's servers.
Do we need to configure port 2525 for edge, Like wise we used in single box 2013.
PN: Port 2525 is for the mailbox role in a combined CAS+MBX and it is safe to receive on MBX so do it.
December 20th, 2016 at 2:02 am
I log in to the ECP web interface. When I go into the Server tab and try to edit the edge server, it shows "Attempted to perform an unauthorized operation".
Have you encountered this?
December 20th, 2016 at 2:51 am
Only the Exchange Management Shell on the edge server can change any edge property.