The Edge Transport role in Exchange Server 2010 provides an important layer of security between the external and internal messaging infrastructure. The Edge server analyses messages, can identify spam, content and connection trends, and takes the appropriate action to prevent delivery of potentially harmful content, spam and other undesired messages. So all messages coming into and going out of the entire organization are scanned by the Edge Transport server, checked against the policies deployed on it, and only then passed on toward the external network. The Edge Transport server plays a vital role in the messaging infrastructure, protecting the organization from attack and preventing delivery of unnecessary email, which ultimately can save an organization's reputation, reduce administrative overhead, and increase productivity.
Installation Prerequisite:
Windows Server 2008 x64 SP 2 or Windows Server 2008 R2
Microsoft .NET Framework 3.5
Windows Remote Management 2.0
Windows PowerShell V2
Active Directory Lightweight Directory Services (AD LDS)
Exchange Server 2010 HT, CAS and Mailbox roles installed on a separate Windows Server 2008 computer
Installation:
Edge Transport Config:
Now from Start>All Programs>Microsoft Exchange Server 2010>Exchange Management Console you have to configure the Anti-Spam, Receive Connectors, Send Connectors, Transport Rules and Accepted Domains tabs available in the Edge Transport console. On the Anti-Spam tab, you have to configure Content Filtering, IP Allow List, IP Allow List Providers, IP Block List, IP Block List Providers, Recipient Filtering, Sender Filtering, Sender ID and Sender Reputation through the action pane.
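The same Anti-Spam tab settings applied from the Exchange Management Shell on the Edge Transport server, as an added example that is not from the original post; the quarantine mailbox, DNSBL domain and IP ranges are placeholders.

```powershell
# Added example (not from the original post): the Anti-Spam tab settings done
# from the Exchange Management Shell on the Edge Transport server, so they can
# be reviewed and reapplied consistently. Mailbox, provider and IP values are
# placeholders.

# Content Filtering: quarantine from SCL 5, reject at SCL 7, delete at SCL 9.
Set-ContentFilterConfig -Enabled $true `
    -SCLQuarantineEnabled $true -SCLQuarantineThreshold 5 `
    -SCLRejectEnabled $true -SCLRejectThreshold 7 `
    -SCLDeleteEnabled $true -SCLDeleteThreshold 9 `
    -QuarantineMailbox "spamquarantine@example.com"   # placeholder mailbox

# Recipient Filtering: reject mail for recipients that do not exist. On the
# Edge this only works once EdgeSync has replicated recipients into AD LDS.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# Sender Filtering: block an empty MAIL FROM and reject instead of just stamping.
Set-SenderFilterConfig -Enabled $true -BlankSenderBlockingEnabled $true -Action Reject

# Sender ID: reject messages whose sending IP fails the Sender ID (SPF record) check.
Set-SenderIdConfig -Enabled $true -SpoofedDomainAction Reject

# Sender Reputation: block senders whose reputation level goes above 7.
Set-SenderReputationConfig -SenderBlockingEnabled $true -SrlBlockThreshold 7 `
    -OpenProxyDetectionEnabled $true

# IP Block List Providers and IP Block List (placeholder DNSBL and range).
Add-IPBlockListProvider -Name "Placeholder DNSBL" -LookupDomain "dnsbl.example.net"
Add-IPBlockListEntry -IPRange "203.0.113.0/24" -Comment "constructed example range"

# IP Allow List: a partner relay that must never be filtered (placeholder address).
Add-IPAllowListEntry -IPAddress "198.51.100.25" -Comment "partner relay (placeholder)"

# Review the effective settings before putting the server in the mail path.
Get-ContentFilterConfig | Format-List Enabled, SCL*
Get-SenderIdConfig | Format-List Enabled, SpoofedDomainAction
Get-IPBlockListProvider | Format-Table Name, LookupDomain, Enabled
```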
EdgeSync Config on an Edge Transport Server:
On the Edge Transport server, open the Exchange Management Shell and type the following:
New-EdgeSubscription -FileName "C:\Edgeinfo.xml"
Copy the Edge subscription file to the Hub Transport server as C:\Edgeinfo.xml
On the Hub Transport server, open Exchange Management Console>Organization Configuration>Hub Transport section
In the action pane, click New Edge Subscription>New Edge Subscription Wizard.
Click Browse>select Active Directory site>Select Default First Site
Browse to the location of the Edge subscription file you copied from the Edge Transport server and click Next>Finish
Verify synchronization to the Edge Transport server’s AD LDS and review the application log in Event Viewer on both Hub and Edge Transport servers
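The subscription steps above run from the Exchange Management Shell instead of the wizard, with the connectivity and event-log checks for the final verification step; this is an added example, not from the original post, and the Edge host name EDGE01 and site name Default-First-Site-Name are assumptions.

```powershell
# Added example (not from the original post): Edge subscription from the shell
# plus the checks for the verification step. Assumed names: Edge host "EDGE01",
# Active Directory site "Default-First-Site-Name".

# --- 1. On the Edge Transport server: export the subscription file ---
# The file carries the AD LDS bootstrap credentials for this Edge server, so
# move it to the Hub over a trusted channel and remove every copy afterwards.
New-EdgeSubscription -FileName "C:\Edgeinfo.xml"

# --- 2. On the Hub Transport server: import it (the file expires after 24 hours) ---
$edgeFile = "C:\Edgeinfo.xml"
$fileData = [byte[]](Get-Content -Path $edgeFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site "Default-First-Site-Name"
Remove-Item $edgeFile   # credentials inside; do not leave it on the Hub

# --- 3. On the Hub: confirm the Hub can reach the Edge's secure LDAP port ---
# EdgeSync replicates over TCP 50636 from Hub to Edge (SMTP 25 is needed both
# ways). A blocked port surfaces as "The LDAP server is unavailable".
function Test-EdgeSyncPort {
    param([string]$EdgeHost, [int]$Port = 50636)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($EdgeHost, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}
Test-EdgeSyncPort -EdgeHost "EDGE01"

# --- 4. On the Hub: push the first sync now rather than waiting for the schedule ---
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc

# --- 5. On both Hub and Edge: review EdgeSync entries in the Application log ---
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -like "*EdgeSync*" } |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```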
Further Study:
Key Words: Edge Transport, Exchange 2010, AD LDS, Windows Server 2008
Hello Brother,
Can you give a doc regarding how to configure POP/SMTP, or a configuration guide for Exchange 2010……
Waiting for your reply
Visit https://araihan.wordpress.com/2010/03/17/how-to-configure-exchange-2010-hub-transport-ht-server/ for Hub Transport configuration. HT is the SMTP connector. Start all the Exchange-related services in Windows. Default services should be in Started/Automatic status. You can create a separate connector for each of them by using the Exchange Management Console.
Please be professional when seeking help. No brotherhood please.
Regards,
Raihan
I am looking for HA solution for Edge/CAS/Hub transport any suggestion/design guides
Thanks,
Sunil
Hello Sunil,
Here is a how to for you. http://technet.microsoft.com/en-us/library/dd638121.aspx and http://technet.microsoft.com/en-us/library/bb124721%28EXCHG.80%29.aspx
Thanks for visiting my site. Raihan
Hi Brother,
I am planning to configure an Exchange Server 2010 with a dynamic IP address. Do you have any experience with this? Please help me out.
thank you
sujith
sujith,
A dynamic IP would not work for an Exchange deployment. You need a static IP for all Exchange roles.
Regards,
Raihan
Hi Raihan,
MS recommends the Edge Transport server role be outside the AD environment and on another server for spam/AV protection. Do you see any options here, or please validate this assumption.
Thanks
Ali
In best practice architecture, Edge Transport or ET is placed in the DMZ. ET uses the antivirus and antispam engine from McAfee or Trend Micro. You need to install antivirus on the same server. You can place ET in the internal network also. You can have more than one ET if you want. You can use IronPort and ET together. Microsoft provides full flexibility in systems architecture. It's really up to you what you want.
Thank you so much bro,
I have one more question for you. Currently we are using Windows SBS 2003 and Exchange in one box as domain controller and file server for about 20-24 users, and I want to discard the present machine and implement all new Windows Server 2008 Enterprise and Exchange 2010. Can you please advise the equipment to implement, like if I need to buy 2 server machines along with 2 sets of Windows Server 2008 and Exchange 2010? This would be my first experience in implementation.
God bless you
thanks
ali
Hey,
Thanks for your post.
I have established a back-to-back DMZ network with 2 TMG firewalls (one in the front and one in the back).
I was also able to correctly configure Exchange Server 2010 (one internal server with Hub/CAS/Mailbox and an Edge server in the DMZ).
The EdgeSync between the Edge in the DMZ and the Hub in the internal network was successfully done (the test-edgesynchronization command in the PowerShell returned a "Success" status).
But I'm actually blocked:
1- I want to configure OWA to be able to connect from the internet. So how should I configure the front and the back TMG servers to be able to do it? Should I configure both, or only the front one?
2- My FAI is disabling the MX records, so the only available solution is an FAI SMTP server to which I have to forward mails. For the incoming mails, they will be forwarded directly to my server. So how can I configure both the Edge and the front TMG server to be able to work within these restrictions?
Looking forward to your answer!!
Hello Melek,
Good to hear everything configured ok. OWA config http://microsoftguru.com.au/2010/03/16/forefront-tmg-2010-publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/
and http://microsoftguru.com.au/2010/04/09/forefront-tmg-2010-publishing-exchange-server/
In your situation, publish OWA in the front-end TMG. Add the IP range of the internal network of the back-end TMG into the internal network IP range of the front-end TMG to avoid IP spoofing.
In a back-to-back config the CAS server should be placed in the DMZ. So place ONLY the CAS and ET server in the DMZ. The rest of your config is ok. Now you need to publish Exchange CAS in the front end and HT, ET, SMTP in the back end. However, SMTP and HTTPS must be allowed in the proper direction between DMZ, external and internal.
I don't understand what you mean by FAI.
For the MX record, add an external MX record and webmail CNAME through the ISP or ISP tools. Add firewall policy/port forwarding in the router. Add MX and CNAME records in the local DNS server. Hope this helps.
Hey Rayhan,
Thanks for your response.
First of all, sorry for the "FAI" term (it's a French one); it means ISP.
So the problem is that we cannot make an MX record due to government restrictions.
The only possibility that we have is to forward all outbound messages from our servers to the ISP ones.
What should I do then? And how do I configure the TMG, since I'm actually confused?
A more explicit explanation:
I have a back-to-back network (Internet-DMZ-Intranet) with 2 TMG servers.
I have also installed the following servers:
1- An Exchange server including (HT, CAS, Mailbox) in the intranet domain.
But, as you mentioned in your response, I should remove the CAS from the internal server and put it in the DMZ. Can I remove this component from my Exchange server without any trouble? Or are there any steps to follow to make a clean removal?
2- An Edge server in the DMZ with a workable synchronization with the HT.
3- My ISP cannot register my MX record due to some government restrictions.
It provides an alternative solution by redirecting all incoming mails to our server, and I should send all my outgoing messages to its SMTP server.
So, my question is:
How should I configure my front TMG? To which server (Edge or HT/Mailbox) should I open the SMTP port? Is there any step-by-step guide for that?
Thanks a lot for your help.
I understand you are worried placing CAS in DMZ. Then use reverse proxy. An ET in DMZ should work with HT. You just need to allow DNS in DMZ.
Question no. 3 is weird for me. You need an MX record; you can have it anywhere in the world.
Thanks a lot for your quick answer ! 🙂
About Q 3, the ISP is also blocking any SMTP request from outside. So I cannot receive any email from any different server. The only solution is its routing solution :(.
I'm actually working on it. As soon as I find a solution, I'll let you know.
Can you tell me how to install a good certificate on the Edge server? Because after following your configuration, using Outlook 2010 Anywhere I cannot connect to the Exchange Server 2010 from the internet.
I get an error message about the proxy server.
Thank you
What sort of error are you getting? Did you publish Exchange using TMG?
I want to be your friend
This guide was brilliant; even better was that there is a wizard that will walk you through the Edge subscription steps instead of the PowerShell stuff.
Thanks!!
Thanks for visiting my site.
Raihan,
Thank you for the detailed instructions! Do you know if the Exchange 2010 ET and the Lync 2010 Access Edge (AE) can coexist on the same server?
Thank you!
Trevor
It's not a best practice. Please check this TechNet article: http://technet.microsoft.com/en-us/library/gg398123.aspx
The TechNet article does not address the question. I too would like to know if I can colocate the Exchange Edge Transport server and the Lync Edge server on the same box.
My answer is no. For best practice you should not install Lync Edge on Exchange Edge. It's not a good idea at all.
Hi, thanks for your step-by-step guide for Edge deployment.
Could you provide, after the Edge subscription, what configurations are left on the Edge server
(like send connector, receive connector, accepted domain)? Do we have to create them on the hub server or the edge? Please explain.
Thanks….
All Exchange configs are here: http://microsoftguru.com.au/category/exchange-server-2010/
Dear
Thanks for your helpful blog. Can you give step-by-step for configuring external mail of Exchange 2007 on one server (Win2008 with Active Directory)?
Masud
http://microsoftguru.com.au/2010/03/17/how-to-configure-exchange-2010-hub-transport-ht-server/
Hello!
Please I need help. After configuring my Edge Transport I tried synchronizing and had this error report:
EdgeSync service cannot connect to this subscription because of error "The LDAP server is unavailable.".
Where did you put the Edge server? Do you have proper rules in the firewall for Edge communication?
Most of the emails coming from outside are blocked by our Exchange server. We have Exchange server + EdgeSync (I think TMG) for sending/receiving emails from outside.
Kindly advise.
Hi guys,
I am trying to install Exchange on one of my member servers but it is failing during installation. When I checked DNS health on my DC the test is failing. Can you please suggest how to solve this issue?
Command used for DNS health: dcdiag /test:DNS
OS: Windows Server 2008 R2
Hi Raihan,
If I am upgrading the Exchange Server 2007 Edge to Edge Server 2010,
do I have to reconfigure the anti-spam settings (IP block list, blocked senders etc.) in the Exchange 2010 server?
Here is a detailed how-to: http://technet.microsoft.com/en-us/library/dd346708.aspx
Hi,
I am getting "Hub Transport role installation failed". How to solve?
Regards,
Madhav
What error are you getting? Have you checked the installation log?
Hey, I am getting a spam attack on Exchange 2010. How can I block that? Too many mails are generated. Any help?
Hi Raihan,
I am hoping you can help with my Exchange 2010 SP1 setup. All I am trying to accomplish is to relay mail from Exchange to the Internet using SMTP, nothing complicated. Currently my mail leaves, but it can take up to an hour for it to resolve DNS for the external emails. Am I missing something? I have SMTP and port 53 opened on the firewall. I have set up a send and receive connector and am using External DNS Lookups. Let me know if I have missed something; your help is appreciated.
How did you configure Exchange, I mean what is your design layout? Can you telnet servername 25?
Can you use smtpdiag? Check EMC>Tools>Traffic flow.
Hi Raihan,
I can telnet and everything is fine; it is just that the mail sits in the queue for a while and gets a DNS lookup error, but then a few minutes later it resolves DNS and leaves Exchange. In order for me to get DNS to work I had to track down our various customer MX records and add them to our Exchange to speed up the lookup, but this isn't the ideal method as you can tell.
Bharat