The Edge Transport server is the mail hygiene layer for all inbound and outbound email in the organization. It sits in front of the internal Exchange servers and applies connection, sender, recipient and content filtering before a message reaches the corporate LAN, so Internet senders never talk directly to a domain-joined server.
In production the Edge server is placed in a DMZ (perimeter network).
So the setup looks like this:
Intranet (basically the corporate LAN) – intranet firewall – DMZ – perimeter firewall – Internet
The Edge server sits between the intranet firewall and the perimeter firewall, that is, in the demilitarized zone.
A server in the DMZ has no direct access to the directory: it is not joined to the domain, and the intranet firewall does not allow it to reach the domain controllers. That is deliberate, because the DMZ host is the first filtering point for spam arriving from the Internet and is the machine most likely to be attacked.
The DMZ is kept on a separate subnet from the LAN so that a compromised Edge server does not expose the LAN directly. Because the Edge server is not domain-joined, it is given a primary DNS suffix so that it has an FQDN; the Mailbox servers must be able to resolve that FQDN (and the Edge server must resolve the Mailbox servers) for the few services that are allowed through the intranet firewall.
Instead of Active Directory, the Edge server runs AD LDS (Active Directory Lightweight Directory Services). EdgeSync replicates a one-way copy of recipient and configuration information from Active Directory into this local AD LDS instance; the Edge server stores nothing else from the directory.
With that copy the Edge server can validate recipients on its own (rejecting mail to non-existent addresses at the perimeter), apply the per-recipient anti-spam agent settings, know the connector configuration and route mail-flow accordingly.
The following are the prerequisites for installing the Edge server:
Remote Server Administration Tools
Required Windows components: .NET Framework and the AD LDS role
Windows Management Framework 4.0
Follow the TechNet article on Exchange 2013 prerequisites to install the Edge server prerequisites.
1. Configure the DNS suffix on the Edge server.
Because the server is not domain-joined, set the organization's domain name as the primary DNS suffix; the host name plus this suffix becomes the Edge server's FQDN, and that is the name the Mailbox servers will use for EdgeSync.
In my case the host is edge2013 and the suffix is exchangequery.com, so the FQDN is edge2013.exchangequery.com.
2. Configure the firewall rules as follows (SMTP is TCP only; there is no UDP port 25):
SMTP – TCP port 25, from the Internet to the Edge server (perimeter firewall)
SMTP – TCP port 25, from the Edge server to the Mailbox server's Transport service on the internal network (intranet firewall)
SMTP – TCP port 25, from the Edge server to the Internet (perimeter firewall)
SMTP – TCP port 25, from the Mailbox server to the Edge server (intranet firewall)
Secure LDAP for EdgeSync – TCP port 50636, from the Mailbox servers to the Edge server (intranet firewall). TCP port 50389 is the non-secure LDAP port of the local AD LDS instance; EdgeSync itself uses only 50636, so 50389 only needs to be reachable on the Edge server itself. Do not open either port on the perimeter firewall. They belong on the intranet firewall only, and only from the Mailbox servers' addresses: an Internet host that can reach the AD LDS instance can read the replicated recipient list.
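As an added example (not part of the original post), the following PowerShell configures the Windows Firewall on the Edge server itself so that the host enforces the same policy as the two network firewalls above: anyone may reach TCP 25, only the Mailbox servers may reach the EdgeSync port, and everything else inbound is dropped even if a perimeter rule is later misconfigured. The Mailbox subnet 192.168.10.0/24 and the DMZ host name are assumptions; the cmdlets are the standard NetSecurity module on Windows Server 2012 or later.

```powershell
# Added example, not from the original post. Assumptions: the internal Mailbox
# servers live in 192.168.10.0/24 and the Edge host is edge2013.exchangequery.com.
$MailboxSubnet = '192.168.10.0/24'

# Default-deny in both directions on every profile. A workgroup host in the DMZ
# lands on the Public profile, so do not leave any profile at Windows defaults.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# SMTP from anywhere: the perimeter firewall already limits the Internet to
# TCP 25, and the Mailbox servers deliver outbound mail to this same port.
New-NetFirewallRule -DisplayName 'Edge SMTP in (TCP 25)' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Allow -Profile Any

# EdgeSync secure LDAP only from the Mailbox subnet. No rule exists for 50389:
# the non-secure AD LDS port is used locally by the Edge server and never
# crosses a firewall, so under default-deny it stays closed to every remote host.
New-NetFirewallRule -DisplayName 'EdgeSync secure LDAP in (TCP 50636, Mailbox only)' `
    -Direction Inbound -Protocol TCP -LocalPort 50636 `
    -RemoteAddress $MailboxSubnet -Action Allow -Profile Any

# Outbound: SMTP (to the Internet and to the Mailbox servers) plus DNS for MX
# lookups is all the transport role needs. Add NTP/updates explicitly if required.
New-NetFirewallRule -DisplayName 'Edge SMTP out (TCP 25)' -Direction Outbound `
    -Protocol TCP -RemotePort 25 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Edge DNS out (TCP 53)' -Direction Outbound `
    -Protocol TCP -RemotePort 53 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Edge DNS out (UDP 53)' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow -Profile Any

# Review what is now exposed inbound: expect only TCP 25 and TCP 50636
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

After applying this, a TCP connection to port 50636 from a host outside the Mailbox subnet should fail while the same test from a Mailbox server succeeds; port 25 should answer from both sides. Anything else the Edge host legitimately needs outbound (time sync, Windows Update, a management jump host) must be added as an explicit rule, which is the point: every open port is then a documented decision.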
If you are installing the Edge server in a lab, you can follow these steps:
1) Build the Edge server as a standalone (workgroup) machine; do not join it to the domain.
2) Add the domain name alone as the primary DNS suffix.
3) Put the Edge server on a different subnet from the Mailbox server. In the lab the two subnets can sit on the same VLAN.
4) On the Mailbox server, add an address from the Edge server's subnet as an additional IP address in the advanced TCP/IP settings of the primary NIC, and do the same on the Edge server with an address from the Mailbox server's subnet.
Only after step 4 do the two subnets have connectivity and can ping each other: each host now has an address on the other's subnet, so no router is needed between them. This is a lab shortcut only; it collapses the two subnets onto one segment and removes the isolation a real DMZ provides.
In a real deployment the perimeter network and the LAN are routed through the intranet firewall, and all of the ports listed above must be open, otherwise Edge synchronization with the Mailbox servers will fail.
3. Install the Exchange 2013 Edge server.
Select the Edge Transport role.
Wait for the readiness checks to complete.
Reboot the computer once setup finishes successfully.
After the reboot, confirm that the Edge server is installed. The Edge Transport role has no graphical (EAC) management; it is administered from the Exchange Management Shell on the Edge server itself. Once the Edge subscription is in place, the configuration the Edge server consumes (accepted domains, send connectors, recipients) is managed on the Mailbox side through the EAC and EdgeSync replicates it to the Edge server.
Run the following command to confirm that the Edge server is available.
You can also run Get-TransportService | FL to check all the other parameters.
4. Start the Edge subscription on the Edge server with the following command:
New-EdgeSubscription -FileName "C:\edgeserversubscription.xml"
5. Copy the XML file to the Mailbox server's local disk. The file contains the credentials that bootstrap EdgeSync and is only valid for 1440 minutes, so copy it over a trusted channel and delete it from both servers once the subscription is complete.
6. Complete the subscription on the Mailbox server with the following command (the cast must be to a byte array, [byte[]], not a single [byte]):
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
7. Run Start-EdgeSynchronization.
The Start-EdgeSynchronization cmdlet immediately starts synchronization of configuration data from Active Directory to the subscribed Edge Transport server, instead of waiting for the scheduled run. The -Server parameter takes the name of the Mailbox server that initiates EdgeSync.
Start-EdgeSynchronization -Server exchangequery.com
Once the synchronization has finished, the Edge setup is complete. Note that from this point the Edge server's accepted domains and send connectors are owned by EdgeSync; changes made locally on the Edge server are overwritten at the next sync, so make them on the Mailbox side.
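The whole procedure from step 1 to step 7, with the verification a practitioner would run at each hand-off, as an added example that is not part of the original post. The host names edge2013.exchangequery.com and MBX2013, the DNS suffix exchangequery.com and the site name Default-First-Site-Name are assumptions; Resolve-DnsName and Test-NetConnection require Windows Server 2012 R2 or later, and each section must be run in the Exchange Management Shell on the server it names.

```powershell
# Added example, not from the original post. Assumptions: Edge host edge2013 with
# DNS suffix exchangequery.com, Mailbox server MBX2013 (hypothetical name),
# AD site Default-First-Site-Name. Run each section on the host indicated.

### --- On the Edge server (Exchange Management Shell, run as Administrator) ---

# 1. Primary DNS suffix. The server is not domain-joined, so set it in the
#    registry (same effect as System Properties > Computer Name > More). Reboot after.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value 'exchangequery.com'
Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value 'exchangequery.com'

# 2. Confirm the Transport service is up before exporting a subscription
Get-TransportService | Format-List Name, MaxOutboundConnections

# 3. Export the subscription file. It embeds the EdgeSync bootstrap credentials
#    and expires after 1440 minutes: treat it as a secret, not as a config file.
New-EdgeSubscription -FileName 'C:\edgeserversubscription.xml'

### --- On the Mailbox server, after copying the XML over a trusted channel ---

$xml = 'C:\EdgeServerSubscription.xml'

# The Edge FQDN must resolve and TCP 50636 must pass the intranet firewall,
# otherwise the import succeeds but every sync afterwards fails.
Resolve-DnsName -Name 'edge2013.exchangequery.com' -Type A
if (-not (Test-NetConnection -ComputerName 'edge2013.exchangequery.com' -Port 50636).TcpTestSucceeded) {
    throw 'TCP 50636 to the Edge server is blocked; fix the intranet firewall before subscribing.'
}

# Import: Get-Content -Encoding Byte yields raw bytes; the cast is [byte[]], not [byte].
# The two connector switches create the Internet and inbound send connectors
# (both default to $true; shown explicitly so the mail-flow change is visible).
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path $xml -Encoding Byte -ReadCount 0)) `
    -Site 'Default-First-Site-Name' `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# The file is now useless to you and useful to an attacker: remove it here and
# delete the original on the Edge server as well.
Remove-Item -Path $xml -Force

# Force the first synchronization from this Mailbox server instead of waiting
# for the schedule; -Server is the Mailbox server, not the domain or the Edge.
Start-EdgeSynchronization -Server 'MBX2013' -ForceFullSync

# Verify from the Mailbox side: SyncStatus should report Normal for the Edge server
Test-EdgeSynchronization | Format-List
Get-EdgeSubscription

### --- Back on the Edge server: the replicated configuration is now local ---
Get-AcceptedDomain
Get-SendConnector | Format-Table Name, AddressSpaces, SourceTransportServers
```

The two checks before the import are the ones worth keeping: a subscription imported while the EdgeSync port is blocked is accepted by Active Directory and then silently never synchronizes, which shows up later as rejected recipients and stale connectors on the Edge server rather than as an error at import time.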
Hi there, I have a question. I plan to install an Edge Transport server in my organization. Currently the MX points to the CAS/Mailbox server. Once I set up the Edge Transport server, as I know, I need to move the MX record to the Edge Transport server. What will happen to Outlook Anywhere, Outlook and RPC over HTTP? Or do I need to create a new mail2.domain.com and point it to the new Edge server and make this the MX record?
Hi Jafni, all you need to do is point your existing MX record to your Edge server. Point your existing public DNS entry mail2.domain.com to your Edge server, which will make the emails flow through your Edge server.
We are running the following environment for Exchange 2010 on premises:
3 Mailbox servers with a single DAG
3 Hub/CAS (multirole) servers with NLB
2 Edge servers used for routing email through Exchange Online Protection (EOP)
For migration purposes we have introduced the following Exchange 2013 servers:
4 Mailbox + CAS (multirole) servers with a single DAG
3 Edge servers
We have subscribed all three Exchange 2013 Mailbox servers with the 2010 Edge Transport servers, and so far email flow is working fine after re-subscribing because of the introduction of Exchange 2013 into the environment. Now we want to subscribe the 2013 Mailbox servers (one by one) with the 2013 Edge Transport servers so that the 2010 and 2013 Edge Transport servers can route email to EOP, and later we can remove Edge 2010 and Exchange 2010 from the environment.
We would like to know: while doing the Edge subscription, will there be any issues with email routing? And can we have multiple subscriptions for the Hub Transport 2010 and Mailbox 2013 servers, i.e. with Edge 2010 and 2013 at the same time?
Please note our requirement is to keep Edge server 2013 in the environment. Please help us in determining the steps to introduce Edge Transport Server 2013 in parallel to Edge Transport Server 2010.
Create a new Edge synchronization between the new Exchange 2013 Edge and Mailbox servers.
Remove the old subscription.
You should modify the firewall publishing rule to change the inbound and outbound message flow once you have installed the Exchange 2013 Edge server in the DMZ.
While changing this firewall rule you might have some downtime, so it is better to plan a maintenance window and perform this activity then.