Exchange 2007 - Install the Edge Server Role

Exchange 2007 - Install the Edge Transport Server Role

In Exchange 2007, the Edge Transport server is in different category from the other roles.  It has special requirements because it's outside of your Active Directory, and it's also on the external side of your firewall.

The following outline and screenshots were kindly supplied by Alain Laventure.

Topics for Exchange 2007 Edge Server Role

• Requirements for the Exchange 2007 Edge Server Role
• Workgroup
• ADAM or AD LDS
• Install Exchange 2007
• EdgeSync
• Ports Required by the Edge Server
• Hub Server Role
• Subscriptions
• Troubleshooting Edge Server Queues
• Summary - Edge Transport Server Role in Exchange 2007

 ♠

Requirements for the Exchange 2007 Edge Server Role

If you keep in mind that the purpose of the Edge role is security, then the reasons behind these particular and precise requirements, become clearer.

Planning

Remember that you need 64-bit hardware when you install the underlying operating system on, either Windows Server 2008, or Windows Server 2003. 

As for the placement of your Edge Transport Server, it should be in the perimeter network, and certainly outside the main network firewall.

Workgroup - You should prepare a stand-alone server for the Edge Transport Role.  The Edge server is exposed to the internet, and because it's running Exchange 2007 server, it becomes a likely target for hackers and spammers.  Thus, if this Edge server in a workgroup then it has no information about your domain, and consequently, your administrative usernames and passwords cannot be compromised.

ADAM (Active Directory Application Mode) - If you have ever wondered what was the point of this alternative active directory, then planning the Edge server will act as a case study for the use of ADAM.  Note, in Windows Server 2008 the equivalent of ADAM is AD LDS (Active Directory Lightweight Directory Services).

The point is that although the Edge server is in a workgroup, it still needs a few basic Active Directory capabilities, in particular, it needs to know how to send (forward) appropriate email to your domain recipients.

Install Exchange 2007

• Insert the Exchange 2007 setup disk.
• Install (Add) the Edge Server Role.
• Take the time for a Readiness Check.

EdgeSync - Remember that the Edge Transport server doesn't have access to your domain's Active Directory directory service.  The role of Microsoft's EdgeSync is to copy a subset of Active Directory information and 'paste' it into the Edge server's directory service (AD LDS or ADAM).  Rest assured, EdgeSync does not send any information back to Active Directory, thus there is no backdoor for hackers to exploit.

During this one-way transfer, only a specialist sub-set of Active Directory gets copied, mainly data about the connection configuration, but also anti-spam information.  Without this information the Edge server would not know where to send incoming email, which is addressed to your Exchange 2007 recipients.

Ports Required by the Edge Server

Hub Server Role - The Edge Server communicates with one of the internal Exchange 2007 servers that has the Hub Server Role.  Specifically, the Edge Rules agent filters unwanted messages and thus reduces the spam that enters your Exchange organization.  To manage the Edge Rules agent, launch the Exchange Management Console.  Experiment with different conditions, exceptions, actions, and the scope until you have the desired level of filtering.

Edge Subscriptions - You can manage the Edge subscription and synchronization processes with the EdgeSubscription family of PowerShell cmdlets.  To setup subscriptions follow this export --> import sequence.

On the Edge Server (Export)

New-EdgeSubscription -Filename c:\scripts\EdgeSubscriptionFile.xml

On the Hub Transport Server (Import)

Copy the file EdgeSubscriptionFile.xml from the Edge server.

Open the Exchange Management Console, expand the Organization Configuration and select Hub Transport.  Now you are ready to call the New Edge Subscription wizard, browse for the filename (EdgeSubscriptionFile.xml), the wizard will complete the subscription.

Edge Transport DNS - This server sees every message that comes into your organization.  You should also configure DNS so that your domain's external Mail Exchange (MX) record points to the Edge Server.  Once all the components are configured, Exchange 2007 automatically routes outgoing mail through the Edge Transport Service.

Redundancy There is no reason (other than cost) not to install a second Edge Transport Server; the benefits would be redundancy, and possibly load balancing.

Troubleshooting Edge Server Queues

Problem at the Edge Server
In the Queue Viewer, you see messages displaying the error message:
451 5.7.3 'Cannot achieve Exchange Server authentication'.

Solve the Problem in the Exchange Management Console

• Navigate to Server Configuration --> Hub Transport
• Right-click the Receive connector, and then select Properties.
• Select the Authentication tab.
• Check the Transport Layer Security (TLS) check box.
• Check the Exchange Server authentication check box.
• Click Apply.

Synchronize with the Hub Server
To complete the job, force synchronization with one of these PowerShell commands.

Start-EdgeSynchronization  [Exchange 2007 RTM]

Start-EdgeSynchronization -server HubServerName [Exchange SP1]

Guy Recommends: SolarWinds Engineer's Toolset v10

The Engineer's Toolset v10 provides a comprehensive console of utilities for troubleshooting computer problems.  Guy says it helps me monitor what's occurring on the network, and the tools teaches me more about how the system literally operates.

There are so many good gadgets, it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.  Download your copy of the Engineer's Toolset v 10

Troubleshooting DNS Problems

400 4.4.7 Message Delayed
451 4.4.0 DNS Query Failed

Solution - Call for your 'Toolbox'

Select Mail flow tools category

Open the Queue Viewer

Check that you have an inbound message queue for an accepted domain, such as "MyCompany.com", and if there is an error similar to "451 4.4.0 DNS Query Failed".

Troubleshooting:

1. Select the Edge server in the Result pane, and then select Properties.
2. Find the Internal DNS Lookups tab.
3. Select: All Available.
4. If you have multiple NIC adapters, select the one is for the internal network, select 'Use network card DNS settings'. The IP addresses will magically populate the box with the DNS server IP addresses from the internal network card.
5. Don't reboot, but Restart the Transport service.

If you have only one network card, there are two options:

You can select 'Use these DNS servers' and then select the IP address of the internal DNS server.  Alternatively, you can add a host file containing the DNS server information. 

Exchange Server 2007 is a complex topic, do you need practical hands on training?  As an MCT trainer, I can thoroughly recommend TrainSignal.  In particular, I like the way that TrainSignal cover all learning methods, instructor lead, video and of course text material.  You can either take one module, for example Exchange 2007 or go for a combination of modules.  Learn more about Microsoft Exchange Server 2007 here

Summary - Edge Transport Server Role in Exchange 2007

In a nutshell, the Edge Transport Server is your Exchange 2007 security outpost.  Thus, it is best to deploy this server in your organization's perimeter network.  For these security reasons, it makes sense to install the Edge role on a stand-alone server in a Workgroup.  This Edge Transport server then communicates with the Hub Server, (which has Active Directory) through the EdgeSync service.

Credit and acknowledgement
Alain Laventure provided the screenshots, the detailed steps and the background for this article on the Edge Transport Server Role.

See more Microsoft Exchange Server 2007 topics:

• Exchange 2007 Home   • SP1   • Migration Advice   • Transition Checklist   •Compatibility   • ExBPA

• Install   • Server Roles   • CAS Role   • Hub Transport  • SMTP Connector  • Exchange CCR   • Edge

• Mailbox Role   • Create Mailbox   • Mailbox Stores   • Recipients   • GAL   • Free Syslog Analyser

Please write in if you see errors of any kind.  Please report any factual mistakes, grammatical errors or broken links, I will be happy to not only to correct the fault, but also to give you credit.

 *