Configuring Exchange 2016 Edge Transport Server
We have been looking at the different architectures of Exchange Server and implementing them in our environment. One of the major components of the Exchange architecture is the Edge server. There are several W-questions about the Edge server: WHAT, WHY and HOW. So in this post I am sharing my knowledge and experience of the Edge server, as well as how to configure an Exchange 2016 Edge Transport Server.
WHAT is the Exchange Edge Transport server?
Basically, the Exchange Edge Transport server sits in the DMZ network and relays email from the external world (the Internet) to our Exchange servers. During transport it also checks and filters messages for spam.
Below is the basic concept of the Exchange Edge Transport architecture, which sits between the firewalls.
WHY Exchange Edge Transport Server?
Edge Transport servers handle all inbound and outbound Internet mail flow by providing mail relay and smart host services for your Exchange organization. Agents running on the Edge Transport server provide additional layers of message protection and security: they protect against spam and apply transport rules to control mail flow. All of these features work together to minimize the exposure of your internal Exchange servers to threats on the Internet. Note, however, that an Edge Transport server is not mandatory in every architecture.
How to configure Exchange Edge Transport Server?
You can install one or more Edge Transport servers in the perimeter network. Deploying more than one Edge Transport server provides redundancy and failover capabilities for your inbound message flow. You can load balance the SMTP traffic to your organization among Edge Transport servers by defining more than one MX record with the same priority value for your mail domain. You can achieve consistency in the configuration among multiple Edge Transport servers by using cloned configuration scripts.
Configuring Exchange Edge Transport roles
Now, let’s start with the configuration of the Exchange Edge transport server.
To configure the Exchange Edge Transport server, we first need to know its prerequisites. As of today it is recommended not to install the Exchange 2016 Edge server on Windows Server 2016 because of a conflict between Windows Server 2016 and the Exchange Transport role filtering. For details here is the link.
Component | Requirement
Mailbox and Edge Transport server roles |

* It is recommended not to install the Exchange Edge Transport role on Windows Server 2016.
The Edge server always requires two NICs: one facing the external Internet and another facing the internal intranet.
After installing and configuring the OS and the NICs, it's time to prepare the OS for the Exchange Edge Transport installation.
We don't join this server to the domain, but we need to make sure it knows the domain controller and can communicate with it. To achieve that, configure the server as shown in the snapshot below.
Afterward, add an A record for the Edge server in your domain DNS.
Once this is done, it's time to install the prerequisites. You need to install AD LDS, so open PowerShell and run the cmdlet below.
Install-WindowsFeature ADLDS
After you've installed the operating system roles and features, install .NET Framework 4.7.1.
Now it's time to install the Exchange Edge Transport role. During installation, when selecting the server role, select ‘Edge Transport Role’ and click ‘Next’ to continue the installation.
Once the installation on the Exchange Edge Transport server is complete, it's time to configure the Edge Subscription. To create the subscription, run this command in the EMS on the Edge server.
New-EdgeSubscription -fileName C:\edgesubscription.xml
Check your C: drive; you will find the ‘.xml’ file there. Copy it to the Exchange Mailbox server and run this cmdlet there to synchronize your Edge with the Mailbox server (adjust the -Path to wherever you saved the file).
New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeServerSubscription.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name"
Now you can see the Edge server reflected in the ECP portal, and the send connectors have been updated.
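As an added example (not part of the original post), here is a script for the EMS on the Mailbox server that performs the subscription step above and then verifies that EdgeSync actually works and that the subscription file is cleaned up. The Edge hostname EDGE01 is a placeholder; the file path and site name are the ones used above.

```powershell
# Added example, run in the Exchange Management Shell on the Mailbox server
# after the subscription file has been copied over from the Edge.
# Assumptions: the Edge is reachable as EDGE01 (placeholder), the file sits at
# C:\EdgeServerSubscription.xml, and the AD site is Default-First-Site-Name.
$EdgeHost         = 'EDGE01'
$SubscriptionFile = 'C:\EdgeServerSubscription.xml'
$Site             = 'Default-First-Site-Name'

# 1. EdgeSync only needs two TCP ports from the internal network into the DMZ:
#    25 (SMTP) and 50636 (secure LDAP used by EdgeSync). Fail early if either is blocked,
#    and open nothing else on the internal firewall.
foreach ($port in 25, 50636) {
    $probe = Test-NetConnection -ComputerName $EdgeHost -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP $port to $EdgeHost is blocked; fix the internal firewall before subscribing."
    }
}

# 2. Import the subscription (same cmdlet as in the post, file read as raw bytes).
$bytes = [byte[]](Get-Content -Path $SubscriptionFile -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $bytes -Site $Site `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# 3. Push the first replication instead of waiting for the EdgeSync timer.
Start-EdgeSynchronization -TargetServer $EdgeHost -ForceFullSync

# 4. Verify: every subscribed Edge must report SyncStatus 'Normal'.
$status = Test-EdgeSynchronization -FullCompareMode
$status | Format-Table Name, SyncStatus, LastSynchronizedUtc, UtcNow -AutoSize
$bad = $status | Where-Object { $_.SyncStatus -ne 'Normal' }
if ($bad) { throw "EdgeSync is not healthy on: $($bad.Name -join ', ')" }

# 5. Confirm the two EdgeSync send connectors were created and which servers own them.
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync -*' } |
    Format-Table Name, AddressSpaces, SourceTransportServers, Enabled -AutoSize

# 6. The subscription file carries the bootstrap credentials for the Edge's AD LDS
#    instance, so remove the copy on this server once the import has succeeded.
Remove-Item -Path $SubscriptionFile -Force
```

Delete the original copy on the Edge server as well; only the imported subscription in Active Directory is needed from now on.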
Hope this will help you to configure your Edge server.
Great article and structure of the post! Congrats…
thanks
How is this secure? It’s in the DMZ, but then you add a second NIC and attach it to your internal LAN? What am I missing?
Hi ConfusedAndBewildered,
DMZ means that at both ends we have a firewall before entering our core network. On Exchange Edge, it is the front-facing server for SMTP and SMTPS; if something goes wrong it sacrifices itself and protects the mailbox servers.
Thanks for this unique content. But my question is about the NIC IP from the Edge to the firewall connected to the Internet: is it a public IP or an IP from the DMZ network?