Configure Mail Flow Between an Edge Transport Server and Hub Transport Servers Without Using EdgeSync
Applies to: Exchange Server 2010
We always recommend that you use the Edge Subscription process to establish mail flow between the Exchange organization and a computer that's running Microsoft Exchange Server 2010 that has the Edge Transport server role installed. However, we realize that there are situations where you can't subscribe the Edge Transport server to the Exchange organization by using the Edge Subscription process. To manually establish mail flow between the Exchange organization and an Edge Transport server, you must create and configure the Send connectors and Receive connectors on the Edge Transport server and on the Hub Transport servers in the Exchange organization.
Looking for other tasks related to managing message routing? Check out Managing Message Routing.
Prerequisites
This procedure uses Basic authentication over Transport Layer Security (TLS) to provide encryption and authentication. When you use Basic authentication over TLS, the receiving server must have an X.509 Secure Sockets Layer (SSL) server certificate installed. The fully qualified domain name (FQDN) value configured on the Receive connector must match the FQDN in the SSL server certificate. By default, the value of the FQDN on the Receive connector is the FQDN of the server that contains the Receive connector.
You can also use the Externally Secured authentication method. However, if you do so, the communication between the Edge Transport server and Hub Transport server isn't authenticated or encrypted by Exchange. We recommend that you use the Externally Secured authentication method only when an additional encryption method is used. The encryption method can be an Internet Protocol security (IPsec) association or a virtual private network (VPN).
An Edge Transport server is typically multihomed. This means that the Edge Transport server has network adapters that are connected to multiple network segments. Each of these network adapters has a unique IP configuration. The network adapter that's connected to the external, or public, network segment should be configured to use a public Domain Name System (DNS) server for name resolution. This enables the server to resolve SMTP domain names to MX resource records and route mail to the Internet. The network adapter that's connected to the internal, or private, network segment should be configured to use a DNS server in the perimeter network or should have a Hosts file available.
For more information, see "Configuring DNS settings for the Edge Transport server role" in Planning Roadmap for New Deployments.
You must create a user account in Active Directory and add the account to the Exchange Servers universal security group. This account is used by the Send connector on the Edge Transport server to authenticate to the destination Hub Transport server in the Exchange organization.
Important
This account is granted the permissions that are associated with Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.
Edge Transport Server Procedures
The following connectors are required on the Edge Transport server:
- A Send connector configured to send messages to the Internet
- A Send connector configured to send messages to the Hub Transport servers in the Exchange organization
- A Receive connector configured to receive messages only from Hub Transport servers in the Exchange organization
- A Receive connector configured to accept messages only from the Internet
By default, a single Receive connector is created during the installation of the Edge Transport server role. This connector can be used for both incoming Internet messages and incoming messages from the Hub Transport servers. Typically, the Edge Subscription process automatically configures the correct permissions and authentication on the default Receive connector. When you don't use the Edge Subscription process, we recommend that you modify the default Receive connector on the Edge Transport server to only accept messages from the Internet. You should then create a Receive connector on the Edge Transport server that's configured to only accept messages from internal Hub Transport servers.
The following sections walk you through all the configuration steps required to prepare your Edge Transport server to communicate with your Exchange organization.
Step 1: Create a Send connector configured to send messages to the Internet
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors - Edge Transport" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name To Internet.
- Usage type Internet.
- Address spaces "*" (all domains).
- Network settings Use DNS MX records to route mail automatically. Depending on your network configuration, you can also route mail through a smart host. The smart host then routes mail to the Internet.
Use the EMC to create a Send connector configured to send messages to the Internet
- Open the EMC. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as To Internet.
- In the Select the intended use for this connector field, select Internet.
- Click Next.
- On the Address space page, click Add. In the SMTP Address Space dialog box, enter *, and then click OK.
- Click Next.
- On the Network settings page, select Use domain name system (DNS) "MX" records to route mail automatically, and then click Next.
- On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
- On the Completion page, review the following, and then click Finish to close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Use the Shell to create a Send connector configured to send messages to the Internet
You use the New-SendConnector cmdlet to create a Send connector.
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For detailed syntax and parameter information, see New-SendConnector.
Step 2: Create a Send connector configured to send messages to the Exchange organization
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors - Edge Transport" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name To Internal Org
- Usage type Internal
- DNS Routing disabled (smart host routing enabled)
- Address spaces All accepted domains for the Exchange organization
- Network settings Fully qualified domain name (FQDN) of one or more Hub Transport servers as smart hosts, and smart host authentication setting configured to Basic authentication over TLS
- Smart host authentication mechanism Basic authentication and Basic authentication requiring TLS
Use the EMC to create the Send connector configured to send messages to the Exchange organization
- Open the EMC. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as To Internal Org.
- In the Select the intended use for this connector field, select Internal.
- On the Address space page, follow these steps:
- Click Add.
- In the SMTP Address Space dialog box, enter the accepted domains for the Exchange organization. You may select the Include all subdomains check box to use this connector to send e-mail to all subdomains of the address space. When you're finished, click OK.
To add more address spaces to this connector, click Add, repeat this step, and then click OK.
- When you're finished, click Next.
- On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and then click Add.
- In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Hub Transport server. The Edge Transport server must be able to resolve the specified FQDN of the destination Hub Transport server. When you're finished, click OK.
To add more Hub Transport servers as smart hosts, click Add and repeat this step.
- When you're finished, click Next.
- On the Configure smart host authentication settings page, select Basic Authentication and Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account in the internal domain. Use the domain\user format or user principal name (UPN) format to enter the user name and provide the user's password. Click Next.
- On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
- On the Completion page, review the following, and then click Finish to close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Use the Shell to create the Send connector configured to send messages to the Exchange organization
You use the New-SendConnector cmdlet to create a Send connector.
Note
Before you create the Send connector, you first need to run the Get-Credential command to save the user name and password you will use in a temporary variable. You need to do this because the New-SendConnector cmdlet doesn't accept the user credentials in plain text.
$HubCredentials = Get-Credential
New-SendConnector -Name "To Internal Org" -Usage Internal -AddressSpaces *.contoso.com -DNSRoutingEnabled $false -SmartHosts Hub01.contoso.com,Hub02.contoso.com -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $HubCredentials
For detailed syntax and parameter information, see New-SendConnector.
Step 3: Modify the default Receive connector to only accept messages from the Internet
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors - Edge Transport" entry in the Transport Permissions topic.
You should make the following configuration changes to the default Receive connector:
- Modify the name to reflect that the connector will be used solely to receive e-mail from the Internet
- Change the network bindings to accept messages only from the network adapter that is accessible from the Internet
Use the EMC to modify the default Receive connector to only accept messages from the Internet
- Open the EMC. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
- In the work pane, select the Receive connector to modify. The default Receive connector is named Default internal Receive connector Servername.
- Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
- Click the General tab to modify the name of the connector and give it a specific name to signify that it will be used only for receiving messages from the Internet.
- Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit. In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the Internet-facing network adapter. Click OK.
- Click OK to save your changes and exit the Properties page.
Use the Shell to modify the default Receive connector to only accept messages from the Internet
You use the Set-ReceiveConnector cmdlet to modify the properties of the default Receive connector.
Set-ReceiveConnector "Default internal Receive connector Edge01" -Name "From Internet" -Bindings 10.1.1.1:25
For detailed syntax and parameter information, see Set-ReceiveConnector.
Step 4: Create a Receive connector configured to only accept messages from the Exchange organization
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors - Edge Transport" entry in the Transport Permissions topic.
This Receive connector requires the following configuration:
- Name From Internal Org
- Usage type Internal
- Local network bindings Internal network-facing network adapter
- Remote network settings IP address of one or more Hub Transport servers in the Exchange organization
- Authentication method Basic authentication over TLS
Use the EMC to create a Receive connector configured to only accept messages from the Exchange organization
- Open the EMC. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
- In the action pane, click New Receive Connector. The New Receive Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as From Internal Org.
- In the Select the intended use for this connector field, select Internal.
- On the Remote network settings page, follow these steps:
- Select the default IP address range entry 0.0.0.0 - 255.255.255.255, and then click .
- Click Add or the drop-down arrow located next to Add and type the IP address or IP address range of the internal Hub Transport server or servers. When you're finished, click OK.
To add multiple destination Hub Transport servers to this connector, click Add and repeat this step. Each Hub Transport server that you define in this step must also be listed as a source server in the corresponding Send connectors that are configured on the Hub Transport servers.
- When you're finished, click Next.
- On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.
- On the Completion page, review the following, and then click Finish to close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
- In the work pane, select the Receive connector that you created.
- Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
- Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit. In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the internal organization-facing network adapter. Click OK.
- Click the Authentication tab. Select Basic Authentication and Offer Basic authentication only after starting TLS.
- Click OK to save your changes and exit the Properties page.
Use the Shell to create a Receive connector configured to only accept messages from the Exchange organization
You use the New-ReceiveConnector cmdlet to create a Receive connector.
This example creates a Receive connector configured to accept messages from the Exchange organization.
New-ReceiveConnector -Name "From Internal Org" -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings 10.1.1.1:25 -RemoteIPRanges 192.168.5.10,192.168.5.20
For detailed syntax and parameter information, see New-ReceiveConnector.
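As an added check (not part of the original article), the following script, run in the Exchange Management Shell on the Edge Transport server after Steps 1 through 4, verifies the points the prerequisites and these steps depend on: the internal Receive connector offers Basic authentication only after TLS, its remote IP ranges are limited to the Hub Transport servers, its FQDN appears on a certificate enabled for SMTP, and the Send connector to the organization routes through smart hosts with Basic authentication over TLS. The connector names and Hub IP addresses are the ones used in this article's examples; adjust them for your deployment.

```powershell
# Added verification script; not part of the original article. Run it in the
# Exchange Management Shell on the Edge Transport server after Steps 1 through 4.
# Names and addresses below are the ones used in this article's examples.
$internalReceive = "From Internal Org"
$internalSend    = "To Internal Org"
$hubAddresses    = @("192.168.5.10", "192.168.5.20")   # Hub servers from Step 4
$problems = @()

# 1. Receive connector: Basic auth only after TLS, remote ranges limited to the Hubs.
$rc = Get-ReceiveConnector -Identity $internalReceive
if ("$($rc.AuthMechanism)" -notmatch "BasicAuthRequireTLS") {
    $problems += "$internalReceive does not require TLS before Basic authentication"
}
$ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
if ($ranges -contains "0.0.0.0-255.255.255.255") {
    $problems += "$internalReceive still has the default any-address remote IP range"
}
foreach ($ip in $hubAddresses) {
    if ($ranges -notcontains $ip) {
        $problems += "$internalReceive does not list Hub Transport server $ip"
    }
}

# 2. Certificate: the connector FQDN must appear on a certificate enabled for SMTP,
#    or STARTTLS from the Hub servers fails. Wildcard names are not matched here.
$fqdn = $rc.Fqdn.ToString()
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "SMTP" } |
    Where-Object { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn } |
    Select-Object -First 1
if (-not $cert) {
    $problems += "No SMTP-enabled certificate lists the Receive connector FQDN $fqdn"
} elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Certificate for $fqdn expires on $($cert.NotAfter)"
}

# 3. Send connector to the organization: smart hosts, Basic auth only with TLS.
$sc = Get-SendConnector -Identity $internalSend
if ($sc.DNSRoutingEnabled) {
    $problems += "$internalSend uses DNS routing instead of the Hub smart hosts"
}
if ("$($sc.SmartHostAuthMechanism)" -notmatch "BasicAuthRequireTLS") {
    $problems += "$internalSend does not require TLS for Basic authentication"
}

if ($problems.Count -eq 0) {
    "Edge Transport connectors match the configuration described in this article."
} else {
    $problems | ForEach-Object { "WARNING: $_" }
}
```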
Hub Transport Server Procedures
The following connector is required for the Hub Transport servers in your organization:
- A Send connector that's configured to send messages to the Edge Transport server in the perimeter network for relay to the Internet
By default, two Receive connectors are created during the installation of the Hub Transport server role. The connector named Client ServerName is configured to accept messages from all POP3 and IMAP messaging clients. The connector named Default ServerName is configured to accept messages from an Edge Transport server. No modifications to these connectors are required.
Create a Send connector configured to send outgoing messages to the Edge Transport server
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name To Edge
- Usage type Internal
- Address spaces *
- Network settings IP address or FQDN of the Edge Transport server as a smart host, and smart host authentication setting configured to Basic Authentication over TLS
Use the EMC to create a Send connector configured to send outgoing messages to the Edge Transport server
- Open the EMC. In the console tree, expand Organization Configuration, select Hub Transport, and then in the work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as To Edge.
- In the Select the intended use for this connector field, select Internal.
- On the Address space page, click Add. In the SMTP Address Space dialog box, enter * in the Address field, and then click OK.
When you're finished, click Next.
- On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and then click Add.
- In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Edge Transport server. The Hub Transport server must be able to resolve the specified FQDN of the destination Edge Transport server. Click OK.
- When you're finished, click Next.
- On the Configure smart host authentication settings page, select Basic Authentication and Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account on the destination Edge Transport server. Click Next.
- By default, the Source Server page lists the Hub Transport server on which you're performing this procedure. If you want to add more Hub Transport servers for fault tolerance, those Hub Transport servers must be configured as sources on the corresponding Receive connector on the Edge Transport server. To add more source servers, click Add. In the Select Hub Transport servers and Edge Subscriptions dialog box, select the Hub Transport servers that will be used as the source servers for sending messages to the Edge Transport server that you provided in step 6. When you're finished adding additional source servers, click OK.
To add more source servers, click Add and repeat this step.
When you're finished, click Next.
- On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
- On the Completion page, review the following, and then click Finish to close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
Use the Shell to create a Send connector configured to send outgoing messages to the Edge Transport server
You use the New-SendConnector cmdlet to create a Send connector.
The following example creates a new Send connector with the following settings:
- Usage type: Internal
- Address space: *
- DNS Routing: disabled (smart host routing enabled)
- Smart hosts: edge01.contoso.com
- Source Transport servers: hub01.contoso.com, hub02.contoso.com
- Smart host authentication mechanism: Basic authentication, Basic authentication requiring TLS
Note
Before you create the Send connector, you first need to run the Get-Credential command to save the user name and password you will use in a temporary variable. You need to do this because the New-SendConnector cmdlet doesn't accept the user credentials in plain text.
$EdgeCredentials = Get-Credential
New-SendConnector -Name "To Edge" -Usage Internal -AddressSpaces * -DNSRoutingEnabled $false -SmartHosts edge01.contoso.com -SourceTransportServers hub01.contoso.com,hub02.contoso.com -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $EdgeCredentials
For detailed syntax and parameter information, see New-SendConnector.
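As an added check (not part of the original article), the following script, run in the Exchange Management Shell on a Hub Transport server after the To Edge Send connector exists, confirms that the connector routes through the Edge smart host with Basic authentication over TLS, that the default Receive connector on each source server still accepts Basic authentication over TLS from Exchange servers, and lists the IPv4 addresses of the source servers, every one of which must be in the remote IP ranges of the Edge server's From Internal Org Receive connector as required in Step 4. The connector name To Edge is the one used in this article's example.

```powershell
# Added verification script; not part of the original article. Run it in the
# Exchange Management Shell on a Hub Transport server after creating "To Edge".
$sc = Get-SendConnector -Identity "To Edge"
$problems = @()

if ($sc.DNSRoutingEnabled) {
    $problems += "To Edge uses DNS routing; it must route through the Edge Transport smart host"
}
if ("$($sc.SmartHostAuthMechanism)" -notmatch "BasicAuthRequireTLS") {
    $problems += "To Edge offers Basic authentication without requiring TLS"
}

# Resolve each source server to the IPv4 addresses the Edge Receive connector must allow.
$sourceAddresses = @()
foreach ($src in $sc.SourceTransportServers) {
    $server = Get-ExchangeServer -Identity $src.Name
    $ips = [System.Net.Dns]::GetHostAddresses($server.Fqdn.ToString()) |
        Where-Object { $_.AddressFamily -eq "InterNetwork" } |
        ForEach-Object { $_.IPAddressToString }
    if (-not $ips) { $problems += "Could not resolve source server $($server.Fqdn)" }
    $sourceAddresses += $ips

    # The article says the Hub's default Receive connector needs no changes; flag any
    # drift that would stop the Edge server's Basic auth logon as an Exchange server.
    $default = Get-ReceiveConnector -Server $src.Name |
        Where-Object { $_.Name -like "Default *" } | Select-Object -First 1
    if (-not $default -or "$($default.AuthMechanism)" -notmatch "BasicAuthRequireTLS" -or
        "$($default.PermissionGroups)" -notmatch "ExchangeServers") {
        $problems += "Default Receive connector on $($src.Name) no longer accepts Basic auth over TLS from Exchange servers"
    }
}

"Source server addresses that must be in RemoteIPRanges on the Edge 'From Internal Org' connector:"
$sourceAddresses | Sort-Object -Unique
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { "WARNING: $_" }
} else {
    "To Edge Send connector matches the configuration described in this article."
}
```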