Adding an Edge Transport Server to an Existing Exchange 2003 Organization
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
This topic provides an overview of the message processing services that are performed by the Edge Transport server role and the procedures that are required to add the Edge Transport server role to an existing Microsoft Exchange Server 2003 organization. In Microsoft Exchange Server 2007, the Edge Transport server is an Internet-facing server that performs anti-spam and antivirus processing tasks and applies transport rules to messages in transport between the Internet and the Exchange organization. This server role is deployed in the perimeter network and outside the Active Directory directory service forest.
The Edge Transport server does not depend on any particular messaging or directory configuration. You can add an Edge Transport server to an existing Exchange 2003 organization without upgrading the internal Exchange servers. You don't have to perform any Active Directory preparation steps when you install the Edge Transport server. The Edge Transport server doesn't have access to Active Directory for storage of configuration information. The Edge Transport server uses the Active Directory Application Mode (ADAM) directory service for storage of configuration information. The ADAM schema contains all the object classes and attributes that are required to perform configuration of the Edge Transport server.
Important
The anti-spam features, recipient lookup and safelist aggregation, and the Domain Security feature require that the Edge Transport server is subscribed to the Exchange organization by using the Edge Subscription process and EdgeSync synchronization. If you don't create an Edge Subscription, you can't use those features. To create an Edge Subscription, you must deploy at least one computer that is running an Exchange 2007 Hub Transport server in the Exchange organization, and you must configure Exchange server coexistence. For more information about how Exchange 2007 coexists with earlier versions of Exchange Server, see Planning for Coexistence.
Edge Transport Server Messaging Services
The Edge Transport server can provide the following messaging services to the Exchange organization:
The Edge Transport server can act as a smart host server for the organization. A smart host is a designated server through which an e-mail server routes all outgoing messages. The smart host performs the Domain Name System (DNS) lookup and makes the connection on behalf of an e-mail server. For more information about how to use a smart host to route Internet e-mail in a Microsoft Exchange Server 2003 organization, see Configuring an SMTP Connector.
The Edge Transport server can act as a Simple Mail Transfer Protocol (SMTP) relay server for the organization. An SMTP relay server receives incoming messages on behalf of an organization and relays the messages to internal e-mail servers. For more information about how to use the Edge Transport server as an SMTP relay server for a server that is running Exchange 2003, see Using a Windows SMTP Relay Server in a Perimeter Network.
When messages are received, the Edge Transport server can perform anti-spam and antivirus tasks before it sends the mail to the internal Exchange servers. To perform anti-spam and antivirus tasks, the appropriate agents must be enabled and configured. For more information, see Planning for Anti-Spam and Antivirus Features.
The Edge Transport server can perform address rewriting so that all outgoing messages appear to come from a single SMTP domain. The Edge Transport server uses a mapping of SMTP addresses to rewrite addresses for outgoing mail. When incoming mail is received, the mapping table is used to discover the appropriate mailbox for message delivery. For more information about how to configure address rewriting, see Planning for Address Rewriting.
The Edge Transport server can apply transport rules to messages that are sent to or received from the Internet. You configure transport rules to evaluate the message conditions, such as specific words or text patterns in message fields and headers. Then you can take actions, such as redirecting or quarantining a message, when the conditions are met. For more information about transport rules, see Managing Transport Rules.
Planning to Deploy the Edge Transport Server
Before you deploy the Edge Transport server, you must answer the following planning questions:
How will you position the Edge Transport server within the perimeter network?
How will you administer the Edge Transport server?
How will you configure mail flow?
How will you configure the transport agent settings?
The following sections explain factors that affect each planning decision.
The following figure summarizes the tasks that you must perform to configure an Edge Transport server to support an existing Exchange 2003 or Exchange 2000 Server organization. Each of these tasks is described in the following sections of this topic.
Summary of Configuration Tasks
Adding the Edge Transport Server to the Perimeter Network
Typically, the Edge Transport server is installed as a stand-alone server without any domain membership. A stand-alone server configuration provides an excellent level of isolation and is the most secure implementation. Although the Edge Transport server can be installed on a domain-joined computer, the Edge Transport server will always use ADAM to store recipient and configuration information and will never access Active Directory directly.
When you add the Edge Transport server to the perimeter network, you must consider how the Edge Transport server will interact with other servers in the perimeter network. The following are some topology considerations:
Have you deployed Microsoft Internet Security and Acceleration (ISA) Server 2006 in the perimeter network to handle Internet network traffic? In this scenario, ISA doesn't proxy or modify the SMTP protocol. ISA can be configured to redirect, or tunnel, the SMTP protocol to the Edge Transport server. For more information, see Using ISA Server 2006 with Exchange 2007.
Do you have an existing smart host or SMTP relay in the perimeter network? After the Edge Transport server is deployed, you can load balance traffic between the Edge transport server and the existing server during a test period. Or you can just decommission the existing smart host or SMTP relay.
Do you have an existing anti-spam gateway product deployed in the perimeter network? After the Edge Transport server is deployed, you can decommission the existing gateway product. If you want to maintain both systems for a while, you can configure a Send connector on the Edge Transport server so that it will relay e-mail to the existing system before the e-mail is delivered to the Exchange organization.
To provide smart host and SMTP relay services, you must allow for access through TCP port 25 on both the internal and external firewalls, to and from the Edge Transport server.
Administering the Edge Transport Server
No Exchange-specific administrative groups are configured on an Edge Transport server. Because the Edge Transport server is designed to be deployed as a stand-alone server, the local administrator account is granted full access to the Edge Transport server role. To create user-specific administrative accounts, you can create local user accounts on the Edge Transport server and then add those accounts to the Local Administrators group on that computer.
If you want to perform remote administration of the Edge Transport server, you must enable remote connections to the Edge Transport server by using Microsoft Windows Remote Desktop. You must also configure the internal firewall to allow for access to TCP port 3389. This port is used by the Remote Desktop Protocol (RDP).
Configuring Mail Flow
After the Edge Transport server is deployed, you perform the configuration steps required to enable mail flow between the Edge Transport server and the Internet and between the Edge Transport server and the Exchange 2003 organization. You must perform the following tasks:
Verify the configuration of the DNS mail exchange (MX) records for the SMTP domains for which the Edge Transport server will accept e-mail.
Configure accepted domains on the Edge Transport server. Accepted domains define the SMTP domains for which this server accepts e-mail. An accepted domain can be configured as authoritative, internal relay, or external relay. For more information, see Managing Accepted Domains.
Configure connectors on the Edge Transport server to accept mail from and send mail to the Internet. The following connectors are required:
- Internet Send connector   You must have a Send connector that is configured to route e-mail messages to the Internet. Configure the address space that this connector sends to as all domains. You specify all domains by using an asterisk (*). You can choose to use DNS name resolution to route e-mail or to route all e-mail through a smart host, such as a server hosted by your ISP. This connector is used to send mail to all Internet SMTP domains unless you configure additional connectors for specific domains.
- Internet Receive connector   You must have a Receive connector that is bound to the external IP address of the Edge Transport server and is set to receive traffic on port 25. This connector is used to receive mail from all Internet SMTP domains and should accept anonymous submissions. The default Receive connector on an Edge Transport server is configured to accept e-mail submissions from both the Internet and from the Exchange organization. You don't have to configure a second Receive connector unless you want to separate incoming SMTP traffic or configure different authentication methods for Internet and Exchange organization e-mail.
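The following Exchange Management Shell commands, run on the Edge Transport server, create the two Internet-facing connectors just described. This is an added example, not commands taken from the original topic; the connector names, the external IP address, the FQDN and the ISP smart host name are assumed placeholders.

```powershell
# Added example (not from the original topic): Exchange Management Shell commands
# run on the Edge Transport server to create the two Internet-facing connectors.
# Names, IP addresses, the FQDN and the ISP smart host are assumed placeholders.

# Internet Send connector: the "*" address space covers every remote SMTP domain
# that no more specific Send connector claims.
#   Option A - resolve MX records with DNS and deliver directly to the remote domain.
New-SendConnector -Name "Internet Send" -Usage Internet `
    -AddressSpaces "*" -DNSRoutingEnabled $true `
    -Fqdn "edge01.contoso.com"

#   Option B - hand all outbound mail to an ISP smart host instead of using DNS.
#   Run only one of the two New-SendConnector commands.
# New-SendConnector -Name "Internet Send" -Usage Internet `
#     -AddressSpaces "*" -DNSRoutingEnabled $false `
#     -SmartHosts "smtp.isp.example.net"

# Internet Receive connector: bound to the external interface on port 25 and
# accepting anonymous submissions from any remote address. The default Receive
# connector on the Edge role already does this; create a separate one only when
# you want to split Internet traffic from Exchange organization traffic.
New-ReceiveConnector -Name "Internet Receive" -Usage Internet `
    -Bindings "203.0.113.10:25" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255" `
    -PermissionGroups AnonymousUsers

# Verify: the Send connector must show either DNSRoutingEnabled True or a
# SmartHosts entry, and the Receive connector must list AnonymousUsers.
Get-SendConnector | Format-List Name,AddressSpaces,DNSRoutingEnabled,SmartHosts,Fqdn
Get-ReceiveConnector | Format-List Name,Bindings,RemoteIPRanges,PermissionGroups
```

Keeping the Internet Receive connector limited to anonymous submissions (no Exchange Server or Basic authentication) means a remote system can never authenticate to it and gain relay rights; relay for the organization's own domains comes from the accepted domain list, not from the permission groups on this connector.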
Configure connectors on the Edge Transport server to accept mail from the organization for relay to the Internet and to send mail to the organization that is being relayed from the Internet. The following connectors are required:
- Send connector that is configured to send e-mail to the Exchange organization   The address space for this connector specifies the authoritative and internal relay domains for which this server receives mail. You can configure the address space as "--". The "--" placeholder is used to represent the list of authoritative and internal relay accepted domains, or you can configure a list of SMTP domains. Configure this Send connector to use a smart host for routing e-mail. List one or more Exchange 2003 or Exchange 2000 bridgehead servers as the smart host. If you configure more than one smart host on a Send connector, connections will be load balanced between them.
Note
Exchange 2003 and Exchange 2000 transmit some information, such as the spam confidence level (SCL) for a message, as Exch50 data. To preserve this data when messages are relayed from the Edge Transport server to the Exchange organization, you must modify the discretionary access control list (DACL) on this Send connector to grant the NT Authority\ANONYMOUS LOGON account the ms-Exch-SMTP-Send-Exch50 permission.
Important
We recommend that you configure this Send connector to use Basic authentication plus TLS to authenticate to the legacy Exchange server. If you select an alternative authentication method, such as Externally Secured (for example, with IPsec), you must modify the registry of the Exchange 2003 server to enable it to receive anonymous submission of Exch50 data.
- Receive connector that is bound to the internal IP address of the Edge Transport server and that is set to receive traffic on port 25   The remote IP range from which this connector accepts mail is set to the IP addresses or address range of the Exchange Server 2003 or Exchange 2000 Server bridgehead servers inside the organization. The default Receive connector on an Edge Transport server is configured to accept e-mail submissions from both the Internet and from the Exchange organization. You don't have to configure a second Receive connector unless you want to separate incoming SMTP traffic or configure different authentication methods for Internet and Exchange organization e-mail.
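The organization-facing side (accepted domains, the "--" Send connector with Basic authentication plus TLS, the Exch50 permission from the Note above, and the restricted Receive connector) can be configured with the following Exchange Management Shell commands on the Edge Transport server. This is an added example, not commands taken from the original topic; the accepted domain, the bridgehead server names, the internal IP address and the address range are assumed placeholders.

```powershell
# Added example (not from the original topic): Exchange Management Shell commands
# on the Edge Transport server for the organization-facing connectors. The accepted
# domain, bridgehead names, internal IP address and IP range are assumed placeholders.

# 1. Accepted domains. The "--" address space used below expands to exactly the
#    authoritative and internal relay domains defined here, so define them first.
New-AcceptedDomain -Name "Contoso" -DomainName "contoso.com" -DomainType Authoritative

# 2. Send connector to the Exchange 2003 bridgehead servers. Listing two smart
#    hosts load balances connections between them. BasicAuthRequireTLS is the
#    "Basic authentication plus TLS" method the topic recommends; the credential
#    is an account the Exchange 2003 SMTP virtual server accepts for Basic auth.
$cred = Get-Credential   # prompts for the account used to authenticate to the bridgehead
New-SendConnector -Name "Edge to Exchange Org" -Usage Custom `
    -AddressSpaces "--" -DNSRoutingEnabled $false `
    -SmartHosts "bh01.corp.contoso.com","bh02.corp.contoso.com" `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential $cred

# 3. Preserve Exch50 data (for example the SCL stamped by the anti-spam agents)
#    on the way to the legacy servers: grant ANONYMOUS LOGON the extended right
#    on this Send connector's DACL, as the Note above requires.
Add-ADPermission -Identity "Edge to Exchange Org" `
    -User "NT AUTHORITY\ANONYMOUS LOGON" `
    -ExtendedRights ms-Exch-SMTP-Send-Exch50

# 4. Receive connector bound to the internal interface that accepts connections
#    only from the bridgehead servers' address range. The narrow RemoteIPRanges
#    value is what keeps this anonymous connector from acting as an open relay.
New-ReceiveConnector -Name "Exchange Org Receive" -Usage Custom `
    -Bindings "192.168.10.5:25" `
    -RemoteIPRanges "192.168.20.0/24" `
    -AuthMechanism Tls `
    -PermissionGroups AnonymousUsers

# 5. Check that the address space, smart hosts and the DACL change took effect.
Get-SendConnector "Edge to Exchange Org" |
    Format-List AddressSpaces,SmartHosts,SmartHostAuthMechanism
Get-ADPermission -Identity "Edge to Exchange Org" -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Format-List User,ExtendedRights,Deny
```

If the Get-ADPermission output does not list ms-Exch-SMTP-Send-Exch50 for ANONYMOUS LOGON, messages still flow, but the SCL and other Exch50 properties are dropped at the bridgehead, which silently disables the SCL-based actions configured on the Exchange 2003 side.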
Configure the Edge Transport server to accept all or some incoming SMTP connections to the organization. To configure the Edge Transport server to accept all or some incoming SMTP traffic for the organization, you can modify DNS MX records to direct mail for your SMTP domains to the Edge Transport server. If MX records reference the firewall IP address, configure firewall rules to direct SMTP traffic to the Edge Transport server.
To process mail through the Edge Transport server that is outgoing from the Exchange organization to the Internet, create an SMTP connector on an Exchange 2003 bridgehead server. You configure this SMTP connector to route all mail through a smart host and designate the fully qualified domain name (FQDN) or IP address of the Edge Transport server as the smart host. If you have an existing SMTP connector that is configured to send e-mail to the Internet, you can modify that SMTP connector to revise the smart host information.
For more information about how to configure mail flow, see How to Deploy an Edge Transport Server in an Existing Exchange Server 2003 Organization.
Configuring Transport Agent Settings
By default, all the transport agents are installed and enabled on the Edge Transport server. You can disable the Recipient Filtering agent because it is not available in this scenario. For more information about how to configure anti-spam and antivirus settings, see Managing Anti-Spam and Antivirus Features.
If you have configured anti-spam settings on Exchange 2003, you can use the Exchange 2007 Anti-Spam Migration Tool to migrate the anti-spam settings from Exchange 2003 to the Edge Transport server. The Exchange 2007 Anti-Spam Migration Tool reads the Exchange 2003 anti-spam settings from Active Directory and converts them to an equivalent Windows PowerShell script that consists of Exchange 2007 tasks. You can then run the script on the Edge Transport server role. For more information and to download this tool, see Exchange 2007 Anti-Spam Migration Tool.
For More Information
For more information, see the following topics: