Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
We always recommend that you use the Edge Subscription process to establish mail flow between the Exchange organization and a computer that's running Microsoft Exchange Server 2010 that has the Edge Transport server role installed. However, we realize that there are situations where you can't subscribe the Edge Transport server to the Exchange organization by using the Edge Subscription process. To manually establish mail flow between the Exchange organization and an Edge Transport server, you must create and configure the Send connectors and Receive connectors on the Edge Transport server and on the Hub Transport servers in the Exchange organization.
Looking for other tasks related to managing message routing? Check out Managing Message Routing.
Prerequisites
- This procedure uses Basic authentication over Transport Layer
Security (TLS) to provide encryption and authentication. When you
use Basic authentication over TLS, the receiving server must have
an X.509 Secure Sockets Layer (SSL) server certificate installed.
The fully qualified domain name (FQDN) value configured on the
Receive connector must match the FQDN in the SSL server
certificate. By default, the value of the FQDN on the Receive
connector is the FQDN of the server that contains the Receive
connector.
- You can also use the Externally Secured authentication method.
However, if you do so, the communication between the Edge Transport
server and Hub Transport server isn't authenticated or encrypted by
Exchange. We recommend that you use the Externally Secured
authentication method only when an additional encryption method is
used. The encryption method can be an Internet Protocol security
(IPsec) association or a virtual private network (VPN).
- An Edge Transport server is typically multihomed. This
means that the Edge Transport server has network adapters that are
connected to multiple network segments. Each of these network
adapters has a unique IP configuration. The network adapter that's
connected to the external, or public, network segment should be
configured to use a public Domain Name System (DNS) server for name
resolution. This enables the server to resolve SMTP domain names to
MX resource records and route mail to the Internet. The network
adapter that's connected to the internal, or private, network
segment should be configured to use a DNS server in the perimeter
network or should have a Hosts file available.
For more information, see "Configuring DNS settings for the Edge Transport server role" in Planning Roadmap for New Deployments.
- You must create a user account in Active Directory and add the
account to the Exchange Servers universal security group. This
account is used by the Send connector on the Edge Transport server
to authenticate to the destination Hub Transport server in the
Exchange organization.
Important: This account is granted the permissions that are associated with Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account. You can configure the account to allow logon to specific computers only.
Edge Transport Server Procedures
The following connectors are required on the Edge Transport server:
- A Send connector configured to send messages to the
Internet
- A Send connector configured to send messages to the Hub
Transport servers in the Exchange organization
- A Receive connector configured to receive messages only from
Hub Transport servers in the Exchange organization
- A Receive connector configured to accept messages only from the
Internet
By default, a single Receive connector is created during the installation of the Edge Transport server role. This connector can be used for both incoming Internet messages and incoming messages from the Hub Transport servers. Typically, the Edge Subscription process automatically configures the correct permissions and authentication on the default Receive connector. When you don't use the Edge Subscription process, we recommend that you modify the default Receive connector on the Edge Transport server to only accept messages from the Internet. You should then create a Receive connector on the Edge Transport server that's configured to only accept messages from internal Hub Transport servers.
The following sections walk you through all the configuration steps required to prepare your Edge Transport server to communicate with your Exchange organization.
Step 1: Create a Send connector configured to send messages to the Internet
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors - Edge Transport" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name: To Internet
- Usage type: Internet
- Address spaces: "*" (all domains)
- Network settings: Use DNS MX records to route mail automatically. Depending on your network configuration, you can also route mail through a smart host. The smart host then routes mail to the Internet.
Use the EMC to create a Send connector configured to send messages to the Internet
- Open the EMC. Select Edge Transport, and then in the
work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New
Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this
connector, such as To Internet.
- In the Select the intended use for this connector field,
select Internet.
- Click Next.
- On the Address space page, click Add. In the
SMTP Address Space dialog box, enter *, and then click
OK.
- Click Next.
- On the Network settings page, select Use domain name
system (DNS) "MX" records to route mail automatically, and then
click Next.
- On the New connector page, review the configuration
summary for the connector. If you want to modify the settings,
click Back. To create the Send connector by using the
settings in the configuration summary, click New.
- On the Completion page, review the following, and then
click Finish to close the wizard:
- A status of Completed indicates that the wizard
completed the task successfully.
- A status of Failed indicates that the task wasn't
completed. If the task fails, review the summary for an
explanation, and then click Back to make any configuration
changes.
Use the Shell to create a Send connector configured to send messages to the Internet
You use the New-SendConnector cmdlet to create a Send connector.
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For detailed syntax and parameter information, see New-SendConnector.
Step 2: Create a Send connector configured to send messages to the Exchange organization
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors - Edge Transport" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name: To Internal Org
- Usage type: Internal
- DNS routing: disabled (smart host routing enabled)
- Address spaces: All accepted domains for the Exchange organization
- Network settings: Fully qualified domain name (FQDN) of one or more Hub Transport servers as smart hosts, and smart host authentication setting configured to Basic authentication over TLS
- Smart host authentication mechanism: Basic authentication and Basic authentication requiring TLS
Use the EMC to create the Send connector configured to send messages to the Exchange organization
- Open the EMC. Select Edge Transport, and then in the
work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New
Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this
connector, such as To Internal Org.
- In the Select the intended use for this connector field,
select Internal.
- On the Address space page, follow these steps:
- Click Add.
- In the SMTP Address Space dialog box, enter the accepted
domains for the Exchange organization. You may select the
Include all subdomains check box to use this connector to
send e-mail to all subdomains of the address space. When you're
finished, click OK.
To add more address spaces to this connector, click Add, repeat this step, and then click OK.
- When you're finished, click Next.
- On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and
then click Add.
- In the Add Smart Host dialog box, select Fully
qualified domain name (FQDN), and enter the FQDN of the
destination Hub Transport server. The Edge Transport server must be
able to resolve the specified FQDN of the destination Hub Transport
server. When you're finished, click OK.
To add more Hub Transport servers as smart hosts, click Add and repeat this step.
- When you're finished, click Next.
- On the Configure smart host authentication settings
page, select Basic Authentication and Basic Authentication over
TLS. In the Username and Password fields, enter
the credentials for the user account in the internal domain. Use
the domain\user format or user principal name (UPN) format
to enter the user name and provide the user's password. Click
Next.
- On the New connector page, review the configuration
summary for the connector. If you want to modify the settings,
click Back. To create the Send connector by using the
settings in the configuration summary, click New.
- On the Completion page, review the following, and then
click Finish to close the wizard:
- A status of Completed indicates that the wizard
completed the task successfully.
- A status of Failed indicates that the task wasn't
completed. If the task fails, review the summary for an
explanation, and then click Back to make any configuration
changes.
Use the Shell to create the Send connector configured to send messages to the Exchange organization
You use the New-SendConnector cmdlet to create a Send connector.
Note: Before you create the Send connector, you first need to run the Get-Credential command to save the user name and password you will use in a temporary variable. You need to do this because the New-SendConnector cmdlet doesn't accept the user credentials in plain text.
$HubCredentials = Get-Credential
New-SendConnector -Name "To Internal Org" -Usage Internal -AddressSpaces *.contoso.com -DNSRoutingEnabled $false -SmartHosts Hub01.contoso.com,Hub02.contoso.com -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $HubCredentials
For detailed syntax and parameter information, see New-SendConnector.
Step 3: Modify the default Receive connector to only accept messages from the Internet
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors - Edge Transport" entry in the Transport Permissions topic.
You should make the following configuration changes to the default Receive connector:
- Modify the name to reflect that the connector will be used
solely to receive e-mail from the Internet
- Change the network bindings to accept messages only from the
network adapter that is accessible from the Internet
Use the EMC to modify the default Receive connector to only accept messages from the Internet
- Open the EMC. Select Edge Transport, and then in the
work pane, click the Receive Connectors tab.
- In the work pane, select the Receive connector to modify. The
default Receive connector is named Default internal Receive
connector Servername.
- Under the name of the Receive connector in the action pane,
click Properties to open the Properties page.
- Click the General tab to modify the name of the
connector and give it a specific name to signify that it will be
used only for receiving messages from the Internet.
- Click the Network tab. Under Use these local IP
addresses to Receive mail, click Edit. In the Edit
Receive Connector Binding dialog box, select Specify an IP
address, and then enter the IP address of the Internet-facing
network adapter. Click OK.
- Click OK to save your changes and exit the
Properties page.
Use the Shell to modify the default Receive connector to only accept messages from the Internet
You use the Set-ReceiveConnector cmdlet to modify the properties of the default Receive connector.
Set-ReceiveConnector "Default internal Receive connector Edge01" -Name "From Internet" -Bindings 10.1.1.1:25
For detailed syntax and parameter information, see Set-ReceiveConnector.
Step 4: Create a Receive connector configured to only accept messages from the Exchange organization
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors - Edge Transport" entry in the Transport Permissions topic.
This Receive connector requires the following configuration:
- Name: From Internal Org
- Usage type: Internal
- Local network bindings: Internal network-facing network adapter
- Remote network settings: IP address of one or more Hub Transport servers in the Exchange organization
- Authentication method: Basic authentication over TLS
Use the EMC to create a Receive connector configured to only accept messages from the Exchange organization
- Open the EMC. Select Edge Transport, and then in the
work pane, click the Receive Connectors tab.
- In the action pane, click New Receive Connector. The New
Receive Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this
connector, such as From Internal Org.
- In the Select the intended use for this connector field,
select Internal.
- On the Remote network settings page, follow these
steps:
- Select the default IP address range entry 0.0.0.0 -
255.255.255.255, and then click the delete icon to remove it.
- Click Add or the drop-down arrow located next to
Add and type the IP address or IP address range of the
internal Hub Transport server or servers. When you're finished,
click OK.
To add multiple destination Hub Transport servers to this connector, click Add and repeat this step. Each Hub Transport server that you define in this step must also be listed as a source server in the corresponding Send connectors that are configured on the Hub Transport servers.
- When you're finished, click Next.
- On the New Connector page, review the configuration
summary for the connector. If you want to modify the settings,
click Back. To create the Receive connector by using the
settings in the configuration summary, click New.
- On the Completion page, review the following, and then
click Finish to close the wizard:
- A status of Completed indicates that the wizard
completed the task successfully.
- A status of Failed indicates that the task wasn't
completed. If the task fails, review the summary for an
explanation, and then click Back to make any configuration
changes.
- In the work pane, select the Receive connector that you
created.
- Under the name of the Receive connector in the action pane,
click Properties to open the Properties page.
- Click the Network tab. Under Use these local IP
addresses to Receive mail, click Edit. In the Edit
Receive Connector Binding dialog box, select Specify an IP
address, and then enter the IP address of the internal
organization-facing network adapter. Click OK.
- Click the Authentication tab. Select Basic
Authentication and Offer Basic authentication only after
starting TLS.
- Click OK to save your changes and exit the
Properties page.
Use the Shell to create a Receive connector configured to only accept messages from the Exchange organization
You use the New-ReceiveConnector cmdlet to create a Receive connector.
This example creates a Receive connector configured to accept messages from the Exchange organization.
New-ReceiveConnector -Name "From Internal Org" -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings 10.1.1.1:25 -RemoteIPRanges 192.168.5.10,192.168.5.20
For detailed syntax and parameter information, see New-ReceiveConnector.
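The following script is an added example, not part of the original topic, that verifies the Edge Transport configuration produced by Steps 1 through 4 against the prerequisites above: that the FQDN of the internal Receive connector is covered by a valid SMTP certificate, that Basic authentication is offered only after TLS, that the default 0.0.0.0-255.255.255.255 remote range was removed, that the Internet-facing connector is bound to a specific adapter, and that every smart host on the "To Internal Org" Send connector resolves to an address the "From Internal Org" Receive connector accepts (the cross-check Step 4 calls out). It assumes the connector names used in this topic and is run in the Exchange Management Shell on the Edge Transport server.

```powershell
# Added example: post-configuration check for the Edge Transport connectors in Steps 1-4.
# Run in the Exchange Management Shell on the Edge Transport server.
# Connector names default to the ones used in this topic (assumption; override as needed).
param(
    [string]$InternalReceive = "From Internal Org",
    [string]$InternetReceive = "From Internet",
    [string]$InternalSend    = "To Internal Org"
)

$problems = @()

# Convert an IPv4 address to an unsigned integer so range bounds can be compared.
function ConvertTo-UInt32([System.Net.IPAddress]$ip) {
    $b = $ip.GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

# True if $ip falls inside any entry of a Receive connector's RemoteIPRanges (IPv4 only).
function Test-RemoteRangeContains($ranges, [System.Net.IPAddress]$ip) {
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $n = ConvertTo-UInt32 $ip
    foreach ($r in $ranges) {
        $lo = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse("$($r.LowerBound)"))
        $hi = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse("$($r.UpperBound)"))
        if ($n -ge $lo -and $n -le $hi) { return $true }
    }
    return $false
}

$rcInt = Get-ReceiveConnector $InternalReceive
$rcNet = Get-ReceiveConnector $InternetReceive
$scInt = Get-SendConnector $InternalSend

# Prerequisite: the Receive connector FQDN must match an unexpired certificate enabled for SMTP.
$smtpCerts = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "SMTP" -and $_.NotAfter -gt (Get-Date) }
$fqdnOk = $smtpCerts |
    Where-Object { @($_.CertificateDomains | ForEach-Object { "$_" }) -contains "$($rcInt.Fqdn)" }
if (-not $fqdnOk) { $problems += "No valid SMTP certificate covers FQDN '$($rcInt.Fqdn)' on '$InternalReceive'" }

# Basic authentication must only be offered after TLS on the internal Receive connector.
if ("$($rcInt.AuthMechanism)" -notmatch "BasicAuthRequireTLS") {
    $problems += "'$InternalReceive' does not require TLS before Basic authentication"
}

# The default any-address remote range from the wizard must have been removed.
if ($rcInt.RemoteIPRanges | Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" }) {
    $problems += "'$InternalReceive' still accepts mail from 0.0.0.0-255.255.255.255"
}

# The Internet-facing connector must be bound to the external adapter, not all addresses.
if ($rcNet.Bindings | Where-Object { "$($_.Address)" -eq "0.0.0.0" }) {
    $problems += "'$InternetReceive' is bound to all local IP addresses"
}

# The Send connector to the organization must use smart hosts with Basic auth over TLS,
# and each smart host must resolve to an address the internal Receive connector accepts.
if ($scInt.DNSRoutingEnabled) { $problems += "'$InternalSend' still has DNS routing enabled" }
if ("$($scInt.SmartHostAuthMechanism)" -notmatch "BasicAuthRequireTLS") {
    $problems += "'$InternalSend' does not require TLS for Basic authentication"
}
foreach ($sh in $scInt.SmartHosts) {
    $name = "$sh".Trim('[', ']')   # IP-address smart hosts display in brackets
    try { $addrs = [System.Net.Dns]::GetHostAddresses($name) }
    catch { $problems += "Smart host '$name' does not resolve from this Edge server"; continue }
    foreach ($a in $addrs) {
        if (-not (Test-RemoteRangeContains $rcInt.RemoteIPRanges $a)) {
            $problems += "Smart host '$name' ($a) is not in RemoteIPRanges of '$InternalReceive'"
        }
    }
}

if ($problems.Count -eq 0) { "All Edge connector checks passed." }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```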
Hub Transport Server Procedures
The following connector is required for the Hub Transport servers in your organization:
- A Send connector that's configured to send messages to the Edge
Transport server in the perimeter network for relay to the
Internet
By default, two Receive connectors are created during the installation of the Hub Transport server role. The connector named Client ServerName is configured to accept messages from all POP3 and IMAP messaging clients. The connector named Default ServerName is configured to accept messages from an Edge Transport server. No modifications to these connectors are required.
Create a Send connector configured to send outgoing messages to the Edge Transport server
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Send connectors" entry in the Transport Permissions topic.
This Send connector requires the following configuration:
- Name: To Edge
- Usage type: Internal
- Address spaces: *
- Network settings: IP address or FQDN of the Edge Transport server as a smart host, and smart host authentication setting configured to Basic Authentication over TLS
Use the EMC to create a Send connector configured to send outgoing messages to the Edge Transport server
- Open the EMC. In the console tree, expand Organization
Configuration, select Hub Transport, and then in the
work pane, click the Send Connectors tab.
- In the action pane, click New Send Connector. The New
Send Connector wizard starts.
- On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this
connector, such as To Edge.
- In the Select the intended use for this connector field,
select Internal.
- On the Address space page, click Add. In the
SMTP Address Space dialog box, enter * in the Address
field, and then click OK.
When you're finished, click Next.
- On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and
then click Add.
- In the Add Smart Host dialog box, select Fully
qualified domain name (FQDN), and enter the FQDN of the
destination Edge Transport server. The Hub Transport server must be
able to resolve the specified FQDN of the destination Edge
Transport server. Click OK.
- When you're finished, click Next.
- On the Configure smart host authentication settings
page, select Basic Authentication and Basic Authentication over
TLS. In the Username and Password fields, enter
the credentials for the user account on the destination Edge
Transport server. Click Next.
- By default, the Source Server page lists the Hub
Transport server on which you're performing this procedure. If you
want to add more Hub Transport servers for fault tolerance, those
Hub Transport servers must be configured as sources on the
corresponding Receive connector on the Edge Transport server. To
add more source servers, click Add. In the Select Hub
Transport servers and Edge Subscriptions dialog box, select the
Hub Transport servers that will be used as the source servers for
sending messages to the Edge Transport server that you provided in
step 6. When you're finished adding additional source servers,
click OK.
To add more source servers, click Add and repeat this step.
When you're finished, click Next.
- On the New connector page, review the configuration
summary for the connector. If you want to modify the settings,
click Back. To create the Send connector by using the
settings in the configuration summary, click New.
- On the Completion page, review the following, and then
click Finish to close the wizard:
- A status of Completed indicates that the wizard
completed the task successfully.
- A status of Failed indicates that the task wasn't
completed. If the task fails, review the summary for an
explanation, and then click Back to make any configuration
changes.
Use the Shell to create a Send connector configured to send outgoing messages to the Edge Transport server
You use the New-SendConnector cmdlet to create a Send connector.
The following example creates a new Send connector with the following settings:
- Usage type: Internal
- Address space: *
- DNS routing: disabled (smart host routing enabled)
- Smart hosts: edge01.contoso.net
- Source Transport servers: hub01.contoso.com, hub02.contoso.com
- Smart host authentication mechanism: Basic authentication, Basic authentication requiring TLS
Note: Before you create the Send connector, you first need to run the Get-Credential command to save the user name and password you will use in a temporary variable. You need to do this because the New-SendConnector cmdlet doesn't accept the user credentials in plain text.
$EdgeCredentials = Get-Credential
New-SendConnector -Name "To Edge" -Usage Internal -AddressSpaces * -DNSRoutingEnabled $false -SmartHosts edge01.contoso.com -SourceTransportServers hub01.contoso.com,hub02.contoso.com -SmartHostAuthMechanism BasicAuth,BasicAuthRequireTLS -AuthenticationCredential $EdgeCredentials
For detailed syntax and parameter information, see New-SendConnector.