Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-07-23
Using an Edge Transport server, you can provide anti-spam, antivirus, and transport rules processing for your Exchange organization. You can deploy and configure an Edge Transport server to act as a smart host in the perimeter network of an existing Microsoft Exchange Server 2003 organization before you start upgrading your existing Exchange 2003 servers to Exchange Server 2010. Although it's a better practice to introduce Exchange 2010 into your Exchange 2003 organization and use Edge subscriptions, you may want to start using Edge servers before you start your upgrade. This deployment option may be desirable in the following scenarios:
- You want to start utilizing the benefits of Edge protection
before beginning the upgrade of your internal Exchange
organization.
- You have multiple sites that won't be upgraded all at the same
time, and you want the servers in these sites to send mail directly
to the perimeter before they're upgraded.
- You have an Exchange 2010 deployment and your organization
merges with or acquires another organization that has Exchange 2003
deployed, and you want to centralize mail flow through your Edge
servers.
Note:
In the scenario described in this topic, no computers running Microsoft Exchange Server 2010 have been deployed in the Exchange organization. This limits the available features on the Edge Transport server because you can't use any of the features that rely on Edge Subscription. The features that rely on Edge Subscription are recipient lookup and safelist aggregation. If you want to create an Edge Subscription, you must deploy at least one Exchange 2010 Hub Transport server in the Exchange organization and configure the organization for coexistence. For more information, see Upgrade from Exchange 2003 Transport.
Looking for other management tasks related to Edge Transport servers? Check out Managing Transport Servers.
Prerequisites
- An Edge Transport server has been deployed in the perimeter
network. For detailed steps, see Install Exchange 2010
Using the Custom Installation Type.
- An Edge Transport server has been configured to perform
antivirus and anti-spam processing and to apply transport rules.
For detailed steps, see Managing Anti-Spam and
Antivirus Features and Managing Transport
Rules.
- Accepted domains are configured on the Edge Transport server.
You need to create an accepted domain entry for each SMTP domain
for which the Exchange organization receives e-mail. For detailed
steps, see Transport Server
Post-Deployment Tasks.
- Verify the configuration of the Domain Name System (DNS) mail
exchange (MX) resource record for those domains and make any
changes that may be needed so that e-mail to your accepted domains
is directed to the Edge Transport server.
- Determine the authentication method that will be used to help
secure the connection between the Edge Transport server and the
Exchange organization. We recommend that you use Basic
authentication over Transport Layer Security (TLS). Alternatively,
you can decide to use Externally Secured as your authentication
mechanism. This authentication mechanism relies on network
security, such as Internet Protocol security (IPsec), to help
secure the connection. For more information about the
authentication methods that are available, see Securing Transport
Servers.
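The MX prerequisite above is easy to get wrong for one domain out of many. The following script is an added example, not part of the original article: run in the Exchange Management Shell on the Edge Transport server, it takes every accepted domain configured there and checks whether the domain's public MX records name the Edge Transport server. The host name edge.contoso.com is an assumption for illustration; replace it with the name your MX records are supposed to point at.

```powershell
# Added example, not from the original article. Run in the Exchange
# Management Shell on the Edge Transport server, where Get-AcceptedDomain
# returns the domains configured under the Prerequisites above.
# Assumption (not in the article): the host name your public MX records
# should point at is edge.contoso.com. Replace it with your own.
$edgeMxHost = "edge.contoso.com"

function Get-MxHosts {
    param([string]$Domain)
    # nslookup ships with every Windows version this article covers;
    # Resolve-DnsName does not (it needs Windows Server 2012 or later).
    $lines = & nslookup -type=MX $Domain 2>$null
    $mx = @()
    foreach ($line in $lines) {
        # Typical output line:
        # "contoso.com  MX preference = 10, mail exchanger = edge.contoso.com"
        if ($line -match 'mail exchanger\s*=\s*(\S+)') {
            $mx += $matches[1].TrimEnd('.').ToLower()
        }
    }
    return $mx
}

$report = foreach ($d in Get-AcceptedDomain) {
    $name = $d.DomainName.ToString()
    $mx   = Get-MxHosts -Domain $name
    New-Object PSObject -Property @{
        Domain       = $name
        DomainType   = $d.DomainType
        MxHosts      = ($mx -join ", ")
        PointsAtEdge = ($mx -contains $edgeMxHost.ToLower())
    }
}

# Domains whose MX does not reach the Edge Transport server bypass its
# anti-spam, antivirus and transport rule processing entirely.
$report | Sort-Object PointsAtEdge, Domain |
    Format-Table Domain, DomainType, PointsAtEdge, MxHosts -AutoSize
```

If inbound mail passes through a firewall or load balancer with its own public name, set $edgeMxHost to that name; the point of the check is that no accepted domain has an MX record that still delivers straight to an Exchange 2003 server.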
Deploy an Edge Transport server in an Exchange 2003 Organization
For all deployments, you must first create a Send connector from the Edge Transport server to the Internet. Then, configure mail flow as appropriate for your selected authentication method.
Create a Send connector from the Edge Transport server to the Internet
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Edge Transport server" entry in the Transport Permissions topic.
Use the New Send Connector wizard in the EMC to create a Send connector on the Edge Transport server with the following settings:
- Introduction page In Select the
intended use for this Send connector, select
Internet.
- Address space page Click Add,
and in the SMTP Address Space dialog, type * (an
asterisk).
For detailed steps, see Create an SMTP Send Connector.
Alternatively, you can use the New-SendConnector cmdlet to create the connector in the Shell. This example creates the Send connector To Internet, which uses DNS to route messages.
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
If you use a smart host to route messages to the Internet, you need to use different parameters. This example creates the same Send connector but configures it to use the smart host 10.10.1.1 instead of DNS to route messages.
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $false -SmartHosts "10.10.1.1"
For detailed syntax and parameter information, see New-SendConnector.
Note:
When you install the Edge Transport server role, a default Receive connector is created that's configured to receive mail from the Internet. Therefore, you don't need to create a Receive connector that corresponds to the Send connector you created in this section.
Configure mail flow between the Edge Transport server and the Exchange 2003 organization using Basic authentication over TLS
The procedures in this section help you configure secured mail flow between the Edge Transport server and the Exchange 2003 organization using Basic authentication over TLS.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Edge Transport server" entry in the Transport Permissions topic.
Configure credentials for authenticated mail flow
- Create the credentials used by the Edge Transport server to
authenticate to the Exchange 2003 server. Create a user account in
Active Directory that services the Exchange organization. Add the
user account to the Exchange Domain Servers security group.
Important: This account is granted the permissions and rights assigned to Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account. You can configure the account to enable logon to specific computers only.
- On the Edge Transport server, create the credentials used by
the Exchange 2003 server to authenticate to the Edge Transport
server. Create a user account in the Users folder in the Local
Users and Groups container on the Edge Transport server.
Configure Exchange 2003 to accept messages from the Edge Transport server
On the Exchange 2003 server or servers that will receive messages from the Edge Transport server, verify that the SMTP virtual server is configured to enable Basic authentication over TLS.
- Open Exchange System Manager. Expand the Servers node.
Expand the desired server. Expand the Protocols node. Expand
SMTP. Right-click Default SMTP Virtual Server, and
select Properties.
- Click the Access tab, and then click
Authentication.
- In the Authentication dialog box, select Basic
authentication (password is sent in clear text) and Requires
TLS encryption. Click OK. Requires TLS encryption can only be
enforced if a server certificate is installed for the SMTP virtual
server; without one, the TLS negotiation with the Edge Transport
server fails, and because the Edge Transport server uses the
BasicAuthRequireTLS mechanism, it never sends the credentials over
an unencrypted session.
- Click OK to close Default SMTP Virtual Server
Properties.
Create a Send connector from the Edge Transport server to the Exchange 2003 organization
Use the New Send Connector wizard in the EMC to create a Send connector on the Edge Transport server with the following settings:
- Introduction page In Select the
intended use for this Send connector, select
Internal.
- Address Space page Click Add to open the
SMTP Address Space dialog. In this dialog, type -- (two hyphens)
in the Address field. This placeholder represents all
authoritative and internal relay domains in your accepted domains
configuration. Alternatively, you can list each domain as a
separate entry. Leave the remaining fields with their default
settings and click OK.
- Network Settings page In Route mail
through the following smart hosts, enter the IP address or
the fully qualified domain name (FQDN) of the Exchange 2003
bridgehead server that will receive messages from the Edge
Transport server. If you configure more than one bridgehead server
as a smart host, the connections from the Edge Transport server
will be load-balanced between the smart hosts.
- Configure smart host authentication settings
page Select Basic Authentication and
Basic Authentication over TLS. In the User name and
Password fields, enter the credentials for the user account
that you created in the "Configure credentials for authenticated
mail flow" section earlier in this topic.
For detailed steps, see Create an SMTP Send Connector.
Alternatively, you can use the New-SendConnector cmdlet to create the connector in the Shell. This example creates the Send connector To Exchange Organization with the required settings and designates the servers 10.10.1.10 and 10.10.1.11 as the Exchange 2003 bridgehead servers that will receive mail from the Edge Transport server.
$mycred = get-credential
In the dialog box that appears, enter the credentials for the user account you created in the "Configure credentials for authenticated mail flow" section. Use the domain\user format or user principal name (UPN) format to enter the user name, and then provide the user's password. Click OK.
New-SendConnector -Name "To Exchange Organization" -Usage Internal -AddressSpaces "--" -DNSRoutingEnabled $false -SmartHosts "10.10.1.10","10.10.1.11" -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred
For detailed syntax and parameter information, see New-SendConnector.
After you create the Send connector, you must grant the permissions required to enable transmission of XExch50 data from the Edge Transport server to the Exchange 2003 server by running this command in the Shell.
Add-AdPermission -Identity "To Exchange Organization" -User "NT Authority\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Send-Exch50
Create a Receive connector on the Edge Transport server to accept messages from the Exchange 2003 organization
Use the New Receive Connector wizard in the EMC to create a Receive connector on the Edge Transport server with the following settings:
- Introduction page In Select the
intended use for this Receive connector, select
Internal.
- Remote network settings page Delete all
network ranges and add the IP addresses of the Exchange 2003
bridgehead servers that will relay messages to the Edge Transport
server
After you create the connector, modify the authentication method by selecting Basic Authentication and Offer Basic authentication only after starting TLS on the Authentication tab of the connector's properties. For detailed steps, see Create an SMTP Receive Connector and Configure Receive Connector Properties.
Alternatively, you can use the New-ReceiveConnector cmdlet to create the connector in the Shell. This example creates the Receive connector From Exchange Organization with the required settings and designates that the servers 10.10.1.10 and 10.10.1.11 are the only ones from which the Receive connector will accept messages.
New-ReceiveConnector -Name "From Exchange Organization" -Usage Internal -RemoteIPRanges 10.10.1.10,10.10.1.11 -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS -Bindings 0.0.0.0:25
On the Edge Transport server, run this command in the Shell to grant permissions on the new Receive connector to the local user account you created in the "Configure credentials for authenticated mail flow" section. In this example, Edge is the computer name of the Edge Transport server and Contoso is the local user account; substitute your own names.
Add-AdPermission -Identity "From Exchange Organization" -User Edge\Contoso -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-Accept-Headers-Routing,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender
Important:
This account is granted the permissions that enable it to relay messages through the Edge Transport server. Make sure that you safeguard the account credentials to prevent misuse of the account.
Configure Exchange 2003 to send messages to the Edge Transport server
On the Exchange 2003 server, follow these steps to create an SMTP connector configured to relay all Internet e-mail through the Edge Transport server and use Basic authentication over TLS to help secure the connection:
- Open Exchange System Manager. Right-click the Connectors
container that's located in the routing group where the server that
will host this connector resides, select New, and then
select SMTP Connector.
Note: If no routing groups are displayed in Exchange System Manager, right-click the Exchange organization container, select Properties, and then select the Display routing groups check box.
- Select the General tab. In the Name field, type a
unique name for the connector.
- Select Forward all mail through this connector to the
following smart hosts, and type the IP address or FQDN of
the Edge Transport server. If you enter an IP address, it must
be enclosed in brackets, for example: [192.168.1.1].
- Click Add to add a local bridgehead server. In the
Add Bridgehead dialog box, select one or more Exchange 2003
servers.
- Select the Address Space tab, and then click Add
to create an address space. In the Add Address Space dialog
box, select SMTP, and then click OK.
- On the Internet Address Space Properties page, enter
*, and then click OK.
- Select the Advanced tab, and then click Outbound
Security. In the Outbound Security dialog box, select
Basic Authentication, and then click Modify.
- In the Outbound Connection Credentials dialog
box, enter the user name for the local user account that you
created on the Edge Transport server, enter the password for the
account, and then click OK.
- On the Outbound Security dialog box, select TLS
encryption. Click OK to close the Outbound
Security dialog box. Click OK.
Configure mail flow between the Edge Transport server and the Exchange 2003 organization using anonymous access
The procedures in this section help you configure unauthenticated mail flow between the Edge Transport server and the Exchange 2003 organization using anonymous access.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Edge Transport server" entry in the Transport Permissions topic.
Configure Exchange 2003 to accept messages from the Edge Transport server
- On the Exchange 2003 server or servers that will receive
messages from the Edge Transport server, verify that the SMTP
virtual server is configured to enable Anonymous access:
- Open Exchange System Manager. Expand the Servers node.
Expand the desired server. Expand the Protocols node. Expand
SMTP. Right-click Default SMTP Virtual Server, and
then select Properties.
- Click the Access tab, and then click
Authentication.
- In the Authentication dialog box, select Anonymous
access. Click OK.
- Configure the relay restriction for the Exchange 2003 server to
enable only the Edge Transport server to relay through this virtual
server:
- On the Access tab of Default SMTP Virtual Server
Properties, click Relay.
- In the Relay Restrictions dialog box, select Only the
list below, and then click Add.
- In the Computer dialog box, select Single
computer to specify a single IP address, or select
Group of computers to specify an IP address range.
Click OK.
- In the Relay Restrictions dialog box, verify that the
check box Allow all computers which successfully authenticate to
relay, regardless of the list above is selected. Click
OK.
- Click OK to close Default SMTP Virtual Server
Properties.
- Follow these steps to modify the registry settings on the
Exchange 2003 bridgehead server to enable the Exchange 2003 server
to send and receive XExch50 properties anonymously:
Caution: Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.
- Open Registry Editor.
- Locate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50
- Right-click XEXCH50 and select New | DWORD Value.
Type SuppressExternal for the value name. By default, the
value data is 0. This indicates that the XEXCH50 properties
are transmitted to the remote server anonymously.
- Right-click XEXCH50 and select New | Key.
Type the number of the SMTP virtual server instance as the key
value. For example, the default virtual server instance is
1, and the second SMTP virtual server created on a server is
2.
- Right-click the key that you just created, point to New,
and then click DWORD Value.
- In the details pane, type Exch50AuthCheckEnabled for the
value name. By default, the value data is 0. This indicates
that the XEXCH50 properties are transmitted when e-mail is sent
anonymously.
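The registry steps above, carried out as a script, as an added example that is not part of the original article. It runs from an elevated PowerShell prompt on the Exchange 2003 bridgehead server (Windows Server 2003 ships without Windows PowerShell, so it must be installed first), exports the key before changing it, creates both values and reads them back. The instance number 1 (the Default SMTP Virtual Server) is an assumption; set $instance to the number of another SMTP virtual server instance if that is the one the Edge Transport server connects to.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell prompt on the Exchange 2003 bridgehead server. Assumption (not
# in the article): the virtual server is instance 1, the Default SMTP Virtual
# Server; set $instance to the number of another instance if needed.
$instance = 1
$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50'

# Back up the key before touching it, as the Caution above advises.
$backup = Join-Path $env:TEMP ("XEXCH50-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50' $backup | Out-Null

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
# SuppressExternal = 0: XEXCH50 properties are transmitted to the remote server.
New-ItemProperty -Path $keyPath -Name SuppressExternal -PropertyType DWord -Value 0 -Force | Out-Null

$instPath = Join-Path $keyPath $instance
if (-not (Test-Path $instPath)) { New-Item -Path $instPath -Force | Out-Null }
# Exch50AuthCheckEnabled = 0: XEXCH50 properties are exchanged even when the
# session is anonymous, which is what the Externally Secured configuration
# between the Edge Transport server and this server relies on.
New-ItemProperty -Path $instPath -Name Exch50AuthCheckEnabled -PropertyType DWord -Value 0 -Force | Out-Null

# Read the values back so the result can be confirmed.
Get-ItemProperty -Path $keyPath  -Name SuppressExternal       | Select-Object SuppressExternal
Get-ItemProperty -Path $instPath -Name Exch50AuthCheckEnabled | Select-Object Exch50AuthCheckEnabled
"Backup written to $backup"
```

With Exch50AuthCheckEnabled set to 0, the virtual server exchanges XEXCH50 data with any session that is allowed to connect, not only with the Edge Transport server, so keep the relay restrictions list limited to the Edge Transport server addresses and make sure the bridgehead is not reachable on TCP port 25 from the Internet.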
Create a Send connector from the Edge Transport server to the Exchange 2003 organization
Use the New Send Connector wizard in the EMC to create a Send connector on the Edge Transport server with the following settings:
- Introduction page In Select the
intended use for this Send connector, select
Internal.
- Address space page Type --
(two hyphens), which is a placeholder that represents all authoritative
and internal relay domains in your accepted domains configuration.
Alternatively, you can list each domain as a separate entry.
- Network settings page In Route mail
through the following smart hosts, enter the IP address or
the FQDN of the Exchange 2003 bridgehead server that will receive
messages from the Edge Transport server. If you configure more than
one bridgehead server as a smart host, the connections from the
Edge Transport server will be load-balanced between the smart
hosts.
- Configure smart host authentication
settings page Select Externally Secured (for
example with IPsec).
For detailed steps, see Create an SMTP Send Connector.
Alternatively, you can use the New-SendConnector cmdlet to create the connector in the Shell. This example creates the Send connector To Exchange Organization with the required settings and designates the servers 10.10.1.10 and 10.10.1.11 as the Exchange 2003 bridgehead servers that will receive mail from the Edge Transport server.
New-SendConnector -Name "To Exchange Organization" -Usage Internal -AddressSpaces "--" -SmartHosts 10.10.1.10,10.10.1.11 -SmartHostAuthMechanism ExternalAuthoritative -DNSRoutingEnabled $False
After you create the Send connector, you must grant the permissions required to enable transmission of XExch50 data from the Edge Transport server to the Exchange 2003 server by running this command in the Shell.
Add-AdPermission -Identity "To Exchange Organization" -User "NT Authority\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Send-Exch50
Create a Receive connector on the Edge Transport server to accept messages from the Exchange 2003 organization
Use the New Receive Connector wizard in the EMC to create a Receive connector on the Edge Transport server with the following settings:
- Introduction page In Select the
intended use for this Receive connector, select
Internal.
- Remote network settings page Delete all
network ranges and add the IP addresses of the Exchange 2003
bridgehead servers that will relay messages to the Edge Transport
server.
After you create the connector, modify the authentication method by selecting Externally Secured (for example with IPsec) on the Authentication tab of the connector's properties. Clear all other authentication options. For detailed steps, see Create an SMTP Receive Connector and Configure Receive Connector Properties.
Alternatively, you can use the New-ReceiveConnector cmdlet to create the connector in the Shell. This example creates the Receive connector From Exchange Organization with the required settings and designates that the servers 10.10.1.10 and 10.10.1.11 are the only ones from which the Receive connector will accept messages.
New-ReceiveConnector -Name "From Exchange Organization" -Usage Internal -RemoteIPRanges 10.10.1.10,10.10.1.11 -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25
Important:
If you specify an IP address range instead of specific IP addresses for this Receive connector, it will enable all connections from the specified remote IP address range to relay messages through the Edge Transport server. In this scenario, make sure that a trusted network connection exists between the Edge Transport server and the Exchange organization.
Configure Exchange 2003 to send messages to the Edge Transport server
On the Exchange 2003 server, follow these steps to create an SMTP connector configured to relay all Internet e-mail through the Edge Transport server:
- Open Exchange System Manager. Right-click the Connectors
container located in the routing group where the server that will
host this connector resides, select New, and then select
SMTP Connector.
Note: If no routing groups are displayed in Exchange System Manager, right-click the Exchange organization container, select Properties, and then select the Display routing groups check box.
- Select the General tab. In the Name field, type a
unique name for the connector.
- Select Forward all mail through this connector to the
following smart hosts, and type the IP address or FQDN of
the Edge Transport server. If you enter an IP address, it must
be enclosed in brackets, for example: [192.168.1.1].
- Click Add to add a local bridgehead server. In the
Add Bridgehead dialog box, select one or more Exchange 2003
servers.
- Select the Address Space tab, and then click Add
to create an address space. In the Add Address Space dialog
box, select SMTP, and then click OK.
- On the Internet Address Space Properties page, enter
*, and then click OK.
- Click OK to close the SMTP connector properties
page.
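Both procedures in this topic, Basic authentication over TLS and Externally Secured, end with a Receive connector and a Send connector on the Edge Transport server whose misconfiguration turns the server into a relay for anyone who can reach it. The following script is an added example, not part of the original article: run in the Exchange Management Shell on the Edge Transport server after either procedure, it checks the points the Important notes above warn about. It assumes the connector names used in the examples, "From Exchange Organization" and "To Exchange Organization"; change $rcName and $scName if you used other names.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Edge Transport server after completing either of the two
# procedures above. Assumptions (taken from the article's examples, change if
# you used other names): the connectors are called "From Exchange Organization"
# and "To Exchange Organization".
$rcName = "From Exchange Organization"
$scName = "To Exchange Organization"
$findings = @()

$rc = Get-ReceiveConnector -Identity $rcName
$sc = Get-SendConnector    -Identity $scName
$rcAuth = $rc.AuthMechanism.ToString()
$scAuth = $sc.SmartHostAuthMechanism.ToString()

# 1. Externally Secured trusts every address in RemoteIPRanges without
#    credentials, so the list must name the bridgeheads, not whole subnets.
if ($rcAuth -match 'ExternalAuthoritative') {
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() } | Where-Object { $_ -match '[-/]' })
    if ($ranges.Count -gt 0) {
        $findings += "$rcName is Externally Secured but accepts whole ranges: $($ranges -join ', ')"
    }
}

# 2. Basic authentication must never be offered or used over a clear-text session.
if ($rcAuth -match 'BasicAuth' -and $rcAuth -notmatch 'BasicAuthRequireTLS') {
    $findings += "$rcName offers Basic authentication without requiring TLS"
}
if ($scAuth -eq 'BasicAuth') {
    $findings += "$scName would send the Active Directory account's password in clear text"
}
if ($scAuth -eq 'None') {
    $findings += "$scName has no smart host authentication mechanism"
}

# 3. Basic authentication over TLS needs a certificate enabled for SMTP on this server.
if ($rcAuth -match 'BasicAuthRequireTLS' -or $scAuth -eq 'BasicAuthRequireTLS') {
    $smtpCert = Get-ExchangeCertificate | Where-Object {
        $_.Services.ToString() -match 'SMTP' -and $_.NotAfter -gt (Get-Date)
    }
    if (-not $smtpCert) { $findings += "No unexpired certificate is enabled for the SMTP service" }
}

# 4. Open relay check across every Receive connector: anonymous sessions must
#    not hold ms-Exch-SMTP-Accept-Any-Recipient. The procedures above grant
#    that right to the local account or to Exchange servers only.
foreach ($c in Get-ReceiveConnector) {
    $anonRelay = Get-ADPermission -Identity $c.Identity | Where-Object {
        $_.User.ToString() -like '*ANONYMOUS LOGON' -and
        (-not $_.Deny) -and
        (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
    }
    if ($anonRelay) { $findings += "$($c.Name) lets anonymous sessions relay to any recipient" }
}

if ($findings.Count -eq 0) { Write-Host "No findings." }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Check 4 deliberately covers the default Internet-facing Receive connector as well as the internal one: the relay right granted to Edge\Contoso in the Basic authentication procedure is harmless only as long as it is never also granted to NT AUTHORITY\ANONYMOUS LOGON on a connector that listens to the Internet.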