Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-06
The Microsoft Exchange Server 2007 Edge Transport server role is designed to provide improved antivirus and anti-spam protection for the Exchange organization. Computers that have the Edge Transport server role also apply policies to messages in transport between organizations. The Edge Transport server role is deployed in an organization's perimeter network. The perimeter network is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain. This topic provides an overview of the steps that we recommend that you perform when planning to deploy the Edge Transport server role.
Planning for Edge Transport Server Deployment
The Edge Transport server role differs from other Exchange 2007 server roles in several important ways that you must consider when you plan your deployment. The Exchange 2007 Edge Transport server does not have access to Active Directory for storage of configuration and recipient information as do the other Exchange 2007 server roles. The Edge Transport server uses the Active Directory Application Mode (ADAM) directory service to store configuration and recipient information. The Edge Transport server is deployed outside the Exchange organization in the perimeter network and can provide Simple Mail Transfer Protocol (SMTP) relay and smart host functionality. The Edge Transport server also has an important role in providing anti-spam and antivirus functionality for the Exchange organization.
|Exchange 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.|
When you plan to deploy the Edge Transport server role, you should consider all the following topics:
- Topology Options Begin by planning
where you will put your Edge Transport server in the Exchange
physical topology. When you have determined where the Edge
Transport server will be located in the network relative to your
other Exchange servers, you can plan for the connectors that you
will require and for how they should be configured. For more
information about how to plan for placement of the Edge Transport
server, see Planning Your
- Server Capacity Planning for server
capacity includes planning to conduct performance monitoring of the
Edge Transport server. Performance monitoring will help you
understand how hard the server is working. This information will
determine the capacity of your current hardware configuration. For
more information, see Planning Processor
- Transport Features The Edge Transport
server can provide antivirus and anti-spam protection at the edge
of the network. As part of your planning process, you should
determine the transport features that you will enable at the Edge
Transport server and how they will be configured. For more
information about how to plan to use Exchange 2007 transport
features, see Planning for Edge
Transport Server Features.
- Security The Edge Transport server role
is designed to have a minimal attack surface. Therefore, it
important to correctly secure and manage both the physical access
and network access to the server. Planning for security will help
you make sure that IP connections are only enabled from authorized
servers and from authorized users. For more information, see the
The recommended practice is to put the Edge Transport server within a perimeter network. To make sure that the server can send and receive e-mail and receive recipient and configuration data updates from the Microsoft Exchange EdgeSync service, you must allow communication through the ports that are listed in the following table.
Communication port settings for Edge Transport servers
Network interface Open port Protocol Note
Inbound from and outbound to the Internet
This port must be open for mail flow to and from the Internet.
Inbound from and outbound to the internal network
This port must be open for mail flow to and from the Exchange organization.
This port is used to make a local connection to ADAM.
Inbound from the internal network
This port must be open for EdgeSync synchronization.
Inbound from the internal network
Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server.
|The Edge Transport server role uses non-standard LDAP ports. The ports that are specified in this topic are the LDAP communication ports that are configured when the Edge Transport server role is installed. For more information, see How to Modify ADAM Configuration.|
- EdgeSync You can create an Edge
Subscription to subscribe the Edge Transport server to the Exchange
organization. When you create an Edge Subscription, recipient and
configuration data is replicated from Active Directory to
ADAM. You subscribe an Edge Transport server to an
Active Directory site. Then the
Microsoft Exchange EdgeSync service that is running on
the Hub Transport servers in that site periodically updates ADAM by
synchronizing data from Active Directory. The Edge
Subscription process automatically provisions the Send connectors
that are required to enable mail flow from the Exchange
organization to the Internet through an Edge Transport server. If
you are using the recipient lookup or safelist aggregation features
on the Edge Transport server, you must subscribe the Edge Transport
server to the organization. For more information, see Using an Edge
Subscription to Populate ADAM with Active Directory Data.
For More Information
For more information, see the following topics: