Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-02
We always recommend that you use the Edge Subscription process to establish mail flow between the Exchange organization and a computer that is running Microsoft Exchange Server 2007 that has the Edge Transport server role installed. However, we realize that there are situations where you can't subscribe the Edge Transport server to the Exchange organization by using the Edge Subscription process. To manually establish mail flow between the Exchange organization and an Edge Transport server, you must create and configure the Send connectors and Receive connectors on the Edge Transport server and on the Hub Transport servers in the Exchange organization.
Before You Begin
To perform this procedure, the account you use must be delegated the following:
- Exchange Organization Administrator role
To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.
This procedure uses Basic authentication over Transport Layer Security (TLS) to provide encryption and authentication. Basic authentication transmits the user name and password in a Base64 encoding that anyone on the network path can decode, so the TLS requirement is the only thing that protects the credential; do not configure Basic authentication on these connectors without it. When you use Basic authentication over TLS, the receiving server must have an X.509 Secure Sockets Layer (SSL) server certificate installed. The fully qualified domain name (FQDN) value configured on the Receive connector must match the FQDN in the SSL server certificate. By default, the value of the FQDN on the Receive connector is the FQDN of the server that contains the Receive connector.
It is much easier to configure the Externally Secured authentication method. However, with that method the communication between the Edge Transport server and the Hub Transport server is neither authenticated nor encrypted by Microsoft Exchange; Exchange treats the connection as fully trusted on the assumption that something else secures it. We recommend that you use the Externally Secured authentication method only when an additional encryption method, such as an IPsec association or a virtual private network (VPN), protects the path between the two servers.
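The FQDN-to-certificate match described above is the usual cause of a failed Basic-over-TLS connection, and it is easy to check before configuring any connector. The following script is an added example, not part of the original article: run in the Exchange Management Shell on the Hub Transport or Edge Transport server, it lists the server's Receive connectors and reports whether each connector's FQDN is covered by a certificate that is enabled for SMTP (including a wildcard certificate) and whether that certificate has expired. The function name Test-NameCoveredByCert is the example's own, and the script assumes that Get-ReceiveConnector -Server resolves the local server name on both server roles.

```powershell
# Added example, not part of the original article: confirm that the FQDN each Receive
# connector advertises is covered by a certificate that is enabled for SMTP on this
# server, which is what Basic authentication over TLS requires of the receiving side.
# Run in the Exchange Management Shell on the Hub Transport or Edge Transport server.
# Written for the PowerShell 1.0 environment of Exchange 2007 (no try/catch).

# A wildcard name (*.contoso.com) covers exactly one label below it, as TLS clients expect.
function Test-NameCoveredByCert([string]$Fqdn, [string[]]$CertDomains) {
    $f = $Fqdn.ToLower()
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $f) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # ".contoso.com"
            if ($f.EndsWith($suffix)) {
                $label = $f.Substring(0, $f.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$now = Get-Date
# Services is a flags value such as "IMAP, POP, IIS, SMTP"; only SMTP-enabled certificates count.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'SMTP' })
if ($smtpCerts.Count -eq 0) {
    Write-Warning "No certificate on $env:COMPUTERNAME is enabled for SMTP; STARTTLS cannot succeed."
}

# Assumption: -Server with the local computer name returns this server's connectors on both roles.
foreach ($rc in Get-ReceiveConnector -Server $env:COMPUTERNAME) {
    $fqdn  = $rc.Fqdn.ToString()
    $found = $false
    foreach ($cert in $smtpCerts) {
        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        if (Test-NameCoveredByCert $fqdn $domains) {
            $found = $true
            if ($cert.NotAfter -lt $now) {
                Write-Warning ("{0}: matching certificate {1} expired on {2}." -f $rc.Name, $cert.Thumbprint, $cert.NotAfter)
            } else {
                "{0}: FQDN '{1}' is covered by certificate {2} (expires {3})." -f $rc.Name, $fqdn, $cert.Thumbprint, $cert.NotAfter
            }
        }
    }
    if (-not $found) {
        Write-Warning ("{0}: FQDN '{1}' matches no SMTP-enabled certificate; a sender that requires TLS will fail to connect." -f $rc.Name, $fqdn)
    }
}
```

Run it on the Hub Transport server before creating the Edge-side Send connector, and on the Edge Transport server before creating the Hub-side Send connector, since each side is the TLS server for the other's Basic authentication.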
An Edge Transport server is typically multi-homed. This means that the Edge Transport server has network adapters that are connected to multiple network segments. Each of these network adapters has a unique IP configuration. The network adapter that is connected to the external, or public, network segment should be configured to use a public Domain Name System (DNS) server for name resolution. This enables the server to resolve Simple Mail Transfer Protocol (SMTP) domain names to MX resource records and route mail to the Internet. The network adapter that is connected to the internal, or private, network segment should be configured to use a DNS server in the perimeter network or should have a Hosts file available.
For more information, see How to Configure a DNS Suffix for the Edge Transport Server Role.
Edge Transport Server Procedures
The following connectors are required on the Edge Transport server:
- A Send connector that is configured to send messages to the Internet
- A Send connector that is configured to send messages to the Hub Transport servers in the Exchange organization
- A Receive connector that is configured to receive messages only from Hub Transport servers in the Exchange organization
- A Receive connector that is configured to accept messages only from the Internet
By default, a single Receive connector is created during the installation of the Edge Transport server role. This connector can be used for both incoming Internet messages and incoming messages from the Hub Transport servers. Typically, the Edge Subscription process automatically configures the correct permissions and authentication on the default Receive connector. When you don't use the Edge Subscription process, we recommend that you modify the default Receive connector on the Edge Transport server to only accept messages from the Internet. You should then create a new Receive connector on the Edge Transport server that is configured to only accept messages from internal Hub Transport servers. Note also that without an Edge Subscription nothing synchronizes the organization's accepted domains to the Edge Transport server; the Edge Transport server accepts inbound mail only for domains that exist as accepted domains in its own local configuration, so you must create those on the Edge Transport server yourself.
Creating a Send Connector That is Configured to Send Messages to the Internet
This Send connector requires the following configuration:
- Usage type: Internet
- Address spaces: "*" (all domains)
- Network settings: Use DNS MX records to route mail automatically. Depending on your network configuration, you can also route mail through a smart host, which then routes mail to the Internet.
To use the Exchange Management Console to create a Send connector on the Edge Transport server that is configured to send messages to the Internet
-
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
-
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
-
On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as "To Internet".
- In the Select the intended use for this connector: field, select Internet.
- When you are finished, click Next.
-
On the Address space page, click Add. In the Add Address Space dialog box, enter *, and then click OK. When you are finished, click Next.
Note: In Microsoft Exchange Server 2007 Service Pack 1 (SP1), the dialog box is named SMTP Address Space.
-
On the Network settings page, select Use domain name system (DNS) "MX" records to route mail automatically, and then click Next.
-
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
-
On the Completion page, click Finish.
To use the Exchange Management Shell to create a Send connector on the Edge Transport server that is configured to send messages to the Internet
-
Run the following command:
New-SendConnector -Name <Name> -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For example, to create a new Send connector named "To Internet" with the required settings, run the following command:
New-SendConnector -Name "To Internet" -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true
For detailed syntax and parameter information, see New-SendConnector.
Creating a Send Connector That is Configured to Send Messages to the Internal Exchange Organization
Before you begin this procedure, you must create a user account in the Active Directory directory service and add the account to the Exchange Servers universal security group. This account is used by the Send connector on the Edge Transport server to authenticate to the destination Hub Transport server in the Exchange organization.
Important: This account is granted the permissions that are associated with Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account: use a dedicated account with a long, randomly generated password, and do not reuse it for any other purpose. You can configure the account to allow logon to specific computers only.
This Send connector requires the following configuration:
- Usage type: Internal
- Address spaces: All accepted domains for the Exchange organization
- Network settings:
  - Fully qualified domain name (FQDN) of one or more Hub Transport servers as smart hosts
  - Smart host authentication setting: Basic authentication over TLS
To use the Exchange Management Console to create a Send connector on the Edge Transport server that is configured to send messages to the internal Exchange organization
-
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.
-
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
-
On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as "To Internal Org".
- In the Select the intended use for this connector: field, select Internal.
- When you are finished, click Next.
-
On the Address space page, follow these steps:
- Click Add.
- In the Add Address Space dialog box, enter the accepted domains for the Exchange organization. You may select the Include all subdomains check box to use this connector to send e-mail to all subdomains of the address space. When you are finished, click OK.
Note: In Exchange 2007 SP1, the dialog box is named SMTP Address Space.
- When you are finished, click Next.
-
On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and then click Add.
- In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Hub Transport server. The Edge Transport server must be able to resolve the specified FQDN of the destination Hub Transport server. When you are finished, click OK.
To add more Hub Transport servers as smart hosts, click Add, and repeat this step.
- When you are finished, click Next.
-
On the Configure smart host authentication settings page, select Basic Authentication and Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account in the internal domain. Use the domain\user format or user principal name (UPN) format to enter the user name and provide the user's password. Click Next.
-
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
-
On the Completion page, click Finish.
Important: The Edge Transport server must be able to resolve the name of the Hub Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Hub Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Hub Transport server.
To use the Exchange Management Shell to create a Send connector on the Edge Transport server that is configured to send messages to the Internal Exchange organization
-
Run the following command on the Edge Transport server:
$hubcred = get-credential
- In the dialog box that appears, enter the credentials for the user account in the internal domain. Use the domain\user format or UPN format to enter the user name and provide the user's password. Click OK.
-
Run the following command on the Edge Transport server:
New-SendConnector -Name <ConnectorName> -Usage Internal -AddressSpaces <AcceptedDomain1,AcceptedDomain2...> -DNSRoutingEnabled $False -SmartHosts <HubServer1,HubServer2...> -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $hubcred
For example, to create a new Send connector named "To Internal Org" for the accepted domain "contoso.com" and all subdomains to the destination Hub Transport servers named "hub01.contoso.com" and "hub02.contoso.com", run the following command:
New-SendConnector -Name "To Internal Org" -Usage Internal -AddressSpaces *.contoso.com -DNSRoutingEnabled $False -SmartHosts Hub01.contoso.com,Hub02.contoso.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $hubcred
Important: The Edge Transport server must be able to resolve the name of the Hub Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Hub Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Hub Transport server.
For detailed syntax and parameter information, see New-SendConnector.
Modifying the Default Receive Connector to Only Accept Messages from the Internet
A default Receive connector named "Default internal Receive connector ServerName" is created when the Edge Transport server role is installed on the server. The default Receive connector is configured to accept messages from the Internet and from the internal Exchange organization. If you are not going to use the Edge Subscription process to correctly configure the authentication methods on the default Receive connector, you should modify the default Receive connector to only accept the anonymous message submissions from the Internet. You should then create a separate Receive connector that only accepts the trusted message submissions from the internal Exchange organization.
Only one reconfiguration is required on the default Receive connector. You must set the local network bindings to the IP address of the Internet-facing network adapter only. You may also want to rename the default Receive connector to something more descriptive.
Note: If Exchange 2007 SP1 is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6. We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization. For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1 and SP2. For more information about connection filtering, how to add IP addresses to the IP Allow list and IP Block list, and how to configure IP Block List provider services and IP Allow List provider services, see Configuring Connection Filtering.
To use the Exchange Management Console to modify the default Receive connector on an Edge Transport server to only accept messages from the Internet
-
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
-
In the work pane, select the Receive connector to modify. The default Receive connector is named "Default internal Receive connector Servername".
-
Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
-
Click the General tab to modify the name of the connector.
-
Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit.
- In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the Internet-facing network adapter. Click OK.
-
Click OK to save your changes and exit the Properties page.
To use the Exchange Management Shell to modify the default Receive connector on an Edge Transport server to only accept messages from the Internet
-
Run the following command:
Set-ReceiveConnector "Default internal Receive connector <ServerName>" -Name <NewConnectorName> -Bindings <ExternalNetworkAdapterIP:25>
For example, to modify the default Receive connector on an Edge Transport server named "Edge01" whose Internet-facing network adapter has the IP address 10.1.1.1, and to rename the connector "From Internet", run the following command:
Set-ReceiveConnector "Default internal Receive connector Edge01" -Name "From Internet" -Bindings 10.1.1.1:25
For detailed syntax and parameter information, see Set-ReceiveConnector.
Creating a New Receive Connector that is Configured to Only Accept Messages from the Internal Exchange Organization
This Receive connector requires the following configuration:
- Usage type: Internal
- Local network bindings: Internal network-facing network adapter
- Remote network settings: IP address of one or more Hub Transport servers in the Exchange organization
- Authentication method: Basic authentication over TLS
To use the Exchange Management Console to create a new Receive connector on an Edge Transport server that is configured to only accept messages from the internal Exchange organization
-
Open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Receive Connectors tab.
-
In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.
-
On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector.
- In the Select the intended use for this connector: field, select Internal.
- When you are finished, click Next.
-
On the Remote network settings page, follow these steps:
- Select the default IP address range entry 0.0.0.0 - 255.255.255.255, and then remove it. If this entry stays in place, any host that can reach the internal adapter can submit mail on this connector, not only the Hub Transport servers.
- Click Add or the drop-down arrow located next to Add, and type the IP address or IP address range of the internal Hub Transport server or servers. When you are finished, click OK.
To add multiple destination Hub Transport servers to this connector, click Add and repeat this step. Each Hub Transport server that you define in this step must also be listed as a source server in the corresponding Send connectors that are configured on the Hub Transport servers.
- When you are finished, click Next.
-
On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.
-
On the Completion page, click Finish.
-
In the work pane, select the Receive connector that you created.
-
Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
-
Click the Network tab. Under Use these local IP addresses to Receive mail, click Edit.
- In the Edit Receive Connector Binding dialog box, select Specify an IP address, and then enter the IP address of the internal organization-facing network adapter. Click OK.
-
Click the Authentication tab. Select Basic Authentication and Offer Basic authentication only after starting TLS.
-
Click OK to save your changes and exit the Properties page.
To use the Exchange Management Shell to create a new Receive connector on an Edge Transport server that is configured to only accept messages from the internal Exchange organization
-
Run the following command:
New-ReceiveConnector -Name <ConnectorName> -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings <InternalNetworkAdapterIP:25> -RemoteIPRanges <HubTransportServerAddress1,HubTransportServerAddress2...>
For example, to create a new Receive connector named "From Internal Org" on an Edge Transport server that has an internal network adapter IP address of 10.1.1.1 and that accepts messages from internal Hub Transport servers that use IP addresses 192.168.5.10 and 192.168.5.20, run the following command:
New-ReceiveConnector -Name "From Internal Org" -Usage Internal -AuthMechanism TLS,BasicAuth,BasicAuthRequireTLS,ExchangeServer -Bindings 10.1.1.1:25 -RemoteIPRanges 192.168.5.10,192.168.5.20
For detailed syntax and parameter information, see New-ReceiveConnector.
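Once the four Edge-side connectors exist, the settings that matter for security are spread across several objects: local bindings, remote IP ranges, permission groups, authentication mechanisms, smart host authentication and the accepted domains. The following script is an added example, not part of the original article: run in the Exchange Management Shell on the Edge Transport server, it audits those settings against the configuration described in the procedures above and prints a finding for each deviation. The three addresses at the top are assumptions drawn from the article's examples (the internal adapter address is invented, since the article reuses 10.1.1.1 for both adapters), and the helper functions ConvertTo-UInt32, Test-IPv4InRange and Resolve-Name are the example's own.

```powershell
# Added example, not part of the original article: audit the connectors on an Edge
# Transport server that was configured by hand, checking the properties this topic
# sets. Run in the Exchange Management Shell on the Edge Transport server. Written for
# the PowerShell 1.0 environment of Exchange 2007 (no try/catch, no -split, no -join).
# The three addresses are assumptions taken from the article's examples; use your own.
$ExternalIP = '10.1.1.1'                          # Internet-facing adapter
$InternalIP = '192.168.5.1'                       # adapter facing the Hub Transport servers (assumed)
$HubIPs     = @('192.168.5.10', '192.168.5.20')   # Hub Transport servers allowed to submit
$findings   = @()

function ConvertTo-UInt32([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}
# Handles the forms Exchange prints for RemoteIPRanges: single address, "low-high" or CIDR.
function Test-IPv4InRange([string]$ip, [string]$range) {
    $n = [uint64](ConvertTo-UInt32 $ip)
    if ($range -match '^([\d.]+)-([\d.]+)$') {
        return ($n -ge [uint64](ConvertTo-UInt32 $matches[1])) -and ($n -le [uint64](ConvertTo-UInt32 $matches[2]))
    }
    if ($range -match '^([\d.]+)/(\d+)$') {
        $size = [uint64][math]::Pow(2, 32 - [int]$matches[2])
        $base = [uint64](ConvertTo-UInt32 $matches[1])
        $net  = $base - ($base % $size)
        return ($n -ge $net) -and ($n -lt ($net + $size))
    }
    return $n -eq [uint64](ConvertTo-UInt32 $range)
}
function Resolve-Name([string]$name) {
    $addrs = @()
    trap { continue }          # an unresolvable name just yields an empty list
    $addrs = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.ToString() })
    return $addrs
}

foreach ($rc in Get-ReceiveConnector) {
    $name     = $rc.Name
    $bindings = @($rc.Bindings       | ForEach-Object { $_.ToString() })   # e.g. "10.1.1.1:25"
    $remote   = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $auth     = $rc.AuthMechanism.ToString()
    $anon     = $rc.PermissionGroups.ToString() -match 'Anonymous'

    if ($bindings -match '^(0\.0\.0\.0|\[::\]):') {
        $findings += "$name listens on all local addresses; bind it to one adapter so Internet and Hub traffic use separate connectors."
    }
    if ($anon) {
        # Internet-facing connector: external adapter only.
        if ($bindings -notcontains "$($ExternalIP):25") { $findings += "$name accepts anonymous mail but is not bound to $ExternalIP." }
        if ($bindings -contains "$($InternalIP):25")    { $findings += "$name accepts anonymous mail on the internal adapter $InternalIP." }
    } else {
        # Hub-facing connector: internal adapter, Hub addresses only, Basic authentication only under TLS.
        if ($bindings -notcontains "$($InternalIP):25") { $findings += "$name is not bound to the internal adapter $InternalIP." }
        if ($remote -contains '0.0.0.0-255.255.255.255') { $findings += "$name still accepts connections from every remote address." }
        foreach ($hub in $HubIPs) {
            $listed = $false
            foreach ($r in $remote) { if ($r -notmatch ':' -and (Test-IPv4InRange $hub $r)) { $listed = $true } }
            if (-not $listed) { $findings += "$name does not list Hub Transport server $hub in RemoteIPRanges." }
        }
        if ($auth -notmatch 'BasicAuthRequireTLS') { $findings += "$name does not require TLS for Basic authentication (AuthMechanism: $auth)." }
    }
}

# Without an Edge Subscription no accepted domains are synchronized; every address space the
# internal Send connector carries must also exist here, or inbound mail for it is rejected.
$accepted = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower().TrimStart('*.') })
foreach ($sc in Get-SendConnector | Where-Object { -not $_.DNSRoutingEnabled -and $_.SmartHosts.Count -gt 0 }) {
    $name = $sc.Name
    if ($sc.SmartHostAuthMechanism.ToString() -ne 'BasicAuthRequireTLS') {
        $findings += "$name uses smart host authentication '$($sc.SmartHostAuthMechanism)' instead of BasicAuthRequireTLS."
    }
    foreach ($sh in $sc.SmartHosts) {
        $target = $sh.ToString()                  # an IP smart host prints as "[10.1.1.1]"
        if ($target -match '^\[') { $findings += "$name smart host $target is an IP address; TLS name matching needs the Hub's FQDN."; continue }
        if ((Resolve-Name $target).Count -eq 0) { $findings += "$name smart host $target does not resolve from this server (check perimeter DNS or the Hosts file)." }
    }
    foreach ($as in $sc.AddressSpaces) {
        $domain = $as.Address.ToLower().TrimStart('*.')
        if ($domain -ne '' -and $accepted -notcontains $domain) {
            $findings += "$name routes $($as.Address) but no matching accepted domain exists on this Edge Transport server."
        }
    }
}

if ($findings.Count -eq 0) { "No findings: connectors match the manual Edge configuration." }
else { foreach ($f in $findings) { "FINDING: $f" } }
```

The anonymous permission group is used to tell the Internet-facing connector from the Hub-facing one, which is the distinction the procedures above rely on; a connector that has both Anonymous permission and a Hub address in its remote ranges is reported under the Internet-facing rules and should be split.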
Hub Transport Server Procedures
The following connector is required on the Hub Transport servers:
- A Send connector that is configured to send messages to the Edge Transport server in the perimeter network for relay to the Internet
By default, two Receive connectors are created during the installation of the Hub Transport server role. The connector named "Client ServerName" is configured to accept messages from all POP3 and IMAP messaging clients. The connector named "Default ServerName" is configured to accept messages from an Edge Transport server. No modifications to these connectors are required.
Creating a Send Connector That is Configured to Send Outgoing Messages to the Edge Transport Server
Before you begin this procedure, you must create a user account on the destination Edge Transport server that is a member of the local Administrators security group. This account is used by the Send connector on the Hub Transport server to authenticate to the destination Edge Transport server. Because the account holds local administrator rights on the Edge Transport server, give it a long, randomly generated password that is not used anywhere else, and store the credential only in the Send connector configuration.
This Send connector requires the following configuration:
- Usage type: Internal
- Address spaces: *
- Network settings:
  - IP address or FQDN of the Edge Transport server as a smart host
  - Smart host authentication setting: Basic Authentication over TLS
To use the Exchange Management Console to create a Send connector on a Hub Transport server that is configured to send outgoing messages to the Edge Transport server
-
Open the Exchange Management Console. In the console tree, expand Organization Configuration, select Hub Transport, and then in the work pane, click the Send Connectors tab.
-
In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
-
On the Introduction page, follow these steps:
- In the Name field, type a meaningful name for this connector, such as "To Edge".
- In the Select the intended use for this connector: field, select Internal.
- When you are finished, click Next.
-
On the Address space page, click Add. In the Add Address Space dialog box, enter *, and then click OK. When you are finished, click Next.
Note: In Exchange 2007 SP1, the dialog box is named SMTP Address Space.
-
On the Network settings page, follow these steps:
- Select Route mail through the following smart hosts, and then click Add.
- In the Add Smart Host dialog box, select Fully qualified domain name (FQDN), and enter the FQDN of the destination Edge Transport server. The Hub Transport server must be able to resolve the specified FQDN of the destination Edge Transport server. Click OK.
- When you are finished, click Next.
-
On the Configure smart host authentication settings page, select Basic Authentication and Basic Authentication over TLS. In the Username and Password fields, enter the credentials for the user account on the destination Edge Transport server. Click Next.
-
By default, the Source Server page lists the Hub Transport server on which you are performing this procedure. If you want to add more Hub Transport servers for fault tolerance, those Hub Transport servers must be configured as sources on the corresponding Receive connector on the Edge Transport server. To add more source servers, click Add. In the Select Hub Transport servers and Edge Subscriptions dialog box, select the Hub Transport servers that will be used as the source servers for sending messages to the Edge Transport server that you specified on the Network settings page. When you are finished adding additional source servers, click OK.
To add more source servers, click Add and repeat this step.
When you are finished, click Next.
-
On the New connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.
-
On the Completion page, click Finish.
Important: The specified Hub Transport servers must be able to resolve the name of the Edge Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Edge Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Edge Transport server.
To use the Exchange Management Shell to create a Send connector on a Hub Transport server that is configured to send outgoing messages to the Edge Transport server
-
Run the following command on the Hub Transport server:
$edgecred = get-credential
- In the dialog box that appears, enter the credentials for the user account on the Edge Transport server. Click OK.
-
Run the following command on the Hub Transport server:
New-SendConnector -Name <ConnectorName> -Usage Internal -AddressSpaces * -DNSRoutingEnabled $False -SmartHosts <EdgeServer> -SourceTransportServers <HubServer1,HubServer2...> -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $edgecred
For example, to create a new Send connector named "To Edge" that is sourced on the Hub Transport servers named "hub01.contoso.com" and "hub02.contoso.com" to the destination Edge Transport server named edge01.contoso.net, run the following command:
New-SendConnector -Name "To Edge" -Usage Internal -AddressSpaces * -DNSRoutingEnabled $False -SmartHosts edge01.contoso.net -SourceTransportServers hub01.contoso.com,hub02.contoso.com -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $edgecred
Important: The Hub Transport servers must be able to resolve the name of the Edge Transport server so that it exactly matches the FQDN that is specified in the SmartHosts parameter. This is the FQDN that is specified in the X.509 certificate that is installed on the destination Edge Transport server. It is also the FQDN that is specified in the Receive connector that is configured on the destination Edge Transport server.
For detailed syntax and parameter information, see New-SendConnector.
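The Important note above and the "Offer Basic authentication only after starting TLS" setting on the Edge Receive connector can both be verified from the Hub side without sending a password. The following script is an added example, not part of the original article: run on a Hub Transport server, it performs the same exchange the Send connector will, connecting to the smart host on TCP port 25, reading the EHLO response to confirm that STARTTLS is offered and that no AUTH mechanism is offered in the clear, starting TLS while validating the certificate against the smart host FQDN, and then confirming that AUTH LOGIN is offered inside the TLS session. The value of $SmartHost is an assumption taken from the article's example, and the functions Read-SmtpReply, Send-SmtpCommand and New-CrlfWriter are the example's own. It applies .NET's default certificate validation (chain and name), so a self-signed Edge certificate fails here unless it has been imported into the Hub's Trusted Root store; the example assumes that the Send connector's own check is at least that strict.

```powershell
# Added example, not part of the original article: probe the smart host the way the
# Hub's Send connector will. It connects on TCP 25, checks that STARTTLS is offered and
# that AUTH is not offered in the clear, starts TLS while validating the certificate
# against the smart host FQDN (which BasicAuthRequireTLS depends on), then checks that
# AUTH LOGIN is offered inside the TLS session. No credentials are sent.
# Run on a Hub Transport server. $SmartHost is an assumed value from the article's
# examples. Written for the PowerShell 1.0 environment of Exchange 2007 (no try/catch, no -join).
$SmartHost = 'edge01.contoso.net'
$Port      = 25

# Reads one SMTP reply; continuation lines have '-' after the three-digit code.
function Read-SmtpReply($reader) {
    $lines = @()
    do {
        $line = $reader.ReadLine()
        if ($line -eq $null) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Send-SmtpCommand($writer, $reader, [string]$cmd) {
    $writer.WriteLine($cmd)
    return Read-SmtpReply $reader
}

function New-CrlfWriter($stream) {
    $w = New-Object System.IO.StreamWriter($stream)
    $w.NewLine   = "`r`n"     # SMTP requires CRLF regardless of platform defaults
    $w.AutoFlush = $true
    return $w
}

# A failed TLS handshake is exactly the failure the Send connector would see.
trap [System.Security.Authentication.AuthenticationException] {
    "TLS handshake with '$SmartHost' failed: $($_.Exception.Message)"
    "The Edge certificate must contain this exact name and chain to a CA the Hub trusts"
    "(a self-signed Edge certificate must be imported into the Hub's Trusted Root store)."
    $tcp.Close()
    break
}

$tcp    = New-Object System.Net.Sockets.TcpClient($SmartHost, $Port)
$net    = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($net)
$writer = New-CrlfWriter $net

$banner = @(Read-SmtpReply $reader)
if ($banner[0] -notmatch '^220') { "Unexpected banner: " + [string]::Join(' ', $banner); $tcp.Close(); return }

$ehlo = @(Send-SmtpCommand $writer $reader "EHLO $env:COMPUTERNAME")
$startTlsOffered = [bool]($ehlo -match '^250[ -]STARTTLS')
$authInClear     = [bool]($ehlo -match '^250[ -]AUTH\b')
"STARTTLS offered before TLS   : $startTlsOffered"
"AUTH offered before TLS       : $authInClear  (expected False: Basic auth only after TLS)"
if (-not $startTlsOffered) { Send-SmtpCommand $writer $reader 'QUIT' | Out-Null; $tcp.Close(); return }

$ready = @(Send-SmtpCommand $writer $reader 'STARTTLS')
if ($ready[0] -notmatch '^220') { "STARTTLS refused: " + [string]::Join(' ', $ready); $tcp.Close(); return }

# Default validation checks the chain and that the certificate name matches $SmartHost.
$ssl = New-Object System.Net.Security.SslStream($net, $false)
$ssl.AuthenticateAsClient($SmartHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"TLS established               : {0}, {1} {2}-bit" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
"Server certificate            : {0}, expires {1}" -f $cert.Subject, $cert.NotAfter

$sreader = New-Object System.IO.StreamReader($ssl)
$swriter = New-CrlfWriter $ssl
$ehlo2 = @(Send-SmtpCommand $swriter $sreader "EHLO $env:COMPUTERNAME")
$authInTls = [bool]($ehlo2 -match '^250[ -]AUTH\b.*\bLOGIN\b')
"AUTH LOGIN offered inside TLS : $authInTls  (expected True for BasicAuthRequireTLS)"
Send-SmtpCommand $swriter $sreader 'QUIT' | Out-Null
$tcp.Close()
```

The same probe, run on the Edge Transport server with $SmartHost set to a Hub Transport server's FQDN, checks the reverse direction used by the Edge's "To Internal Org" Send connector. If the first EHLO shows AUTH offered before TLS, the Receive connector at the far end still permits Basic authentication on the clear-text session and its AuthMechanism should include BasicAuthRequireTLS.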
For More Information
For more information, see the following topics: