Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-08-27

This topic explains how to deploy and configure an Edge Transport server to act as a smart host and Simple Mail Transfer Protocol (SMTP) relay server in the perimeter network of an existing Microsoft Exchange Server 2003 organization. An Edge Transport server can also provide anti-spam, antivirus, and transport rules processing for an existing Exchange organization.

Note:
This topic also applies to existing Microsoft Exchange 2000 Server organizations.
Note:
In the scenario that is described in this topic, no computers that are running Microsoft Exchange Server 2007 have yet been deployed in the Exchange organization. This limits the available features on the Edge Transport server because you can't use any of the features that rely on Edge Subscriptions. The features that rely on Edge Subscriptions are recipient lookup, safelist aggregation, and domain security. If you want to create an Edge Subscription, you must deploy at least one Exchange 2007 Hub Transport server in the Exchange organization and configure the organization for coexistence. For more information, see Coexisting with Exchange Server 2003 and Exchange 2000 Server and Subscribing the Edge Transport Server to the Exchange Organization.

Procedure Overview

The deployment of an Edge Transport server to support an existing Exchange 2003 organization can be broken down into the following three steps:

  1. Deploy the Edge Transport server in the perimeter network. To deploy the Edge Transport server, follow the procedures in the topic How to Perform a Custom Installation Using Exchange Server 2007 Setup.

  2. Configure mail flow between the Edge Transport server and the Internet and between the Edge Transport server and the Exchange organization. This topic provides detailed steps for configuring the required connectors for this scenario. However, this topic doesn't provide detailed steps on how to redirect SMTP traffic from the Internet to your Edge Transport server. For more information about that process, see Adding an Edge Transport Server to an Existing Exchange 2003 Organization. You configure the following connectors to enable end-to-end mail flow:

    1. A Send connector from the Edge Transport server to the Internet

    2. A Send connector from the Edge Transport server to the Exchange organization

    3. A Receive connector on the Edge Transport server that accepts connections from only the Exchange organization

    4. An SMTP Send connector from the Exchange organization to the Edge Transport server

    The default Receive connector on the Edge Transport server is configured to allow anonymous connections from the Internet and requires no configuration changes. The SMTP virtual server on the Exchange 2003 bridgehead server must be configured to enable the authentication mechanism used by the Edge Transport server. You can use either Basic authentication or Anonymous access. If you use Anonymous access, you must also modify the Exchange 2003 registry to allow anonymous receipt of XExch50 data. The XExch50 data contains important information such as the spam confidence level (SCL) for a message.

  3. Configure the Edge Transport server to perform antivirus and anti-spam processing and to apply transport rules. To configure these features on the Edge Transport server, follow the procedures specific to each feature. For more information, see the following topics:

Before You Begin

To deploy the Exchange 2007 Edge Transport server to support an existing Exchange organization, you must perform the following tasks:

  • Configure accepted domains on the Edge Transport server. You will create an accepted domain entry for each SMTP domain for which the Exchange organization receives e-mail. For more information about this step, see Managing Accepted Domains.

  • Verify the configuration of the Domain Name System (DNS) mail exchange (MX) resource record for those domains and make any changes that may be needed so that e-mail to your accepted domains is directed to the Edge Transport server.

  • Determine the authentication method that will be used to help secure the connection between the Edge Transport server and the Exchange organization. We recommend that you use Basic authentication over TLS. Alternatively, you can decide to use Externally Secured as your authentication mechanism. This authentication mechanism relies on network security, such as IPsec or a VPN, to help secure the connection. For more information about the authentication methods that are available, see Exchange 2007 Transport Permissions Model.

    If you use Basic authentication over TLS to help secure the connectors between the Edge Transport server and the Exchange organization, the authenticating server must have a server certificate installed. If the Exchange 2007 Send connector is configured to use Basic authentication over TLS or to use Basic authentication with the RequireTLS parameter set to $True, the Exchange 2003 server must advertise the correct certificate before authentication can occur. You can verify that a certificate has been imported to the Exchange 2003 SMTP Virtual Server by viewing the properties of the virtual server. To view or import a server certificate, select the Access tab and then click Certificate. For more information about how to use server certificates, see SMTP TLS Certificate Selection.

To perform the following procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

To perform the following procedures on a computer that has Exchange 2003 installed, you must log on by using an account that has been delegated the Exchange Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Procedure

Use the procedures in this section to configure the Edge Transport server as a smart host and SMTP relay server for an existing Exchange 2003 organization. In each procedure, follow the steps that enable the authentication method that you want to use to configure the connectors between the Edge Transport server and the Exchange organization.

Configuring a Send Connector from the Edge Transport Server to the Internet

To use the Exchange Management Console to create the Send connector from the Edge Transport server to the Internet

  1. On the computer that has the Edge Transport server role installed, open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.

  2. In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.

  3. On the Introduction page, follow these steps:

    1. In the Name: field, type a meaningful name for this connector. This name is used to identify the connector.

    2. In the Select the intended use for this connector: field, select the Internet usage type for the connector. By default, this connector will be configured to use DNS MX records to route e-mail.

    Click Next.

  4. On the Address space page, click Add. In the Add Address Space dialog box, enter * and then click OK. Click Next.

  5. On the Network settings page, the option to Use domain name system (DNS) "MX" records to route mail automatically is selected. If this is the correct setting, click Next. If you must route mail through a smart host, such as a server hosted by your Internet service provider (ISP), select Route mail through the following smart hosts: and then click Add. In the Add smart host dialog box, enter the smart host server's fully-qualified domain name (FQDN) or IP address, and then click OK. Click Next. On the Configure smart host authentication settings page, select the authentication method that is used to authenticate with your ISP. Click Next.

  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.

  7. On the Completion page, click Finish.

To use the Exchange Management Shell to create the Send connector from the Edge Transport server to the Internet

  • Run the following command:

    New-SendConnector -Name <"Connector Name"> -AddressSpaces * -Usage Internet -DNSRoutingEnabled $true

For detailed syntax and parameter information, see New-SendConnector.

Configuring Connectors to Enable Mail Flow from the Edge Transport Server to the Exchange 2003 Organization

Perform one of the following procedures to configure the connectors that enable mail flow from the Edge Transport server to the Exchange 2003 organization. Follow the procedure that enables your desired authentication method.

To configure the connector from the Edge Transport server to the Exchange 2003 organization to use Basic authentication over TLS

  1. Create the credentials that are used by the Edge Transport server to authenticate to the Exchange 2003 server. Create a user account in the Active Directory directory service that services the Exchange organization. Add the user account to the Exchange Domain Servers security group.

    Important:
    This account is granted the permissions and rights that are assigned to Exchange servers. Make sure that you safeguard the account credentials to prevent misuse of the account. You can configure the account to enable logon to specific computers only.
  2. On the Exchange 2003 server or servers that will receive messages from the Edge Transport server, verify that the SMTP virtual server is configured to enable Basic authentication over TLS.

    1. Open Exchange System Manager. Expand the Servers node. Expand the desired server. Expand the Protocols node. Expand SMTP. Right-click Default SMTP Virtual Server, and select Properties.

    2. Click the Access tab and then click Authentication.

    3. In the Authentication dialog box, select Basic authentication (password is sent in clear text) and Requires TLS encryption. Click OK.

    4. Click OK to close Default SMTP Virtual Server Properties.

  3. Create a Send connector from the Edge Transport server to the Exchange 2003 organization. You can create this Send connector by using the Exchange Management Console or the Exchange Management Shell.

    To create a Send connector by using the Exchange Management Console, follow these steps:

    1. On the Edge Transport server, open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.

    2. In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.

    3. On the Introduction page, follow these steps:

      i. In the Name: field, type a meaningful name for this connector.

      ii. In the Select the intended use for this connector: field, select Internal, and then click Next.

    4. On the Address space page, click Add. In the Add Address Space dialog box, enter --. The -- character is a placeholder that represents all authoritative and internal relay domains in your accepted domains configuration. Alternatively, you can list each domain as a separate entry. If you list each accepted domain as a separate entry, you can also select the Include all subdomains check box. Click OK to close the Add Address Space dialog box, and then click Next.

    5. On the Network settings page, select Route mail through the following smart hosts, and then click Add.

    6. In the Add smart host dialog box, select either IP Address or Fully qualified domain name (FQDN). Enter the IP address or the FQDN of the Exchange 2003 bridgehead server that will receive messages from the Edge Transport server. Click OK. To specify more than one bridgehead server as a smart host, click Add and repeat this step. If you configure more than one bridgehead server as a smart host, the connections from the Edge Transport server will be load-balanced between the smart hosts. After you have entered all smart hosts, click Next.

    7. On the Configure smart host authentication settings page, select Basic Authentication and Basic Authentication over TLS. In the User name and Password fields, enter the credentials for the user account that you created in step 1 of this procedure. Use the domain\user format or user principal name (UPN) format to enter the user name. Type the password for the account in the password field. Click Next.

    8. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.

    9. On the Completion page, click Finish.

    To create a Send connector by using the Exchange Management Shell, run the following command on the Edge Transport server:

    $mycred = get-credential

    1. In the dialog box that appears, enter the credentials for the user account you created in step 1 of this procedure. Use the domain\user format or UPN format to enter the user name and then provide the user's password. Click OK.

    2. Run the following command on the Edge Transport server:

      New-SendConnector -Name <"Connector Name"> -Usage Internal -AddressSpaces "--" -DNSRoutingEnabled $false -SmartHosts <Server1, Server2...> -SmartHostAuthMechanism BasicAuthRequireTLS -AuthenticationCredential $mycred

  4. On the Edge Transport server, run the following command in the Exchange Management Shell to grant the permissions that are required to enable transmission of XExch50 data from the Edge Transport server to the Exchange 2003 server:

    Add-AdPermission -Identity <"Send Connector Name"> -User "NT Authority\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Send-Exch50

To configure the connector from the Edge Transport server to the Exchange 2003 organization to use Anonymous access

  1. On the Exchange 2003 server or servers that will receive messages from the Edge Transport server, verify that the SMTP virtual server is configured to enable Anonymous access.

    1. Open Exchange System Manager. Expand the Servers node. Expand the desired server. Expand the Protocols node. Expand SMTP. Right-click Default SMTP Virtual Server and select Properties.

    2. Click the Access tab and then click Authentication.

    3. On the Authentication dialog box, select Anonymous access. Click OK.

  2. Configure the relay restriction for the Exchange 2003 server to enable only the Edge Transport server to relay through this virtual server:

    1. On the Access tab of Default SMTP Virtual Server Properties, click Relay.

    2. On the Relay Restrictions dialog box, select Only the list below, and then click Add.

    3. On the Computer dialog box, select Single computer to specify a single IP address, or select Group of computers to specify an IP address range. Click OK.

    4. On the Relay Restrictions dialog box, verify that the check box Allow all computers which successfully authenticate to relay, regardless of the list above is selected. Click OK.

    5. Click OK to close the Default SMTP Virtual Server Properties.

  3. Follow these steps to modify the registry settings on the Exchange 2003 bridgehead server to enable the Exchange 2003 server to send and receive XExch50 properties anonymously:

    Caution:
    Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems that result from editing the registry incorrectly may not be resolvable. Before editing the registry, back up any valuable data.
    1. Open Registry Editor.

    2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\XEXCH50

    3. Right-click XEXCH50 and select New | DWORD Value. Type SuppressExternal for the value name. By default, the value data is 0. This indicates that the XEXCH50 properties are transmitted to the remote server anonymously.

    4. Right-click XEXCH50 and select New | Key. Type the number of the SMTP virtual server instance as the key value. For example, the default virtual server instance is 1, and the second SMTP virtual server created on a server is 2.

    5. Right-click the key that you just created, point to New, and then click DWORD Value.

    6. In the details pane, type Exch50AuthCheckEnabled for the value name. By default, the value data is 0. This indicates that the XEXCH50 properties are transmitted when e-mail is sent anonymously.

  4. Create a Send connector from the Edge Transport server to the Exchange 2003 organization. You can create this Send connector by using the Exchange Management Console or the Exchange Management Shell.

    To create a Send connector by using the Exchange Management Console, follow these steps:

    1. On the Edge Transport server, open the Exchange Management Console. Select Edge Transport, and then in the work pane, click the Send Connectors tab.

    2. In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.

    3. On the Introduction page, follow these steps:

      i. In the Name: field, type a meaningful name for this connector.

      ii. In the Select the intended use for this connector: field, select Internal, and then click Next.

    4. On the Address space page, click Add. In the Add Address Space dialog box, enter --. The -- character is a placeholder that represents all authoritative and internal relay domains in your accepted domains configuration. Alternatively, you can list each domain as a separate entry. If you list each accepted domain as a separate entry, you can also select the Include all subdomains check box. Click OK to close the Add Address Space dialog box, and then click Next.

    5. On the Network settings page, select Route mail through the following smart hosts:, and then click Add.

    6. In the Add smart host dialog box, select either IP Address or Fully qualified domain name (FQDN). Enter the IP address or the FQDN of the Exchange 2003 bridgehead server that will receive messages from the Edge Transport server. Click OK. To specify more than one bridgehead server as a smart host, click Add and repeat this step. If you configure more than one bridgehead server as a smart host, the connections from the Edge Transport server will be load-balanced between the smart hosts. When all smart hosts are entered, click Next.

    7. On the Configure smart host authentication settings page, select Externally Secured (for example with IPsec). Click Next.

    8. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Send connector by using the settings in the configuration summary, click New.

    9. On the Completion page, click Finish.

    To create a Send connector by using the Exchange Management Shell, run the following command on the Edge Transport server:

    New-SendConnector -Name <"Connector Name"> -Usage Internal -AddressSpaces "--" -SmartHosts <Server1, Server2...> -SmartHostAuthMechanism ExternalAuthoritative -DNSRoutingEnabled $False

  5. On the Edge Transport server, run the following command in the Exchange Management Shell to grant the permissions that are required to enable transmission of XExch50 data from the Edge Transport server to the Exchange 2003 server:

    Add-AdPermission -Identity <"Send Connector Name"> -User "NT Authority\Anonymous Logon" -ExtendedRights ms-Exch-SMTP-Send-Exch50

Configuring Connectors to Enable Mail Flow from the Exchange 2003 Organization to the Edge Transport Server

Perform one of the following procedures to configure the connectors that enable mail flow from the Exchange 2003 organization to the Edge Transport server. Follow the procedure that enables your desired authentication method.

To configure the connector from the Exchange 2003 organization to the Edge Transport server to use Basic authentication over TLS

  1. On the Edge Transport server, create the credentials that are used by the Exchange 2003 server to authenticate to the Edge Transport server. Create a user account in the Users folder in the Local Users and Groups container on the Edge Transport server. In this example, the account name is Edge\Contoso.

  2. Create a Receive connector from the Edge Transport server that accepts connections from only the Exchange 2003 server. You can create this Receive connector by using the Exchange Management Console or the Exchange Management Shell.

    To create a Receive connector by using the Exchange Management Console, follow these steps:

    1. Open the Exchange Management Console. In the console tree, click Edge Transport, and then in the work pane, click the Receive Connectors tab. In the action pane, click New Receive Connector.

    2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

    3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    4. On the Remote Network settings page, delete the default entry that covers all network ranges, and then click Add.

    5. In the Add IP Address(es) of Remote Servers dialog box, type the IP addresses of the Exchange 2003 bridgehead servers that will relay messages to the Edge Transport server, click OK, and then click Next.

    6. On the New Connector page, click New, and then on the Completion page, click Finish.

    7. Modify the authentication method that is used for this Receive connector. In the task pane, select the Receive connector that you want to modify, and then in the action pane, click Properties. Click the Authentication tab. Select Basic Authentication and Offer Basic authentication only after starting TLS. Click OK.

    To create a Receive connector by using the Exchange Management Shell, run the following command on the Edge Transport server:

    New-ReceiveConnector -Name <"Connector Name"> -Usage Internal -RemoteIPRanges <IP address of Exchange 2003 server> -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS -Bindings 0.0.0.0:25

  3. On the Edge Transport server, run the following command in the Exchange Management Shell to grant permissions on the new Receive connector to the local user account you created in step 1:

    Add-AdPermission -Identity "Receive Connector Name" -User Edge\Contoso -ExtendedRights ms-Exch-SMTP-Submit,ms-Exch-Accept-Headers-Routing,ms-Exch-SMTP-Accept-Any-Recipient,ms-Exch-SMTP-Accept-Authoritative-Domain-Sender

    Important:
    This account is granted the permissions that enable it to relay messages through the Edge Transport server. Make sure that you safeguard the account credentials to prevent misuse of the account.
  4. On the Exchange 2003 server, follow these steps to create an SMTP connector that is configured to relay all Internet e-mail through the Edge Transport server and use Basic authentication over TLS to help secure the connection:

    1. Open Exchange System Manager. Right-click the Connectors container that is located in the routing group where the server that will host this connector resides, select New, and then select SMTP Connector.

      Note:
      If no routing groups are displayed in Exchange System Manager, right-click the Exchange organization container, select Properties, and then select the Display routing groups check box.
    2. Select the General tab. In the Name field, type a unique name for the connector.

    3. Select Forward all mail through this connector to the following smart hosts, and type the IP address or FQDN of the Edge Transport server. If you enter an IP address, it must be enclosed in brackets as follows, for example: [192.168.1.1].

    4. Click Add to add a local bridgehead server. In the Add Bridgehead dialog box, select one or more Exchange 2003 servers.

    5. Select the Address Space tab, and then click Add to create an address space. In the Add Address Space dialog box, select SMTP, and then click OK.

    6. On the Internet Address Space Properties page, enter *, and then click OK.

    7. Select the Advanced tab, and then click Outbound Security. In the Outbound Security dialog box, select Basic Authentication, and then click Modify.

    8. In the Outbound Connection Credentials dialog box, enter the user name for the local user account that you created on the Edge Transport server, enter the password for the account, and then click OK.

    9. On the Outbound Security dialog box, select TLS encryption. Click OK to close the Outbound Security dialog box. Click OK.

To configure the connector from the Exchange 2003 organization to the Edge Transport server and enable anonymous access

  1. Create a Receive connector on the Edge Transport server that accepts connections from only the Exchange 2003 server. You can create this Receive connector by using the Exchange Management Console or the Exchange Management Shell.

    To create a Receive connector on the Edge Transport server by using the Exchange Management Console, follow these steps:

    1. Open the Exchange Management Console. In the console tree, click Edge Transport, and then in the work pane, click the Receive Connectors tab. In the action pane, click New Receive Connector.

    2. On the New SMTP Receive Connector wizard Introduction page, in the Name field, type a unique name for the connector.

    3. From the Select the intended use for this connector drop-down list, select Internal, and then click Next.

    4. On the Remote Network settings page, delete the default entry that covers all network ranges, and then click Add.

    5. In the Add IP Address(es) of Remote Servers dialog box, type the IP addresses of the Exchange 2003 bridgehead servers that will relay messages to the Edge Transport server, click OK, and then click Next.

    6. On the New Connector page, click New, and then on the Completion page, click Finish.

    7. Modify the authentication method that is used for this Receive connector. In the task pane, select the Receive connector that you want to modify, and then in the action pane, click Properties. Click the Authentication tab. Clear the check boxes for Transport Layer Security (TLS) and Exchange Server authentication, select Externally Secured (for example with IPsec), and then click OK.

    To create a Receive connector on the Edge Transport server by using the Exchange Management Shell, run the following command on the Edge Transport server:

    New-ReceiveConnector -Name <"Connector Name"> -Usage Internal -RemoteIPRanges <IP address of Exchange 2003 server> -AuthMechanism ExternalAuthoritative -Bindings 0.0.0.0:25

    Important:
    This Receive connector enables all connections from the specified remote IP range to relay messages through the Edge Transport server. Make sure that a trusted network connection exists between the Edge Transport server and the Exchange organization.
  2. On the Exchange 2003 server, follow these steps to create an SMTP connector that is configured to relay all Internet e-mail through the Edge Transport server:

    1. Open Exchange System Manager. Right-click the Connectors container that is located in the routing group where the server that will host this connector resides, select New, and then select SMTP Connector.

      Note:
      If no routing groups are displayed in Exchange System Manager, right-click the Exchange organization container, select Properties, and then select the Display routing groups check box.
    2. Select the General tab. In the Name field, type a unique name for the connector.

    3. Select Forward all mail through this connector to the following smart hosts, and type the IP address or FQDN of the Edge Transport server. If you enter an IP address, it must be enclosed in brackets as follows, for example: [192.168.1.1].

    4. Click Add to add a local bridgehead server. In the Add Bridgehead dialog box, select one or more Exchange 2003 servers.

    5. Select the Address Space tab, and then click Add to create an address space. In the Add Address Space dialog box, select SMTP, and then click OK.

    6. On the Internet Address Space Properties page, enter *, and then click OK.

    7. Click OK to close the SMTP connector properties page.

For more information about how to test the connectivity between the Exchange servers, see How to Use Telnet to Test SMTP Communication. You can use SMTP protocol logging to verify that XExch50 data is received by the Exchange 2003 organization.
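The Important notes in the two Receive connector procedures above warn that a connector which trusts an unrestricted remote range, or which grants relay rights to anonymous connections, turns the Edge Transport server into an open relay. The following script is an added example, not part of this topic or of Exchange itself, that audits the connectors created by these procedures from the Exchange Management Shell on the Edge Transport server. The connector names it uses are assumed placeholders; it reads only the cmdlets and properties the procedures above already rely on.

```powershell
# Added example (not from the original topic): audit the Edge Transport connectors
# created by the procedures above for the relay exposure called out in the
# Important notes. Run from the Exchange Management Shell on the Edge Transport server.
# The two connector names are assumptions; replace them with the names you chose.

$InboundFromOrgConnector = "From Exchange 2003"   # Receive connector for the bridgeheads (assumed name)
$OutboundToOrgConnector  = "To Exchange 2003"     # Send connector to the bridgeheads (assumed name)
$AllRanges = "0.0.0.0-255.255.255.255"            # the default entry the wizard adds

function Test-EdgeReceiveConnector {
    param([string]$Name)
    $rc = Get-ReceiveConnector -Identity $Name
    $findings = @()

    # The connector for the bridgeheads must list only their addresses.
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    if ($ranges -contains $AllRanges) {
        $findings += "RemoteIPRanges still contains $AllRanges; restrict it to the bridgehead addresses."
    }

    # Externally Secured trusts every host in RemoteIPRanges as an Exchange server, so
    # combining it with an unrestricted range relays for any host that can reach port 25.
    $auth = $rc.AuthMechanism.ToString()
    if ($auth -match "ExternalAuthoritative" -and $ranges -contains $AllRanges) {
        $findings += "ExternalAuthoritative with an unrestricted range relays for any host."
    }
    if ($auth -notmatch "ExternalAuthoritative" -and $auth -notmatch "BasicAuthRequireTLS") {
        $findings += "AuthMechanism is '$auth'; expected BasicAuthRequireTLS or ExternalAuthoritative."
    }

    # Accept-Any-Recipient is the right that permits relay; Anonymous Logon must never hold it.
    $aces = Get-AdPermission -Identity $rc.Identity | Where-Object { -not $_.Deny -and $_.ExtendedRights }
    foreach ($ace in $aces) {
        $rights = @($ace.ExtendedRights | ForEach-Object { $_.ToString() })
        if ($rights -contains "ms-Exch-SMTP-Accept-Any-Recipient" -and $ace.User.ToString() -like "*Anonymous Logon*") {
            $findings += "Anonymous Logon holds ms-Exch-SMTP-Accept-Any-Recipient on this connector."
        }
    }
    return $findings
}

function Test-EdgeSendConnector {
    param([string]$Name)
    $sc = Get-SendConnector -Identity $Name
    $findings = @()

    # Mail for the organization must go to the configured smart hosts, not to public MX records.
    if ($sc.DNSRoutingEnabled -or $sc.SmartHosts.Count -eq 0) {
        $findings += "Connector routes by DNS or has no smart hosts; mail will not reach the bridgeheads."
    }

    # Plain BasicAuth would send the Exchange Domain Servers account password in clear text.
    $auth = $sc.SmartHostAuthMechanism.ToString()
    if ($auth -ne "BasicAuthRequireTLS" -and $auth -ne "ExternalAuthoritative") {
        $findings += "SmartHostAuthMechanism is '$auth'; expected BasicAuthRequireTLS or ExternalAuthoritative."
    }
    return $findings
}

function Write-Findings {
    param([string]$Label, [string[]]$Findings)
    Write-Host "$Label"
    if ($Findings.Count -eq 0) { Write-Host "  OK" }
    else { $Findings | ForEach-Object { Write-Host "  WARN: $_" } }
}

Write-Findings "Receive connector '$InboundFromOrgConnector':" (Test-EdgeReceiveConnector -Name $InboundFromOrgConnector)
Write-Findings "Send connector '$OutboundToOrgConnector':" (Test-EdgeSendConnector -Name $OutboundToOrgConnector)
```

Run it again after any change to the connectors; a WARN line on the Receive connector should be treated as an open-relay condition until the range or the permission entry is corrected.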

For More Information