Installing an Exchange Server 2013 Edge Transport Server

The Exchange Server 2013 Edge Transport role can be installed on the same server operating systems as other Exchange 2013 server roles – Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

For this demonstration I will be installing on a Windows Server 2012 R2 server.

Preparing to Install Exchange Server 2013 Edge Transport

After installing the operating system, configure an IP address and any static routes that may be required, and give the server a name (as well as a DNS suffix).

The server does not need to be a domain member.

There are two important DNS requirements:

  1. The Edge Transport server must be able to resolve the Mailbox server names in DNS. An easy way to achieve this is to point the DNS client configuration on the Edge server to your internal DNS servers (this may require opening a firewall port).
  2. The internal Mailbox servers must be able to resolve the Edge Transport server in DNS. You may need to manually register a DNS record on your internal DNS servers for this.

There are also some firewall ports to open:

  • Port TCP 25 (SMTP) inbound/outbound between the internet and the Edge Transport server
  • Port TCP 25 (SMTP) inbound/outbound between the Edge Transport server and the internal network
  • Port TCP 50636 from the internal network to the Edge Transport server for EdgeSync

The only pre-requisite feature/role is the Active Directory Lightweight Directory Service.

Installing Exchange Server 2013 Edge Transport Role

Download the Exchange Server 2013 setup files (Service Pack 1 or later) to the server and run the following command from an elevated command prompt to perform the install.
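
An added example, not the original article's listing: a PowerShell pre-flight script for the preparation steps above (DNS suffix, DNS resolution of the Mailbox servers, SMTP reachability, the AD LDS feature), followed by the unattended setup call for the Edge Transport role. The Mailbox server names and the `D:\Setup.exe` path are placeholders assumed for illustration.

```powershell
# Added example: pre-flight checks and unattended install for an Edge Transport server.
# Host names and the setup path are placeholders; replace them with your own.
$MailboxServers = @('mbx1.corp.example.com', 'mbx2.corp.example.com')  # assumed names
$SetupPath      = 'D:\Setup.exe'                                        # assumed media location

$problems = @()

# The server needs a primary DNS suffix so that it has a fully qualified name.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
if ([string]::IsNullOrEmpty($ipProps.DomainName)) {
    $problems += 'No primary DNS suffix is configured on this server.'
}

foreach ($server in $MailboxServers) {
    # DNS requirement 1: the Edge server must resolve each Mailbox server name.
    try {
        Resolve-DnsName -Name $server -ErrorAction Stop | Out-Null
    } catch {
        $problems += "Cannot resolve $server in DNS."
        continue
    }
    # Firewall: SMTP (TCP 25) from the Edge server to the internal network.
    $smtp = Test-NetConnection -ComputerName $server -Port 25 -WarningAction SilentlyContinue
    if (-not $smtp.TcpTestSucceeded) {
        $problems += "TCP 25 to $server is blocked or not answering."
    }
}

# TCP 50636 (EdgeSync) is inbound to this server from the internal network and
# nothing listens on it until setup has run, so test it later from a Mailbox server.

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; fix the items above before running setup.'
}

# Only prerequisite: Active Directory Lightweight Directory Services.
if (-not (Get-WindowsFeature -Name ADLDS).Installed) {
    Install-WindowsFeature -Name ADLDS | Out-Null
}

# Unattended install of the Edge Transport role (run elevated; reboot afterwards).
& $SetupPath /Mode:Install /Role:EdgeTransport /IAcceptExchangeServerLicenseTerms
if ($LASTEXITCODE -ne 0) { throw "Exchange setup exited with code $LASTEXITCODE." }
```

DNS requirement 2 (the internal Mailbox servers resolving the Edge server) has to be checked from the internal side, for example with `Resolve-DnsName` run on a Mailbox server.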

A reboot is required after setup completes.

After installing the Edge Transport server you can configure an Edge Subscription to establish inbound and outbound mail flow.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

68 comments

  1. Rob says:

    This is probably a stupid question but I cannot find any documentation to definitively answer this.

    We have a pure Exchange 2010 Org. We will be deploying Exchange 2013 Edge Transport servers now (ahead of our 2013 Org upgrade).

    In this scenario is an AD schema update required? (I am assuming not but trying to make sure)

  2. Rani Singh says:

    I hope we can use existing 2010 Edge transport role if we are upgrading to 2013 server. In this case installing 2013 Edge transport server is not needed. Correct me if I am wrong.

  3. wagdi says:

    I’ve read a lot of scenarios about installing Exchange 2013 and none of them talks about Edge Transport. And when I install the Exchange 2013 standard software there are only two roles that can be installed (Mailbox & Client Access). My question is: from where can I install the Edge Transport role, can I install it on the same server as the previous roles (I have only 60 mailboxes), and finally, is this role optional or mandatory?

    • It is an optional role, introduced in Service Pack 1. If you don’t see it in setup then you’re installing a build that is older than Service Pack 1, which I do not recommend doing. The latest build at this time is Cumulative Update 6.

      • wagdi says:

        Dear Paul
        Thanks for your response, thank you very much
        Yes, I have installed the old version of Exchange 2013 and then installed the CU6 as update. I will try to complete the server settings without installing Edge Transport since it is an optional role. I have some problems with SAN certificate and connection between Exchange server and Outlook. I’ll be back to ask for your help in these matters.
        thanks for your cooperation

  4. Robert says:

    Paul,

    Does the Malware Agent work on the Edge Transport server role? Or is that agent only available on the MBX server roles?

    Thanks,

    Robert

  5. Germán says:

    Paul,

    I have a question and I hope that you can help me:

    I am planning to migrate Exchange 2010 to Exchange 2013, but I do not find information about the order of installation of the roles “Mailbox”, “Client Access” and “Edge”. I have three servers, one for each role, but is the order of installation important? If so, then what is the order of installation?

  6. Tom Hutchins says:

    Paul, is it normal practice to install the EDGE server and Exchange 2013 on the same server? Are there any known issues if we do that? We are upgrading to EX2013 from 2007 and previously we used a POPcon server on a separate box. Also I’m planning on virtualizing these systems.

      • Tom Hutchins says:

        Thanks Paul. So you’re saying don’t have the Exchange server (CAS …) running on the same ESX host as the Edge transport? Main issue I’m looking at is to have the EDGE transport isolated from the system, like on its own DMZ.

        • No I’m not referring to virtualization/hypervisor hosts. How you virtualize your servers is up to you, as long as you stay within the supported guidelines.

          I’m referring to installing the Edge role on its own dedicated Windows server. It can’t co-exist on the same server with any other Exchange roles.

  7. Rocky says:

    Company has on-premise Exchange 2013 DAG and is planning to go to Office 365 (EOP). Our outbound SMTP traffic goes through our Cisco Virtual Email Security Appliance (aka IronPort). Just to confirm, if we set up the hybrid architecture, will mail flow not work through the Cisco appliance? Will an edge transport server be required?

    • Mail flow between Office 365 and your on-prem servers in a Hybrid configuration can’t go through a non-Exchange server/system.

      It can go through an Edge Transport, but that is optional. You can still do Hybrid without Edge.

      Your inbound/outbound email to the rest of the world can still go via the Ironport.

      • cazz says:

        We have a similar configuration as Rocky does above, except with Exchange 2010 DAG + 3 CAS/Hub Transport servers in front. All Internet traffic goes through our Cisco Ironport. We are just starting our planning to move to O365 this year.

        What would be the advantage of doing Hybrid with Exchange 2013 Edge Transport to handle traffic to/from MS O365?

  8. Jeremy D says:

    Hi Paul, in EAC, under servers > servers, when I click on our edge server and then click the edit button, I get “An error occurred while accessing the registry on the server “ServerName”. The error that occurred is: “Attempted to perform an unauthorized operation.””

    The edge server is a standalone server and we have opened up TCP 445 and 135.
    Remote registry is enabled and working. Is this meant to happen or is there something that I have missed?

  9. Mike says:

    Do you know for licensing. If we have 2 Enterprise servers behind the firewall and then we implement the edge server outside the DMZ, does it also need to be Enterprise or will Standard work?

    Thanks for the help!

    • The only difference between Standard and Enterprise is the number of mailbox databases it can host. Edge Transport doesn’t host any databases, therefore there is no benefit to using an Enterprise license for it. Standard will work fine.

  10. Ernie Crawford says:

    Hi Paul,
    I recently installed an Edge Transport server for integration with O365. I am planning to upgrade my Exchange environment from CU6 to CU8. Is there anything special I need to do on the edge server for the upgrade?

  11. Andy Miller says:

    Hi Paul

    I have just installed 4 2013 Edge servers as part of an upgrade from Exchange 2007 to 2013 and all seems to have gone well so far. The 2013 Edge servers are going through acceptance testing at the moment before they are put into production and we have noticed the following:

    The “Microsoft Exchange Health Manager” service is set to “Automatic” but will not start and writes the following to the system log “The Microsoft Exchange Health Manager service depends on the following service: MSExchangeADTopology. This service might not be installed.”

    Running the “Test-ServiceHealth” shows all the required services are running and obviously the MSExchangeADTopology service is not installed. So do you know if I can just set the “Health Manager” service to disabled or manual to get rid of the error in the system log?

    Cheers
    Andy

  12. Simon M says:

    Hi Paul,

    Thanks for providing an excellent set of articles on Edge servers!

    One question I can’t find answered anywhere: does an Exchange 2013 Edge Transport server require a full Exchange Server license (even though it’s not hosting any mailboxes)?

    Thanks

    Simon.

  13. Jay says:

    Paul,

    Awesome article. Thank you. I do have a question. We have an Exchange 3013 hybrid configuration with Office 365 and route our mail through EOP.

    Most of our mailboxes are still on-premises. In the event that Office 365 went down, we would want to ensure that the business can continue to send and receive messages.

    Would it be possible to build an Edge transport server, and not give it an edge subscription? I ask because we would want to use it as a fail safe in the event mail flow went down in Office 365.

    Could we configure the edge subscription, and then change the mx record to route mail to our Edge transport server until Office 365 was restored?

    I guess I’m asking if Exchange will be upset if we build an edge transport server with no edge subscription, and then turn it off so it isn’t being used until necessary. Does that make sense?

    • You don’t need an Edge Transport to receive email on-prem, you can just point your MX at your on-prem firewall and NAT the SMTP port (TCP 25) to your Exchange 2013 CAS.

      My concern with your suggestion is that it complicates the response to an outage with lots of extra steps to perform against a half-implemented Edge server, and puts in place a solution that hasn’t been validated in your environment. What if the Edge subscription fails, or there’s a firewall issue, or a certificate issue, or something else goes wrong that you weren’t expecting?

      If you’re going to deploy an Edge, deploy it in full. The Edge can be involved in Hybrid mail flow with Office 365 after all. But it isn’t mandatory.

      • Jay says:

        Paul,

        Thank you for the response sir. The main reason that we considered the Edge would be for the spam filtering that it offers.

        Our concern would be that just moving the MX via the firewall would open us up to a lot of Spam.

        In our situation, do you have a recommendation that would be better for us? The major concern is just ensuring mail flow, and decent spam filtering in the event Office 365 went down for an extended period of time.

        Any recommendations are greatly appreciated. Thank you Paul.

  14. Rafael Adrian says:

    Hi Paul,

    Very nice article!
    I am having a problem installing Edge server on same server with other Exchange roles, I have CU 9 and when I try to install Edge it give back the error that it cannot be installed on same server with other Exchange 2013 server roles.
    I have a very small organization with around 15-20 mailboxes, I really don’t see the point to have two servers only to exchange emails. Office 365 with Exchange is not so OK with our security reasons and an “in house” email server is the best solution.
    What can be done?

    Thank you!

  15. Sebastien says:

    I, Questions,

    Do I need a second Exchange 2013 license for an edge server, and can I use only my GFI ME 2015 as an edge transport instead of installing a new edge server?

    Thanks

  16. sheeraz says:

    Hi Paul,

    we are running following environment for Exchange 2010 on premises.

    3 Mailbox server with Single DAG

    3 Hub/ CAS (multirole) with NLB

    2 Edge Servers are used for routing email through Exchange Online Protection (EOP)

    For migration purposes we have introduced the following Exchange 2013 servers.

    4 Mailbox + CAS (multirole) servers with Single DAG

    3 Edge Servers

    We have subscribed all three Exchange 2013 Mailbox servers with 2010 Edge Transport Servers and till now email flow is working fine after doing re-subscription because of Exchange 2013 introduction in the environment. Now, we want to subscribe 2013 Mailbox servers (one by one) with 2013 Edge Transport Servers so that 2010 and 2013 Edge Transport servers can route email to EOP and later we can remove Edge 2010 and Exchange 2010 from the environment.

    We would like to know: while doing the Edge Subscription, will there be any issues with email routing? And can we do multiple subscriptions for Hub Transport 2010 and Mailbox 2013 servers, i.e. with Edge 2010 and 2013 at the same time?

    Please note our requirement is to keep Edge server 2013 in the environment, and please note we have around 10k users base.

    Thanks,

  17. Steve says:

    Hi Paul,

    We are an Exchange 2010 house and are planning to migrate to Office 365 over about 6-12mth.
    So we are looking to run in Hybrid for quite a while.
    We are looking to configure an Edge Transport Server in our DMZ on a standalone server as per your instructions. Can we use Exchange 2013 as an Edge Transport Server or do we have to stick with Exchange 2010?

    • Yes you can. TechNet has some guidance on running different versions of Edge alongside different versions of servers. But keep in mind that an Edge server is not required for Hybrid, it’s optional.

      • Steve says:

        Hi Paul, do you have links to the TechNet articles?

        Our IS policy restricts what we can expose to the public internet, so we have to go down the Edge server route.

  18. trang says:

    Hi Paul,
    I have a problem about changing the IP address of my edge server in Exchange Server 2013.
    I can’t find a document that solves this. Can you help me make the list of what I need to do, and some important things to pay attention to when I do this? Thank you.

  19. yoel says:

    what gateway must be used on edge server on the dmz point to internal firewall or point to the internet one. because the edge server must have a different ip address and segment from internal one so when delivering email to internet using dns servers the server should know how to get to 8.8.8.8 for example through the internet firewall.
    does cas/mailbox server is the one that search in the edge for new incoming mail, or the edge after receive make a connection and delivery it to mailbox. if is the last the gateway is just needed the internet firewall and is just add a route to internal server pointing to dmz firewall ip address with the route add. in case the first then should multiple route should be added to the internal network to work route to cas/mailbox, route to dns servers AD.

    • I barely understand your question but I will try to answer it:

      1. The Edge Transport server needs to be able to route to both the internet, and to the internal network
      2. The firewall requirements for Edge Transport are mentioned in the article above and are also available on TechNet if you need clarification.

  20. Bob B says:

    Hi Paul,
    Looking to possibly setup an Edge Transport in a DMZ. Do I need to use Windows Server or can I get away with Win7 Pro ?

  21. John Mmasi says:

    Hello Paul. We are receiving a lot of spam with attachments to users’ inboxes from unknown senders.
    We have Exch 2013, with Edge Transport 2010 and EOP configured for filtering. What can be the issue here? The attachment encrypts the user’s files and folders when opened. Please advise.

    • Zero day ransomware attacks can defeat even the best anti-malware protection. But since you’re an EOP customer already, you should look at upgrading to Advanced Threat Protection as well, which can often detect zero day malware by using behavioral analysis.

      You should also double check that attackers aren’t spamming your Exchange server directly. Make sure your firewall only allows inbound SMTP connections from the EOP IP address ranges.
