In the last part of this series I demonstrated how to install the Edge Transport server role for Exchange Server 2010. In this next part I’ll go through the process of configuring the Edge Subscription between the Edge Transport server and Hub Transport server located in the internal network.
The Edge Subscription is a relationship between an Edge Transport server and an Active Directory site, and allows the Edge Transport server to receive information about the Exchange organization such as recipients, domain names, and safelists/blocklists for anti-spam.
This information is synchronized at regular intervals through a process called EdgeSync.
Firewall Ports for Exchange Server 2010 Edge Transport Servers
For EdgeSync and mail flow to work there are a few network ports that need to be open on the firewall between the Internet, the Edge Transport server, and the internal Hub Transport server.
Edge Transport Server Network Ports for EdgeSync
- Secure LDAP (TCP 50636) from the Hub Transport server to the Edge Transport server
Edge Transport Server Network Ports for Mail Flow
- SMTP (TCP 25) from the Internet to the Edge Transport server
- SMTP (TCP 25) from the Edge Transport server to the Hub Transport server
- SMTP (TCP 25) from the Hub Transport server to the Edge Transport server
- DNS (UDP 53) from the Edge Transport server to a DNS server capable of public DNS lookups (ie to look up MX records)
Configuring ISA Server 2006 for Edge Transport Servers
If you are using ISA Server 2006 as your firewall and want to create the access rules for the Edge Transport server the first thing you’ll need to configure is a new network protocol for the secure LDAP connection. ISA Server 2006 is pre-configured with a secure LDAP protocol however the EdgeSync process uses the non-standard port of TCP 50636.
Create a new network protocol named “EdgeSync” for TCP 50636 outbound.
Configure the ISA Server 2006 firewall policy with access rules for the Edge Transport network access required.
Creating the Edge Subscription for Exchange Server 2010 Edge Transport Servers
With the firewall access all configured correctly the next step is to configure the Edge Subscription itself.
On the Edge Transport server open the Exchange Management Shell and run the following command using the New-EdgeSubscription cmdlet.
[PS] C:\>New-EdgeSubscription -FileName C:edgesubscription.xml Confirm If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result, any of the following objects that were created manually will be deleted: accepted domains, message classifications, remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the TransportConfig object will be overwritten during the synchronization process. EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Hub Transport servers in the Active Directory site to which the Edge Transport server is being subscribed, and those Hub Transport servers be able to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in the next "1440" minutes before the bootstrap account expires. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
There are two important things to be aware of here:
- You must complete the next step of the Edge Subscription process within 1440 minutes (24 hours), otherwise you’ll need to generate a new Edge Subscription again
- The Hub Transport servers in the Active Directory site that will be subscribed must be able to resolve the FQDN of the Edge Transport server. You can either add DNS records manually or use a HOSTS file entry.
Copy the “edgesubscription.xml” file to the Hub Transport server. Launch the Exchange Management Console and navigate to Organization Management/Hub Transport.
In the Actions pane click on New Edge Subscription.
Browse and select the Active Directory site to be subscribed, as well as the XML file that you copied from the Edge Transport server.
Click the New button to complete the wizard.
After the Edge Subscription has been created you will see two Send Connectors configured for your organization.
It can take up to an hour before the first Edge synchronization process runs, but you can run it manually if you need to. On the Hub Transport server launch the Exchange Management Shell and run the following command using the Start-EdgeSynchronization cmdlet.
[PS] C:\>Start-EdgeSynchronization -Server esp-ho-ex2010a RunspaceId : b7415ae2-f763-449e-bb36-20a6a18759cd Result : Success Type : Configuration Name : esp-ho-ex2010e FailureDetails : StartUTC : 5/7/2011 1:27:39 PM EndUTC : 5/7/2011 1:28:07 PM Added : 290 Deleted : 0 Updated : 0 Scanned : 295 TargetScanned : 0 RunspaceId : b7415ae2-f763-449e-bb36-20a6a18759cd Result : Success Type : Recipients Name : esp-ho-ex2010e FailureDetails : StartUTC : 5/7/2011 1:27:39 PM EndUTC : 5/7/2011 1:28:08 PM Added : 401 Deleted : 0 Updated : 0 Scanned : 401 TargetScanned : 0
After the initial Edge synchronization has occurred you will be able to see the Send Connectors and Accepted Domains configured on the Edge Transport server.
Testing Mail Flow
After the Edge Subscription is in place and you’ve synchronized at least once you can send email between your Exchange organization and an external mailbox, and then inspect the email message headers to verify that the messages are traversing your Edge Transport server.
Received: from esp-ho-ex2010e.exchangeserverpro.net (10.0.3.2) by esp-ho-ex2010a.exchangeserverpro.net (10.0.1.4) with Microsoft SMTP Server (TLS) id 14.1.289.1; Sat, 7 May 2011 23:50:10 +1000 Received: from (192.168.0.45) by esp-ho-ex2010e.exchangeserverpro.net (10.0.3.2) with Microsoft SMTP Server id 14.1.218.12; Sat, 7 May 2011 23:50:07 +1000 MIME-Version: 1.0 Content-Type: text/plain
Hello;
Good TUTO but missing some steps :
1) on the edge server set the IP of server DNS and the DNS suffixe in TCP/IPV4 settings in advanced settings (DNS tab)
2) set the DNS suffix in the server name of the edge server (change name > more ect)
3) set the “crédentials manager” service “run” and “automatic” on edge server and exchange server
4) set a DNS entry in DNS Server for the Edge server with FQDN (edge.domain.local)
5) run the ad lsd wizard on the edge server
after that you can run this tuto
Hi All,
How can I check :
1. how many times Edge Sync File has generated from and Imported to Hub server?
2. How to Add another Hub Server server to existing working Edge server?
Thanks in advance for your response
Hi all,
I know that the edge transport server should not be on an ad integrated server but could anyone explain to me why?
Where i work there are three firewalls. internet facing is a hardware appliance just allowing and denying ports, then there is a AD intergarated TMG (TMG1) and then there is a second AD intergrated TMG server (TMG2) then behind that is the network.
I have been asked to put the edge transport server onto TMG1. It is AD intergrated so i am a bit reluctant.
I would have thought you would have made TMG2 non-AD intergrated and then installed the edge on that.
Any thoughts would be appreciated.
Hi Paul
I am running an Edge Server on separate workgroup named Edge
Have already created “new accepted domain” and “New Edge Subscription”
When I run the cmd for edge synchronization i get the following error:
RunspaceId : e70987c4-5341-4b2b-a2da-0ce148ce2221
Result : CouldNotConnect
Type : Recipients
Name : PB21EXCH03
FailureDetails : The LDAP server is unavailable.
StartUTC : 5/7/2013 9:56:03 AM
EndUTC : 5/7/2013 9:56:24 AM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
RunspaceId : e70987c4-5341-4b2b-a2da-0ce148ce2221
Result : CouldNotConnect
Type : Configuration
Name : PB21EXCH03
FailureDetails : The LDAP server is unavailable.
StartUTC : 5/7/2013 9:56:03 AM
EndUTC : 5/7/2013 9:56:24 AM
Added : 0
Deleted : 0
Updated : 0
Plz help!!!!
The Real Person!
The Real Person!
Is there a firewall between the Hub Transports and Edge Transport? If so have you opened the correct ports?
Pingback: Creating an Exchange 2010 Edge Subscription | viruk67
Hi Paul, proud to read your usefull posts on exchange.
Please can you help me the issue i’m facing.
i have an exchange server 2007 SP1 edge server, and i’ve subscribed an exchange 2010 sp2 HT to it; now, when i run the command test-edgesync, i receive an incomplete sync with a failure detail, in application log, i receive error 1004.
Please waitting for your help.
Thank you.
Dear Mr. Paul,
Could you please advice me to backup exchange mailbox database and restore to a dissimilar hardware
I got stuck here .please help me
after configuring edge, user receive that server can’t send my message and in queue is “5.7.3 cannot achieve exchange server authentication”
I already Have configured edge and I can send emails but I don’t receive.
I ran this command below. but on mailbox I don’t have nothing even antispam I have disable.
Timestamp : 18-12-2012 15:00:59
ClientIp : 97.74.135.47
ClientHostname : p3plwbeout05-02.prod.phx3.secureserver.net
ServerIp : 10.20.30.10
ServerHostname : EDGE
SourceContext : 08CFAA82812A4C24;2012-12-18T15:00:58.218Z;0
ConnectorId : EDGEDefault internal receive connector EDGE
Source : SMTP
EventId : RECEIVE
InternalMessageId : 20
MessageId :
Recipients : {email@xxx.eu}
RecipientStatus : {}
TotalBytes : 1542
RecipientCount : 1
RelatedRecipientAddress :
Reference :
MessageSubject : TESTINFG
Sender : jsm@xxx.info
ReturnPath : jsm@xxx.info
MessageInfo : 00A: NTS:
MessageLatency :
MessageLatencyType : None
EventData :
[PS] C:Windowssystem32>
The Real Person!
The Real Person!
If you’re not receiving email then you need to test the connectivity to your server from the outside world. You can use tools such as mxtoolbox.com to do this.
same problem here. I can send email to internet but i can’t receive email from the internet after ive installed edge transport server. Before, without edge server, I can successfully receive mails externally.
report upon testing says its normal sync etc. but still i can not receive external mails.
PLEASE HELP…
pls email: myrick.borillo@fortis.com.ph
same problem. user is experiencing intermittent email loss hes gets 00A: NTS:
and wierdly gets delivered to the mailbox and he is unable to see and the person who email is getting NDR.
Please check receive connector on edge server go to receive connector properties and look at the permissions groups anonymous users should be checked.
Ram
Hi and thank you for this great article.
I Follow all the steps you mention here and when I issue a “Test-EdgeSyncrhonisation” on my hub exchange I always have the message “no edgesync credential found for the edge transport…”.
I saw on multiple forum that the problem might be due to certificates and already request a new certificate on the hub transport from my internal PKI.
Any idea about that ?
RunspaceId : 5a07552a-ab9a-4547-84d2-f0e3c94ec3fd
Result : CouldNotConnect
Type : Recipients
Name : NPSSERVER
FailureDetails : The supplied credential is invalid.
StartUTC : 10/24/2011 3:10:17 PM
EndUTC : 10/24/2011 3:10:17 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
RunspaceId : 5a07552a-ab9a-4547-84d2-f0e3c94ec3fd
Result : CouldNotConnect
Type : Configuration
Name : NPSSERVER
FailureDetails : The supplied credential is invalid.
StartUTC : 10/24/2011 3:10:17 PM
EndUTC : 10/24/2011 3:10:17 PM
Added : 0
Deleted : 0
Updated : 0
Scanned : 0
TargetScanned : 0
wats wrong here pleaase
The Real Person!
The Real Person!
Are the Edge and Hub Transport servers the same version of Exchange? (including service packs and update rollups)
Pingback: Exchange 2010 Edge Transport Server: Configuring EdgeSync | promote website|online promotion|online promotion|website promotion:qmmt.info supply