In the last part of this series I demonstrated how to install the Edge Transport server role for Exchange Server 2010. In this next part I’ll go through the process of configuring the Edge Subscription between the Edge Transport server and Hub Transport server located in the internal network.
The Edge Subscription is a relationship between an Edge Transport server and an Active Directory site, and allows the Edge Transport server to receive information about the Exchange organization such as recipients, domain names, and safelists/blocklists for anti-spam.
This information is synchronized at regular intervals through a process called EdgeSync.
Firewall Ports for Exchange Server 2010 Edge Transport Servers
For EdgeSync and mail flow to work there are a few network ports that need to be open on the firewall between the Internet, the Edge Transport server, and the internal Hub Transport server.
Edge Transport Server Network Ports for EdgeSync
- Secure LDAP (TCP 50636) from the Hub Transport server to the Edge Transport server
Edge Transport Server Network Ports for Mail Flow
- SMTP (TCP 25) from the Internet to the Edge Transport server
- SMTP (TCP 25) from the Edge Transport server to the Hub Transport server
- SMTP (TCP 25) from the Hub Transport server to the Edge Transport server
- DNS (UDP 53) from the Edge Transport server to a DNS server capable of public DNS lookups (ie to look up MX records)
Configuring ISA Server 2006 for Edge Transport Servers
If you are using ISA Server 2006 as your firewall and want to create the access rules for the Edge Transport server the first thing you’ll need to configure is a new network protocol for the secure LDAP connection. ISA Server 2006 is pre-configured with a secure LDAP protocol however the EdgeSync process uses the non-standard port of TCP 50636.
Create a new network protocol named “EdgeSync” for TCP 50636 outbound.
Configure the ISA Server 2006 firewall policy with access rules for the Edge Transport network access required.
Creating the Edge Subscription for Exchange Server 2010 Edge Transport Servers
With the firewall access all configured correctly the next step is to configure the Edge Subscription itself.
On the Edge Transport server open the Exchange Management Shell and run the following command using the New-EdgeSubscription cmdlet.
[PS] C:\>New-EdgeSubscription -FileName C:edgesubscription.xml Confirm If you create an Edge Subscription, this Edge Transport server will be managed via EdgeSync replication. As a result, any of the following objects that were created manually will be deleted: accepted domains, message classifications, remote domains, and Send connectors. After creating the Edge Subscription, you must manage these objects from inside the organization and allow EdgeSync to update the Edge Transport server. Also, the InternalSMTPServers list of the TransportConfig object will be overwritten during the synchronization process. EdgeSync requires that this Edge Transport server is able to resolve the FQDN of the Hub Transport servers in the Active Directory site to which the Edge Transport server is being subscribed, and those Hub Transport servers be able to resolve the FQDN of this Edge Transport server. You should complete the Edge Subscription inside the organization in the next "1440" minutes before the bootstrap account expires. [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
There are two important things to be aware of here:
- You must complete the next step of the Edge Subscription process within 1440 minutes (24 hours), otherwise you’ll need to generate a new Edge Subscription again
- The Hub Transport servers in the Active Directory site that will be subscribed must be able to resolve the FQDN of the Edge Transport server. You can either add DNS records manually or use a HOSTS file entry.
Copy the “edgesubscription.xml” file to the Hub Transport server. Launch the Exchange Management Console and navigate to Organization Management/Hub Transport.
In the Actions pane click on New Edge Subscription.
Browse and select the Active Directory site to be subscribed, as well as the XML file that you copied from the Edge Transport server.
Click the New button to complete the wizard.
After the Edge Subscription has been created you will see two Send Connectors configured for your organization.
It can take up to an hour before the first Edge synchronization process runs, but you can run it manually if you need to. On the Hub Transport server launch the Exchange Management Shell and run the following command using the Start-EdgeSynchronization cmdlet.
[PS] C:\>Start-EdgeSynchronization -Server esp-ho-ex2010a RunspaceId : b7415ae2-f763-449e-bb36-20a6a18759cd Result : Success Type : Configuration Name : esp-ho-ex2010e FailureDetails : StartUTC : 5/7/2011 1:27:39 PM EndUTC : 5/7/2011 1:28:07 PM Added : 290 Deleted : 0 Updated : 0 Scanned : 295 TargetScanned : 0 RunspaceId : b7415ae2-f763-449e-bb36-20a6a18759cd Result : Success Type : Recipients Name : esp-ho-ex2010e FailureDetails : StartUTC : 5/7/2011 1:27:39 PM EndUTC : 5/7/2011 1:28:08 PM Added : 401 Deleted : 0 Updated : 0 Scanned : 401 TargetScanned : 0
After the initial Edge synchronization has occurred you will be able to see the Send Connectors and Accepted Domains configured on the Edge Transport server.
Testing Mail Flow
After the Edge Subscription is in place and you’ve synchronized at least once you can send email between your Exchange organization and an external mailbox, and then inspect the email message headers to verify that the messages are traversing your Edge Transport server.
Received: from esp-ho-ex2010e.exchangeserverpro.net (10.0.3.2) by esp-ho-ex2010a.exchangeserverpro.net (10.0.1.4) with Microsoft SMTP Server (TLS) id 14.1.289.1; Sat, 7 May 2011 23:50:10 +1000 Received: from (192.168.0.45) by esp-ho-ex2010e.exchangeserverpro.net (10.0.3.2) with Microsoft SMTP Server id 22.214.171.124; Sat, 7 May 2011 23:50:07 +1000 MIME-Version: 1.0 Content-Type: text/plain