Home » Exchange Server » Configuring an Edge Subscription for Exchange Server 2013

Configuring an Edge Subscription for Exchange Server 2013

An Edge Subscription subscribes an Exchange Server 2013 Edge Transport server to an Active Directory site. This automatically creates the required connectors for internet mail flow to occur inbound and outbound via the Edge Transport server and the Mailbox servers in that Active Directory site.

On the Edge Transport server create an Edge Subscription file.

Copy the Edge Subscription file to a Mailbox server in the organization Import the Edge Subscription file by running the following command.

In my example “DataCenter1” is the name of the Active Directory site that hosts the Mailbox servers that I want to participate in EdgeSync with the Edge Transport server. If you have multiple Edge Transport servers (for high availability) you simply repeat the process of creating the Edge Subscription file on each Edge Transport server and then subscribing it to the Active Directory site.

Note: If you add a new Mailbox server to the site it will not participate in EdgeSync until you resubscribe the Edge Transport server to the site.

Removing Other Send Connectors

If you’ve previously configured send connectors for outbound email you may need to take additional steps to remove them after you’ve deployed your Edge Transport server.

For example, here you can see the two EdgeSync connectors that were automatically created, and the existing “Internet Email” send connector as well. At the moment outbound email will still go out via the “Internet Email” connector.

Remove any unnecessary send connectors so that mail will flow via the Edge Transport server.

Verify Outbound Email

You can verify that outbound email is flowing via the Edge Transport server by sending an outbound message, then copying the message headers from the received message into a header analyzer such as MXToolbox or ExRCA.

exchange-2013-edge-transport-message-headers

Verify Inbound Email

For inbound email you will need to ensure that your MX records point to the public IP address for your Edge Transport server (which may be a NATed IP address behind a firewall or other network device). To verify inbound mail flow send an email from an external address or use the inbound SMTP test on ExRCA.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.
Category: Exchange Server

37 comments

  1. Tom says:

    Hi,

    I have a DAG setup in which each of the participating mailbox servers are in different Active Directory sites, a total of 5 AD sites.

    I am planning to introduce Edge Servers as well.

    Do I need to install 5 Edge Servers in each of these sites and make subscriptions to each of the mailbox servers in the respective sites?

    Or, can I deploy 2 Edge Servers in DMZ and make individual subscriptions to each of the mailbox servers in each site?

    Please let me know if any one has any prior experience with multi-site Exchange setup..

    SiteA – EXMB1
    SiteB – EXMB2
    SiteC- EXMB3
    SiteD – EXMB4
    SiteE – EXMB5

    • Opening paragraph of the article says:

      “An Edge Subscription subscribes an Exchange Server 2013 Edge Transport server to an Active Directory site. This automatically creates the required connectors for internet mail flow to occur inbound and outbound via the Edge Transport server and the Mailbox servers in that Active Directory site.”

      The subscription is between an Edge server and a *site*, not to individual Mailbox servers.

      Only one Edge subscription can be created per Edge server, but multiple Edge subscriptions can be created per site. So yes you can have multiple Edge servers subscribed to the same site.

      Does that make sense?

  2. Otto Melzig says:

    We have 2 sites with about 70 users each – Port Moresby and Lae. The sites have very limited bandwidth between each other but both have good bandwidth to a third site Sydney, which is connected to the internet at high speed. There are no mailbox users in Sydney.

    We want to have a setup where all inbound mail from the internet goes to Sydney first and is then delivered to either Lae or Port Moresby.

    But since an edge transport server can only service one site it seems we will need to deploy a FULL exchange client access and mailbox server in Sydney and then route all email to this first.

    Is there any other way of achieving the desired result?

    • Maxim Grishin says:

      You don’t need a *mailbox* server in Sydney, but rather a *hub transport* server, so less storage will be required. But yes, a server in Sydney is needed if you want to route messages through Sydney. You can use a hub transport server acting as receiver in place of an edge transport server, although this approach is less secure than using an edge transport server.

  3. vic hindocha says:

    Hey Paul –
    I have a pre-existing Edge 2010 server in my environment. I have just upgraded to Exchange 2013; I would like to upgrade from Edge 2010 to Edge 2013; I have read you posts, which i found extremely helpful, however, I doesn’t mention anything about upgrading from Edge 2010 to Exchange 2013.

    My questions are as follows:

    1) When i create a New-EdgeSubscription will this script also copy over the configurations from Edge 2010 over to Edge 2013?
    2) How to i make Edge 2013 the “primary edge server”?

    I want to avoid create a New-EdgeSubscription and then it become production automatically without any configurations done.

    Thanks in advance
    Vic

  4. Mark Joseph says:

    Hi Paul,

    We’re currently in the design phase of our O365 migration. One challenge we are encountering is setting up our hybrid environment.
    Here is our situation:
    * We have 3 CAS servers and 4 Mailbox servers on-premise (internal network).
    * Our CAS servers are load-balanced using ADC (located in perimeter network).
    * We also have IP-based firewall installed in our environment.
    * We don’t want to expose our CAS and Mailbox servers to the internet, so we’re thinking of using EDGE Transport server.
    Questions:
    1) Can we still enable Rich Coexistence with just EDGE?
    2) We’ve read an issue regarding mailbox migration with ADC/network load balancer, can we just use EDGE for the mailbox migration so that we don’t have to worry about possible mailbox lockout in our ADC or migration time-out?

    • Edge Transport is only involved in transport/mail flow. It is not involved in any of the other hybrid functionality like rich co-existence, remove mailbox moves, etc.

      You don’t already allow remote access to Exchange for services like OWA and ActiveSync?

  5. sony says:

    Do I have to run

    “New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path “C:AdminEdge.xml” -Encoding Byte -ReadCount 0)) -Site “DataCenter1” on ALL my MAIL SERVERS? I only ran this to first mailbox server

    I have one Edge server and Two mailbox/CAS servers(DAG) and it was working fine until I switched over to second mailbox server in DAG.

    • When you run it (once) it sets up the subscription for the Edge server to the AD Site, including all transport (Mailbox) servers in that site *at the time*. If you add a new Mailbox server later, the subscription needs to be recreated.

      You also need to make sure the firewall ports between the Edge and the internal servers are open for all servers.

  6. Yassine says:

    Hi Paul,

    After confguring a new Edge server I got problem with the Incoming email, every external email got stuck on the edge server and in the queue I notice the error “DNS Query faild with error Error retry”.
    Any idea where can the problem be?

  7. Deepak says:

    Shouldnt I import these subscriptions to the servers with CAS roles?
    I had imported these to the ones with MBX only roles and ended up having large queues and a DNS query issue as posted earlier by Yassine.

    Regards,
    Deepak

    • Edge servers are subscribed to an AD site, not to a server. When you subscribe the Edge server to the site all of the Transport (MBX for 2013, HT for 2010) in the site can/will use that Edge server for in/out email.

      If you’re having inbound mail queueing on the Edge server it could be an SMTP connectivity issue from the Edge to your internal servers, or a DNS issue (the Edge needs to be able to resolve the internal servers by name).

  8. Evandro Semedo says:

    Paul,

    How to configure a FQDN for each edge transport?

    Example: Get-SendConnector “EdgeSync – Default-First-Site-Name to Internet” | Set-SendConnector -Fqdn smtphost1.domain.com.br

    tks.

  9. Jesus says:

    I have a Exchange 2013 organization with diferents roles in each server and a Exchange 2013 servers in the same organization.
    Exchange 2007 and 2013 is in diferent adsites. Exchange 2007 has EDGE subscription with four EDGE Transport 2007.
    I create Exchange 2013 edge subscription over Exchange 2013 in other adsite but all email that i send to Internet exit by exchange 2007 subscription.
    If i change scope to new send connector to internet generated by edge subscription the messages follow exit by the old edge connector to internet.
    Regards.

  10. Ferdie Fernandez says:

    Hi,

    We have a 2007 MBX and HTC servers in 4 sites but only 1 edge server at one location for mail routing to internet. Can i put another edge server in another site and I want that site to route emails from that Edge server? Can i use Edge 2013 ? Can it mixed with 2007 HTC/MBX servers? What need to be taken off when doing this configuration?

  11. Daniel S. says:

    Hi,

    I have an Exchange Server 2013 CU10 organisation, with one MBX – CAS server. I am currently configuring an Exchange 2016 Edge in DMZ.

    The Edge Subscription should take care of the internal and external, inbound and outbound port 25 traffic.

    I would like to know if should I expect any trouble for the other Exchange services, like ActiveSync, OWA, POP3, IMAP, OutlookAnywhere.

    I am planning to leave those, for the time being, external published direct from my CAS – MBX Server, and after everything is working as it should, I will publish those thru WAP with AD FS.

    Thank you.

    Regards
    SD.

  12. Farid says:

    Hello and thank you for your tips.
    I have my Azure VM on a 2012 R2 datacenter with Exchange CU12 Edge transport Role.
    I ran into a problem after running New-EdgeSubscription -FileName C:AdminEdge.xml
    I get a smart card popup and it requires a PIN.
    When cancelling, the cmdlt aborts.
    Also tried randon numbers etc…no luck.
    Ant suggestions?

      • Farid says:

        Thanks for the feedback.
        I figured it out. It was actually the remote desktop session that azure creates for you and you download to use it to connect to your VM which has a setting with a check mark for smart card, ports and devices to be used on remote machine.
        I just needed to uncheck that.

  13. Rafal says:

    We currently have an Exchange 2013 organisation which at some point (politics…) will be moved to O365, we need to deploy an Edge service in the mean time. Would an Exchange 2013 Edge server work ok with an Exchange 2010 SP3 RUx organisation, or are we better deploying the 2010 Edge service? There doesn’t seem to be a categorical answer on Technet that I can see.

  14. hosamani says:

    I have a query for having Resubscription one of Edge Transport server to the site.

    We have 2 Edge servers and 4 MBX/CAS mixes role and all are Exchange 2013 CU6 version all servers)

    Issue: One of the Edge server is not syncing with mailbox servers, however there is no impact on mail flow. and only impact is mailbox safalist/blocklist not replicating.

    Also very soon one of the SSL certificate is getting expire and I am planning to renew it.

    So, is it better to Resubscribe it before certificate renewal or can we do it after? Also is there any impact on existing configuration after renewal with mail flow ?

    • Yes, I believe that updating the SMTP certificate on the Edge server(s) requires a resubscription.

      You’re running an unsupported build (CU6) so you should also plan to update your servers to the latest CU before you do the certificate changes.

      As for the synchronization issue, the most likely cause is a firewall port not being open, but maybe resubscribing will also fix it.

      • hosamani says:

        Hi Paul, Appreciate your quick response.

        All required ports are open between edge and MBC/CAS. Also verified the services and restarted as well, also tried to resync with force parameter, no luck.

        Error: EdgeSync service cannot connect to this subscription because of error “The supplied credential is invalid.”

        So if i resubscribe, will be any impact on existing configuration ? because same edge servers are used for application mail relay.

        Thank you

        • Resubscribing will be necessary to fix that error. Without knowing your environment I can’t say whether it will impact other things. Test whatever scenarios you’re worried about, and be prepared to reapply any configurations that might be lost in the resubscription process.

          • Sb says:

            Hi Paul,

            I have 2 edge servers and 3 MBX/CAS servers(Exch-13). So after Resubscribing, should i start EdgeSynchronization from Each server ?

            like
            Start-EdgeSynchronization -Server MBX1 -target server Edge-1 and Edge2
            Start-EdgeSynchronization -Server MBX2 -target server Edge-1 and Edge2
            Start-EdgeSynchronization -Server MBX3-target server Edge-1 and Edge2

            or is there any option or p-command to Sync all my mbx/CAS servera at same time ?

            Thanks

  15. kyle says:

    Hi Paul,Thanks for your “exchange-server-2013-edge-transport-server” serial posts.

    I follow this post add 2EDGE server in my 2CAS+2MBX demo environment this week without any warn info.

    Should i need to change the new send connector “EdgeSync-ADsitename to internet” ‘s FQDN from BLANK to mail.myoffice.com or just leave it alone?

    I found that i must reset the “senderid” and “senderfilter” options(like blanksenderblockingenabled) in both 2EDGE server although i set it on 2MBX server before.if your EDGE serial posts upgrade some tips about antispam settings ,it will be more greate.

    Thanks.
    Sorry so my poor english 🙂

  16. Arman says:

    Hi Paul,
    we have a two mailbox servers, two CAS servers and edge server. when we adding second edge server mail doesn’t go in and out. there is and error in the smtpsend logs
    2017-01-28T16:44:14.260Z,EdgeSync – Inbound to Default-First-Site-Name,08D4479C5359C393,27,192.168.xx.xx:1503,192.168.yy.yy:25,*,,TLS negotiation failed with error SocketError

    is there any suggestions?
    Many thanks

Leave a Reply

Your email address will not be published. Required fields are marked *