At the recent Microsoft Ignite conference my friend and fellow MVP Michael Van Horenbeeck delivered a short presentation titled Edge Transport servers and Hybrid: Why, or why not?
You can check out the slide deck here, but to summarize the main points, the reasons to run Edge in a hybrid environment are:
- You have a technical/security requirement to terminate incoming SMTP (from Exchange Online) in your DMZ
- You need to re-route messages before they enter your on-premises Exchange organization
- You need the Edge Transport server’s address rewriting capabilities
The reasons not to deploy Edge are:
- You have more servers to manage
- Edge Transport mail filter (e.g. anti-spam) features are not as effective as other solutions
- It increases the complexity to your environment
Michael also notes that managing Edge Transport is PowerShell only, which may be a downside for some admins.
I happened to be running an Edge Transport server in my hybrid test lab, and hadn’t really thought about whether I needed it until I saw the tweets during Michael’s presentation. Originally I deployed the Edge Transport server in my lab to route email to some separate labs on different domains. Occasionally my lab’s mail flow would break, and I had to deal with the added complexity of troubleshooting an environment that has an Edge server deployed. So I decided to get rid of it.
Removing an Edge Transport server from a hybrid environment is not a difficult task in itself, but you might have environmental factors that increase the work involved. The steps I followed were:
- Re-run the Hybrid Configuration Wizard to reconfigure my hybrid mail flow to use the Exchange 2016 Mailbox servers, instead of the Edge Transport server.
- Updated my inbound NAT for SMTP (TCP port 25) to point to the Exchange 2016 Mailbox server (I made this change immediately after running the HCW).
- Sent some test messages and waited 24 hours, then confirmed with message tracking logs on the Edge Transport server that no new messages had traversed the Edge server.
- Removed the Edge subscriptions.
- Uninstalled the Edge Transport server.
- Shut down and decommissioned the VM.
The result is a simpler Exchange hybrid environment with fewer servers to operate, maintain, and troubleshoot.
Hi Paul,
Thanks for a great article as usual. We are migrating to Office 365. We have Exchange 2016 mailbox servers and Exchange 2010 CAS/Hub Transport/Mailbox servers. The are 3 Edge Transport servers used for address rewrite (outgoing). We are opting for Exchange Hybrid. I think you can’t have anything in between the on-prem server and Exchange Online that rewrites addresses because EOP might treat this email as external and subject to spam filter?? How can I mitigate this issue? I dont see any address rewrite capability in Exchange Online? Thanks for your help.
What security items do you give up by doing this:
The Edge Transport server role is an optional role that’s typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization.
Why would I want to increase my attack surface?
Second question:
100% of my email goes through the exchange servers. Why would I put this in a DMZ or in my core network? I mean, allowing internet traffic directly into my core network seems reckless and putting all my email in a DMZ seems just as reckless.
Apparently, these questions are unanswerable.
+1 Following This
Hi Paul,
We have a new exchange 2016 server that is used for outbound smtp relay and management of exchange mailboxes,etc in o365 only. We use AAD connect to sync to o365 and all our mailboxes, DL, etc are in o365(no public folder). We have an old exchange 2010 server that was routing email using, e.g. external1.dns.name, externalIP1. I have since cut internal smtp mail to the new exchange 2016 server, different Datacenter, external2.dns.name, externalIP2. I created a new send (on perm) and receive (o365) connectors that correspond to the new exchange 2016 server.
SMTP Mail is flowing correctly. We have outbound NAT (port25/443) to o365, but no inbound NAT to on perm exchange 2016, as no email needs to come back in.
Do I need to update the HCW for the exchange 2016 server, I will be decommissioning the old exchange 2010 server where the HCW was originally run against? Can I remove the HCW config, e.g using, remove-hybrid configuration?
Just not finding useful information that matches my scenario. I would be interested in your opinion.
Thanks. RI
Hi, you had been helpful re SSL in past couple of days. Thanks. Setting up a hybrid – a 2013 environment but stood up two 2016 servers as well to migrate internal relays etc (someone else design). At some point once all mailboxes moved from 2013 mail servers, 2013 servers will go away). But I am currently doing a hybrid- and I am assuming to set up on a 2013 first. I have been reviewing the options regarding transports for inbound / outbound. Currently using 3rd party (mimecast) for AV and journaling. It appears that Enabling Centralized Transport may be the way to go at least initially, and perhaps long term. I realize that is an internal decision.
My question – and it appears to be partially answered above- is that if there are changes later (such as the type of transport and/or elimination of the 2013 servers) that one can ‘simply’ rerun the hybrid wizard to make changes? Any additional suggestions appreciated (being guilty of not knowing what I don’t know). Thanks.
Yes, when you make changes to your on-prem infrastructure, re-run the HCW to update the config.
Hi Paul,
First of all I appreciate your articles since I am new to Exchange 2016, they are a tremendous help.
I’m setting up a new Exchange 2016 server and was looking at using an Edge Transport Server but after reading this I’m thinking I really don’t need the Edge Transport. I haven’t configured the Hybrid in ECP, so would I be correct in that all I need to do is remove the Edge Subscription from Exchange, create new send and receive connectors and make the changes for SMTP in the firewalls to point to the Exchange Server?
Sounds about right.
I also dont see need for edge in hybrid. If you go hybrid you “trust” o365 and extend your Exchange organization to o365, so its one org. Also you can only allow o365 ip adresses on firewall for the hybrid mail flow fqdn if you not use mx record.
And also , Edge subscription : Sharing the same certificate between Edge and Hub Transport servers is not allowed! See https://social.technet.microsoft.com/Forums/en-US/86eb3c39-5cb0-45c5-9b50-5eea92628101/edge-subscription-sharing-the-same-certificate-between-edge-and-hub-transport-servers-is-not?forum=Exch2016SD