Practical 365

Taking the Edge Out of Hybrid Configurations

October 12, 2017 by Paul Cunningham

At the recent Microsoft Ignite conference my friend and fellow MVP Michael Van Horenbeeck delivered a short presentation titled Edge Transport servers and Hybrid: Why, or why not?

You can check out the slide deck here, but to summarize the main points, the reasons to run Edge in a hybrid environment are:

  • You have a technical/security requirement to terminate incoming SMTP (from Exchange Online) in your DMZ
  • You need to re-route messages before they enter your on-premises Exchange organization
  • You need the Edge Transport server’s address rewriting capabilities

The reasons not to deploy Edge are:

  • You have more servers to manage
  • Edge Transport mail filter (e.g. anti-spam) features are not as effective as other solutions
  • It increases the complexity of your environment

Michael also notes that managing Edge Transport is PowerShell only, which may be a downside for some admins.

I happened to be running an Edge Transport server in my hybrid test lab, and hadn’t really thought about whether I needed it until I saw the tweets during Michael’s presentation. Originally I deployed the Edge Transport server in my lab to route email to some separate labs on different domains. Occasionally my lab’s mail flow would break, and I had to deal with the added complexity of troubleshooting an environment that has an Edge server deployed. So I decided to get rid of it.

Removing an Edge Transport server from a hybrid environment is not a difficult task in itself, but you might have environmental factors that increase the work involved. The steps I followed were:

  1. Re-ran the Hybrid Configuration Wizard to reconfigure my hybrid mail flow to use the Exchange 2016 Mailbox servers instead of the Edge Transport server.
  2. Updated my inbound NAT for SMTP (TCP port 25) to point to the Exchange 2016 Mailbox server (I made this change immediately after running the HCW).
  3. Sent some test messages and waited 24 hours, then confirmed with message tracking logs on the Edge Transport server that no new messages had traversed the Edge server.
  4. Removed the Edge subscriptions.
  5. Uninstalled the Edge Transport server.
  6. Shut down and decommissioned the VM.
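
The scriptable parts of the procedure above (steps 1, 3 and 4) as an added PowerShell example, not code from the original post. It assumes the HCW default send connector name pattern "Outbound to Office 365*", which may differ in your organization, and is run from the Exchange Management Shell on the server named in each comment.

```powershell
# Added example, not from the original post. Connector names follow the HCW
# defaults and are assumptions; adjust them to what your HCW run created.

# Step 1 (on a Mailbox server): confirm the HCW re-run moved hybrid mail flow
# off Edge. The hybrid send connector should now list Mailbox servers, not the
# Edge server, as its source transport servers.
Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    Format-List Name, SourceTransportServers, SmartHosts, TlsDomain, Fqdn

# Step 3 (on the Edge Transport server): after 24 hours, prove nothing still
# routes through Edge. A non-empty result means a NAT rule, connector or MX
# record still points at this server and must be fixed before decommissioning.
$since  = (Get-Date).AddHours(-24)
$recent = @(Get-MessageTrackingLog -Start $since -ResultSize Unlimited)

if ($recent.Count -gt 0) {
    # Summarise by event type and connector so the stray path is obvious.
    $recent | Group-Object EventId, ConnectorId |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    throw "Edge handled $($recent.Count) message events in the last 24h; fix the remaining path first."
}

# Step 4: remove the Edge Subscription. Run once on the Edge Transport server
# (removes the local subscription) and once on a Mailbox server (removes the
# subscription object from Active Directory).
Get-EdgeSubscription | Remove-EdgeSubscription -Confirm:$false

# On the Mailbox server, confirm EdgeSync has no remaining target before
# uninstalling the Edge role (step 5). Expect no output here.
Get-EdgeSubscription
```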

The result is a simpler Exchange hybrid environment with fewer servers to operate, maintain, and troubleshoot.


Comments

  1. James Maynard says

    January 14, 2019 at 2:10 pm

    Hi Paul,

    Thanks for a great article as usual. We are migrating to Office 365. We have Exchange 2016 mailbox servers and Exchange 2010 CAS/Hub Transport/Mailbox servers. There are 3 Edge Transport servers used for address rewrite (outgoing). We are opting for Exchange Hybrid. I think you can’t have anything in between the on-prem server and Exchange Online that rewrites addresses because EOP might treat this email as external and subject to spam filter? How can I mitigate this issue? I don’t see any address rewrite capability in Exchange Online? Thanks for your help.

  2. James beamer says

    August 13, 2018 at 1:22 am

    What security items do you give up by doing this:

    The Edge Transport server role is an optional role that’s typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization.

    Why would I want to increase my attack surface?

    Second question:

    100% of my email goes through the Exchange servers. Why would I put this in a DMZ or in my core network? I mean, allowing internet traffic directly into my core network seems reckless, and putting all my email in a DMZ seems just as reckless.

    • james beamer says

      September 21, 2018 at 1:41 am

      Apparently, these questions are unanswerable.

    • GodfatherX64 says

      October 22, 2018 at 10:25 pm

      +1 Following This

  3. RI says

    August 7, 2018 at 2:34 am

    Hi Paul,

    We have a new Exchange 2016 server that is used for outbound SMTP relay and management of Exchange mailboxes, etc. in O365 only. We use AAD Connect to sync to O365, and all our mailboxes, DLs, etc. are in O365 (no public folders). We have an old Exchange 2010 server that was routing email using, e.g., external1.dns.name, externalIP1. I have since cut internal SMTP mail over to the new Exchange 2016 server, in a different datacenter, external2.dns.name, externalIP2. I created new send (on-prem) and receive (O365) connectors that correspond to the new Exchange 2016 server.

    SMTP mail is flowing correctly. We have outbound NAT (port 25/443) to O365, but no inbound NAT to on-prem Exchange 2016, as no email needs to come back in.

    Do I need to update the HCW for the Exchange 2016 server? I will be decommissioning the old Exchange 2010 server that the HCW was originally run against. Can I remove the HCW config, e.g. using Remove-HybridConfiguration?

    Just not finding useful information that matches my scenario. I would be interested in your opinion.

    Thanks. RI

  4. Dan says

    March 30, 2018 at 1:33 am

    Hi, you have been helpful re SSL in the past couple of days. Thanks. Setting up a hybrid: a 2013 environment, but stood up two 2016 servers as well to migrate internal relays etc. (someone else’s design). At some point, once all mailboxes have moved from the 2013 mail servers, the 2013 servers will go away. But I am currently doing a hybrid, and I am assuming I set it up on 2013 first. I have been reviewing the options regarding transports for inbound/outbound. Currently using a 3rd party (Mimecast) for AV and journaling. It appears that enabling Centralized Transport may be the way to go, at least initially and perhaps long term. I realize that is an internal decision.

    My question, and it appears to be partially answered above, is: if there are changes later (such as the type of transport and/or elimination of the 2013 servers), can one ‘simply’ rerun the hybrid wizard to make changes? Any additional suggestions appreciated (being guilty of not knowing what I don’t know). Thanks.

    • Paul Cunningham says

      March 30, 2018 at 10:51 am

      Yes, when you make changes to your on-prem infrastructure, re-run the HCW to update the config.

  5. C. Hunt says

    October 20, 2017 at 5:20 am

    Hi Paul,
    First of all, I appreciate your articles; since I am new to Exchange 2016, they are a tremendous help.
    I’m setting up a new Exchange 2016 server and was looking at using an Edge Transport server, but after reading this I’m thinking I really don’t need the Edge Transport. I haven’t configured the Hybrid in ECP, so would I be correct that all I need to do is remove the Edge Subscription from Exchange, create new send and receive connectors, and make the changes for SMTP in the firewalls to point to the Exchange server?

    • Paul Cunningham says

      October 20, 2017 at 7:49 am

      Sounds about right.

  6. RKast says

    October 14, 2017 at 4:15 am

    I also don’t see a need for Edge in hybrid. If you go hybrid you “trust” O365 and extend your Exchange organization to O365, so it’s one org. Also, you can allow only O365 IP addresses on the firewall for the hybrid mail flow FQDN if you don’t use the MX record.

    • Rkast says

      October 14, 2017 at 4:25 am

      And also, Edge subscription: Sharing the same certificate between Edge and Hub Transport servers is not allowed! See https://social.technet.microsoft.com/Forums/en-US/86eb3c39-5cb0-45c5-9b50-5eea92628101/edge-subscription-sharing-the-same-certificate-between-edge-and-hub-transport-servers-is-not?forum=Exch2016SD
