
Planning to Deploy the Edge Transport Server
Before you deploy the Edge Transport server, you must answer the following planning questions:
- How will you position the Edge Transport server within the perimeter network?
- How will you administer the Edge Transport server?
- How will you configure mail flow?
- How will you configure the transport agent settings?
The following sections explain factors that affect each planning decision.
The following figure summarizes the tasks that you must perform to configure an Edge Transport server to support an existing Exchange 2003 or Exchange 2000 Server organization. Each of these tasks is described in the following sections of this topic.
[Figure: Summary of Configuration Tasks]
Adding the Edge Transport Server to the Perimeter Network
Typically, the Edge Transport server is installed as a stand-alone server without any domain membership. A stand-alone server configuration provides an excellent level of isolation and is the most secure implementation. Although the Edge Transport server can be installed on a domain-joined computer, the Edge Transport server will always use ADAM to store recipient and configuration information and will never access Active Directory directly.
When you add the Edge Transport server to the perimeter network, you must consider how the Edge Transport server will interact with other servers in the perimeter network. The following are some topology considerations:
- Have you deployed Microsoft Internet Security and Acceleration (ISA) Server 2006 in the perimeter network to handle Internet network traffic? In this scenario, ISA doesn't proxy or modify the SMTP protocol. ISA can be configured to redirect, or tunnel, the SMTP protocol to the Edge Transport server. For more information, see Using ISA Server 2006 with Exchange 2007.
- Do you have an existing smart host or SMTP relay in the perimeter network? After the Edge Transport server is deployed, you can load balance traffic between the Edge Transport server and the existing server during a test period. Or you can just decommission the existing smart host or SMTP relay.
- Do you have an existing anti-spam gateway product deployed in the perimeter network? After the Edge Transport server is deployed, you can decommission the existing gateway product. If you want to maintain both systems for a while, you can configure a Send connector on the Edge Transport server so that it will relay e-mail to the existing system before the e-mail is delivered to the Exchange organization.
To provide smart host and SMTP relay services, you must allow for access through TCP port 25 on both the internal and external firewalls, to and from the Edge Transport server.
Administering the Edge Transport Server
No Exchange-specific administrative groups are configured on an Edge Transport server. Because the Edge Transport server is designed to be deployed as a stand-alone server, the local administrator account is granted full access to the Edge Transport server role. To create user-specific administrative accounts, you can create local user accounts on the Edge Transport server and then add those accounts to the Local Administrators group on that computer.
If you want to perform remote administration of the Edge Transport server, you must enable remote connections to the Edge Transport server by using Microsoft Windows Remote Desktop. You must also configure the internal firewall to allow for access to TCP port 3389. This port is used by the Remote Desktop Protocol (RDP).
Configuring Mail Flow
After the Edge Transport server is deployed, you perform the configuration steps required to enable mail flow between the Edge Transport server and the Internet and between the Edge Transport server and the Exchange 2003 organization. You must perform the following tasks:
- Verify the configuration of the DNS mail exchange (MX) records for the SMTP domains for which the Edge Transport server will accept e-mail.
- Configure accepted domains on the Edge Transport server. Accepted domains define the SMTP domains for which this server accepts e-mail. An accepted domain can be configured as authoritative, internal relay, or external relay. For more information, see Managing Accepted Domains.
- Configure connectors on the Edge Transport server to accept mail from and send mail to the Internet. The following connectors are required:
  - Internet Send connector: You must have a Send connector that is configured to route e-mail messages to the Internet. Configure the address space that this connector sends to as all domains. You specify all domains by using an asterisk (*). You can select to use DNS name resolution to route e-mail or to route all e-mail through a smart host, such as a server hosted by your ISP. This connector is used to send mail to all Internet SMTP domains unless you configure additional connectors for specific domains.
  - Internet Receive connector: You must have a Receive connector that is bound to the external IP address of the Edge Transport server and is set to receive traffic on port 25. This connector is used to receive mail from all Internet SMTP domains and should accept anonymous submissions. The default Receive connector on an Edge Transport server is configured to accept e-mail submissions from both the Internet and from the Exchange organization. You don't have to configure a second Receive connector unless you want to separate incoming SMTP traffic or configure different authentication methods for Internet and Exchange organization e-mail.
- Configure connectors on the Edge Transport server to accept mail from the organization for relay to the Internet and to send mail to the organization that is being relayed from the Internet. The following connectors are required:
  - Send connector that is configured to send e-mail to the Exchange organization: The address space for this connector specifies the authoritative and internal relay domains for which this server receives mail. You can configure the address space as "--". The "--" placeholder represents the list of authoritative and internal relay accepted domains; alternatively, you can configure a list of SMTP domains. Configure this Send connector to use a smart host for routing e-mail. List one or more Exchange 2003 or Exchange 2000 bridgehead servers as the smart host. If you configure more than one smart host on a Send connector, connections will be load balanced between them.
    Note: Exchange 2003 and Exchange 2000 transmit some information, such as the spam confidence level (SCL) for a message, as Exch50 data. To preserve this data when messages are relayed from the Edge Transport server to the Exchange organization, you must modify the discretionary access control list (DACL) on this Send connector to grant the NT Authority\ANONYMOUS LOGON account the ms-Exch-SMTP-Send-Exch50 permission.
    Important: We recommend that you configure this Send connector to use Basic authentication plus TLS to authenticate to the legacy Exchange server. If you select an alternative authentication method, such as Externally Secured (for example, with IPsec), you must modify the registry of the Exchange 2003 server to enable it to receive anonymous submission of Exch50 data.
  - Receive connector that is bound to the internal IP address of the Edge Transport server and that is set to receive traffic on port 25: The remote IP range from which this connector accepts mail is set to the IP addresses or address range of the Exchange Server 2003 or Exchange 2000 Server bridgehead servers inside the organization. The default Receive connector on an Edge Transport server is configured to accept e-mail submissions from both the Internet and from the Exchange organization. You don't have to configure a second Receive connector unless you want to separate incoming SMTP traffic or configure different authentication methods for Internet and Exchange organization e-mail.
- Configure the Edge Transport server to accept all or some incoming SMTP connections to the organization. To do this, you can modify DNS MX records to direct mail for your SMTP domains to the Edge Transport server. If the MX records reference the firewall IP address, configure firewall rules to direct SMTP traffic to the Edge Transport server.
- To process mail that is outgoing from the Exchange organization to the Internet through the Edge Transport server, create an SMTP connector on an Exchange 2003 bridgehead server. You configure this SMTP connector to route all mail through a smart host and designate the fully qualified domain name (FQDN) or IP address of the Edge Transport server as the smart host. If you have an existing SMTP connector that is configured to send e-mail to the Internet, you can modify that SMTP connector to revise the smart host information.
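The connector configuration described above, carried out in the Exchange Management Shell on the Edge Transport server, as an added example that is not part of the original topic. The SMTP domain, server names, IP addresses and connector names are constructed placeholders; the SMTP connector on the Exchange 2003 bridgehead (the last step) is created in Exchange System Manager and is not shown here.

```powershell
# Added example (not from the original topic). Constructed values:
#   external NIC 203.0.113.25, internal NIC 10.0.0.25, SMTP domain contoso.com,
#   Exchange 2003 bridgeheads bh1/bh2.contoso.local at 10.0.1.11 and 10.0.1.12.
# MX check from any host before cutting over:  nslookup -type=MX contoso.com

# 1. Accepted domain: the SMTP domain for which this server accepts e-mail.
New-AcceptedDomain -Name "Contoso" -DomainName "contoso.com" -DomainType Authoritative

# 2. Internet Send connector: address space "*" (all domains), routed by DNS.
New-SendConnector -Name "Edge to Internet" -Usage Internet `
    -AddressSpaces "*" -DNSRoutingEnabled $true

# 3. Send connector to the Exchange 2003 bridgeheads. "--" stands for all
#    authoritative and internal relay accepted domains; the two smart hosts are
#    load balanced. Basic authentication over TLS is the recommended mechanism;
#    Get-Credential prompts for the account the bridgehead will accept.
New-SendConnector -Name "Edge to Exchange 2003" -Usage Internal `
    -AddressSpaces "--" -DNSRoutingEnabled $false `
    -SmartHosts "bh1.contoso.local","bh2.contoso.local" `
    -SmartHostAuthMechanism BasicAuthRequireTLS `
    -AuthenticationCredential (Get-Credential)

# 4. Preserve Exch50 data (for example the SCL) on the relay to Exchange 2003:
#    grant ANONYMOUS LOGON the ms-Exch-SMTP-Send-Exch50 right on that connector.
Add-ADPermission -Identity "Edge to Exchange 2003" `
    -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Send-Exch50

# 5. Optional separate Receive connectors (the default Receive connector already
#    accepts both Internet and organization mail). Internet-facing: external IP,
#    anonymous submission as set by -Usage Internet.
New-ReceiveConnector -Name "Edge Internet" -Usage Internet -Bindings "203.0.113.25:25"
#    Organization-facing: internal IP, remote range limited to the bridgeheads only.
New-ReceiveConnector -Name "Edge Internal" -Usage Internal `
    -Bindings "10.0.0.25:25" -RemoteIPRanges "10.0.1.11","10.0.1.12"

# 6. Review what was created.
Get-SendConnector    | Format-List Name,AddressSpaces,SmartHosts,SmartHostAuthMechanism
Get-ReceiveConnector | Format-List Name,Bindings,RemoteIPRanges,PermissionGroups
```

Keeping the organization-facing Receive connector's remote IP range restricted to the bridgehead addresses is what prevents the internal interface from becoming an open relay path.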
For more information about how to configure mail flow, see How to Deploy an Edge Transport Server in an Existing Exchange Server 2003 Organization.
Configuring Transport Agent Settings
By default, all the transport agents are installed and enabled on the Edge Transport server. You can disable the Recipient Filtering agent because it is not available in this scenario. For more information about how to configure anti-spam and antivirus settings, see Managing Anti-Spam and Antivirus Features.
If you have configured anti-spam settings on Exchange 2003, you can use the Exchange 2007 Anti-Spam Migration Tool to migrate the anti-spam settings from Exchange 2003 to the Edge Transport server. The Exchange 2007 Anti-Spam Migration Tool reads the Exchange 2003 anti-spam settings from Active Directory and converts them to an equivalent Windows PowerShell script that consists of Exchange 2007 tasks. You can then run the script on the Edge Transport server role. For more information and to download this tool, see Exchange 2007 Anti-Spam Migration Tool.
For More Information
For more information, see the following topics: