Welcome  |  Sign in
Skip Navigation Links
Exchange Server TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Exchange Server
 White Paper: Edge Subscription and ...
White Paper: Edge Subscription and Synchronization

Topic Last Modified: 2007-03-29

Kate Follis, Senior Technical Writer, Microsoft Exchange Server

March 2007

This white paper provides detailed information about Edge Subscriptions and the EdgeSync synchronization process. You use Edge Subscriptions to populate the Active Directory Application Mode (ADAM) directory service instance on the Microsoft Exchange Server 2007 Edge Transport server role with Active Directory directory service data. This establishes secure, automatic replication of information from Active Directory to ADAM. The EdgeSync synchronization process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server.

In Exchange 2007, the Edge Transport server role is deployed in your organization's perimeter network. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides Simple Mail Transfer Protocol (SMTP) relay and smart host services for the Exchange organization. Additional layers of message protection and security are provided by a series of agents that run on the Edge Transport server and act on messages as they are processed by the message transport components. These agents support the features that provide protection against viruses and spam and apply transport rules to control message flow.

An Edge Transport server can be subscribed to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site associates the Edge Transport server with the Exchange organization. This process reduces the administration that you must perform in the perimeter network by letting you perform required configuration on the Hub Transport server role and then write that information to the Edge Transport server. An organization that deploys more than one Edge Transport server can maintain a consistent configuration by using Edge Subscriptions. You must create an Edge Subscription if you plan to use the anti-spam features, recipient lookup or safelist aggregation, or the Domain Security feature.

Objectives and acknowledgements   Much of the information in this white paper originally appeared as individual Help topics in the Exchange Server 2007 Help. In this white paper, we have consolidated this information to provide an end-to-end, printable guide that you can use to deploy, test, and maintain Edge Subscriptions for Exchange 2007.

Note:
To print this white paper, click Printer Friendly Version in your Web browser.

This white paper is intended to walk you through the deployment of Edge Subscriptions. Read all of it. Also, as with any software deployment, we recommend that you set up the solution in a lab and experiment with the functionality before you deploy it in the real world.

During the development of Exchange 2007, the Microsoft IT department deployed Edge Subscriptions with early adopter partners. As a result, configuration and deployment issues were discovered and fixed. Other minor configuration and deployment issues have also been identified and are documented in this white paper.

The following people reviewed this content for technical accuracy: Chris Ahlers, Felix Deschamps, Hao Zhang, Matt Kuzior, Steve Clagg, and Shawn Thomas.

Return to top

The Exchange 2007 Edge Subscription feature introduces new terminology and functionality. Familiarity with the Edge Subscription terminology will help you understand the information in this document. In this section, I define Edge Subscription terminology and components to help you understand the Edge Subscription feature.

  • Edge Subscription   The Edge Subscription is the record of an Edge Transport server that has been subscribed to an Exchange organization. The ADAM directory service on a subscribed Edge Transport server is updated with information from Active Directory by the Microsoft Exchange EdgeSync service.
  • Edge Subscription process   The Edge Subscription process is the procedure that an administrator follows to establish an Edge Subscription for an Edge Transport server. You subscribe an Edge Transport server to an Active Directory site to associate the Edge Transport server with the Exchange organization.
  • Edge Subscription file   The Edge Subscription file is an XML file that is exported from the Edge Transport server and imported to the Hub Transport server to establish the Edge Subscription. The Edge Subscription file contains information about the Edge Transport server and information about the credentials that are used to establish the initial synchronization.
  • EdgeSync bootstrap replication account   The EdgeSync bootstrap replication account (ESBRA) is the set of credentials that is generated on the Edge Transport server whenever a new Edge Subscription file is generated. The credentials are written to the Edge Subscription file, transferred to the Exchange organization, and used by Hub Transport servers to authenticate to the Edge Transport server during the initial synchronization of data. These credentials are used only to establish the initial synchronization. They expire 1,440 minutes (24 hours) after the Edge Subscription file is created.
  • EdgeSync replication account   An EdgeSync replication account (ESRA) is the set of credentials that is used to authenticate and authorize the secure LDAP connection between an Edge Transport server and a Hub Transport server. After the Edge Subscription is created in the Exchange organization, each Hub Transport server generates a unique set of ESRA credentials for each subscribed Edge Transport server. The credentials are managed by the system, stored on the Exchange server Active Directory configuration object in an encrypted form, and replicated to ADAM to create a reciprocal ESRA.
  • Edge Credential service   The Edge Credential service, which runs on Edge Transport servers only, creates the reciprocal ESRA accounts in ADAM so that a Hub Transport server can authenticate to an Edge Transport server to perform EdgeSync synchronization.
  • Microsoft Exchange EdgeSync service   The Microsoft Exchange EdgeSync service is the data synchronization service that runs on a Hub Transport server. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed periodically performs one-way replication of recipient and configuration data to ADAM. The Microsoft Exchange EdgeSync service copies only the information that is required for the Edge Transport server to perform anti-spam configuration tasks or to use Domain Security, and information about the Send connector configuration that is required to enable mail flow between the Exchange 2007 organization's Hub Transport servers and the Internet through one or more Edge Transport servers. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.
  • EdgeSync synchronization process   The EdgeSync synchronization process is the task or process that the Microsoft Exchange EdgeSync service performs to propagate data from Active Directory to the subscribed Edge Transport server. Configuration data is synchronized one time each hour. Recipient data is synchronized one time every four hours. The Microsoft Exchange EdgeSync service invokes ESRA credentials and transfers data over an encrypted channel. When synchronization occurs, new objects are added to ADAM, deleted objects are removed, and property modifications are written to existing objects. During the initial replication, ADAM is populated. After the initial replication has finished, synchronization occurs at fixed intervals. Configuration data is synchronized at one-hour intervals. Recipient data is synchronized at four-hour intervals. You can use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to start immediate synchronization.

Return to top

You start the Edge Subscription process by exporting an Edge Subscription XML file on the Edge Transport server. When the Edge Subscription file is created on the Edge Transport server by using the New-EdgeSubscription cmdlet in the Exchange Management Shell, the following actions occur:

  • An ADAM account is created.
  • Credentials are retrieved and written to the Edge Subscription XML file.

Each Edge Transport server requires an individual Edge Subscription. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.

Next, the Edge Subscription XML file is transferred to a Hub Transport server that is located in the Active Directory site to which you want to subscribe the Edge Transport server. The Edge Subscription file is imported to the Hub Transport server by using either the New-EdgeSubscription cmdlet or the New Edge Subscription wizard in the Exchange Management Console. This step finishes the Edge Subscription process. The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM. The ADAM credentials that are created during the Edge Subscription process are used to authenticate the secure Lightweight Directory Access Protocol (secure LDAP) connection that is made during the initial synchronization process.

To deploy an Edge Transport server and subscribe it to an Active Directory site, follow these steps:

  1. Install the Edge Transport server role.
  2. Verify that the Hub Transport servers and the Edge Transport server can locate one another by using Domain Name System (DNS) name resolution. For more information about this step, see Configuring DNS Settings for Exchange 2007 Servers.
  3. Configure the objects and settings to be replicated to the Edge Transport server.
  4. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server to export the Edge Subscription file.
  5. Copy the Edge Subscription file to a Hub Transport server.
  6. Run the New-EdgeSubscription cmdlet in the Exchange Management Shell or use the New Edge Subscription wizard in the Exchange Management Console to import the Edge Subscription file.
    Important:
    The ESBRA credentials are written to the Edge Subscription file in clear text. You must protect this file throughout the Edge Subscription process. As noted earlier in this white paper, these credentials are used only to establish the initial synchronization and will expire 1,440 minutes (24 hours) after the Edge Subscription file is created. If the Edge Subscription process is not completed within that time, you must run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Edge Transport server again to create a new Edge Subscription file. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Edge Transport server, the Hub Transport server, and any removable media.

The following figure illustrates the Edge Subscription process.

Edge Subscription process


Edge subscription file import and export process

To perform the Edge Subscription procedures on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

To perform the Edge Subscription procedures on a computer that has the Hub Transport server role installed, the account you use must be delegated the Exchange Organization Administrator role.

For more information about permissions, delegating roles, and the rights that are required to administer Exchange 2007, see Permission Considerations.

Return to top

When the New-EdgeSubscription command is run on the Edge Transport server to export the Edge Subscription file, any objects that will be replicated from Active Directory to ADAM by the Microsoft Exchange EdgeSync service are removed from the Edge Transport server. After you import the Edge Subscription file on the Hub Transport server, recipient and configuration data is replicated from Active Directory to ADAM. Therefore, you must configure settings on the Hub Transport server to populate the settings on the Edge Transport server.

Note:
After an Edge Transport server is subscribed to the Exchange organization, the tasks that are used to configure the objects that are replicated to the Edge Transport server by the Microsoft Exchange EdgeSync service are disabled on the Edge Transport server.

Verify that the perimeter network firewall that separates the Edge Transport server from the Exchange organization is configured to enable communications through the correct ports. The Edge Transport server uses non-standard LDAP ports. By default, these ports are configured when the Edge Transport server role is installed. You can modify the ports that are used by ADAM by using the ConfigureAdam.ps1 script that is provided with Exchange 2007. However, do not modify the ports after you create the Edge Subscription. If you modify the ports after you create the Edge Subscription, you must resubscribe the Edge Transport server. By default, the following LDAP ports are used to access ADAM:

  • LDAP   Port 50389/TCP is used locally to bind to the ADAM instance. This port does not have to be open on the perimeter network firewall.
  • Secure LDAP   Port 50636/TCP is used for directory synchronization from Hub Transport servers to ADAM. This port must be open for successful EdgeSync synchronization.

Verify that DNS host name resolution is successful from the Edge Transport server to the Hub Transport servers, and from the Hub Transport servers to the Edge Transport server.

License the Edge Transport server. The licensing information for the Edge Transport server is captured when the Edge Subscription is created and is shown in the Exchange Management Console for the Exchange organization. For subscribed Edge Transport servers to appear as licensed, they must be subscribed to the Exchange organization after the license key is applied on the Edge Transport server. If the license key is applied on the Edge Transport server after you perform the Edge Subscription process, the licensing information is not updated in the Exchange organization, and you must resubscribe the Edge Transport server.

Configuring Settings for Propagation to Edge Transport Servers

You configure the following settings for propagation to the Edge Transport server role:

  • Internal SMTP servers   Use the Set-TransportConfig cmdlet to configure the InternalSMTPServers parameter. This parameter specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering.
  • Accepted domains   Configure all authoritative domains, internal relay domains, and external relay domains.
  • Remote domains   Configure remote domain settings.
  • Domain Secure lists   Configure the TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes on the TransportConfig object for the Exchange organization. These attributes specify the list of remote domains that are configured for mutual Transport Layer Security (TLS) authentication.

Return to top

You subscribe an Edge Transport server to an Active Directory site. Subscribing the Edge Transport server to the Active Directory site enables the Edge Transport server to receive updates to ADAM from Active Directory and creates a synchronization relationship between the Edge Transport server and the Hub Transport servers deployed in that site. The Edge Subscription process also creates an Active Directory site membership affiliation for the Edge Transport server. The site affiliation enables Hub Transport servers in the Exchange organization to relay messages to the Edge Transport server for delivery to the Internet without having to configure explicit Send connectors.

One or more Edge Transport servers can be subscribed to a single Active Directory site. However, an Edge Transport server cannot be subscribed to more than one Active Directory site. If you have more than one Edge Transport server deployed, each server can be subscribed to a different Active Directory site. Each Edge Transport server requires an individual Edge Subscription. A subscribed Edge Transport server can support only one Exchange organization.

When you run the New-EdgeSubscription cmdlet on the Edge Transport server, the following actions occur:

  • An ADAM account is created. This account is the EdgeSync bootstrap replication account (ESBRA). As noted earlier in this white paper, these credentials are used to authenticate the first EdgeSync connection to the Edge Transport server. The account is configured to expire 1,440 minutes (24 hours) after it is created. Therefore, you must complete the Edge Subscription process before that time expires. If the ESBRA expires before the Edge Subscription process is complete, you must run the New-EdgeSubscription cmdlet on the Edge Transport server again to create a new Edge Subscription file.
  • The ESBRA credentials are retrieved from ADAM and written to the Edge Subscription file. The public key for the Edge Transport server's self-signed certificate is also exported to the Edge Subscription file. The credentials that are written to the Edge Subscription file are specific to the server from which the file is exported.
  • Any previously created configuration objects in a class that will now be replicated to ADAM from Active Directory are deleted from ADAM and the Exchange Management Shell tasks used to configure those objects are disabled. You can still use the tasks that let you view those objects. The following tasks are disabled on the Edge Transport server when you run the New-EdgeSubscription cmdlet:
    • Set-SendConnector
    • New-SendConnector
    • Remove-SendConnector
    • New-AcceptedDomain
    • Set-AcceptedDomain
    • Remove-AcceptedDomain
    • New-MessageClassification
    • Set-MessageClassification
    • Remove-MessageClassification
    • New-RemoteDomain
    • Set-RemoteDomain
    • Remove-RemoteDomain

When you import the Edge Subscription file on the Hub Transport server by running the New-EdgeSubscription cmdlet in the Exchange Management Shell or by using the New Edge Subscription wizard in the Exchange Management Console, the following actions occur:

  • The Edge Subscription is created, establishing a record of an Edge Transport server which has been joined to an Exchange organization and to which the Microsoft Exchange EdgeSync service will propagate configuration data. This step creates the Edge configuration object in Active Directory.
  • Each Hub Transport server in the Active Directory site receives notification from Active Directory that a new Edge Transport server has been subscribed. The Hub Transport server retrieves the ESBRA from the Edge Subscription file. The Hub Transport server then encrypts the ESBRA by using the public key of the Edge Transport server's self-signed certificate. The encrypted credentials are then written to the Edge configuration object.
  • Each Hub Transport server also encrypts the ESBRA by using its own public key and then stores the credentials in its own configuration object.
  • EdgeSync replication accounts (ESRA) are created in Active Directory for each Edge Transport-Hub Transport server pair. Each Hub Transport server stores its ESRA credentials as an attribute of the Hub Transport server configuration object.
  • Send connectors are automatically created to relay messages outbound from the Edge Transport server to the Internet, and inbound from the Edge Transport server to the Exchange organization. For more information, see "EdgeSync and Send Connectors" later in this white paper.
  • The Microsoft Exchange EdgeSync service that runs on Hub Transport servers uses the ESBRA credentials to establish a secure LDAP connection between a Hub Transport server and the Edge Transport server and performs the initial replication of data. The following data is replicated to ADAM:
    • Topology data
    • Configuration data
    • Recipient data
    • ESRA credentials
  • The Microsoft Exchange Credential Service that runs on the Edge Transport server installs the ESRA credentials. These credentials are used to authenticate and secure later synchronization connections.
  • The EdgeSync synchronization schedule is established.

The Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed will now perform one-way replication of data from Active Directory to ADAM on a regular schedule.

Return to top

How to Export an Edge Subscription File

Perform the following procedure on the Edge Transport server. You must provide the complete file path of the Edge Subscription file that you are creating.

Procedure

To use the Exchange Management Shell to create an Edge Subscription file

  • Run the following command:

    New-EdgeSubscription -FileName "C:\EdgeSubscriptionInfo.xml"

How to Import the Edge Subscription File

When you import the Edge Subscription file, you can select whether to have the Send connector to the Internet automatically created. You can also select whether to have the Send connector from the Edge Transport server to the Hub Transport servers in the Active Directory site to which the Edge Transport server is subscribed created automatically. If you decide not to have the Send connectors created automatically, you can manually configure Send connectors as needed.

Procedure

To use the Exchange Management Console to import the Edge Subscription file

  1. Copy the Edge Subscription file from the Edge Transport server to the Hub Transport server where you will perform this procedure.

  2. Open the Exchange Management Console. Expand Organization Configuration, select Hub Transport, and then in the result pane, click the Edge Subscriptions tab.

  3. In the action pane, click New Edge Subscription. The New Edge Subscription Wizard starts.

  4. On the New Edge Subscription page, in the Active Directory Site: drop-down list, select an Active Directory site.

  5. On the New Edge Subscription page, click Browse. Locate the Edge Subscription file to import. Select the file, and then click Open.

  6. On the New Edge Subscription page, click New.

  7. On the Completion page, click Finish.

To use the Exchange Management Shell to import the Edge Subscription file

  • Run the following command to subscribe an Edge Transport server to the specified site and to have the Internet Send connector and the Send connector from the Edge Transport server to the Hub Transport servers created automatically. This command also forces the initial synchronization to immediately start:

    New-EdgeSubscription -filename "C:\EdgeSubscriptionInfo.xml" -CreateInternetSendConnector $true - CreateInboundSendConnector $true -site "Default-First-Site-Name" -Force
    Note:
    The default value of the CreateInternetSendConnector parameter and the CreateInboundSendConnector parameter is $true. It is shown here for demonstration only.
Note:
It is a best practice to delete the Edge Subscription file from the Edge Transport server after you copy the file to the Hub Transport server where you will import the Edge Subscription file, and from the Hub Transport server after the subscription is imported.

Return to top

When you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on an Edge Transport server, information about the Edge Transport server and the ESBRA credentials is written to the Edge Subscription file.

The following table describes the data that is contained in the Edge Subscription XML file.

Contents of the Edge Subscription file

Subscription data Description

Edge Transport server name

The NetBIOS name of the Edge Transport server. The name of the Edge Subscription in Active Directory will match this name.

Edge Transport server FQDN

The fully-qualified domain name (FQDN) of the Edge Transport server. The Hub Transport servers in the subscribed Active Directory site must be able to locate the Edge Transport server by using DNS to resolve the FQDN.

Edge certificate binary large object (BLOB)

The public key of the Edge Transport server's self-signed certificate.

ESRA user name

The name assigned to the ESBRA. The ESBRA account has the following format: ESRA.Edge Transport server name. ESRA means EdgeSync replication account.

ESRA password

The password assigned to the ESBRA. The password is generated by using a random number generator and is stored in the Edge Subscription file in clear text.

Effective date

The creation date of the Edge Subscription file.

Duration

The length of time that these credentials will be valid before they expire. The ESBRA account is valid for only 24 hours.

ADAM SSL port

The secure LDAP port to which the Microsoft Exchange EdgeSync service binds when synchronizing data from Active Directory to ADAM. By default, this is TCP port 50636.

Product ID

The licensing information for the Edge Transport server. After an Edge Transport server is subscribed to Active Directory, the licensing information about the Edge Transport server is displayed in the Exchange Management Console for the Exchange organization. You must license the Edge Transport server before you create the Edge Subscription for this information to be displayed correctly.
Important:
The ESBRA credentials are written to the Edge Subscription file in clear text. You must protect this file throughout the subscription process. After the Edge Subscription file is imported to a Hub Transport server, you should immediately delete the Edge Subscription file from the Edge Transport server, the Hub Transport server, and any removable media.

Return to top

EdgeSync replication accounts (ESRA) are an important part of EdgeSync security. Authentication and authorization of the ESRA is the mechanism used to help secure the connection between an Edge Transport server and a Hub Transport server.

The ESBRA contained in the Edge Subscription file is used to establish a secure LDAP connection only during the initial synchronization. After the Edge Subscription file is imported to a Hub Transport server in the Active Directory site to which the Edge Transport is being subscribed, additional ESRA accounts are created in Active Directory for each Edge Transport-Hub Transport server pair. During initial synchronization, the newly created ESRA credentials are replicated to ADAM. These ESRA credentials are used to help secure later synchronization sessions.

Each EdgeSync replication account is assigned the properties described in the following table.

Ms-Exch-EdgeSyncCredential properties

Property name Type Description

TargetServerFQDN

String

The Edge Transport server that will accept these credentials.

SourceServerFQDN

String

The Hub Transport server that will present these credentials. This value is empty if the credential is the bootstrap credential.

EffectiveTime

DateTime (Coordinated Universal Time [UTC])

When to start using this credential.

ExpirationTime

DateTime (UTC)

When to stop honoring this credential.

UserName

String

The user name that is used to authenticate.

Password

Byte

The password that is used to authenticate. The password is encrypted by using ms-Exch-EdgeSync-Certificate.

The following sections of this white paper describe how the ESRA credentials are provisioned and used during the EdgeSync synchronization process.

Provisioning the EdgeSync Bootstrap Replication Account (ESBRA)

When the New-EdgeSubscription cmdlet is run on the Edge Transport server, the ESBRA is provisioned as follows:

  • A self-signed certificate (Edge-Cert) is created on the Edge Transport server. The private key is stored in the local computer store and the public key is written to the Edge Subscription file.
  • The ESBRA (ESRA.Edge) is created in ADAM and the credentials are written to the Edge Subscription file.
  • The Edge Subscription file is exported by copying it to removable media. The file is now ready to import to a Hub Transport server.

Provisioning EdgeSync Replication Accounts in Active Directory

When the Edge Subscription file is imported on a Hub Transport server, the following steps occur to establish a record of the Edge Subscription in Active Directory and to provision additional ESRA credentials.

  1. An Edge Transport server configuration object is created in Active Directory. The Edge-Cert certificate is written to this object as an attribute.
  2. Every Hub Transport server in the subscribed Active Directory site receives an Active Directory notification that a new Edge Subscription has been registered. As soon as the notification is received, each Hub Transport server retrieves the ESRA.Edge account and encrypts the account by using the Edge-Cert public key. The encrypted ESRA.Edge account is written to the Edge Transport server configuration object.
  3. Each Hub Transport server creates a self-signed certificate (Hub-Cert). The private key is stored in the local computer store and the public key is stored in the Hub Transport server configuration object in Active Directory.
  4. Each Hub Transport server encrypts the ESRA.Edge account by using the public key of its own Hub-Cert certificate and then stores it on its own configuration object.
  5. Each Hub Transport server generates an ESRA for each existing Edge Transport server configuration object in Active Directory (ESRA.Hub.Edge). The account name is generated by using the following naming convention:
    ESRA.<Hub Transport server NetBIOS Name>.<Edge Transport server NetBIOS Name>.<Effective Date UTC Time>
    The password for ESRA.Hub.Edge is generated by a random number generator and is encrypted by using the public key of the Hub-Cert certificate. The generated password has the maximum length allowed for Microsoft Windows Server.
  6. Each ESRA.Hub.Edge account is encrypted by using the public key of the Edge-Cert certificate and is stored on the Edge Transport server configuration object in Active Directory.

The following sections of this white paper explain how these accounts are used during the EdgeSync synchronization process.

Return to top

Authenticating Initial Replication

The ESBRA account, ESRA.Edge, is used only when establishing the initial synchronization session. During the first EdgeSync synchronization session, the additional ESRA accounts, ESRA.Hub.Edge, are replicated to ADAM. These accounts are used to authenticate later EdgeSync synchronization sessions.

The Hub Transport server that performs the initial replication is determined randomly. The first Hub Transport server in the Active Directory site to perform a topology scan and discover the new Edge Subscription performs the initial replication. Because this discovery is based on the timing of the topology scan, any Hub Transport server in the site may perform the initial replication.

The Microsoft Exchange EdgeSync service initiates a secure LDAP session from the Hub Transport server to the Edge Transport server. The Edge Transport server presents its self-signed certificate and the Hub Transport server verifies that the certificate matches the certificate that is stored on the Edge Transport server configuration object in Active Directory. After the Edge Transport server's identity is verified, the Hub Transport server provides the credentials of the ESRA.Edge account to the Edge Transport server. The Edge Transport server verifies the credentials against the account that is stored in ADAM.

The Microsoft Exchange EdgeSync service on the Hub Transport server then pushes the topology, configuration, and recipient data from Active Directory to ADAM. The change to the Edge Transport server configuration object in Active Directory is replicated to ADAM. ADAM receives the newly added ESRA.Hub.Edge entries and the Edge Credential service creates the corresponding ADAM account. These accounts are now available to authenticate later scheduled EdgeSync synchronization sessions.

Edge Credential Service

The Edge Credential service is part of the Edge Subscription process. It runs only on the Edge Transport server. This service creates the reciprocal ESRA accounts in ADAM so that a Hub Transport server can authenticate to an Edge Transport server to perform EdgeSync synchronization. The Microsoft Exchange EdgeSync service does not communicate directly with the Edge Credential service. The Edge Credential service communicates with ADAM and installs the ESRA credentials whenever the Hub Transport server updates them.

Authenticating Scheduled Synchronization Sessions

After initial EdgeSync synchronization finishes, the EdgeSync synchronization schedule is established and data that has changed in Active Directory is regularly updated in ADAM. A Hub Transport server initiates a secure LDAP session with the ADAM instance on the Edge Transport server. ADAM proves its identity to that Hub Transport server by presenting its self-signed certificate. The Hub Transport server presents its ESRA.Hub.Edge credentials to ADAM. The ESRA.Hub.Edge password is encrypted by using the Hub Transport server's self-signed certificate's public key. This means that only that particular Hub Transport server can use those credentials to authenticate to ADAM.

Renewing EdgeSync Replication Accounts

The password for the ESRA account must comply with the local server's password policy. To prevent the password renewal process from causing temporary authentication failure, a second ESRA.Hub.Edge account is created seven days before the first ESRA.Hub.Edge account expires with an effective time that is three days before the first ESRA expiration time. As soon as the second ESRA account becomes effective, EdgeSync stops using the first account and starts to use the second account. When the expiration time for the first account is reached, those ESRA credentials are deleted. This renewal process will continue until the Edge Subscription is removed.

Return to top

The following figure illustrates the EdgeSync synchronization process.

EdgeSync synchronization process


EdgeSync synchronization process

The initial replication populates ADAM with data from Active Directory. This can take some time, depending on the quantity of data in the directory service. Successive synchronization updates ADAM with new and changed objects and removes any objects that have been deleted from Active Directory.

The directory service changes that are available to synchronize to ADAM at the synchronization intervals are completely dependent on the data that has been replicated to the global catalog server to which the Hub Transport server is bound. The Hub Transport server will bind to the global catalog server that is discovered by the Microsoft Exchange Active Directory Topology service when an Exchange 2007 server starts. Binding to a global catalog server makes sure that recipient data for every domain in the forest is propagated to ADAM.

As noted earlier in this white paper, the Microsoft Exchange EdgeSync service is the data synchronization service that periodically replicates configuration data from Active Directory to a subscribed Edge Transport server. The Microsoft Exchange EdgeSync service runs on all Hub Transport servers under the context of the Local Service account. Data is pushed from Active Directory by the Hub Transport server inside the organization to the Edge Transport server in the perimeter network. This means that the Hub Transport server always initiates the synchronization session and that the Microsoft Exchange EdgeSync service performs only one-way synchronization from Active Directory to ADAM. Data from ADAM is never synchronized to Active Directory.

To perform synchronization, the Microsoft Exchange EdgeSync service establishes a mutually authenticated and authorized secure LDAP channel from the Hub Transport server to the Edge Transport server. The ESRA credentials that are provisioned during the Edge Subscription process are used to establish the secure LDAP connection.

By default, the Microsoft Exchange EdgeSync service uses the non-standard TCP port 50636 for secure LDAP communications. Your internal firewall must allow outbound communication through this port to the Edge Transport servers in the perimeter network. If you want to modify the secure LDAP port that is used to connect to ADAM, you must use the ConfigureAdam.ps1 script that is provided with Exchange 2007.

Return to top

Selection of a Preferred Hub Transport Server

If more than one Hub Transport server exists in the site to which an Edge Transport server is subscribed, any of those Hub Transport servers can replicate data to the subscribed Edge Transport servers. However, to avoid contention among the Hub Transport servers during synchronization, a single Hub Transport server is preferred. The preferred Hub Transport server continues to perform synchronization for a particular Edge Transport server. If the preferred Hub Transport server is not available, another Hub Transport server takes over as the preferred server.

The selection of the preferred Hub Transport server occurs as follows:

  • The first Hub Transport server in the Active Directory site to perform a topology scan and discover the new Edge Subscription performs the initial replication. Because this discovery is based on the timing of the topology scan, any Hub Transport server in the site may perform the initial replication.
  • The Hub Transport server that performs the initial replication establishes an EdgeSync lease option and sets a "lock" on the Edge Subscription. The lease option establishes that Hub Transport server as the preferred server to provide synchronization services to that Edge Transport server. The lock prevents the Microsoft Exchange EdgeSync service on another Hub Transport server from taking over the lease option.
  • The EdgeSync lease option lasts for one hour. No other Microsoft Exchange EdgeSync service can take over the option from another Hub Transport server during this one-hour period unless a manual synchronization occurs before this period expires. If the preferred Hub Transport server is not available to provide the Microsoft Exchange EdgeSync service when manual synchronization is performed, after a five-minute wait, the lock is released and another Microsoft Exchange EdgeSync service takes over the lease option and performs synchronization.
  • If manual synchronization is not performed, synchronization occurs based on the EdgeSync synchronization schedule. If the preferred server is not available when scheduled synchronization occurs, after a five-minute wait, the lock is released and another Microsoft Exchange EdgeSync service takes over the lease option and performs synchronization.

This method of locking and leasing prevents more than one instance of the Microsoft Exchange EdgeSync service from pushing data to the same Edge Transport server at the same time.

Note:
When an Edge Transport server is subscribed to an Active Directory site, all the Hub Transport servers that are installed in that Active Directory site at that time can participate in the EdgeSync synchronization process. If one of those servers is removed, the Microsoft Exchange EdgeSync service that is running on the remaining Hub Transport servers will continue the data synchronization process. However, if new Hub Transport servers are installed in the Active Directory site, they will not participate in the EdgeSync synchronization process. To enable those Hub Transport servers to participate in the EdgeSync synchronization process, you have to resubscribe the Edge Transport server.

The following table lists the EdgeSync properties that are related to the locking and leasing process. The properties are not configurable.

EdgeSync lease properties

Property name Value Description

Lock duration

5 minutes

This setting determines for how long a particular Microsoft Exchange EdgeSync service will acquire a lock. If the Microsoft Exchange EdgeSync service on the Hub Transport server that is holding this lock does not respond, it will take five minutes for the Microsoft Exchange EdgeSync service on another Hub Transport server to take over the lease. Forcing EdgeSync synchronization does not override this value.

Option duration

1 hour

This setting determines for how long a Microsoft Exchange EdgeSync service can declare a lease option on an Edge Transport server. If the Microsoft Exchange EdgeSync service holding the lease is unavailable and does not restart during this option period, no other Microsoft Exchange EdgeSync service will take over the lease option, unless you force EdgeSync synchronization.

Lock renewal

1 minute

This setting determines how frequently the lock field is updated when a Microsoft Exchange EdgeSync service has acquired a lock to an Edge Transport server.

Return to top

Synchronization Schedule

Different types of data synchronize on different schedules. The schedule specifies the maximum length of time that a Microsoft Exchange EdgeSync service should go between synchronization intervals. The EdgeSync schedule intervals are not configurable. However, if you use the Start-EdgeSynchronization cmdlet in the Exchange Management Shell to force synchronization of Edge Subscriptions to occur immediately, you override the timer that determines the next time that EdgeSync synchronization is scheduled to occur.

The following table lists the EdgeSync schedule parameters that determine when different types of data are synchronized to ADAM.

EdgeSync schedule parameters

Parameter Value Description

Configuration

1 hour

This parameter determines the frequency at which the Microsoft Exchange EdgeSync service will try to synchronize configuration data to an Edge Transport server.

Recipients

4 hours

This parameter determines the frequency at which the Microsoft Exchange EdgeSync service will try to synchronize recipient data to an Edge Transport server.

Topology

5 minutes

This parameter determines how frequently topology information is reloaded.

How to Force EdgeSync Synchronization

You can use the Start-EdgeSynchronization cmdlet to force synchronization to start immediately. You may want to do this to start initial replication immediately after you create the Edge Subscription or if you have made significant changes to the configuration or recipients in Active Directory. The Start-EdgeSynchronization cmdlet resets the EdgeSync synchronization schedule. The time of the subsequent synchronization intervals is based on the time that this command is initiated.

Note:
If you try to run this procedure during regular synchronization, an error will occur.

Procedure

To use the Exchange Management Shell to force EdgeSync synchronization

  • Run the following command:

    Start-EdgeSynchronization

Return to top

Because Active Directory and ADAM both use LDAP, and because both directory services use the Exchange 2007 schema, you can replicate data from Active Directory to ADAM. This replication is established when you subscribe an Edge Transport server to an Active Directory site. The Edge Subscription process enables the Hub Transport servers in that site to use the Microsoft Exchange EdgeSync service to synchronize recipient and configuration data from Active Directory to the ADAM instance on the Edge Transport server. The Microsoft Exchange EdgeSync service performs scheduled updates so that the information in ADAM remains current.

Note:
The Microsoft Exchange EdgeSync service performs only one-way replication of data from Active Directory to ADAM. Information from ADAM is never replicated to Active Directory, and any existing data in ADAM is not merged with Active Directory data. When an Edge Subscription is created, Active Directory becomes the authoritative data source for the Edge Transport server and any existing objects in ADAM of a replicated data class are overwritten.

Several types of data are replicated from Active Directory to ADAM:

  • Edge Subscription information
  • Configuration information
  • Recipient information
  • Topology information

The following sections describe these types of data and the way that they are used by the Edge Transport server.

Edge Subscription Information

Exchange 2007 extends both the Active Directory and ADAM schemas to provide attributes on the ms-Exch-ExchangeServer object to represent the data needed to control the EdgeSync synchronization process. These attributes provide the following three functions that are important to the EdgeSync synchronization process:

  • They provide automatic provisioning and maintenance of the credentials that are used to help secure the LDAP connection between a Hub Transport server and a subscribed Edge Transport server.
  • They arbitrate the synchronization lock and lease process that makes sure that only one Hub Transport server at a time will try to synchronize with an individual Edge Transport server.
  • They optimize the EdgeSync synchronization process to maintain a record of the current synchronization status and avoid excessive manual synchronization.

The following table lists the schema extensions that are specific to Edge Subscriptions. The values assigned to these attributes are maintained by the Edge Subscription and EdgeSync synchronization process. You should not manually edit these attributes by using editing tools, such as Ldp.exe or Active Directory Service Interfaces (ADSI) Edit.

Edge Subscription schema extensions

Attribute name Description

ms-Exch-Server-EKPK-Public-Key

This attribute represents the current public key for the certificate being used by the server. This value is stored by both Edge Transport servers and Hub Transport servers. The public key is used to encrypt the credentials that are used to authenticate the server during LDAP and SMTP communication.

ms-Exch-EdgeSync-Credential

This attribute represents the list of credentials that the Microsoft Exchange EdgeSync service uses to establish an authenticated LDAP session to ADAM. On Hub Transport servers, this attribute contains only the credentials that the Hub Transport server uses to authenticate to the subscribed Edge Transport servers. On Edge Transport servers, this attribute contains the credentials of each Hub Transport server in the subscribed Active Directory site that participates in the EdgeSync synchronization process. This attribute is only present on Hub Transport servers that run the EdgeSync synchronization process and on subscribed Edge Transport servers.

ms-Exch-Edge-Sync-Lease

This attribute is used to arbitrate between Hub Transport servers when more than one Hub Transport server tries to replicate to the same Edge Transport server.

ms-Exch-Edge-Sync-Status

This attribute is only present in ADAM on the Edge Transport server object. This attribute tracks the status of replication to an ADAM instance and includes information about replication.

Return to top

Configuration Information

When you subscribe to an Edge Transport server to the organization, you can manage the configuration objects that are common to the Edge Transport server and the Exchange organization from inside the organization and then write those changes to the Edge Transport server by using the Microsoft Exchange EdgeSync service. This process helps maintain a consistent configuration across all servers involved in message processing.

A subset of the configuration data for the Exchange organization must also be maintained on the Edge Transport server. During the EdgeSync synchronization process, the configuration data that the Edge Transport server needs is written to the configuration partition of ADAM. If you manually configure the Edge Transport server and then decide to create an Edge Subscription for that server, the affected configuration objects are deleted. The configuration data written to ADAM includes the following:

  • Hub Transport servers   The FQDN of each Hub Transport servers in the subscribed Active Directory site is made available to the local ADAM store on the Edge Transport server. This information is used to derive a list of smart host servers for the inbound Send connector.
  • Accepted domains   All authoritative, internal relay, and external relay domains configured for the Exchange organization are written to ADAM. Having the accepted domains available to Edge Transport enables the Exchange organization to perform domain filtering and reject invalid SMTP traffic into their organization as early as possible. For more information about accepted domains, see Managing Accepted Domains.
  • Message classifications   If message classifications are available on the Edge Transport server, transport agents and content conversion can act on message classifications in the perimeter network. For example, the Attachment Filter agent can apply the “Attachment Removed” classification when it removes an attachment. Therefore, informational text will be displayed to a Microsoft Outlook user or an Outlook Web Access user to tell the recipient what happened. Agents that are developed for use by third-party applications can use message classifications in a similar manner. Also, message classifications may have to be translated by the Edge Transport server from a GUID in an X-header to TNEF as a localized recipient description.
  • Remote domains   All remote domain policies configured for the Exchange organization are written to ADAM. Remote domain policies control out-of-office message settings and message format settings for a remote domain. For more information about remote domains, see Managing Remote Domains.
  • Send connectors   By default, the Send connectors required to enable end-to-end mail flow between the Exchange organization and the Internet are automatically created. Any existing Send connectors on the Edge Transport server are deleted. If you want to configure additional Send connectors, you configure the Send connector inside the Exchange organization and select the Edge Subscription as the source server for the connector.
  • Internal SMTP servers   The value for the InternalSMTPServers attribute is stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. This attribute specifies a list of internal SMTP server IP addresses or IP address ranges that should be ignored by Sender ID and connection filtering.
  • Domain Secure lists   The TLSReceiveDomainSecureList and the TLSSendDomainSecureList attributes are stored on the TransportConfig object for both the Exchange organization and the local Edge Transport server. During the EdgeSync synchronization process, the value that is stored on the local Edge transport server object is overwritten with the value that is stored on this object for the Exchange organization. These attributes specify the list of remote domains that are configured for mutual TLS authentication.

The tasks used to configure the configuration objects described earlier in this section are disabled on the Edge Transport server when it is subscribed to the Exchange organization. You can still use the tasks that let you view these objects. If you remove an Edge Subscription from an Edge Transport server, all replicated configuration objects are removed from ADAM.

Return to top

Recipient Information

The recipient information that is replicated to ADAM includes only a subset of the recipient attributes. Only the data that the Edge Transport server must have to perform certain anti-spam tasks is replicated. Distribution groups are not replicated to ADAM. The recipient information replicated to ADAM includes the following:

  • Recipients   The list of recipients in the Exchange organization is replicated to ADAM. Each recipient is identified by the GUID assigned to it in Active Directory. If you configure a recipient's user account to deny receipt of mail from outside the organization, the recipient is not replicated to ADAM. If you disable or delete the mailbox for a recipient, it is not replicated to ADAM.
  • Proxy addresses   All proxy addresses assigned to each recipient are replicated to ADAM as hashed data. This is a one-way hash that uses Secure Hash Algorithm (SHA) 256. SHA-256 generates a 256-bit message digest of the original data. Storing proxy addresses as hashed data helps secure this information in case the Edge Transport server or ADAM is compromised. Proxy addresses are referenced when the Edge Transport server performs the recipient lookup anti-spam task.
  • Safe Senders List and Safe Recipients List   The Safe Senders Lists and Safe Recipients Lists that are defined in each recipient's Outlook instance are aggregated and replicated to ADAM. These settings are stored on the Mailbox store where the recipient's mailbox resides. Information about blocked senders is not replicated. An Outlook user's safelist collection is the combined data from the user's Safe Senders List, Safe Recipients List, Blocked Senders List, and external contacts. Having safelist collection data available in ADAM enables the Edge Transport server to screen senders appropriately, reducing the operational overhead involved with filtering mail. This information is sent as hashed data.
  • Per Recipient anti-spam settings   By using the Set-Mailbox cmdlet, you can assign anti-spam threshold settings per recipient that differ from the organization-wide anti-spam settings. If you configure per recipient anti-spam settings, these settings override the organization-wide settings. By replicating these settings to ADAM, the per recipient settings can be considered before the message is relayed to the Exchange organization. This information is sent as hashed data.

If you remove an Edge Subscription, all the replicated data is also removed and you will no longer be able to use the Edge Transport features that rely on this recipient data.

Topology Information

The topology information includes notification of newly subscribed Edge Transport servers or removed Edge Subscriptions. This data is refreshed every five minutes.

Return to top

After an Edge Transport server is subscribed to the Exchange organization, all configuration of Send connectors for that Edge Transport server must be performed on a Hub Transport server. The EdgeSync synchronization process then replicates those Send connectors to ADAM as part of the configuration data. This section describes the Send connectors that are automatically created during the EdgeSync synchronization process and how the Edge Subscription affects the configuration of Send connectors for the Edge Transport server.

Automatically Created Send Connectors

By default, when you complete the Edge Subscription process by importing the Edge Subscription file to a Hub Transport server, the Send connectors that are required to enable end-to-end mail flow between the Internet and the Exchange organization are created automatically. Any existing Send connectors on the Edge Transport server are deleted. You can also select to suppress automatic creation of Send connectors and configure Send connectors manually. Manual Send connector configuration for a subscribed Edge Transport server is discussed in "Manually Configuring Send Connectors" later in this white paper.

The EdgeSync synchronization process provisions the following Send connectors:

  • A Send connector that is configured to relay e-mail messages from the Exchange organization to the Internet
  • A Send connector that is configured to relay e-mail messages from the Edge Transport server to the Exchange organization

Also, by subscribing an Edge Transport server to the Exchange organization, you enable Hub Transport servers that are located in the Active Directory directory service site to which the Edge Transport server is subscribed to use the intra-organization Send connector to relay messages to that Edge Transport server. These Send connectors are described in the following sections of this white paper.

Automatically Created Send Connector to the Internet

By default, when you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Hub Transport server, the CreateInternetSendConnector parameter is set to $true. The following table shows the default configuration of this Send connector.

Automatic Internet Send connector configuration

Parameter Value

Name

EdgeSync - <Site Name> to Internet

Address Space

SMTP:*;100

Source Servers

Edge Subscription name

Note:
The name of the Edge Subscription is the same as the name of the subscribed Edge Transport server.

Enabled

True

DNS Routing Enabled

True

Domain Secure Enabled (Mutual Auth TLS)

True

If more than one Edge Transport server is subscribed to the same Active Directory site, additional Send connectors to the Internet are not created. Instead, all Edge Subscriptions are added to the same Send connector as source servers. This configuration causes outbound connections to the Internet to be load balanced between the subscribed Edge Transport servers.

This Send connector is configured to send e-mail messages from the Exchange organization to all remote SMTP domains. It will use DNS routing to resolve domain names to mail exchange (MX) records. You can modify the configuration of this connector manually. However, if you must route outbound e-mail through a smart host, for example, you can suppress creation of this connector and manually configure a Send connector to the Internet.

Note:
A Send connector that is configured to use a smart host to route e-mail must have the DNSRoutingEnabled parameter set to $false. If the DNSRoutingEnabled parameter is set to $false, the DomainSecureEnabled parameter must also be set to $false.

Automatically Created Inbound Send Connector

By default, when you run the New-EdgeSubscription cmdlet in the Exchange Management Shell on the Hub Transport server, the CreateInboundSendConnector is parameter set to $true. You cannot change the value of this parameter when you use the New Edge Subscription Wizard in the Exchange Management Console. The following table shows the configuration of this Send connector.

Automatic inbound Send connector configuration

Parameter Value

Name

EdgeSync - Inbound to <Site Name>

Address Space

SMTP:--;1

Source Servers

Edge Subscription name

Enabled

True

DNS Routing Enabled

False

Smart Hosts

--

The -- placeholder in the address space for the inbound Send connector represents the authoritative and internal relay accepted domains for the Exchange organization and is the literal character displayed. Any messages that the Edge Transport server receives for authoritative and internal relay accepted domains are routed to this Send connector and relayed to the smart hosts.

The -- placeholder in the list of smart hosts represents all the Hub Transport servers that are located in the subscribed Active Directory site and is the literal character displayed. Hub Transport servers that are added to an Active Directory site after an Edge Subscription has been established do not participate in the EdgeSync synchronization process. However, they are automatically added to the list of smart hosts for the inbound Send connector. If more than one Hub Transport server is located in the subscribed Active Directory site, inbound connections will be load balanced across the smart hosts.

You cannot modify the address space or list of smart hosts for the inbound Send connector. However, if you use the New-EdgeSubscription cmdlet in the Exchange Management Shell when you create the Edge Subscription on the Hub Transport server, you can set the value of the CreateInboundSendConnector parameter to $false. If you do this, no inbound connector is created and you must manually configure a Send connector from the Edge Transport server to the Exchange organization.

After the initial EdgeSync synchronization has finished, you can run the Get-SendConnector cmdlet in the Exchange Management Shell on the subscribed Edge Transport server to verify that these Send connectors are created.

Intra-organization Send Connector

The intra-organization Send connector is an implicit and hidden Send connector that is automatically computed by Exchange 2007 and enables Hub Transport servers in the same organization to relay messages to one another without using explicit Send connectors. Because a configuration object that has an Active Directory site association exists in Active Directory for an Edge Subscription, the intra-organization Send connector will also be used to relay messages to that Edge Transport server.

Only Hub Transport servers that are located in the same Active Directory site to which the Edge Transport server is subscribed can send and receive e-mail directly to or from the subscribed Edge Transport server. If you have a multi-site forest and Exchange 2007 is deployed in more than one site, the Hub Transport servers in non-subscribed sites will route outbound e-mail to the subscribed site. A Hub Transport server in the subscribed site will route outbound e-mail to the Edge Transport server.

The following figure shows outbound mail flow from a non-subscribed Active Directory site in an Exchange organization. An Active Directory forest with two sites has associated an Edge Subscription with Site-A. If a message is sent from Site-B to an Internet recipient, it will be relayed first to Site-A. The receiving Hub Transport server in Site-A relays the message to the Edge Transport server by using the intra-organization Send connector. The Edge Transport server then routes the message to the automatically created EdgeSync - Site-A to Internet Send connector for delivery to the recipient domain.

Outbound mail flow with an Edge Subscription


Outbound mail flow with Edge Subscription

The following figure illustrates inbound mail flow from the Internet through a subscribed Edge Transport server. In this example, a message is received for a recipient whose mailbox is stored on a Mailbox server that is located in Site-B. The Edge Transport server receives the message and routes it to the EdgeSync - Inbound to Site-A Send connector. The receiving Hub Transport server in Site-A then routes the message to Site-B by using the intra-organization Send connector.

Inbound mail flow with an Edge Subscription


Inbound mail flow with an Edge Subscription

Return to top

Manually Configuring Send Connectors

After an Edge Transport server is subscribed to an Active Directory site, the tasks for creating and modifying Send connectors are disabled on the Edge Transport server. If you want to create a Send connector for which the Edge Transport server is a source server, you create the Send connector inside the Exchange organization. You can specify one or Edge Subscriptions as the source server for a Send connector. You cannot specify both Hub Transport servers and Edge Subscriptions as source servers for the same Send connector. The Send connector will be replicated to the ADAM instance on the Edge Transport server that is configured as a source server the next time that configuration data is synchronized by the EdgeSync synchronization process. If you list more than one Edge Subscription as a source server, connections to that Send connector will be load balanced between the subscribed Edge Transport servers. However, the Edge Transport servers have to be subscribed to the same Active Directory site for load balancing to occur. If Edge Subscriptions in different Active Directory sites are configured as source servers on the same Send connector, Hub Transport servers will route only to the closest source server.

You have to create Send connectors manually in the following scenarios:

  • You have suppressed automatic creation of the Internet or Inbound Send connectors.
  • You have accepted domains that are configured as external relay domains.

Suppressing Automatic Creation of Send Connectors

Depending on the topology of your Exchange organization, you may decide to suppress automatic creation of Send connectors. The following scenarios provide examples of topologies that require that you suppress automatic creation of Send connectors.

Partitioning Mail Flow

You may decide to partition the inbound and outbound mail processing between two Edge Transport servers. In this scenario, one Edge Transport server is responsible for processing outbound mail flow and a second Edge Transport server is responsible for processing inbound mail flow. To achieve this scenario, you configure the Edge Subscriptions as follows:

  • For the Edge Transport server that processes only outbound mail flow, run the following command in the Exchange Management Shell on the Hub Transport server:
    New-EdgeSubscription -File "c:\edge1subscriptionfile.xml" -Site "Site-A" -CreateInboundSendConnector $false -CreateInternetSendConnector $true
  • For the Edge Transport server that processes only inbound mail flow, run the following command in the Exchange Management Shell on the Hub Transport server:
    New-EdgeSubscription -File "c:\edge2subscriptionfile.xml" -Site "Site-A" -CreateInboundSendConnector $true -CreateInternetSendConnector $false
Routing Outbound E-Mail to a Smart Host

If your Exchange organization routes all outbound e-mail through a smart host, the default automatically created Send connector to the Internet will not have the correct configuration.

In this scenario, you run the following command in the Exchange Management Shell on the Hub Transport server to suppress automatically creation of the Send connector to the Internet:

New-EdgeSubscription -File "c:\edgesubscriptionfile.xml" -Site "Site-A" -CreateInternetSendConnector $false

After the Edge Subscription process is complete, manually create a Send connector to the Internet. Create the Send connector inside the Exchange organization and select the Edge Subscription as the source server for the connector. Select the Custom usage and configure one or more smart hosts. The Send connector will be replicated to the ADAM instance on the Edge Transport server the next time that EdgeSync synchronizes configuration data. You can also force EdgeSync synchronization to immediately start by running the Start-EdgeSynchronization cmdlet in the Exchange Management Shell on a Hub Transport server.

The following code provides an example of how to use the Exchange Management Shell to configure a Send connector for a subscribed Edge Transport server to route messages for all Internet address spaces through a smart host. This task is run inside the Exchange organization, not on the Edge Transport server.

New-SendConnector -Name "EdgeSync - Site-A to Internet" -Usage Custom -AddressSpaces SMTP:*;100 -DNSRoutingEnabled $false -SmartHosts 192.168.10.1 -SmartHostAuthMechanism None -SourceTransportServers EdgeSubscriptionName
Important:
This example does not specify any smart host authentication mechanism. Make sure that you configure the correct authentication mechanism and provide all necessary credentials when you create a smart host connector in your own Exchange organization.

Configuring Send Connectors for External Relay Domains

If you have accepted domains in your Exchange organization that are configured as external relay domains, you have to manually create a Send connector for those address spaces. Messages that are being delivered to external relay domains are relayed by the Edge Transport server. The Edge Subscription process does not automatically create and configure Send connectors for external relay domains. Therefore, you have to configure Send connectors for those domains and specify one or more Edge Subscriptions as the source server for those Send connectors. 

The DNS MX resource record for an external relay domain resolves to your Edge Transport server. Configure a Send connector that relays e-mail to an external relay domain to use a smart host for routing. If you configure the Send connector for an external relay domain to use DNS routing, a routing loop will occur. For more information about external relay domains, see Managing Accepted Domains.

Return to top