Planning for Edge Transport Servers

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

The Microsoft Exchange Server 2007 Edge Transport server role is designed to provide improved antivirus and anti-spam protection for the Exchange organization. Computers that have the Edge Transport server role also apply policies to messages in transport between organizations. The Edge Transport server role is deployed in an organization's perimeter network. The perimeter network is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain. This topic provides an overview of the steps that we recommend that you perform when planning to deploy the Edge Transport server role.

Planning for Edge Transport Server Deployment

The Edge Transport server role differs from other Exchange 2007 server roles in several important ways that you must consider when you plan your deployment. The Exchange 2007 Edge Transport server does not have access to Active Directory for storage of configuration and recipient information as do the other Exchange 2007 server roles. The Edge Transport server uses the Active Directory Application Mode (ADAM) directory service to store configuration and recipient information. The Edge Transport server is deployed outside the Exchange organization in the perimeter network and can provide Simple Mail Transfer Protocol (SMTP) relay and smart host functionality. The Edge Transport server also has an important role in providing anti-spam and antivirus functionality for the Exchange organization.

Note

Exchange 2007 Service Pack 1 (SP1) supports deployment of server roles on a Windows Server 2008 computer. If the Edge Transport server is installed on Windows Server 2008, ADAM is replaced by Active Directory Lightweight Directory Services (AD LDS). Windows Server 2008 includes several features that have been enhanced or renamed. For information about the feature changes between Windows Server 2003 and Windows Server 2008, see Terminology Changes.

When you plan to deploy the Edge Transport server role, you should consider all the following topics:

  • Topology Options   Begin by planning where you will put your Edge Transport server in the Exchange physical topology. When you have determined where the Edge Transport server will be located in the network relative to your other Exchange servers, you can plan for the connectors that you will require and for how they should be configured. For more information about how to plan for placement of the Edge Transport server, see Planning Your Deployment.

  • Server Capacity   Planning for server capacity includes planning to conduct performance monitoring of the Edge Transport server. Performance monitoring will help you understand how hard the server is working. This information will determine the capacity of your current hardware configuration. For more information, see Planning Processor Configurations.

  • Transport Features   The Edge Transport server can provide antivirus and anti-spam protection at the edge of the network. As part of your planning process, you should determine the transport features that you will enable at the Edge Transport server and how they will be configured. For more information about how to plan to use Exchange 2007 transport features, see Planning for Edge Transport Server Features.

  • Security   The Edge Transport server role is designed to have a minimal attack surface. Therefore, it is important to correctly secure and manage both physical access and network access to the server. Planning for security will help you make sure that IP connections are enabled only from authorized servers and authorized users. For more information, see the Deployment Security Checklist.

    The recommended practice is to put the Edge Transport server within a perimeter network. To make sure that the server can send and receive e-mail and receive recipient and configuration data updates from the Microsoft Exchange EdgeSync service, you must allow communication through the ports that are listed in the following table.

    Communication port settings for Edge Transport servers

    Network interface                            | Open port  | Protocol    | Note
    Inbound from and outbound to the Internet    | 25/TCP     | SMTP        | This port must be open for mail flow to and from the Internet.
    Inbound from and outbound to the internal network | 25/TCP | SMTP        | This port must be open for mail flow to and from the Exchange organization.
    Local only                                   | 50389/TCP  | LDAP        | This port is used to make a local connection to ADAM.
    Inbound from the internal network            | 50636/TCP  | Secure LDAP | This port must be open for EdgeSync synchronization.
    Inbound from the internal network            | 3389/TCP   | RDP         | Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server.

Note

The Edge Transport server role uses non-standard LDAP ports. The ports that are specified in this topic are the LDAP communication ports that are configured when the Edge Transport server role is installed. For more information, see How to Modify ADAM Configuration.

  • EdgeSync   You can create an Edge Subscription to subscribe the Edge Transport server to the Exchange organization. When you create an Edge Subscription, recipient and configuration data is replicated from Active Directory to ADAM. You subscribe an Edge Transport server to an Active Directory site. Then the Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in that site periodically updates ADAM by synchronizing data from Active Directory. The Edge Subscription process automatically provisions the Send connectors that are required to enable mail flow from the Exchange organization to the Internet through an Edge Transport server. If you are using the recipient lookup or safelist aggregation features on the Edge Transport server, you must subscribe the Edge Transport server to the organization. For more information, see Using an Edge Subscription to Populate ADAM with Active Directory Data.
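The following Windows PowerShell script is an added example, not part of the Exchange documentation, that checks the port table above from a host on the internal network: 25/TCP and 50636/TCP must be reachable, 50389/TCP must not be (it is local only on the Edge Transport server), and 3389/TCP is treated as optional. The Edge Transport server name is an assumption; it uses only System.Net.Sockets.TcpClient, so it runs on the PowerShell versions that shipped with Exchange 2007-era Windows.

```powershell
# Added example (not from the Exchange documentation): verify the Edge Transport
# firewall policy as seen from a host on the internal network.
$EdgeServer = 'edge01.perimeter.example.com'   # assumed name of the Edge Transport server

# Expected state from the internal network: $true = must be reachable,
# $false = must NOT be reachable (50389/TCP is a local-only ADAM port).
$Expected = @(
    @{ Port = 25;    Name = 'SMTP';        Reachable = $true  },
    @{ Port = 50636; Name = 'Secure LDAP'; Reachable = $true  },
    @{ Port = 50389; Name = 'LDAP (ADAM)'; Reachable = $false },
    @{ Port = 3389;  Name = 'RDP';         Reachable = $true  }   # optional; set to $false if RDP is closed
)

# Attempt a TCP connect with a timeout; a filtered (dropped) or refused port both report $false.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$failures = 0
foreach ($rule in $Expected) {
    $open = Test-TcpPort -ComputerName $EdgeServer -Port $rule.Port
    $ok = ($open -eq $rule.Reachable)
    if (-not $ok) { $failures++ }
    $status   = if ($ok) { 'OK  ' } else { 'FAIL' }
    $actual   = if ($open) { 'open' } else { 'closed' }
    $wanted   = if ($rule.Reachable) { 'open' } else { 'closed' }
    Write-Host ("{0} {1,-12} {2,5}/TCP is {3}; expected {4}" -f $status, $rule.Name, $rule.Port, $actual, $wanted)
}
if ($failures -gt 0) {
    Write-Warning "$failures port check(s) do not match the Edge Transport port policy."
}
```

Run it from a Hub Transport server to confirm the EdgeSync path (50636/TCP) and from a workstation on the internal network to confirm that the local-only LDAP port is not exposed beyond the Edge server itself.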

For More Information

For more information, see the following topics: