Planning for Edge Transport Servers

[This is pre-release documentation and subject to change in future releases. This topic's current status is: Writing Not Started.]

Applies to: Exchange Server 2010

Topic Last Modified: 2008-12-09

The Microsoft Exchange 2010 Edge Transport server role is designed to provide improved antivirus and anti-spam protection for the Exchange organization. Computers that have the Edge Transport server role also apply policies to messages in transport between organizations. The Edge Transport server role is deployed in an organization's perimeter network. The perimeter network is also known as the boundary network or screened subnet. The Edge Transport server can be deployed as a stand-alone server or as a member of a perimeter Active Directory domain. This topic provides an overview of the steps that we recommend that you perform when planning to deploy the Edge Transport server role.

Planning for Edge Transport Server Deployment

The Edge Transport server role differs from other Exchange 2010 server roles in several important ways that you must consider when you plan your deployment. Unlike the other Exchange 2010 server roles, the Exchange 2010 Edge Transport server does not have access to Active Directory for storage of configuration and recipient information. Instead, the Edge Transport server uses Active Directory Lightweight Directory Services (AD LDS) to store configuration and recipient information. The Edge Transport server is deployed outside the Exchange organization in the perimeter network and can provide Simple Mail Transfer Protocol (SMTP) relay and smart host functionality. The Edge Transport server also has an important role in providing anti-spam and antivirus functionality for the Exchange organization.

When you plan to deploy the Edge Transport server role, you should consider all the following topics:

  • Topology Options   Begin by planning where you will put your Edge Transport server in the Exchange physical topology. When you have determined where the Edge Transport server will be located in the network relative to your other Exchange servers, you can plan for the connectors that you will require and for how they should be configured.

  • Server Capacity   Planning for server capacity includes planning to conduct performance monitoring of the Edge Transport server. Performance monitoring will help you understand how hard the server is working. This information will determine the capacity of your current hardware configuration.

  • Transport Features   The Edge Transport server can provide antivirus and anti-spam protection at the edge of the network. As part of your planning process, you should determine the transport features that you will enable at the Edge Transport server and how they will be configured.

  • **Security**   The Edge Transport server role is designed to have a minimal attack surface. Therefore, it is important to correctly secure and manage both physical access and network access to the server. Planning for security will help you make sure that IP connections are enabled only from authorized servers and authorized users. For more information, see the Deployment Security Checklist.
    The recommended practice is to put the Edge Transport server within a perimeter network. To make sure that the server can send and receive e-mail and receive recipient and configuration data updates from the Microsoft Exchange EdgeSync service, you must allow communication through the ports that are listed in the following table.

    Communication port settings for Edge Transport servers

    | Network interface | Open port | Protocol | Note |
    |---|---|---|---|
    | Inbound from and outbound to the Internet | 25/TCP | SMTP | This port must be open for mail flow to and from the Internet. |
    | Inbound from and outbound to the internal network | 25/TCP | SMTP | This port must be open for mail flow to and from the Exchange organization. |
    | Local only | 50389/TCP | LDAP | This port is used to make a local connection to AD LDS. |
    | Inbound from the internal network | 50636/TCP | Secure LDAP | This port must be open for EdgeSync synchronization. |
    | Inbound from the internal network | 3389/TCP | RDP | Opening this port is optional. It provides more flexibility in managing the Edge Transport servers from inside the internal network by letting you use a remote desktop connection to manage the Edge Transport server. |

Note

The Edge Transport server role uses non-standard LDAP ports. The ports that are specified in this topic are the LDAP communication ports that are configured when the Edge Transport server role is installed. For more information, see Modify AD LDS Configuration.

  • **EdgeSync**   You can create an Edge Subscription to subscribe the Edge Transport server to the Exchange organization. When you create an Edge Subscription, recipient and configuration data is replicated from Active Directory to AD LDS. You subscribe an Edge Transport server to an Active Directory site. Then the Microsoft Exchange EdgeSync service that is running on the Hub Transport servers in that site periodically updates AD LDS by synchronizing data from Active Directory. The Edge Subscription process automatically provisions the Send connectors that are required to enable mail flow from the Exchange organization to the Internet through an Edge Transport server. If you are using the recipient lookup or safelist aggregation features on the Edge Transport server, you must subscribe the Edge Transport server to the organization. For more information, see Using an Edge Subscription to Populate AD LDS with Active Directory Data.
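The port table in the Security section above can be turned into an allowlist that a perimeter firewall ruleset is audited against before the Edge Transport server goes live. The following is an added example, not part of this topic or of any Microsoft tool; the `Rule` record and the sample rulesets are constructed for illustration, and the audit models only which interface a port is opened on, not traffic direction.

```python
"""Audit a perimeter firewall ruleset for an Exchange 2010 Edge Transport server
against the communication port table (added example; rule format is constructed)."""
from dataclasses import dataclass

# (port, protocol) -> interfaces ("internet"/"internal") on which the table permits
# the port, whether the table requires it, and a short note for findings.
# 50389/TCP is local only, so no interface may expose it; 3389/TCP is optional.
EDGE_PORTS = {
    (25, "tcp"):    {"zones": {"internet", "internal"}, "required": True,  "note": "SMTP mail flow"},
    (50636, "tcp"): {"zones": {"internal"},             "required": True,  "note": "EdgeSync secure LDAP"},
    (3389, "tcp"):  {"zones": {"internal"},             "required": False, "note": "RDP management (optional)"},
    (50389, "tcp"): {"zones": set(),                    "required": False, "note": "AD LDS LDAP, local only"},
}


@dataclass(frozen=True)
class Rule:
    """One 'allow' rule: which interface listens, on which port and protocol."""
    zone: str    # "internet" or "internal"
    port: int
    proto: str   # e.g. "tcp"


def audit(rules):
    """Return a list of findings; an empty list means the ruleset matches the table."""
    findings = []
    opened = {(r.zone, r.port, r.proto.lower()) for r in rules}
    # 1. Anything open that the table does not allow on that interface.
    for zone, port, proto in sorted(opened):
        spec = EDGE_PORTS.get((port, proto))
        if spec is None:
            findings.append(f"{zone}: {port}/{proto} open but not needed by Edge Transport")
        elif zone not in spec["zones"]:
            findings.append(f"{zone}: {port}/{proto} must not be exposed ({spec['note']})")
    # 2. Required ports missing on an interface where the table needs them.
    for (port, proto), spec in EDGE_PORTS.items():
        if spec["required"]:
            for zone in sorted(spec["zones"]):
                if (zone, port, proto) not in opened:
                    findings.append(f"{zone}: {port}/{proto} missing, required for {spec['note']}")
    return findings


# Constructed sample rulesets (not taken from any real firewall).
GOOD = [Rule("internet", 25, "tcp"), Rule("internal", 25, "tcp"), Rule("internal", 50636, "tcp")]
BAD = GOOD + [Rule("internet", 50389, "tcp"), Rule("internet", 3389, "tcp")]

if __name__ == "__main__":
    for name, ruleset in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(ruleset) or "no findings")
```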

For More Information

For more information, see the following topics: