Configuring Edge Transport Server Connectors
Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-07-02
After you install the Microsoft Exchange Server 2007 Edge Transport server role, you must configure the Send connectors and Receive connectors. Send connectors and Receive connectors must exist for the Edge Transport server to send and receive messages from the Internet and to send and receive messages from Hub Transport servers in the Exchange organization. You subscribe an Edge Transport server to the organization to complete the Send connector configuration on an Edge Transport server. The Microsoft Exchange EdgeSync service replicates the appropriate connectors to the Edge Transport server. If you don't use EdgeSync, you must manually create and configure the Send connectors that EdgeSync creates. Use the information in this topic to determine the appropriate configuration.
This topic describes the required connectors for a typical Exchange 2007 installation and the tasks you must perform to create and configure those connectors.
Note: The Edge Transport servers and the Hub Transport servers must be able to use domain name system (DNS) host resolution to locate each other. For more information, see How to Configure a DNS Suffix for the Edge Transport Server Role.
In Exchange 2007, Receive connectors represent an inbound connection point for Simple Mail Transfer Protocol (SMTP) communications. Send connectors represent a logical gateway through which all outbound messages are sent. For end-to-end mail flow, the Edge Transport server must have connectors that support mail flow to and from the Internet, and to and from the organization. The following connectors are required on the Edge Transport server:
A Send connector that is configured to send messages to the Internet
The address space for this connector is typically "*" (all Internet domains) and DNS routing is used to resolve destinations. The usage type for this connector is Internet. This Send connector is created automatically when the Edge Transport server is subscribed to an Active Directory directory service site by using EdgeSync.
A Receive connector that is configured to accept messages from the Internet
This connector typically accepts connections from all IP address ranges and allows for anonymous access. The local network bindings for this Receive connector should be the external-facing IP address of the Edge Transport server. The usage type for this connector is Internet.
A Send connector that is configured to send messages to the Hub Transport servers in the Exchange organization
The address space for this connector can be "--", or you can list each of your accepted domains. Use the Hub Transport servers in the organization as the smart hosts for this connector. The usage type for this connector is Internal. This Send connector is created automatically when the Edge Transport server is subscribed to an Active Directory site by using EdgeSync.
A Receive connector that is configured to receive messages from Hub Transport servers in the Exchange organization
This connector can be configured to accept connections only from the IP address ranges assigned to the Hub Transport servers. The local network bindings for this Receive connector should be the internal-facing IP address of the Edge Transport server. The usage type for this connector is Internal. This connector is optional.
Note: By default, a single Receive connector is configured on the Edge Transport server during installation. This connector is used for both incoming Internet e-mail and incoming e-mail from the Hub Transport servers. The permissions on the connector are automatically determined by how sessions are authenticated. The Edge Subscription process automatically configures permissions and authentication. A second Receive connector is optional and is typically configured only when EdgeSync is not used.
During installation, one Receive connector is created. This Receive connector is configured to accept SMTP communications from all IP address ranges and is bound to all IP addresses of the local server. It is configured to have the Internet usage type. Therefore, the connector accepts anonymous connections. If you use EdgeSync, no additional Receive connectors are required. The Edge Subscription process automatically configures permissions and authentication mechanisms. Anonymous sessions and authenticated sessions are granted different permission sets.
If you don't use EdgeSync, we recommend that you modify the settings of this Receive connector and create an additional Receive connector of the Internal usage type. To complete Receive connector configuration, follow these steps:
1. Modify the settings of the default Receive connector. Set the local network bindings to the IP address of only the Internet-facing network adapter.
Note: If Exchange 2007 Service Pack 1 (SP1) is deployed on a computer that is running Windows Server 2008, you can enter IP addresses and IP address ranges in the Internet Protocol Version 4 (IPv4) format, Internet Protocol Version 6 (IPv6) format, or both formats. A default installation of Windows Server 2008 enables support for IPv4 and IPv6.
We strongly recommend against configuring Receive connectors to accept anonymous connections from unknown IPv6 addresses. If you configure a Receive connector to accept anonymous connections from unknown IPv6 addresses, the amount of spam that enters your organization is likely to increase. Currently, there is no broadly accepted industry standard protocol for looking up IPv6 addresses. Most IP Block List providers do not support IPv6 addresses. Therefore, if you allow anonymous connections from unknown IPv6 addresses on a Receive connector, you increase the chance that spammers will bypass IP Block List providers and successfully deliver spam into your organization.
For more information about Exchange 2007 SP1 support for IPv6 addresses, see IPv6 Support in Exchange 2007 SP1 and SP2. For more information about connection filtering, how to add IP addresses to the IP Allow list and IP Block list, and how to configure IP Block List provider services and IP Allow List provider services, see Configuring Connection Filtering.
2. Create a new Receive connector. Select Internal as the connector usage type. Set the local network bindings to the IP address of the organization-facing network adapter only. Configure the remote network settings to receive mail from the remote IP addresses that are assigned to the Hub Transport servers.
Note: Any Receive connector that is responsible for accepting connections from Edge Transport servers or other Hub Transport servers must have the Exchange Server authentication method assigned to it. The Exchange Server authentication method is the default authentication method when you create a new Receive connector that has the Internal usage type.
If you want to support Basic authentication, create a local user account and grant the necessary permissions by using the Add-ADPermission cmdlet.
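The two Receive connector steps above, written as Exchange Management Shell commands with a follow-up check for the anonymous IPv6 exposure that the note warns about. This is an added example, not part of the original Microsoft topic; the connector names, server name and all IP addresses are constructed placeholders.

```powershell
# Run in the Exchange Management Shell on the Edge Transport server.
# Constructed values: connector names, 203.0.113.10 (Internet-facing adapter),
# 10.0.0.5 (organization-facing adapter), 10.0.0.20-21 (Hub Transport servers).
# Assumed connector name; confirm the real one with Get-ReceiveConnector.
$defaultConnector = 'Default internal receive connector EDGE01'

# Step 1: bind the default connector to the Internet-facing adapter only and
# accept remote IPv4 addresses only, so anonymous IPv6 senders are not admitted.
Set-ReceiveConnector -Identity $defaultConnector `
    -Bindings '203.0.113.10:25' `
    -RemoteIPRanges '0.0.0.0-255.255.255.255'

# Step 2: Internal connector on the organization-facing adapter, reachable only
# from the Hub Transport servers. Internal usage defaults to the Exchange Server
# authentication method.
New-ReceiveConnector -Name 'From Hub Transport' -Usage Internal `
    -Bindings '10.0.0.5:25' `
    -RemoteIPRanges '10.0.0.20','10.0.0.21'

# Check: list connectors that grant anonymous access and still accept an IPv6
# range (assumes an IPv6 range contains ':' when converted to a string).
Get-ReceiveConnector | Where-Object {
    ("$($_.PermissionGroups)" -match 'AnonymousUsers') -and
    (($_.RemoteIPRanges | ForEach-Object { "$_" }) -match ':')
} | Format-List Name, Bindings, RemoteIPRanges, PermissionGroups
```

An empty result from the last command means no anonymous Receive connector accepts IPv6 senders.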
When you subscribe an Edge Transport server to the organization, the Send connectors that are required to send messages to the internal organization and to the Internet are automatically created by the Microsoft Exchange EdgeSync service. You must perform manual configuration of the connectors if you decide not to create an Edge Subscription.
To complete configuration of Send connectors by using an Edge Subscription, follow these steps:
1. Install the Hub Transport server role.
2. On the Edge Transport server role, export the Edge Subscription file. If you are installing more than one Edge Transport server, each server requires a separate subscription file.
3. On the Hub Transport server role, import the Edge Subscription.
4. Verify that synchronization was successful.
To manually complete configuration of Send connectors and not create an Edge Subscription, follow these steps:
1. Create a new Send connector and select Internet as the usage type. Set the address space to "*" (all domains). Configure the network settings to use DNS MX records to route mail automatically.
2. Create a new Send connector and select Internal as the usage type. Use your accepted domains as the address space. Configure the network settings to route all mail through smart hosts. Add the IP address or fully qualified domain names (FQDN) of one or more Hub Transport servers as the smart hosts. Select Externally Secured (for example with IPsec) as the authentication mechanism for the smart host security settings. You must also verify that a Receive connector exists on the Hub Transport server that is configured to accept connections from the IP address range of the Edge Transport servers and that the Receive connector is set to use Externally Secured (for example with IPsec) as the authentication mechanism.
Note: If you select Externally Secured (for example with IPsec) as the authentication method, no authentication occurs. A trusted network connection must exist between the transport servers. This connection may be an IPsec association or a virtual private network, or the servers may reside in a trusted physically controlled network. Alternative authentication mechanisms can be used for this connector. For more information about the available authentication mechanisms, see Exchange 2007 Transport Permissions Model.
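The manual Send connector procedure and the matching Hub Transport Receive connector, as Exchange Management Shell commands, followed by a review listing of every connector that relies on Externally Secured. This is an added example, not part of the original Microsoft topic; connector names, contoso.com, host names and IP addresses are constructed placeholders.

```powershell
# --- On the Edge Transport server (Exchange Management Shell) ---
# Constructed values: names, contoso.com, hub01.contoso.com, 10.0.0.x addresses.

# Step 1: Internet Send connector, all domains, routed by DNS MX lookup.
New-SendConnector -Name 'Edge to Internet' -Usage Internet `
    -AddressSpaces '*' -DNSRoutingEnabled $true

# Step 2: Internal Send connector for the accepted domain, routed through the
# Hub Transport smart host. ExternalAuthoritative is the shell value for
# "Externally Secured (for example with IPsec)".
New-SendConnector -Name 'Edge to Hub Transport' -Usage Internal `
    -AddressSpaces 'contoso.com' -DNSRoutingEnabled $false `
    -SmartHosts 'hub01.contoso.com' `
    -SmartHostAuthMechanism ExternalAuthoritative

# --- On the Hub Transport server ---
# Receive connector that accepts only the Edge Transport server's address.
New-ReceiveConnector -Name 'From Edge Transport' -Usage Internal `
    -Bindings '10.0.0.20:25' -RemoteIPRanges '10.0.0.5'
Set-ReceiveConnector -Identity 'From Edge Transport' `
    -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers

# Review: with Externally Secured no authentication occurs, so RemoteIPRanges
# is the only restriction on who may connect. List every such connector and
# confirm each range covers the Edge Transport servers and nothing wider.
Get-ReceiveConnector | Where-Object {
    "$($_.AuthMechanism)" -match 'ExternalAuthoritative'
} | Format-List Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

# Review (run on the Edge Transport server): confirm routing and smart host
# settings of both Send connectors.
Get-SendConnector |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SmartHosts, SmartHostAuthMechanism
```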