The Edge Transport Server Role provides a number of benefits in an Exchange Messaging Architecture. If configured properly, it is a secure, well-integrated SMTP Relay that offers advanced SMTP functionality including MTLS Authentication and detailed Agent Rule Processing. I have detailed installing the Anti-Spam Agent on a Hub Transport Server Role in a separate Blog entry. Fortunately, all those same Anti-Spam capabilities are available by default on the Edge Transport Server Role.
When you consider installing the Edge Transport Server Role it is recommended this Server provide 2 Network Interfaces. One NIC placed externally into a DMZ Network segment with the second NIC placed internally toward a Server Network Segement. Additionally, it is recommended the Edge Transport Server Role be in 'Workgroup Mode' (or not Domain Joined). In my configuration I have Domain Joined this Server. I have configured Edge Transport Servers predominately in Workgroup Mode in Production Environments. The Microsoft Exchange Team has posted a useful mapping of required Ports and Protocols between Exchange 2007 Server Roles. You will find this detail in the Blog Entry titled 'Exchange 2007 Data Path Security Reference (Ports and Protocols Reference)' located here. In this entry you will note that:
- External NIC - Inbound TCP 25 Anonymous
- Internal NIC - Inbound from Edge to Hub Transport using S-LDAP on TCP 50636
<Click the Image to Enlarge in a Separate Window>
Here we observer the IP Configuration detail for the 2 Network Interface Cards on the Edge Transport Server Role.
Use of the 'Winver' utility invoked using Windows PowerShell 1.0 indicates Windows 2003 SP2.
In order for an Edge Transport Server Role to function Active Directory Application Mode (ADAM) SP1 is required. Here are the steps for installation.
A successful (by observation only) installation of ADAM SP1.
We are now ready to initiate the Exchange 2007 Installation Steps for the Exchange 2007 Edge Transport Role.
I choose a 'Custom Installation' to be able to manually select 'Edge Transport Server' as the Role Type.
A normal 'Error Message' reminding that 32-Bit Exchange 2007 cannot be used in Production Environments.
Success! Completion of the Exchange 2007 Edge Transport installation is near.
I invoke the Exchange 2007 Management Console to validate basic information.
Note the 'Edge Transport' under the 'Role' Column. Also note the Anti-Spam Agent is installed by default.
When we observe the 'Accepted Domains' Tab note not 'Accepted Domains' are listed. We will separately define an 'Edge Subscription' to populate this information in the configuration.
Next I move to install the 'Update Rollup 4 for Exchange 2007'.
With 'Update Rollup 4 for Exchange 2007' installed I move to 'Reboot'.
Upon a succesful Reboot I invoke the Exchange Command Shell Commandlet of 'Test-ServiceHealth' to ensure all Services started appropriately.
From here I would initiate a new Edge Subscription with the Hub Transport Server Role. I will follow this process in a seperate Blog entry.
If you'd like to 'Learn Advanced IT' - Check out the Free Video Lessons on Windows 2008 SP2 Failover Cluster Nodes for Highly Available File Services and other Microsoft topics as well - http://www.exchangesummit.net.
Lynn Lunik
Independent Security Consultant
Windows(R) Platform
IT Pro Secure Corporation
and
exchangesummit.net
http://itprosecure.com and http://www.exchangesummit.net
blog <at> itprosecure.com
Posted
Sep 05 2007, 03:06 PM
by
lynn lunik