Configuring Exchange 2007 to be an Edge Transport Server

One of the new server roles that was introduced in Exchange 2007 was that of an edge transport server. An edge transport server is a specialized server, running a hardened version of Exchange, that sits between your Exchange organization and the Internet. Brien Posey shows how it works.

When Microsoft created Exchange Server 2007, they made some major architectural changes from the previous versions. One of the most basic, but important of these changes was the introduction of server roles. The idea of server roles existed in a limited capacity in the previous version of Exchange, but was greatly expanded in Exchange 2007.

One of the new server roles that was introduced in Exchange 2007 was that of an edge transport server. In case you are not familiar with an edge transport server, it is a specialized server, running a hardened version of Exchange, that sits between your Exchange organization and the Internet. All inbound mail passes through the edge transport server, where unwanted messages are disposed of. The legitimate messages are then sent on to your Exchange Server organization.

In this article series, I am going to show you how to set up an edge transport server from scratch. This first article will walk you through the setup and configuration process. The second article in the series will show you how to configure the edge transport server's filtering capabilities.

Before I Begin

Before I get started, I wanted to warn you that an edge transport server is designed to sit at your network's perimeter. As such, it needs to be far more secure than servers residing on your private network. It is therefore critically important that when you install Windows onto your edge transport server, you do not configure the server to be a domain member.

Beginning the Installation Process

There is a lot more to setting up an edge transport server than just inserting a CD and running Setup. Even so, that's how you will have to begin the process, just to see where you stand. When you run Setup, you will see a screen that's similar to the one that's shown in Figure A. At first glance, this looks like a typical splash screen, but take a closer look at the Install section. Notice that steps 1, 4, and 5 are listed, while steps 2 and 3 are grayed out. When a step is grayed out, it means that the particular step has already been performed. For example, in this particular case, Microsoft Management Console, version 3 and Windows PowerShell are already installed.

Figure A

The splash screen tells you which components you must install.

I won't bore you with the step-by-step details for installing the various prerequisites, but I do want to take a moment and tell you what you need to do to prepare the server for Exchange Server, and where you can get the required components. There are actually quite a few more required components than the ones that are listed on the splash screen. If you don't install all of the prerequisites up front, then Setup will fail a readiness check that takes place halfway through the Setup process, as shown in Figure B.

Figure B

Exchange requires some additional components that are not listed on the splash screen.

There are six required components that you must install prior to installing Exchange. There are also other components that aren't technically required, but that you will probably want to install anyway. An example of such a component is the latest service pack for Windows Server. My advice is to install the latest service pack for Windows Server, and to then install the six components that are listed below. Once those components are in place, run Windows Update, install Exchange Server, and run Windows Update again.

The required components are:


          Microsoft .NET Framework, version 2.0

          Microsoft Management Console version 3.0

          Windows PowerShell

          Hotfix for version 2.0 of the .NET Framework

          IRow-GetColumns hotfix for Windows

          Update for Windows Server x64 Edition (KB898060)

Once these components are in place, there is one more task that you need to perform prior to installing Exchange Server. You must install Active Directory Application Mode (ADAM). In case you aren't familiar with ADAM, it is a database that is designed to closely mimic the Active Directory database.

As I'm sure you probably already know, Exchange 2007 is completely dependent on the Active Directory, and edge transport servers are no different. The problem is that because of their position at the edge of the corporate network, edge transport servers need to be far more secure than other servers in your organization.

Making an edge transport server a domain controller, or even making it a domain member so that it could access the Active Directory would be a huge security risk. Rather than expose the edge transport server to these types of risks, Microsoft designed the edge transport server so that it is not even a domain member. Instead, a process called an edge synchronization copies a minimal amount of information from the Active Directory to the ADAM partition that resides locally on the edge transport server.

I will talk a lot more about the edge synchronization process later on. For now though, you need to install ADAM onto your edge transport server. You can download ADAM from Microsoft's Web site.

Installing Exchange Server

Now that the various prerequisites are in place, it's time to install Exchange Server. The installation process is fairly simple, but a custom installation is required, so I want to walk you through it.

When you click the Install Exchange link, shown in Figure A, you will be taken to the introductory screen that's shown in Figure C. Click Next to bypass this screen, and Setup will display the license agreement, shown in Figure D.

Figure C

Click Next to bypass the introductory screen.

Figure D

Click Next after accepting the license agreement.

Choose the option to accept the license agreement, and click Next. When you do, you will be taken to the screen that's shown in Figure E. This screen asks you if you want to enable error reporting. If you enable error reporting, then Exchange will automatically send error reports to Microsoft without prompting you. Some people like enabling error reporting, while others consider it to be too intrusive. It's really up to you as to whether or not you decide to enable error reporting. Just make your decision, and click Next.

Figure E

You must decide whether or not you want to enable error reporting.

At this point, you will be taken to the screen that's shown in Figure F. This screen asks you if you want to perform a typical Exchange Server installation or a custom installation. Since you are setting up an edge transport server, you absolutely must choose the Custom Exchange Server installation.

Figure F

You must perform a custom Exchange Server installation.

Click Next, and Setup will take you to the screen that's shown in Figure G. As you can see in the figure, this screen allows you to choose the Exchange Server roles that you want to install. Keep in mind that the Edge Transport Server role is exclusive, meaning that it cannot be combined with any other Exchange Server roles. When you choose the Edge Transport Server Role, all of the other options are grayed out, but the Management Tools option is selected by default, as shown in the figure.

Figure G

You must choose the Edge Transport Server role, and nothing else.

When you click Next, Setup will perform the prerequisite check that I showed you earlier. In case you are wondering, the reason why Setup waits until this stage in the process to perform the check is because different roles have different prerequisites. Assuming that you have performed the necessary prep work, the readiness check should be completed successfully.

Figure H

Setup performs a readiness check to make sure that the prerequisites have been met.

Now, just click the Install button, and Setup will begin copying the necessary files, as shown in Figure I. When the file copy process completes, click Finish, and Setup will close, but Windows will open the Exchange Management Console.

Figure I

Click Install, and Setup will begin copying the necessary files.

Figure J

The version of the Exchange Management Console that is used with edge transport servers differs considerably from the version used for managing other types of Exchange servers.

If you look at Figure J, you can see that the management console used by edge transport servers differs considerably from the version that is used for managing Exchange 2007 servers that are hosting other roles. This is because edge transport servers are hardened against attack, and therefore many of the features that are standard on other Exchange servers have been removed.

Performing an Edge Synchronization

So far we have installed Exchange 2007 in a way that will allow it to perform the edge transport server role. The problem is that right now, the server is completely isolated. It is not a member of an Active Directory domain, nor is it aware of the existence of your Exchange Server organization. We need to configure Exchange in a way that will allow communications between the edge transport server and the rest of the Exchange Server organization without actually making the edge transport server a part of the organization.

To do this, we must create an edge synchronization. An edge synchronization is essentially a one way trust relationship. The edge transport server trusts the Active Directory, but the Active Directory does not trust the edge transport server.

Creating an edge synchronization involves creating an XML file that contains pertinent information about the edge transport server. This information is then imported into the Active Directory, to make the Active Directory aware of the edge server's existence.

Before I show you how to perform the edge subscription, I need to warn you about a couple of things. First, creating an edge synchronization overwrites anything that you have manually configured on the edge transport server. Specifically, the following objects and types of information are overwritten:

          Accepted Domains

          Message Classifications

          Remote Domains

          Send Connectors

          The Server's InternalSMTPServers list of TransportConfig Objects

Once you implement the edge synchronization, Exchange will also configure itself so that you can't use the Exchange Management Shell to configure any of these types of objects on the edge transport server. This is a security precaution designed to prevent scripting attacks. You will still be able to manage the server through the Exchange Management Console though.

With that said, let's create the edge subscription. Begin by creating an XML file that can be used for the subscription process: open the Exchange Management Shell, and enter the following command:

New-EdgeSubscription -file "C:\subscription.xml"

When you enter this command, Exchange will display the warning message shown in Figure K. Press Y, and Exchange will create the edge subscription file (named subscription.xml) and place it in the server's root directory.

Figure K

The edge server displays this rather ominous warning.

Now, copy the XML file that you just created to removable media, and delete the file from the edge server. Deleting the file is extremely important for security reasons. Finally, insert the removable media into your hub transport server, so that you can create the edge subscription.

You can complete the process by opening the Exchange Management Console and navigating through the console tree to Organization Configuration | Hub Transport. Now, click on the New Edge Subscription link, found in the Actions pane. When you do, Exchange will launch the New Edge Subscription Wizard. As you can see in Figure L, the wizard prompts you for the name and path of the subscription file that you created earlier. Once you supply this information, verify that the Automatically Create a Send Connector for this Edge Subscription check box is selected, and then click the New button.
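The edge-server half of this procedure (confirm the server is not a domain member, create the file, move it to removable media, delete the original), as an added example that is not part of the original article. `E:\subscription.xml` is an assumed removable-media path, and `-FileName` is the full name of the parameter the article abbreviates as `-file`.

```powershell
# Added example: run in the Exchange Management Shell on the edge transport server.
$ErrorActionPreference = 'Stop'
$Source = 'C:\subscription.xml'   # path used in the article
$Target = 'E:\subscription.xml'   # assumed removable-media path; adjust to your drive

# 1. The edge transport server must not be a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    throw "This server is joined to domain '$($cs.Domain)'. An edge transport server must not be a domain member."
}

# 2. A leftover file means an earlier subscription file was never deleted.
if (Test-Path $Source) {
    throw "$Source already exists. Delete it before creating a new subscription file."
}

# 3. Create the subscription file (answer Y at the warning prompt).
New-EdgeSubscription -FileName $Source

# 4. Copy to removable media and confirm the copy is byte-identical.
Copy-Item -Path $Source -Destination $Target
$srcBytes = [System.IO.File]::ReadAllBytes($Source)
$dstBytes = [System.IO.File]::ReadAllBytes($Target)
if ([System.Convert]::ToBase64String($srcBytes) -ne [System.Convert]::ToBase64String($dstBytes)) {
    throw "The copy on $Target does not match $Source."
}

# 5. Delete the original from the edge server and verify that it is gone.
Remove-Item -Path $Source -Force
if (Test-Path $Source) {
    throw "$Source is still present on the edge server."
}
Write-Host "Subscription file now exists only on $Target. Import it on the hub transport server."
```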