How to: Configure Exchange Edge server for E-mail policy with Thread Management Gateway (TMG)

First of all, the Edge role should be placed in DMZ, that’s the only Exchange role that should be placed in DMZ.
A picture below will show an example of an environment for how the Edge server could be place into infrastructure.


The prerequisites are installed by using the xml file provided with the ISO file for Exchange 2010 SP1.
It’s used by starting up PowerShell and running the following command: “servermanagercmd –ip path:scriptsexchange-all.xml“.

Before starting with the installation, since it’s placed in the DMZ, make sure that the DNS suffix is added for the “domain.local”, in my case its “target.local”.

A reboot of the server and you will be ready to continue the installation of the Edge role.

Then it’s time for the Edge installation, it’s done by starting up the setup.com (Run as administrator).

Installation is done after some waiting..

It’s time for the EdgeSubscription file creation, it’s done by using the EMS and typing in:
New-EdgeSubscription –Filename “C:edge.xml

(Start the EMS with Run as administrator, or else you won’t be able to save the file into C:)

The next step is to copy the xml file to the HUB transport server, in my case it’s a multi-role server (CAS/HUB/MBX).
Start EMC and go to Organization Configuration -> Hub Transport -> Edge Subscriptions and select New EdgeSubscription.

Select which AD Site that the Edge should be subscribed to, and browse for the xml file created earlier.

When the subscription is completed successfully it should look like this.

It’s time to start the Edgesync, it’s done from my multi-role server (server03.target.local).

And hopefully it will look something like this after a while and you will see the accepted domains in the Edge server.
You will also see the receive and send connectors.

Conclusion

For being able to have a successful Edgesync the port 50636 (TCP) should be open from HUB server(s) to the Edge server.
Also for sending mails (SMTP), port 25 should be open.
The Edge server is listening on port 50389.

Quote: “EdgeSync uses a secure LDAP connection from the Hub Transport server to subscribed Edge Transport servers over TCP 50636. AD LDS also listens on TCP 50389.
Connections to this port don’t use SSL. You can use LDAP utilities to connect to the port and check AD LDS data. ”

Make sure that the name resolution is working, the Edge server needs to have a working name resolution to the HUB server(s) and in the opposite direction.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.